Digital Identity 101
Session Leader: Kaliya Hamlin
Notes Taker: Jed Bruaker
National Strategy for Trusted Identities in Cyberspace
– Not a single ID
– Not a national ID
It is coming through the chamber of commerce, business focused
Comes via three initiatives:
– Obama addressing challenges in cyberspace
—- Phishing and Password reuse
– FICAM (Federal Identity and Credential Access Management), under the Federal CIO Roundtable
—- Link to K’s FastCompany article, National! Identity! Cyberspace! Why we shouldn’t freak out about NSTIC.
One way to solve current identity issues is with a national ID.
– Not gonna work in the US. (Political, logistical reasons)
– Government cost of maintaining a user account is between $12-100/yr (this is currently experienced by each government entity that handles identity verification separately)
NSTIC is a vetted identity that is issued by a 3rd party, that can then be used at any number of service providers/user accounts
– Talking about another layer via two-factor authentication (e.g., single use passwords)
– Email uses a password
– Bank accounts use a card and a PIN
– Banks are mandated to do two-factor authentication. The second factor is invisible to end users — it is the “we don’t recognize this computer” screen.
NSTIC has asked for feedback
– We should probably write in and say “what about death?”
– Lets you connect two accounts without passwords, and lets information move between them
– Works by service A asking “do you want to link your account on service B to us?” You then go to service B, which asks “are you sure?” The two services exchange tokens that effectively create a tunnel that information can move through.
– I’ve predominantly seen this in terms of logins
– This can be thought of as a series of tunnels.
– Could conceptually be used as a notification service: E.g., a death related service could have links to a variety of providers that could be notified when using the death service
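The linking flow in the notes above (service A asks, service B confirms with the user, a token is issued and used instead of a password), sketched as an added example that is not from the session. The class and method names, the scopes and the sample profile are assumptions made for illustration.

```python
import secrets

class ServiceB:
    """Holds the user's account; issues a scoped token only after the user confirms."""
    def __init__(self, profile):
        self.profile = profile   # constructed sample data
        self.pending = {}        # request_id -> (client, scopes) awaiting "are you sure?"
        self.tokens = {}         # token -> (client, scopes): the "tunnel"

    def request_link(self, client, scopes):
        # Service A asks to link; nothing is granted yet.
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = (client, frozenset(scopes))
        return request_id

    def confirm(self, request_id, user_approves):
        # The user answers at service B; a request can be answered only once.
        client, scopes = self.pending.pop(request_id)
        if not user_approves:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client, scopes)
        return token

    def read(self, token, client, field):
        # The token works only for the client and the fields the user approved.
        grant = self.tokens.get(token)
        if grant is None or grant[0] != client or field not in grant[1]:
            raise PermissionError(f"{client} may not read {field}")
        return self.profile[field]

    def revoke(self, token):
        # Closing the tunnel: the user unlinks the accounts at service B.
        self.tokens.pop(token, None)

def link_and_read(service_b, client, scopes, user_approves, field):
    """Run the whole flow from service A's side; no password ever reaches A."""
    request_id = service_b.request_link(client, scopes)
    token = service_b.confirm(request_id, user_approves)
    if token is None:
        return None, None
    return token, service_b.read(token, client, field)

if __name__ == "__main__":
    b = ServiceB({"email": "alice@example.test", "contacts": ["bob"]})
    token, email = link_and_read(b, "service-a", ["email"], True, "email")
    print("service A received:", email)
    b.revoke(token)
```
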
– Set of policies that a group of agrees on
– Needed to enable scaling beyond federation (pairwise or hub and spoke structures to network structures).
– A set of policies that is used for identity vetting (e.g., ICANN, PBS Kids, etc.)
– If the criteria are met, you can “trust” the implementer
– Levels of Assurance (how well are they vetting)
– Levels of Protection (how well is it secured)
– Levels of Control (how much control do end users have)
— Potential for LOC relative to death?
– Auditors have then emerged to test a provider in relationship to these trust frameworks