I was reading an interesting article today from Aviation Week on airport security screening. Of course we all have heard about, and large numbers of us have complained about, the recent changes at the airport. We jockey lines to try and avoid the full body scanners and possible pat-downs. I know most people are not doing this to avoid security but to avoid embarrassment or at least perceived embarrassment. This article made me think more about identity and traveling and some of the work that is being done today to improve identity and authorization decisions within the government sector.
We all have heard that air travel is a privilege - one generated out of the convenience of time. I can go anywhere without having to fly - it just may take a lot longer. In that vein I begin to wonder if people are ready to accept the need for better identity assurance at a security screening checkpoint to make traveling easier and maybe safer. What if we had a card based credential that allowed a user to scan the credential prior to entering a metal detector? The credential would ideally carry the same level of assurance of any ICAO travel document and could be issued by a nation, such as a passport, or could be issued by the private sector. The traveller would scan their card immediately before entering the metal detector. While the traveller is passing through the scanning device an automated check of the credential would allow personnel to know if the credential presented was valid and combined with the visual check of the card would allow match of person to the credential. Using this combination could increase the level of assurance of identity of the traveller. If the credential does not properly validate then some additional screening could be performed.
If we take it one step further we could incorporate some of the work being done in the government with Backend Attribute Exchange, aka BAE, which would allow the system to reach back to the credential issuer or potentially a National Travel Blacklist, to see if there are any reasons to further screen the individual. These checks could be performed in seconds, the time it takes for a person to step through a metal detector and make it through the security area.
Of course in such a idealized system one would need to consider the issues of privacy and the need to ensure tracking information is not being maintained in the system. Integrity and availability of the system would be critical to ensure minimized additional screening. For the frequent, trusted, traveler this may mean a faster and easier trip through security at the airport and could provide a basis for a system that adds to the security environment for all air passengers.
Something to think about.
- Posted using BlogPress from my iPad
Some personal thoughts on improving security for users of online services.
Wednesday, February 9, 2011
Sunday, February 6, 2011
Mixed Messages
The beginning of this past week I was getting on a plane to head to the left coast when I saw, what I thought was, a good piece on Headline News on the National Strategy for Trusted Identity in Cyberspace aka NSTIC. It was a quick overview but they seemed to have gotten the message right - that it was an effort to get industry to improve the capabilities for online identity. The idea around NSTIC is that the government and industry would work together to define/refine standards to ensure that it was not a set of stovepipe identity solutions that could not interoperate; work together so that the systems would be secure; and to, in the process, protect privacy as appropriate.
I was somewhat encouraged - mainstream media had seemed to actually understand the effort .... and then a few hours later I saw the headline Why You Should Trust Apple More Than the U.S. Commerce Dept. With Your Universal Online ID
POP goes the bubble. Here we have someone writing for Fast Company proposing a corporately patented idea as the right approach. Now we know that as the standards evolve there will be patent issues and, as in the past, I expect them to be resolved for the greater good, but this article seems to suggest that Commerce is going to hold your identity and everything is in the governments control. This is not the vision of NSTIC that I see, or anyone that I know and work with sees.
If you want a vision of what NSTIC is look no further than the US Government employee ID, the PIV card. Here a standard was developed for internal government use. It had technical and policy aspects and required the use of Government run or Government contracted identity providers. But then industry realized that the technical specifications of the card provided a good base for non-governmental people. What happened next - well government and industry worked on refining the standard for non-governmental work. The identity issuers were now private industry. The card issuers we now private industry. The only thing the government did to stay involved was to crate a test program around the standard that would ensure that the credential could be trusted ... and PIV-I was born.
This is what NSTIC envisions - a public-private partnership where good standards are made better through joint discussion; testing programs are put in place to ensure that products and services meet a set of standards and private industry provides these products and services to the masses.
How hard is that to understand? I hope Fast Company spends some time researching so they can criticize where it is deserved.
- Posted using BlogPress from my iPad
I was somewhat encouraged - mainstream media had seemed to actually understand the effort .... and then a few hours later I saw the headline Why You Should Trust Apple More Than the U.S. Commerce Dept. With Your Universal Online ID
POP goes the bubble. Here we have someone writing for Fast Company proposing a corporately patented idea as the right approach. Now we know that as the standards evolve there will be patent issues and, as in the past, I expect them to be resolved for the greater good, but this article seems to suggest that Commerce is going to hold your identity and everything is in the governments control. This is not the vision of NSTIC that I see, or anyone that I know and work with sees.
If you want a vision of what NSTIC is look no further than the US Government employee ID, the PIV card. Here a standard was developed for internal government use. It had technical and policy aspects and required the use of Government run or Government contracted identity providers. But then industry realized that the technical specifications of the card provided a good base for non-governmental people. What happened next - well government and industry worked on refining the standard for non-governmental work. The identity issuers were now private industry. The card issuers we now private industry. The only thing the government did to stay involved was to crate a test program around the standard that would ensure that the credential could be trusted ... and PIV-I was born.
This is what NSTIC envisions - a public-private partnership where good standards are made better through joint discussion; testing programs are put in place to ensure that products and services meet a set of standards and private industry provides these products and services to the masses.
How hard is that to understand? I hope Fast Company spends some time researching so they can criticize where it is deserved.
- Posted using BlogPress from my iPad
Location:the stratosphere
Subscribe to:
Posts (Atom)