Trusted internet identity [LWN.net]

By Jake Edge
January 12, 2011

The US government has recently been pushing a scheme to create some kind of "trusted" identity for people to use on the internet. At a meeting at Stanford University on January 7th, US Commerce Secretary Gary Locke outlined the problems that he perceives with trust on the internet and how the creation of "trusted digital identities" might alleviate those problems. There is likely some truth in what he says, and trusted identities could well fix some of the problems. Unfortunately, when looking at it from a privacy perspective, that kind of scheme is likely to cause more problems than it solves.

The threats that Locke describes are fairly well-known: "data breaches, malware, ID theft and spam". It's not exactly clear how a trusted identity would fix any of the problems he lists, but that's not really his role. He is trying to build a groundswell of support for these identities, but he is also being rather disingenuous when he says things like:

Let's be clear. We are not talking about a national ID card. We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.

PRIVACY Forum moderator (and long-time privacy advocate) Lauren Weinstein has been following this plan (which originates in the US Department of Homeland Security) since at least last June. As he points out, the entire trusted identity scheme rests on those identities being linked to government-issued IDs like driver's licenses or social security numbers. While Locke might be technically correct about national IDs, he is playing rather fast-and-loose with the reality as Weinstein notes:

This entire scheme rests on the ability to link Internet presence/roles with real-world identities. So even if no physical card ever exists, the system as currently understood would very much equate to a national ID card for accessing the Internet.

There are the obvious problems with linking internet activity back to a particular "meatspace" identity, not least that it removes the ability to do some things anonymously. Those records will be an attractive target for fishing expeditions by law enforcement of various sorts. One need not look any further than the current attempts to track down Wikileaks members and supporters via Twitter records as an example of how this kind of data might be misused.

At the meeting, White House Cybersecurity Coordinator Howard Schmidt said that there is no chance "a centralized database will emerge". Even if that's true, it won't be terribly hard to reconstruct an internet trail from distributed databases if the ID is tied to government-issued credentials.

Trusted IDs would also be a juicy target for identity thieves. In short, these IDs suffer from privacy and control issues that have been identified for decades by people like Weinstein and organizations like the Electronic Frontier Foundation. While Locke may be giving lip service to some of those longstanding concerns, it is pretty clear that, at least so far, there is no real intent to address them.

There is also a question of how free software fits into this puzzle. Is presenting a trusted identity going to require running proprietary code? Is it going to require running a Trusted Platform Module attested operating system as well? The latter is clearly something that Microsoft and Apple would be happy to see, but it would run completely counter to the ideas of free and open source software.

Ars technica digs in to some of the technical details of the most recent draft [PDF] of the proposal. That analysis certainly doesn't alleviate any of the issues that Weinstein raises, and in fact raises a few others, such as:

In stage number six, the project will address the "liability concerns of service providers and individuals." It looks as though the project will create rules for the system that allow for the fixing of security breaches without everyone suing each other's brains out, perhaps something like the Digital Millennium Copyright Act's safe harbor provisions. The last three stages involve promoting and improving the Ecosystem, including offering loans, tax breaks, and insurance grants for early adopters.

Another draft is due in the next few months, and Weinstein is not very optimistic:

Revised details of the Internet "Trusted ID" NSTIC plan will reportedly be released within a matter of months. Perhaps there will be wondrous revelations that will transform my current very dark view of the proposal into a ringing endorsement.

Unfortunately, I very much doubt that this will be the case. I wish I did not have to be so cynical and concerned about this project. Contrary to some observers, I don't feel that the proponents of this plan are evil or stupid, nor that their motives aren't in large measure essentially laudable.

But a lack of evil and stupidity does not eliminate short-sightedness, foolishness, and priorities run dangerously amok.

Schmidt is also pushing the idea that acquiring a trusted identity would be voluntary, but if the system gets put in place it's a little hard to believe it will be. The internet is playing a bigger and bigger role in our lives. If the US government succeeds in this plan, it's not hard to imagine that it will be difficult to do anything of consequence on the 'net without having such an ID.

This is an issue that bears watching. One might be forgiven for cynically noting that our best defense against this plan may be the government bureaucracy itself, as it will undoubtedly take some time—perhaps on the order of years—for a proposal like this to actually get implemented. In the meantime, though, privacy advocates and free software users should be making an effort to clearly show the problems inherent in this trusted identity scheme.

(Log in to post comments)

Trusted internet identity

Posted Jan 13, 2011 5:09 UTC (Thu) by wahern (subscriber, #37304) [Link]

Almost 10 years ago I bought a Schlumberger Cryptoflex crypto card. It had secure on-board signing (i.e. it wasn't just a fancy flash drive w/ a password) and a builtin USB controller--you could pop out the chip and insert it into a tiny USB adapter thus creating a keyfob. I bought a pack of 5 for $10 or $20.

Not then nor now is it even remotely possible to use the thing conveniently with Free Software (and I've never tried with Windows or OS X). Almost every part of the necessary stack is missing, broken, or in hopelessly poor shape. (Although notably Mozilla then and now still seems to maintain their PKCS11 support.)

Even the most obvious use, SSH, is still wanting. OpenSC still exists--after being temporarily abandoned for a couple of years, I think--but is still about as useful as it was--not very, and definitely not plug-and-play. OpenSSH support is still mystical. Some sort of PKCS11 support seems to have finally been merged, but I haven't heard much about it (I'm on the mailing-lists), and certainly I wouldn't even know how to begin to get it working on my OS X laptop. (The ssh-pkcs11-helper manpage is basically a stub, and from a cursory look of the source it seems it in turn punts to OpenSSL.)

Even worse I think that there are _fewer_ cryptocard products on the market than when I originally bought my Cryptoflex card. I think the entire industry may be in worse shape today than yesteryear. (Notably, however, there's now a chip with an attached LCD screen so you can see and physically authorize--with a button press--key operations: http://www.ftsafe.com/products/interpass.html. That was the cool feature I was hoping would be one day added because inserting and removing the fob everytime I logged in somewhere would be burdensome, but keeping it plugged in means anyone who rooted your local machine could use it.)

I would love to be able authenticate over SSH and HTTPS hosts with my cryptocard handling key negotiation. But it seems less feasible today than ever.

Using closed source applications for this, however, is definitely out of the question. Too many brochures, and too many applications, spoof functionality by merely saving keys to the flash drive. Often they seem to do this even if the card actually supports onboard key operations. Without Free access to the source you could hardly trust what the software is actually doing. The same applies to the hardware, but that's almost the least of the current issues.

Trusted internet identity

Posted Jan 13, 2011 13:09 UTC (Thu) by ortalo (subscriber, #4654) [Link]

Yep that's enough for some applications. Especially for tax returns declarations. (We have the same kind of scheme - albeit with centralized certificate delivery - in France and it is pretty successfull too.) But well, that's enough trust because declarations are declarative after all.
Do you have enough trust in such a certificate to use it to provide "write" access to your bank account, to provide read access to a personal medical record, to unlock your home? (Maybe btw, I am not trying to diminish the interest of such things - just trying to challenge them a little.)
First of all, from my point of view, I would like to have several different keys for these different things, not just a single one. And I'd like to be able to generate myself some of these keys and share them in different ways. Today, that's not so easy to achieve all these objectives easily.

But sure, for some applications, we have readily usable tools much better than SSN+birthday.

Trusted internet identity

Posted Jan 13, 2011 14:48 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

It's certainly possible to have multiple keys for a person (I have several). Of course, they are all linked to me by my tax ID number.

And yes, I actually use one of them (on a USB hardware token) to work with my bank account. In theory, just one key can be enough, if it's securely locked into hardware device with good security.

Trusted internet identity

Posted Jan 13, 2011 8:30 UTC (Thu) by madhatter (subscriber, #4665) [Link]

enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.

The first part of that is suspect; I've never known privacy to be enhanced by the centralisation of anything.

The second is just downright annoying. There's already a perfectly good mechanism for reducing the need for end-users to memorise loads of usernames and passwords, and it's OpenID. But as others brighter than me have observed, commercial sites don't like it because it puts control squarely back in the hands of the users (denying the site owners the opportunity to make money from their users by collecting saleable data). As a result, uptake has been slow.

Any government serious about the desire to reduce the multiplicity of logins available, and who was minded to throw its weight behind some scheme to achieve that, could mandate instead the use of a decentralised identity system (OpenID is one such, but there are others) alongside regular logins. But of course, just as these systems move control out of the hands of business owners, they move it out of the hands of government, too. The only people that have any interest in seeing take-up of such a system are us, the users, and who's asking them?

Trusted internet identity

Posted Jan 13, 2011 8:50 UTC (Thu) by Frej (subscriber, #4165) [Link]

In denmark we have had national identity number since 1968, (stored as magnetic tape records!), and no genocide has happened yet or any known misappropriation.

In general I think fears are overstated when compared to the usefulness for actually limiting the amount of bureaucracy. But i know that cultural acceptance of central governance is quite different in the US :).

What it doesn't do is secure identification, i think most people understand this, but it lessens administration and provides a huge boon to researchers in health and economics. We can get fairly accurate (factual) knowledge instead of speculation, and not doing a manual census across the country which much require quite a lot of money as well ;)

We used to have digital certificates (Xv509) for the last 3-5 years as an online identity/signature when doing anything related to tax, education etc. online. But it was deemed to hard to use, (browsers suck at implementing certificates, somebody fix this!). So we got a new system. Which i'm not entirely happy about.

The 'plot' consists of lobbying from banking industry, who really wanting to get into the business of being identity providers. So we got a new system which are used both for accessing your bank account and contact with government. However it does use two factor authentication (you get a a paper card with ~150 preprinted numbers), so it is more secure for all practical purposes (real users). But now it requires special software for signing mail. (And thus only thunderbird was supported... stupid).

Secondly the private key is then stored centrally, they claim all sorts of hardware crypto to secure access, but theoreticly it is a pretty bad architecture.

Also it sucks for signing data and email (ie, to your local county), since it currently requires special software support. Standard certificates doesn't, but it is just too hard to use :(. This is really bad. But i think it will be possible to generate a limited certificate and some later data, for specific uses like email signing. Further I would love if they didn't force you to use one identity provider, sadly they don't. I think that is the biggest mistake of the current policy.

But what does it solve? I can do everything online, securely and with a minimum of hassle (If it wasn't for the damn paper card. I know it's more safe but it is so cumbersome, even if it only takes about one minute more, and requires me move physically!! ;). But an online identity saves me time, saves time for the other part (government), and thus my puny amount of tax money is spend on other things than bureaucracy. Like hiring more comp.sci people to build such a system (yay!) ;)

Trusted internet identity

Posted Jan 13, 2011 19:07 UTC (Thu) by drag (subscriber, #31333) [Link]

> In denmark we have had national identity number since 1968, (stored as magnetic tape records!), and no genocide has happened yet or any known misappropriation.

In the USA we have a thing called the 'social security number'. Which is our identity number that is not a identity number, but actually really is used as a number that identifies you.

It pre-dates your number by 32 years.

> But i know that cultural acceptance of central governance is quite different in the US :).

If you had a representative democracy that has been around for over 200 years and has turned into our government then you'd probably have a much better idea as to why this attitude is common. Try fluctuation between the Clintons and the Bushes as your 'supreme leader' for a couple decades. :P

Not to mention certain underlining attitudes subconsciously inherited from our grandparents and great grandparents who wanted nothing more in life but to get the hell out of Europe. ;)

Trusted internet identity

Posted Jan 16, 2011 23:34 UTC (Sun) by job (guest, #670) [Link]

200 years? Unless you are female of course. Or in jail. Questionable democracy, in my view.

Trusted internet identity

Posted Jan 23, 2011 2:38 UTC (Sun) by ccurtis (guest, #49713) [Link]

... or negro, or if your local ancestry traces prior to 1492, etc.

Of course, it's not a democracy at all; it's a republic. The extensions of suffrage do seem to have exposed the soft underbellies democracies use to self-destruct, but that may merely be coincidence.

Trusted internet identity and privacy

Posted Jan 13, 2011 12:18 UTC (Thu) by bud (subscriber, #5327) [Link]

I'm pondering these days about privacy issues of digital identities and wanted to bounce off some thoughts to see what feedback I get on this.

I've been active in the European scene of government-issued eIDs for some time (and have promoted the use of open source) and am participating in a European Thematic Network that gives input on where Europe should be going in the area of digital identities. So I have a natural interest in the U.S. NSTIC effort.

I full-heartedly subscribe the objectives which I think are defined really well. Reaching these objectives is certainly very ambitious and challenging and what can be achieved is all to be seen.

Acceptance by users is IMHO the most critical factor to success--and privacy is a key issue in this. (As is clearly stated in the NSTIC document).

After this introduction, here some thoughts that I would like to get feedback on.

We are on the brink of an era where much of our activities are moved from the physical world into the virtual world of cyberspace. Identity is intrinsically linked to virtual activities and we cannot avoid it but have to try to get it right.

In my view, there are two important differences between the physical and the digital world:
* selection (restriction) of audience
* life-time of information

In the physical world, every activity takes place in a certain location that controls the audience who can observe our actions. Someone may speak at a public conference that has press coverage, or have a beer at a bar with her friends. The choice of a location restricts the possible audiences we have and we typically chose different modalities of behavior in different places: For example, language or dress-code that is perfectly acceptable in one location, may be totally unacceptable in another.

The second point is one of life-time of information. In the physical world, the imprints of our actions fade away with time. People forget (forgive), even paper articles disappear in unsearchable paper archives and collect dust. Cyberspace is VERY different and it (potentially) never forgets. Each of our imprint is un-deletable and remains for life (and beyond, just that we may care less afterwards).

Because of these intrinsic differences between physical and virtual worlds, the consequences of our actions may be vastly different. If I drank a beer too many one night at the bar with my friends [which in this wider audience I have to disclaim is purely hypothetical and has never happened], consequences are none or very limited and will be forgotten in a couple of days. If I do something equivalent on some social network, it will be found by a potential employer who mines my behavior and I may not get that job I really need. This negative imprint in cyberspace may not even be true but falsely claimed by someone else...

Evidently, identity, and linking imprints based on identity, is the key problem in this area.

It seems to me that most things in cyberspace are public or close to public since many are clear text in the first place, others are "private" in the hands of third parties whose security meant to protect privacy is insufficient to withstand attacks, policy changes, commercial interests, or national security interests. I personally believe that once it's out there, it can be accessed (maybe not by everyone, but possibly by some who we don't like to know and for purposes that are not in our own interest).

I think for our personal well-being, it is important to have private places to retire to and save harbors where we can refuel before sailing again in the open seas. We have to find ways of doing this in cyberspace too.

The only way I see to achieve this is that we use multiple (digital) identities for different "virtual locations" that are not linkable. We need to have a free choice of an unlimited number of possibly pseudonimous or anonymous identities. This is not because we have something to hide, because we engage in illegal activities, but because this is a normal thing in our daily life experience in the real world.

(BTW, this is not my invention but called "partial identity", a term created by the FIDIS network some time ago).

I'm looking forward to get your reactions on this.

important Credit

Posted Jan 13, 2011 13:02 UTC (Thu) by bud (subscriber, #5327) [Link]

While I gave credit to the FIDIS network [1] for "partial identities", I forgot to mention that the Austrian Government has pioneered the approach of unlinkable, sector-specific person identifiers [2] both in their legislation and in their Citizen Card (that provides a digital identity).

[1] http://www.fidis.net/
[2] www.a-sit.at/pdfs/rp_eid_in_austria.pdf

Trusted internet identity and privacy

Posted Jan 13, 2011 13:44 UTC (Thu) by ortalo (subscriber, #4654) [Link]

Personnally, I would say "of course".

Of course we need several independent "identities" for different usages of computers. In fact, by the way, I would rather say that we use different independent sets of access rights with different security constraints on them, than true different identities (even virtual ones).
We need those because we do not deal identically with our identification toward friends, colleagues, public services, banks, children and family, merchants (different kinds of them), opposite-sex friends, police, democratic governments, other governments, parents, etc. And we do not want our computer(s) either to operate identically in all those usage contexts, especially by using the classical single whole-system-wide user ID authenticated once at connection-time and created once upon a time by a generic 'admin'.

But I would even say that we also need more than "simply" several "named" sets of rights (or identity if you want). We also need identities shared by several people (think to document validation in most companies, big or small, families identification). We need to be able to copy some of them or split them (think to real door keys you share with your family or children). We need to be able to destroy them easily in some cases (and conflicting opinions may have to be arbitrated ;-). In other cases, on the contrary, we need third parties (possibly even a government) to guarantee their persistence and level of trust at the highest possible level.

Note by the way that I have sayed "named" sets of rights. Not "authenticated". In some cases, we do not even need these names to be authenticated - we do no need trust in someone else identity. We just want to identify them. (Well, with some level of trust maybe, but nothing that cannot be done well enough even without a true authentication procedure, especially a password.)

So, for me, saying we need several IDs (or certificates) is just the first step. It's nice because it has allowed us to understand that we need to reach another level. But not yet enough to build the stair needed to go there.

What I think is needed now are new distributed authorization and authentication servers, with an extended set of new functionalities: several different authentications, several authorization schemes, etc.
After all, Kerberos is rooted into 30 years-old work - and never really adressed the authorization aspect. Maybe that area deserves a specification update.

What's annoying is that nobody seems interested in seriously helping even only the specification phase. (Many people are interested in security as a domain, but most fewer are interested in doing actual security work.)

liability for financial losses

Posted Jan 13, 2011 15:11 UTC (Thu) by bud (subscriber, #5327) [Link]

I would like to make two comments:

Financial losses are not the only type possible. Loss of reputation or un-reparable disclosure of personal data (e.g. some medical condition) are very difficult to measure in financial terms and possibly way more harmful.

I believe we should make an effort to evolve from a view where a service provider enrolls people and issues a credential to one of an ecosystem, where enrollment/credential issuance may be reused by many service providers/relying parties. This complicates significantly at determining who is to blame for a loss.

The idea of an ecosystem is also that not every player has to absorb the full cost of a digital identity. The secure enrollment of a person is probably the most costly [1] of all, the issuance and maintenance of a secure token (e.g., a smart card) is very costly too. In an ecosystem, it should be possible that enrollment and token issuance is done once or few times, and then reused by many.

Evidently, plain (very) old X.509 certificates with the equivalent of a Social Security Number as part of the Subject CN, would make such a sharing impossible, unless people would accept to have no privacy at all. More modern approaches that protect privacy are necessary.

[Note 1] Enrollment for a typical government-issued European eID in several countries means that the applicant has to appear in person, that the identity is verified against a population registry, and sometimes that biometrics is used to prevent double-enrollment. Obviously this is the extreme end of the scale; but why redo enrollment and not find ways to derive (unlinkable) potentially pseudonimous or anonimous identities with guarantees for example that a real person of a certain age range is behind it. (Privacy Commissions in Europe run some Anonimization servers and I personally would trust them to derive an anonymous identity from my full government-issued one).

liability for financial losses

Posted Jan 13, 2011 15:26 UTC (Thu) by ortalo (subscriber, #4654) [Link]

I find the scheme you present really interesting.

I wonder if it's really necessary to root such schemes always into a government-issued identity. We certainly need one rooted like this (for public services and official use) maybe even 2 (one for police and control, another for social service, education and healthcare), or more.
But we may have the usage of entirely separate ones IMHO. That fits well with your idea of an ecosystem IIUC, but maybe not with the kind of security underlying hierarchical schemes or PKI.

liability for financial losses

Posted Jan 13, 2011 15:33 UTC (Thu) by michaeljt (subscriber, #39183) [Link]

> Financial losses are not the only type possible. Loss of reputation or un-reparable disclosure of personal data (e.g. some medical condition) are very difficult to measure in financial terms and possibly way more harmful.

Are you referring to loss of reputation or disclosure of personal data due to an imposter obtaining personal information about you by masquerading as you online? If so then even if you can't necessarily measure the damage financially you could still establish some sort of penalty for the people who failed to check your identity properly (in those cases in which there isn't one currently, as most places should have one in place for improperly disclosing medical information).

> The secure enrollment of a person is probably the most costly [1] of all, the issuance and maintenance of a secure token (e.g., a smart card) is very costly too.

I would have thought that re-using existing systems of secure enrollment (like your example below) should be possible today. Here in Germany for example, you can open an account at a bank without appearing in person by having a post office confirm your identity to the bank. And a mobile phone can replace a secure token (like the "MTANs" used by banks) in situations in which five to ten cents is an acceptable price for a secure transaction. Provided of course that you can easily block the phone (as in prevent SMSes from reaching it!) if it is lost or stolen.