White House Unveils Plans For "Trusted Identities In Cyberspace"

Presto Vivace writes with news that the Obama administration's cyber-security coordinater, Howard Schmidt, yesterday unveiled a national plan for "trusted" online identities. Schmidt wrote, "The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers — both public and private — to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)." You can read the full draft of the plan (PDF), and the White House is seeking public comments on it as well.

OpenID?

[koreaman]

One ID you can use anywhere? Sounds a lot like what the OpenID project is already trying to do. It's a nice concept, but I don't like the idea of anything like this being run by the government. Government interference with the internet seems to be the fastest way to dystopia, these days.

Re:OpenID?

[gclef]

It's actually a little better and a little worse than what you think. They're proposing setting up a "ecosystem" of identity providers, so commercial organizations will issue identity certs with the gov't just setting the standards they all live by to interoperate, etc. On that front, that isn't as bad as it could have been.

On the other hand, there is an enormous amount of naivete in their "strategy" about how the identity providers will act. Their examples talk about having your cell phone provider be the organization that issues your identity cert for use in this system. What happens when you change providers? When I shift from Verizon to AT&T, can I move the AT&T cert to my Verizon phone? Also, am I forevermore tied to AT&T for my identity verification? What if that company goes bankrupt? What if you *want* to change identity providers? If you can change providers, what happens to the records that provider kept? What about the records that other information providers tied to the old cert? Do they keep the certificate (and therefore the ability to impersonate you online)? What happens if I lose my phone (and therefore lose my cert)?

The effort isn't completely crack-addled, but it is hopelessly naive. I think it'll fail unless it gets a big dose of reality shortly.

A solution looking for a problem

[selven]

The problem of authenticating yourself many times to different websites is solved by OpenID. The problem of having a secure web identity is also solved - anyone can put a public key on their homepage and sign everything they write. The inclusion of credit cards and electronic health records suggests the true motive for this policy: trying to tie people's internet identities to real life identities. Thanks, but given that the opinions I post here have already earned me 3 'foes' I'd rather not have every potential employer take a look at my Slashdot account.

Re:A solution looking for a problem

[selven]

You are assuming that one of my identities is the "actual" me and that all the others are pseudonyms. I reject this view, and believe that 'selven' is an identity on equal footing with the one on my passport. People call me (insert my so-called 'real name' here) therefore I am that person. People call me 'selven' therefore I am also selven. There is nothing inherently more real about one name than the other. So if I set up a public key and start signing all of my posts, anyone who knows my public key can prove that any of my posts was in fact made by me (or with my permission). People who have an established relationship with and trust 'selven' do not need to know my other identity in order to deal with me.

Quite a few problems

[king+neckbeard]

1. I don't trust the government to be competent with this
2. I don't trust the government to not abuse this power
The government is perhaps the single most important entity to protect yourself from. If cashflows and internet security are under the government's thumb, then contaband and actions to protect yourself from the government are going to be much harder to come by. I don't want a government ID credit card, I want a closer equivalent to cash, so i can make online purchases with LESS of a paper trail.

Re:Envision it!

[tverbeek]

Yeah, it's like having a master key that unlocks your house, your car, your office, your filing cabinet, your pot and porn stash, your firesafe, your safe deposit box, your storage unit, etc... and keeping that key on a chain around your wrist, where you'll always be sure you have it. Until someone copies it while you're sleeping, and suddenly they have access to everything.

Fighting the Anonymous Cowards

[roman_mir]

Read this proposal for what it is: a different way to name an attempt of removing anonymity from the web.

The NSTIC, which is in response to one of the near term action items in the President's Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. ...

- I am sure this is going to be made a requirement for a site to operate at some point, add this to the 'Internet kill switch', add the Patriot Act to it, multiply by Home Land Security and don't forget to factor in the rendition, you are going to have an interesting situation.

The President will be able to shut down portions of the Internet, he will be able to identify who was saying what and when, this entire thing reeks of totalitarianism - complete control by the government over the dissemination of information and total knowledge of who was saying what on which topic plus ability to take action - shut down the dissenting portions of the web and then 'taking the necessary care' of those, who dare to oppose the government in any way, be it direct opposition to specific policies or be it simply providing information to the people that government wants to keep quiet and providing a forum to discuss this information.

Re:Yet another OpenID

[bendodge]

It's not even that. I'm shocked that here on Slashdot the first couple dozen posts actually take this seriously. IT'S A TRAP. This should be blatantly obvious. The entire point of this is to get rid of online anonymity, which government and legal trolls hate.

Read this post a few screens up: http://yro.slashdot.org/comments.pl?sid=1699416&cid=32702330

I know President Obama is popular here, but everything his administration has proposed for the Internet has sinister long-term ramifications.

Eric Holder Advocated Internet "Restrictions"
The Internet "Kill Switch"
Obama's "Internet Czar"
Obama's Version of "Net Neutrality"

These plans do not exactly champion freedom and free speech. Rather, they seek to slowly erode the power of the online masses.