What's Going On With NSTIC? Pilots! Steering Groups! - (1A)

NSTIC Update & Identity Intro (1A)

Convener: Jeremy Grant

Notes-taker(s): Allan Friedman

Tags for the session - technology discussed/ideas considered:

NSTIC, federal, DoC, pilots, grants,...

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Not NSTIC 101

Good news: lots going on
 * Funding! - $16.5 M

Bad news: Lots going on slowly
 * Inter-agency review

Steering group
 * Privately led, with some govt funding
 * Still in review
 * Look for an organization to convene the group by application
 * Goal: want all stakeholders involved
 * Ideally open to everyone who wants to participate
 * Want to impose some structure, but don't want to hand-choose
 * Govt as one stakeholder at the table, albeit an active one

Staffing up - 6-7 hires

$10 NSTIC pilot program
 * Focus on testing & demonstrating new ideas, not in the market place today
 * Begin with motivation for govt involvement - market failure, lack of standards
 * Objectives - primarily non-technical barriers
 * Multi-sector
 * Public-private partnerships
 * Establish consumer demand
 * liability clarity
 * privacy-enhancing tech in business models
 * interoperability across different niches
 * user-centric frameworks for attribute exchange
 * trust frameworks with multiple RP
 * New interfaces
 * Usability --> consumer uptake
 * Role of public sector for improving private sector adoption
 * RFP in early Feb
 * Potential 2-step process to allow NSTIC to select more promising proposals for full applications

Explicitly NOT about purely technical solutions - we have those

Q: Role of Chamber of Commerce?

A: Hosted the launch, but not involved more than an interested stakeholder

Don Thibodeau - The broad perspective
 * Takeaway - action-forcing events
 * Different areas of activity
 * Smart cards tying physical with information architecture
 * UMA enabling interoperability of data ecosystems
 * OASIS working on trust elevation
 * How attributes are verified & exchanged for risk
 * User-driven assertions vs. automatic attributes
 * Defining the terms - ABA vs. other
 * Attributes are actionable, definable, monetizable
 * List of organizations
 * NIST - NSTIC, standards
 * Open Identity Exchange (OIX) - trust frameworks for the exchange of attributes
 * Can customize for different communities & use cases
 * InCommon

Going to see a top-down & bottom-up merge
 * Common standards between competitors

Q: Will trust frameworks certify?

A:

- See Kaliya's diagrams of protocols & organization -
 * Focused on Discovery
 * Another on the evolution of community
 * Eve - "venn of identity" and others

Alphabet soup
 * Open Web Foundation -
 * W3C - Fed Soc Web, Browser ID

Shift between identity and management of attributes

Notes-taker(s): Ross Foard

Got funded with 16+ M in 2012

Is establishing a Steering Committee

Next 45 days will release details

$10M on a grant next 45 days

Pilots that can demonstrate real pilots

Products and Frameworks that are not in the marketplace today

Government role in NSTIC is that Market has failed to solve Identity and Privacy

Challenges

Gov't may be able to help overcome this

No clarity on liability

Monetizing transactions

Common standards for privacy protection and data reuse

How to engage user in permissions granting use

Interoperability at high assurance level has been a challenge

Pilot objectives

1. How to demonstrate feasibility of identity eco system across domains and providers

2. How to demonstrate both public and private sectors in lieu of passwords (ID Exchange Hubs)

3. How to create solutions that have inhibited strong credentials adoption

4. ID framework that provides assurance on liability

5. Strong set of user centric privacy protections

6. Demonstrate privacy enhancing technology

7. Demonstrate interoperability across solution stacks

8. Demonstrate attribute exchanges

9. Expand use of trust credentials

10. End user choice in adopting and using technologies

11. Advancement in usability and interoperability

12. Public sector entities to prove id to private sector parties

Government RFP will be a Statement of Objectives, and a response and reward

Perhaps a two step process of the issuance of the grants for the Private sector

To be on steering group what does one have to do

1. Everyone should be able to participate on the working group

2. Don't want to hand choose participants

3. Want this to be private sector led

4. Set up a .com or .org and not government run

In private sector pilot will try and address non-technology issues

Make things that would not otherwise be done

What is the output of these working groups?

Solutions that could transition from pilot to practice

What is the long term relationship between your office and steering group?

Can't answer that at this time, going under review

We would find discrete period of time and then transition to the private sector

IDTrust conference

NIST has been running for 8-9 years

Thought was to have the IDTrust to reconcile with the NSTIC

Will be focused on topics of wider interest

March 11-12-13-14 somewhere in there

Go to id commons website as an aggregation site to find topics across the space

Chamber of Commerce hosted the launch

They are one of many interested parties

Have not been asked to do anything