Session Topic: NSTIC 101
Notes-taker(s): Michael Lewis
Tags for the session - technology discussed/ideas considered: NSTIC, NPO, IDESG
Kaliya started off with a question: Why are you here at this session? What do you want to get out of it? Answers varied, but the general theme was “What is NSTIC and what is the status?”
- What's going on
- Security industry: smart cards and access control cards.
- Concerned with FICAM and NSTIC: lack of a physical security aspect.
- Not involved in steering groups.
- Digital rights people think he knows about NSTIC, so he wants to
- Thought NSTIC was a flawed strategy, want to see
- NSTIC after Snowden
- Involved with NSTIC, frustrated wants to discuss to make it better
- Don't know anything about NSTIC
- How does NSTIC make decisions
- Security Standards Committee: things not moving too fast; have functional models, want to try to push it forward (new session proposal?)
- Need update
- NSTIC office: want to know what people think, help correct misperceptions
- Did people get grants, and is that process working?
- Have proof of concept code
- Grant awardee: here to get best practices
New Session Plan: Not enough critical mass to have the "let's get real" conversation, so Kaliya is going to talk about history, state and what is NSTIC, and how to get involved.
FICAM: federal program; the goal is to support citizens logging in to agencies.
- After 9/11, mandate that all government employees and contractors need to be ID'd with interoperable systems.
- 12M IDs issued. Now how to do it for citizens?
- At the start of the first term, the Obama admin did a study: a national cyber-security review.
- Found that password reuse is a problem to be solved. Catalyst for engaging with the industry sector.
- Andy Osmit and Mike Garcia wrote a draft in July 2010.
- First draft published in April 2011
What is NSTIC about?
- passwords suck; how do we address it?
- reduce number of credentials
- use more single/federated sign on
Kaliya wrote a response to the backlash about "global ID"; problems that could be addressed:
1. normative rules and practices for everyday life
2. lawful intercept
3. creepy NSA stuff
NSTIC addresses only #1.
Government motivation for NSTIC:
- Each government agency can't issue its own secure ID/smartcard:
  - too expensive
  - everyone would have a chain of dongles
- ... but also a national ID isn't going to fly: Americans don't like it
NSTIC is a way to create a free-market solution that can be leveraged by government agencies.
Bonus: how to use the 12M government-issued credentials in the private sector.
Issues: legal liability, what is the bar for proof, how to be pseudonymous, etc.
Jim: Important to know that this is not a government initiative.
- It is a government-funded project that is led by the private sector.
- Now a 501(c) nonprofit.
[Perhaps for tomorrow: What do people _think_ NSTIC document says? Lot of different perceptions.]
Early NSTIC History:
National Program Office (NPO) launched. NPO to facilitate.
- See NSTIC.gov: there are three parts
  - 1 Federal Cloud Credential Exchange
  - 2 Pilot project awards, e.g.:
    - 2a Service awarded to SecureKey. Allows citizens to use a provider of their choice (Google, etc.) to access government services.
    - 2b Recent award to Michigan to do this at the state level.
  - 3 IDESG (Identity Ecosystem Steering Group) <--- this is what we're concerned with here.
- An NOI for governance was issued.
- David T came up with a charter & bylaws proposal to bootstrap it.
- RFP was issued for a Secretariat:
  - Trusted Federal chosen as Secretariat and awarded $2.5M to manage the bootstrap process.
- 14 stakeholder categories were created.
  - e.g. business & entrepreneurs, regulated industries, ID providers, unaffiliated, etc.
- Anyone can join the Plenary for free, and self-assert which category they want to join.
- Plenary elects:
  - management council (including Don, Kaliya, etc.)
  - chair of Plenary (currently Bob Blakley)
- Governance meeting had 270 people.
- Bit of a rush... so the stakeholder groups were solidified before there were even rules adopted by the plenary, before the management council was elected.
Goal output is: "Identity Ecosystem Framework". What is this?
Stakeholder groups don't really do much except elect people.
- Current state of IDESG (a.k.a. NSTIC, although that's not really technically accurate):
  - no overall plenary mailing list.
  - lots of individual mailing lists.
  - seems like mostly government contractors who have time to go to meetings.
  - weak diversity of participation:
    - e.g. disabled community, minority communities, immigrant communities, sexual minorities, religious communities (important for schools that implement IDs that some object to)
Trusted Federal ran out of grant money in Oct (was supposed to last until next Aug)
Q: What does Trusted Federal do?
A: Schedule/run meetings and plenaries, basic website, mailing lists.
Mgmt Council has no visibility into Secretariat's ops, budget, etc.
NPO will put out a competitive bid for funds to support the framework stuff.
Hopefully the 501(c) will win it... government _has to_ issue only competitive bids.
Undecided: how to fund this 501(c), re: corporate membership fees, personal fees, grants, etc.
- What is your recommendation for moving forward and improving the situation?
  - Look at Ken Klingenstein, who is doing good stuff. (Also an NSTIC pilot recipient.)
  - Look at Andrew Hughes & Tom S: also doing work in a similar area.
  - Both working on interop of Trust Frameworks.
  - Get the vocabulary / taxonomy figured out.
  - Define what a functional model is.
  - Engage with citizens: e.g. YouTube videos to get real-world use cases.
Q: Anyone on Mgmt council know how to do
- 1 NSTIC Notes site, including a functional model
- 2 idecosystem.org
- 3 @NSTICNPO twitter handle
- 4 NSTIC.gov
Q: where do we get more diversity?
A: e.g. go to La Raza, find a techie, and get them to commit staff to showing up.
Kaliya's magic-wand wish list:
- 1 Regional f2f meetings
- 2 Use professional community-building and synth practices