eAuthentication Forum Notes

November 21, 2002

Owen Ambur, U.S. Fish & Wildlife Service

The forum was hosted by GSA with several hundred participants in the audience. The E-Authentication site is at http://www.cio.gov/eauthentication/ and the presentations from the forum are at http://www.cio.gov/eauthentication/presentations.htm Links to 17 vendors who sponsored the forum are also provided there. Here are the key points that I noted.

Jeanette Thornton, e-Authentication Portfolio Manager, OMB



          eGov is the linchpin for all five of the President’s Management Agenda initiatives

          Uncle Sam has 33 million Web pages

          Under the Paperwork Reduction Act (PRA) and Government Paperwork Elimination Act (GPEA), we are reengineering how government conducts business

          Uncle Sam conducts about 5,600 different kinds of transactions

          With respect to the four eGov portfolios, the objectives include:

                      G2C – Improve cycle time

                      G2B – Use XML & streamline

                      G2G – Vertical as well as horizontal integration of data

                      IEE – Streamline & integrate (e.g., eTravel, payroll, recruitment)

          eGov successes thus far include:


                      gov benefits portal (150 programs)

                      EZTax filing


          eGrants will be coming out with some new things soon

          Most eGov applications require eAuthentication

Steve Timchak, e-Authentication Program Manager, GSA

e-Authentication: Where We Are, How We Arrived



          President’s Management Agenda calls for citizen-centered services

          President has personally inquired about status of eGov initiative

          Goals of e-Auth include:

                      Enable mutual trust

                      Minimize burden on public when obtaining services across all levels of gov (single sign on)

                      Common, interoperable authentication services

          DoEd has already issued 20,000 credentials for students

          Gateway simplifies & unifies interoperability

          e-Auth is not PKI only; is a broad array of credentials

          The Gateway:

                      Is NOT

                        -          An issuer of credentials or repository of personal information

                        -          The Federal PKI bridge authority

                        -          eSecurity, which will be determined by each application for itself

                      IS a validation service

          Funding was only received in May 2002 but have accomplished a lot:

                      Collaborative effort with many agencies

                      MitreTek Lab is testing state of the art technology

                      Conducted facilitated meetings with 6 of the eGov projects; will do the rest soon

          The National Finance Center considered e-Auth in the Time & Attendance application to be a competitive advantage for them in the competition for Governmentwide payroll services

          The production gateway will be operational by September 30, 2003

          In meantime, the prototype will be maintained in the lab

          54 responses to the request for information (RFI) were received

                      Want industry to solve the problem for us

          Electronic authentication is currently:

                      Focused on the enterprise rather than interenterprise

                      Centrally managed rather than distributed

          Industry is moving toward Security Assurance Markup Language (SAML)

                      We will not consider proprietary solutions

[Note: The XML Working Group was briefed on SAML in December 2001 and will receive an update at our December 17, 2002, meeting. http://xml.gov/agenda/20021217.htm]

          The Federal Government has applied to join the Liberty Alliance

[Note: The Liberty Alliance was unable to present at the December 2001 meeting of the XML Working Group, but I arranged for them to brief the CIO Council’s Architecture and Infrastructure Committee (AIC). Their Web site is at http://www.projectliberty.org/]

          The e-Authentication gateway will provide service to the 24 eGov projects but also others

                      Come to us with requests

                      Other applications include homeland security and pay.gov

David Temoshok, Director, Identity Policy/Management, GSA


          ACES was intended to issue trusted credentials

                      Previously nothing was available to enable compliance with GPEA

                      Two dozen or more agencies using

                      But have not seen large-scale implementation

          e-Auth is not just a PKI solution

                      Want to leverage other credentials too, e.g., user IDs & passwords

                      But must be able to assess the quality of the credentials

          Scope is not just 24 eGov projects but all of government and perhaps beyond

                      States are very interested

                      Exploring interest in commercial sector too

          Working with Industry Advisory Council (IAC) on three focus issues:

                      Business rules – reliability & liability

                      Business case – need to understand

                      Insight into potential credential providers – obtain feedback from

          While principal target is Federal requirements, want to understand non-federal requirements and add value in the private sector as well

Jeanette Thornton, OMB

Determining Authentication Levels



          e-Auth policy will be issued soon by OMB

                      Can be used by agencies & by industry too, not just by e-Auth project

                      Draft will be issued for 30-60 days of public review & comment

          Needs include:

                      Consistency across government

                      Framework for future guidance on:

                        -          E-credential providers

                        -          Credentialing

                        -          Technology solutions

          Goals include:

                      Allow policymakers & process stewards to select levels of authentication

                      Establish authentication levels based upon need for certainty

          Proposed process steps include:

                      Identify business processes that require authentication

                      Assess the risk

                      Identify suitable technology solutions, using NIST guidance, etc.

[Note: The new eGov Act requires NIST to establish minimum requirements for information security. http://xml.gov/draft/eGovXML.htm]

          OMB is watching the privacy issues

          Emphatic yes to question about coordination with the Federal Enterprise Architecture, particularly the Component-Based Architecture

David Temoshok, GSA



                      Is not authorization (i.e., rights, permissions, or priviledges)

                      Is just verification of ID

          Our interests in the Liberty Alliance include:

                      How can we use the specification for the gateway & agency applications

                      Mediation of business rules through the gateway

          The gateway will be funded with appropriated dollars and/or in partnership with industry

          The level of authentication will map to the requirements of the application and the gateway will do that

Roopangi Kadakia, Director of Systems, Security & New Technology, GSA

Getting an Application on the Gateway



          FirstGov is expanding to become a transaction-based portal

                      Becoming front door to Federal Government

                      Goal is to enable citizens to interact more easily with government

          The integrated future of the Office of Citizen Services includes:

                      Shared-service infrastructure

                        -          Contact center

                        -          Content management

                        -          Knowledge management

                        -          etc.

          Phase I, e-Auth & FirstGov, includes:

                      Risk assessment for interoperability


                      Links to all applications using e-Auth gateway

                      Guidance on how to be authenticated

          Phase II will address:


                      Evaluation of options, e.g., strong Customer Relationship Management (CRM)

                      Opt-in strategy so that citizens aren’t forced to go through gateway to get info

          Cited USA Services in response to a question on the authorization (as opposed to authentication) component

David Tomoshok interjected that convenience for citizens will require data covered by the Privacy Act, and GSA wants to proceed slowly and cautiously in that regard. A followup questioner noted that most commercial applications combine authentication with authorization. David responded that the gateway envisions distributed authorization so as to proceed quickly with authentication. That will require agency applications to control authorizations, but in the future agencies may request for the gateway to address roles and privileges.

Mark Liegey, National Finance Center, USDA

e-Authentication Initiative



          Need to understand the applications that are out there – not just eGov apps but all authentication requirements

          User IDs & passwords are expensive to maintain & can be cumbersome for users

          Can existing credentials be reused?

                      If not, ensure that new ones can be

          Vision: One UID & map appropriate credentials to applications

          Don’t have to be an eGov initiative to use e-Auth

                      If have authentication requirement, let us know

          Share knowledge

                      Help each other avoid mistakes already made

          e-Auth will work with agency applications to:

                      Determine appropriate authentication levels

                        -          Conduct e-Auth Risk Analysis (E-RA)

                      Link appropriate credentials to apps

          Can also help to determine how to maintain user authorization, access control, and privilege management for protected resources

          Can enter agreement with e-Auth gateway and activate link on FirstGov

Rich Corelli, Software Engineering Institute

e-Authorization Risk Analysis



          E-RA approach:

                      Risk-based requirements definition

                      Uses transactions as primary driver (i.e., protection of data)

                        -          Map transactions to e-Auth levels

          Risks are context driven

          Have already worked with four eGov projects:



                      Business Compliance One-Stop

                      Gov benefits

          Have initiated contact with:

                      Integrated acquisition


          Many folks don’t think they need e-Auth but we challenge them to look at the data set

          Application risks can be assessed in about six hours in a facilitated workshop

Tice de Young, NASA


          Trying to reach beyond the 24 eGov projects

          Hired Mitretek to give unbiased advice

Monette Respress, Principle Engineer, Mitretek Systems, Inc.

e-Authentication Gateway



          Conducted rapid prototyping

                      Using whatever was available

          Technical side is easier than policy side

          Looking for open standards, e.g., SAML, LDAP, etc.

          Demo’ed System for Time & Attendance Reporting (STAR)

          Current intent is to include no privacy data in gateway

                      But for prototype had to work with what was available

Judith Spencer, Chair, Federal PKI Steering Committee

The Need for Trustworthy Credentials



          Four levels of trust

                      No confidence

                      Balance of probabilities

                      Substantial assurance (evidence)

                      Beyond reasonable doubt

          Five types of evidence

                      Personal statement

                      Documentary evidence

                      Third-party corroboration


                      Existing relationships

          Someone suggested sixth type – reputation

[Note: In terms of eCommerce, all of these types actually involve comparing E-records provided at the time of the transaction to another set that is already available and, hopefully, which has the attributes set forth in ISO 15489, the international standard for records management.]

          There is no such thing as “Security”!

                      There are risks & there are countermeasures

[Neither is there any such thing as a “trusted network” – only records of varying degrees of quality. http://xml.gov/documents/completed/eRegCOP/sld005.htm]

          Should adopt the minimum degree of e-Auth assurance that meets your requirements

                      Higher assurance entails higher costs

[That is questionable – since lower levels of assurance inevitably lead to waste, fraud, abuse and, in extreme circumstances like 9/11, catastrophe! Low levels of assurance may no longer be as “affordable” as they were in the past. Moreover, distributing the costs of certainty among stovepipe applications does not eliminate or even reduce those costs. It merely hides them, thereby resulting in “tragedy of the commons.” http://members.aol.com/trajcom/private/trajcom.htm It is anything but citizen-centered. Nor is it consistent with the intent of the FEA. http://www.feapmo.gov/fea.htm]

David Temoshok, GSA

The Intersection of the Gateway and ECPs



          In past applications agencies haven’t taken citizen-centered approach

          Need balance of centralized and distributed management

          Half of the respondents to the RFI said don’t know how can separate authentication from authorization

                      May need to provide more in the gateway, i.e., roles and privileges

          Most responses to RFI suggested federated approach, e.g., the Liberty Alliance

          Technical aspects are important but so too are the policies (business rules)

                      Need to normalize business rules across communities of interest

                      Discussing with Liberty Alliance & IAC

          Federal PKI bridge entails more than 180 requirements

          Need classification scheme for different degrees of trust

          Transactions in the e-Auth gateway are yes or no

                      The credentials are valid or not

          Estimated that 20% of State-issued credentials are fraudulent

          Sign on to internal agency network will probably not be covered

                      But intent is to provide single sign on across agencies

In the concluding Q&A, Steve Timchak said the 300 Exhibit identifies two potential ways to fund the gateway: 1) pass the hat, or 2) dedicated appropriated funds. When asked if agencies have requested funding for their shares of the cost, he said such funds have been requested for the five eGov projects that GSA manages. In response to a question about an authorization component, David Temoshok reiterated that the gateway will not address ID management or authorization management, but that doing so is part of the Federal Enterprise Architecture initiative. Finally, regarding nonrepudiation, David indicated the responsibility lies with the agency application (relying party) to record and maintain the necessary data for nonrepudiation, as well as for validation of digital signatures if PKI is used.

[In other words, there’s no such thing as a free lunch when it comes to the need to create and maintain the appropriate business-quality records to support our business processes. However, hopefully, at some point, as required by the new eGov Act, NIST, NARA, GSA and OMB will provide sufficient guidance and tools to save us all from having to reinvent the wheel in that regard. http://xml.gov/documents/completed/eGovXML.htm]