NSTIC delayed — for the wrong reasons

Predictably, ratification by the President of the US National Strategy for Trusted Identities in Cyberspace has been delayed. The discussion paper was only released last June, and its champions pressed for Obama’s signature by October. That was never going to happen. We’re talking about sophisticated IT here in a technology-neutral policy environment, not a recipe for speedy resolution.

I myself would have hoped for a delay and a review, but on technical not political grounds. There are all manner of real problems with NSTIC as presented, which need to be worked through.

1. It’s really not an “ecosystem”. True ecosystems grow and evolve naturally; they are not architected. Yes, of course there is a marketplace of authentication services and products, but to call it an ecosystem is an attempt to elevate it above the hurly-burly of competitive IT. This is marketing, not ecology. Using such language aims to position the architecture as something kinda saintly and deserving of government stimulus.

2. The NSTIC paper is really an uplift of the OIX whitepaper. OIX itself is the latest incarnation of a long line of security industry consortia, dating from Liberty Alliance through Kantara and the Infocard foundation. The steady recycling of federated identity concepts is either a sign that the foundations are not yet stable, or that something is not quite right with the basic premise. Either way, these are not the hallmarks of a new industry that government would normally throw money at.

3. The NSTIC paper is silent on important matters like who exactly will step up to the plate and act as Identity and Attribute Providers. If we’re talking general purpose Identity Providers at high levels of assurance, then we’re back on the merry-go-round of Big PKI. High assurance identities tend to become siloed, and useless for cross-domain transactions, because nobody is willing to underwrite liability for misidentification when the stakes are high. I’ve written recently about this.

4. The biggest technical problem with NSTIC and federated identity in general is that it is still so complex. There are way too many complicating generalisations, and too few simplifying assumptions.

5. The identity metasystem is much more novel than people think. Federated identity calls for orthodox, risk-averse organisations like banks and government agencies to re-imagine themselves as “Identity Providers” and to allow their “identities” to be used in brand new contexts. To make this attractive, some schemes have tried to create new revenue opportunities for the players, but this only complicates things even further. The legal novelty is huge: How does a bank write a contract with a customer that allows the customer to use their bank-issued identity to do business with counterparties that the bank doesn’t know? And in transactions that the bank hasn’t even thought of yet? Of course you can’t write such a contract, and so the federated identity arrangements are full of fine print, restrictions, liability caps … all the stuff that bogged down Big PKI.

Come on! If anyone is serious about ecological thinking in this space, then it is high time to re-examine why federated identity is so much easier said than done.

The reason, I suggest, is that identities have evolved. Each one of the identities one has — with banks, government agencies, employers, professional associations and so on — is really a proxy for the relationship we have in each context. These relationships have conventions and rules and terms & conditions that have evolved over long periods of time, and which rest on crucial simplifying assumptions. We all know identities are context dependent, but it seems that we don’t collectively appreciate why this is so. It’s because the context (environment) has bred the form (or ‘genetics’) of each identity, and it’s no simple matter to take a stable form and expect it to work properly in a totally different niche.