
White House Releases Trusted Internet ID Plan

Posted by samzenpus
from the I-feel-safer-already dept.
angry tapir writes "From the Computerworld article: 'the U.S. government will coordinate private-sector efforts to create trusted identification systems for the Internet, with the goal of giving consumers and businesses multiple options for authenticating identity online, according to a plan released by President Barack Obama's administration.'"
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Sunday April 17, 2011 @01:10PM (#35849066)

    Just like a SSN.

    • by tripleevenfall (1990004) on Sunday April 17, 2011 @01:43PM (#35849336)

      My guess is this will go from "great, safe option" to "suggested" to "merged with your SSN and required" to "Used to search for and track 'potential domestic terrorists'".

      Probably won't take too long either.

      • by darkpixel2k (623900) <aaron@heyaaron.com> on Sunday April 17, 2011 @08:38PM (#35851604) Homepage

        My guess is this will go from "great, safe option" to "suggested" to "merged with your SSN and required" to "Used to search for and track 'potential domestic terrorists'".

        Probably won't take too long either.

        How in the hell did you get rated 'Flamebait'?!? Seriously--Your Social Security Number went from being a 'social insurance' number, to your taxpayer ID, and now it's required pretty much everywhere--bank accounts, new jobs, car loans, doctors' appointments, etc... ...and it started out with very strong language that it was *only* to be used for social security...

    • by markdavis (642305)

      +1 I wish I could mod you up because that is EXACTLY what I was going to say.

      Obviously it will not be voluntary, except in the sense that you can choose not to do any online business/purchasing anymore. Once a system catches on, it won't be "optional" anymore.

    • by alphatel (1450715) *
      Just like a tattoo, except we'll all have "Trustmarkings"
  • Let me guess (Score:2, Insightful)

    Requires Windows (tm) 7 (tm) Professional (tm) using an Intel (tm) chipset supporting a Trusted Platform Module (tm) with keys in escrow by the issuing authority.

    • by vuke69 (450194)

      Too many (tm)s, I'll pass.

    • Re:Let me guess (Score:5, Insightful)

      by iluvcapra (782887) on Sunday April 17, 2011 @01:27PM (#35849214)

      After reading the document, there really aren't any system requirements, specific technology or any kind of actual implementation, all it really does is set out some goals and establish a certain vocabulary. It's utterly anodyne and will probably die before being considered because it sets out concrete goals for private companies that handle identifying data:

      Limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements;
      Limit the use of the individual’s data that is collected and transmitted to specified purposes;
      Be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification; and
      Provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused

      Surely this is the thin end of the wedge of tyranny.

      • Re:Let me guess (Score:4, Insightful)

        by jd (1658) <<moc.oohay> <ta> <kapimi>> on Sunday April 17, 2011 @01:46PM (#35849362) Homepage Journal

        Since all tyrannies require those tyrannized to still be breathing, oxygen is the thin end of the wedge to tyranny. (In other words, almost anything can be dual-purposed for "good" and "evil", so almost anything can be considered the thin end of some wedge or other. It renders that entire line of reasoning pointless.)

      • by icebike (68054)

        After reading the document, there really aren't any system requirements, specific technology or any kind of actual implementation, all it really does is set out some goals and establish a certain vocabulary. It's utterly anodyne and will probably die before being considered because it sets out concrete goals for private companies that handle identifying data

        Actually the more you read on it the less evil it sounds.

        It requires on-device credentials (files, private keys, or some such).
        It transmits no passwords, instead using one-time keys calculated and negotiated for a single use.
        It uses third party authentication.
        It requires user control of exactly which data elements are to be shared.
        Passwords would presumably be required to decrypt/access your own on-device credential cache.

        So, basically you have something like Kerberos [wikipedia.org] where any number of different private/c

      • by dasdrewid (653176)

        Be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification; and Provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused

        Considering we still haven't managed to do this for our electronic voting systems, I foresee a long future of this not happening if they actually put this in as one of the requirements...

  • by Haedrian (1676506) on Sunday April 17, 2011 @01:22PM (#35849176)

    Let's give controls of the keys to the Homeland Security.

    I'm sure we can trust them with our internet.

    • Let's give controls of the keys to the Homeland Security.

      Or better yet, farm the whole system out to several private companies like the proposal calls for.

      I'm sure we can trust them to protect our freedoms.

    • I'm sure it will be just as horrible as the Arpa-net was.. Oh, wait..

  • by assemblerex (1275164) on Sunday April 17, 2011 @01:23PM (#35849180)
    Items purchased with trusted ID: Washing machine, PS4, Glycerine, Shower tiles cleaner (flagged combo).
    Taxes due on purchases $156.00. Forwarding purchase of glycerine and acid product to FBI for examination.
  • The format (Score:5, Funny)

    by TheSpoom (715771) <slashdot@NOSpAM.uberm00.net> on Sunday April 17, 2011 @01:25PM (#35849204) Homepage Journal

    The format of the Trusted ID will be a nine digit number, separated into three groups by dashes...

  • by chimerafun (1364591) on Sunday April 17, 2011 @01:30PM (#35849250)
    This is just another step in the government's plan to control our online lives. John Locke states that the reason for this plan is that 8.1 million people were victims of identity theft in the US last year. What he fails to mention is that only 11% of that 8.1 million were internet or technology related while over 43% were due to theft of purse or wallet, another large chunk were the result of dumpster diving or other unsavory methods.
    • by iluvcapra (782887) on Sunday April 17, 2011 @01:45PM (#35849354)

      What he fails to mention is that only 11% of that 8.1 million were internet or technology related while over 43% were due to theft of purse or wallet, another large chunk were the result of dumpster diving or other unsavory methods.

      It works both ways though: you can create an online account or forge the identity of someone else with nothing more than what is in a wallet. People dumpster dive or steal wallets, and then use the Internet to create false accounts with the information in a wallet or discarded credit application. The problems with validating identity allow a thief to turn a stolen wallet into a stolen identity, this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers, or requiring three-factor auth for credit transactions.

      The document in the TFA proposes no central repository or government database, and proposes a private system that's only regulated by the government to prevent fraud and set minimum standards. Your characterization of the proposal is a strawman.

      • by Kjella (173770)

        this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers

        Governments are very two-faced on this one, on the one hand they get their panties in a bunch about it yet on the other hand they require it in so many places. Here in Norway I have a unique id assigned to me by the government. Employers report income to the authorities for income tax, so all HR positions have to have it. I can't open a bank account without one. I can't trade stocks or funds without one. Car registry, property registry, pretty much every registry that requires a unique id uses it. There's a

        • this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers

          Governments are very two-faced on this one, on the one hand they get their panties in a bunch about it yet on the other hand they require it in so many places. Here in Norway I have a unique id assigned to me by the government. Employers report income to the authorities for income tax, so all HR positions have to have it. I can't open a bank account without one. I can't trade stocks or funds without one. Car registry, property registry, pretty much every registry that requires a unique id uses it. There's a central registry that I have to report in when I move, so I get all the local voting rights, pay the right local taxes and so on. Even the card that gives me 3% off at the grocery store and pays out when it reaches a certain amount has to have that ID, because even those 20$ are reported to the government as my asset. Along with audit requirements that means many, many people past and present have to know it. That it's also written on my drivers license in my wallet is the least of my worries. Of course the explanations are all the usual ones, tax fraud, money laundering, mistaken identities and so on. Fair enough but you can't both have your cake and eat it too, if so many people know it then it's not a very well kept secret.

          It's not a secret, well kept or otherwise, any more than your date of birth is. But I am pretty sure that someone cannot create a bank account or get a credit card in your name just because he has found out that non-secret number. The problem they have in the US is that with no national id and with many people not having a passport, companies resort to all sorts of bizarre things to identify people (including the social security number, which was never meant for that purpose, or absurdities like your mother'

      • by icebike (68054)

        >It works both ways though: you can create an online account or forge the identity of someone else with nothing more than what is in a wallet. People dumpster dive or steal wallets, and then use the Internet to create false accounts with the information in a wallet or discarded credit application. The problems with validating identity allow a thief to turn a stolen wallet into a stolen identity, this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers, or requiring three-factor auth for credit transactions.

        The document in the TFA proposes no central repository or government database, and proposes a private system that's only regulated by the government to prevent fraud and set minimum standards. Your characterization of the proposal is a strawman.

        Exactly right. At least Somebody here gets it.

        Furthermore even if a stolen wallet is used to create an identity, they couldn't use it to access your bank account, because your bank already knows that this account is locked by a different authenticated identity. You can easily prove you didn't order those 15 60-inch TVs because it's not your Secure ID.

        So many people here rush to judgment. Or worse, they decry this effort while propping up PGP, not realizing that it is essentially the same thing, with a mor

    • by imamac (1083405)
      The REAL John Locke would not approve of this.
  • Remember how we were just talking about the nasty, gaping, holes in the practice of using CAs to verify SSL certs? How the CAs were largely rent-seeking incompetents with strong market incentives to do inadequate verification while simultaneously trumpeting their security? How there were just too many of them, and a compromise at any served to threaten the security of all SSLed connections?

    Well, yeah, that kind of sucks because this plan looks very similar: Some kind of public/private key system, with mu
    • by jd (1658)

      It depends on the details, none of which exist yet. The theoretical benefit of a quango is that because they can get some/all income via taxes, they should be able to do a better job. Market forces dictate that a private company can NEVER do a better job than the market will bear and it is clear from the multitude of SSL disasters over time (I'm including Verisign's handing out of Microsoft's private keys in the early days) that the market won't tolerate quality work at all. A quango has no such limitation

    • by iluvcapra (782887)

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      "the organizational/economic incentives side of this is pretty much certain to be totally, utterly fucked"

      The two ways you can approach incentives are (1) make the penalties for data breaches much more severe, to the extent that private companies that keep personal data must safeguard it, and (2) make a bunch of rules that govern how personal data can be collected and used, how much information you need in order to consider a transaction bona fide. Both have thei

  • It's going to be "voluntary", but soon enough legislation will be passed that makes it so "questionable websites", such as those associated with porn, will be mandated to require an Internet ID for age verification. And simultaneously the government will know what kind of porn you like to look at and can blackmail you whenever they see fit.
    • by vlm (69642)

      It's going to be "voluntary", but soon enough legislation will be passed that makes it so "questionable websites", such as those associated with porn, will be mandated to require an Internet ID for age verification. And simultaneously the government will know what kind of porn you like to look at and can blackmail you whenever they see fit.

      You would think the nice heroically ethical guys at the ISPs and/or CC companies and/or tracking and marketing companies would have thought of this money making business model a long time ago... The lack of (known) implementations of this business model, indicates something about its likelihood of success.

  • by fahrbot-bot (874524) on Sunday April 17, 2011 @01:44PM (#35849342)
    From TFA:

    Because of online fraud, many people don't trust the Internet, Locke added. "It will not reach its full potential -- commercial or otherwise -- until users and consumers feel more secure than they do today when they go online,"

    Yes, the Internet has been a pretty big failure so far. :-) What more "full potential" is he talking about?

  • Don't worry, they point out that use of the system is completely voluntary. Just like owning a mobile phone or participating in interstate commerce.

    • I don't own a mobile phone.

      really. no kidding.

      I'm online almost all the time when home. what is it with you kids (...) that you have to be 100.0% online?

      I have no phone; especially not a 'smart' phone. look how much time and aggravation I've saved, not to mention I own a lot more of my private life. the less it leaves traces here and there, the more privacy I keep. I like that.

      you enjoy your little phone, there. I'll enjoy my peace of mind and the extra $1k a year I am saving.

  • Direct link (Score:5, Informative)

    by vlm (69642) on Sunday April 17, 2011 @01:47PM (#35849378)

    Rather than hittin' a journalist site, go direct to the source at

    http://www.nist.gov/nstic/ [nist.gov]

    You can trust this isn't a rickroll or a goatse because I'm usin' my trusted internet ID of VLM

    The headline made me expect a detailed bit level cryptanalysis of the new protocol complete with flowcharts, etc. Instead it seems to be the tech equivalent of a bunch of hippies high on weed sitting around a campfire and curing all the world's ills by talking about them.

    More like "whitehouse releases a plan to create a plan for a trusted internet ID plan"

    • by icebike (68054)

      Instead it seems to be the tech equivalent of a bunch of hippies high on weed sitting around a campfire and curing all the world's ills by talking about them.

      More like "whitehouse releases a plan to create a plan for a trusted internet ID plan"

      Oh, climb down.

      There has to be a start somewhere.

      'the U.S. government will coordinate private-sector efforts to create trusted identification systems for the Internet'.

      What part of that don't you understand?

      Businesses are eating billions in credit card fraud every year. This is long overdue.

      • by vlm (69642)

        What part of that don't you understand?

        What they're plotting will not work for various basic computer science and security fundamental reasons, over extremely well trodden ground where success despite those odds would be staggeringly profitable and implementation would seem to be simple and cheap, thus extraordinary ROI, if it were only possible. It's the waste of time and money and/or security theater aspect that I don't understand or find very useful.

        It's "the internet" so people just nod their heads and defer to the experts. If it were an ind

  • by 140Mandak262Jamuna (970587) on Sunday April 17, 2011 @01:48PM (#35849382) Journal
    Most people are familiar with the outdated ancient technology used by most computer users. The username + password system. Basically anyone can know your username. But only you know the password. That is the basic idea of protection in this system. Cyber security experts are nearly unanimous in saying this does not provide for adequate security. So the new system has been founded on a fantastic new paradigm.

    It completely dispenses with the password. It is your responsibility to protect your username. If anyone from Nigeria to Nantucket knows your identification code, it means they are authorized to do any financial transaction on your behalf. This breakthrough technology makes it possible for the people creating new and exciting contracts under 409 clause to not only draw money from your bank, but also from your brokerage account, and also change your network log in id and to rearrange your netflix queue and use ftp to open your garage doors. Imagine! The New possibilities!

  • what i don't trust is the internets.
  • Typical (Score:2, Insightful)

    by Anonymous Coward

    Sounds about right for liberals. You have to have an ID to use the Internet, but not to vote.

  • People complain about identity theft, people complain about efforts to verify ID.

  • by Arrogant-Bastard (141720) on Sunday April 17, 2011 @02:02PM (#35849462)
    There are, at current best estimate, at least 200 million fully-compromised systems on the Internet. That number has been monotonically increasing for most of a decade, and there is no reason to expect that trend to change. (And many reasons to expect it to continue.) Not all of those are in the US, of course, but a lot of them are. This in turn means that any credentials present on those systems are now the property of their REAL owners, not the people who mistakenly believe they own them. Which means that even if such a universal ID system was properly designed (unlikely), properly built (unlikely), and properly deployed (extremely unlikely) that its first major effect will be handing over a large number of those IDs to The Bad Guys. The second major effect will be providing major incentives to The Bad Guys to compromise more systems, as the value of such increases with both their usefulness and the value of the data stored on them. The third major effect will be providing major incentives to The Bad Guys to go after any system where these IDs are stored or used, since they now have widespread usefulness, not just localized usefulness. They will be successful some of the time, of course, and we will once again get to hear the refrain of the professional liars who call themselves "spokespeople", as they solemnly intone "Nobody could have foreseen..." I think the biggest usefulness of this scheme will be filtering: anyone supporting it is clearly marking themselves as a security imbecile, should be fired on the spot, blacklisted for life, and never permitted to speak in public again on the topic of security. That won't happen of course. They'll get bonuses. That's how we reward sufficiently grandiose failure in this society.
    • Please use paragraphs, it makes it easier to read/parse, thanks!

      Exactly, if they want to plan to do something, how about educate about sound security period. I don't care if Microsoft employs 88,000 people. What is the opportunity cost in feeding their monopoly to society and business? Competition is a good thing. We need the government to push things open things like Linux, and in time even better will come along if everything is not so regulated to death, allowing for other monopolies to rise up.

  • as soon as you'll need to use it to pay taxes. Many of the taxes that are collected are collected not to keep revenue stream going but to ensure that the information records keep flowing. As soon as you can't pay your taxes online without one of these, it will be over. Since the burden of preparing taxes only keeps going up, most people will gravitate towards the electronic solutions which assist in tax-record preparation. Using this thing will be seen as just part of the cost of doing business.
  • The new version more explicitly emphasizes that the private sector will drive forward the trusted ID market, with government playing a coordinating role, administration officials said.

    In other words, it's a Mussolini-style Fascism model.

    Consumer participation in trusted ID technologies will be voluntary, they added.

    Because nobody is going to force you to use a bank, shop on-line, or send email that will actually make it to somebody else's inbox. Sorry about all those on-line government services that you won't be able to use. You can always hike to one of the brick-and-mortar offices and present your papers in person.

    • by iluvcapra (782887)

      Because nobody is going to force you to use a bank, shop on-line, or send email that will actually make it to somebody else's inbox. Sorry about all those on-line government services that you won't be able to use. You can always hike to one of the brick-and-mortar offices and present your papers in person.

      Freedom isn't free. If you really want to live a life unfettered by a verifiable identity, that choice has real consequences for the sort of lifestyle you can enjoy, the sort of trust others will be will

      • by Curunir_wolf (588405) on Sunday April 17, 2011 @03:52PM (#35850160) Homepage Journal

        Because nobody is going to force you to use a bank, shop on-line, or send email that will actually make it to somebody else's inbox. Sorry about all those on-line government services that you won't be able to use. You can always hike to one of the brick-and-mortar offices and present your papers in person.

        Freedom isn't free. If you really want to live a life unfettered by a verifiable identity, that choice has real consequences for the sort of lifestyle you can enjoy, the sort of trust others will be willing to grant you, and the sort of financial transactions people will be willing to make with you.

        I currently have a verifiable identity that I can use to do all of those things. And I don't have to be "coordinated" with some government bureaucracy in order to do it.

        This isn't about solving a problem, it's about gaining more power and control for the central authorities and global corporations. It's really very transparent. There are much better ways to deal with identity theft than a draconian central planning scheme dreamed up by fascist partnerships.

  • by Yvanhoe (564877) on Sunday April 17, 2011 @02:27PM (#35849636) Journal
    Having a way to authenticate a person as unique is a missing brick in many web applications, especially all the voting applications. I see it as a good thing and I have a hard time seeing how such a tech makes bad scenarios more likely.
    • by vlm (69642)

      I have a hard time seeing how such a tech makes bad scenarios more likely.

      Think about a MITM attack implemented serverside on a weak server, proxying thru to a 3rd party strong server. The most secure system that uses a global auth system can only be as secure as the least secure system in the universe because the least secure system can get owned, have a MITM proxy stuck on it that talks to the most secure system.

      In even more detail, spelling it all out ... the "small town journal" newspaper installs global auth so letters to the editor cannot get forged in someone else's name,

  • If you extend this policy to all businesses and persons then everyone will have a trusted identity and there will no longer be a need for costly server certificates on web servers. If this is true then I will support the adoption of this "Trusted Internet ID" plan. Alternatively, if this is just another "bolted on" form of security that still requires the legacy RSA certificates, I will not support this plan.

    I strongly doubt that the Obama administration would be willing to push a plan that eliminates t

  • by Shivetya (243324) on Sunday April 17, 2011 @02:49PM (#35849786) Homepage Journal

    I trust VISA and my bank more than I trust my government. I will keep voting my conscience and hopefully one day that will work out.

    • Re: (Score:3, Insightful)

      by vlm (69642)

      I trust VISA and my bank more than I trust my government.

      In a corporatocracy or fascistic capitalist system like ours, those two have merged together. Like saying you trust your right hand more than your left hand, or your political party is more trustworthy than the other political party, or like saying the fry cook is a much better cook than the burger flipper cook at your local mcdonalds. So that statement logically simplifies to ... nothing.

  • Arguably, "Identity" is the wrong target (or, if you think that it is the right target, I consider your motives suspect) for many applications:

    "Identity" is a polite euphemism for a lot of personal information. For most purposes, it is utter overkill to achieve legitimate ends. Say that I'm buying some booze online. You don't actually need to know my name, age, appearance, etc, etc. You simply need to know that my age > legal age and that my payment is valid. To log into an email account, you don't nee
    • by vlm (69642)

      Say that I'm buying some booze online. You don't actually need to know my name, age, appearance, etc, etc. You simply need to know that my age > legal age and that my payment is valid.

      You also need to verify the shipping address is linked to your id, and not some teenager's address. Security; it's always harder than it appears.

      There are about eighty zillion other "straw buyer" attack scenarios using valid auth credentials. There are also many orders of magnitude more "straw buyer" attacks that are possible with faked / stolen / impersonated / coerced auth credentials. At least some of those attacks can not be prevented, but can be tracked down afterwards, given "lots of info".

      There is s

  • I have a hard time trusting a proposal like this that comes from an administration that includes a lot of former RIAA and MPAA associates.

  • I just want to point out that private industry created the credit reporting service, and now I have to spend money to protect my interest against the shoddy practices of this industry. I don't think it is the fact that people will commit fraud that worries me, but the poor practices that the industry follows that provides no protection against fraud.

    The creation of a government credit ID that has anti-fraud measures might be the first step in battling this issue. The second step would be making the credit

  • by w0mprat (1317953) on Sunday April 17, 2011 @08:34PM (#35851594)
    What I like about the current mess of different usernames and passwords for different sites, entrust card, RSA tokens etc is that any identity theft is likely to be rather limited. With an Internet ID plan it makes it possible for someone to take an entire identity in one hit, along with all your money and likely better lock you out of getting it back.

    This is going to become prime target for identity theft, I can tell by the lack of language even acknowledging security issues let alone addressing how it may be kept safe.
