NSTICy questions
By Dave Birch posted Jul 6 2011 at 9:47 PMI've been reading through the final version of the US government's National Strategy on Trusted Identities in Cyberspace (NSTIC). This is roughly what journalists think about:
What's envisioned by the White House is an end to passwords, a system in which a consumer will have a piece of software on a smartsphone or some kind of card or token, which they can swipe on their computers to log on to a website.
[From White House Proposes A Universal Credential For Web : The Two-Way : NPR]
And this is roughly what the public think about it
Why don’t they just put a chip in all of us and get it over with? What part of being a free people do these socialists not understand?
[From White House Proposes A Universal Credential For Web : The Two-Way : NPR]
And this is roughly what I think about it: I think that NSTIC isn't bad at all. As I've noted before I'm pretty warm to it. The "identity ecosystem" it envisages is infinitely better than the current ecosystem and it embodies many of the principles that I regard a crucial to the online future. It explicitly says that "the identity ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers (presumably including government bodies) to link an individual's transactions and says that by default only the minimum necessary information will be shared in transactions. They have a set of what they term the Fair Information Practice Principles (FIPPs) that share, shall we say, a common heritage with Forum friend Kim Cameron's laws (for the record, the FIPPs cover transparency, individual participation, purpose specification, data minimisation, use limitation, data quality and integrity, security and accountability and audit).
It also, somewhat strangely, I think, says the this proposed ecosystem "will preserve online anonymity", including "anonymous browsing". I think this is strange because there is no online anonymity. If the government, or the police, or an organisation really want to track someone, they can. There are numerous examples which show this to be the case. There may be some practical limitations as to what they can do with this information, but that's a slightly different matter: if I hunt through the inter web tubes to determine that that the person posting "Dave Birch fancies goats" on our blog comes from a particular house in Minsk, there's not much I can do about it. But that doesn't make them anonymous, it makes the economically anonymous, and that's not the same thing, especially to people who don't care about economics (eg, the security services). It's not clear to me whether we as a society actually want an internet that allows anonymity or not, but we certainly don't have one now.
The strategy says that the identity ecosystem must develop in parallel with ongoing "national efforts" to improve platform, network and software security, and I guess that no-one would argue against them, but if we were ever to begin to design an EUSTIC (ie, an EU Strategy for Trusted Identities in Cyberspace) I think I would like it to render platform, network and software security less important. That is, I want my identity to work properly in an untrusted cyberspace, one where ne'erdowells have put viruses on my phone and ever PC is part of a sinister botnet (in other words, the real world).
I rather liked the "envision" boxes that are used to illustrate some of the principles with specific examples to help politicians and journalists to understand what this all means. I have to say that it didn't help in all cases...
The "power utility" example serves as a good focus for discussion. It expects secure authentication between the utility and the domestic meter, trusted hardware modules to ensure that the software configuration on the meter is correct and to ensure that commands and software upgrades do indeed come from the utility. All well and good (and I should declare an interest a disclose that Consult Hyperion has provided paid professional services in this area in the last year). There's an incredible amount of work to be done, though, to translate these relatively modest requirements into a national-scale, multi-supplier roll-out.
Naturally I will claim the credit for the chat room "envision it"! I've used this for many years to illustrate a number of the key concepts in one simple example. But again, we have to acknowledge there's a big step from the strategy to any realistic tactics. Right now, I can't pay my kids school online (last Thursday saw yet another chaotic morning trying to find a cheque book to pay for a school outing) so the chance of them providing a zero-knowledge proof digital credential that the kids can use to access (say) BBC chatrooms is absolutely nil to any horizon I can envisage. In the UK, we're going to have to start somewhere else, and I really think that that place should be with the mobile operators.
What is the government's role in this then? The strategy expect policy and technology interoperability, and there's an obvious role for government -- given its purchasing power -- to drive interoperability. The government must, however, at some point make some firm choices about its own systems, and this will mean choosing a specific set of standards and fixing a standards profile. They are creating a US National Project Office (NPO) within the Department of Commerce to co-ordinate the public and private sectors along the Implementation Roadmap that is being developed, so let's wish them all the best and look forward to some early results from these efforts.
As an aside, I gave one of the keynote talks at the Smart Card Alliance conference in Chicago a few weeks ago, and I suggested, as a bit of an afterthought, after having sat through some interesting talks about the nascent NSTIC, that a properly implemented infrastructure could provide a viable alternative to the existing mass market payment schemes. But it occurs to me that it might also provide an avenue for EMV in the USA, because the DDA EMV cards that would be issued (were the USA to decide to go ahead and migrate to EMV) could easily be first-class implementations of identity credentials (since DDA cards have the onboard cryptography needed for encryption and digital signatures). What's more, when the EMV cards migrate their way into phones, the PKI applications could follow them on the Secure Element (SE) and deliver an implementation of NSTIC that could succeed in the mass market with the mobile phone as a kind of "personal identity commander".
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]