
White House Proposes Vast Federal Internet Identity Scheme - wglb
http://lauren.vortex.com/archive/000725.html
======
tptacek
This is the third story posted to HN about the same pie-in-the-sky
unicorns-and-fairy-dust identity scheme. Every official workshop ever done on the
Internet identifies lack of authentication and identity management as one of
its top three weaknesses --- going all the way back to Clinton and Magaziner.

(Since these are never conducted by engineers or, for that matter, competents,
nobody ever notes how this "problem" harmonizes with the end-to-end
argument).

In no alignment of the planets and on no floor of the Alamo including the
basement is the government going to solve the identity problem by fiat. The
company that manages to come up with a tractable solution to this problem is
going to be giving out $100 bills as conference tchotchkes.

~~~
gfodor
A good argument can be made great by working in a Pee-Wee Herman reference.

~~~
JohnnyBrown
Sure, this is being proposed by clueless incompetents. But the worrisome thing
is that they are wealthy powerful clueless incompetents backed by people with
guns, and this is the world they want to live in.

~~~
orangecat
The scary thing is that something like this isn't entirely impossible to
implement. Especially once 95% of the population is using appliances like
iPads instead of general purpose computers.

~~~
tptacek
Yes. First they replace the world wide web, the largest single coherent
computing resource in the world, with the iPad, a device that represents
fractions of a single percentage point of the computer market. Then: they take
over the world!

------
vault_
Assuming you could convince everyone that this was a good idea and that
anonymity/neutrality wouldn't be an issue, the federal government is the last
group of people I'd trust to design this scheme.

------
protomyth
Give the link to your Christian activist friends and point out Book of
Revelation 13:17-18. That will get some letters and calls to congresscritters.

------
olefoo
I'm really of two minds on this topic:

On the one hand, stable legally enforced identities on the internet that
everyone has possession of would be a boon to ecommerce, they would be the
foundation for any conceivable framework for performing binding transactions
over the internet, and would drive a lot of new business, and enable new
business models.

On the other hand, mandatory public identification of everyone, even in
situations where it's unwarranted would be an Orwellian nightmare. And letting
people require trustworthy identities in frivolous contexts (equivalent to
asking people to show you their driver's license at a party, or to shop at a
supermarket) is a bad idea, an extremely attractive to ethically challenged
marketers bad idea at that.

The gripping hand of course, is that we can't not do this. As a society we
have set ourselves on the path where the benefits outweigh the risks, and the
risks of not creating a trustworthy system of identity that does its best to
guarantee both the security of transactions (non-repudiation) and the freedoms
that come with pseudo- and ano-nymity outweigh the benefits of sticking with
a broken system of partial identification, where identity theft is a simple
matter of copying the right strings to the right places.

Frankly if you read the PDF referenced in the story, it's not as bad as some
of the comments in this thread seem to think it is, the people involved have
obviously been reading Kim Cameron, and aren't completely at sea on the
privacy issues, or the social implications. That doesn't mean that this
process doesn't bear strong scrutiny, but it does give me hope that this
necessary piece of infrastructure won't get implemented in the absolute worst
way possible.

------
wglb
The site requesting public comment is <http://www.nstic.ideascale.com/>

~~~
jamesbritt
Not even a .gov site for this? I mean, why should I trust this site?

------
SoftwareMaven
I just finished reading Fatal System Error by Joseph Menn (given away at
Gartner's Security and Risk Management Summit) that brought this topic up
specifically. Good book if you want to get scared about going online ever
again. :/

The major problem with an Internet ID (from a security perspective) is that
the bad guys will still figure out how to spoof it and people will be lulled
into more complacency, since the government has solved the problem.

I was surprised at the conference how easy it is for people to get around
one-time passwords, multi-factor authentication and other "really secure"
solutions.

The problem is immense and is going to require immense investment to fix.

~~~
kabdib
And when it fails (as it will), there will be immense political pressure to
"maintain" or deny technical shortcomings, and we'll be right back to where we
started.

At least with someone like Microsoft or Apple you can constructively threaten
publication of cracks, and it is in their interest to fix things. If it's the
government, they send people with guns after you, and to some extent those
folks' employment /depends/ on the existence of cracks.

"There's nothing wrong with the Secure Internet. But we need more funding to
catch all these bad guys..."

It's what I call a recursive ecosystem trap, where the rosy picture (things
truly working) is subverted by people who can make money by repeatedly
patching what's broken, and there is no incentive to make real fixes. It's
dirty, and it works; the US prison system is a good example of this.

------
jarin
I was talking to a buddy of mine today who works for Election Systems &
Software, and he was saying that something like this is the only way we'll
ever be able to vote online.

~~~
SkyMarshal
Interesting, but I for one have no problem with never being able to vote
online. We have enough problems with fraudulent voting machines already
without throwing the Internet into that mix.

~~~
thwarted
Yeah, when discussing online voting, if it _should_ be done is often
overshadowed by the assumption that we can vote online. I'm sure that there's
some group that would consider lack of online voting to be disenfranchising
them.

------
Pyrodogg
When did the feds decide they want to compete with Facebook Connect, OAuth,
OpenID, etc.?

------
mkramlich
I picture something tied to one's SS#

~~~
narrator
I picture a hashed biometric identifier that goes in the bottom 64 bits of
your IPv6 address, every time you do anything online with any conceivable
connected device.

~~~
olefoo
If you want this porn, push this button after entering the blue text from the
image into this text field.

e.g. if that is required, hacking will be all about getting other people to
issue the dirty bits for you, and leave their fingerprints all over the
evidence.

------
zeynel1
This appears to be very close to what is parodied here
<http://news.ycombinator.com/item?id=1458066> "Before signing on, please
ensure you have received your RealIdentity card from local authorities."

