Four industry leaders break down the importance of online credentials
19 December, 2011
There have been many discussions about digital identities and online credentials in 2011. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is picking up steam and organizations are seeking to further secure IT networks as threats from hacking increase.
But questions and uncertainty abound. What are digital identities and how do they work? Will one credential work with another? How will they impact privacy and help address regulatory compliance?
In light of these and other pressing questions, Re:ID editors asked some of the leaders in the space to share their thoughts and vision for online ID.
Participating in the roundtable are: Jeremy Grant, senior executive adviser and manager of the National Program Office for NSTIC; Mollie Shields-Uehling, president and CEO at SAFE-BioPharma; Judith Spencer, former co-chair of the Federal Identity, Credential, and Access Management Subcommittee at the U.S. General Services Administration and now CertiPath’s policy management authority chair; and Scott Rea, board member and director of operating authority at the Research and Education Bridge Certification Authority (REBCA).
CertiPath, SAFE-BioPharma and REBCA, along with the U.S. Federal Bridge, make up the Four Bridges Forum, a network of inter-linked cyber communities. The Four Bridges Forum includes all U.S. government agencies as well as the aerospace and defense and research and education communities.
Why are interoperable digital identities important and what distinguishes them from other forms of electronic identity?
Jeremy Grant, NSTIC
Interoperability is one of the guiding principles for the effective establishment of the NSTIC identity ecosystem. Interoperability is important because it provides members of the identity ecosystem with the ability to choose which credentials they want to use and how they will use them.
The majority of today’s credentials are accepted only by the institutions or communities which issue them. This results in many users and organizations having to maintain multiple credentials and multiple digital IDs with multiple service providers. However, interoperable credentials allow the individual to select one or more credentials accepted by a wide variety of participating entities. Additionally, interoperability could enable individuals to use level four assurance credentials on a level one site, but do so in an anonymous or pseudo-anonymous way. Overcoming current barriers to interoperability is absolutely essential for realizing the vision of NSTIC.
Judith Spencer, CertiPath
In the physical world today we have one or two documents – normally a driver license or a passport – which we use to assert identity to a variety of relying parties. You might say these are interoperable identity credentials because they are widely recognized and trusted.
In the virtual world an interoperable digital identity is the virtual equivalent of the driver license. It is widely recognized and trusted as a valid assertion of identity. The relying parties trust it because they recognize the issuer, know the assurance level – based on an independent assessment and certification – and have access to processes that can verify the validity of the credential. For example, whether it was legitimately issued, whether it was subsequently revoked, etc.
By contrast, other forms of electronic identity are purpose-issued and trusted only by the issuing organization. In the physical world this might be a membership card or an employee ID card. In the virtual world it is generally a user ID/password issued by the relying party and valid only for access to that relying party’s resources.
Mollie Shields-Uehling, SAFE-BioPharma
Interoperable digital identities are the tools that enable regulatory and business processes to be conducted in cyberspace. They are used to protect privacy and confidentiality.
Unlike their simple electronic counterparts, digital signatures cryptographically guarantee the integrity of documents to which they are affixed. A digital identity authenticates the identity each time it is used.
In the case of the SAFE-BioPharma standard, each individual is part of an entity that has agreed to comply with a set of rules. The individual also agrees. Most other forms of electronic identity are based on self-assertion of the individual’s identity, without valid cross references to the individual’s real identity.
The regulations associated with SAFE-BioPharma digital identities meet NIST Level 3 security requirements.
Interoperable digital identities exist within legally-binding and regulatory-compliant cyber communities known as identity trust hubs. When a trust hub aligns itself with another trust hub, identities by one can be trusted within the other.
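As an added illustration (not from the roundtable or from any of the organizations quoted), the Python model below shows the three relying-party checks Judith Spencer describes above and the trust-hub alignment Mollie Shields-Uehling mentions: a credential from another hub is accepted only if a cross-certification path through a bridge exists, the issuer's certified assurance level meets the site's requirement, and the credential is unexpired and unrevoked. All hub, bridge, serial and revocation values are constructed for the example.

```python
from collections import deque

# Cross-certifications between trust hubs and bridges (each entry lists the
# parties the key has aligned with). Names are constructed for this example.
CROSS_CERTS = {
    "PharmaHub": {"PharmaBridge"},
    "PharmaBridge": {"PharmaHub", "FederalBridge"},
    "FederalBridge": {"PharmaBridge", "AgencyA"},
    "AgencyA": {"FederalBridge"},
    "StandaloneCorp": set(),  # purpose-issued credentials, no bridge membership
}

# Assurance level (1 to 4) certified for each issuing hub by independent assessment.
ISSUER_ASSURANCE = {"PharmaHub": 3, "AgencyA": 4, "StandaloneCorp": 1}

# Constructed revocation data: (issuer, serial) pairs the issuer has revoked.
REVOKED = {("PharmaHub", "0x1002")}


def trust_path(relying_hub, issuer_hub):
    """Breadth-first search over cross-certifications. Returns the list of hubs
    and bridges linking the relying party's hub to the issuer, or None."""
    queue = deque([[relying_hub]])
    seen = {relying_hub}
    while queue:
        path = queue.popleft()
        if path[-1] == issuer_hub:
            return path
        for peer in CROSS_CERTS.get(path[-1], set()):
            if peer not in seen:
                seen.add(peer)
                queue.append(path + [peer])
    return None


def accept_credential(cred, relying_hub, required_level, today):
    """Apply the relying-party checks from the text: recognised issuer, sufficient
    assurance level, and current validity (expiry and revocation).
    Returns (accepted, reason). `today` and cred["not_after"] are YYYYMMDD ints."""
    issuer = cred["issuer"]
    path = trust_path(relying_hub, issuer)
    if path is None:
        return False, f"issuer {issuer} not reachable through any bridge"
    level = ISSUER_ASSURANCE.get(issuer, 0)
    if level < required_level:
        return False, f"assurance level {level} below required level {required_level}"
    if cred["not_after"] < today:
        return False, "credential expired"
    if (issuer, cred["serial"]) in REVOKED:
        return False, "credential revoked by issuer"
    return True, "trusted via " + " -> ".join(path)
```

Note that a level-four credential from AgencyA is accepted at a PharmaHub site requiring only level one, which is the cross-assurance use Jeremy Grant describes above.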
Scott Rea, REBCA
Interoperable digital identities enable their holders to participate in multiple trust infrastructures with a single set of credentials. This provides cost savings and convenience to credential holders, who do not need to go through the multiple identity validation processes associated with credential issuance, do not need to manage multiple credentials – i.e. revocations, renewals, expirations, etc. – and can enjoy the convenience of single-sign-on operations across multiple environments where this is supported.
This also provides lower operating costs to communities and organizations either issuing the credentials or relying upon them, which can also be passed on to the participants.