
With passwords "broken," US rolls out Internet identity plan - evo_9
http://arstechnica.com/tech-policy/news/2011/04/with-passwords-broken-us-rolls-out-internet-identity-plan.ars
======
ChuckMcM
When Google was struggling with various people being locked out of email and
not being able to get back in (without an alternate channel it's really hard to
verify you are who you are without a bad actor in the loop) I proposed a
project for creating an identity token. I was playing with the Yubikey [1] as
a possible approach. I certainly think something like that has the basic
concepts, physical possession of the device which can be queried to provide
strong identity verification.

It was amusing (in a Greek tragedy sort of way) to watch the conversation get
derailed by reductio ad absurdum arguments about perfect security. When in
fact it would benefit over 80% and perhaps as many as 95% of the Internet
users to have something like this.

Still have the business plan. It's a bit capital intensive since it functions
best when everyone has it, but the basics were build the base system in an
"open" documented kind of way (so that folks could verify for themselves it
wasn't snake oil), create a licensable fob capability that is compatible with
a variety of communication mechanisms (this was pretty straightforward). Have
a 'key' implementation cost less than $5/key in quantity going to less than
$1/key (Difficult but doable I believe) and three key partnerships.

The 'competitors' are soft systems which are implemented on handheld devices
or other token schemes. Russell Coker wrote up a good summary set [2]. The
'secret' sauce of this effort, or perhaps the key learning that makes it
different from other systems, is how it deals with key theft and alternate
identities.

Great systems problem!

[1] <http://www.yubico.com/yubikey>

[2] <http://etbe.coker.com.au/2010/03/15/security-tokens/>

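The possession-based verification ChuckMcM describes above (a device holding a secret that the service can challenge, with replay and cloning handled on the verifier side) sketched as an added example. This is a generic HMAC challenge-response written for this thread, not Yubico's protocol or any code from the commenter's project; the token secret, the token id `fob-0001`, and the `Fob`/`Verifier` names are constructed for the illustration.

```python
import hmac
import hashlib
import secrets

# Constructed example secret, standing in for a per-device key burned into a
# fob at manufacture and registered with the verifier. A real token never
# exposes it; only responses derived from it leave the device.
TOKEN_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


class Fob:
    """Software stand-in for the hardware token: a secret plus a press counter."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def respond(self, challenge: bytes) -> tuple:
        # Each press advances the counter, so two responses never repeat even
        # if a verifier reissued the same challenge.
        self._counter += 1
        msg = challenge + self._counter.to_bytes(8, "big")
        return self._counter, hmac.new(self._secret, msg, hashlib.sha256).digest()


class Verifier:
    """Service side: registered secrets, last accepted counter, open challenges."""

    def __init__(self):
        self._secrets = {}
        self._last_counter = {}
        self._pending = {}

    def register(self, token_id: str, secret: bytes) -> None:
        self._secrets[token_id] = secret
        self._last_counter[token_id] = 0

    def challenge(self, token_id: str) -> bytes:
        # Fresh random nonce per attempt; remembered so it can be answered once.
        nonce = secrets.token_bytes(16)
        self._pending[token_id] = nonce
        return nonce

    def verify(self, token_id: str, counter: int, response: bytes) -> bool:
        secret = self._secrets.get(token_id)
        nonce = self._pending.pop(token_id, None)
        if secret is None or nonce is None:
            return False
        # Counter must move strictly forward: a captured (counter, response)
        # pair presented again is rejected before any MAC work is done.
        if counter <= self._last_counter[token_id]:
            return False
        expected = hmac.new(
            secret, nonce + counter.to_bytes(8, "big"), hashlib.sha256
        ).digest()
        # Constant-time comparison so the check does not leak via timing.
        if not hmac.compare_digest(expected, response):
            return False
        self._last_counter[token_id] = counter
        return True


def demo() -> dict:
    """Run three scenarios and report which were accepted."""
    verifier = Verifier()
    verifier.register("fob-0001", TOKEN_SECRET)  # constructed token id
    fob = Fob(TOKEN_SECRET)

    # 1. The genuine device answers a fresh challenge.
    nonce = verifier.challenge("fob-0001")
    counter, resp = fob.respond(nonce)
    genuine = verifier.verify("fob-0001", counter, resp)

    # 2. The same captured response is presented against a new challenge.
    verifier.challenge("fob-0001")
    replay = verifier.verify("fob-0001", counter, resp)

    # 3. A device with a different secret but a plausible (higher) counter.
    imposter = Fob(b"\x00" * 32)
    imposter._counter = 100  # skip past the counter check to exercise the MAC check
    nonce = verifier.challenge("fob-0001")
    c2, r2 = imposter.respond(nonce)
    wrong_secret = verifier.verify("fob-0001", c2, r2)

    return {"genuine": genuine, "replay": replay, "wrong_secret": wrong_secret}


if __name__ == "__main__":
    print(demo())
```

The two verifier-side checks are what separates "the user typed a code" from "the user holds the device": the nonce ties a response to one login attempt, and the monotonic counter means a response that was sniffed or copied off a cloned device is useless once the real device has been used again. Lost-fob handling (the "key theft and alternate identities" part of the comment) is an enrolment and revocation problem on top of this, not something the cryptography alone solves.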
------
iuguy
Reading the comments there are some very strange people out there. The long and
short of it is that this is a state-driven, private sector managed federated
identity scheme. Traditional authentication mechanisms such as OpenID are not
tied to you. That is to say, one minute you could be Bob Bobness, then the
next Dave Daveness and there's no way you'd know.

With this there'd be a level of verification to say actually you are Bob
Bobness. As long as it's voluntary I don't see a problem with it and I think
there could be many practical applications in banking and for government web
sites for example.

For the rest of us, I think we're happy with OpenID and our fictitious alter
egos being linked to other fictitious alter egos :)

~~~
AndrewDucker
With multiple different providers, I'm happy with it. I can be "Andrew Ducker
- Certified by the UK government", but also "Samael, certified by
Slashdot.org", depending on where I'm logging into, and what I'm up to.

~~~
drdaeman
> providers

Excuse me, but I'm against this very term being applied to identities.

I possess my own identity and while I'm fine with others acknowledging and
certifying this fact, I'm totally against others being "providers" of my
identity.

