NSTIC – Update From NIST and Roundtable

From IIW

Session Topic: NSTIC: Update from NIST & Roundtable

Tuesday 4E

Convener: James Sheire

Notes-taker(s): Kaliya Hamlin

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

NSTIC = National Strategy for Trusted Identities in Cyberspace


It is the National Strategy to form an Ecosystem ~ where people can voluntarily choose an ID and log in.


Privacy, Interoperability, User-Friendly, More Secure ---> Users have to create dozens of accounts.


Problems it seeks to address - Re-Use over and over of passwords.


They (the NPO) are facilitating a private-sector-led group.

The purpose is to create the policies, rules and standards and framework that governs the interactions in the ecosystem.


Getting Federal Government programs to be early adopters and use 3rd-party credentials.

Access to government services, file a medicare claim.


FCCX (pronounced F6): service users log in with approved credentials. Choose from IdPs that are approved.


Q: Do any of them let them control their ID?

A: At higher level of assurances must have it be bound.

Vouch for Individual


What about allowing users vouch self where the individual holds externally vouched for attributes?


Dialogues will emerge on different efforts.

LOA - 1, 2, 3, 4


Digital Certificates of Proof


The hardest part is the business process - record keeping etc.


Robin: HIS model where brokering system where credentials themselves come from bank.


Update: become independent entity with its own capabilities. 501(c)(3)

  • -comment from crowd - "so it is a charity"


IDESG will have funding through Grants


FCCX (USPS) (Contract with SecureKey) to build the HUB - processes for ID and for departments who will plug in.

It has better privacy capabilities.


It will have a consistent experience for citizens. <---starts new behavior


What is the business model for FCCX

  • Cost reduction
  • Agencies will/do subscribe
  • Tired of paying for proofing vs. authentication again and again.
  • Payment for Authentication.


Question: States? get involved?

  • Legislation to expand


Struggling with attempts to integrate access via single ID

Citizen authentication strategy


Virginia DMV

others HHS (Health and Human Services)


Hurdle 1 - create place for 1 credential

Then 2 - accepting third party


requirements - verify eligibility.


Ken K. 700 Credential service providers

  • not approached about getting $


Jim's comment: Agencies want Identity proofing - wants to be stateless


Tensions and Challenges - ID Resolution - Do I have right dataset?


As CSP (credential service provider)


They don't have all the attributes they need - even if we had moving them in back.


The way NSTIC coordinate ONC

see potential


TrustedID = better proofing of ID better security + privacy options


How same patient @one place is another place.


Inora Healthcare 3rd party private access - Google, MSFT.

Personal Health Records


"Tools"

What does that mean?

  • Standards?
  • how you do it?


Direct Protocol - well established

Digitally signed email

RESTful health exchange


Feature Speaker ONC


Awarded 12 pilots to catalyze 2 states 10 innovations


NSTIC.gov

great way to meet pilots

Round 3 is being announced in early fall.


Might have a 4th round.


Question to facilitate.


Market 2011 - when issue, where now?


Mobile Device

OpenID Connect is the answer

of course privacy a lot of attention.


Real marketplace competition

Wanted to stimulate broad spectrum of identities to choose from. greater level of offering


In coming year - write framework requirements

  • work
  • intention
  • resources


It's a "round table" always looking for feedback.


2 schools of thought - credit agency, VRM Proofs

look at Scandinavian model


The truth about NSTIC - what is a trusted (verified) ID

Financial services - IDProofing/Authentication


Three aspects

  • Session
  • Authentication
  • ID

They are different


Pilot in NY with Broadridge

IdP -> KYC

  • attribute
  • exchange
  • networks


timeframework 2010-2011 IdP "do" everything


My thought while listening - what to do to create a real learning community

Power / Info Asymmetry

with IdP / AP / Relying Party


Why FB make change, fine grain

Indepth privacy assessment

one for internal / one for external


they are now enabling anonymous login - sell in aggregate form to the later


NSTIC language "unobtrusively" IdP


FCCX - double blind unobservability


still a lot to be done have consumers fully participate. In value of data

Privacy enhancing workshop series at NIST


Full value exchange

How to leverage against include services

changing user expectations