NSTIC – Update From NIST and Roundtable

From IIW

Session Topic: NSTIC: Update from NIST & Roundtable

Tuesday 4E

Convener: James Sheire

Notes-taker(s): Kaliya Hamlin

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

NSTIC = National Strategy for Trusted Identities in Cyberspace

It is the national strategy to form an ecosystem where people can voluntarily choose an ID and log in.

Privacy, interoperability, user-friendly, more secure ---> users have to create dozens of accounts.

Problems it seeks to address: re-use of passwords over and over.

They (the NPO, National Program Office) are facilitating a private-sector-led group.

The purpose is to create the policies, rules, standards and framework that govern the interactions in the ecosystem.

Getting federal government programs to be early adopters and use third-party credentials.

Access to government services, e.g. filing a Medicare claim.

FCCX (Federal Cloud Credential Exchange, pronounced "F6"): service users log in with approved credentials, choosing from IdPs that are approved.

Q: Do any of them let users control their ID?

A: At higher levels of assurance, it must be bound.

Vouch for Individual

What about allowing users to vouch for themselves, where the individual holds externally vouched-for attributes?

Dialogues will emerge on different efforts.

LOA (Levels of Assurance) 1, 2, 3, 4

Digital Certificates of Proof

The hardest part is the business process - record keeping etc.

Robin: HIS model, a brokering system where the credentials themselves come from a bank.

Update: it becomes an independent entity with its own capabilities, a 501(c)(3).

  • Comment from the crowd: "so it is a charity"

IDESG (Identity Ecosystem Steering Group) will have funding through grants.

FCCX (USPS, contract with SecureKey) to build the hub: processes for ID and for departments who will plug in.

It has better privacy capabilities.

It will have a consistent experience for citizens. <---starts new behavior

What is the business model for FCCX?

  • Cost reduction
  • Agencies will/do subscribe
  • Tired of paying for proofing vs. authentication again and again.
  • Payment for Authentication.

Question: Do states get involved?

  • Legislation to expand

Struggling with attempts to integrate access via a single ID.

Citizen authentication strategy

Virginia DMV

others HHS (Health and Human Services)

Hurdle 1: create a place for one credential.

Then 2: accepting third-party credentials.

Requirements: verify eligibility.

Ken K.: 700 credential service providers

  • not approached about getting $

Jim's comment: agencies want identity proofing; want to be stateless.

Tensions and challenges: ID resolution. Do I have the right dataset?

As CSP (credential service provider)

They don't have all the attributes they need - even if we had moving them in back.

The way NSTIC coordinates with ONC (Office of the National Coordinator for Health IT):

See potential.

Trusted ID = better proofing of ID, better security + privacy options.

How the same patient at one place is the same patient at another place.

Inora Healthcare: third-party private access - Google, MSFT.

Personal Health Records


What does that mean?

  • Standards?
  • how you do it?

Direct Protocol - well established

Digitally signed email

RESTful health exchange

Featured speaker: ONC

Awarded 12 pilots to catalyze: 2 states, 10 innovations.


Great way to meet pilots.

Round 3 is being announced in early fall.

Might have a 4th round.

Question to facilitate.

Market 2011 - when issued; where now?

Mobile Device

OpenID Connect is the answer

Of course privacy gets a lot of attention.

Real marketplace competition

Wanted to stimulate a broad spectrum of identities to choose from; a greater level of offering.

In the coming year: write framework requirements

  • work
  • intention
  • resources

It's a "round table", always looking for feedback.

2 schools of thought - credit agency, VRM proofs

Look at the Scandinavian model.

The truth about NSTIC - what is a trusted (verified) ID

Financial services - ID proofing/authentication

Three aspects

  • Session
  • Authentication
  • ID

They are different

Pilot in NY with Broadridge

IdP -> KYC

  • attribute
  • exchange
  • networks

Timeframe 2010-2011: IdP "does" everything.

My thought while listening: what to do to create a real learning community?

Power / Info Asymmetry

with IdP / AP / Relying Party

Why FB made the change: fine grain.

In-depth privacy assessment

one for internal / one for external

They are now enabling anonymous login; sell in aggregate form to the latter.

NSTIC language "unobtrusively" IdP

FCCX - double-blind unobservability

Still a lot to be done to have consumers fully participate in the value of data.

Privacy enhancing workshop series at NIST

Full value exchange

How to leverage against include services

changing user expectations