Thoughts on the White House/DHS Identity Plan
The White House and the Department of Homeland Security have come out with an initiative called the National Strategy for Trusted Identities in Cyberspace (NSTIC). Before you ask, no, government people don’t ever plan to stop using the word “cyberspace.”☺
The NSTIC is a vision for identities online, with the Government exerting a significant level of authority over the system and the implementation being carried out largely by the private sector. I earlier submitted technical comments on the draft coauthored with Stanford colleague Jonathan Mayer. This post reflects my personal view of the NSTIC.
Depth. The first thing one notices about the NSTIC strategy document is that it is quite high-level. A lot of the details are going to hinge on a separate implementation plan document. There is an early draft of the implementation document being kicked around, but it is not yet available to the public. The public comment period for the strategy document has closed.
Scope. Identity is a highly overloaded term. The NSTIC doesn’t offer a clear definition; in our comment we analyzed the different flavors and aspects of identity that are being addressed: (i) plain old self-asserted online identity (ii) linking real-world ID to online ID (iii) public-key infrastructure (iv) attribute authentication (v) anonymous credentials, (vi) credential management and (vii) identity interoperability. The NSTIC tries to do a lot.
Why identity? What problems does it solve? Many others have commented on the fact that the hard problems of cybersecurity, such as malware, cannot really be solved by identity; moreover, solving them might be a requirement for getting an identity infrastructure to work, rather than an outcome. In our technical document we offer a detailed breakdown of what security threats exist today and how the identity plan addresses (or fails to address) each of them.
The NSTIC claims to have been developed in response to a variety of cybersecurity threats. It appears to me, however, that the main goal here is to develop an identity system, and the cybersecurity motivations were tacked on as afterthoughts. While I don’t see a problem with wanting an identity infrastructure for its own sake, it is important not to view it as some kind of panacea.
Process. The only public comment process was via the ideascale website and lasted about 3 weeks. Creating a Web 2.0 crowdsourcing site with a cute theme and opening up the gates is a solution to some problems, but not all. Sometimes actual expertise is required. I find it hilarious that one of the few comments with a deep grasp of the technical issues — by the ACM — was voted down to a -2.
It’s unfortunate that there was no effort to get thet input of CS security researchers in the drafting of the NSTIC. There are many aspects of the plan whose implementation involves research questions, and it is not clear how they are going to be solved. I sure hope there will be more outreach to the security community as the process moves forward.
Summary. I definitely see a role for government leadership in the identity space, and I am glad that this is being worked on. At the same time, there are a variety of concerns with the proposal, including scope creep (look what happened to SSN), malware and software security, hardware security and vested interests (especially since they’re talking about smart cards, DRM, etc.), and usability. It is too early to tell how this is going to turn out. Let’s keep our fingers crossed.
Thanks to Jonathan Mayer for comments on a draft of this blog post.
Entry filed under: Uncategorized.