U.S. government plans online ID gateway

R. A. Hettinga rah at shipwright.com
Tue Jul 16 19:26:30 EDT 2002


http://news.com.com/2102-1017-943924.html


U.S. government plans online ID gateway
By Margaret Kane
Staff Writer, CNET News.com
July 15, 2002, 11:35 AM PT
http://news.com.com/2100-1017-943924.html

The federal government is working on a plan that would require citizens and
businesses to pass through one central online gateway when they need to get
their identities certified with the federal government.

The General Services Administration (GSA) is expected to release a request
for information as early as this week in preparation for coming up with a
detailed technical proposal. A prototype system is scheduled to launch by
the end of September.

The GSA is working with Mitretek Systems, a nonprofit research and
engineering company, to develop the prototype system, which will serve as a
"proof-of-concept" for the full-scale gateway.

Much of the discussion around centralized government authentication has
focused on national IDs. But the e-authentication system is not intended to
serve as an offline identifier. Rather, it's meant to be a one-stop online
shop for people and businesses to establish their identities with the
federal government. The applications could range from something as minor as
reserving a campground space in a federal park to a contractor selling
parts to a government agency.

The gateway would be attached to the FirstGov Web site, which is intended
to be an entryway to all manner of government services.

"Initially the number of users and applications may be limited, at least
until the full scalability of the gateway is assured, but ultimately, all
federal agencies with e-government processes requiring authentication will
be able to use the E-Authentication gateway," Steve Timchak, program
manager for the e-authentication joint program management team at the GSA
said last month.

Currently government agencies use a patchwork of systems to authenticate
users. Many agencies do not use any online verification, instead requiring
companies and consumers to verify their identities through physical means,
such as showing a driver's license or presenting a signed, notarized
document.

The online push
There have been several efforts to move this process online. One push was
the Government Paperwork Elimination Act of 1998, which mandated government
agencies to make services available electronically by 2003. To process
services electronically, of course, you have to have some means of
establishing who you're dealing with.

The current administration has pushed for the new central gateway as part
of President Bush's 24 e-government initiatives, a broad plan intended to
"improve the efficiency and effectiveness of the federal government's
transactions through the use of improved technology," according to the
Office of Management and Budget.

There has already been significant work in setting up online
authentication. A group of nearly two dozen government agencies formed the
Federal Public Key Infrastructure Steering Committee to oversee and help
develop a public key infrastructure to support electronic commerce and
messaging within the government.

Instead of establishing a single federal PKI program, in June of last year,
the Federal PKI Steering Committee opened the Federal Bridge Certification
Authority, a hub designed to help different agencies' public key
infrastructures to interoperate, allowing one agency to accept a public key
certificate issued by another agency.

Currently the General Services Administration oversees the Access
Certificates for Electronic Services program, which allows government
agencies to buy service contracts from major PKI vendors including AT&T and
Digital Signature Trust.

The forthcoming gateway would work with the PKI programs in place, Timchak
said. The current problems that the authentication team is working on deal
with how to set up "less-than-PKI" levels of clearance.

"I'm looking at what's out there between no authentication required and
not-strong authentication (required)," he said. E-loans would probably
require strong authentication, but recreation requests, like reserving a
campground at Yellowstone, probably wouldn't, he said.

Citizens using either application would go through the same central
gateway, he said. And by linking everything through that gateway "that
burden and associated costs is no longer borne by that application, and that
agency," he said.

Efficiency vs. privacy
While combining various authentication schemes under one roof should help
the government cut costs and speed transactions, it does pose other
problems, including privacy issues. A major concern of electronic privacy
advocates is that the more linked the data becomes, the easier it will be
for the government to track the data and profile users based upon it, said
Chris Hoofnagle, legislative counsel at the Electronic Privacy Information
Center.

Such systems have a way of expanding their roles. Because users can be
authenticated, they will be authenticated, whether the security really
calls for it or not, he said.

"We've had a strong tradition in the U.S. of allowing anonymous access to
records. You can walk into the Library of Congress and ask for a book or
record without revealing who you are," he said. "Authentication systems can
change that."

Timchak said the GSA has been working with the Social Security Administration
and its privacy forums to help understand those concerns.

Other groups have expressed concern about the government's possible use of
online ID systems from private companies such as Microsoft, Entrust, RSA
Security and VeriSign, among others, in its online efforts.

Timchak said the government hasn't decided on a specific technical plan.

The new gateway might also allow certificates issued by non-governmental
trusted authorities, such as financial institutions, to be accepted. In
cases where strong authentication is not required, such as the campground
example, the authentication could be as simple as getting a PIN and
password from an Internet service provider (ISP).

"What is the value of an ISP-furnished PIN and password? On the surface not
much," Timchak said. "But if the user has been paying on that with a credit
card, then that PIN and password has more value. And different applications
may further challenge the user (to get stronger identification).

"The idea is, to provide a common service you will have one credential,
whatever that is, to do business with the government," Timchak said. "If
you are strongly credentialed, say, with PKI, then you have access to every
application. If you are less-than-strongly credentialed, you have access to
a subset of applications. But it's one central place that handles both."




-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
