
National Strategy for Trusted Identities in Cyberspace (NSTIC)

The Smart Card Alliance submitted the following comments on the NSTIC Framework at http://www.nstic.ideascale.com. If you agree with the Alliance comments, we encourage you to register on the comment site and indicate that you “agree” with our comments. Comments are being accepted until July 19th.

Smart Card Alliance Endorses the NSTIC Framework

The NSTIC initiative correctly recognizes that there are very real problems of identity management, privacy and security in our society today, and brings much-needed focus to solving them. Although its scope is limited to cyberspace, the Framework would also establish foundational elements that can help strengthen identity, privacy and security in healthcare, Social Security administration, immigration reform and other programs in the physical world.

The NSTIC Framework draft is well conceived and well written. It is intentionally broad in scope, accommodating a wide range of trusted identity constructs and identity protection technologies. The Framework is pragmatic and practical in its approach because it limits its role to that of an enabler, facilitator and accelerator of Identity Ecosystem development. There is a clear recognition that many different public and private stakeholders will be involved in working out the specifics of the Framework and, ultimately, in using it.

The Healthcare and Identity Councils of the Smart Card Alliance, a non-profit public/private partnership organization whose members include healthcare providers, financial institutions, payment brands, enterprises, government users and technology providers, prepared these specific comments on the NSTIC Framework draft:

  1. Section A3, page 27. The Alliance strongly agrees with the idea of using federal, state and local government and academic programs to accelerate development of the Identity Ecosystem, while leveraging existing procedures, standards and technologies such as FIPS 201 and the Federal Identity, Credentialing and Access Management Roadmap. These underpin the Personal Identity Verification (PIV) program mandated by Homeland Security Presidential Directive (HSPD) 12, the PIV-Interoperable (PIV-I) credential, the First Responder Authentication Card (FRAC), the Transportation Worker Identification Credential (TWIC), the Common Access Card (CAC) and other identity programs. While we believe that private enterprise will ultimately embrace identity management as a cornerstone of best business practice, we expect that federal development of standards and processes for an Identity Ecosystem will foster and accelerate broader acceptance.

  2. Section A2, page 26. We suggest adding that the highest priority should be to first define the Identity Ecosystem for the most trusted digital transactions, those based on an identity medium. This part of the Identity Ecosystem can have the greatest positive impact on identity, security and privacy; it is also the least developed and therefore needs the greatest attention and leadership. Many private sector software-based initiatives, such as OpenID, are already commercially available and are suitable for lower-assurance identity transactions. What is needed urgently is a way to give individuals a trusted digital identity credential that cannot be used by someone else if stolen or misplaced, and that cannot be compromised through spyware, phishing or data breaches, whether on individuals’ own PCs or in the information systems of service providers. Using an identity medium that is independent of the PC and that can serve as a secure container for PKI digital identity certificates, biometrics and other identity protection technologies is the only way to solve all of these problems quickly. Ultimately, the identity transaction must begin with a verifiable token managed by the Identity Provider.

  3. “Identity solutions will be cost-effective and easy to use,” page 10. A suggested way to make high-value identity transactions both secure and easy to use is the familiar approach of a card and PIN as the identity medium; to achieve high levels of security, however, the card must include smart card technology to carry PKI credentials, biometrics and other security features. It could even carry multiple identities or personas for different purposes. A card carrying PKI credentials is very easy for the user: the private key never leaves the card and is used only after the PIN is entered, so the card provides strong digital identity protection without burdening individuals with the complexity, responsibility and risk of keeping PCs free of spyware, or of learning how to spot phishing attacks and fraudulent websites.

  4. “Identity Ecosystem Execution Layer,” page 15. In the discussion of the health care cell phone authentication example, we suggest amending the text to include Subscriber Identity Module (SIM) cards and Secure MicroSD cards, in addition to a Trusted Platform Module (TPM), as options for storing the PKI credential (certificate and private key) in a cell phone. SIM cards are already present in cell phones and can securely store digital identity certificates and keys. Secure MicroSD cards are independent of the phone and can be used in any device that has a MicroSD slot.

  5. Section A1, page 26. When choosing a lead federal agency to manage this initiative, one important selection criterion should be the agency’s own internal experience and track record in using strong authentication to protect its cyber security. For example, the Department of Defense has had exceptional success in strengthening its cyber security with smart card-based PKI credentials. Experience of this kind in mass deployment of strong authentication for IT security should be a requirement for the lead agency. Other agencies already issuing and using PIV credentials include the Department of Agriculture, NASA and the General Services Administration. Further candidates would be the Department of Commerce (NIST) and the Department of Homeland Security (DHS), which already play a key role in establishing the standards for major ID management programs. For Commerce in particular, the project would also fit its scope as a commerce-enabling initiative.

  6. “Summary of Identity Ecosystem Characteristics,” page 20. The first bullet point should state that an Identity Provider organization must act as the guarantor of the identity and must be a certified entity.

  7. “Appendix A - Glossary,” pages 32-34. Comments on definitions.

    a. Identity Medium. Change “USB” to “USB tokens.” USB is a communications interface and protocol; many devices that connect to a computer via USB, such as external storage media, would not be suitable as an identity medium.

    b. Identity Proofing is defined, but Identity Vetting is not, although both terms are used in the document.

    c. Interoperability is defined incorrectly. Interoperability is the ability to use a credential and identity medium properly in independent Relying Party (RP) implementations.

    d. Level of Assurance. To the second part of the definition, which concerns confidence that the credential is really being used by its owner, please add that the degree of confidence is dictated both by the number of authentication factors used and by the strength of those factors. For example, a transaction authenticated with a “strong” password would not carry the same level of confidence as one authenticated with a smart card-based PKI certificate and a biometric.

    e. Online. “Internet” should be replaced with “cyberspace” to be consistent with the document.

    f. The definition of standard does not appear to be consistent with the definitions used by NIST or ISO; this should be checked.

    g. The definition of trustmark does not mention the use of digital certificates, which would be the most likely and most secure way to verify the mark electronically.

The Smart Card Alliance is very active in the area of identity management, security and privacy. Its diverse membership provides a well-rounded perspective on identity issues because of the different stakeholders in the group. The Alliance and its Councils are available to assist the team writing and planning the NSTIC Framework, and in its subsequent implementation. If a public-private workgroup is assembled to consider the initiative further, our members would be glad to volunteer time and expertise to assist in the development of final specifications or plans.

As a general comment, an Identity Ecosystem that includes smart card technology as an identity medium for high-assurance online identity transactions will provide a very strong and proven foundation for protecting identities in cyberspace in a secure, privacy-sensitive way. This foundation can be put in place without reinventing the wheel. The federal government has already established a set of best practices, standards and technology solutions for smart card-based identity management and authentication that can be adapted to this initiative.

What is the advantage of using smart card technology?

A smart card is a card with an embedded microprocessor. Unlike magnetic stripe or RFID cards, the smart card’s processor provides high levels of security and privacy protection. Unlike PCs and other open systems, smart cards are designed specifically for security: the chip is tamper-resistant, runs only issuer-authorized software and never releases its private keys, which makes it highly resistant to malware, forgery and other fraudulent efforts to extract information.

Smart cards can provide a secure, tamper-resistant container for PKI digital identity credentials and biometric identifiers. In addition, they come in a familiar card format, making them portable and easy to distribute and use on a broad public scale. These capabilities make smart card technology ideal for protecting identities and privacy, and for preventing fraud. Smart cards are readily used online and across networks and deliver very high levels of security over the Internet.
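The card-and-PIN challenge-response that items 2, 3 and 7d above describe, and that this section summarizes, as an added Go example that is not part of the Alliance’s submission: the private key is generated on the card and only ever signs, a PIN with a retry counter gates signing, the Identity Provider certifies the public key after identity proofing, and the relying party verifies a fresh challenge signature against a certificate that chains to the Identity Provider root. The Card type, IssueCert, IssueCard, Authenticate and the in-memory PIN comparison are assumptions for illustration; a real card compares the PIN inside the chip and keeps the key in tamper-resistant hardware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Card models the identity medium: the key is generated on the card and never leaves it, signing needs the PIN, three wrong PINs block the card.
type Card struct {
	priv     ed25519.PrivateKey
	Cert     *x509.Certificate // issued by the Identity Provider
	pin      string            // hypothetical: a real card compares the PIN inside the chip
	retries  int
	unlocked bool
}

var ErrBlocked = errors.New("card blocked: PIN retry counter exhausted")
var ErrLocked = errors.New("card locked: PIN not verified")

// VerifyPIN unlocks the card, or spends one retry on a wrong PIN.
func (c *Card) VerifyPIN(pin string) error {
	if c.retries == 0 {
		return ErrBlocked
	}
	if pin != c.pin {
		c.retries--
		return errors.New("wrong PIN")
	}
	c.unlocked = true
	return nil
}

// Sign answers a relying party's challenge with the on-card key, PIN permitting.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, ErrLocked
	}
	return ed25519.Sign(c.priv, challenge), nil
}

// IssueCert generates a key pair and certifies its public half; parent == nil creates the self-signed Identity Provider root.
func IssueCert(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid = true, true
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// IssueCard is the Identity Provider's personalization step after identity proofing: the card's own key is certified under the vetted name.
func IssueCard(caKey ed25519.PrivateKey, caCert *x509.Certificate, subject, pin string) (*Card, error) {
	key, cert, err := IssueCert(subject, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &Card{priv: key, Cert: cert, pin: pin, retries: 3}, nil
}

// Authenticate is the relying party side: fresh random challenge (a captured response cannot be replayed), chain check to the IdP root, then signature check.
func Authenticate(roots *x509.CertPool, card *Card) (string, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return "", err
	}
	sig, err := card.Sign(challenge)
	if err != nil {
		return "", err
	}
	if _, err := card.Cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	pub, ok := card.Cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("challenge signature invalid")
	}
	return card.Cert.Subject.CommonName, nil
}
```

Two factors are in play, which is the point of comment 7d: possession of the card (only its key can produce a valid signature) and knowledge of the PIN (the key will not sign without it), and a stolen card is blocked after three wrong PINs even though it still holds a perfectly valid key. A relying party must also reject a card whose certificate chains to an untrusted issuer, which the chain check does. One caveat: the challenge here is a bare nonce, so a phishing site could in principle relay it to the victim in real time; deployments bind the signed data to the TLS session instead, as TLS client-certificate authentication does.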

Many readers of the NSTIC Framework may not be aware that U.S. federal government employees and contractors are issued a smart card-based ID card under HSPD-12, the Personal Identity Verification (PIV) card, which can be used to access government facilities and information systems and to digitally sign documents or online transactions. The new electronic passports in the U.S. and many other countries are based on smart card technology. The SIM cards used in 80 percent of the world’s cell phones are smart cards. Nearly one billion credit and debit cards worldwide are smart cards, based on an interoperable global standard called EMV, named for its original sponsors Europay, MasterCard and Visa.

More information is available at http://www.smartcardalliance.org/pages/activities-councils-identity including the following white papers:

Submitted by the Smart Card Alliance
Randy Vanderhoof, Executive Director


Copyright © 1997–2012 Smart Card Alliance. All Rights Reserved.
http://www.smartcardalliance.org