IAB Teleconference (Techchat)
1. Roll-call, agenda-bash, administrivia, approval of minutes
Ron Bonica (IESG liaison to the IAB)
Alissa Cooper (incoming IAB)
Joel Halpern (incoming IAB)
Russ Housley (IETF Chair)
Olaf Kolkman (IAB Chair)
Dow Street (IAB Executive Director)
Tim Polk (NIST)
Lucy Lynch (ISOC)
Aaron Falk (IRTF Chair)
Lynn St.Amour (ISOC Liaison)
Vittal Krishnamurthy (IAB Scribe)
No agenda items were added.
No administrative items were discussed.
1.4. Meeting Minutes
No meeting minutes were reviewed during this call.
2. Techchat on USG’s Evolving Identity Eco-System and NSTIC
Tim Polk led the IAB in a discussion of the U.S. Government’s National Strategy for Trusted Identities in Cyberspace (NSTIC), and the larger identity ecosystem that is evolving for the web. He opened the discussion by stating that web identities are the focus at present, and that many of the technologies needed to make this effort successful will come from the IETF.
Tim walked through a set of slides, beginning with a short history of the identity landscape. A long standing goal has been to move away from passwords, and to develop approaches that provide a range between anonymity, privacy, and security. He summarized the early FIPS-112 work, and then described the move to X.509 schemes. As these technologies were deployed there were a variety of policy challenges that emerged. He then described the OMB M04-04 and SP 800-63 documents, the latter of which came to be seen as sufficient guidance as long as an agency wants to issue their own credentials. Many do not, however, and a lot of work is needed if another agency’s credentials are to be used. He also noted the broad public resistance to schemes that appear to head toward a national ID card, or a ‘driver’s license for the Internet’. As such, most use of this technology so far has been limited to government agencies and controlled data stores, rather than more public-facing uses (e.g., taxes, voting, etc.)
The board discussed the various disincentives for commercial use of stronger authentication, such as the liability that can be incurred. For businesses it is much easier to conduct a cost-loss assessment, and in many instances there is not an incentive to deploy schemes that depart from ‘industry standards’, even if the scheme is more secure. For similar reasons there are potential liabilities involved with using another organization’s credentials, or encouraging or authorizing another organization to use one’s credentials, so this has resulted in most organizations issuing their own, and staying with those of lower cost and within business norms (i.e., passwords). Bernard pointed out that in the private sector the cost of any losses due to fraud can simply be passed on to the consumer.
Tim went on to describe the use of strong credentials between government agencies and their partner companies, especially in the aerospace and defense industries. For these uses there is no real need for or interest in privacy, so the requirements are different than those for the web at large. Hannes pointed out that it is the combination of the password and the authentication mechanism that matters; weak passwords on top of a strong authentication system can work reasonably well, maybe even up to the needs for financial information, health records, etc. Tim agreed that it is the act of associating a credential with a human that is the difficult and/or expensive part of the operation. This led to a discussion of leap- of-faith models, where stronger schemes can be added based on an existing (weaker) credential, thereby avoiding the need to re- associate a credential with a human actor.
The meeting closed with a discussion of the IETF role in this area. It was suggested that the IETF continue to focus on credential issuance, ensure that protocols are developed in a credential-agile manner, and to support privacy-enhancing technologies whenever possible. The group considered various models for trust frameworks, and how they apply to IETF protocols in different business cases. Hannes used SIP as an example where the designers made some assumptions of what federations would look like, but then the commercial use went in a different direction.
Tim noted that there will be a series of workshops coming up; he will forward information once it becomes available. He added that NSTIC has strong industry support, so he expects it will see solid funding in the upcoming budget. The health care industry has been one area where stronger credentials are beginning to be deployed, but so far it has been primarily between providers and clearing houses, not end user services. He noted that HIPAA does create some disincentives to do something innovative if it falls outside of industry standard practices. In other areas health care has lagged behind the best practices of other industries, such as in securing wireless networks that carry sensitive patient information.