
Re: Fullmoon post# 196639

Wednesday, 08/04/2010 3:35:45 PM


Post# of 249195
This seems like it was written for Wave!: http://www.nist.gov/itl/csd/upload/Cybersecurity_NOI_0722101.pdf

4. Authentication/Identity (ID) Management
In our listening sessions, several stakeholders urged the Task Force to promote more widespread uptake of state-of-the-art authentication and ID management systems to reduce the incidents of successful cyber intrusions and attacks. Effective authentication and authorization systems establish a user’s right to access resources. Many users currently rely on simple password systems for authentication. More sophisticated systems require multiple factors in the authentication process, for example, something the user knows, plus something that the user possesses (e.g., a physical credential or token).

The Department seeks comment on the effectiveness of current identity management systems in addressing cybersecurity risks.
On June 25, 2010, the White House released the National Strategy for Trusted Identities in Cyberspace for public comment. This strategy promotes a set of options for enhancing on-line security and privacy so that individuals and organizations use trusted, interoperable identity solutions in a manner that promotes confidence, privacy, choice, and innovation to experience efficient and secure access to on line services.
Beyond the measures recommended in the National Strategy for Trusted Identities in Cyberspace, what, if any, federal government support is needed to improve authentication/identity management controls, mechanisms, and supporting infrastructures? Do the authentication and/or identity management controls employed by commercial organizations or business sectors, in general, provide adequate assurance? If not, what improvements are needed? What specific controls and mechanisms should be implemented? What role should authentication and identity management controls play in a comprehensive set of cybersecurity measures available to commercial organizations? Are the basic infrastructures that underlie the recommended controls and mechanisms already in place? What, if any, new tools or technologies for authentication or identity management are available or are being developed that may address these needs?
How can the expense associated with improved authentication/identity management controls and mechanisms be justified financially? How can the U.S. Government best support improvement of authentication/identity management controls, mechanisms, and supporting infrastructures? Is there a continuing need for limited revelation identity systems, or even anonymous identity processes and credentials? If so, what would be the potential benefits of wide-scale adoption of limited revelation identity systems or anonymous credentialing from a cybersecurity perspective? What would be the drawbacks?
How might government procurement activities best promote development of a market for more effective authentication tools for use by government agencies and commercial entities? Could a private marketplace for “identity brokers” (i.e., organizations that can be trusted to establish identity databases and issue identity credentials adequate for authorizing financial transactions and accessing private sector components of critical infrastructures) fulfill this need effectively? What would be some of the issues or potential impacts of establishing standards and best practices for private sector identity brokers? Should the government establish a program to support the development of technical standards, metrology, test beds, and conformance criteria to take into account user concerns such as how to: (1) Improve interoperability; (2) strengthen authentication methods; (3) improve privacy protection through authentication and security protocols; and (4) improve the usability of identity management systems? What are the privacy issues raised by identity management systems and how should those issues be addressed? Are there particular privacy and civil liberties questions raised by government involvement in identity management system design and/or operations? What other considerations should factor into government’s efforts in this area?
