National! Identity! Cyberspace!: Why we shouldn’t freak out about NSTIC.

This is cross-posted on my Fast Company Expert Blog with the same title.

I was very skeptical when I first learned government officials were poking around the identity community to learn from us and work with us. Over the last two and a half years, I have witnessed dozens of dedicated government officials work with the various communities focused on digital identity to really make sure they get it right. Based on what I heard in the announcements Friday at Stanford by Secretary of Commerce Locke and White House Cybersecurity Coordinator Howard Schmidt to put the Program Office in support of NSTIC (National Strategy for Trusted Identities in Cyberspace) within the Department of Commerce, I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle, with headlines that focus on a few choice phrases to raise hackles about this initiative, like this from CBS News: Obama Eyeing Internet ID for Americans.

I was listening to the announcement with a knowledgeable ear, having spent the last seven years of my life focused on user-centric digital identity. Our main conference, the Internet Identity Workshop, held every 6 months since the fall of 2005, has for a logo the identity dog: an allusion to the famous New Yorker cartoon “On the internet, nobody knows you are a dog.” To me, this symbolizes the two big threads of our work: 1) maintaining the freedom to be who you want to be on the internet AND 2) having the freedom and ability to share verified information about yourself when you do want to. I believe the intentions of NSTIC align with both of these, and with other core threads of our communities’ efforts: to support identifiers portable from one site to another, to reduce the number of passwords people need, to prevent one centralized identity provider from being the default identity provider for the whole internet, to support verified anonymity (sharing claims about yourself that are verified and true but not giving away “who you are”), to support broader diffusion of strong authentication technologies (USB tokens, one-time passwords on cellphones, or smart cards), and to support mutual authentication, allowing users to see more closely that the site they are intending to do business with is actually that site.

Looking at use cases that government agencies need to solve is the best way to understand why the government is working with the private sector to catalyze an “Identity Ecosystem”.


Identity & Gov & Open Standards

I am really happy to let you all know about this forthcoming OASIS ID-Trust Identity Management 2009 event, September 29-30.

The theme of the event will be “Transparent Government: Risk, Rewards, and Repercussions.”

The U.S. National Institute of Standards and Technology (NIST) will be hosting it in Gaithersburg, Maryland.

In the “why attend” section they reference part of a directive by Barack Obama to the National Security Council and Homeland Security Council:

“to defend our information and communications infrastructure, strengthen public/private partnerships, invest in cutting edge research and development and to begin a national campaign to promote cyber-security awareness and digital literacy.” The U.S. federal government aims to accomplish all of this while becoming increasingly open and transparent.

The program is now available – and looks quite good.

There is a discount available until August 31. There are special registration procedures for non-US citizens.

India says it will be creating National ID for Citizens

I found this last night on Slashdot – it was too important not to blog about: “India to Put All Citizen Info into Central Database”.

Reading the article in The Independent, this stood out for me:

The creation of the ID or Unique Identification Number (UID) was a major plank of the manifesto of the ruling Congress Party during the recent election.

India is not a western democracy where “everyone” has papers and certificates of birth. As the article highlights:

“This could be used as a security measure by the government which leaves migrant workers, refugees and other stateless people in India in limbo, without access to public services, employment and basic welfare.”

Our identities don’t come from government – they come from our social interactions and relationships.

The other issue that comes from this is that “everyone in one database” is a giant honey pot.

Catalyst: SSO Simple Secure and Open – Dick on Identity 2.0

Dick had a 580-slide deck done Lessig style.
This is a summary of his talk:

We found out about Dick’s Identity

We learned about what identity is

What I say about me
What others say about me (others trust this)
So,
identity = reputation
What others say about you
We learned about Identity Transactions:
Verbal in person (with visual cues)
Talk on phone (loss of visual cues)
Job Application (fill out form)

We learned about data verification using drivers licenses in the real world and how the process reduces Identity Friction.
Identity Transactions are Asymmetrical
There is separation of the acquisition and presentation of credential
The credential is reusable
Trust is social

What is digital identity?

Identity 1.0 Today

Today it is the hassle of filling out the same information again and again.
Basically, today authentication means you get to prove you are an entry in a directory. Single authority on one credential – not portable – in a silo.

Verified digital Identity is not what you give a site today.
e-bay -/-> Craigslist
We have walled gardens

Identity 2.0 is where the user can move it to any site.

Simple and open has a history of winning in new standards. Look at:

  • networking
  • e-mail
  • web – html

WHAT DOES IT LOOK LIKE?
Identity credential exchange is a transparent transaction that is scalable.

WHO WILL DRIVE THIS?
users? – too many user names and passwords

won’t pay – little influence

enterprise? - partners, contracts, agents

but risky to lead… can’t get there
Identity 1.5

e-government?

maybe

but localized

Banks?

motivated to solve
theoretical trust relationship

Identity Ecosystem will emerge where

users are loosely coupled
share user identity

We are in a new era

Webservices – Flickr, Mappr, SalesForce

Web 2.0 will drive identity 2.0

It will happen on the edge of the Internet (not the edge of the enterprise).

XRI/XDI no web-service apps

SXIP

name/value pairs
DIGS XML

The goal is to mimic photo ID
With Sxip Network

SXIP 1.0 has had a few tire kickers

SXORE Blog comment spam solution

SXIP 2.0 supports web services
SXIP ACCESS
SSO – Simple Secure and Open

Jamie Lewis –
Q: So will this go into a STANDARDS PROCESS?
A: We are working on it. We want to get it very close to right, then put it into a standards body. I like IETF. Our goal is to be open