National ID? How about a World Global ID Tracking System?*

Maggie Biggs
Computer World

August 12, 2007 (InfoWorld) The Federation for Identity and
Cross-Credentialing Systems (FiXs) -- a little-known group of
nonprofits, government contractors, commercial entities, and government
agencies -- has just unveiled a first-of-its-kind global infrastructure
to support distributed, integrated identity management and
cross-credentialing across organizations. The implementation combines
several existing security technologies along with a set of trusted
models, policies, and operating rules to insure the accurate identity of
personnel accessing physical sites or logical systems.

Already in a pilot mode at a handful of government agencies and defense
contractors, the FiXs identity management initiative does not have a
hard date for broad deployment, although the impediments do not appear
to be technical. "The cultural gap with the public in general is still
too wide," said Dr. Mike Mestrovich, president of FiXs. "I think there
would have to be a public consensus to move us in that direction and I
don't see that happening until at least 2009 or beyond."

Founded in 2004 and based in Fairfax, Va., FiXs counts among its members
the Department of Defense, Wells Fargo, Lockheed Martin, EDS, and
several others. Modeled after secure electronic payment systems and
initially implemented by the DOD's Defense Manpower Data Center (DMDC),
the FiXs initiative meets the objectives set forth in the October 2006
Homeland Security Presidential Directive (HSPD-12).

"Until now, cross-bordering policies between government and industry had
not been established," said Mary Dixon, director at the DMDC. The FiXs
implementation does not assign roles, grant or deny access, or otherwise
act as a gatekeeper. Rather, the mission of FiXs is simply to
authenticate the identity of participants within its member
organizations. Once verified by FiXs, individual site managers and
systems administrators assign or designate access controls based on the
role of the individual and the policies of a given organization.

FiXs' capabilities allow it to cross between both public and private
sector organizations using a federated trust model. The implementation
is available worldwide in local or remote settings via both wireless and
wired environments. Access is available in real time. An individual's
specific identity data remains within their vetted source organization.

"By its very nature, the federated solution aids in privacy because
there is no central database and individual data can be stored in only
one [vetted] place," Dr. Mestrovich said. Yet the distributed design and
cross-organizational model found in the FiXs implementation does offer
the possibility of a future national or international identity
management system that might cross borders and organizational
boundaries. "The federated approach can actually take the place of a
mandated National ID system," Dr. Mestrovich stated.

Still, the head of FiXs does not see a national or international
identity management implementation as a near-term reality for a couple
of reasons. First, no schedule has been defined to implement such a
system on the federal, state, or local level, let alone among the
broader private sector. "We are speaking to a couple of States about
using FiXs, but no timetable has been set," Dr. Mestrovich said.

More to the point, even though the federated identity management
approach could power a national or international system, policy and
implementation agreements would be needed among federal, state, and
local government agencies as well as corporate governance boards, civil
libertarians, foreign governments, and the population at large.

The initial DMDC pilot leverages the trust model, operating rules,
policies, and security defined by FiXs and it can be considered a
reference implementation. Several technologies underpin this early
federated identify management and cross-credentialing deployment. Among
these is the Common Access Card (CAC), which contains individual
information housed in a barcode and within an integrated circuit chip.
The card is used to secure both physical sites and for systems access.

In this implementation, CAC is combined with the Defense Biometric
Identity System (DBIDS) to accurately identify personnel -- whether full
time employees (FTEs) or contractors. Beyond CAC and the DBIDS, FiXs
also includes cross reference capabilities that include photographs,
textual, and fingerprint data. Industry standard encryption is used to
secure the identity management process.

The FiXs organization currently has just under thirty member
organizations, but the group is open to additional members. With this
early implementation, group members can help to shape identity
management policies and technologies as FiXs begins to be leveraged by a
broader number of public entities and private sector firms.