Visionary Capability: Please describe in 6 to 10 sentences how you have demonstrated an understanding of and made contributions to the multi-disciplinary aspects of the Identity Ecosystem and the specific goals of the Strategy.
I have been deeply involved in NSTIC from a very early stage, having reviewed pre-drafts of the Strategy before it was released and provided significant comments to the White House team that was drafting it. Many of the suggestions from these early drafts, whether received from me or from others, have since been incorporated into the Strategy. I have also involved in workshops such as the semiannual Internet Identity Workshop for several years.
An example (from late 2009) of my thinking about identity ecosystems can be found in a presentation of mine at http://www.slideshare.net/jim_fenton/identity-systems-8537393.
Team Effectiveness: Please describe in 6 to 10 sentences how you have demonstrated an ability to work effectively within the scope of a governing board.
As a document editor in the IETF DKIM Working Group, I had the responsibility of weighing input and contributions from stakeholders, and shaping the document under consideration to match the rough consensus of the Working Group. In some cases, this consensus did not match with my personal opinion, but I was successful in representing the sense of the group nonetheless. I served in this role for two standards-track documents (RFC 4871 and 5617) and one informational document (RFC 4686).
Outreach: Please describe in 6 to 10 sentences how you have demonstrated an ability to clearly communicate the actions of a management group to subsidiary groups in order to facilitate consensus building and support the work required to achieve results.
In one of my roles at Cisco, I had the opportunity to manage teams of engineers on three continents across a wide range of time zones. Much of that effort involved the communication of Business Unit level initiatives and direction to the managers of these respective groups, and ensure that the teams function together and that they are aware of each others' activities and to build relationships among the teams.
Expertise: Please describe in 6 to 10 sentences the field of endeavor where you are recognized as an expert.
I am recognized in the area of signature-based authentication mechanisms and key management. Specifically, my work on DomainKeys Identified Mail (DKIM) involved development of a mechanism that both anticipated the ways that messages could be modified in transit and ways in which bad actors might attempt to attack that mechanism. I was also a co-author of Author Domain Signing Practices (ADSP), which attempts to strengthen the use of authentication on a legacy medium (email) by providing a means for domains to advertise their use of email signing.
I have since become more generally recognized in the area of authentication as a reviewer for NIST SP 800-63-1 and in more clearly defining the role of attributes as compared with authentication.
Commitment: Please describe how much time per month and what effort you are willing to contribute to the role.
While it is difficult at this stage to estimate the time requirements for IESG leadership participation, I am prepared to contribute approximately 40 hours per month, subject to adjustment as needed.
Breadth of Experience: Please describe in 6 to 10 sentences how you have demonstrated breadth of experience.
My career has gone in several different directions, many of which have bearing on the role of NSTIC. Early in my career, I worked in the electronic defense field, which gave me significant experience with a number of Federal agencies and international customers. Upon entering the networking industry, I became involved with security and authentication associated with remote access technologies before moving to network security mechanisms such as firewalls and intrusion detection.
My introduction to identity was through the development of a domain identity mechanism, Identified Internet Mail, which later became part of DomainKeys Identified Mail, a signature-based mechanism for verifying the provenance of email messages. This led to an interest in more general identity mechanisms, and a realization that many existing technologies (such as enterprise identity technologies) do not have the scaling and other characteristics to operate at full internet scale.
Identity Management: Please describe in 6 to 10 sentences the contributions you have made to the identity management community.
My significant involvement in identity began with the development of Identified Internet Mail and eventually DomainKeys Identified Mail (DKIM, which establishes a domain-based identity for email messages) in about 2004. Following the release of DKIM, I focused on mechanisms for determining the use of email authentication (Author Domain Signing Practices) and also more broadly on the application of identity to individuals. It became quickly apparent to me that many of the identity mechanisms used by enterprises were both too limited in scope and did not scale adequately to this task.
I have made several presentations at Internet Identity Workshops, have been a speaker and on the Program Committee for the IDTrust Workshop held annually at NIST, and provided significant input to and served as the outside reviewer for NIST's revision of "Electronic Authentication Guideline", SP 800-63-1.
Board Experience: Please describe in 6 to 10 sentences how you have demonstrated the ability to effectively lead a significant organization or organization's board.
I have served as Board Chair, as a Board member, and as Singer Council President of Schola Cantorum, a San Francisco Bay-area community choir. Schola Cantorum is a 501(c)(3) nonprofit organization. At the time of my service, Schola had approximately 120 members and an annual budget of approximately $200,000.
Jim Fenton is Chief Security Scientist at OneID, Inc. Prior to joining OneID in late 2011, Jim spent 16 years at Cisco Systems. Working as a Distinguished Engineer in Cisco’s Corporate Development Technology Group, Jim focused on issues and technologies surrounding user-centric identity and email security. He was a co-author of DomainKeys Identified Mail, an IETF standard for cryptographically signing email messages to aid in fraud detection. Jim also led initiatives in router-based security, including firewall, intrusion detection, address translation, and encryption technologies. Jim was also a key member of the team that established Cisco in the dial access market.
Prior to Cisco, Jim worked as Director of Technology for Combinet, Inc (acquired by Cisco), an early vendor of remote access bridges and routers employing ISDN technology. He previously held a variety of management and engineering positions at Watkins-Johnson Company, an electronic defense vendor.
Jim holds Bachelor of Science and Master of Science degrees from the Massachusetts Institute of Technology.
Statement: Please provide a statement so that voters can know who they are voting for and why they should support your nomination.
I am a strong believer in the need for NSTIC to support a large ecosystem comprising many identity providers, attribute providers, and relying parties. Technologies and other mechanisms that support only a few large providers are deficient in the area of user choice; it is very important that users trust their identity provider, and a large number of identity and attribute providers is needed to achieve that level of trust.
I also strongly support the vision of an identity ecosystem that supports privacy, in many cases to a greater degree than the offline world. NSTIC has an opportunity to provide both pseudonymous access to resources and to provide strong assertions of personal identity when that is legitimately needed and authorized by the user. I believe this characteristic will enable new and unanticipated uses of personal identity. Many of the characteristics of such a privacy-enhancing ecosystem are outlined in the NSTIC Strategy.
Trust is an important requirement for a successful identity ecosystem. All of the types of trust (trust by users, by relying parties, etc.) are difficult to achieve simultaneously, but principles that give users control over their information coupled with a strong accreditation framework for identity and attribute providers have the best chance of succeeding where prior efforts have failed.