As the current draft stands, what is the most significant change the "National Strategy for Trusted Identities in Cyberspace" will provoke?
- by mfg
A current draft of the "National Strategy for Trusted Identities in Cyberspace" has been posted by the Department of Homeland Security. This question is not asking about privacy or constitutionality, but about how this act will impact developers' business models and development strategies.
When the post was made I was reminded of Jeff's November blog post regarding an internet driver's license. Whether that is a perfect model or not, both approaches are attempting to handle a shared problem (of both developers and end users): How do we establish an online identity?
The question I ask here is, with respect to the various burdens that would be imposed on developers and users, what are some of the major, foreseeable implementation issues that will arise from the current U.S. Government's proposed solution?
For a quick primer on the setup, jump to page 12 for infrastructure components, here are two stand-outs:
An Identity Provider (IDP) is responsible for the processes associated with enrolling a
subject, and establishing and maintaining the digital identity associated with an individual or NPE. These processes include identity vetting and proofing, as well as revocation, suspension, and recovery of the digital identity. The IDP is responsible for issuing a credential, the information object or device used during a transaction to provide evidence of the subject’s identity; it may also provide linkage to authority, roles, rights, privileges, and other attributes.
The credential can be stored on an identity medium, which is a device or object (physical or virtual) used for storing one or more credentials, claims, or attributes related to a subject. Identity media are widely available in many formats, such as smart cards, security chips embedded in PCs, cell phones, software based certificates, and USB devices. Selection of the appropriate credential is implementation specific and dependent on the risk tolerance of the participating entities.
Here are the first considered actionable components of the draft:
Action 1: Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated with Achieving the Goals of the Strategy
Action 2: Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
Action 3:Accelerate the Expansion of Federal Services, Pilots, and Policies that Align with the Identity Ecosystem
Action 4:Work Among the Public/Private Sectors to Implement Enhanced Privacy
Protections
Action 5:Coordinate the Development and Refinement of Risk Models and Interoperability
Standards
Action 6: Address the Liability Concerns of Service Providers and Individuals
Action 7: Perform Outreach and Awareness Across all Stakeholders
Action 8: Continue Collaborating in International Efforts
Action 9: Identify Other Means to Drive Adoption of the Identity Ecosystem across the
Nation
