Kaliya Hamlin, an independent industry expert who is the producer of the Internet Identity Workshop, an industry forum for developing and discussing identity management technologies, says the draft document does a good job of identifying several key problems with online identity today. For example, it discusses at some length the usability problems of current systems, including the need for “secret questions,” such as a mother’s maiden name, that ultimately compromise security. Hamlin adds that many of the scenarios described in the document can be addressed with existing standards, as the plan suggests. For example, a standard called information cards could handle the case of the online pharmacy. Information cards are a standard for digital identity data managed by software installed on a PC. They are designed to confirm particular attributes of a user without revealing further specifics.
Hamlin plans to organize an identity strategy workshop in September in Washington, DC, where industry experts will be able to discuss the government’s proposals.
Paul Nicholas, director of global security strategy and diplomacy for Microsoft’s trustworthy computing group, said in a statement that the draft “represents significant progress to help improve the ability to identify and authenticate the organizations, individuals, and underlying infrastructure involved in an online transaction.”
However, some experts worry that it will be hard to communicate and achieve the vision outlined in the draft. “I just see complications in terms of mainstream adoption and pushing this out to everyday use,” says Fred Stutzman, cofounder of a social Web identity management system called ClaimID. Though he believes there are good technologies out there for solving identity management problems, he also foresees trouble making them easy enough to use.
Hamlin says that in its current form, the draft is accessible to industry insiders, but its message is not reaching the general public. The draft as it stands is vague, she says, and needs to communicate a clearer sense of how government involvement could help.
Hamlin is encouraged by suggestions in the draft that the government could enact laws that would set standards for identity management systems and liability rules for companies offering authentication services. As it stands, identification methods are often stretched beyond the purpose for which they were intended, leaving companies reluctant to develop systems and interconnect with other identity systems. The Department of Homeland Security is taking comments on the draft through July 19. The U.S. government plans to finalize the draft in the fall.