OK, NSTIC has been out a couple of months now, and the usual “ZOMG it’s RealID all over again” worry-mongers are raising their heads.
So we’re going to go through what NSTIC is and isn’t, and then some “colorful” (or “off-color,” depending on your opinion) use cases for how I would (hypothetically, of course) use an Identity Provider under NSTIC.
The Future Looks Oddly Like the Past
There are already identity providers out there doing part of what NSTIC describes: Google Accounts, Microsoft Passport, Facebook Connect, even OpenID fits into part of the ecosystem. My first reaction after reading the NSTIC plan was that the Government was letting the pioneers in the online identity space take all the arrows and then swooping in to save the day with a standardized plan for the providers to keep doing what they’ve been doing all along, plus some interoperability. I was partially right: NSTIC is the Government looking at what already exists in the market and helping to grow those capabilities by providing support in the form of standardization and community management. That is the plan, and it makes sense. Would you rather have the experts build the basic system and then have the Government adopt the core pieces as the technology standard, or would you rather have the Government clean-room a standard and a certification scheme and push it out there for people to use?
Not RealID Not RealID Not RealID
Many people think that NSTIC is RealID by another name. Aaron Titus did a pretty good job of debunking some of these hasty conclusions. The interesting thing about NSTIC for me is that users can pick which identity or persona they use for a particular purpose. In that sense, it actually gives the public a better set of tools for deciding how they are represented online and for keeping those personas separate. For those of you who haven’t seen the list of organizations that were consulted on NSTIC, it includes the EFF and the Center for Democracy and Technology (BTW, donate some money to both of them, please). A primary goal of NSTIC is to help website owners verify that their users are who they say they are while still giving users a set of privacy controls.
Now on to the use cases, I hope you like them:
I have a computer at home. I go to many websites where I have my public persona, Rybolov the Hero, Defender of All Things Good and Just. That’s the identity I use to log into my official Facebook account, use teh Twitters, and log into LinkedIn: basically any social networking and blog stuff where I want people to think I’m a good guy.
Then I use a separate, non-publicized NSTIC identity to do all of my online banking. That way, if somebody manages to “gank” one of my social networking accounts, they still don’t get any money from me, because the compromised persona was never trusted by my bank in the first place. If I want to get really paranoid, I can use a separate NSTIC ID for each account, so that losing any one of them exposes exactly one relationship and nothing else.
At night, I go creeping around trolling on the Intertubes. Because I don’t want my “Dudley Do-Right” persona to be sullied by my dark, emoting, impish underbelly, and I don’t want a “pwned” troll identity to hand anyone access to my bank accounts, I use the “Rybolov the Troll” NSTIC ID. Or hey, I go without using an NSTIC ID at all. Or I use an identity from an identity provider in a region *cough Europe cough* that has stronger privacy regulations and is a couple of jurisdiction hops away, but is still compatible with NSTIC-enabled sites because both sides speak the same standards.
Keys to Success for NSTIC:
Internet users have a choice: You pick how you present yourself to each site, and you can keep one persona from being linked to another.
Website owners have a choice: You pick which NSTIC ID providers you trust and accept, so a bank can be far pickier about its providers than a comment thread needs to be.
Standards: NIST formalizes and adopts the existing standards so that the identity layer isn’t controlled by any one party, and so a provider in one jurisdiction still works with a site in another. They use the word “ecosystem” in the NSTIC description a lot for a reason.