Smart Card Talk : April 2011 : Executive Director’s Letter

Executive Director’s Letter

Dear members and friends of the Alliance,

The term “convergence” gets used a great deal in the smart card industry. Possibly that is due to the many commonalities that exist across the many seemingly distinct and independent markets where smart cards are becoming more and more mainstream in the United States. For example, what does a smart card that is used to securely access a cloud-based Internet service provider like a prescription drug retailer have to do with a smart card that lets me park my car in the commuter parking lot and board the bus that takes me to my job each day?

Well, in reality, these two seemingly independent applications for smart cards–as an identity token that stores a digital credential to access a cloud-based retailer and as a payment token that makes the parking gate go up and down and the green light go on when I board the commuter bus–are performing exactly the same function. Both uses are providing a trusted identifier to the systems they are connecting to and using some attribute or privilege associated with this identity to allow access to a protected entitlement–such as my prescription with the pharmacy or my prepaid or credit-secured parking and bus passes.

So why aren’t we using the same secure identifier for both services–or converging these two applications onto a single smart card token? That is exactly what some smart people in the federal government and the security and payments industry are trying to work out. If you follow the Smart Card Alliance, you have heard of the Personal Identity Verification (PIV) credential and the FIPS 201 standard that are the foundation of more than 10 million federally-issued secure IDs, including the Department of Defense (DoD) Common Access Card (CAC). Representatives from the DoD, the Washington, DC, commuter rail system (WMATA), and the DC Government are all trying to work out a convergence plan that would allow DoD personnel’s CAC cards or the DC government-issued ID cards to be used to access the parking lots, buses, and trains that make up the WMATA commuter transportation system. The key to this successful convergence around a common ID card is to get each system to recognize a common unique identifier and then use each independent service’s back-end systems to determine if the attributes that are stored in those systems and linked to that identifier can independently grant access to the DOD building, or the DC Government licensing web site, or the parking lot where it is presented. Let’s encourage these types of creative uses for smart card technology so that more systems can focus on convergence opportunities that will make it easier for consumers and less expensive for government and transportation authorities to operate their systems.

You may have heard the recent announcement of the final release of the National Strategy for Trusted Identities in Cyberspace, or NSTIC. The NSTIC program is being led by the Department of Commerce with support from the Department of Homeland Security, and is a project advocated by Obama administration since President Obama took office. The strategy document was released this month and sets a definitive course to eventually rid ourselves of insecure user names and passwords. The NSTIC is a bold example of how government can provide leadership and direction without dictating to private industry how to do it, which rarely works out well. I attended the launch meeting held at the Chamber of Commerce in Washington, DC, on April 15th. One of my colleagues, Don Thibeau of the Open Identity Exchange, aptly called the launch meeting “the Woodstock event for the identity security crowd.” Everyone who has a stake in the Internet security and e-commerce markets was present for the launch and Commerce Secretary Gary Locke, Department of Homeland Security Deputy Secretary Jane Lute, White House Cybersecurity Advisor Howard Schmidt, and the NSTIC Program Office Director Jeremy Grant, all gave enthusiastic endorsements for the plan. The NSTIC plan calls for the development of open, standards-based, interoperable, voluntary digital identity credentials that can be shared across multiple parties; these credentials would limit or reduce the proliferation of weak identifiers such as user names and knowledge-based (e.g., mother’s maiden name) passwords to access Internet services. We only hope that in the months and years ahead, the lessons learned from the years of planning and developing interoperable smart card-based identity tokens will have a prominent place in the final set of recommended solutions.

I close this month’s newsletter by reminding you that the 2011 Smart Card Alliance Annual Conference is next week, May 3-5 in Chicago. There is still time to register and attend this great meeting of the payments and identity/security markets all under one roof. The conference includes a wealth of content and wide participation from the industry–providing many opportunities for networking and education. Check out the list of attendees registered for the event on the conference web site. See you in Chicago!

Randy Vanderhoof
Executive Director