Monday, September 20, 2010

Authentication is a user-centric activity

In my view, authenticating something requires attention to two key attributes:
1. Verification that you are getting the item that you intend to authenticate from a reputable source that can represent that the item is authentic, and
2. Verification that the item has integrity, i.e., that it hasn’t changed since it was presented by the reputable source.

Consider where you go when you want assurance that you are accessing authentic government data. In the paper world, you go to a depository library (verification #1). You then get access to a copy of a document that may contain the data you are looking for, probably with the help of a document librarian. The document you get access to appears in a form (bound and denoted to be authentic, etc.) that you can trust to be authentic. Given these two validations, you, the user of government data, can conclude that the document is authentic.

There are some key points affecting the electronic world.
1. Replicas are provided; originals are not sent.
2. Replicas are always modified from the original. The digital world has accomplished this almost seamlessly – documents are rendered to adapt to your browser and environment, print-ready documents are RIPed to deliver a similar look-and-feel to the original. The term RIP is probably very telling when you look inside one of these sausage machines.
3. The challenge that we face is one of determining whether the user or receiver of the replica has sufficient information to confidently determine whether the replica is authentic.

Authentication is a user-centric activity.

The tools that the U.S. Government Printing Office (GPO) has adopted to support authentication are aimed at validation #2 – integrity. Fortunately, GPO qualifies for validation #1, as long as we maintain our reputation for being a trusted repository of official and authentic government documents. This is why we have invested in FDsys and need to continue to maintain this repository to sustain the level of trust we have earned.
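The two validations seen from the receiver's side, as an added example (not GPO's tooling and not code from this post): a replica is accepted only if the record describing it comes from a source the user already trusts and the replica's digest matches that record. The host names, the `Record` structure and the sample text are constructed, and the record is assumed to have been obtained from the repository over a channel the user trusts.

```python
import hashlib
from dataclasses import dataclass

# Assumption: the user decides in advance which repositories are reputable.
TRUSTED_SOURCES = {"repository.example.gov"}  # constructed placeholder host


@dataclass(frozen=True)
class Record:
    """What a repository states about a document it presented (hypothetical)."""
    source: str   # who represents the item as authentic
    sha256: str   # digest of the exact bytes the source presented


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def authenticate(replica: bytes, record: Record) -> tuple[bool, str]:
    """Apply both validations; return (accepted, reason)."""
    # Validation #1: the statement of authenticity must come from a trusted source.
    if record.source not in TRUSTED_SOURCES:
        return False, "source not trusted"
    # Validation #2: the replica must be unchanged since the source presented it.
    if digest(replica) != record.sha256:
        return False, "integrity check failed"
    return True, "authentic"


# Constructed sample document and records.
ORIGINAL = b"Sample notice (constructed text)\nSection 1. Short title.\n"
GOOD = Record("repository.example.gov", digest(ORIGINAL))
MIRROR = Record("mirror.example.net", digest(ORIGINAL))  # intact, unknown source

# A replica adapted for another environment: same words, different bytes.
RERENDERED = ORIGINAL.replace(b"\n", b"\r\n")
# A replica whose content was changed.
ALTERED = ORIGINAL.replace(b"Section 1", b"Section 2")

if __name__ == "__main__":
    cases = [("exact copy", ORIGINAL, GOOD),
             ("exact copy, other source", ORIGINAL, MIRROR),
             ("re-rendered copy", RERENDERED, GOOD),
             ("altered copy", ALTERED, GOOD)]
    for name, replica, record in cases:
        print(f"{name:26} -> {authenticate(replica, record)}")
```

The re-rendered copy fails the byte-level check even though its wording is untouched, which is the practical difficulty behind key point 2: an integrity check has to be applied to the form the source actually presented.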