Archive for June, 2008

Government and Identity

Friday, June 27th, 2008 by hartmans

As I mentioned, I’ve been in DC for the last two days at the AFCEA Solutions conference on identity assurance. One thing I’ve learned is that the government and those providing services to the government think about identity and some of the related security problems much differently than we do in the Internet standards community and especially the open source software community.

I’m sitting here in a session where people are bemoaning the fact that people put their personal information on MySpace, Facebook, etc. (Interestingly, LJ was not mentioned.) There seems to be inadequate consideration of the value people get for making this information available.

However, the most stunning revelation is the strong desire to make sure that people have a single identity and to avoid duplicates. The Kerberos community went down this path a while ago. We found that users really want to have multiple identities in multiple contexts. The example within MIT is that you really probably didn’t want to buy porn using your work credential.

In some of the government contexts, for example giving people security clearances, making sure all the identities are bound together seems really important. However, I feel that a strong push to bind everything to a physical identity will be very harmful to privacy in the long run. I’ve found that reputation-based identity has been really critical to online communities.

Speaking at AFCEA Identity Assurance Conference

Thursday, June 26th, 2008 by hartmans

I’m on a panel discussing the implications of large databases of information on the identity management/assurance problem. The concern is that as you have large databases like national ID databases, credit report databases, medical records, etc., and you want to share information, how do you handle the identity management problems? Sharing is important because it enables new uses of the information. You would like to delegate access to information to services and agents. However, you also want to meet privacy and secrecy objectives. Technologies like OAuth are in this space, although I think that this conference would not be interested in that particular technology.

I have not been thinking that much about some of the problems in this space before preparing for this panel. However, it has been a lot of fun to consider and I think there are some very interesting challenges in this space.