olsThe White House revealed June 25 a draft strategy for creating a voluntarily authenticated online identity for Internet users and organizations. The "National Strategy for Trusted Identities in Cyberspace" proposes a system under which identity-certified individuals wishing to conduct online transactions with identity-certified organizations, submit an interoperable, standards-based credential before proceeding with the transaction. Members of the public would utilize it while conducting online banking or even just sending an email, states White House cyber czar Howard Schmidt in a blog post announcing the strategy. Sign up for our FREE newsletter for more news like this sent to your inbox! The credential could come in the form of a smart card, a cell phone, a downloaded software certificate, USB device or security chip embedded into computers. Through the credential, online organizations (called a "relying party" in the plan) could verify two categories of information: An individual's identity, from a public- or private- sector identity provider, and information about that individual (called "attributes" in the plan) from an organization that can verify individual characteristics, such as age. The plan gives a loose idea in a diagram. Relying parties would verify the end user's identity and attributes directly with the identity and attribute providers once they've read the end user's credential. "The user can also provide all validations directly to the relying party through the mediation of privacy enhancing technology," the draft strategy adds. The draft plan says the system will enhance online privacy since relying parties could request to verify only relevant attributes. Transactions could still be anonymous to the extent that relying parties accept a strong credential that nevertheless does not uniquely identify individuals to them, the draft plan states. The system would contain policies and standards would minimize the linkage of individuals' credential use among and between service providers, the plan states. Unclear from the plan is what kind of logs identity and authentication providers would retain of verification requests made through individuals' online activity. The plan states that providers should limit their retention of data "to the period necessary for the provision of services...except as otherwise required by law." Also unclear from the plan is how the identity and authentication providers would verify that individuals are indeed who they say they are and that their attributes are correct. An authenticated online identity is necessary to reduce online fraud and identity theft and also increase the ease of online transactions, the plan states. "The role of government is to address the safety and economic needs of its people," the plan states. The federal government will become an early adopter of the identity technology and possibly encourage its spread through tax credits or breaks, grant programs, loans to first adopters and "cybersecurity insurance." The draft plans call for selection of a lead agency responsible for driving the plan forward; Schmidt, in his blog post, says that the Homeland Security Department has already been "a key partner in the development of the strategy" and the draft plan is hosed on a DHS website. The White House is accepting public comment on the draft strategy through July 19. The plan is slated for final form this fall. |
|
|
