White House Unveils Plans For "Trusted Identities In Cyberspace" 202
Presto Vivace writes with news that the Obama administration's cyber-security coordinater, Howard Schmidt, yesterday unveiled a national plan for "trusted" online identities. Schmidt wrote,
"The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers — both public and private — to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)."
You can read the full draft of the plan (PDF), and the White House is seeking public comments on it as well.
Brought to you by Verizon and Verisign (Score:3, Interesting)
Don't like (Score:3, Interesting)
I think a 'strong identity' transactional system likely requires a secret known to a user, paired with a hardware device that can be remotely disabled, and is difficult to tamper with and lift the user's keypair from, even with the user's password. I think that can be built, but the 'remote kill' potential is alarming in the context of a national (or more than national) strong-identity system. In order to be reliable, parties will have to check transactions against some sort of central database, which is a serious privacy concern.
My suspicion is that any system you attempt to use for this purpose is immensely more useful when you ditch the 'strong identity' requirement, as a strong transactional system is good at preventing fraud, and with no (or limited) identity tied to a transaction, there is no substantial risk to privacy, data disclosure, etc, which are the stated goals of the plan.
Re:OpenID? (Score:3, Interesting)
If they mentioned any sort of consideration for things like what I was mentioning above, I'd be much more confident about the program. There is no mention of any of this stuff in their strategy doc (I actually read the PDF, I'm sorry to say). That makes me think they haven't considered it at all.
Mis-use by a provider is one thing, and, yes, I'd agree that I'd expect the gov't to deal with it harshly. But institutional helplessness is a very different beast. Situations that go like "I'm sorry, sir, we can't let you use another company's certificates with our phones. You can still get another identity from us, though." wouldn't be a lock-out, but it would make the system an enormous pain in the ass.
Also, if you can't ever change identity providers, it means companies will be guaranteed a revenue stream from you, perpetually. Even if you decide you want to leave Verizon, if they're your identity provider you would *have* to work with them (and probably pay them). Again, if there had been any consideration made for these sorts of issues I'd be less leery of them...but the PDF was this sunny thing that considered none of the cases where this thing fails.
OpenID is too damn confusing and fragile. (Score:1, Interesting)
A few months ago, I wanted to post a question to StackOverflow. It was the first time I was going to submit something, so it was also the first time I had to log in. I was dismayed to see that they had chosen OpenID, rather than letting me quickly create an account specifically with them.
Now, I don't have an account with Google, or Yahoo!, or AOL or one of the numerous other OpenID providers they support. So I had to go through the process of signing up for a Yahoo! account, which was a pain in the ass, to say the least. Then it was back to StackOverflow, so I could log in, and submit my question. Except it didn't work. I couldn't log in. I'd get sent to Yahoo!'s page to log in, and I'd log in there successfully, but I wouldn't be logged-in at StackOverflow.
I really didn't have any time or inclination to figure out what was wrong, so I went through the hassle of creating a Google account. In the end, it was the same problem as with the Yahoo! account. It just wouldn't recognize that I was logged in.
Maybe it's a problem with my browsers (I tried Opera, Safari, Chrome, IE and Firefox for each provider), or maybe it's a problem with my network infrastructure, although I suspect it's a problem with StackOverflow or OpenID.
Regardless of what the technical problem was, I wasted far too much time just trying to log in to the goddamn StackOverflow site. Authentication is one of the most basic operations of any multiuser and/or networked software system. It's something UNIX has gotten right for 40 years. There's no reason for OpenID to be as shitty as it is.
In the end, I said "fuck it" to StackOverflow. If they want to make it difficult just to log in to their site, I won't use it. I asked my question on a mailing list instead, which worked flawlessly.
Your plan advocates a (Score:2, Interesting)
Your plan advocates a
(x) technical (x) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
(x) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
(x) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
(x) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
(x) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(x) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
(x) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Envision it! (Score:5, Interesting)
From the Document Itself:
"Envision It!
An individual voluntarily requests a smart identity card from
her home state. The individual chooses to use the card to
authenticate herself for a variety of online services, including:
Credit card purchases,
Online banking,
Accessing electronic health care records,
Securely accessing her personal laptop computer,
Anonymously posting blog entries, and
Logging onto Internet email services using a
pseudonym."
I always want to use a self-identifying card when anonymously posting blog entries. Seems like this also could be easily abused by a government who conducts warrantless wiretaps and other illicit snooping.
"Imagine a world where individuals can seamlessly access information and services online from a variety of sources - the government, the private sector, other individuals, and even across national borders - with reduced fear of identity theft or fraud, lower probability of losing access to critical services and data, and without the need to manage many accounts and passwords."
Honestly, this doesn't seem like a good idea from a security standpoint either. Let's say I wanted to commit fraud or identity theft or any of the other things this card is supposed to prevent. Now, originally, I would have to compromise your 30 passwords. If I hacked your blog, I wouldn't be able to access your bank account because they have different passwords. Now, if a blackhat hacker hacks this universal access method they get universal access. Scary.
NOBODY WANTS THIS... (Score:5, Interesting)
I should know, we spent 3 years building the most secure commercial internet authentication system, with a 5 site redundant cloud of authentication services. 3 of 5 sites were necessary to pass an authentication, so we could handle two complete site thefts, or two complete site disasters and still authenticate safely (auth material was split utilizing a secret sharing algorithm). Each of our data sites were military-grade EMI/Faraday cages, under separate corporate ownerships.
In other words we spend millions on building the easiest & safest way to authenticate a user on the 'net, with most of that on auditing, code reviews, facility buildout etc...
And nobody wanted it!! Not for any price... not even for 50 cents/user a year!! Banks said users would NEVER type in two passwords,... HA!
One Step Closer (Score:2, Interesting)
Re:GPGAuth + OpenID + Smartcards/E-tokens. (Score:3, Interesting)
I would be happy if there was a ban on the import of keyboards, laptops and cellphones without an integrated smart card slot. If readers were common the market would probably workout the details with federated cards or cards issued by companies for specific purposes. I already use smart cards for ssh and other purposes. I am using external readers, PCMCIA readers, and even a Dell keyboard with a slot. One cellphone already has a reader but it's only sold to approved users or I would use it too. Malware won't be able to extract the private key and if the device dies, the card will be usable elsewhere.