Date: March 6, 2015
The Internet lacks a scalable infrastructure for trust management, and the Internet engineering community should develop technical solutions to help address this complex problem. That was the conclusion of an Internet Society-sponsored panel entitled, “Is Identity an Internet Building Block?” held 11 November 2014 concurrent with the IETF meeting in Honolulu, Hawaii.
“Identities and the attributes that relate to identities are somewhat key to establishing trust in the Internet,” said Olaf Kolkman, chief Internet technology officer at the Internet Society and moderator of the panel. “When we perform any sort of communication on the Internet, identities are used for that. Attributes are used for authentication. Attributes are used as the basis of opportunistic encryption. Knowing who or what is on the other end of the line is sometimes very important.”
Kolkman asked panelists to discuss what components are necessary to build a scalable, nonhierarchical and reusable trust model for the Internet.
Jeff Hodges, a PayPal engineer who spoke as an individual rather than as a corporate representative, set the stage for the discussion about identity on the Internet.
“The context of the discussion is how do we human subjects interact with various other entities, human or not, throughout the Internet and be known as us or ourselves?” Hodges asked, adding that this process is not necessarily under our control. “Do we have some control to assert ourselves as us?”
Identity involves mapping human subjects to actions, events, processes, communications channels, and physical devices, Hodges said. He pointed out that identity is involved whenever you log into a Web site or device.
“We also need to keep in mind there are various tensions and tussles involved in the areas of naming, identification, agency, autonomy, privacy, security, and such,” Hodges added. “The more we work to make it smooth and seamless, we also have to take into account the individual’s use case and requirements. Maybe they don’t want to be identified with certain attributes, and they do want to assert other ones. How do we accommodate that and make it seamless across different modes of communication?”
Hodges said it is inevitable that devices will use biometric identification systems, and controls will be needed to determine where the information your device has about you goes. “Not everything can be enforced [at] technological layers,” he added. “We need to keep in mind that [regulation] can be a useful tool.”
Natasha Rooney, cochair of the Web and Mobile Interest Group at W3C and Web technologist at Groupe Speciale Mobile Association (GSMA), provided an overview of the use cases for identity management as well as debates around businesses involved in identity management.
Among the use cases for identity management are situations in which strict security is necessary, such as transferring money or accessing health records, while other services such as social media platforms favor speed over security. Other situations, such as purchasing alcohol or renting a car, require attribute authentication such as verifying age or a valid driver’s license.
“There is some attribute brokerage that can be done,” Rooney said. “The questions are: who owns the attribute? And can you be trusted to relay that attribute?”
She pointed out that users will want anonymity in some situations.
“There are a number of services on the Internet that I don’t want to know I am this exact person,” she said. “We need to consider that when we talk about use cases.”
Rooney said the Internet engineering community needs to ask questions about the companies that provide identity management services, including whether these companies can be trusted and how they should be handling identity management.
“If we’re going to transport attributes over the Internet, how do we want to do that?” she asked. “How should they be secured?”
Rooney suggested that the IETF start with the simplest use case first: log-in services. “Can we just get log-in right? Then would we be able to extend that?” she asked.
Leif Johansson, with the Office of the chief executive officer at Swedish University Computer Network (SUNET), pointed out that identity has more aspects to it than authentication and authorization. Further, he called the push to remove middlemen from the identity management process in order to be more user-centric a distraction, because it has resulted in the consolidation of identity information in the possession of one or two content providers.
“I understand why user centric strikes a nerve with the IETF crowd because it sounds like the end-to-end principle, but the end-to-end principle is always assisted by infrastructure,” Johansson said. “We don’t really have the infrastructure that we need to do large-scale identity and trust on the Internet.”
Johansson argued that there shouldn’t be an identity layer on the Internet, rather, that identity needs to be supported at all layers.
He said the IETF should concentrate on areas where gaps exist in the identity infrastructure. In particular, he’d like to see the IETF develop a protocol like the Border Gateway Protocol (BGP) for trust and key management.
“We do need an Internet-scalable mechanism for trust management,” Johansson said. “I don’t know what it needs to look like, but I do know we need to focus an effort and figure out a solution for this.”
The panel’s final speaker was Ken Klingenstein, senior director in the Internet2 Trust and Identity area. Klingenstein pointed out that the Internet engineering community is more careful about trust issues than it was 30 years ago, when the original BGP standard was so simple that it was designed on a cocktail napkin.
“It’s not creative noodling on a deploying greenfield anymore,” Klingenstein said. “We are taking some big beasts and making them work together and interoperate, and they don’t all have the same intentions.”
Klingenstein outlined several areas where new technology is being developed to improve the Internet’s trust mechanisms: federated and dynamic metadata, level of assurance and vectoring of trust, attributes and their metadata, reconciling regimes of privacy, managing downstream use of attributes, and scalable privacy with the federated infrastructures to support it.
“All of the scale we get is because of metadata,” Klingenstein said, adding that it is a very powerful mechanism but has its own security needs. “The packets of metadata that we pass around as operators have gotten so big and so volatile that we’ve had to move to dynamic metadata.”
Klingenstein said operators of trust infrastructure spend a lot of time on attributes.
“Privacy and scale both flow from attributes,” he said. “Replacing that access control list of names with attributes gives us not only scale, but it gives us privacy. We need to know a lot of metadata about attributes, such as did you have the authority to sign that attribute and how was it bound to the individual.”
Other challenges include reconciling privacy rules from country to country and managing downstream attributes. “Managing downstream use of anything is really hard. Look at the music industry,” he said. “With identity, it’s about making all of this scale and having the infrastructure to support it.”
Klingenstein identified several building blocks for identity systems, including identity providers, attribute authorities, attribute aggregators, key management, trust management, and consent management.
“We have a lot of aggregators such as portals, and they make things very tricky,” he said. “If a portal is hiding many applications, I don’t want to dump all of my attributes into a single location. I would like to refine my attributes and provide them on a per-application basis.”
Klingenstein noted that policy issues play a role in identity management, too, including what organizations will act as registries, if there will be a registry of registries or a standard format for attributes that is consistent across registries, and how technology will be transferred to emerging nations.
“There are activities around the world trying to set the rules of the road for identity,” he added. “When I think of the purity of the IETF and ISOC, I would recommend that we stay away from [the policy issues].”
Klingenstein noted that the research and education community has widely deployed federated identity, and that Sweden and Denmark use similar technology for commerce and for interactions between government agencies and citizens.
In the United States, the biggest deployments of federated identity are from Google, Yahoo, and Facebook. On the horizon are deployments for online medical records, and the US government is supporting several pilot projects for government-to-citizen communications through its National Strategy for Trusted Identities in Cyberspace (NSTIC) activity.
Another issue Klingenstein noted is the need for federated identity portability. “This is the ability to move my identity and my preferences for privacy management from one provider to another,” he said. “If we’re going to create a marketplace, we need identity portability.”
In closing the discussion, Johansson emphasized his view that the Internet needs a protocol like BGP for trust. “We have a protocol that runs the network and is used to model business relationships. That is what BGP is,” he said. “We don’t have that for trust.”