NSTIC – Update From NIST and Roundtable
Session Topic: NSTIC: Update from NIST & Roundtable
Convener: James Sheire
Notes-taker(s): Kaliya Hamlin
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
NSTIC = National Strategy for Trusted Identities in Cyberspace
It is the National Strategy to form an Ecosystem ~ where people can voluntarily choose and ID and login.
Privacy, Interoperability, User-Friendly, More Secure ---> User have to create dozens of account.
Problems it seeks to address - Re-Use over and over of passwords.
They (the NPO) is facilitating a private sector lead group.
The purpose is to create the policies, rules and standards and framework that governs the interactions in the ecosystem.
Getting Federal Government Programs to get being early adopters and use 3rd party credentials.
Access to government services, file a medicare claim.
FCCX (pronounced F6) service users login approved credentials. Choose from IDP's that are approved.
Q: Do any of them let them control their ID.
A: At higher level of assurances must have it be bound.
Vouch for Individual
What about allowing users vouch self where the individual holds externally vouched for attributes?
Dialogues will emerge on different efforts.
LOA - 1, 2, 3, 4
Digital Certificates of Proof
The hardest part is the business process - record keeping etc.
Robin: HIS model where brokering system where credentials themselves come from bank.
Update: become independent entity with its own capabilities. 501( c )3
- -comment from crowd - "so it is a charity"
IDESG will have funding through Grants
FCCX (USPS) (Contract with Secure key) to build the HUB - processes for ID and for departments who will pulg in.
It has better privacy capabilities.
It will have a consistent experience for citizens. <---starts new behavior
What is the business model for FCCX
- Cost reduction
- Agencies will/do subscribe
- Tired of paying for proofing vs. authentication again and again.
- Payment for Authentication.
Question: States? get involved?
- Legislation to expand
Struggling with attempts to integrate access via single ID
Citizen authentication strategy
others HHS (Health and Human Services)
Hurdle 1 - create place for 1 credential
Then 2 - accepting third party
requirements - verify eligibility.
Ken K. 700 Credential service providers
- not approached about getting $
Jims comment Agencies want Identity proofing - wants to be stateless
Tensions and Challenges - ID Resolution - Do I have right dataset?
As CSP (credential service provider)
They don't have all the attributes they need - even if we had moving them in back.
The way NSTIC coordinate ONC
TrustedID = better proofing of ID better security + privacy options
How same patient @one place is another place.
Inora Healthcare 3rd party private access - Google, MSFT.
Personal Health Records
What does that mean?
- how you do it?
Direct Protocol - well established
Digitally signed email
RESTful health exchange
Feature Speaker ONC
Awarded 12 pilots to catalyze 2 states 10 innovations
greatw ay to meet pilots
Round 3 is being announced in early fall.
Might have a 4th round.
Question to facilitate.
Market 2011 - when issue, where now?
OpenID Connect is the answer
of course privacy a lot of attention.
Real marketplace competition
Wanted to stimulate broad spectrum of identities to choose from. greater level of offering
In coming year - write framework requirments
Its a "round table" always looking for feedback.
2 schools of thought - credit agency, VRM Proofs
look at Scandinavian model
The truth about NSTIC - what is a trusted (verified) ID
Financial services - IDProofing/Authentication
They are different
Pilot in NY with Broadridge
IdP -> KYC
timeframework 2010-2011 IdP "do" everything
My thought while listening - what to do to create a real learning community
Power / Info Asymmetry
with IdP / AP / Relying Party
Why FB make change, fine grain
Indepth privacy assessment
one for internal / one for external
they are now enabling anonymous login - sell in aggregate form to the later
NSTIC language "unobtrusively" IdP
FCCX - double blind unobservability
still a lot to be done have consumers fully participate. In value of data
Privacy enhancing workshop series at NIST
Full value exchange
How to leverage against include services
changing user expectations