Friday, January 28, 2011

Moving ahead with reduced identities

I had lunch last week with an old colleague. During the lunch we had a good chat on NSTIC. One of the points she brought up was the education aspect - the fact that to most people this whole cyber security thing is very foreign and that there are many things that exist today that people do not realize bring additional trust to what they do online.

I have been thinking about that for a while. Especially in relation to the work that I have been doing on what effectively is credential re-use. She was correct in that most people do not know to look for the green bar in the browser indicating the extra diligence to validate the site. I think that it is a case of people not knowing why it is there and what it brings. But I also think the same is true of identity re-use. I think people do it today and do not realize it.

Now I do not mean just the re-use of driver's licenses, Social Security numbers and such but of online identities. I started to think about my own environment. I use my Google identity to use many things today - the normal Gmail, Calendar, etc., but also to log onto other applications on my iPad, laptop and Android phone. I use my OpenID to access ToodleDo and other sites, and many applications that I use leverage SAML, OAuth and OpenID to allow me to take advantage of credential re-use. Of course in a lot of these cases I also see Facebook and Twitter options for login, so I have to imagine that people are using these rather than creating yet another account.

I think the strength and advantage of NSTIC is the possibility that in a few years I will be able to do all my online functions using a small set of identities. I may always have that Yahoo mail address so getting rid of all but one is unlikely but if I can get to 3 that would be great. And at that point I hope I will be able to do what I do today with my OpenID identity and use functions like CallVerifID when the transaction calls for that level of additional authentication.

So yes there is possibility - and now we just need to decide which we need to do first - get infrastructure available or get people educated as to what they can do today as a starting point.

Some things for thought .... I hope.

