Re: National Strategy for Trusted Identities in Cyberspace

Hi Marshall, 

the comment period last year was very short; too short for us to reply at the time when we learned about it. Other groups had problems getting their feedback in as well. 

The work they are looking into is related to web identity management protocols and trust frameworks. There are technical aspects as well as policy parts to the larger body of work. 

To provide a comparison I would pick the credit card industry. There are technical standards (such as a completely insecure "authentication mechanism") but there are also security best current practices (such as the PCI DSS work), an architecture for how the different actors (such as merchants, acquirers, payment networks, issuers, and banks) interact, and regulation (banking laws, liability guarantees for unauthorized credit and debit card charges), policies regarding levels of authentication assurances, etc. 

From the technical work a lot centers around OpenID and SAML profiles. Other protocols would be relevant to the exchange of data but the work has not progressed so far yet. 
 
You raised the question whether the IETF/IAB should have a look at this topic. Maybe not a bad idea and the next IETF meeting is upcoming to talk about it. And "yes", there are also interesting privacy questions. 

Ciao
Hannes

PS: There are similar efforts outside the US (such as in Europe). They do not, however, receive so much press attention. 

On Jan 10, 2011, at 6:50 PM, Marshall Eubanks wrote:

> Friday, the White House blog announced the creation of 
> 
> "A National Program Office for Enhancing Online Trust and Privacy"
> 
> http://www.whitehouse.gov/blog/2011/01/07/national-program-office-enhancing-online-trust-and-privacy
> 
> This activity will be based on the National Strategy for
> Trusted Identities in Cyberspace, which is available in draft form
> 
> http://www.dhs.gov/xlibrary/assets/ns_tic.pdf
> 
> There was a comment period, which is now closed (and the comments have now been taken down)
> 
> http://www.msnbc.msn.com/id/37943900/
> 
> http://www.nstic.ideascale.com/
> 
> The draft action items include
> 
> Action 2:
> Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
> 
> Action 4:
> Work Among the Public/Private Sectors to Implement Enhanced Privacy
> Protections
> 
> Action 5:
> Coordinate the Development and Refinement of Risk Models and Interoperability
> Standards
> 
> Standards that cover interoperability requirements, trustmark criteria, and accreditation will pave a path that supports choice across solutions, ultimately accelerating Identity Ecosystem adoption. All detailed actions associated with Identity Ecosystem standards will build on existing efforts undertaken by the Federal Government, trust framework providers, private sector, standards bodies, and international organizations.
> 
> Standards established within the Identity Ecosystem will require incorporation of privacy guidelines. They should also require, to the extent feasible, adoption of protocols that minimize the ability to link or aggregate transactions and transaction data across Identity Ecosystem participants and relying parties, while maintaining individual transaction history, integrity, and auditability. Standards development, adoption, or enhancement will support autonomy and choice among Identity Ecosystem providers and flexibility within industry sectors, while facilitating cross-sector and international interoperability.
> 
> -----
> 
> What is proposed is apparently something like an official version of the existing Certificate system, and apparently will involve technical standards setting.
> 
> This is an area where the IETF has some expertise, and also should have some concerns. I must admit that statements such as this
> 
> "The Governance Layer enables unaffiliated entities to trust each other’s digital identities. A Governance Authority will establish the criteria for assessing and certifying Accrediting Authorities, who in turn assess and certify service providers. In addition, the Governance Authority will control the rules for trustmarks that indicate the service provider’s standing as a participant within the Identity Ecosystem."
> 
> make me nervous. 
> 
> Has the IETF (presumably, the IAB) considered a response to this proposal? Should it?
> 
> Regards
> Marshall
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf
