Collision

[Dave Birch] Here at Consult Hyperion we've recommended to more than one non-US customer that they look at specifying PIV solutions. Why? Because PIV does almost all of what they want, and the cost and integration advantages make it a better short- to medium-term solution. But there's another less tangible reason for being interested in it: because once the US government has chosen something as a "standard", then that is where the energy will go, because the suppliers are rational people. The seal of approval is very, very important. Which is why I"m not the only one who has been reflecting on just how significant the US government's support for OpenID is. When this support was announced, Bob Blakely highlighted just how important an announcement it was.

But the identity world had its own big news today; the news is that the US Government has teamed up with the OpenID Foundation, the Information Card Foundation, the Kantara Initiative, and InCommon in creating the Open Identity Initiative.

[From Burton Group Identity Blog: US Government Identity News]

I was involved in some discussions with a government department a few months ago -- long before the US government announcement -- during which I suggested opening up some public services using OpenID. My reasoning was that we could experiment with "soft" OpenIDs provided by (to consumers) familiar services. If you asked a customer to log in to the DVLC using their Facebook "Identity", then I'm sure they would manage to do this with little training and no mention of trust infrastructures and the like. Once they are comfortable with this, then you can restrict access to "hard" OpenIDs (by which I mean 2FA OpenIDs).

The central point, though, was that the government could help to create an identity infrastructure built on a diverse selection of "private" digital identities. I think that, as Burton note, the US government's decision signals a genuine paradigm shift in this direction, a genuine change in the mental model are identity.

after years of government attempts to create identities and assign them to citizens (via such bad ideas as the UK National ID scheme and the US REAL-ID act), a government has finally recognized that individuals already HAVE identities, and that it’s a better idea, for most purposes, to use these identities than to establish a new government bureaucracy to create new identities

[From Burton Group Identity Blog: US Government Identity News]

Personally, I think that the government ought to be a "gold standard" identity provider as well as an identity oonsumer, but that's another issue.

Imperfect crime

[Dave Birch] Some years ago at the Digital Money Forum, Richard Bartle from the University of Essex characterised the economy of virtual worlds as "people buying things that don't exist from people who don't own them" which was, frankly, a brilliant summary. There are also, sadly, a class of people stealing things that don't exist from people who don't own them and this is a crime, so it was with great interest I read that

A British man has been arrested and cautioned for stealing accounts for online game Runescape... A statement from the Police National e-crime unit said: "A 23-year-old man was arrested in Avon and Somerset... on suspicion of a number of computer misuse offences."... Once hi-tech thieves have these credentials they plunder the accounts, strip characters of their items and sell off the rare virtual goods for Runescape gold.

[From BBC News - Runescape creator pursues 'phishing thieves']

This is real identity theft. If criminals somehow get into my bank account and spirit the money away, I don't really care because it's the bank's problem and they will give me the money back. But if the criminals take over my Runescape character, that's a real personal violation. As I said before

a bank can easily restore my money, but it's much harder for Facebook to restore my reputation (apart from anything else, a reputation takes time to build). Which is the worse crime?

[From Digital Identity Forum: What identity is important?]

It's the latter, clearly. So perhaps the "standard" use case for strong authentication should be switched from logging on for home banking to logging on to Facebook, which takes us into the world of OAuth and OpenID instead of EMV and OTP. In this world, there's already plenty of work going on around authentication, credentials and federation that could provide key portions of the infrastructure that we know that we are going to need in the mass market.

The DNS of the industrial bourgeoisie

[Dave Birch] I have a vague memory -- which five minutes googling cannot substantiate and I'm too lazy to go and find the book in the other room -- that somewhere in the Gulag Archipeligo by Aleksandr Isaevich Solzhenitsyn there is mention of Stalin's desire to have a more revolutionary telephone system where all calls had to go through a central exchange and be encrypted so that Stalin could listen to everyone else's calls but his would be encrypted to remain secret. The prisoners with relevant skills were supposed to be designing this while in the gulag. It never worked, of course, and the Soviet Union had appalling telecommunications infrastructure as a consequence because the communications revolution was halted by the dictatorship of the proletariat: there's some deep incompatibility between innovation and centralisation. I couldn't help thinking of this when I read about the calls by Eugene Kaspersky to have a more Stalinist internet:

The CEO of Russia's No. 1 anti-virus package has said that the internet's biggest security vulnerability is anonymity, calling for mandatory internet passports that would work much like driver licenses do in the offline world.

[From Security boss calls for end to net anonymity • The Register]

What he means by this is that he wants a technologically complicated and expensive solution to be implemented so that ordinary people are inconvenienced to the maximum while criminals can roam free (which is what would happen). Creating such an asymmetric solution is not the way forwards: for one thing, who would decide what to censor?

A little local controversy involving the Church of Scientology and its critics could lead to curbs on the right to anonymity of anyone using the web.

[From Scientology seeks to squash anonymity • The Register]

We already have experience of this "solution" in the UK. Laws giving a wide variety of bodies the ability to monitor CCTV, the internet, phone calls and everything else which were supposed to save us from international terrorism are used by local councils to stop people from trying to get their children into better schools and to check that people are recycling enough of their rubbish. I'm sorry, but creating a world in which anyone can read anyone else's e-mail, track anyone else's web browsing, see what anyone is reading is not the way stop Russian virus writers from taking over everyone's PCs. We need an identity infrastructure.

4D Secure

[Dave Birch] One of the things that I thought might happen this year is that the US government standard for ID cards might begin to spread into the commercial sector, simply because of the impact of standardisation. I wasn't the only person who thought this, by the way.

In 2009, common access card programs will get another chance to conquer the enterprise market due to the government’s drive to implement PIV cards for all employees and contractors, the availability of standards and compatible products, the spread of standards beyond the federal government to state and local entities as well as government-linked enterprises. Most importantly, security convergence will finally receive market traction.

[From ContactlessNews | Look for renewed interest in enterprise common access card programs in 2009]

I should say that I thought this was a good thing. The PIV might not be an exact match with some corporate requirements, but on the other hand a standard means lower costs and an emerging ecosystem. So, if we want to improve corporate security, do we start designing our own, optimal solution, or go with the grain of what's out there on the basis that it's much, much better than nothing?

Mark Cross, OpenID UK Ltd

[Dave Birch] Mark Cross is the CEO of OpenID Ltd, an example of a company providing commercial services around the OpenID concept. In this podcast, he talks about his ideas for the evolution of OpenID.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

Hadi Nahari, PayPal

[Dave Birch] Hadi Nahari is the Principal Security Architect at PayPal. He has over 18 years of extensive software development experience, designing, developing, deploying and verifying complex software application and infrastructure of varying scales. In this podcast, he talks about some of the challenges in identification and authentication for large-scale customer-facing onine businesses.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

Announcing Identity & Privacy 2009

[Dave Birch] Here's another date for your calendars: London, 14th an 15th May 2009. The Digital Identity Forum and the Enterprise Privacy Group will be hosting the first Identity & Privacy Forum, sponsored by Consult Hyperion with support from HP, Microsoft, Symantec, Verisign and VoicePay. The Forum will be held at the Guoman Charing Cross Hotel, London, and I'm looking forward to seeing you there. Toby Stevens and I will be sending out a detailed agenda in a couple of weeks, but just as a heads-up there are going to be four sessions: "a snapshot of electronic identity", "co-evolving privacy and consent", "sharing front line experiences" from the public sector and "catching up with biometrics".

We'll be sending out the agenda in a couple of weeks and fleshing out the expert panels. As soon as we do, you'll be able to buy tickets!

Opening for business

[Dave Birch] Despite some criticism, OpenID continues to spread. I have a rather soft spot for OpenID, but it is fair to observe that not everyone is enthusiastic.

We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.

[From Digital Domain - Goodbye, Passwords. You Aren’t a Good Defense. - NYTimes.com]

OpenID is simple (to technical persons such as myself), which is one of the main reasons why it is spreading, but that simplicity also means that it doesn't solve all of the problems.

OpenID provides Single Sign On to social networking sites and blogs. It means we can use a public personna across sites, and just log in once to use that persona. But OpenID doesn’t have the privacy characteristics that would make it suitable for government applications or casual web surfing. And it doesn’t have the security characteristics necessary for financial transactions or access to private data.

[From IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer]

True. However, there are people working to combine OpenID with other technologies in fruitful ways.

Google also announced that it is looking to combine the OAuth and OpenID protocol so that a service can not only request a user’s identity through OpenID, but also “request access to information available via OAuth-enabled APIs such as Google Data APIs as well as standard data formats such as Portable Contacts and OpenSocial REST APIs.”

[From Google Adopts, Forks OpenID 1.0 - ZePy]

All of these pointers suggest to me that business strategies should be featuring OpenID as a near-future practical component rather than as a distant solution to a poorly-understood problem.

Authentication in 3D

[Dave Birch] Over on Digital Money there's been some discussion about the current state of, and future of, the 3D Secure (3DS) authentication schemes used by Visa and MasterCard to add security to online transactions (under the brand names Verified by Visa and SecureCode). One the problems with the deployment of these services was that customers didn't really understand the technology and were confused by the sign-up and usage processes. Now the schemes have responded with a raft of efforts to make 3DS more effective.

The research highlighted that consumers wanted to be certain that Verified by Visa was part of the purchase process. A key feature of the new user interface is that the consumer does not leave the merchant site during the identity checking process; instead the Verified by Visa authentication window appears as an overlay on top of the merchant page.

[From Verified by Visa Europe upgraded to improve cardholder experience]

MasterCard has also come up with a way to make 3DS more palatable to consumers and merchants alike.

To date, all e-commerce purchases on Maestro cards leverage MasterCard® SecureCode™ authentication to ensure the highest security for payment card transactions. The Maestro Advance Registration Program™ enables select online merchants to accept Maestro cards for e-commerce transactions by using SecureCode™ to enroll the customer during the first transaction. Subsequent purchases the same customer makes at the merchant web site using the same Maestro account can now be processed without MasterCard SecureCode authentication, making repeat buying both convenient and fast.

[From MasterCard Unlocks Maestro Debit Card Acceptance on the Internet with Maestro Advance Registration Program | MasterCard®]

I'm interested in these efforts because if banks found a way to make 3D Secure authentication effective, painless and ubiquitous then it would make sense for other organisations to pay the banks to provide that authentication services to them, rather than build their own versions. In these circumstances I could well imagine using my Barclays thingy (a.k.a. PINsentry) and debit card to log in to do my taxes or whatever.

I'm sure banks have a strategy for this kind of thing

[Dave Birch] Some time ago, I pointed out that sensible retailers would use ID cards to cut payment schemes out of the transaction loop, by using ID cards as payment tokens and using the ACH network rather than Visa or MasterCard. I've just written another piece on this for Electronic Finance & Payments Law & Policy.

As I have long been advising our clients in the payment space, there will be inevitable implications for retail payments businesses once a national ID card is in place.

[From Digital Identity Forum: Paying for identity]

Retailers want business change, not just lower fees. Now, a barrier to their competing with existing card schemes themselves has been the cost of issuing and managing secure smart cards or other tokens. But if the government is going to do it for them, then they may as well exploit it. I can easily imagine taking my ID card and a blank cheque down to Tesco, putting them both into a machine and punching in my PIN. Then, next time I go shopping, I punch my PIN into the keypad at the checkout lane, wave my ID card over a reader and then go on my way. This kind of the service has already begun to spring up in the U.S.A., in response to the issuing of “Real ID”drivers’ licences which have machine readable magnetic stripes that can be read at POS terminals. A company called National Payment Card (NPC) has begun to exploit the opportunity, by getting customers to register their bank details and a PIN against their licence. This means that customers can then pay for fuel by swiping their licenses at petrol stations and entering a PIN. A similar national scheme has just launched in Malaysia, where one of the leading banks has begun installing kiosks where customers can use their bank chip card and the MyKad ID card (without biometric authentication) together to link the ID card with the bank account automatically:

Consumers will have to open either a savings or a current account with EON Bank, which is the only bank providing payment transactions through the MyKad at the moment.

[From Buy fuel with your MyKad]

The scheme is targeting the fuel sector in the first instance and has signed up all Caltex and BHP filling stations, so that customers can fill up and they pay at the pump with their ID card. Since the margins on fuel are thin, the sector has every incentive to cut payment schemes out of the loop and move to direct bank transfer via ACH. I wonder if they even bother to authorise the transactions: after all, if you try to cheat them by presenting the ID card when you have no money in the bank, they have your ID details and I imagine you'll be hotlisted pretty quickly.