Last week, the White House released a draft of its new National Strategy for Trusted Identities in Cyberspace (NSTIC), which is intended to create a so-called "identity ecosystem" in which individuals, organizations, and other entities rely on authoritative sources of their digital identities to enable trust in online interactions. The document was published through the Department of Homeland Security, one of many agencies and industry participants that collaborated on the Strategy, and includes many key elements that were called out as future action items in the administration's Cyberspace Policy Review, titled "Assuring a Trusted and Resilient Communications Infrastructure."
Trust in NSTIC context is limited only to the identity of the parties to an online interaction, so while having confidence in the validity of an asserted identity may help the parties may decisions about whether to engage in the interaction in question, the identity ecosystem envisioned in the Strategy provides insufficient basis for establishing the trustworthiness of entities, although it does allow for different participants to establish different sets of attributes about individuals that will be required in order to make authentication and authorization decisions.
With this in mind, it's important not to confuse trust in an entity's identity with trust in the entity itself. To engender trust in the entities, identity verification is necessary, but what is also needed is a clear explanation of the criteria that underlie the issuance of any credential presented to validate the identity, understanding that such criteria can and likely should vary depending on the context of the interaction. In the same vein, one of the things the Strategy makes clear is how important it is to separate the concepts (often spoken about in the same breath) of identification, authentication, and authorization. In general, an identity credential provider performs identity proofing (such as checking ID or other documentation if the identity proofing happens in person) and binds an individual identity to a digital representation, such as a certificate or other form of token, but often does not provide any information about what permissions the individual should have. These authorization decisions are entirely separate from identification and authentication, although identification and authentication are often prerequisites for granting authorization. This means that when considering authorization, an individual or entity evaluating the credentials presented should understand whether the issuance of those credentials took into account anything that informs the authorization decision. In the identity ecosystem as described, such consideration involves both the identity provider that establishes the digital identity, and the attribute provider that maintains and asserts characteristics or information associated with the identity.
This idea of entities requiring differing amounts of information (attributes) about each other depending on the context is one of several fundamental characteristics of claims-based identity management, a topic we've weighed in on before. The draft Strategy document embodies many of principles of claims-based identity management, most importantly the user-centric focus of the approach: "The Identity Ecosystem protects anonymous parties by keeping their identity a secret and sharing only the information necessary to complete the transaction. For example, the Identity Ecosystem allows an individual to provide age without releasing birth date, name, address, or other identifying data. At the other end of the spectrum, the Identity Ecosystem supports transactions that require high assurance of a participant’s identity."
As a simple real-world example, when an individual presents a driver's license to a TSA agent at an airport security checkpoint, assuming the license is self is authentic, the agent can assume very little information aside from the name on the license and that at least at some time between the date is was issued and now, the person resided in the state that issued the license, and was at that time a U.S. citizen or legally resident alien. This information is insufficient to determine with any real confidence whether the bearer of the license is a good person or a bad one, whether their intentions are benign or malicious, or generally whether the person is trustworthy. Context is important here too — validating an individual's identity in this manner is sufficient for the TSA's purposes, but would be wholly insufficient for, say, a bank to decide whether to give the person a car loan. Instead, performing a credit check in addition to verifying identity gives the loan officer more information about the financial standing of the individual, which is what the bank is most concerned about, but even with this additional information, it would be a mistake to say the individual has been shown to be trustworthy in any context other than the immediate one. The bank officer might now understand that the individual should have the resources to repay the loan, and some confidence about his or her likelihood to honor commitments to repay debts, but the information presented cannot be used to assert trustworthiness of the individual in the sense of saying he or she won't take the new car and use it as the getaway vehicle in a robbery later that day (even on the same bank!).
It is good to see that the Strategy acknowledges the importance of accrediting identity and attribute providers and relying parties to give parties to transactions with the relying parties some degree of confidence in the identity and authenticity of those entities. However, the explanation of the functions of the governing authority and accrediting authority in the Governance Layer section provide too little detail about the criteria that will be used to accredit entities for particular types of transactions or interactions. With a long history of data breaches resulting from authorized access incorrectly given to entities or through unauthorized actions of entity employees (ChoicePoint, LexisNexis, etc.) it is essential that the accreditation process be sufficiently robust to guard against entities mis-representing themselves in order to receive accreditation, and that accreditation criteria include validation (not self-assertion) of appropriate security and privacy practices. It is only with sufficient rigor supporting accreditation of identity and attribute providers that individuals and relying parties will be able to make some determination of the trustworthiness of entities with which they interact online.
Diving Deep into Mayhem
15 hours ago