Posted by Kevin on May 21, 2015.
The basis of all information security is the protection of confidential information from unauthorised access. This requires the ability to differentiate between authorised and unauthorised subjects.
For years passwords have done this. A unique password issued to the authorised subject has assured that only that authorised subject is granted access. But passwords are no longer enough. The nature of the internet has changed. It no longer simply holds information but has become a vehicle for conducting financial transactions.
Simply owning a password proves only that someone or something has the password – it does not prove the identity of the subject who holds the password. With financial and other high value transactions now being done over the internet we need to be able to prove the identity of the subject seeking access (not simply that he or she has found, guessed or stolen someone else’s password). The future of the internet now rests on developing a foolproof and acceptable method of proving identity – and a solution remains elusive and fragmented.
One major problem in developing a universally accepted system for identity management is that most current development is based on furthering vested interests rather than solving a user problem. Thus
(Incidentally, the UK’s Verify approach is an abomination that needs and deserves to be consigned to the dust-heap of history as soon as possible. It must be rejected by the people. The government will try to force its adoption by making certain bureaucratic functions – tax, licenses, rebates, e-voting, benefits – available only via Verify. This must be resisted.)
It is against this background that the Jericho Forum started to investigate the identity problem. From this investigation has emerged the Global Identity Forum (GIF), founded by one of the co-founders of Jericho (Paul Simmonds), and also a not for profit organization. The proposed solution is known as Identity 3.0.
People want privacy. In our daily lives we are only required to provide the minimum personal information necessary to allow a particular process; and that’s the way we like it. So if we wish to buy alcohol and need to prove we are old enough, we don’t wish or need to supply our home address or telephone number. In fact, we don’t even wish to provide our date of birth – only that we are ‘old enough’. In this instance, ‘old enough’ is a persona that we offer and is accepted by the purveyor. In fact it is a derived persona, derived from our actual birth date persona.
A privacy-protecting digital identity system should behave similarly – only asserting, providing and confirming the minimum personal information necessary for the transaction in hand.
In the real world we operate with multiple personas for different transactions. If challenged, we will need to prove those personas (through presentation of a driver’s licence, audited accounts, utility bill, passport or the minimum of whatever is necessary). And we must go through that process time and time again.
In the real world, proof of those personas comes from different authorities. The proof of our age comes from government via a driver’s license or passport; our address comes from the Post Office via delivery of ‘official’ mail. It is those root authorities that should attest only those personas they are able to universally affirm.
It works (very basically) like this. The entity (we’re talking about people, but the principles hold good for devices, processes and entire organizations) owns a unique cryptographic key – the ‘core identity’. This is the person, the root ‘ME’. Whenever ME requires an additional persona for a specific purpose I will obtain one from the relevant authority for those attributes of me the person. I will have to go through the physical process of proving that I am ME – but only once for each persona: the authority will generate a cryptographic attestation that ME owns those attributes of that persona based on and therefore tied to the public key of ME. This cryptographic proof is tied one way only to the root cryptographic ME. This ensures that the authority proving my age cannot determine my address in the process.
It also, incidentally, means that if any single persona gets compromised, that persona cannot be linked to other personas or back to ME.
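A sketch of the one-way persona derivation and attestation described above, added here as an illustration and not taken from the Identity 3.0 design or the GIF whitepaper. It assumes HMAC-SHA256 to derive each persona key from the core secret and toy-sized Schnorr signatures (integers mod 2**255 - 19, demo strength only) so that it runs on the Python standard library alone; the persona labels, the `over_18` claim and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy Schnorr parameters (assumption, demo strength only, not for real use).
P = 2**255 - 19
Q, G = P - 1, 2          # exponents are reduced mod P - 1

def _b(n):
    return n.to_bytes(32, "big")
def _h(*parts):
    d = hashlib.sha256()
    for part in parts:   # length-prefix so fields cannot run together
        d.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(d.digest(), "big") % Q

def public_key(x):
    return pow(G, x, P)

def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1          # fresh nonce per signature
    r = pow(G, k, P)
    return r, (k + _h(_b(r), msg) * x) % Q

def verify(y, msg, sig):
    r, s = sig
    return pow(G, s, P) == (r * pow(y, _h(_b(r), msg), P)) % P

def persona_secret(root, label):
    """One-way: the HMAC output reveals neither the root nor sibling personas."""
    mac = hmac.new(root, label.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % Q

def attest(authority_x, persona_pub, claim):
    """Authority signs (persona key, claim); it never sees the root key."""
    return sign(authority_x, _b(persona_pub) + claim.encode())

def vendor_accepts(authority_pub, persona_pub, claim, att, challenge, resp):
    """Check the attestation, then proof of possession of the persona key."""
    return (verify(authority_pub, _b(persona_pub) + claim.encode(), att)
            and verify(persona_pub, challenge, resp))

def demo():
    root = secrets.token_bytes(32)            # constructed core identity "ME"
    gov_x = secrets.randbelow(Q - 1) + 1      # hypothetical age authority key
    age_x, addr_x = persona_secret(root, "age"), persona_secret(root, "address")
    att = attest(gov_x, public_key(age_x), "over_18")
    nonce = secrets.token_bytes(16)           # vendor challenge, stops replay
    def present(x):                           # show att under persona key x
        return vendor_accepts(public_key(gov_x), public_key(x), "over_18", att, nonce, sign(x, nonce))
    return present(age_x), present(addr_x)    # (True, False)
```

The vendor sees only the age persona's public key and the single claim; the attestation fails when presented under the address persona because it is bound to one persona key.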
By associating the different personas I eventually have a combination that shows not only that I am who I say I am, but also that I am what I say I am (such as old enough, resident at a certain address, credit-worthy, etcetera). This can then be used as required. If I’m buying something, the vendor needs to store none of my personal details beyond an account number.
This image, taken from the GIF whitepaper Global Identity: Challenges, pitfalls and solutions, shows how different personas can be combined to provide the identity verification necessary for different purposes.
The way forward
So, in summary, the Global Identity Foundation is proposing a cryptographically sound identity system using
When President Obama launched the US National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative he said that the solution must be privacy-enhancing and voluntary. Verify, incidentally, is neither. But the Global Identity Foundation takes both – and more – to a different level. It is exactly what people would want if they knew it was available.
And what about business? No more identity provisioning. No more password resets. No more costly temporary identities for visitors and contractors. Users will bring their own trusted identities with them.
But it won’t be easy to get it in place. For this reason the GIF has this week launched an appeal for industry and academic support.
The GIF is actively looking for vendors, academics and security experts to contribute to the continued development of Identity 3.0 as research sponsors and partners. In the first project phase, the GIF will define practical use scenarios, future directions for development, and run pilot projects to determine the viability for a global deployment of the solution.
If you are in any position to help this project, I implore you to do so. Take personal identity out of the hands of governments and hackers, and give it back to the people: