Jericho founder: Get involved in plan for protecting identity online

Respected identity expert Paul Simmonds says the NSTIC's identity project needs European involvement, or it may not meet Europe's needs.

The founder of a leading IT security standards group is urging Europeans to take a more active role in shaping a new standard for online identity and authentication.

Paul Simmonds, a founding member of the Jericho Forum, which is now part of The Open Group, is calling for European organisations to get actively involved in providing input to the US-based National Strategy for Trusted Identities in Cyberspace (NSTIC), a project with the goal of protecting identity online. The NSTIC is designing a standards framework that will reduce identity fraud and allow consumers to operate online around the world without having to remember multiple passwords or carry multiple security tokens.

The NSTIC has solicited feedback from industry and interested parties about the best way to proceed with the project, and Jericho has submitted comments and suggestions, in addition to those submitted by The Open Group. Simmonds, however, is concerned the NSTIC initiative will not meet European privacy standards and hence will fail to address the needs of European end users.

“I don’t have a problem with NSTIC. They are doing the right things and they are the only game in town that stands a chance of doing this properly,” Simmonds said. “But people need to get involved with NSTIC and work with it and review it. If we don’t, then we could end up with a solution driven by US technology vendors.”

NSTIC proposal for protecting online identity
NSTIC developed its initial project proposal for improved Internet identities in early 2011, and has been seeking industry views on how the infrastructure might develop, primarily in the US, but also internationally. The NSTIC programme envisages “a vibrant marketplace that allows people to choose among multiple identity providers -- both private and public -- that would issue trusted credentials that prove identity.”

With the trusted credential, an individual would be able to access different services – such as email, banking or social networking – using the single credential and without having to memorise different passwords or supply his or her full personal details to every website individually.

Although the US government is investing some initial funding to get the project off the ground, the aim is for it to become self-funding. “Our role as a government is to catalyse it, but we don’t want to own it or run it,” said Jeremy Grant, senior executive advisor for identity management at the NSTIC programme.

Grant said the plan is to set up a steering group in early spring 2012, which would then create working groups to work on the technical details. “At its core, NSTIC is focused on creating a user-centric identity ecosystem,” Grant said. “It’s looking at how to give individuals more choices into how their information is shared online, both for online authentication and other online activities that involve the use of their personal information.”

Simmonds said he fears that, once the independent steering group is formed, the project could be dominated by commercial interests pushing their own products and preferences. His biggest fear is that a handful of major identity providers will corner the market and end up holding large amounts of personal data for online transaction authentication. Simmonds said that would not only make the providers a target for hackers, but would also make those data repositories vulnerable to government interference.

Grant disagreed with this viewpoint, saying: “There is no interest in creating a central repository of personal information. We are interested in leveraging privacy enhancing technologies in concert with some better privacy policies, to give the individual more control.”

Jim Hietala, vice president of security at The Open Group, insisted Simmonds’ view did not represent those of the Jericho Forum or The Open Group.

“We are, in fact, supportive of the aims of the NSTIC process, and we are encouraged by the openness and the participatory nature of the process,” Hietala said. He added that The Open Group is one of a handful of industry organisations that could take on the job of managing the NSTIC steering committee.

Jericho Forum Identity Commandments
In early 2011, the Jericho Forum developed its Identity Commandments for an open identity system. They are a set of principles it says should be observed when planning an identity ecosystem, using open and interoperable standards, capable of operating on a global scale. 

The commandments outline a user-centric approach, allowing users to manage and control their identity without having to register their personal details with any single identity provider. Simmonds admitted this approach is less commercially attractive to the big corporations that would likely be needed to finance the creation of a broadly adopted identity ecosystem.

“The way to make money out of identity is by setting up what we would call a super-persona, where the individual deposits all their details,” Simmonds said. “The company holding the information earns a micro payment each time the data is referenced to prove the individual’s identity.”

However, Grant said NSTIC had consulted with a wide range of organisations, including privacy advocacy groups, that would create a counter-balance to any commercial interests. He also insisted that openness and privacy would be key priorities of the NSTIC project, adding that international participation was essential to making the project a success.

Nevertheless, Simmonds said the evolution of the NSTIC initiative should be closely monitored to make sure it can operate globally, and he strongly urged European IT professionals to take a more active role in its development. 

“The best security and crypto experts need to work on this, pay attention to it, review it when it comes out, and make it a global solution,” Simmonds said. “If NSTIC is implemented properly, the solution could be implemented by any government or organisation in the world.”

David Lacey, director of research for the security industry professional group ISSA-UK, acknowledged the difficulty of managing such an ambitious project. “Whichever way you do it, a national scheme is hard, and an international one is even harder. Yet without the economies of scale, it's not viable,” Lacey said. “The simple fact is that people won't pay for infrastructure. Unless government pays, it doesn't get off the ground. Even then it's hard. But you've got to give them credit for having a go.”

Jericho will host a free one-hour webinar on Jan. 18, 2012, to discuss the Jericho Identity Commandments and their relevance to the NSTIC programme.