NSTIC: Two Roads - Both Impossible
3 views
Skip to first unread message
Anders Rundgren
Jul 21, 2011, 3:37:38 AM7/21/11
to icf-m...@googlegroups.com
Although the NSTIC people probably are not aware of it there are
several "predecessors" out there.
One group originated by IdentTrust back in the late 90'ies tried (still does) creating a commercial ground for TTP-issued credentials.
They have largely failed due to lack of business model. I.e. is it the user or the relying parties that should pay for the credential?
In reality these schemes have morphed into outsourced identity provisioning for government agencies where the government agencies fund the service regardless if the end-user is a citizen or a government employee.
So if NSTIC wants to succeed they can safely put that alternative away since enterprises haven't bought into this scheme.
Another alternative would be creating a more flexible credential solution where you may have multiple credentials. A difficulty is that you indeed must create the technical foundation because the already mentioned schemes typically based on the USG's PIV and CAC cards doesn't really cut it. So what's the problem with creating a flexible credential solution you may wonder? Well, to begin with there is absolutely no consensus what such a thing would be.
There are only three vendors in the world that could create a suitable platform for NSTIC. I have a feeling that they'd hoped for another answer but if we take the financial sector and their half a BILLION of on-line users still having problems with phishing, it is pretty obvious that solving the middle-east conflict or US deficit may be simpler than getting something novel off-the-ground on the Internet for authentication.
One group originated by IdentTrust back in the late 90'ies tried (still does) creating a commercial ground for TTP-issued credentials.
They have largely failed due to lack of business model. I.e. is it the user or the relying parties that should pay for the credential?
In reality these schemes have morphed into outsourced identity provisioning for government agencies where the government agencies fund the service regardless if the end-user is a citizen or a government employee.
So if NSTIC wants to succeed they can safely put that alternative away since enterprises haven't bought into this scheme.
Another alternative would be creating a more flexible credential solution where you may have multiple credentials. A difficulty is that you indeed must create the technical foundation because the already mentioned schemes typically based on the USG's PIV and CAC cards doesn't really cut it. So what's the problem with creating a flexible credential solution you may wonder? Well, to begin with there is absolutely no consensus what such a thing would be.
There are only three vendors in the world that could create a suitable platform for NSTIC. I have a feeling that they'd hoped for another answer but if we take the financial sector and their half a BILLION of on-line users still having problems with phishing, it is pretty obvious that solving the middle-east conflict or US deficit may be simpler than getting something novel off-the-ground on the Internet for authentication.
Reply all
Reply to author
Forward
0 new messages