{"id":1138,"date":"2010-06-27T11:12:22","date_gmt":"2010-06-27T19:12:22","guid":{"rendered":"\/?p=1138"},"modified":"2010-06-27T14:48:19","modified_gmt":"2010-06-27T22:48:19","slug":"national-strategy-for-trusted-identities-in-cyberspace","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1138","title":{"rendered":"National Strategy for Trusted Identities in Cyberspace"},"content":{"rendered":"<p>Friday saw what I think is a <a href=\"http:\/\/www.whitehouse.gov\/blog\/2010\/06\/25\/national-strategy-trusted-identities-cyberspace?utm_source=related\" class=\"broken_link\">historic post<\/a> by Howard Schmidt\u00a0on <a href=\"http:\/\/www.whitehouse.gov\/blog\/\" class=\"broken_link\">The\u00a0White House Blog<\/a>:<\/p>\n<p style=\"PADDING-LEFT: 30px\"><img class=\"alignright\" style=\"FLOAT: right; MARGIN-LEFT: 10px; MARGIN-RIGHT: 10px\" src=\"\/wp-content\/images\/2010\/06\/whitehouse.gif\" alt=\"\" \/>&#8220;Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted\u00a0Identities in Cyberspace (NSTIC). 
\u00a0This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates.\u00a0What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.&#8221;<\/p>\n<p>I say <a href=\"http:\/\/www.whitehouse.gov\/assets\/documents\/Cyberspace_Policy_Review_final.pdf\" class=\"broken_link\">the current draft<\/a>\u00a0<em>is historic because of the grasp of identity issues it achieves<\/em>.\u00a0<\/p>\n<p>At the core of the\u00a0document is a recognition that we need a solution\u00a0supporting\u00a0privacy-enhancing technologies and built by harnessing a user-centric\u00a0Identity Ecosystem offering citizens and private enterprise\u00a0plenty of\u00a0choice.\u00a0\u00a0<\/p>\n<p>Finally we have before us a proposal\u00a0that can\u00a0move\u00a0society forward in\u00a0protecting individual privacy and simultaneously create a secure and trustworthy infrastructure with enough protections to be resistant to insider attacks.\u00a0\u00a0<\/p>\n<p>Further, the work appears to have support from multiple government agencies &#8211; the Department of Homeland Security\u00a0was a\u00a0key partner in its\u00a0creation.\u00a0<\/p>\n<p>Here are\u00a0the\u00a0guiding principles (beginning page 8):<\/p>\n<ul>\n<li>Identity solutions will be secure and resilient<\/li>\n<li>Identity solutions will be interoperable<\/li>\n<li>Identity solutions will be privacy enhancing and voluntary for the public<\/li>\n<li>Identity solutions will be cost-effective and easy to use<\/li>\n<\/ul>\n<p>Let&#39;s start with the final &#8220;s&#8221; on the word &#8220;solutions&#8221; &#8211; a major achievement.\u00a0 The authors understand\u00a0society needs a spectrum of approaches suitable for different use cases but fitting within a common interoperable framework &#8211; what I and others have called an identity metasystem.\u00a0<\/p>\n<p>The 
report embraces the need for anonymous access as well as that for strong identification.\u00a0 It stands firmly in favor of minimal disclosure.\u00a0 The authors call out the requirement that solutions be privacy enhancing and voluntary for the public, rather\u00a0than attempting to ram something bureaucratic down\u00a0people&#8217;s throats.\u00a0 And\u00a0they\u00a0are fully cognisant of the practicality and usability requirements for the initiative to be successful.\u00a0 A few years ago I would not have believed this kind of progress would be\u00a0possible.<\/p>\n<p>Nor is the report just a theoretical treatment devoid of concrete proposals.\u00a0 The section on &#8220;Commitment to Action&#8221; includes:<\/p>\n<ul>\n<li>Designate a federal agency to lead the public\/private sector efforts to advance the vision<\/li>\n<li>Develop a shared, comprehensive public\/private sector implementation plan<\/li>\n<li>Accelerate the expansion of government services, pilots and policies that align with the identity ecosystem<\/li>\n<li>Work to implement enhanced privacy protections<\/li>\n<li>Coordinate the development and refinement of risk management and interoperability standards<\/li>\n<li>Address liability concerns of service providers and individuals<\/li>\n<li>Perform outreach and awareness across all stakeholders<\/li>\n<li>Continue collaborating in international efforts<\/li>\n<li>Identify other means to drive adoption<\/li>\n<\/ul>\n<p>Readers should dive into the\u00a0report &#8211; it is in a draft stage and &#8220;<a href=\"http:\/\/nstic.ideascale.com\/a\/ideafactory.do?id=9351&amp;mode=recent&amp;discussionFilter=active&amp;target=home\" class=\"broken_link\">Public ideas and recommendations to further refine this Strategy are encouraged<em>.<\/em><\/a>&#8221;\u00a0\u00a0<\/p>\n<p>A number of people and organizations\u00a0in the identity world have participated in getting this right, working closely with policy thinkers and those leading this initiative in 
government.\u00a0\u00a0I don&#39;t hesitate to say that\u00a0congratulations are due all round for getting this effort off to such a good start.<\/p>\n<p>We can expect\u00a0suggestions\u00a0to be made strengthening various aspects of the report &#8211; mainly in terms of making it more internally consistent.\u00a0\u00a0<\/p>\n<p>For example, the report contains\u00a0good vignettes about minimal\u00a0disclosure and the use of claims to gain access to resources.\u00a0 Yet\u00a0it also\u00a0retains the\u00a0traditional\u00a0notion\u00a0that authentication is dependent on identification.\u00a0\u00a0What is meant by identification?\u00a0 Many will\u00a0assume it means &#8220;unique identification&#8221; in the old-fashioned sense of associating someone with an identifier.\u00a0\u00a0That doesn&#39;t\u00a0jibe with the notion of minimal disclosure present throughout the report.\u00a0 Why? For many purposes association with an identifier is over-identification or unhelpful, and\u00a0a simple proof of some set of claims would suffice to control access.\u00a0\u00a0<\/p>\n<p>But these refinements can be\u00a0made fairly easily.\u00a0\u00a0The real\u00a0challenge will be to actually <em>live up to the guiding principles<\/em> as we move from high level statements to a widely deployed system &#8211; making it truly secure, resilient and privacy enhancing.\u00a0\u00a0These are guiding principles\u00a0we can use to measure our success and help\u00a0select between alternatives.<\/p>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The report understands the spectrum of use cases and specifically calls out the need for identity solutions to be privacy enhancing and voluntary for the 
public<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[17,10,2,8,7,3,40],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1138"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1138"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1138\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}