What most people seem to be missing in the NSTIC discussion is the sheer novelty of a weird and wonderful transaction matrix where Identity Providers and Attribute Providers get joined to Service Providers and Customers.
They are going to need a raft of brand new legal agreements to cover off liability for damages arising from misidentification when an Identity Provider has nothing to do with the Service. Experience in Australian identitiy initiatives like the Trust Centre and VANguard shows that such agreements are challenging to draft and extraordinarily difficult for lawyers to accept. Risk management is intractable unless there are conditions imposed on what credentials can be used for, and then the negotiation of the fine print will become critical. New laws are almost certainly needed to limit liability in NSTIC. The possibility of legislation has been touched on but it needs elevating to the very top of the to-do list.
Put simply: In so much business today, the Service Provider is also the Identity Provider. If you change that arrangement by adding a third party IdP, the contractual consequences are enormous. Even if the scheme sponsors can draft new legal agreements for service providers, customers and identity providers, the lawyers for the banks, telcos, governments and so on will say “Wow! We’ve never see a contract like this before.” What then? These are not the words you want to ever hear from a commercial lawyer.
The NSTIC Program Office would do well to appreciate that open federated identity for serious applications like banking, healthcare and professional services is still an unproven idea. In fact it’s a truly radical idea. The proliferation of weed-like social IDs is used as a model for future higher risk transactions, but they tell us very little about serious e-business. Today’s social logons are unverified nicknames, used by websites that don’t care who you are.
It’s not the sort of thing that governments normally jump into with such haste.