The Need for Trusted Credentials: Information Assurance in Cyberspace. Judith Spencer, Chair, Federal PKI Steering Committee, www.cio.gov/fpkisc


Page 1

The Need for Trusted Credentials

Information Assurance in Cyberspace

Judith Spencer, Chair, Federal PKI Steering Committee

www.cio.gov/fpkisc

Page 2

Doing Business with the Public Today

Face to Face

Telephone

Written Request

(Slide graphics: a state driver’s license for Jane Q. Smith, 123 Main Street, Anytown, USA, showing identification number, expiration date, birth date, issue date, height, weight and sex; a signed IRS Form 1040 entry at line 32; and a handwritten signature.)

Page 3

Defining the Risk

(Slide chart: transaction types ordered from Low Risk to High Risk, namely General Information, Change Request, Benefits Application, Personal Information and Proprietary Information, plotted against the control factors Identity Verification Not Required, Identity Verification Required, Signature Required and Privilege Management.)

Page 4

Are There Levels of Trust?

No confidence is placed in the asserted real-world identity of the client or no real-world identity is asserted.

On the balance of probabilities, the registrant’s real-world identity is verified.

There is substantial assurance that the registrant’s real-world identity is verified.

The registrant’s real-world identity is verified beyond reasonable doubt.

Courtesy of the UK Government, Office of the E-Envoy

Page 5

Types of Evidence

Personal statement
– Individual provides personal data about him/herself

Documentary evidence
– Individual provides collateral documents to confirm the information provided

Third party corroboration
– A trusted entity that can confirm the information provided

Biometrics
– Physical evidence tying the individual to the asserted identity

Existing relationship
– Individual’s previous interactions with the registration agent (e.g. bank customer)

Courtesy of the UK Government, Office of the E-Envoy

Page 6

Doing Business with the Public Tomorrow

Statutory Requirement to offer an electronic option: Government Paperwork Elimination Act, October 1998
– Commitment to on-line government
– Public electronic access by October 2003

. . . A signature may not be denied legal effect simply because it is electronic . . .

Page 7

Your Choices

Automated Telephone Interaction

E-mail interaction

Web services

Page 8

Today’s E-Government Requirements

Government agencies need to innovate at an ever increasing pace

E-Government success requires broad interoperability
– Within an enterprise
– Between business partners
– Across a heterogeneous set of platforms, applications, and programming languages

Internet technologies are assumed, interoperability is required
– E-Government platforms enable more rapidly developed interoperability

Page 9

But . . .

Without trust and security Web Services are dead on arrival

Page 10

Facets of Building Trust

Facet: Description

Identification: Who are you?

Authentication: How do I know you are who you claim to be?

Authorization: Are you allowed to perform this transaction?

Integrity: Is the data you sent the same as what I received?

Confidentiality: Are we sure no one else read the data you sent?

Auditing: Record of transactions to assist in looking for security problems?

Non-repudiation: Can you prove the sender sent it, and the receiver received the identical transaction?

Thanks to Karl Best, Director of Technical Operations, OASIS

Page 11 (same content as Page 10)


Page 12

But . . . What About Identity Assurance in Cyberspace?

No Physical Presence

No Photo ID

No Physical Document with Signature

No Human Voice

Page 13

A Few Facts

The Internet is perceived as being inherently anonymous

In order to conduct trusted transactions, we must know with whom we are dealing

Knowledge must be within reasonable risk limits

Trusted electronic credentials provide the means to link an asserted identity in the electronic medium to physical credentials

Page 14

Preconditions for Credential ‘Trustworthiness’

Unique to the person using it

Under the sole control of the person using it

Capable of verification

Credential Pedigree

– Institutional Standing of the Provider

– Governance

– Establishment of Identity

– Credential Control

Page 15

E-Authentication Will:

Evaluate Electronic Credential Providers

Apply a common set of universally understood Assurance Levels

Provide a tool for performing Risk Assessment

Interact with FirstGov portal and Agency business processes to broker identity assurance

Provide the public with a single sign-on capability and a common interface for doing electronic transactions with government through the Gateway

Page 16

Assessing the Need

Perform Transaction-level Risk Assessment on your e-Government process

Review OMB e-Authentication Guidance

Choose the e-Authentication assurance level that meets your needs

Then work with the e-Authentication team to ensure Gateway interoperability

Page 17

Thank You for your Time & Attention