The National Strategy for Trusted Identities in Cyberspace (NSTIC) project effort inspired me to think about the problems with Internet and Web security and what could be done about them. The NSTIC strategy document claims that there are three main problems, namely
- password usage leads to identity theft and fraud,
- customer account maintenance is a burden for businesses,
- identity proofing and attribute assurance are expensive.
With these problems identified, the strategy document then focuses its attention on how to get a Web SSO solution deployed, which in turn causes secondary problems to arise. To deal with those, trust frameworks come into the picture. Trust frameworks extend the technical components with operational and legal aspects.
In reading the strategy document I was wondering whether this is the only way to approach the problems they had outlined, and whether there are other problems that need to be addressed. On top of the identified problems, the NSTIC strategy document lists a few guiding principles, and I was wondering whether I agree with them and whether some are missing.
With this starting point I started to talk to various Web security experts (together with my IAB colleague Andrei Robachevsky) to hear what their views are. There are some common aspects in the feedback we got, but there is obviously a lot of variation.
I have seen some solution-specific contributions to the IETF on specific areas of the problem space during this year. For example, many folks agree that there is a problem with non-cryptographic session management (as it is done today in HTTP with cookies). The solution ideas obviously vary a lot, but I believe there is probably consensus that this needs to be fixed. When it comes to authentication using passwords, a common view is non-existent from what I can tell. Some want to get rid of passwords altogether; others suggest introducing Web SSO solutions that at least lower the number of passwords by moving them from the Relying Parties to much fewer Identity Providers; others are more convinced about introducing strong password-based protocols; yet others see the problem in the way passwords are used in HTML forms; then there are ideas for flexible authentication frameworks, etc. The list goes on with other aspects.
Wouldn’t it be good to have the big picture articulated and discussed by the experts in the community? Starting the work on specific solutions (in the IETF, W3C, or somewhere else), potentially in various different directions, is so much easier with a rough idea of where to go.
Together with Mike Hanson and Sean Turner, I have compiled a first draft version.
Please have a look at it and provide your feedback.