In a posting on the White House blog yesterday, Howard Schmidt, the President’s Cybersecurity Coordinator, announced a proposal to establish a new online environment, the Identity Ecosystem, that would provide a robust method of identifying individuals and organizations on the Internet.
Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC). This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.
The idea of creating a uniform identity credential, rather than the current hodge-podge of user IDs and passwords for various Web facilities, is not a new one, of course. Systems such as Microsoft’s more or less abortive Passport system, and projects like OpenID, have many of the same objectives. (They do not, of course, have the government’s imprimatur.) Any endeavor like this has to sort out a very complicated tangle of trust and privacy issues, in addition to getting the security right.
To that end, as Mr. Schmidt says in his announcement, a draft version of the National Strategy for Trusted Identities in Cyberspace has been published; the actual draft document [PDF, 39 pp] can be downloaded here.
(The document is being hosted at the Web site of IdeaScale, an “idea and innovation management” firm. The site has a provision for entering comments, which requires you to register. Unfortunately, I have not yet been able to get the registration process to work. I’ll update this if I learn more.)
As with many security projects, the devil is likely to be in the details. I have a copy of the draft report; the Executive Summary is long on ideals and short on details. I’ll post a follow-up note when I’ve had a chance to read it all.
Update Monday, 28 June, 15:35 EDT
The registration function at the IdeaScale project site seems to have been fixed; I was able to register successfully today.
Blizzard Entertainment came out with something called the “Authenticator” for World of Warcraft. It’s a device that is supposed to protect an account from unauthorized access. Unfortunately, hackers figured out a way to get around it. (Links to info below)
While I think NTI is a great idea, the technology just needs one compromise like the Authenticator to bring the whole thing down like a house of cards. NTI is just one piece of a major security puzzle. Without complete end-to-end assured security on both ends (server/desktop), there is always the possibility that a system like this will fail.
Authenticator FAQ:
http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660
Information about the device:
http://www.vasco.com/products/digipass/digipass_go_range/digipass_go6.aspx
Stories of how hackers were able to exploit a weakness in the technology:
http://www.wow.com/2010/02/28/man-in-the-middle-attacks-circumventing-authenticators/
http://www.mmocrunch.com/2010/02/28/world-of-warcraft-authenticator-hacked/