Slashdot Mirror


US Gov't To Issue Secure Online IDs

Hugh Pickens DOT Com writes "Tom Groenfeldt reports in Forbes that the U.S. Postal Service has awarded a contract to SecureKey to implement the Federal Cloud Credential Exchange (FCXX) designed to enable individuals to securely access online services at multiple federal agencies — such as health benefits, student loan information, and retirement benefit information — without the need to use a different password or other digital identification for each service. SecureKey already operates a trusted identity service in Canada using identification keys provided by one of five participating Canadian banks. It allows Canadians to connect with 120 government programs online with no additional user names or passwords for everything from benefits queries to fishing licenses. The SecureKey program is designed to connect identity providers — such as banks, governments, healthcare organizations, and others — with consumers' favorite online services through a cloud-based broker service. The platform allows identity providers and online services to integrate once, reducing the integration and business complexity otherwise incurred in establishing many-to-many relationships."

18 of 205 comments

  1. Super Timing by mtrachtenberg · · Score: 4, Funny

    The United States government has never had better timing! I'd sign up now, but I figure you guys have got it covered already, OK?

    1. Re:Super Timing by Jeremiah+Cornelius · · Score: 5, Insightful

      Read as: "License to use the Internet".

      Pretty fucking clever. Soon, you won't be able to get a stock-quote or the latest XKCD without this thing - much less, send an email.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Super Timing by drakaan · · Score: 5, Interesting

      Plus, it makes identity theft that much more convenient!~

      --
      "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
    3. Re:Super Timing by RelaxedTension · · Score: 4, Insightful

      The NSA wants to streamline its work with a single foreign key...

    4. Re:Super Timing by Anonymous Coward · · Score: 3, Funny

      at least if it were a sign on we could end trolls

      We'll all miss you.

    5. Re:Super Timing by FuzzNugget · · Score: 5, Insightful

      I was just thinking... a single set of credentials for every online service, what could possibly go wrong?

    6. Re:Super Timing by Beardo+the+Bearded · · Score: 4, Insightful

      I was just thinking... a single set of credentials for every online service, what could possibly go wrong?

      ... created by the government and sent to the lowest bidder on a system with no accountability for failure.

      We'll be lucky if the oxygen tanks work properly.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    7. Re:Super Timing by Anonymous Coward · · Score: 4, Insightful

      why would we read it as that?

      Because of past history, the government has been trying to force a national ID on everyone since at least the early 2000's. Remember the Real ID Act?

      coming up for a single sign in is good efficiency, and cost savings.

      It might be good efficiency, but having a single log in for everything is the absolute worst security model you can have. It would only take one web site infected by malware to compromise your entire online presence. Even us old timers know that you don't put all your eggs in one basket.

    8. Re:Super Timing by lightknight · · Score: 5, Funny

      It's cool, they're going to beta it with a key with a chip in it, but by the time the public uses it, it'll just be a barcode that they stamp on your forehead or right hand.

      Kind of looks like three sixes, but I'm sure that's just a coincidence.

      --
      I am John Hurt.
  2. Future Mandatory Requirement by cosm · · Score: 5, Insightful

    How long until these become mandatory for all websites? Here's how I could see this going down:

    - First, all major government websites require usage of this.
    - As more and more brick-and-mortar government offices close, more and more people start using the id.
    - VISA, MasterCard, et al begin requiring these for all online banking.
    - Taxable web transactions somehow get tied by law to having to use these.
    - Soon, ISPs require you to log in with it periodically, (remember AOL internet 'sessions'?)
    - All utilities, bills and such paid online start requiring it.
    - Social networks require it for 'think of the children' safety.

    ...Tinfoil futures are a sure bet....we're losing the internet right in front of our faces.

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    1. Re:Future Mandatory Requirement by TheNarrator · · Score: 4, Interesting

      You just have to send your id in the bottom 64 bits of your ipv6 address to access the internet. Why make the address space so large unless you were going to stuff authentication credentials into every packet? Then they could easily just turn you off whenever necessary.

  3. Better Acronym by PincushionMan · · Score: 5, Funny

    What a terrible acronym! How are we supposed to say FCXX anyway?

    So, I came up with a better one for them:
    Federal User Credential Keyfob (for Your Online Utopia)

    1. Re:Better Acronym by Em+Adespoton · · Score: 3, Funny

      What a terrible acronym! How are we supposed to say FCXX anyway?

      So, I came up with a better one for them:

      Federal User Credential Keyfob (for Your Online Utopia)

      In Capitalist America, government FCXX you?

  4. Re:Brilliant! by Anonymous Coward · · Score: 5, Informative

    Posting AC because I worked on this proposal for one of the seven other candidates for this bid.

    The oversight/selection committee for this consisted of people from GSA, NIST, and several other agencies. Speaking as a privacy/security nut myself, I can say their requirements were very privacy-friendly.

    This system is intended to allow people to use third-party authentication mechanisms (provided by Equifax, etc.) to access government systems. The kicker is that neither side is allowed to know who the other side is. The FCCX is intended to be an anonymizer-like service to completely disassociate the public information from the federal systems.

    Regardless of what some other agencies are doing (illegally, immorally, etc.), these guys were really striving - at least in the RFQ/RFP - to do it the right way.

  5. Yes. by goodmanj · · Score: 4, Insightful

    Identity verification should be a core function of a national government. This can be done right: by creating an agency that does not aggregate data, and serves no other function than to confirm that you are who you say you are when you ask it to. With proper use of two-factor keys and public cryptography, this agency can make data aggregation very difficult: your bank would know you by a different ID# than your cell phone provider, and neither would need to know your name or social security number.

    It's true that a corrupt government can do identity verification very badly, turning it into a panopticon. But corporations don't have the longevity, security, or nationwide reach to be able to do the job well, and a corrupt government can simply force corporations to hand over identity data. So in the worst case scenario, identity verification by corporation is no better than by government. And having no centralized authority at all doesn't work either: the fragmentary system we use now is easy to aggregate, and its resistance to identity theft is only as strong as its weakest link -- which is typically very, very weak.

    With identity verification managed by government, we can at least use electoral pressure to hold the identity agency responsible for its actions, and fight corruption within it. If it's managed by anyone else, we have no control over it at all.
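An added illustration of the per-service ID idea in the comment above (not part of the thread, and not FCCX or SecureKey code): a broker derives a different pseudonym for each relying party with a keyed hash, so two services cannot join their records on the ID. The key, provider names and user records are constructed, and HMAC derivation is an assumed scheme, not one the comment or the contract specifies.

```python
import hashlib
import hmac

# Constructed demo values: the key, provider names and subjects are made up.
BROKER_KEY = b"constructed-demo-key-not-a-real-secret"
USERS = [("bank-idp.example", "alice-001"), ("bank-idp.example", "bob-002")]


def pairwise_id(key: bytes, idp: str, subject: str, relying_party: str) -> str:
    """Stable pseudonym for one user at one relying party (assumed scheme)."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode()
        for f in (idp, subject, relying_party)
    )
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def build_tables(pairwise: bool) -> tuple[dict, dict]:
    """Records held by two services, keyed by the ID each one sees."""
    bank, telco = {}, {}
    for idp, subject in USERS:
        if pairwise:
            bank[pairwise_id(BROKER_KEY, idp, subject, "bank.example")] = "accounts"
            telco[pairwise_id(BROKER_KEY, idp, subject, "telco.example")] = "calls"
        else:
            # One global identifier reused everywhere, SSN-style.
            bank[subject] = "accounts"
            telco[subject] = "calls"
    return bank, telco


def joinable(table_a: dict, table_b: dict) -> set:
    """IDs on which two services could match their records by comparing tables."""
    return set(table_a) & set(table_b)


if __name__ == "__main__":
    print("global ID overlap:  ", len(joinable(*build_tables(pairwise=False))))
    print("pairwise ID overlap:", len(joinable(*build_tables(pairwise=True))))
    # The broker holding BROKER_KEY can still recompute every mapping, so this
    # limits linkage between services, not linkage by the broker itself.
```
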

    1. Re:Yes. by EmperorArthur · · Score: 4, Interesting

      Agreed. I would love it if my driver's license was a smart card. Provided that it's initialized properly so the private key never leaves the card. The corporation could then act as a gpg keyserver. If everyone had easy to use public key cryptography, I'd call that a win.

      For people who keep talking about all businesses requiring it, have you looked at how the US does SSN? For non US readers, every American citizen is assigned a number at birth, or trying to work, etc.... Congress practically shouted that this number was not to be used for anything else. Take a guess how well that worked out. Identity theft in the US basically boils down to knowing someone's name and SSN. The problem is EVERYONE NEEDS YOUR SSN. Hell, a Social Security card can be used in conjunction with a driver's license to prove US citizenship. I kid you not, since most people in the US don't have passports that's what they use. The card just has a name and a number on it. It never expires. Hell, because it's normally issued at birth there isn't even a photo.

      Now, back on topic. There are quite a few ways for this electronic ID to go bad. The most obvious is if the government or corporation has copies of the private keys. If so, then the system is useless. Another is if the government logged every authentication request. That's pretty easy for them to do.

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
  6. Re:Brilliant! by Anonymous Coward · · Score: 3, Informative

    Same AC.

    Depends on the site and the level of authentication required. INS will have a different requirement than the IRS, for instance. Different identification services will use varying levels of identification for enrollment, and FCCX will pass on the level of assurance to the relying party. It's a complex system. I don't know how the bid winners will handle the back end, but there's a lot of new tech that needs to be developed. (How do you give data to two parties without telling each who the other is, when you're not supposed to know the content of the message? Not an easy problem.)

  7. Looks like RMS was right... by karlandtanya · · Score: 5, Interesting

    http://www.gnu.org/philosophy/right-to-read.html

    Once your extreme views become fact, you're no longer a crackpot.

    --
    "Reality is that which, when you stop believing in it, doesn't go away." - Philip K. Dick