What Does “interoperability” really mean (and what should it mean) in the context of NSTIC? (W3B)

Session Topic: NSTIC Interoperability (W3B)

Convener: Jeremy Grant

Notes-taker(s): Hank Mauldin, Iana Bohmer

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Notes from Hank

Interoperability is one of the 4 principles that NSTIC has

Definitions review - wanted to know if NSTIC has the right definitions
 * want to accept a variety of credentials
 * want portability

2 types of interoperability
 * technical
 * policy-level - most complex

Questions posed:

What does interoperability mean?

How can multiple solutions?

Is there a single architecture?

Can trust frameworks achieve the goal?

What else should the steering group consider?

Policy: under a regulatory industry there are laws and regulations and self-regulatory organizations
 * self-regulatory organizations work well
 * However, if you get complacence officers in a room, they will interrupt the regulations differently
 * Also, the regulations need to be open-ended so as technology or processes improve it is possible to move easier to the better processes.

Trust Framework is a system problem, but we are still tackling the problem with silos
 * What is needed is the system requirements, not an architecture.

Attribute Providers - some data has more than 1 owner
 * complex relationships - want to separate roles clearly and yet operate together

Policy - legal actions liability
 * every group has new contracts and need a way to understand level of liability
 * government can not define or get it the way

user experience - why should a user adopt a particular technology
 * other side of argument is users adopt around value propositions

some opportunities could save $billions with regard to meeting compliance

Question around which use cases is NSTIC being scoped for?
 * Only consumer to government?
 * Who are the users?

One thought we needed to escalate above everyone's use case

What is Cyberspace? is it just the web? Consensus is no. Cyberspace is more than the web.

User Experience does not need to interoperate with IdP

Want an interoperable identity to cyberspace

Three layers are all needed
 * Regulations - Laws
 * Legal Agreements
 * Technology

Question around if interoperability is too large a goal for now. Should Consistency be used as the standard?
 * Consistent user experience
 * Are there ways to be consistent with all players?

What happens to portability if there is not interoperability from all actors viewpoints (RP, IdP, AP)

Set the bar high and do it right from the beginning. It is hard to fix later.

Discussion around the PKI forum and the 4 bridges forum. described how 4 independent groups have come together to create cross bridge environment.

How to get the private sector involved and what they need
 * liability
 * scalability
 * bi-lateral agreements

Get the proper rules around roles (both technical and legal)

need to think about these as active roles not entities

Many people have more than 1 credential

Need a way to connect credentials together and/or keep them separate

It is really hard to pull back any information

Is NSTIC focusing on identity or credentials? Credit cards are not about identity, but credit.

Answer: what is appropriate to the transactions. it is a fuzzy line.

'''Notes from Iana: NSTIC Interoperability Jeremy Grant Wednesday, 10/19/11, 11:30 am - 12:30 pm.'''

Jeremy Grant showed slides related to interoperability from the NSTIC Strategy document. He discussed the concept of technical interoperability vs policy-level interoperability. He then put up on the screen the following five questions as a basis of discussion:

1.	What does interoperability really mean (and what should it mean) in the context of NSTIC? Are there aspects of the NSTIC definition that deserve more thought or attention?

2.	How can multiple solutions, i.e., different technology and policy “stacks” coexist in Identity Ecosystem? Different business models?

3.	Is there a single architecture that can support multiple solutions?

4.	Can trust frameworks be the way to achieve and enforce interoperability?

5.	What else should the Steering Group consider?

The group did not really stick to a discussion of answers to the questions. Following is a summary of the comments made during the session:
 * The current rules and regulations that exist for cyberspace are based on old technology. Furthermore, government is years behind in even the existing technology.
 * Implementation of a broad trust framework is a system-wide problem, but it is being tackled as a silo problem. Stakeholders are locked into monopolies and self-perpetuating siloes rather than looking at the issue as a system-wide problem.
 * While it is the private sector that needs to develop and implement an identity ecosystem, giving it totally over to industry may be shirking the responsibility on the Government’s part. While no one would want the Government to dictate how the Identity Ecosystem should be implemented, they should have a facilitation role. A good example of this is the Federal Government’s dissemination of TFPAP.
 * However, attribute providers need to be treated differently than IDPs and RPs. Attribute providers could manage attributes for specific industries rather than on a system-wide level. Required attributes can be defined within industries/communities – but the question will be how can they be extended across communities, i.e., interoperability? Is it possible to have a certain number of templates that work across communities?
 * What is needed is some standardization within communities and enough standardization to transverse across communities.
 * There is also the issue of legal interoperability because of the related liabilities, particularly the U.S. requirement for liability insurance.
 * An example discussed was that of the credit card/debit card systems because of the effectiveness of their related legal agreements. But identity is different than credit cards.
 * It is important to leverage the architectures that already exist (e.g., http) and determining whether the protocols can be enhanced to solve technical issues associated with identity interoperability. One question that needs to be answered: is cyberspace limited to the Web? Is it the entire Internet?
 * There are many related areas that will require standardization in order for the Identity Ecosystem to work, e.g., data modeling. Many connectors will be needed, but standardization will be the key to success. The Identity Ecosystem needs to establish federated standards, but we have to recognize and accept that we need to allow more than one way dictated on how interoperability will be accomplished.
 * The value proposition to underlying entities also must be addressed. For example, the financial services industries could save a lot of money with the standardization of secure authentication. Ideally, a user could use a single token to access any of its banks. Stakeholders may need to come together to agree on how to achieve widespread use and cost savings.
 * Importance of taking the user’s experience into consideration. A user needs to authenticate to their particular identity provider, but what has to be determined is how to convey assertions to/from relying parties. User experience has to do with relationship of the user with his identity provider. It is important to remember that once a user lets his/her identity to go, it’s impossible to pull it back.
 * Need to address that the Identity Ecosystem needs to be addressed broadly and quickly; otherwise there will be weak intermediate solutions that may be as bad as what we already have.
 * Another successful example discussed was the Federal PKI Bridge. Communities leveraged the functionality of the Federal Bridge, e.g., Biopharma and Aerospace &Defense, by creating bridges to the Federal Bridge. These are successful examples of federation and interoperability using a single technology. Question: How can these bridges be scaled and extended?
 * A good starting point would be to extend PKI to accommodate privacy enhancing technologies. PKI, for example, drove the x509 standard to be what it is today.
 * Must differentiate between roles and entities IDP is a role, not necessarily an entity. Need to define the right roles around technical interoperability.