SOPA lining up to poison identity federations, expert says

Summary: The government has committed multi-millions to helping the private sector build an identity layer for the Internet. But one analyst says either the Stop Online Piracy Act (SOPA) or the Protect IP Act (PIPA) could result in one government action rendering another moot and bungling the promise of secure IDs.

Is the government on the verge of poisoning its own multi-million dollar plans to help create an identity ecosystem and damaging a burgeoning identity infrastructure with designs on helping secure online transactions?

Given the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA) that might just be the case, according to Ian Glazer, a research director on the Identity and Privacy Strategies team at Gartner.

SOPA and PIPA have brought howls of protest and rumors of Internet blackouts, and now have the potential to alter the identity and access management landscape.

"There are interdependencies of services that are not immediately obvious and identity is one of those services," says Glazer. "It's hard to black out part of a domain and think it will not have consequences in other areas."

Glazer argues that the protocol layer of connections that define the relationships between sites that provide user identities (called an identity provider or IDP) and sites that rely on those identities to validate users (called relying parties or RPs) is in jeopardy under SOPA and PIPA.

He says sites such as universities, multiple-service ISPs and credential providers hit with a SOPA DNS lockout would not be able to share identity information and therefore would not be able to authenticate users.

He gives the example of a university professor who logs into her network and uses that credential, via identity federation protocols, to authenticate to an online document service. In that model, the university domain and the document service domain must communicate. If either side is invisible within DNS the professor is locked out of her service.

"If you have credentials and user attributes you can't gather from a domain, all the downstream RPs fail, and that breaks the federation," said Glazer.

Users would be locked out or left registering a username and password with each individual site they visit on the Web.
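The cascade Glazer describes can be modelled as a dependency graph: a relying party trusts one or more identity providers, a hub or proxy IdP may in turn trust upstream IdPs, and a DNS lockout of any hop cuts off every credential behind it. The following is an added illustration, not code from the article or from Gartner, using hypothetical domains and a simulated resolver so it runs offline.

```python
"""Cascading effect of a DNS lockout on an identity federation.

Constructed model with hypothetical domains (not from the article): relying
parties trust identity providers, and a proxy/hub IdP trusts upstream IdPs.
"""

# Hypothetical trust edges: domain -> IdP domains it accepts credentials from.
# Domains that appear only as values are leaf IdPs that issue credentials.
TRUSTS = {
    "docs.example-service.com": {"idp.hub.example.edu"},
    "library.example.org": {"idp.hub.example.edu", "login.example-isp.net"},
    "idp.hub.example.edu": {"sso.state-university.edu", "sso.tech-college.edu"},
    "payroll.example-corp.com": {"login.example-isp.net"},
}

def resolvable(domain, blocked):
    """Simulated DNS lookup: anything at or under a blocked zone fails."""
    return not any(domain == z or domain.endswith("." + z) for z in blocked)

def reachable_idps(domain, blocked, path=()):
    """Leaf IdPs whose credentials can still be consumed at `domain`.
    A hop that does not resolve cuts off everything behind it."""
    if domain in path or not resolvable(domain, blocked):
        return set()
    upstream = TRUSTS.get(domain)
    if not upstream:  # leaf IdP: the credential originates here
        return {domain}
    found = set()
    for idp in upstream:
        found |= reachable_idps(idp, blocked, path + (domain,))
    return found

def login_works(home_idp, rp, blocked):
    """Can a user whose credential comes from `home_idp` sign in at `rp`?"""
    return home_idp in reachable_idps(rp, blocked)

def outage_report(blocked):
    """For each relying party, the leaf IdPs it loses under the lockout."""
    idps = {i for trusted in TRUSTS.values() for i in trusted}
    relying_parties = [d for d in TRUSTS if d not in idps]
    return {
        rp: sorted(reachable_idps(rp, set()) - reachable_idps(rp, blocked))
        for rp in relying_parties
    }

if __name__ == "__main__":
    # Blocking the university zone also takes down the hub hosted inside it.
    for rp, lost in outage_report({"example.edu"}).items():
        print(f"{rp}: loses {lost or 'nothing'}")
```

Running the report against a candidate blocklist before a change goes live is the kind of due-diligence check the article says is missing: it shows that blocking one zone silently breaks sign-in at relying parties in entirely different domains.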

"That is opposite of what NSTIC is trying to do," says Glazer, who blogged about the issues on the Gartner blog network.

NSTIC is the nearly year-old National Strategy for Trusted Identities in Cyberspace, which just received $16.5 million in funding in the 2012 federal budget.

NSTIC, introduced in April last year, outlines the parameters for an "identity ecosystem" to be built and managed by the private sector. For example, Google, PayPal, Symantec and Equifax are already certified ID credential providers.

The program, now under the control of the Commerce Department, is not about a national ID card, but about an infrastructure to help stimulate and secure online interactions and transactions.

In addition, emerging identity technologies such as OpenID Connect and OAuth, protocols used to share authentication data on the Web and to secure API calls between domains and mobile devices, use the same protocol layer.

Glazer says SOPA- or PIPA-induced blackouts will look like a service outage. "It's not a good idea to introduce service outages into law as remediation for a copyright complaint," says Glazer. "It's unclear how much due diligence there is going to be in terms of targeting these takedown requests."

"Identity federation provides a convenience and agility," says Glazer. "But it also represents a relationship. If the federation is broken at the protocol level I can't represent that relationship anymore."

About

John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, as well as directs several social media channels and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y...
