Anil John
Making Digital Services Secure and Trustworthy

Anil John

nymwars and All your real names are belong to US

 Tweet  Share  Share  Comment  Print  Email

I've been following the nymwars with interest from both a personal and professional perspective. Check out the following to gain an appreciation of the ongoing conversation:

In recent days, I have been amused to note that there has been an attempt in some quarters to link the Google+ policy around real names to US Government initiatives such as the National Strategy for Trusted Identities in Cyberspace (NSTIC) program and/or the Federal Identity, Credential and Access Management (FICAM) program (which among other aspects is the US Government's internal implementation of the NSTIC vision).

Thought I would take a quick moment to point out support for anonymity and pseudonyms in both those programs.


"[...] will protect individuals' capacity to engage anonymously in cyberspace. Universal adoption of the FIPPs in the envisioned Identity Ecosystem will enable a variety of transactions, including anonymous, anonymous with validated attributes, pseudonymous, and uniquely identified--while providing robust privacy protections that promote usability and trust"


To understand the techno-speak, know that a credential that you have (i.e. a userid/password, one-time-password key-fob, smart card, etc) can be assigned an "assurance" level on a scale of 1 to 4. This is based on (1) the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and (2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued. This number is known as the Level of Assurance (LOA) of the credential.

For Level of Assurance (LOA) 1 credentials (userid/passwords, OpenID etc.), there is no requirement to use a real name.

For Level of Assurance (LOA) 2 credentials there is explicit support for pseudonyms: "The name associated with the Subscriber may be pseudonymous but the RA or Identity Provider shall know the actual identity of the Subscriber."

BTW, I really am not expecting to change opinions using facts, but thought I would throw the pointers out there for folks who do want to fact-check on their own.

Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!

I will never share, rent, or sell your information to anyone. Cancel anytime.

This blog post first appeared on Anil John | Blog ( The opinions expressed here are my own and do not represent my employer’s view in any way.

By on |

Continue The Conversation ...

I would love to know your thoughts on this blog post. Please leave a comment below!

I am a digital security coach. I help technical leaders make digital services secure and trustworthy. Learn more »

Free Updates

I will never share, rent, or sell your information to anyone