SOPA lining up to poison identity federations, expert says

The government has committed multi-millions to helping the private sector build an identity layer for the Internet. But one analyst says either the Stop Online Piracy Act (SOPA) or the Protect IP Act (PIPA) could result in one government action rendering another moot and bungling the promise of secure IDs.
Written by John Fontana, Contributor

Is the government on the verge of poisoning its own multi-million dollar plans to help create an identity ecosystem and damaging a burgeoning identity infrastructure with designs on helping secure online transactions?

Given the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA) that might just be the case, according to Ian Glazer, a research director on the Identity and Privacy Strategies team at Gartner.

SOPA and PIPA have brought howls of protest and rumors of Internet blackouts, and now have the potential to alter the identity and access management landscape.

"There are interdependencies of services that are not immediately obvious and identity is one of those services," says Glazer. "It's hard to black out part of a domain and think it will not have consequences in other areas."

Glazer argues that the protocol layer of connections that define the relationships between sites that provide user identities (called an identity provider or IDP) and sites that rely on those identities to validate users (called relying parties or RPs) is in jeopardy under SOPA and PIPA.

He says sites such as universities, multiple-service ISPs and credential providers hit with a SOPA DNS lockout would not be able to share identity information and therefore would not be able to authenticate users.

He gives the example of a university professor who logs into her network and uses that credential, via identity federation protocols, to authenticate to an online document service. In that model, the university domain and the document service domain must communicate. If either side is invisible within DNS the professor is locked out of her service.

"If you have credentials and user attributes you can't gather from a domain, all the downstream RPs fail, and that breaks the federation," said Glazer.

Users would be locked out or left registering a username and password with each individual site they visit on the Web.

"That is opposite of what NSTIC is trying to do," says Glazer, who blogged about the issues on the Gartner blog network.

NSTIC is the nearly year-old National Strategy for Trusted Identities in Cyberspace, which just received $16.5 million in funding in the 2012 federal budget.

NSTIC, introduced in April last year, outlines the parameters for an "identity ecosystem" to be built and managed by the private sector. For example, Google, PayPal, Symantec and Equifax are already certified ID credential providers.

The program, now under the control of the Commerce Department, is not about a national ID card, but about an infrastructure to help stimulate and secure online interactions and transactions.

In addition, emerging identity technologies such as OpenID Connect and OAuth, protocols used to share authentication data on the Web and to secure API calls between domains and mobile devices, use the same protocol layer.
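The professor-and-document-service scenario above, and the OpenID Connect dependency just mentioned, can be made concrete with a small dependency model. The following is an added example, not code from the article or from Gartner: it reads the (constructed) OpenID Connect discovery metadata of two identity providers, works out every DNS name a relying party must resolve to complete a login (issuer, authorization and token endpoints, userinfo endpoint, JWKS host), and reports which relying parties lose login if a given set of domains stops resolving. All domains and RP names are invented; the discovery field names are the standard OpenID Connect ones.

```python
"""Added example (not from the article or Gartner): map which relying
parties lose login when a given domain disappears from DNS.

The federation below is constructed for illustration. The metadata keys
(issuer, jwks_uri, ...) are real OpenID Connect discovery fields; the
domains and RP names are invented.
"""
from urllib.parse import urlparse

# Constructed OpenID Connect discovery documents for two identity providers.
# Note that both publish their signing keys from the same CDN host.
DISCOVERY = {
    "https://idp.university.edu": {
        "issuer": "https://idp.university.edu",
        "authorization_endpoint": "https://idp.university.edu/authorize",
        "token_endpoint": "https://idp.university.edu/token",
        "userinfo_endpoint": "https://attrs.university.edu/userinfo",
        "jwks_uri": "https://keys.cdn-example.net/university/jwks.json",
    },
    "https://login.consumer-idp.com": {
        "issuer": "https://login.consumer-idp.com",
        "authorization_endpoint": "https://login.consumer-idp.com/oauth2/authorize",
        "token_endpoint": "https://login.consumer-idp.com/oauth2/token",
        "jwks_uri": "https://keys.cdn-example.net/consumer/jwks.json",
    },
}

# Constructed relying parties and the issuer each one trusts.
RELYING_PARTIES = {
    "docs.example-service.com": "https://idp.university.edu",
    "library.example.org": "https://idp.university.edu",
    "shop.example.net": "https://login.consumer-idp.com",
}

# Discovery fields whose URLs an RP must reach during a login.
OIDC_URL_FIELDS = ("authorization_endpoint", "token_endpoint",
                   "userinfo_endpoint", "jwks_uri")


def idp_hosts(metadata):
    """Every DNS name an RP has to resolve to finish a login against this IdP."""
    hosts = {urlparse(metadata["issuer"]).hostname}
    for field in OIDC_URL_FIELDS:
        if field in metadata:
            hosts.add(urlparse(metadata[field]).hostname)
    return hosts


def login_outcome(rp, blocked, rps=RELYING_PARTIES, discovery=DISCOVERY):
    """Simulate one federated login when the `blocked` domains do not resolve.

    Returns (True, None) on success, or (False, host) naming the first
    unresolvable host that stops the flow. The RP's own domain counts too:
    a blacked-out RP never gets to start the login.
    """
    if rp in blocked:
        return False, rp
    for host in sorted(idp_hosts(discovery[rps[rp]])):
        if host in blocked:
            return False, host
    return True, None


def blackout_impact(blocked, rps=RELYING_PARTIES, discovery=DISCOVERY):
    """Map a set of DNS-blocked domains to the RPs whose logins break.

    The result is {rp: failing_host}; an empty dict means the blackout
    touches nothing in the federation.
    """
    impact = {}
    for rp in rps:
        ok, host = login_outcome(rp, blocked, rps, discovery)
        if not ok:
            impact[rp] = host
    return impact


if __name__ == "__main__":
    for blocked in ({"idp.university.edu"}, {"keys.cdn-example.net"}):
        print(f"blackout of {sorted(blocked)} breaks: {blackout_impact(blocked)}")
```

Blocking the university's IdP host takes down both RPs that trust it, which is the cascade Glazer describes. The less obvious case is the shared key-distribution host: neither identity provider is named in such an order, yet blocking that one CDN domain breaks every relying party in both federations, because no RP can fetch the keys it needs to validate tokens. Running an inventory like this against real discovery metadata is a reasonable way for an RP or IdP operator to learn which third-party domains their logins silently depend on.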

Glazer says SOPA- or PIPA-induced blackouts will look like a service outage. "It's not a good idea to introduce service outages into law as remediation for a copyright complaint," says Glazer. "It's unclear how much due diligence there is going to be in terms of targeting these take down requests."

"Identity federation provides a convenience and agility," says Glazer. "But it also represents a relationship. If the federation is broken at the protocol level I can't represent that relationship anymore."
