White House Unveils Plans For "Trusted Identities In Cyberspace"

Presto Vivace writes with news that the Obama administration's cyber-security coordinater, Howard Schmidt, yesterday unveiled a national plan for "trusted" online identities. Schmidt wrote, "The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers — both public and private — to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)." You can read the full draft of the plan (PDF), and the White House is seeking public comments on it as well.

Envision it!

[neoshroom]

From the Document Itself:

"Envision It!

An individual voluntarily requests a smart identity card from
her home state. The individual chooses to use the card to
authenticate herself for a variety of online services, including:
        Credit card purchases,
        Online banking,
        Accessing electronic health care records,
        Securely accessing her personal laptop computer,
        Anonymously posting blog entries, and
        Logging onto Internet email services using a
pseudonym."

I always want to use a self-identifying card when anonymously posting blog entries. Seems like this also could be easily abused by a government who conducts warrantless wiretaps and other illicit snooping.

"Imagine a world where individuals can seamlessly access information and services online from a variety of sources - the government, the private sector, other individuals, and even across national borders - with reduced fear of identity theft or fraud, lower probability of losing access to critical services and data, and without the need to manage many accounts and passwords."

Honestly, this doesn't seem like a good idea from a security standpoint either. Let's say I wanted to commit fraud or identity theft or any of the other things this card is supposed to prevent. Now, originally, I would have to compromise your 30 passwords. If I hacked your blog, I wouldn't be able to access your bank account because they have different passwords. Now, if a blackhat hacker hacks this universal access method they get universal access. Scary.

NOBODY WANTS THIS...

[Panaflex]

I should know, we spent 3 years building the most secure commercial internet authentication system, with a 5 site redundant cloud of authentication services. 3 of 5 sites were necessary to pass an authentication, so we could handle two complete site thefts, or two complete site disasters and still authenticate safely (auth material was split utilizing a secret sharing algorithm). Each of our data sites were military-grade EMI/Faraday cages, under separate corporate ownerships.

In other words we spend millions on building the easiest & safest way to authenticate a user on the 'net, with most of that on auditing, code reviews, facility buildout etc...

And nobody wanted it!! Not for any price... not even for 50 cents/user a year!! Banks said users would NEVER type in two passwords,... HA!