The Need for Trusted Credentials
Information Assurance in Cyberspace
Judith Spencer, Chair, Federal PKI Steering Committee
www.cio.gov/fpkisc
State Driver’s License (sample credential shown on the slide)
Jane Q. Smith, 123 Main Street, Anytown, USA
Identification Number: P-123-456-789; Expiration Date: 01-01-2010
Birth Date: 12-31-1975; Issue Date: 12-20-2000
Height: 5-06; Weight: 130; Sex: F
Signature: JaneQSmith
Doing Business with the Public Today
• Written Request (illustrated on the slide by a signed IRS Form 1040: Line 32 . . . $98,765, signature JaneQSmith)
• Face to Face
• Telephone
Defining the Risk (diagram on the slide: a scale from Low Risk, where identity verification is not required, to High Risk, where identity verification and a signature are required; factors and business processes are placed along it)
• Low Risk: Identity Verification Not Required
• High Risk: Identity Verification Required, Signature Required
• Factors: Business Processes
• Business processes shown on the scale (as listed on the slide): Change Request, Benefits Application, General Information, Personal Information, Proprietary Information, Privilege Management
Are There Levels of Trust?
• No confidence is placed in the asserted real-world identity of the client, or no real-world identity is asserted.
• On the balance of probabilities, the registrant’s real-world identity is verified.
• There is substantial assurance that the registrant’s real-world identity is verified.
• The registrant’s real-world identity is verified beyond reasonable doubt.
Courtesy of the UK Government, Office of the E-Envoy
Types of Evidence
• Personal statement: the individual provides personal data about him/herself.
• Documentary evidence: the individual provides collateral documents to confirm the information provided.
• Third party corroboration: a trusted entity that can confirm the information provided.
• Biometrics: physical evidence tying the individual to the asserted identity.
• Existing relationship: the individual’s previous interactions with the registration agent (e.g. a bank customer).
Courtesy of the UK Government, Office of the E-Envoy
Doing Business with the Public Tomorrow
Statutory requirement to offer an electronic option:
• Government Paperwork Elimination Act, October 1998
• Commitment to on-line government
• Public electronic access by October 2003
“. . . A signature may not be denied legal effect simply because it is electronic . . .”
Your Choices
• Automated Telephone Interaction
• E-mail interaction
• Web services
Today’s E-Government Requirements
• Government agencies need to innovate at an ever-increasing pace
• E-Government success requires broad interoperability
  • Within an enterprise
  • Between business partners
  • Across a heterogeneous set of platforms, applications, and programming languages
• Internet technologies are assumed; interoperability is required
• E-Government platforms enable more rapidly developed interoperability
But . . . Without trust and security, Web Services are dead on arrival
Facets of Building Trust Thanks to Karl Best, Director of Technical Operations, OASIS
But . . . What About Identity Assurance in Cyberspace?
• No Physical Presence
• No Photo ID
• No Physical Document with Signature
• No Human Voice
On the Internet, Nobody Knows You're a Dog!
A Few Facts
• The Internet is perceived as being inherently anonymous
• In order to conduct trusted transactions, we must know with whom we are dealing
• That knowledge must be within reasonable risk limits
• Trusted electronic credentials provide the means to link an asserted identity in the electronic medium to physical credentials
Preconditions for Credential ‘Trustworthiness’
• Unique to the person using it
• Under the sole control of the person using it
• Capable of verification
• Credential Pedigree
  • Institutional Standing of the Provider
  • Governance
  • Establishment of Identity
  • Credential Control
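The three preconditions above, and the pedigree requirement, map directly onto a PKI credential: the public key is unique to the holder, the private key is under the holder's sole control, and a relying party can verify a signature and check that the certificate was issued by a provider it trusts. The Go program below is an added example written for this page, not code from the presentation or from the Federal PKI program. A hypothetical provider issues a certificate to a registrant whose identity it is assumed to have already verified, the registrant signs a transaction (a "Change Request" of the kind the risk slide marks as needing a signature), and the relying party accepts a name only when both pedigree and signature check out. The provider name, subject name and transaction text are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Provider models a credential provider of known institutional standing: a CA
// that issues credentials only after identity proofing (assumed done out of band).
type Provider struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
	Pool *x509.CertPool // what a relying party trusts: this provider's root
}

func NewProvider(name string) (*Provider, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Provider{Key: key, Cert: cert, Pool: pool}, nil
}

// Credential is what the registrant holds: a private key under their sole
// control and a certificate binding the matching (unique) public key to the verified identity.
type Credential struct {
	Key     *ecdsa.PrivateKey
	CertDER []byte
}

func (p *Provider) Issue(subject string) (*Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.Cert, &key.PublicKey, p.Key)
	if err != nil {
		return nil, err
	}
	return &Credential{Key: key, CertDER: der}, nil
}

// Sign is the holder's act: only the private key can produce this signature.
func (c *Credential) Sign(transaction []byte) ([]byte, error) {
	digest := sha256.Sum256(transaction)
	return ecdsa.SignASN1(rand.Reader, c.Key, digest[:])
}

// Verify is the relying party's check: pedigree (the credential chains to a
// trusted provider and is valid for client authentication) and control (the
// signature verifies under the credential's key). Any failure yields an error, never a name.
func Verify(certDER, transaction, sig []byte, trusted *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("credential pedigree not established: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, transaction, sig); err != nil {
		return "", fmt.Errorf("signature does not verify: %w", err)
	}
	return cert.Subject.CommonName, nil
}
```

The order of the checks in Verify matters: the signature is only meaningful once the public key it verifies under has been tied to a provider the relying party trusts. A self-issued certificate asserting the same name carries no pedigree and is rejected before its signature is even examined, which is exactly the "Institutional Standing of the Provider" point on the slide.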
E-Authentication Will:
• Evaluate Electronic Credential Providers
• Apply a common set of universally understood Assurance Levels
• Provide a tool for performing Risk Assessment
• Interact with the FirstGov portal and Agency business processes to broker identity assurance
• Provide the public with a single sign-on capability and a common interface for doing electronic transactions with government through the Gateway
Assessing the Need
• Perform a transaction-level Risk Assessment on your e-Government process
• Review OMB e-Authentication Guidance
• Choose the e-Authentication assurance level that meets your needs
Then
• Work with the e-Authentication team to ensure Gateway interoperability
Thank You For your Time & Attention