White House Releases Trusted Internet ID Plan

angry tapir writes "From the Computerworld article: 'the U.S. government will coordinate private-sector efforts to create trusted identification systems for the Internet, with the goal of giving consumers and businesses multiple options for authenticating identity online, according to a plan released by President Barack Obama's administration.'"

From TFA: "entirely voluntary"

[Anonymous Coward]

Just like a SSN.

Re:From TFA: "entirely voluntary"

[tripleevenfall]

My guess is this will go from "great, safe option" to "suggested" to "merged with your SSN and required" to "Used to search for and track 'potential domestic terrorists'".

Probably won't take too long either.

Re:From TFA: "entirely voluntary"

[darkpixel2k]

My guess is this will go from "great, safe option" to "suggested" to "merged with your SSN and required" to "Used to search for and track 'potential domestic terrorists'".

Probably won't take too long either.

How in the hell did you get rated 'Flamebait'?!? Seriously--Your Social Security Number went from being a 'social insurance' number, to your taxpayer ID, and now it's required pretty much everywhere--bank accounts, new jobs, car loans, doctors appointments, etc... ...and it started out with very strong language that it was *only* to be used for social security...

Re:From TFA: "entirely voluntary"

[AK Marc]

You don't have to give your SSN for a doctors appt or for a car loan, but don't be surprised if they refuse your business if you don't give it. After all, in a free market, if you don't want to give it, then some company would have come along and filled the niche. Invisible hand to the rescue.

Re:

[Man On Pink Corner]

(Shrug) With regard to security theater, most of what has happened since 9/11 could have been imagined by anyone watching the news that day. Bush may not have planned that little Reichstag fire but no administration in history would've let it go to waste.

The slippery slope fallacy is only fallacious in a logical context. People aren't all that logical, in case you haven't been paying attention.

Re:

[Jane Q. Public]

What most people refer to as the "slippery slope fallacy" is not even fallacious in most logical contexts!

Contrary to what many believe, the "slippery slope fallacy" is only a fallacy when something that is not a slippery slope is claimed to be. It has nothing at all to do with whether slippery slopes exist. They do.

The fallacy refers only to false accusations of slippery slope, nothing more. As such, it doesn't even deserve the title "fallacy", because false accusations of anything are logically faul

Re:

[markdavis]

+1 I wish I could mod you up because that is EXACTLY what I was going to say.

Obviously it will not be voluntary, except in the sense that you can choose not to do any online business/purchasing anymore. Once a system catches on, it won't be "optional" anymore.

Re:

[alphatel]

Just like a tattoo, except we'll all have "Trustmarkings"

Re:

[Anne Thwacks]

Cos no one can hack into US government computers, not even Gary McKinnon!

Re:

[Chaos Incarnate]

No, you have to give it to the IRS. And to local school districts - they won't enroll your kid without their SSN, but it's illegal to not enroll your kid.

Re:SSN is not voluntary

[jroysdon]

No, they cannot require your SSN for school. It is a hassle, but you can ask for an alternative ID number which they generate. Even for Federally funded things, even at college levels, you cannot be required to give your SSN (except for financial aid, but not just for regular admissions).

I sure wouldn't want to give my SSN at a school. It's statistically rather easy to get the first 5 digits, and so many places using the last four as some sort of ID method is ridiculous. I know I've seen plenty of colleges databases cracked and leaked containing student records - not to mention do you really trust the guy in charge of lab sign-ins with your SSN?

Identity fraud is so easy to commit these days. Most have their birthdays for the public to see on Facebook, etc.

Re:

[Imrik]

Before the college I went to started using unique IDs for their students, professors would often post grades using the last 4 digits of the SSN, in alphabetical order.

Let me guess

[calmofthestorm]

Requires Windows (tm) 7 (tm) Professional (tm) using an Intel (tm) chipset supporting a Trusted Platform Module (tm) with keys in escrow by the issuing authority.

Re:

[vuke69]

Too many (tm)s, I'll pass.

Re:

[DamonHD]

tmtm;dnr?

Re:Let me guess

[iluvcapra]

After reading the document, there really aren't any system requirements, specific technology or any kind of actual implementation, all it really does is set out some goals and establish a certain vocabulary. It's utterly anodyne and will probably die before being considered because it sets out concrete goals for private companies that handle identifying data:

Limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements;
Limit the use of the individual’s data that is collected and transmitted to specified purposes;
Be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification; and
Provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused

Surely this is the thin end of the wedge of tyranny.

Re:Let me guess

[jd]

Since all tyrannies require those tyrranized to still be breathing, oxygen is the thin end of the wedge to tyranny. (In other words, almost anything can be dual-purposed for "good" and "evil", so almost anything can be considered the thin end of some wedge or other. It renders that entire line of reasoning pointless.)

Re:

[iluvcapra]

* <------- sarcasm

Depiction of "you" elided for brevity.

Re:

[icebike]

After reading the document, there really aren't any system requirements, specific technology or any kind of actual implementation, all it really does is set out some goals and establish a certain vocabulary. It's utterly anodyne and will probably die before being considered because it sets out concrete goals for private companies that handle identifying data

Actually the more you read on it the evil less it sounds.

It requires on-device credentials (files, private keys, or some such).
It transmits no-passwords, instead using one-time keys calculated and negotiated for a single use.
It uses third party authentication.
It requires user control of exactly which data elements are to be shared.
Passwords would presumable be required to decrypt/access your own on-device credential cache.

So, basically you have something like Kerberos [wikipedia.org] where any number of different private/c

Re:

[dasdrewid]

Be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification; and Provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused

Considering we still haven't managed to do this for our electronic voting systems, I foresee a long future of this not happening if they actually put this in as one of the requirements...

Re:

[calmofthestorm]

All these services are available in the US, though they're not really secure at all. I've never been to a 711 in my life (it's a gas station right?) and do all my banking online.

Doing all your banking online

[tepples]

A 7-Eleven store is a small grocery store similar to the stores at gas stations, though I've never seen one with gasoline pumps in front of it.

If you do all your banking online, how do you deposit cash or checks that other individuals give you? Do you mail the checks, and buy money orders with the cash and mail those? And do you refuse to take any job that doesn't direct deposit your paycheck?

Re:

[calmofthestorm]

I've never been offered a job that didn't direct deposit my paycheck and I've been working since high school. BoA has a smartphone app for depositing checks by taking a picture, and usually I just hand off cash or keep track of debts on whiteboards/Google Docs with my friends and take turns paying. Never heard of a money order except on those cheesy TV informericals. I got my first checking account earlier this year. Move money around from various accounts via HSBC online. They even have an option to pay so

Re:

[Ihmhi]

Never heard of a money order except on those cheesy TV informericals.

Money orders are quite simple and straightforward. They're like checks, except you pay a (small) fee to actually use them. My mom still refuses to get on the online payment bandwagon and pays our power bill and whatnot thusly. Example:

1) Go to a store that doles out money orders. Most supermarkets that have Western Union and the like can also process money orders.

2) Tell them the amount and the recipient, i.e. "Power Company" for $56.83.

3) A money order, along with a receipt, is printed up.

4) Detach the rec

Re:

[zippthorne]

I believe there are apps out there for a few banks that let you take picture of a check with your smartphone, and it registers it and deposits it.. I'm not sure if it works for personal checks, though, but who uses those any more?

Re:

[tepples]

I'm not sure if it works for personal checks, though, but who uses those any more?

People who have been paying utility bills for decades by mailing a paper check. I've got a couple in my family.

And how else does one person pay another person through the mail, such as money included with a birthday card? Most individuals don't take credit cards. Or have gifts included with birthday cards moved to Walmart gift cards? Or have people stopped celebrating birthdays [spotlightm...ies.org.uk] where you live?

Re:

[nschubach]

I'm not a Jehovah's Witness, but our family has pretty much never celebrated birthday's and other holidays (except Christmas). My parents (who are on again/off again Christian religious) visit me on mine and we go eat, but my brothers and I do not do anything besides Christmas... and that's good enough for me.

Re:

[Gerzel]

Depending on the field you wouldn't be refusing much.

Direct deposit is a fairly standard option and is even available to many small businesses.

Re:

[ZankerH]

People still use checks? I haven't seen one since the mid-90s, and I've had the displeasure of holding jobs that involved handling other people's money for most of that time.

Re:

[Sporkinum]

Any time a business or utility charges a fee for electronic payment, you can bet they are going to get a check from me. .44 cents beats the $5 or so they charge for electronic payments. Same thing with efiling state taxes. If the state wants me to efile, make it cheaper than .44 cents. Right now, it's between $10 and $20 to efile depending on who does it.

Re:

[Pax681]

A 7-Eleven store is a small grocery store similar to the stores at gas stations, though I've never seen one with gasoline pumps in front of it.

i was in Denver last october/november and there were 711's aplenty with pumps in front bud.

maybe it just depends on your locale

eBarter a bag of eggs for a box of apples?

[Hognoxious]

If you do all your banking online, how do you deposit cash or checks that other individuals give you?

If he's accepting payment by such archaic methods then by definition he isn't doing all his banking online.

Re:

[tepples]

Then please allow me to rephrase: How do you do all your banking online if the people with whom you trade don't do all their banking online?

Deposits for banks with no ATM in town

[tepples]

if you get a cheque, you go to an ATM at the bank and deposit it

ATMs in my town won't take deposits for other banks, including online-only or otherwise out-of-town banks.

Re:

[QuoteMstr]

Most banks let you make deposits by mail [citibank.com].

It is not wise to mail cash

[tepples]

It is not wise to mail cash. Or did you mean go to the post office and buy a money order? Or did you mean spend all the cash people give you on grocery store gift cards?

Re:

[calmofthestorm]

You backward canucks still get your slurpees in stores? In America we order and enjoy them online! No need to leave the sofa and no mess.

What money transfer fee?

[tepples]

We just transfer money between accounts securely, conveniently and relatively speedily.

You didn't say cheaply. How much do the source bank and destination bank charge for each such transfer?

Re:

[tepples]

I just checked my account, and it turns out that Chase Bank in the United States also appears to offer Chase QuickPay. But until the price of mobile Internet access falls precipitously from its current luxury rate, how would one send money to someone else while away from the Internet?

Re:

[tripleevenfall]

I think one point of this "service" is that it will lay the groundwork for the government to tax the internet without having to go through the legislative process. At least not until they are just one step away.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Hognoxious]

At least you can still post to slashdot anonymously ... for now.

Re:

[michelcolman]

So you haven't used any checks since sometime in the 90's?

I can say I haven't, except when dealing with American companies. Here in Belgium, electronic transfers are free, and we can even attach a message. Want to pay your friend $10 for next weekend's barbecue? Just ask for his account number, transfer the money and add "Looking forward to the barbecue, great idea!" as a message. No need to say it came from you, he'll get that information automatically. To pay bills, just add the bill number as a message.

Re:

[calmofthestorm]

Thing is the GNU foundation doesn't make large contributions to various political campaigns, so it's products aren't MSXZYJLAMP certified.

Re:

[mrnobo1024]

Why is it that this is common knowledge on /., yet this seems never to end up on the nightly news shows?

The corporate media isn't going to educate the masses about our system of legalized corruption, because they benefit from it more than anyone. Not only are they giving bribes (and get laws like the DMCA passed in return), but they are also indirectly a beneficiary of them (expensive campaigns = more demand for TV advertising time = more money for the media co.'s)

Oooh I know!

[Haedrian]

Lets give controls of the keys to the Homeland Security.

I'm sure we can trust them with our internet.

Re:

[slashqwerty]

Lets give controls of the keys to the Homeland Security.

Or better yet, farm the whole system out to several private companies like the proposal calls for.

I'm sure we can trust them to protect our freedoms.

Re:

[QuantumRiff]

I'm sure it will be just as horrible as the Arpa-net was.. Oh, wait..

Taxes, spying, control.

[assemblerex]

Items purchased with trusted ID: Washing machine, PS4, Glycerine, Shower tiles cleaner (flagged combo).
Taxes due on purchases $156.00. Forwarding purchase of glycerine and acid product to FBI for examination.

The format

[TheSpoom]

The format of the Trusted ID will be a nine digit number, separated into three groups by dashes...

They need to use the right statistics

[chimerafun]

This is just another step in the governments plan to control our online lives. John Locke states that the reason for this plan is that 8.1 million people were victims of identity theft in the US last year. What he fails to mention is that only 11% of that 8.1 million were internet or technology related while over 43% were due to theft of purse or wallet, another large chunk were the result of dumpster diving or other unsavory methods.

Re:They need to use the right statistics

[iluvcapra]

What he fails to mention is that only 11% of that 8.1 million were internet or technology related while over 43% were due to theft of purse or wallet, another large chunk were the result of dumpster diving or other unsavory methods.

It works both ways though: you can create an online account or forge the identity of someone else with nothing more than what is in a wallet. People dumpster dive or steal wallets, and then use the Internet to create false accounts with the information in a wallet or discarded credit application. The problems with validating identity allow a thief to turn a stolen wallet into a stolen identity, this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers, or requiring three-factor auth for credit transactions.

The document in the TFA proposes no central repository or government database, and proposes a private system that's only regulated by the government to prevent fraud and set minimum standards. Your characterization of the proposal is a strawman.

Re:

[Kjella]

this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers

Governments are very two-faced on this one, on the one hand they get their panties in a bunch about it yet on the other hand they require it in so many places. Here in Norway I have a unique id assigned to me by the government. Employers report income to the authorities for income tax, so all HR positions have to have it. I can't open a bank account without one. I can't trade stocks or funds without one. Car registry, property registry, pretty much every registry that requires a unique id uses it. There's a

It's not a secret, don't use it to authenticate

[js_sebastian]

this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers

Governments are very two-faced on this one, on the one hand they get their panties in a bunch about it yet on the other hand they require it in so many places. Here in Norway I have a unique id assigned to me by the government. Employers report income to the authorities for income tax, so all HR positions have to have it. I can't open a bank account without one. I can't trade stocks or funds without one. Car registry, property registry, pretty much every registry that requires a unique id uses it. There's a central registry that I have to report in when I move, so I get all the local voting rights, pay the right local taxes and so on. Even the card that gives me 3% off at the grocery store and pays out when it reaches a certain amount has to have that ID, because even those 20$ are reported to the government as my asset. Along with audit requirements that means many, many people past and present have to know it. That it's also written on my drivers license in my wallet is the least of my worries. Of course the explanations are all the usual ones, tax fraud, money laundering, mistaken identities and so on. Fair enough but you can't both have your cake and eat it too, if so many people know it then it's not a very well kept secret.

It's not a secret, well kept or otherwise, anymore than your date of birth is. But I am pretty sure that someone cannot create a bank account or get a credit card in your name just because he has found out that non-secret number. The problem they have in the US is that with no national id and with many people not having a passport, companies resort to all sorts of bizarre things to identify people (including the social security number, which was never meant for that purpose, or absurdities like your mother'

Re:

[icebike]

>It works both ways though: you can create an online account or forge the identity of someone else with nothing more than what is in a wallet. People dumpster dive or steal wallets, and then use the Internet to create false accounts with the information in a wallet or discarded credit application. The problems with validating identity allow a thief to turn a stolen wallet into a stolen identity, this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers, or requiring three-factor auth for credit transactions.

The document in the TFA proposes no central repository or government database, and proposes a private system that's only regulated by the government to prevent fraud and set minimum standards. Your characterization of the proposal is a strawman.

Exactly right. At least Somebody here gets it.

Furthermore even if a stolen wallet is used to create an identity, they couldn't use it to access your bank account, because your bank already knows that this account is locked by a different authenticated identity. You can easily prove you didn't order those 15 60-inch TVs because its not your Secure ID.

So many people here rush to judgment. Or worse, the decry this effort while propping up PGP, not realizing that it is essentially the same thing, with a mor

Re:

[imamac]

The REAL John Locke would not approve of this.

Fantastic.

[fuzzyfuzzyfungus]

Remember how we were just talking about the nasty, gaping, holes in the practice of using CAs to verify SSL certs? How the CAs were largely rent-seeking incompetents with strong market incentives to do inadequate verification while simultaneously trumpeting their security? How there were just too many of them, and a compromise at any served to threaten the security of all SSLed connections?

Well, yeah, that kind of sucks because this plan looks very similar: Some kind of public/private key system, with mu

Re:

[jd]

It depends on the details, none of which exist yet. The theorietical benefit of a quango is that because they can get some/all income via taxes, they should be able to do a better job. Market forces dictate that a private company can NEVER do a better job than the market will bear and it is clear from the multitude of SSL disasters over time (I'm including Verisign's handing out of Microsoft's private keys in the early days) that the market won't tolerate quality work at all. A quango has no such limitation

Re:

[iluvcapra]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"the organizational/economic incentives side of this is pretty much certain to be totally, utterly fucked"

The two ways you can approach incentives are (1) make the penalties for data breaches much more severe, to the extent that private companies that keep personal data must safeguard it, and (2) make a bunch of rules that govern how personal data can be collected and used, how much information you need in order to consider a transaction bona fide. Both have thei

Voluntary? LOL

[Glarimore]

It's going to be "voluntary", but soon enough legislation will be passed that makes it so "questionable websites", such as those associated with porn, will be mandated to require an Internet ID for age verification. And simultaneously the government will know what kind of porn you like to look at and can blackmail you whenever they see fit.

Re:

[vlm]

It's going to be "voluntary", but soon enough legislation will be passed that makes it so "questionable websites", such as those associated with porn, will be mandated to require an Internet ID for age verification. And simultaneously the government will know what kind of porn you like to look at and can blackmail you whenever they see fit.

You would think the nice heroically ethical guys at the ISPs and/or CC companies and/or tracking and marketing companies would have thought of this money making business model a long time ago... The lack of (known) implementations of this business model, indicates something about its likelihood of success.

Unrealized potential?

[fahrbot-bot]

From TFA:

Because of online fraud, many people don't trust the Internet, Locke added. "It will not reach its full potential -- commercial or otherwise -- until users and consumers feel more secure than they do today when they go online,"

Yes, the Internet has been a pretty big failure so far. :-) What more "full potential" he's talking about?

it's optional

[hugg]

Don't worry, they point out that use of the system is completely voluntary. Just like owning a mobile phone or participating in interstate commerce.

Re:

[TheGratefulNet]

I don't own a mobile phone.

really. no kidding.

I'm online almost all the time when home. what is it with you kids (...) that you have to be 100.0% online?

I have no phone; especially not a 'smart' phone. look how much time and aggrivation I've saved, not to mention I own a lot more of my private life. the less it leaves traces here and there, the more privacy I keep. I like that.

you enjoy your little phone, there. I'll enjoy my peace of mind and the extra $1k a year I am saving.

Direct link

[vlm]

Rather than hittin a journalist site, go direct to the source at

http://www.nist.gov/nstic/ [nist.gov]

You can trust this isn't a rickroll or a goatse because I'm usin' my trusted internet ID of VLM

The headline made me expect a detailed bit level cryptoanalysis of the new protocol complete with flowcharts, etc. Instead it seems to be the tech equivalent of a bunch of hippies high on weed sitting around a campfire and curing all the worlds ills by talking about them.

More like "whitehouse releases a plan to create a plan for a trusted internet ID plan"

Re:

[icebike]

Instead it seems to be the tech equivalent of a bunch of hippies high on weed sitting around a campfire and curing all the worlds ills by talking about them.

More like "whitehouse releases a plan to create a plan for a trusted internet ID plan"

Oh, climb down.

There has to be a start somewhere.

'the U.S. government will coordinate private-sector efforts to create trusted identification systems for the Internet

.

What part of that don't you understand?

Businesses are eating billions in credit card fraud every year. This is long overdue.

Re:

[vlm]

What part of that don't you understand?

What they're plotting will not work for various basic computer science and security fundamental reasons, over extremely well trodden ground where success despite those odds would be staggeringly profitable and implementation would seem to be simple and cheap, thus extraordinary ROI, if it were only possible. Its the waste of time and money and/or security theater aspect that I don't understand or find very useful.

Its "the internet" so people just nod their heads and defer to the experts. If it were an ind

Uses advanced protection technology.

[140Mandak262Jamuna]

Most people are familiar with the out dated ancient technology used by most computer users. The username + password system. Basically any one can know your username. But only you know the password. That is the basic idea of protection in this system. Cyber security experts are nearly unanimous in saying this does not provide for adequate security. So the new system has been founded on a fantastic new paradigm

It completely dispenses with the password. It is your responsibility to protect your username. If anyone from Nigeria to Nantucket know your identification code, it means they are authorized to do any financial transaction on your behalf. This breakthrough technology makes it possible for the people creating new and exciting contracts under 409 clause to not only draw money from your bank, but also from your brokerage account, and also change your network log in id and to rearrange your netflix queue and use ftp to open your garage doors Imagine! The New possibilities!

i trust myself...

[FudRucker]

what i dont trust is the internets.

Typical

[Anonymous Coward]

Sounds about right for liberals. You have to have an ID to use the Internet, but not to vote.

Catch-22

[NiceGeek]

People complain about identity theft, people complain about efforts to verify ID.

Re:

[Noughmad]

To summarize the summary of the summary:

People complain.

Re:

[nschubach]

The only people I've seen complain about identity theft were on TV in a commercial for the company selling identity theft protection.

Re:

[NiceGeek]

Must not read much /. then.

It's not that it will fail; it's already failed

[Arrogant-Bastard]

There are, at current best estimate, at least 200 million fully-compromised systems on the Internet. That number has been monotonically increasing for most of a decade, and there is no reason to expect that trend to change. (And many reasons to expect it to continue.) Not all of those are in the US, of course, but a lot of them are. This is turn means that any credentials present on those systems are now the property of their REAL owners, not the people who mistakenly believe they own them. Which means that even if such a universal ID system was properly designed (unlikely) properly built (unlikely) and properly deployed (extremely unlikely) that its first major effect will be handing over a large number of those IDs to The Bad Guys. The second major effect will be providing major incentives to The Bad Guys to compromise more systems, as the value of such increases with both their usefulness and the value of the data stored on them. The third major effect will be providing major incentives to The Bad Guys to go after any system where these IDs are stored or used, since they now have widespread usefulness, not just localized usefulness. They will be successful some of the time, of course, and we will once again get to hear the refrain of the professional liars who call themselves "spokespeople", as they solemnly intone "Nobody could have foreseen..." I think the biggest usefulness of this scheme will be filtering: anyone supporting it is clearly marking themselves as a security imbecile, should be fired on the spot, blacklisted for life, and never permitted to speak in public again on the topic of security. That won't happen of course. They'll get bonuses. That's how we reward sufficiently grandiose failure in this society.

Re:

[Aldenissin]

Please user paragraphs, it makes it easier to read/parse, thanks!

Exactly, if they wan't to plan to do something, how about educate about sound security period. I don't care if Microsoft employs 88,000 people. What is the opportunity cost in feeding their monopoly to society and business? Competition is a good thing. We need the government to push things open things like Linux, and in time even better will come along if everything is not so regulated to death, allowing for other monopolies to rise up.

all the talk about it being voluntary will stop

[superwiz]

as soon as you'll need to use it to pay taxes. Many of the taxes that are collected are collected not to keep revenue stream going but to ensure that the information records keep flowing. As soon as you can't pay your taxes online without one of these, it will be over. Since the burden of preparing taxes only keeps going up, most people will gravitate towards the electronic solutions which assist in tax-record preparation. Using this thing will be seen as just part of the cost of doing business.

Public-private partnerships

[Curunir_wolf]

The new version more explicitly emphasizes that the private sector will drive forward the trusted ID market, with government playing a coordinating role, administration officials said.

In other words, it's a Mussolini-style Fascism model.

Consumer participation in trusted ID technologies will be voluntary, they added.

Because nobody is going to force you to use a bank, shop on-line, or send email that will actually make it to somebody else's inbox. Sorry about all those on-line government services that you won't be able to use. You can always hike to one of the brick-and-mortar offices and present your papers in person.

Re:

[iluvcapra]

Because nobody is going to force you to use a bank, shop on-line, or send email that will actually make it to somebody else's inbox. Sorry about all those on-line government services that you won't be able to use. You can always hike to one of the brick-and-mortar offices and present your papers in person.

Freedom isn't free. If you really want to live a life unfettered by a verifiable identity, that choice has real consequences for the sort of lifestyle you can enjoy, the sort of trust others will be will

Re:Public-private partnerships

[Curunir_wolf]

Because nobody is going to force you to use a bank, shop on-line, or send email that will actually make it to somebody else's inbox. Sorry about all those on-line government services that you won't be able to use. You can always hike to one of the brick-and-mortar offices and present your papers in person.

Freedom isn't free. If you really want to live a life unfettered by a verifiable identity, that choice has real consequences for the sort of lifestyle you can enjoy, the sort of trust others will be willing to grant you, and the sort of financial transactions people will be willing to make with you.

I currently have a verifiable identity that I can use to do all of those things. And I don't have to be "coordinated" with some government bureaucracy in order to do it.

This isn't about solving a problem, it's about gaining more power and control for the central authorities and global corporations. It's really very transparent. There are much better ways to deal with identity theft than a draconian central planning scheme dreamed up by fascist partnerships.

Why not ?

[Yvanhoe]

Having a way to authenticate a person as unique is a missing brick in many web applications, especially all the voting applications. I see it as a good thing and I have a hard time seeing how such a tech makes bad scenarios more likely.

Re:

[vlm]

I have a hard time seeing how such a tech makes bad scenarios more likely.

Think about a MITM attack implemented serverside on a weak server, proxying thru to a 3rd party strong server. The most secure system that uses a global auth system can only be as secure as the least secure system in the universe because the least secure system can get owned, have a MITM proxy stuck on it that talks to the most secure system.

In even more detail, spelling it all out ... the "small town journal" newspaper installs global auth so letters to the editor cannot get forged in someone elses name,

RSA Out of Business?

[laing]

If you extend this policy to all businesses and persons then everyone will have a trusted identity and there will no longer be a need for costly server certificates on web servers. If this is true then I will support the adoption of this "Trusted Internet ID" plan. Alternatively, if this is just another "bolted on" form of security that still requires the legacy RSA certificates, I will not support this plan.

I strongly doubt that the Obama administration would be willing to push a plan that eliminates t

Sadly, I trust Verified by Visa more

[Shivetya]

I trust VISA and my bank more than I trust my government. I will keep voting my conscience and hopefully one day that will work out.

Re:

[vlm]

I trust VISA and my bank more than I trust my government.

In a corporatocracy or fascistic capitalist system like ours, those two have merged together. Like saying you trust your right hand more than your left hand, or your political party is more trustworthy than the other political party, or like saying the fry cook is a much better cook than the burger flipper cook at your local mcdonalds. So that statement logically simplifies to ... nothing.

Hmm...

[fuzzyfuzzyfungus]

Arguably, "Identity" is the wrong target(or, if you think that it is the right target, I consider your motives suspect) for many applications:

"Identity" is a polite euphemism for a lot of personal information. For most purposes, it is utter overkill to achieve legitimate ends. Say that I'm buying some booze online. You don't actually need to know my name, age, appearance, etc, etc. You simply need to know that my age > legal age and that my payment is valid. To log into an email account, you don't nee

Re:

[vlm]

Say that I'm buying some booze online. You don't actually need to know my name, age, appearance, etc, etc. You simply need to know that my age > legal age and that my payment is valid.

You also need to verify the shipping address is linked to your id, and not some teenagers address. Security; its always harder than it appears.

There are about eighty zillion other "straw buyer" attack scenarios using valid auth credentials. There are also many orders of magnitude more "straw buyer" attacks that are possible with faked / stolen / impersonated / coerced auth credentials. At least some of those attacks can not be prevented, but can be tracked down afterwards, given "lots of info".

There is s

Yeah, I don't think so....

[thestudio_bob]

I have a hard time trusting a proposal like this that comes from an administration that includes a lot of former RIAA and MPAA associates.

Who benefits from this?

[glebovitz]

I just want to point out that private industry created the credit reporting service, and now I have to spend money to protect my interest against the shoddy practices of this industry. I don't think it is that fact that people will commit fraud that worries me, but the poor practices that the industry follows that provides no protection against fraud.

The creation of a government credit ID that has anti-fraud measures might be the first step in battling this issue. The second step would be making the credit

Single. Point. Of. Failure.

[w0mprat]

What I like about the current mess of different usernames and passwords for different sites, entrust card, RSA tokens etc is that any identity theft is likely to be rather limited. With a Internet ID plan it makes it possible for someone to take an entire identity in one hit, along with all your money and likely better lock you out of getting it back.

This is going become prime target for identity theft, I can tell by the lack of language even acknoledging security issues let alone addressing how it may be kept safe.

Re:

[fuzzyfuzzyfungus]

Never going to work while the security of home PC's is Swiss cheese.

Not to worry. Palladium, er, I mean the 'Next Generation Secure Computing Base', er... umm... the 'Trusted Computing Group' will save us from that(and the evils of piracy and software that isn't signed by Verisign!)

Re:

[sakdoctor]

but at least they know if the signature block isn't there. It is not from me.

Yeah, I do something similar.

^_^

Re:Trusted ID

[icebike]

And sadly, this solution wont prevent that from happening in the first place. More tax dollars to waste.

Except there are very little tax dollars involved. The effort is to be largely private.

And if you needed secure credentials to get into your yahoo account, it would certainly go a long way toward preventing it from happening in the first place. Previously all they had to do was guess your (weak) password. With this, they would need certificates/keys stored on your computer AND your password to unlock these.

Even now you can set a switch in Gmail that insists all access to it be via ssl so that your password never travels over the net in cleartext. This might be even better than that option, as one-time keys can be negotiated of any length which would be unique for each session.

However, login is not the focus of this effort. Banking and on-line purchases are.

Re:

[vlm]

I just RTFA... and the only question that comes to mind is.... HOW IS THIS ANY DIFFERENT THAN OPENID ?!

Let me give you a little analogy here, you know how your average high tech redneck installs drupal with a little apt-get install (more or less) but a govt install of a drupal site costs the govt $50M in consultative fees?

Well, yer average high tech redneck would implement openid with a little "apt-get install libopenid-ruby" and, admittedly, some hours spent running vim, but this here is gonna cost the govt about $50M in consultative fees.

Re:

[icebike]

OpenID may in fact server as a model for this one, but since this effort is just getting underway, no one can tell you how it is different, at least not until the first draft is out.

Its like asking how your yet to be conceived child will be different than your younger brother before you've even reached puberty.

Re:

[psithurism]

If people can't see this: http://msgboard.snopes.com/politics/graphics/birth.jpg [snopes.com], realize that birth announcements were made in the local papers, and notice that multiple agencies have put investigating it's legitimacy and found it real, then no amount of convincing that trustedID is trustable is going to convince them.

If I have to bring at least two newspaper articles, several sworn officials, several in depth investigations and court rulings in support of my identity to prove myself for an amazon purchas

Re:

[superwiz]

Right. So wedding announcement is enough to file for divorce? Or do you actually need a legal document like a marriage certificate? How about posting a necrology in a newspaper? is that enough to claim an inheritance? Or maybe you should get a death certificate first? Most people do think he was born in Hawaii. What irritates people is this arrogant attitude that he is above the law. That he is special and doesn't have to show his papers. At least Bush and Clinton tried to claim executive privilege

Re:

[superwiz]

First of all, the link you give is broken. And 2nd, enough playing of these games. He is not being asked to prove a negative (as you suggest). No one is asking him to provide evidence that he never molested children. Simply put the original of a historical document in national archives. It's not that big a request to produce that big a controversy.

Re:

[Compaqt]

Remember the days when only dictatorships required "Internet drivers licenses" to access the Internet?

Re:

[icebike]

SSH, and Kerberos have been compromised multiple times, and rapidly fixed each time.

If its open source, even if your Ebay account is compromised, all they get is your Public Key and an encrypted file full of gibberish.