Re: ISSUE-17 (safetoplay): safe to play [Identification + Authentication] from Jose M. Alonso on 2009-05-06 (public-egov-ig@w3.org from May 2009)

From: Jose M. Alonso <josema@w3.org>
Date: Wed, 6 May 2009 19:02:02 +0200
To: <MCrompton@iispartners.com>
Cc: Daniel Bennett <daniel@citizencontact.com>, John Sheridan <John.Sheridan@nationalarchives.gsi.gov.uk>, eGov IG <public-egov-ig@w3.org>
Message-Id: <448D2AE8-B94A-4F5F-8704-315A58588760@w3.org>

Hi again Malcolm,

I forgot to copy the Group before. Copying it now to keep record of  
this exchange wrt ISSUE-17.

Daniel tweaked the section a bit more with your comments in mind. I've  
just uploaded it. I'm having trouble to give you access to a diff so  
I'm attaching it.

We agreed on the call to go ahead and publish the document. Some minor  
tweaking might be possible between today and tomorrow. Hope the  
changes satisfy your comments.

Best,
Jose.

El 03/05/2009, a las 5:51, Malcolm Crompton escribi�:
> Jose et al - thanks for addressing this issue.
>
> I have quite a number of comments to make so won't waste the time of  
> the
> wider group by copying them in unless you think it is worthwhile  
> bringing
> them in.
>
> I found that I could not deal with the drafting without going back  
> to the
> beginning of the section titled Identification and Authentication  
> starting
> at www.w3.org/2007/eGov/IG/Group/docs/note#idauth.
>
> The first point where I would suggest change is under the heading  
> The Myth
> versus the reality, at
> www.w3.org/2007/eGov/IG/Group/docs/note#idauth.what.myth.
>
> Right at that point, we need to have a sentence or two on why  
> globally we
> are getting IDM wrong & hence how to avoid contributing to it.  And  
> the
> error is not just that it is easier to forge on a mass scale.  It is
> massively compounded by making the value of such forgery worthwhile  
> doing.
> And this is happening because we have introduced a vast range of new
> circumstances where the claim requiring authentication is an identity
> assertion rather than some other assertion.
>
> [in the meat world, to buy a book all I have to do is produce a  
> token that
> is unlikely to have been forged (ie money) and is likely to be mine  
> to give
> (ie I have not stolen it) and combine this with a process that makes  
> it
> unlikely I will repudiate the transaction (eg snatch back the money  
> after
> the book gets in my hand).   But online, we have to produce identity  
> claims
> to do this as well.  Hence the trick will be to make any one  
> authenticated
> claim not worth stealing.  And we are just beginning to work out how  
> to do
> this at the technology layer (eg the PRIME & PrimeLife projects in  
> Europe &
> the work of many others such as Higgins & MS CardSpace).]
>
> Thus one recommendation in this work is to recommend very strongly a
> principle that parties only require identity claims to be presented &
> authenticated when no other claim will do AND that when an identity  
> claim
> does need to be presented, it is a context specific claim (eg my  
> health
> identifier is useless & not copyable in any other circumstance).
>
> At that point as well, it is vital to introduce the concept of mutual
> authentication as a matter of mutual respect and as an essential  
> security
> requirement.  It is just as important that the citizen be able to  
> see proof
> that it is dealing with a government agency in a legitimate  
> circumstance as
> it is for the government agency to be able to see proof that it is  
> dealing
> with the right citizen.  The most obvious manifestation of failing  
> to do
> this is phishing, where the individual is tricked into thinking that  
> they
> are dealing with a legitimate organisation (see the short paper at
> www.iispartners.com/downloads/user_centric_id.pdf). Once this is  
> done, there
> are a whole series of places where redrafting & re-balancing is  
> needed.  For
> example, the emphasis in the later para beginning "Personal identity
> verification is not the only aspect of identity in online  
> transactions ..."
> is all wrong because it is dealing only with the citizen identifying  
> itself
> to government, not the equally important part of government  
> recognising it
> needs to be just as careful in identifying itself to the citizen.
>
> Under the heading What Public Policy Outcomes are Related ..., at
> http://www.w3.org/2007/eGov/IG/Group/docs/note#idauth.policy, I would
> rephrase away from suggesting that identity & privacy must be  
> 'balanced'
> against each other.  That immediately implies sub optimal outcomes  
> because
> it limits thinking to trade off options.  But there are also options  
> where
> BOTH can be enhanced at once.  The example given above is one.  If  
> we can
> limit the number of circumstances when the same identity claim has  
> to be
> presented & authenticated, we are likely to have improved privacy AND
> security.
>
> Hence rather than the words "the need for authentication and  
> identity should
> be balanced with:", why not words such as "the need to ensure that
> authentication and identity are designed with privacy in mind from  
> the very
> start so that it is not compromised".
>
> Under the heading at
> http://www.w3.org/2007/eGov/IG/Group/docs/note#idauth.benefits, the  
> big
> missing drawback is the transfer of power to any trusted third party  
> that
> can decide to bring you into digital existence, wipe you out and track
> everything that you do in between (in fact, a digital god).  This is
> probably the most worrying thing about ID management where  
> government is the
> trusted third party doing this, especially when done wrongly.  The  
> Potential
> Drawbacks list does not reflect this concern.  Arguably this is  
> covered by
> the words "decreased privacy" but it doesn�t really get the message  
> across
> because most readers will read "decreased privacy" as involving  
> insufficient
> notice or too much information sharing, all of which can be  
> components of
> the larger concern but that's all.  Perhaps words along the lines of
> "perceptions or even the reality of Big Brother surveillance and  
> control".
>
> Somewhere at about this point, we also need to introduce the extreme
> importance of allowing anonymous or pseudonymous transactions wherever
> possible.  The para underneath that list can be interpreted to be  
> seeking to
> exclude this vital part of human existence.
>
> Bearing all this in mind, under the heading
> http://www.w3.org/2007/eGov/IG/Group/docs/note#idauth.how, Legal
> Dependencies cannot be limited to the considerations currently listed.
> Legal dependencies also include appropriate legal frameworks to  
> protect the
> citizen from misuse by others and misuse by government.  [Part of  
> the debate
> in the UK about the identity card there has come from the inadequate  
> legal
> protections being offered to the citizen should the card go ahead.]
>
> Under the next heading Technological Methods ..., there is no need  
> for the
> word "restrictive" because it implies a step backwards.  Rather,  
> such law
> may in fact be a step forward to ensure that government is kept in its
> place.
>
> Then we get to the Safe to Play words.
>
> Perhaps a better formulation goes along the following lines:
>
> * Fair Risk Allocation (essentially proved consumer protection so that
> citizens do not take on an undue burden of risk).
>
> * Control (essentially ensuring that citizens can be assured that
> information about them is under control and not in a weak security
> environment or will be used in a way that was not expected; if this  
> is not
> possible then the citizen will expect to be able to exert a greater  
> degree
> of control personally)
>
> * Accountability (an important way of ensuring that government does  
> in fact
> bear an appropriate burden of risk by paying for and responding to
> governance mechanisms that ensure that its operations are working as
> intended; unintended consequences are identified and addressed and the
> chances of things going wrong minimised)
>
> * Safety net (given that all human built systems fail at some time or
> another and that the citizen is likely to be the party most affected  
> & least
> able to withstand a failure, how to ensure that the citizen is well  
> looked
> after when things go wrong:  in the case of identity management how to
> ensure that a lost or compromised identity is dealt with as an  
> 'innocent
> until proven guilty' event rather than the other way round.  The way  
> in
> which an organisation, public or private sector, manages failure is  
> one of
> the most important contributors to its perceived trustworthiness.  An
> organisation that is arrogant & won't admit failure let alone  
> contribute to
> addressing its consequences will be considered vastly less  
> trustworthy than
> an organisation that acts in the opposite way.)
>
> I am sorry if this looks hastily written.  It is.  It seemed better to
> provide some thoughts quickly rather than nothing at all which was the
> alternative just at present at this end.
>
> Regards
>
> Malcolm Crompton
>
> Managing Director
> Information Integrity Solutions Pty Ltd
> ABN 78 107 611 898
>
> T:  +61 407 014 450
>
> MCrompton@iispartners.com
> www.iispartners.com
>
>
>
> 	
> -----Original Message-----
> From: Jose M. Alonso [mailto:josema@w3.org]
> Sent: Friday, May 01, 2009 9:26 PM
> To: MCrompton@iispartners.com
> Cc: 'Daniel Bennett'; 'John Sheridan'; 'eGovernment Interest Group WG'
> Subject: Re: ISSUE-17 (safetoplay): safe to play [Identification +
> Authentication]
>
> Malcolm,
>
> Daniel has added some here:
> http://www.w3.org/2007/eGov/IG/Group/docs/note#idauth.issues.citizen
>
> Is that enough to satisfy your comments? If not, could you please
> provide replacement text?
>
> We have a very tight schedule so if we don't hear any objection from
> you by May, 5th, we'll understand is fine enough and go ahead as is.
>
> Thanks much,
> Jose.
>
>
> El 17/04/2009, a las 13:54, Malcolm Crompton escribi�:
>> Jose - thanks.  I will follow responses & comment on input if that
>> would be
>> helpful.
>>
>> Malcolm Crompton
>>
>> Managing Director
>> Information Integrity Solutions Pty Ltd
>> ABN 78 107 611 898
>>
>> T:  +61 407 014 450
>>
>> MCrompton@iispartners.com
>> www.iispartners.com
>>
>>
>>
>>
>> -----Original Message-----
>> From: public-egov-ig-request@w3.org [mailto:public-egov-ig-request@w3.org
>> ]
>> On Behalf Of Jose M. Alonso
>> Sent: Friday, April 17, 2009 8:30 PM
>> To: Daniel Bennett; John Sheridan
>> Cc: eGovernment Interest Group WG
>> Subject: Re: ISSUE-17 (safetoplay): safe to play [Identification +
>> Authentication]
>>
>> Daniel, John,
>>
>> I raised this one on behalf of Malcolm. I attached it to Id&Auth for
>> now, although I believe it touches on other sections such as Social
>> Media.
>>
>> Please, take a look and see if/where a paragraph or two and reference
>> should be addded.
>>
>> -- Jose
>>
>>
>> El 17/04/2009, a las 12:26, eGovernment Interest Group Issue Tracker
>> escribi�:
>>> ISSUE-17 (safetoplay): safe to play [Identification +  
>>> Authentication]
>>>
>>> http://www.w3.org/2007/eGov/IG/track/issues/17
>>>
>>> Raised by: Malcolm Crompton
>>> On product: Identification + Authentication
>>>
>>> The importance of 'Safe to Play' from a citizen's perspective as we
>>> get into
>>> eGov. The most relevant paper is 'Safe to Play' which is
>>> available at:
>>>
>>>
>>
> http://www.iispartners.com/downloads/2008-02Safe-to-play-white-paper-V9POST-
>> NOBELFINALVERSIONFeb08.pdf
>>>
>>> Jose is raising this one on behalf of Malcolm Crompton
>>>
>>>
>>>
>>
>>
>

Attachments

application/zip attachment: id.auth.diff.1.88-1.90.zip

Received on Wednesday, 6 May 2009 17:02:58 UTC