White House releases draft authenticated Internet identity plan

June 27, 2010 — 8:19pm ET | By David Perera
Tags: White House, Howard Schmidt, identity management, online authentication, National Strategy for Trusted Identities in Cyberspace

The White House revealed June 25 a draft strategy for creating a voluntarily authenticated online identity for Internet users and organizations.

The "National Strategy for Trusted Identities in Cyberspace" proposes a system under which identity-certified individuals wishing to conduct online transactions with identity-certified organizations submit an interoperable, standards-based credential before proceeding with the transaction. Members of the public would use it while conducting online banking or even just sending an email, states White House cyber czar Howard Schmidt in a blog post announcing the strategy.

The credential could come in the form of a smart card, a cell phone, a downloaded software certificate, USB device or security chip embedded into computers.

Through the credential, online organizations (each called a "relying party" in the plan) could verify two categories of information: an individual's identity, from a public- or private-sector identity provider, and information about that individual (called "attributes" in the plan) from an organization that can verify individual characteristics, such as age. The plan gives a loose idea in a diagram.

Relying parties would verify the end user's identity and attributes directly with the identity and attribute providers once they've read the end user's credential. "The user can also provide all validations directly to the relying party through the mediation of privacy enhancing technology," the draft strategy adds.

The draft plan says the system will enhance online privacy since relying parties could request to verify only relevant attributes. Transactions could still be anonymous to the extent that relying parties accept a strong credential that nevertheless does not uniquely identify individuals to them, the draft plan states.

The system would contain policies and standards that would minimize the linkage of individuals' credential use among and between service providers, the plan states. Unclear from the plan is what kind of logs identity and authentication providers would retain of verification requests made through individuals' online activity. The plan states that providers should limit their retention of data "to the period necessary for the provision of services...except as otherwise required by law."

Also unclear from the plan is how the identity and authentication providers would verify that individuals are indeed who they say they are and that their attributes are correct.

An authenticated online identity is necessary to reduce online fraud and identity theft and also increase the ease of online transactions, the plan states.

"The role of government is to address the safety and economic needs of its people," the plan states. The federal government will become an early adopter of the identity technology and possibly encourage its spread through tax credits or breaks, grant programs, loans to first adopters and "cybersecurity insurance."

The draft plan calls for selection of a lead agency responsible for driving the plan forward; Schmidt, in his blog post, says that the Homeland Security Department has already been "a key partner in the development of the strategy" and the draft plan is hosted on a DHS website.

The White House is accepting public comment on the draft strategy through July 19. The plan is slated for final form this fall.

For more:
- see the execution layer diagram 
- read the draft "National Strategy for Trusted Identities in Cyberspace" (.pdf) and Schmidt's blog post
- comment on its contents or rate other people's comments

Comments

By John B. Frank | Posted 12:32pm | June 28, 2010

Our privacy needs to remain intact. That is why I suggested that banks issue personal card readers with PIN Pads (PCI 2.1 certified of course) which enable users to swipe their card and enter their PIN in a secure environment "outside the browser space." Existing cards, existing PINs on existing bank rails in real time with two factor authentication.

If we stop "typing" our sensitive data (usernames, passwords, credit/debit card numbers) into the inherently dangerous browser space, and start swiping so that the data is 3DES DUKPT end-to-end-encrypted, we solve myriad problems. For example, "phishing" would be virtually eliminated because there would be nothing to "phish phor."

It is the same trusted method used to authenticate a consumer at 2:00 AM 2000 miles away from his bank branch when he wants $200 cash in real-time. Replicate that same process using existing cards, existing PINs and existing bank rails and have customers swipe their card and enter their PIN to login.

The plan is to issue a smart identity card anyway, so how is it going to be "read" without a card reader?

In Europe, almost 30% of online banking customers use a card reader to log-in and Kaspersky Labs has called for the mass adoption of peripheral card readers and implied that banks could be huge drivers of this technology.

We don't write our credit/debit card numbers down on a piece of paper and leave it at the retailer's POS, we swipe our cards and enter our PINs. Why should it be any different for the web? Again, the root of the problem is that we are typing sensitive data into an insecure browser making it easy for the bad guys to steal our credentials via keylogging or infecting our PC with malware. Common sense says "stop typing and start swiping." If someone's going to "swipe" your card data shouldn't it be you instead of the bad guys?

For more info on a "low cost" PCI 2.1 Certified PIN Entry Device designed specifically for e-Commerce use, visit http://PINDebit.blogspot.com or www.HomeATM.net

Read more: White House releases draft authenticated Internet identity plan - FierceGovernmentIT http://www.fiercegovernmentit.com/story/white-house-releases-draft-authenticated-internet-identity-plan/2010-06-27#ixzz1LXD4nrgl