IIW-11 NSTIC Update

IIW-11 Session Presentation
November 2-4, 2010

IIW-11 NSTIC Update Presentation Transcript

  • 1. NSTIC Update: What has been happening since the June 25th, 2010 announcement. Convener: Jay Unger. National Strategy for Trusted Identities in Cyberspace. Action: What should the Internet Identity Community do to contribute / get ready?
  • 2. NSTIC – Update & Action
    • What is NSTIC ?
      • National Strategy for Trusted Identities in Cyberspace
      • Blog post and link to draft document on White House blog on June 25th, 2010: http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trusted-identities-cyberspace
      • by Howard Schmidt Cybersecurity Coordinator and Special Assistant to the President
      • Document still available at http://www.dhs.gov/xlibrary/assets/ns_tic.pdf
      • Public comments were accepted at http://www.nstic.ideascale.com
        • From June 25th to January 19th 2010
        • No new comments are being accepted, but existing comments can still be viewed
  • 3. NSTIC Update & Action
    • The NSTIC Document
      • Document Summary
        • 36 Pages
        • Written primarily by a contractor (Deloitte) with input from various government agencies and some information technology organizations and business.
        • High-level document – mostly vision, examples, and goals and objectives.
        • Very little technical detail or technology specifics.
        • No specific implementation plan or schedule.
        • Fairly repetitive. Not very well written or presented.
        • Examples are generally poor.
      • Document Spirit
        • Does recognize the need for a general identity mechanism on the internet.
          • To support and enhance both public and private interaction between citizens and government, businesses, organizations etc.
          • To reduce risks associated with identity theft and fraud for all citizens.
          • Recognizes the need to work with both the information industry and citizens.
          • Views government leadership as
  • 4. NSTIC Update & Action
    • The NSTIC Document
      • Reading between the lines
        • Talks about present problems and limitations
          • “… the online environment today is not user-centric; individuals tend to have little control over their own personal information. They have limited ability to utilize a single digital identity across multiple applications …”
          • “Over 10 million Americans are … victims of identity theft each year.”
          • “… victims of identity theft can spend up to 130 hours reconstructing their identities (e.g., credit rating, bank accounts, reputation, etc.) following an identity crime.”
          • “The collection of identity-related information across multiple providers and accounts, coupled with the sharing of personal information through the growth of social media, increases opportunities for data compromise.”
        • Discusses a vision of a “user centric identity ecosystem”
          • “The Identity Ecosystem is an online environment where individuals, organizations, services, and devices can trust one another through proper identification and authentication.”
          • “… a world where individuals can seamlessly access information and services online from a variety of sources …”
          • “… and without the need to manage many accounts and passwords.”
          • “… eliminate redundant processes associated with collecting, managing, authenticating, authorizing, and validating identity data …”
  • 5. NSTIC Update & Action
    • The NSTIC Document
      • Reading between the lines
        • Reference to well established concepts:
          • Identity Provider – “… responsible for the processes associated with enrolling a subject, and establishing and maintaining the digital identity associated with an individual …”
          • User Centric – “… allow individuals to select the interoperable credential appropriate for the transaction.”
          • Relying Party – “… makes transaction decisions based upon its receipt, validation, and acceptance of a subject’s authenticated credentials (sic) and attributes.”
          • Attributes – “Trusted and validated attributes provide a basis for organizations that offer online services to make authorization decisions.”
          • Anonymity / Pseudonym – “An individual has the choice to … authenticate to a transaction anonymously or a pseudonym without uniquely identifying himself.”
  • 6. NSTIC Update & Action
    • The NSTIC Process
    • “The Federal government - in collaboration with industry and the civil liberties and privacy communities - should build a cyber security-based identity management vision and strategy for the Nation.”
        • Goals
          • Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
          • Enhance confidence and willingness to participate in the Identity Ecosystem
          • Ensure the long-term success of the Identity Ecosystem
        • Actions
          • Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated with Achieving the Goals of the Strategy
          • Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
          • Accelerate the Expansion of Federal Services, Pilots, and Policies that Align with the Identity Ecosystem
          • Work Among the Public/Private Sectors to Implement Enhanced Privacy Protections
          • Coordinate the Development and Refinement of Risk Models and Interoperability Standards
  • 7. NSTIC Update & Action
    • NSTIC Feedback after June 25th, 2010
      • IdeaScale Comments
        • Comment period was very short (6/25-7/19).
        • Over 500 comments were posted and voted on.
        • Many “knee-jerk” comments from the fringes.
          • “Hands off my Internet”, “No National ID”, “Government Power Grab”, etc.
        • Most frequent (non knee-jerk) comment:
          • Extend Public Comment Opportunity
        • Several thoughtful and technically insightful comments and threads
          • Various authentication methods, process for public engagement, leadership agency, how government should participate, existing standards etc.
        • No public follow-up response, communication or announcements
      • Press Coverage
        • Lots of trade press coverage - Mostly favorable.
        • Some general press coverage - Neutral.
  • 8. NSTIC Update & Action
    • NSTIC Feedback after June 25th, 2010 (continued)
      • Open Letter to Howard Schmidt at the White House on July 16th, 2010
        • From: Center for Democracy in Technology (CDT), Electronic Frontier Foundation (EFF), Liberty Coalition http://www.cdt.org/files/pdfs/20100716_nstic_extend_ltr.pdf
        • Requesting:
          • “… that the public comment period be extended for at least 30 days to facilitate more robust public discussion … that subsequent public comment periods on this topic extend for at least 90 days”
          • “… clarification on the agency's proposed timeline and process”
          • “… an opportunity to convene an in-person discussion with an appropriate White House or DHS official to discuss this important matter and engage in further public discussion.”
        • Results:
          • No extension of public comment period (IdeaScale was closed to new posts on 7/19/2010)
          • CDT has had at least two follow-up meetings with the cyber-security staff at the White House between mid-July and the present.
          • CDT has had the opportunity to review and comment on new document drafts being developed including an implementation plan and schedule.
          • CDT has been informed that work is ongoing, internal agency reviews are being conducted, and no announcements are expected before the beginning of next year