Ditch Your Passwords? US Gov To Issue Secure Online IDs (forbes.com/sites/tomgroenfeldt)
56 points by elleferrer on Aug 21, 2013 | hide | past | favorite | 74 comments


In Sweden, we have a similar system. The major Swedish banks issue BankID, which is typically a Java applet you run on your computer which is provisioned with a certificate you use to sign things.

You need this to use the online benefits and tax systems and so on.

And it works horribly.

The hassles I've seen people have running Java and so on are horrifying. And the security - or lack of it - is staggering. It basically only works under Windows and on increasingly insecure legacy browser configurations and so on.

They also sometimes use PDFs with scripts in them for forms that you have to 'sign'. I don't understand why they do this, but they do.

All in all, No No NO!


Oh, yay, security with Java! That's something you definitely want installed.

>> According to the recently [Dec 2012] published Kaspersky Security Bulletin 2012, Oracle Java was the most frequently exploited software by cybercriminals during the year, with Adobe Reader and Adobe Flash Player ranking in the second and third places, respectively.

http://www.kaspersky.com/about/news/virus/2012/Oracle_Java_s...


The Java implementation of BankID hasn't been used for years on any of the sites I use. At least on the Mac, Nexus Personal is used for storing certificates and has a plugin for all major browsers. There is even an app for iOS, and it works really well in my opinion.


I think it has improved lately because it runs on Windows, Mac and Linux (at least Ubuntu). I have not had any problems with it. Works okay.

The problem I have is that I need to carry around a card reader for my credit card to get BankID working, because my credit card has the BankID signature in a chip to be able to use the software. I use the bank SEB.


The Java applet version isn't used anymore (or shouldn't be, at least). The one that we have now is great and I haven't had any problems for many years actually. It works on all browsers I've used. What you're saying is very outdated, I would say.


In Norway, we have BankID as well (works well on mac/chrome, though), but we also have a choice to use non-java MinID ("MyID") for logging in to do taxes/healthcare/education/etc. Signing electronically is still only BankID and java, as far as I know.

From a convenience-viewpoint, I think it works quite well, but I don't know how secure it is if an adversary is determined enough. It's basically (birth number) + (personal password) + (either a key sent to your phone or a randomly chosen PIN from a paper you've been sent through regular mail)


So is it horrible strictly because it's Java? Or because it's a bad idea altogether?


That's not even remotely what he said. He was making two separate points:

1) the problems of having to teach users how to enable Java applets. Having done time on a customer support desk in a past life, I know full well that talking someone technologically inept through something like that would be hell on Earth.

2) and a point about how this idea works out less secure in practice as you're allowing 3rd party code to run natively on your machine, desensitising users to running 3rd party Java applets (or even encouraging people to have them enabled to run by default). And scripts running inside PDFs are a known vector for attack as well.

I also disagree with the practice of pushing proprietary solutions which are only able to work on a single platform - which it sounds like their solutions are, in spite of Java and PDF being open and cross-platform standards (I'm having to take the OP's word on that point, as I'm not a resident of the same country).


Is this the same US Gov who had a bit of kerfuffle in the news recently about some privacy issue?


Now is a great time to make this announcement. Everyone's trust in the US government has never been higher!


Makes you wonder if they really give a damn about positive PR, or understand PR period.


Exactly what I was thinking, I can't believe the populace is not choking on this concept!


I can't wait! More ways to keep us safe! /s


Also the same US Gov whose identifiers are routinely required to fly, interact with banks and insurance companies, have a job, pay your federal taxes, etc.

If they were to mandate use of this system for, say, forum comments, I'd be worried. All they're proposing is a more secure and efficient way to identify yourself in situations where you already need to use a real identity.


I know! It's almost like there are a bunch of different federal agencies, with different schedules and wide-ranging and sometimes contradictory sets of goals.


This is a wonderful idea!

Think of all the money the US taxpayers will save by not needing all that NSA gadgetry anymore! They'll just log in as you when they want to know what you're up to.


This stuff is based on plain old identity federation. SAML protocol using SAML assertions.

The problem is that they're outsourcing identity provision - ref. "...such as banks, governments, healthcare organizations, and others..." in the linked article.

The article also (correctly) states that "The credential exchange will be designed to transmit credential information securely without knowing users’ actual identities."

This is neat, for sure, but isn't always required (how would a health care provider be useful if they didn't know who you are), and is only half of what they should be doing.

So the relying party shouldn't always need to know who the user actually is, but (much more importantly) the identity provider should never need to know where the user is conducting his or her affairs.

As an example:

You're laid off at work, and need to claim benefits. You have a mortgage, and because you feel you can get a new job before you run out of the savings that service the mortgage, you don't want your bank to know that you've been laid off. But guess what, your bank is your identity provider, and will know that you've logged into the jobless benefits site. So the bank flies your mortgage into the side of the mountain. No survivors, call off the search.

Providing this kind of asynchronous privacy (where, at the user's discretion, the relying party cannot determine who the user is, and the identity provider cannot determine who the relying party is) is not difficult. U-Prove is tech from Microsoft (acquired from Credentica) that does it, and is open-source.
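The unlinkability property the comment describes (the identity provider signs a credential without learning where it will be shown) can be demonstrated with a Chaum-style RSA blind signature. This is an added illustration, not code from the thread and not U-Prove's actual protocol; the tiny primes, the `hash_to_int` helper and the role names are assumptions for the demo.

```python
import hashlib
import secrets
from math import gcd

# --- Identity provider (the bank) ------------------------------------------
# Constructed toy RSA key for readability; real keys are 2048 bits or more.
P, Q = 1000003, 1000033        # assumption: small primes, demo only
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

def idp_blind_sign(blinded_msg: int) -> int:
    """The bank signs whatever it is handed; it never sees the real token."""
    return pow(blinded_msg, D, N)

# --- User --------------------------------------------------------------------
def hash_to_int(token: bytes) -> int:
    """Map a credential token to an integer mod N (hypothetical helper)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def user_blind(msg: int):
    """Pick a random blinding factor r coprime to N; return (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (msg * pow(r, E, N)) % N, r

def user_unblind(blind_sig: int, r: int) -> int:
    """Strip the blinding factor: (m^d * r) * r^-1 = m^d mod N."""
    return (blind_sig * pow(r, -1, N)) % N

# --- Relying party (the benefits site) --------------------------------------
def rp_verify(token: bytes, sig: int) -> bool:
    """Check the bank's signature using only its public key (E, N)."""
    return pow(sig, E, N) == hash_to_int(token)

def issue_and_present(token: bytes):
    """Full flow. Returns (what the bank saw, what the RP saw, RP's verdict).
    The bank's view is a random-looking value it cannot match to `token`."""
    m = hash_to_int(token)
    blinded, r = user_blind(m)
    blind_sig = idp_blind_sign(blinded)     # bank sees only `blinded`
    sig = user_unblind(blind_sig, r)
    return blinded, (m, sig), rp_verify(token, sig)

if __name__ == "__main__":
    bank_view, rp_view, ok = issue_and_present(b"session-token-demo")
    print("bank saw:", bank_view)
    print("RP saw:  ", rp_view)
    print("valid:   ", ok)
```

Because the bank only ever sees `blinded`, a log of its signing sessions cannot be joined against the benefits site's log of presented signatures, which is exactly the separation the comment argues a federated scheme should provide.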


What do you mean "there goes your mortgage"? Banks don't swoop in and foreclose on your home just because you don't have a job. If you're still making the monthly payments then your mortgage is still in good standing. They don't care if the money is coming from a salary or your savings.


It's a dramatized example intended only to illustrate the point.


Except it doesn't illustrate the point because it's completely inaccurate and doesn't make any sense. If you're still making payments, what does the bank have to gain by "flying your mortgage into the side of a mountain"? What do you even mean by that?

I get that there are ways that the bank could screw you if they're your identity provider. What you stated is not one of them.


Ok, you win.


Hm, every new bit of news relating to the US government and the Internet makes me question what exactly the Internet is doing for me and if I could live without it.

Lately I've begun to realize that within the next 5 years my Internet usage will be extremely minimal (if at all) unless there is some kind of huge change.

I'd rather just cancel all of my accounts on major websites than be forced to use this creepy ID system.


> SecureKey, based in Toronto, today announced it has been awarded a contract by the USPS to provide a cloud-based authentication infrastructure.

I love that USPS, a government entity so far in the red, has the ability to award any money at all...


Debt makes the world economy go round, didn't you know?


I love the idea that the broke USPS awards a contract meant to secure our ids to a foreign company.


You would be in the red too if you were forced to keep providing an unprofitable service, and prevented from raising your prices.


Another excellent example of why the government should leave these things to the private industry or contract it out.


How long until Gov ID is required to log into Facebook and Google? Then the government doesn't even need to ask these annoying companies to access your data.


I give them a year.


Getting your credit card info stolen is a huge pain. Imagine the pain from having your government identity stolen.


Should be no different from getting your physical legitimation stolen.


The difference is the credit card company is motivated to keep you happy as a customer. The government is more like: "Assuming this really happened -- what's he going to do - move to Liberia?"


Here is the thing, people use insecure password storage because secure password storage retrieval is seen as either "too slow" or it is seen as "not required". For example, how many people are still using md5 hashing for password storage?

It seems like all the govt issuing a secure online id will do is add another unused standard to the pile without changing the behavior that makes things less secure in the first place.

http://xkcd.com/927/ sums this problem up nicely.


Except that the government can require this standard's use to file taxes, access certain important government accounts, etc. They have the ability to create a standard and make it stick.


They can make it stick for government benefits and taxes and so forth. ("Use our IRS-ID or you can't file your taxes and we'll jail you for tax evasion.")

I doubt if they can make it stick in areas where people have a choice.


> They have the ability to create a standard and make it stick.

This is rarely, if ever, the case. I can't actually think of any technical standards whose dominance originates from a successful government mandate.


I can think of a few: the US dollar, the railroad gauge, encryption algorithms, etc. The government is often the largest single customer of things so what they demand, someone provides. And since marginal cost is usually smaller than unit cost, one large guaranteed customer means that product or service is cheaper for everyone else than some competing product or service.


The EU mandated in 2011 that all new smartphones must use micro-USB to charge [1]

[1] http://www.dw.de/european-commission-says-standard-mobile-ch...


What has government ever done for us, apart from GPS, metric, GMT, telephony, electrical standards, safety standards, the Internet etc?


When military technology enters the mainstream, and becomes the basis of technology in widespread use by the public, it goes without saying that the original military specifications are the initial "standards" present for that technology.

This isn't the same as the government attempting to mandate standards for public use, especially with the intent to alter the way people are already using technology.

In your list, only GPS represents a technology originally used by the military, whose initial military specification still mostly describes its current function. Everything else, and especially the Internet - which grew out of a DARPA project, but certainly isn't one any longer - is either a vague category (electrical/safety standards), areas in which standards have not originated from government mandates (telephony, the Internet, time zones), or areas in which government attempts to shift standards have been demonstrable failures (metric usage in the US).


Well, there is the metric system for one. Maybe the mini USB connectors used for charging mobile phones counts, too.


> Well, there is the metric system for one.

Thus proving my point. The US government has on multiple occasions attempted to propel the metric system into dominance in the United States, and has consistently failed every time.

> Maybe the mini USB connectors used for charging mobile phones counts, too.

And yet my iPhone still has a proprietary charging port.


Well, I suppose this shows more of a problem with Americans themselves than with government standards. How come the rest of the world was able to adopt these government-mandated standards, but Americans (or a US company in the case of Apple) can't?

Reminds me that it's also the same with A-sized paper, with basically just the US and Canada stuck with letter/legal/whatever.


I'm not really seeing a "problem" here - uniformity in standards is a recipe for stagnation. There's no need for everyone to do everything the same way, and even less need for prescriptive standards that attempt to change people's behavior than descriptive ones that just document what people are already doing.

I'm a bit confused about the paper sizes thing, though. A4 and Letter are simply two different paper size standards.



Well, it's fairly clear that standards for military technology will be set by the military organizations that are generally the sole users of military technology.

These aren't "standards" in the sense that they define the parameters for interoperability of technology in widespread use by many disparate parties.


To the best of my knowledge, those standards are also in widespread use in the electronics industry.


> They have the ability to create a standard and make it stick.

This was created by the USPS. Government agencies can't even agree on a standard to use amongst themselves. Throw the public into this mess, and now the Wikileaks mess, and this thing ain't going anywhere.


The USPS contract is being led to have a contractor implement a solution compliant with Federal guidelines on authentication, though. The ideal is certainly that you'd eventually be able to use this same system to sign-on to other Federal government citizen-facing portals, if I'm understanding the article correctly.


... that they will key escrow.

Doesn't mean you couldn't implement your own secondary key though. Sign it with your ID and use that key for key exchange and you've defeated the escrow.


The impression I got was that it was nothing more serious than an identity authentication scheme, not an encryption mechanism... they don't need to "escrow the key" (nor would it matter), they'd already be able to reset your account whenever they feel like it anyways.


Reliably verifying real-world identities online is a hard problem. I personally don't enjoy faxing my driver's license several times to get it to come through legibly, handing out my SSN like candy, scanning bank statements, answering questions about previous residences, and waiting for a 48-hour manual review process just to do any sort of business that's tied to a real identity.

The existing system is archaic, fundamentally insecure, and horrendously broken from a UX standpoint. As far as privacy, the federal government is already an identity provider required by many services (in the form of social security numbers). I have no objection to it performing that role more securely and efficiently.


Trying to navigate the spin, but this company appears to tie things like your existing, bank-issued, two-factor hardware dongle to your government identity.

Best line of the article: "The cloud-based service follows federal guidelines to protect privacy, said SecureKey, although exactly what that means after the Snowden revelations is not clear."

Seems unlikely to fly; surely some big megacorp - or cartel of them - wants an exclusivity deal to make government approved ids.

BTW, does anyone find it ironic that libertarian-leaning programmers are so high in demand, and well paid, by the surveillance state?


Anyone else think this is the start of a slippery slope? Once enough people are using it, any other form of login could be made illegal and "citizen sheep" can be tracked much more easily by big brother NSA.


I'd love to read this, but I'm feeling a need to start boycotting Forbes articles. Is this available anywhere else?



Why would the US government be better about protecting my account information than companies whose business is literally identity protection?


What next? Will they offer secure email services?


You joke, but https://en.wikipedia.org/wiki/De-Mail

The drugs that were consumed when they came up with this must be government issue only. Stuff's too hard for the streets..

Also, the crypto is as secure as a wet paper bag..


You realize that the alternatives are fax, postal mail, and attachments on cleartext emails, right?


If you have fake security like De-Mail, I'd rather send my official stuff to the authorities by traditional postal mail than this.


Why is it fake security?



Ah ok. So just building a separate email system and calling it "secure" without actually doing any crypto. Nice.


Probably this is a better link, directly to the document explaining the matter:

http://ccc.de/system/uploads/126/original/stellungnahme-dema...


No. That would imply you have something to hide.


My thoughts exactly.


In the light of everything that has happened over the last month, this has to be a joke, right?


Well, has anything really changed? With the exception of a few small companies shutting down to "stick it to the man", what honestly has changed? No one has been removed from office and no revolution has started. We all sit here and watch as it happens.


> We all sit here and watch as it happens.

Are you calling us all armchair dissidents?


Let's bring back the clipper chip while we are at it.


"secure"


Cool, can I use this as a foreigner too?


This idea is dead on arrival.



