What's Going On With NSTIC? Pilots! Steering Groups! - (1A)
NSTIC Update & Identity Intro (1A)
Convener: Jeremy Grant
Notes-taker(s): Allan Friedman
Tags for the session - technology discussed/ideas considered:
NSTIC, federal, DoC, pilots, grants,...
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Not NSTIC 101
Good news: lots going on
- Funding! - $16.5 M
Bad news: Lots going on slowly
- Inter-agency review
Steering group
- Privately led, with some govt funding
- Still in review
- Look for an organization to convene the group by application
- Goal: want all stakeholders involved
- Ideally open to everyone who wants to participate
- Want to impose some structure, but don't want to hand-choose
- Govt as one stakeholder at the table, albeit an active one
Staffing up - 6-7 hires
$10 NSTIC pilot program
- Focus on testing & demonstrating new ideas, not in the market place today
- Begin with motivation for govt involvement- market failure, lack of standards
- Objectives - primarily non-technical barriers
- Multi-sector
- Public-private partnerships
- Establish consumer demand
- liability clarity
- privacy-enhancing tech in business models
- interoperability across different niches
- user-centric frameworks for attribute exchange
- trust frameworks with multiple RP
- New interfaces
- Usability --> consumer uptake
- Role of public sector for improving private sector adoption
- RFP in early Feb
- Potential 2-step process to allow NSTIC to select more promising proposals for full applications
Explicitly NOT about purely technical solutions - we have those
Q: Role of Chamber of Commerce?
A: Hosted the launch, but not involved more than an interested stakeholder
Don Thibodeau - The broad perspective
- Takeaway - action-forcing events
- Different areas of activity
- Smart cards tying physical with information architecture
- UMA enabling interoperability of data ecosystems
- OASIS working on trust elevation
- How attributes are verified & exchanged for risk
- User-driven assertions vs. automatic attributes
- Defining the terms - ABA vs. other
- Attributes are actionable, definable, monetizable
- List of organizations
- NIST - NSTIC, standards
- Open Identity Exchange (OIX) - trust frameworks for the exchange of attributes
- Can customize for different communities & use cases
- InCommon
Going to see a top-down & bottom up merge
- Common standards between competitors
Q: Will trust frameworks certify?
A:
- See Kaliya's diagrams of protocols & organization -
- Focused on Discovery
- Another on the evolution of community
- Eve - "venn of identity" and others
Alphabet soup
- Open Web Foundation -
- W3C - Fed Soc Web, Browser ID
Shift between identity and management of attributes
Notes-taker(s): Ross Foard
Got funded with 16+ M in 2012
I establishing a Steering Committee
Next 45 days will release details
$10M on a grant next 45 days
Pilots that can demonstrate real pilots
Products and Frameworks that are not in the marketplace today
Government role in NSTIC is that Market has failed to solve Identity and Privacy
Challenges
Gov't may be able to help overcome this
No clarity on liability
Monetizing transactions
Common standards for privacy protection and data reuse
How to engage user in permissions granting use
Interoperability has high assurance level has been a challenge
Pilot objectives
1. How to demonstrate feasibility of identity eco system across domains and providers
2. How to demonstrate both public and private sectors in lieu of passwords (ID Exchange Hubs)
3. How to create solutions that have inhibited strng credentials adoption
4. ID framework that provides assurance on liability
5. Strong set of user centric privacy protections
6. Demonstrate privacy enhancing technology
7. Demonstrate interoperability across solution stacks
8. Demonstrate attribute exchanges
9. Expand use of trust credentials
10. End user choice in adopting and using technologies
11. Advancement in usability and interoperability
12. Public sector entities to prove id to private sector parties
Government RFP will be a Statement of Objectives, and a response and reward
Perhaps a two step process of the issuance of the grants for the Private sector
To be on steering group what does one have to do
1. Everyone should be able to participate on the working group
2. Don't want to hand choose participants
3. Want this to be private sector lead
4. Set up a .com or .org and not government run
In private sector pilot will try and address non-technology issues
Make things that would not otherwise be done
What is the output of these working groups?
Solutions that could transition from pilot to practice
What is the long term relationship between your office and steering group?
Can't answer that at this time, going under review
We would find discrete period of time and then transition to the private sector
IDTrust conference
NIST has been running for 8-9 years
Thought was to have the IDTrust to reconcile with the NSTIC
Will be focused on topics of wider interest
March 11-12-13-14 somewhere in there
Go to id commons website as an aggregation site to find topics across the space
Chamber of Commerce hosted the launch
They are one of many interested parties
Have not been asked to do anything