Several new development and pilot projects funded by the National Institute of Standards and Technology are set to begin this summer that, if successful, may lay the foundation for the first large-scale reuse of identity credentials.
Engineers from the Georgia Tech Research Institute, working under a grant provided by the National Strategy for Trusted Identities in Cyberspace program office at NIST, have started developing a set of reusable standards and criteria for identity credentials called trustmarks. NIST is banking on trustmarks to provide the glue that is needed to ignite widespread commercial adoption of standard identity mechanisms for the online world.
Michael Garcia, the deputy director for implementation of the NSTIC at NIST, described trustmarks as a way to indicate that a product or service provider has met the requirements of the identity ecosystem. They would enable a federation of interoperable credentials across organizations and communities of interest, he said.
“Pretty much everyone does their own identity management and they’re not very good at it,” Garcia said, speaking Thursday at a conference sponsored by the National Association of State Chief Information Officers. “The new way to do it is modularity.”
During the early years of the Internet, applications controlled a user’s identity, said John Wandelt, a research fellow at GTRI. The Internet then moved to single sign-on and eventually to the concept of federated communities of interest. But until now, there hasn’t been an easy, cost-effective way to tie all the federated identity silos together and get them to trust credentials that have been issued by other organizations.
Trustmarks would serve as the glue between the various identity frameworks in place across the private sector and government, said Dave Burhop, deputy commissioner and chief information officer for the Commonwealth of Virginia’s Department of Motor Vehicles, which plans to begin major trustmark pilot projects next month.
Burhop described trustmarks as digital versions of notary seals. He also likened them to the “Intel Inside” sticker that comes on new computers powered by Intel Corp. processors, or the Norton Secured seal, which is issued by Symantec Corp. to indicate a safe website. Trustmarks will be owned by the creator of the requirements and will be licensed to manufacturers of compliant goods and services.
Trustmarks “will have to be as formidable as the driver’s license is today in the physical world,” Burhop said. “If we can extrapolate that model, we will be successful.”
Next month, the Virginia DMV will begin a pilot project with the commonwealth’s Inova Health System that will leverage a new trust framework and the trustmark model for patient and health provider access to electronic health records.
According to Burhop, the pilot project will use a multi-factor authentication model that draws on a cell phone, email address, PIN or voice print. Users will then receive email instructions on how they can tie their existing online credentials, such as those from Yahoo or Google, and strengthen them using a so-called attribute provider.
“We need to think about this in an ecosystem perspective. It’s very hard to draw a dotted line around any community of interest,” Wandelt said.
So far, Wandelt’s engineers have developed 94 different trustmarks in eight categories, such as identity assurance, privacy and technical interoperability. GTRI is also developing tools to enable commercial product manufacturers and service providers to insert machine-readable trustmarks in their products and services.
“We call this the trustmark marketplace,” Wandelt said. But the key is that “everyone doesn’t have to implement every trustmark.”