SOPA lining up to poison identity federations, expert says

Summary: The government has committed multi-millions to helping the private sector build an identity layer for the Internet. But one analyst says either the Stop Online Piracy Act (SOPA) or the Protect IP Act (PIPA) could result in one government action rendering another moot and bungling the promise of secure IDs.


Is the government on the verge of poisoning its own multi-million dollar plans to help create an identity ecosystem, and of damaging a burgeoning identity infrastructure designed to help secure online transactions?

Given the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA) that might just be the case, according to Ian Glazer, a research director on the Identity and Privacy Strategies team at Gartner.

SOPA and PIPA have brought howls of protest and rumors of Internet blackouts, and now have the potential to alter the identity and access management landscape.

"There are interdependencies of services that are not immediately obvious and identity is one of those services," says Glazer.  "It's hard to black out part of a domain and think it will not have consequences in other areas."

Glazer argues that the protocol-level connections that define the relationships between sites that issue user identities (identity providers, or IDPs) and sites that rely on those identities to validate users (relying parties, or RPs) are in jeopardy under SOPA and PIPA.

He says sites such as universities, multiple-service ISPs and credential providers hit with a SOPA DNS lockout would not be able to share identity information and therefore could not authenticate users.

He gives the example of a university professor who logs into her network and uses that credential, via identity federation protocols, to authenticate to an online document service. In that model, the professor's browser must reach both the university domain and the document service domain, and the two domains must exchange identity data. If either side is invisible within DNS, the professor is locked out of her service.

"If you have credentials and user attributes you can't gather from a domain, all the downstream RPs fail, and that breaks the federation," said Glazer.

Users would be locked out, or left registering a separate username and password with each individual site they visit on the Web.

"That is opposite of what NSTIC is trying to do," says Glazer, who blogged about the issues on the Gartner blog network.

NSTIC is the nearly year-old National Strategy for Trusted Identities in Cyberspace, which just received $16.5 million in funding in the 2012 federal budget.

NSTIC, introduced in April last year, outlines the parameters for an "identity ecosystem" to be built and managed by the private sector. For example, Google, PayPal, Symantec and Equifax are already certified ID credential providers.

The program, now under the control of the Commerce Department, is not about a national ID card, but about an infrastructure to help stimulate and secure online interactions and transactions.

In addition, emerging identity technologies such as OpenID Connect and OAuth, protocols used to share authentication data on the Web and to secure API calls between domains and mobile devices, use the same protocol layer and depend on the same cross-domain name resolution.
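The dependency Glazer describes is easiest to see by walking the redirect flow of an OpenID Connect style login with DNS modelled as a pluggable step. The Python below is an added example, not code from the article, from Gartner or from any named vendor; the hostnames (idp.university.example, docs.example), the user, the client ID and the signing key are constructed, and HS256 stands in for the asymmetric signatures a real deployment would use.

```python
"""Toy model of a federated login, written to show where DNS sits in the exchange.
Added example; every hostname, key and user below is constructed."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse


class DnsBlocked(Exception):
    """Raised when a hostname does not resolve (models a DNS blocking order)."""


class Resolver:
    """Stand-in for the resolver used by both the browser and the RP server."""

    def __init__(self, blocked=()):
        self.blocked = set(blocked)
        self.lookups = []  # hostnames looked up, in order, for inspection

    def resolve(self, url):
        host = urlparse(url).hostname
        self.lookups.append(host)
        if host in self.blocked:
            raise DnsBlocked(host)
        return host


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """University IdP. HS256 (HMAC) is a stand-in for RS256 so the key-fetch
    step is still modelled; the discovery document mirrors OIDC's shape."""

    def __init__(self, issuer, key):
        self.issuer = issuer
        self.key = key
        self.discovery = {
            "issuer": issuer,
            "authorization_endpoint": issuer + "/authorize",
            "jwks_uri": issuer + "/jwks",
        }

    def id_token(self, sub, aud):
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"iss": self.issuer, "sub": sub, "aud": aud}
        signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64(sig)


class RelyingParty:
    """Online document service: trusts one issuer and keeps no local passwords."""

    def __init__(self, client_id, base_url, issuer):
        self.client_id = client_id
        self.base_url = base_url
        self.issuer = issuer
        self.keys = {}  # issuer -> verification key, filled by fetching jwks_uri

    def verify(self, token, key):
        signing_input, _, sig = token.rpartition(".")
        expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):
            raise ValueError("bad signature")
        payload = json.loads(_unb64(signing_input.split(".")[1]))
        if payload["iss"] != self.issuer or payload["aud"] != self.client_id:
            raise ValueError("wrong issuer or audience")
        return payload["sub"]


def federated_login(user, idp, rp, dns):
    """Each hop of the redirect flow is a DNS lookup by the browser or the RP."""
    dns.resolve(rp.base_url)                               # 1. browser opens the RP
    dns.resolve(idp.discovery["authorization_endpoint"])   # 2. browser is redirected to the IdP
    token = idp.id_token(user, aud=rp.client_id)           #    IdP authenticates, mints ID token
    dns.resolve(rp.base_url + "/callback")                 # 3. browser is sent back to the RP
    if idp.issuer not in rp.keys:
        dns.resolve(idp.discovery["jwks_uri"])             # 4. RP server fetches signing keys
        rp.keys[idp.issuer] = idp.key                      #    (toy: key handed over directly)
    return rp.verify(token, rp.keys[idp.issuer])


def run_scenarios():
    """Normal login, then the IdP domain blocked, then the RP domain blocked."""
    idp = IdentityProvider("https://idp.university.example", b"constructed-key")
    rp = RelyingParty("docs-rp", "https://docs.example", idp.issuer)
    results = {"normal": federated_login("prof.smith", idp, rp, Resolver())}
    for label, blocked in (("idp_blocked", {"idp.university.example"}),
                           ("rp_blocked", {"docs.example"})):
        try:
            federated_login("prof.smith", idp, rp, Resolver(blocked))
            results[label] = "ok"
        except DnsBlocked as exc:
            results[label] = f"blocked at {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label}: {outcome}")
```

Note that by the time the blocked scenarios run, the RP has already cached the IdP's key from the first login, yet the IdP block still fails at step 2: the browser cannot follow the redirect to the authorization endpoint. Caching metadata on the RP side does not rescue the federation, which is the practical content of Glazer's remark that a blackout "will look like a service outage".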

Glazer says SOPA or PIPA induced blackouts will look like a service outage. "It's not a good idea to introduce service outages into law as remediation for a copyright complaint," says Glazer.  "It's unclear how much due diligence there is going to be in terms of targeting these take down requests."

"Identity federation provides a convenience and agility," says Glazer. "But it also represents a relationship. If the federation is broken at the protocol level I can't represent that relationship anymore."

Topics: Browser, Networking, Security


John Fontana is a journalist focusing on identity, privacy and security issues. Currently, he is the Identity Evangelist for cloud identity security vendor Ping Identity, where he blogs about issues related to digital identity.



  • Seriously?

    If a foreign domain name is dedicated to distributing intellectual property illegally, then those that have set up a federation using said domain probably should have done their homework before federating with it. It goes without saying that services that are domain dependent get broken when a domain is blocked. That is the point.
    • So we should be able to block ...


      ... access for an entire university, to a slew of services, over an allegation of a single copyright infringement - e.g. the presence of a $1 sound track on the university's web site? Really? Isn't the madness of charging consumers several thousand dollars for infringing a $1 sound track enough? As I see it, all of this should be able to be challenged under the Eighth Amendment.
      P. Douglas
    • RE: SOPA lining up to poison identity federations, expert says


      "a foreign domain name is dedicated to distributing intellectual property illegally" Do you think it's the "foreign" domain of my ISP that is exposed in the logs or perhaps the federated identity that I'm using?

      This just demonstrates how screwed up SOPA is and how those who advocate it clearly don't understand the technology behind the Internet....
    • RE: SOPA lining up to poison identity federations, expert says

      @markw2000 If you had read the text of the law, you would understand that they do not need to be convicted first. If I can take out a competitor by killing authentication services with an allegation of infringement, it may be worth the fine I have to pay, if I am ever found guilty.

      Read the law, it does not require a conviction to take it offline. All of this potential harm, and I can bypass it all with one line of script, to get a hosts file from a trusted source that still has all of the domains there. The trusted source will, of course, include themselves in that list, and I can just schedule the machine to grab an update at regular intervals. The DNS system completely bypassed in 3 minutes of work.
    • Are YOU serious?

      @markw2000 So if someone at a university downloads something illegally and a complaint - NOT a conviction or anything requiring any sort of proof but a complaint - is made then the government is able to shut down that university's internet?!?!? And you think this is okay? Things like SOPA and PIPA run completely counter to the basis of our entire legal system - you know that pesky "innocent until [i]proven[/i] guilty" chestnut... (emphasis mine).

      My point is that SOPA and PIPA are in place so that organizations like MPAA and RIAA can circumvent our legal and judicial system. Apparently going through the legal system costs them too much of their profits.../sarcasm
  • Seriously?

    @P. Douglas
    A single infringement of a copyright does not equate to a site dedicated to infringing activity. Regardless of the cost of the item, it doesn't make it ok to violate the law by distributing it for free.

    Please clarify your point if you want a response.
    • Exactly how do you define ...


      ... "a site dedicated to infringing activity"? I wouldn't be surprised that many in the content industry e.g. regard YouTube as "a site dedicated to infringing activity". Seeing however that YouTube is located in the U.S., other sites such as Etsy, Flickr, and Vimeo, are likely to be regarded as sites dedicated to infringing activity, and could be negatively impacted by the bill.
      P. Douglas
    • RE: SOPA lining up to poison identity federations, expert says

      @markw2000 [b]

      Please clarify your point if you want a response.[/b]

      If you did not get his point then you are just as clueless as mylo suggests.