Identity Assurance – a matter of Principle & Accountability?

It looks like the government has Big Brother Watch to thank for enabling it to meet it’s 2020 commitment to take a policy-based approach to digital identity.1 Published versions of the UK Digital Identity and Attributes Trust Framework (DIATF) have not defined the principles that would underpin such an approach, so it is refreshing to see that BBW has tried to rectify this omission. Their briefing has been taken on as the basis for the following government amendment to the Data Protection and Digital Identity Bill (DPDI), which is currently in the House of Lords.

Originally proposed by the Privacy and Community Advisory Group (PCAG) in 2014, the nine Identity Assurance Principles are

  • User control
  • Transparency
  • Multiplicity
  • Data minimisation
  • Data quality
  • Service user access & portability
  • Certification
  • Dispute resolution
  • Exceptional cirtcumstances

In November 2023 the PCAG, having met regularly for ten years, was closed and merged with the Privacy and Inclusion Advisory Forum, becoming the One Login Inclusion and Privacy Advisory Group (OLIPAG).

The focus of this new group is solely on the government’s own digital identity scheme – GOV.UK One Login. OLIPAG does not have a remit to assess inclusion and privacy across the ecosystem of digital identity schemes and services that will inevitably develop under the Digital Verification Services (DVS) Trust Framework.

It is also worth noting that GOV.UK One Login is only one of a plethora of schemes that will exist in five years time and citizens may not consider it the most important, as they seek to use their digital identity in all aspects of their daily lives.

The DVS Trust Framework will be the primary governance framework for regulating the UK’s digital identity ecosystem but it’s important that citizens understand that governance is but one element of control designed to provide them with confidence that their identities are secure within the ecosystem. Other elements of control include the proposed trustmark, use of recognized international standards, zero trust policies, implementation of approved technical, cryptographic and biometric standards, fraud monitoring and management, together with cyber security and risk management controls. Evidence that service providers operating under the framework have implemented all these controls will establish that the Identity Assurance Principles are being applied.

Who is going to assess whether the IA Principles are being applied and provide assurance to citizens?

My suggestion is that a new independent supervisory body is established to report on the application of the Identity Assurance Principles across the whole trust framework; an OLIPAG with a remit for the whole ecosystem. This is not a role that can be provided by the proposed interim Office of Digital Identity and Attributes as it’s primary responsibility is likely to be the delivery and management of the trust framework itself. A permanent OFDIA would not be sufficiently independent to hold service providers to account for the application of these principles.

This new organisation would be the Digital Identity equivalent of the Joint Money Laundering Steering Group (JMLSG); lets call it the Identity Assurance Steering Group (IASG). The role of the IASG would be to assist those in the digital identity ecosystem by:

  • providing guidance that enables them to comply with their obligations under the DVS Trust Framework;
  • independently reporting on how members of the digital identity ecosystem are implementing the Identity Assurance principles; and
  • undertaking independent risk assessments of specific use cases that are governed by the DVSTF.

Identity Assurance embraces the whole of the UK’s proposed digital identity ecosystem because it’s all about providing an appropriate level of confidence in that ecosystem to all stakeholders. Ultimately, though, it is the UK public that has most to gain from the digital identity ecosystem but only if they have sufficient confidence to trust their identities to the new system.

More about the importance of Identity Assurance in a future blog!

  1. 2020 government response to Call for Evidence on Digital Identity stated that they would follow a principle-based approach to develop a legal framework to remove regulatory barriers to the use of secure digital identities and establish safeguards for citizens. Those principles were identified in the response as privacy, transparency, inclusivity, interoperability, proportionality and good governance. ↩︎

The protocols underpinning GAIN

Open Banking

The foundations for the remarkable global success of Open Banking over the past 5 years were laid by the creation and implementation of a set of internationally-agreed standards, interoperable protocols and financial-grade APIs. Open Banking enables Business-to-Customer relationships that allow authorised third party applications and services to securely access and process personal financial information maintained by the customer’s bank or other financial institution.

Development of these foundational building blocks has not stopped and the OpenID Foundation, with others, are forging ahead with a number of initiatives to enhance interoperability between global financial institutions. As a major player in GAIN, OIDF will be closely involved in the 2022 Proof of Concept, which is intended to demonstrate that these interoperability enhancements provide an effective, secure and global identity layer for the Internet.

Below is an illustration of how the OpenID Connect suite is underpinned by a range of protocols that together provide a stable and resilient security foundation.

OpenID Connect Protocol Suite, source OID.net

The following tables provide more detailed information about the specifications, standards, protocols and APIs that enable OpenID Connect and will provide enhanced interoperability within the GAIN ecosystem.

  1. Those standards and protocols that provide a secure and resilient underpinning for OIDC;
  2. Those specifications that deliver the complete OIDC capability; and
  3. Those specifications, protocols and APIs than improve interoperability.

Protocol

Developed by

Purpose

OAuth allows a User to grant access to their private resources on one site (which is called the Service Provider), to another site (called Consumer). While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your resources without sharing your identity at all (or its secret parts).

JSON (JavaScript Object Notation) is an open standard file format and data interchange format that uses human-readable text to store and transmit data objects. Derived from JavaScript, it is a common language-independent data format with diverse uses in electronic data interchange, including that of web applications with servers.

JSON Web Tokens (JWT) is a compact claims representation format intended for space constrained environments such as HTTP Authorization headers and URI query parameters. JWTs encode claims to be transmitted as a JSON object that is used as the payload of a JWS structure or as the plaintext of a JWE structure, enabling claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

JSON Web Signature (JWS) represents content secured with digital signatures or MACs using JSON based data structures that are encoded using base64url encoding.

JSON Web Encryption (JWE) represents encrypted content using JSON based data structures and provides cryptographic mechanisms that encrypt and provide integrity protection for an arbitrary sequence of octets.

A JSON Web Key (JWK) is a JSON data structure that represents a cryptographic key. This specification also defines a JSON Web Key Set (JWK Set), a JSON data structure that represents a set of JWKs.

 JSON Web Algorithms (JWA) registers a range of cryptographic algorithms and identifiers to be used with the JWS, JWE, and JWK specifications, including SHA-256/512, ECDSA & HMAC, as defined in NIST & FIPS documentation.

The WebFinger protocol is used to discover information about people or other entities on the Internet that are identified by a Uniform Resource Identifier using standard HTTP methods over a secure transport. A WebFinger resource returns a JSON object describing the entity that is queried, which is referred to as the JSON Resource Descriptor (JRD).

Table 1: Protocols that underpin OpenID Connect

Specification

Developed by

Purpose

OIDC Core

(Minimal implementation)


OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

Core OIDC functionality is authentication built on top of OAuth's authorisation and the use of Claims to communicate information about the End-User and the security and privacy considerations for using OIDC.

OIDC Core is the minimal implementation for certification; there are optional add-ons (below), depending on the use case.

OIDC Discovery (Optional)

This specification defines a mechanism for an OIDC Relying Party to discover the End-User's OID Provider (OP) and obtain information needed to interact with it, including its OAuth 2.0 endpoint locations.

In order for an OIDC Relying Party to utilize OIDC services for an End-User, the RP needs to know where the OID Provider is. OIDC uses WebFinger to locate the OID Provider for an End-User.

Once the OpenID Provider has been identified, the configuration information for that OP is retrieved as a JSON document, including its OAuth 2.0 endpoint locations.

In order for an OID Relying Party to utilize OIDC services for an End-User, the RP needs to register with the OID Provider (OP) to provide the OP information about itself and to obtain information needed to use it, including an OAuth 2.0 Client ID. This specification describes how an RP can register with an OP, and how registration information for the RP can be retrieved.

This specification complements the OIDC Core by defining how to monitor the End-User's login status at the OID Provider (OP) on an ongoing basis so that the Relying Party (RP) can log out an End-User who has logged out of the OP.

Both this specification and the OIDC Front-Channel Logout use front-channel communication, which communicate logout requests from the OP to RPs via the User Agent. In contrast, the OIDC Back-Channel Logout uses direct back-channel communication between the OP and RPs being logged out. The OIDC RP-Initiated Logout complements these specifications by defining a mechanism for a RP to request that an OP log out the End-User. 

This specification defines the Form Post Response Mode. In this mode, Authorization Response parameters are encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client, with the result parameters being encoded in the body using the application/x-www-form-urlencoded format.

Table 2: Listing of relevant OIDC specifications

Specification

Status

Developed by

Purpose

Financial-grade API 1.0

Published

Based on OAuth 2.0 and OpenID Connect suite of standards, but with less optionality and the requirement to use modern security best practices. Exhaustive conformance tests to allow implementers to ensure their software is secure and interoperable


Part 1: Baseline Security Profile

Part 2: Advanced Security Profile 

Financial-grade API 2.0

Implementer's draft

With a broader scope than v1.0 FAPI 2.0 aims for complete interoperability at the interface between client and authorization server as well as interoperable security mechanisms at the interface between client and resource server. It also has a more clearly defined attacker model to aid formal analysis, includes Baseline Security ProfileAttacker Model. Additional work by this WG includes FAPI2.0: Advanced Security Profile, Grant Management for OAuth 2.0 & Simple HTTP Message Integrity Protocol.

Implementer's draft

The iGov Working Group is developing a security and privacy profile of the OpenID Connect specifications that allow users to authenticate and share consented attribute information with public sector services across the globe. The resulting profile will enable standardized integration with public sector relying parties in multiple jurisdictions. The profile will be applicable to, but not exclusively targeted at, identity broker-based implementations.

Implementers draft

The eKYC and Identity Assurance (eKYC & IDA) WG is developing extensions to OIDC that will standardise the communication of assured identity information, i.e. verified claims and information about how the verification was done and how the respective claims are maintained.

The specification also defines flexible data schemas for request and response as well as communicating information relating to the assured identity data including:

  -  Which data are required
  -  How identity was verified
  -  Which entity performed the ID verification
  -  What evidence was presented
  -  When identity was verified
Planning is underway to add support for conditional claims and support for legal entity and delegated authority use cases. A major element of the WG's work is the development of interoperability between existing assurtance standards, such as NIST SP800-63-3, GPG45 and eIDAS.


Implementer's draft

MODRNA Authentication Profile 1.0 allows RPs to use high quality authentication methods, which can be provided by Mobile Network Operators (MNO). However a RP must be able to describe its demands for an authentication request and it must be able to do this in an interoperable way.

The Profile will specify how RP's request a certain level of assurance for the authentication. Additionally, it will specify an encrypted login hint token to allow for the transport of user identifiers to the OP in a privacy preserving fashion.

MODRNA will support GSMA technical development of Mobile Connect and enable Mobile Network Operators (MNOs) to become Identity Providers.

Implementer's draft

This specification extends OIDC with the concept of a Self-Issued OpenID Provider (Self-Issued OP), an OP which is within the End-User's local control. End-Users can leverage Self-Issued OPs to authenticate themselves and present claims directly to the RPs. This allows users to interact with RPs directly, without relying on third-party providers or requiring the End-User to operate their own hosted OP infrastructure.

Implementer's draft

This specification extends OIDC with support for presentation of claims via W3C Verifiable Credentials. This allows existing OpenID Connect RPs to extend their reach towards claims sources asserting claims in this format. It also allows new applications built using Verifiable Credentials to utilize OpenID Connect as integration and interoperability layer towards credential holders.

Verifiable Presentations are used to present claims along with cryptographic proofs of the link between presenter and subject of the verifiable credentials it contains.

Table 3: OIDC specifications in development

With its huge ‘install base’, OIDC is already used by millions of websites for user authorisation & authentication at the “front door”. Indeed, while a vanishingly small portion of internet users have ever heard of OIDC, it is the nuts and bolts of the most universal and familiar user flow of the contemporary commercial web, including online banking and government services.

The latest development of OIDC– Self Issued OIDC Provider, enables greater integration between OIDC and the W3C DID standard and seeks to address the problem of achieving critical mass in 3 areas – users/holders, IDPs/Issuers and RPs/Verifiers.

The vision of DID-SIOP is a way of bringing decentralised identity concepts into alignment with the ideas of “self-issued” portable identity that the original OpenID innovators had. 

So, what has Decentralised Identity go to do with GAIN?

In order to answer that question we need to look a little more deeply at the various terms that make up the definition of Decentralized Identity.

A globally unique persistent identifier that does not require a centralized registration authority and is often generated and/or registered cryptographically.

“Globally” 

The GAIN proposal seeks to create a global community of trusted Identity Providers that will work together to implement an comprehensive identity overlay to the Internet. By founding the GAIN identity community on the existing global finance and payments ecosystem a solid and reliable basis for identity validation and verification is established.

Given that banks and international financial institutions have global reach, already operate a secure system (international payments) and are required to comply with worldwide Anti Money Laundering legislation, it is clear that they already possess many of the required building blocks for an interoperable international identity ecosystem.

As it expands, GAIN will increase decentralization by recruiting other international and national organisations that currently have a role as Identity Providers – internet, mobile and health service providers, universities, professional bodies, employers of all sorts and online shopping, to mention just a few. Last but not least, GAIN’s security profile is capable of providing sufficient assurance to enable governmental service providers to join, should they so wish.

“Unique” 

In our daily life we are completely dependent on unique identifiers in a variety of different contexts – telephone numbers, email addresses, passport numbers, National Insurance Number, driving licence number, employee number, product serial numbers, web page locators, username and password etc. Each of these identifiers needs to be unique within its’ own context so that, for example, my phone number cannot be allocated to anyone else but the same digits in the same order could actually be the serial number for a piece of equipment I own.

Currently, all identifiers are issued by ‘someone else’ and none are currently under my control; the identifiers can expire, be revoked or compromised, as was the case of my username and password being made available toscammersfollowingthe2012 security breach at LinkedIn.

The use of existing standards, protocols and APIs alongside improvements in encryption techniques now means it is possible to cryptographically prove the ‘uniqueness’ and ‘ownership’ of an identifier.

“Persistent identifier” 

A decentralized identifier not only needs to be valid and available throughout an individual’s lifespan, but it also needs to remain valid and resolvable after their death.

In many ways this is similar to the current banking requirement for account and transaction audit, however, in the future, a similar level of audit will be required for livestock, land, companies, devices and web resources, in fact anything else that needs to be identifiable long after death, upgrade or replacement.

“Does not require a centralized registration authority” 

Following the success of corporate Single Sign On, federated identity started to catch on in the consumer Internet, where it led to the introduction of ‘social’ login buttons on consumer-facing websites, such as those below.

Source: Self-Sovereign Identity 2021 

Each of these service providers was, effectively, operating as self-appointed Identity Providers with the capability of verifying the identities of individual account holders. For a number of reasons ‘social’ logins have, perhaps fortunately, failed to provide the Internet’s missing identity layer:

  • There isn’t one IDP that works with all sites, services, and apps, so users need accounts with multiple IDPs.
  • Because they need to serve so many different sites, IDPs must employ “lowest common denominator” security and privacy policies.
  • Many users—and many sites—are uncomfortable with having a “man in the middle” of all their relationships that is capable of correlating a user’s login activity across multiple sites.
  • Large IDPs represent some of the biggest honeypots for cybercrime.
  • IDP accounts are no more portable than centralized identity accounts. If you leave an IDP like Google, Facebook or Twitter, all those account logins are lost.
  • Lastly, due to security and privacy concerns, IDPs are not in a position to help us securely share some of our most valuable personal data, e.g., passports, government identifiers, health data, financial data, etc.

“Generated and/or registered cryptographically.” 

The DID standard requires the identifier be capable of cryptographically authenticating the DID Controller, who may well be, but not necessarily is, the subject of the DID. Cryptographic authentication enables an identity holder to prove who they are by demonstrating they have control of the private key bound to the identifier. Such a requirement is fulfilled by the implementation of a global decentralized public key infrastructure (DPKI), which has significant security and privacy benefits for the Internet, as a whole.

Initially the GAIN Proof of Concept, will make use of the OpenID Connect (OIDC) protocol that relies on transport layer encryption but does not, in or of itself, enable cryptographic verification of any identity information obtained by a Relying Party (RP). Further posts will explore the integration between OIDC and DID to further improve cryptographic authentication and verification.

Source developer.orange.com 

Decentralised Identity

“A globally unique persistent identifier that does not require a centralized registration authority and is often generated and/or registered cryptographically. … A specific DID scheme is defined in a DID method specification. Many—but not all—DID methods make use of distributed ledger technology (DLT) or some other form of decentralized network.”

Decentralized Identifiers (DIDs) v1.0

By making use of the existing Internet layer for financial transactions, with its thousands of participating institutions, GAIN has the potential to deliver a decentralised identity ecosystem that offers significant benefits for those financial institutions.

  • Turning a cost-centre (KYC processes and systems) into a potential profit-centre (offering Identity Provider services);
  • Simplifying processes, such as customer onboarding, login and password recovery;
  • Enabling cross-border platforms that facilitate scale;
  • Removing barriers (e.g., data sharing within and between institutions);
  • Moving towards comparative legal and regulatory structures that will serve to expand the total opportunity.; and
  • Re-using existing interoperable protocols, such as OpenID Connect and those APIs supporting Open Banking.

Critical developments in decentralised identity

The mission of the W3C’s Decentralized Identifier Working Group is to standardize the DID Unique Resource Identifier (URI) scheme, which includes the data model and syntax of DID Documents and DID Methods. The purpose of the DID document is to describe the public keys, authentication protocols, and service endpoints necessary to bootstrap cryptographically-verifiable interactions with the identified entity. The DID Method specification defines how a DID and DID document are created, resolved, and managed on a specific blockchain or “target system” and also defines, as a minimum, the Create, Read, Update, Delete operations for the DID.

Formed in 2017, the Decentralized Identity Foundation (DIF) promotes the interests of the decentralized identity community, including performing research and development to advance “pre-competitive” technical foundations towards established interoperable, global standards. DIF maintains an incredibly useful general-purpose knowledgebase, in the form of FAQs.

Originally proposed in 2015 the DID model was updated to include significant developments in distributed databases, cryptography and decentralized networks. This work led to the creation of another fundamental standard – Verifiable Credentials (VC) that together with the DID specification became the underpinning standards for Self-Sovereign Identity (SSI).

Self Sovereign Identity

See my previous post “Federated vs Self Sovereign Identity” to find out more about the fundamentals of SSI and the way in which it differs from Federated Identity.

The definition of SSI – “a person’s identity that is neither dependent on nor subject to any other power or state”, has given rise to two myths about SSI, which have, to some degree, cast a cloud over the adoption of the term.

  1. Self-sovereign identity is not ‘self-asserted identity’, it is just as dependent on information provided by trusted sources as one’s identity is in the real world e.g. the issue of a ;physical passport.
  2. Self-sovereign identity is not ‘just for people’, it is equally applicable to organisations and things.

More recently the term decentralised identity has made something of a resurgence with Microsoft throwing it’s considerable weight behind the term in this recent blog post.

Objections to Decentralised Identity

In October 2021, Google, Apple and Mozilla lodged formal objections to W3C approval of the Decentralized Identifiers (DIDs) 1.0 specification; the substance of which relates to concerns over

  • Interoperability,
  • Divergence rather than convergence of DID methods,
  • Centralized DID methods are not excluded, and
  • The impact on the environment by the reliance on blockchain.

Discussions continue and we all look forward to an early resolution of the issues raised.

GAIN – Background

According to the late, lamented, Kim Cameron in his seminal 2005 blog, The Laws of Identity, the Internet was designed and implemented without an identity layer and has developed ever since as a patchwork of identity workarounds and one-offs.

In the November 2019 BBC Dimbleby Lecture, Tim Berners Lee, inventor of the World Wide Web, proposed a mid-course correction for the Web by decoupling data from the application. This, he argued, would give users complete control of their personal data and enable them to make use of decentralized data stores called Pods, developed using the Solid specification.

The GAIN (Global Assured Identity Network) proposal has the potential to deliver both an identity layer for the Internet and this mid-course correction. GAIN addresses the patchwork of identity workarounds and implements a global identity system that enables a shift towards a user-centric and high-trust identity paradigm for the Internet.

The genesis of GAIN

GAIN builds on the remarkable success of the worldwide payments’ ecosystem, implemented by the international financial community and delivering global payments schemes such as Swift, Mastercard and Visa. This financial ecosystem is based on open standards and financial-grade APIs; it can be envisioned as a financial overlay to the Internet.

Trust in the international payments system is underpinned by formal compliance with international banking regulation, such as Sarbanes-Oxley, the Basel Framework, ‘Know Your Customer’ (KYC), Anti-Money Laundering (AML) legislation and PCI-DSS. Financial institutions that are members of the international payments’ ecosystem must provide evidence of:

  • implementing all the required technical controls;
  • applying the rules of the various compliance schemes; and
  • submitting themselves to a process of regular certification.

Membership, technical controls, scheme rules and regular certification are just four of the methods by which trust is maintained between members of the payments’ ecosystem and between financial institutions and their customers. In effect, financial institutions are already required to operate within a global financial payments Trust Framework.

Islands of trust exist GAIN is an interoperable system bridging islands

By catalysing a decentralised and interoperable global network, as has been achieved for payments, Financial Institutions will offer high-trust identity assurance within a safe, sufficiently regulated environment: a major step toward Digital Trust.

GAIN DIGITAL TRUST White Paper

Federated vs Self Sovereign Identity

A couple of weeks ago Covid-19 prevented me from flying to Las Vegas for the Know Identity Conference and made me abandon my plan to write a post on what I discovered there.

So, having had a rethink over Easter, I decided to record my perception of the differences between Federated Identity and Self Sovereign Identity and why I think that Federation cannot provide the Internet’s missing identity layer.

Federated identity management (FIM) is a means to enable users to access the systems and applications of multiple organizations using one login credential. Identity federation allows users to maintain login credentials with multiple credential service providers (CSPs) (e.g., email or social media providers) and then choose among them when logging into different online services

NISTIR 8149

To my mind, the principal beneficiaries of federated identity are the business organisation (Identity Provider) not the citizen, through

  • Increased efficiency and cost savings from not having to manage users’ login information;
  • Improved risk management through multilateral agreements;
  • Reduced privacy risks due to limited replication of users’ personal data across the organisation’s infrastructure;
  • Improved system design criteria based on a defined risk profile that is aligned to the community being served.

But that is not to say that users of federated identity systems do not also derive some benefit, they clearly do:

  • Improved user convenience and reduction in risk resulting from having fewer sets of usernames & passwords to remember and manage;
  • Single Sign-On (SSO), enabled by FIM, is an efficient way for employees to access the corporate resources, applications and data they need to do their jobs.
  • The organisation’s HR department and its associated access control mechanism act as a single source of the truth, preventing users from repeatedly entering personal details when requesting access to shared resources.

The downsides of Federation

But … what about us as Citizens, when we are not at work, when we are managing our online life and when we are using the Internet for our own personal reasons?

To operate effectively FIM needs multilateral and mutual trust between service providers, operating across a clearly identified infrastructure with an understood and consistent risk profile. For example the UK governments Verify solution relied on a common (and crucially) formally assessed risk profile for OFFICIAL information. Once an individual’s identity has been established by the identity providers operating Verify, that identity could be used by the citizen to gain access to various government services, such as benefits, taxes, driving licences, passports etc.

What’s good for the workplace doesn’t necessarily transfer to the wider world…

The Internet does not have the common risk profile and multilateral, mutual trust and governance that Federated Identity Management requires.

But not to worry, that yawning chasm is being filled by GAFAM, the Internet’s Big Five – Google, Apple, Facebook, Amazon and Microsoft!! Each time you come across one of these buttons, you are being offered the opportunity to share your identity with GAFAM.

So what’s wrong with that, you might ask.

Well lets have a look at the UK Information Commissioner’s 2018 Report to the UK Parliament on their investigation into the use of data analytics in political campaigns. Decide for yourself whether Facebook can be trusted with your identity data.

The ICO –

  • Found found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information, without sufficiently clear and informed consent, and allowing access even if users had not downloaded the (personality testing) app, but were simply ‘friends’ of people who had. Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform
  • Issued Facebook with the maximum monetary penalty of £500,000 available under the 1998 Data protection legislation.
  • Referred Facebook to the Irish Data Protection Commission regarding their targeting functions and techniques used to monitor individuals’ browsing habits, interactions and behaviour across the internet.
  • Investigated other organisations linked to Facebook and engaged in buying and selling personal datasets in the UK, so called data brokers, were also subject to substantial monetary penalties.
  • Concluded that Facebook did not take sufficient steps to prevent apps from collecting data in contravention of data protection law.
  • Established that the personality test app utilised the Facebook login in order to request permission from the app user to access certain data from their Facebook accounts.
  • Found that Facebook did not follow up on a request to Cambridge Analytica that personal data from Facebook be deleted

On the basis of evidence produced by the ICO I, for one, don’t trust the the privacy management capabilities of Facebook. I certainly won’t be trusting them with any more of my identity data and I’m disinclined to ask any of the Big 5 to act as arbiter of my identity.

There simply must be a better way of enabling single sign on to all manner of Internet services, including banking, medical records, online shopping, social networking, interaction with government services, holiday bookings, clubs and memberships, email, educational & professional qualifications, investments & mortgages etc… etc…

And there is…

Self Sovereign Identity

A number of leading lights in the SSI community have come together to write the definitive study of Self Sovereign Identity, which was published in May this year. I strongly the book because I believe it is an excellent and comprehensive source for all things SSI, VC and DI. It is essential reading for those interested in this intriguing and fast developing area of new technology.

Preukschat and Reed identify a number of reasons why the Federated Identity Model does NOT provide the missing Internet identity layer:

  • There isn’t one IDP that works with all sites, services, and apps. So users need accounts with multiple IDPs, and pretty soon they start forgetting which IDP they used with which site, service, or app.
  • Because they have to serve so many sites, IDPs must have “lowest common denominator” security and privacy policies.
  • Many users—and many sites—are uncomfortable with having a “man in the middle” of all their relationships, particularly being able to surveil users login activity across multiple sites.
  • Large IDPs represent some of the biggest honeypots for cybercrime ever created.
  • IDP accounts are no more portable than separate accounts linked to each website (centralised model); if you leave an IDP like Facebook or Twitter, all those account logins are lost.
  • Lastly, due the security and privacy concerns, IDPs are not in a position to help users securely share some of their most valuable personal data, e.g., passports, government identifiers, health data, financial data, etc.

The most important difference between SSI and FIM, though, is that SSI is no longer account-based. Instead there is a direct secure peer-to-peer relationship between the two parties i.e. a shared connection. Neither party “controls” the relationship and this is true whether the parties are people, organisations or things.

The key to the security of these connections is the underlying decentralized public key infrastructure (DPKI) that is supported by blockchain technology. Together these enable:

  • The exchange of public keys directly between any two peers;
  • The exchange of digital identity credentials (aka verifiable credentials) to provide proof of real world identity; and
  • The storage of public keys on public blockchains specifically designed for the purpose.

In the centralized and federated identity models, the locus of control is with the issuers and verifiers in the network. In the decentralized self-sovereign identity models, the locus of control shifts to the individual identity owner, who can now interact as a full peer with everyone else.

SSI, Manning Publications

Preukschat and Reed summarise the differences between the FIM and SSI concepts of operation.

FIM ArchitectureThe user first contacts the Service Provider, is then redirected to the Identity Provider where he/she logs in, and is then redirected back to the SP providing the latter with the user’s identity attributes that the IdP is willing to release.
SSI Architecture using VCsThere is none of this web-based redirection within a defined “federation”—the user as holder obtains VCs from issuers and uses them independently at any verifier that will accept them.

The FIM architecture places the IdP at the centre of the ecosystem, whereas the SSI/VC architecture places the holder at the centre of the ecosystem.

Fundamentally, the SSI/VC philosophy is that users are paramount and it is only they that can decide who to present their VCs to, whilst the FIM philosophy is that IdPs are paramount and they decide who can receive the user’s identity attributes.

Today’s federated identity management infrastructures give issuers (IdPs) great power because they are at the centre of the ecosystem. SSI/VCs turn this model on its head and place users at the centre.

We started out trying to find a solution to the Internet’s missing identity layer; what we ended up discovering was that to solve those problems we needed a shift in control from the centres of the network—the many “powers that be”—to the edges of the network—where all of us exist and interact as peers.

Preukschat & Reed

Three dimensions to Digital Identity

In his June 2018 webinar as part of the SSIMeetup group, Danial Hardman presents an interesting take on digital identity, calling it multi-dimensional and manifesting itself in three separate planes along three separate axes – Relationships, Data or attributes and Agents or Proxies.

Digital identity is multi-dimensional

Agents or Proxies axis

These are the devices, software and services that represent me when I use the Internet, they are effectively acting as my agent or proxy. It is in this category that the proposed digital wallet sits, as it’s purpose is to negotiate identity-related transactions and connections on my behalf. Consider eBay, for example, which represents me to the seller and the seller to me, handling necessary financial transactions to an acceptable level of security; there is no direct connection between the seller and I.

Attributes or Data axis

Facebook, for example, gathers information about its users, which it uses for a number of commercial purposes, some beneficial to the user and some beneficial to Facebook. In the current federated identity model Facebook can act as a trusted identity provider by using my authentication data to allow me to sign on to other sites. On the other hand the Cambridge Analytica scandal shows us that Facebook gathers and uses all sorts of other data relating to us for commercial purposes. They are clearly not impartial or independent intermediaries in these transactions and it is questionable the level of trust we should have in them. One could argue that the true home of a social network should be along the relationships axis.

Relationships axis

We are not allowed to take our relationships with us when we opt to extract our personal data from Facebook and other social network providers and store it elsewhere; we are obliged to close down our account. This renders the extracted data useless for maintaining relationships and reinforces the lock-in to provider services. This situation is much like the early days of online banking when the hassle of moving from one bank to another was out of proportion to the benefits achieved; with Open Banking this is no longer the case.

Who knows what about me?

Currently, this question is impossible to answer. In the future I expect my Personal Online Datastore (POD) and digital wallet to keep track of the personal data that I have chosen to share with those I have established personal or commercial relationships.

When they were breached it took Equifax many weeks to disclose the fact and many more to establish what information had been compromised and even longer for them to get round and notify everyone that their information had been stolen. No one knows where that data is now but some commentators suspect that the proximity of the breach to other major data breaches and the fact that this data has not appeared on the dark web suggest that it has been saved in a huge Chines data lake and is being used to support espionage operations against the West.

Knowing who knows what about me is a critical factor in the maintenance of the privacy and security of personal data.

Which agent or proxy can represent me?

Answering this question is, theoretically, a little simpler that knowing who has my data, in that I have a relationship with my agent or proxy and should be able to control the release of personal data. This may not always be the case as the context of the representation is critical. My solicitor may represent me in court but I wouldn’t expect her to speak on my behalf when arranging a holiday. I would expect my doctor to share relevant medical information with a hospital but I’m a little bit more wary if they are seeking to share the same information with big pharma, without the necessary anonymisation controls in place.

Which agent can share what about me?

I don’t expect eBay to share my credit card details with the seller, I don’t expect commercial organisations to share my phone number and address with partner organisations and I certainly do not want metadata from my social media interactions to be shared with advertisers so that they can personalise the adverts I see online.

Greater granularity, detailed configuration and improved contextual analysis is required to maintain continuous control over the sharing of personal information by agents or proxies on my behalf.

What is Identity, digital or otherwise?

The quality or condition of being a specified person or thing.Concise Oxford Dictionary, 8th ed, 1990

Something I have …

How identity worked in the pre-computer age.

Few of us growing up in the developed world had any choice in the matter. When I was born my parents were legally required to register my birth for which they received a paper birth certificate; a verified credential which, even today, I am occasionally required to produce.

Since then, like most other people in the UK, I have become an avid collector of verified credentials that either enabled me to claim the benefits to which I was entitled or take on the responsibilities they bestow. Registering with the local doctor allowed my parents and I to use the NHS and the issue of a National Insurance number kick started my contribution towards the cost of the welfare state. In 1975 the Met Police confirmed me in the office of Constable and gave me a warrant card which came with the power of arrest; a really powerful credential that acted as both a proof of identity and authority for me to take certain legal actions. On receiving my first pay cheque I opened a bank account and the cheque book I received was another valuable and frequently used credential. Debit cards, credit cards, driving licence, marriage certificates, mortgage certificates, loan agreements, credit rating, insurance certificates, passport, degree certificate, professional qualifications and memberships all followed over the next 45 years. I still have most of these original documents, locked away in a filing cabinet in my office just in case I need to produce them some day.

Occasionally I need to carry some of these credentials so that they are immediately available for inspection; international travel and hiring a car are impossible without a passport and driving licence respectively. Knowing that I will need to present them I carry them with me, either on my person, or in my wallet.

The issuing process for each of my credentials had a number of common factors – I needed to engage with a third party issuer and both parties understood the nature and reason for the transaction, on each occasion I needed to assert my identity to a standard acceptable by the other party and finally I needed to back up that assertion with acceptable documentary proof.

During those, sometimes lengthy engagements, both parties trusted the physical modes of communication, whether they be phone calls, face to face meetings, snail mail, registered post for valuable items or simply the physical exchange of signed and witnessed documents.

None of these transactions could not have happened as they did without there being a prevailing sense of TRUST between all parties. In the pre-computer era impersonation, fraud, forgery, false accounting, misrepresentation, disguise and scamming were all pretty hard to get away without specialist skills, knowledge and native cunning. Besides these, the likelihood of capture and threat of a custodial sentence deterred all but the most adventurous, or desperate.

These important physical credentials are a necessary, and in some cases legal, manifestation of my identity; they do not alone amount to my identity as a person. They are perhaps best seen as tools to enable and support my interaction with the various authorities that make up the nation state.

Before computers, issuing authorities had a clear, settled and documented step-by-step manual process for dealing with applications, employing the right number of people to make the process work but there was little or no sense of urgency.

The advent of computerisation brought opportunities to cut costs and improve the services delivered but the automation of ‘something I have‘ has not been without difficulties. Early attempts to computerise the credential issuing business led to incompatible systems running bespoke processes with first generation operating systems hosted on expensive mainframes provided by a handful of approved suppliers.

I would argue that it is only now with the introduction of the Internet, Cloud computing, ubiquitous encryption and various cross-industry working groups that the true benefits of a computerised ‘something I have‘ can be realised

Something I know …

With the rapid expansion of the Internet without an identity layer, web organisations were forced to authenticate users by the only means available to them at the time – username and password. This method of authentication is now the norm but it is a paradigm that has been completely undermined by our inability to manage these credentials securely in the real world. Don’t just take my word for it, look at the guidance produced by the UK’s National Cyber Crime Centre and the writings of Bruce Schneier on the subject.

To address the failings of username and password authentication we are now being forced down the route of the multi-factor authentication. MFA comes under the category of ‘something I know‘ because for a few seconds I need to know a one time passcode sent to me by an out of band channel (usually SMS) before entering it into the browser. This deeply inconvenient and time consuming authentication method treats only the symptoms of the identity-free Internet, not the causes of it.

There are other attributes of my identity that come under the heading of ‘something I know’. I know the dates that are important to me, my favourite teacher and I also know the answer to the ubiquitous mother’s maiden name question. The most significant problem with using these attributes to authenticate my digital identity is that its entirely possible that with a little bit of research a diligent social engineer may be able to discover all of this information and use it to impersonate me.

Something I am …

Should I die without identification on me and without my mobile phone the police have a number of biometric methods available to them to identify me – fingerprints, DNA and dental records are the most commonly used. In my case, I had my dabs taken when I joined the police service and have also recently had some very expensive dental treatment; these are clearly verified credentials that uniquely identify me.

The fundamental concept underpinning the Who.Me? experiment is the conclusion arrived at by Sariyar & Schlunder in their 2016 paper:

Identification of an individual (based on digital data) means to know a globally unique natural identifier (allowing a singling out), which can be a combination of attributes and to associate them with a set of attributes. Both together allow a singling out and the recognition of the individual. The genome and fingerprints are unique identifiers, and they can stand for the individual, but they are not sufficient to identify an individual without further reference information. In general, there is no fixed set of (reference) information that is always sufficient for identificationSariyar M, Schlünder I. Reconsidering Anonymization-Related Concepts and the Term 'Identification' Against the Backdrop of the European Legal Framework. Biopreserv Biobank. 2016;14(5):367–374. doi:10.1089/bio.2015.0100
The Who.Me? experiment will demonstrate whether it is possible for me, as a standard Internet user, to collect, collate and control my own personal data when using the Internet. As I plan to use my own unique natural identifiers to underpin my digital identity there are a number of key factors I need to take into account:
  • Information storage – How secure is the Personal Online Datastore (POD) in which I will store my biometric data? How will the POD integrate with my digital wallet so that these verified credentials can be made available securely?
  • Information exposure – What information is appended to the ledger and how do I ensure that my biometric data is not exposed?
  • Proportionality – What control do I have over my data being released, how can I ensure only the correct and appropriate information is disclosed?
  • Information format – What is the format of these biometric files and how can a limited and constrained amount of information be released?

Who’s setting the standards?

The World Wide Web Consortium is an international community where Member organizations, a full-time staff, and the public work together to develop Web standards. Led by Web inventor and Director Tim Berners-Lee and CEO Jeffrey Jaffe, W3C’s mission is to lead the Web to its full potential.

The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords. It is working to change the nature of authentication with open standards that are more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage.

Arising out of the UN’s Sustainable Development Goal (SDG 16.9) that recognises legal identity as a fundamental human right, the ID2020 Alliance is a global public-private partnership with a manifesto to improve lives and accelerate access to digital ID by underserved and vulnerable populations. It is a multi-stakeholder collaboration that advocates the adoption of ethically-grounded digital ID solutions, the definition of individual-centred functional requirements and funds projects to deploy promising solutions.

Formed in 2010, OIX is a technology agnostic, non-profit trade organisation of leaders from competing business sectors focused on building the volume and velocity of trusted transactions online. OIX’s mission is twofold: a) to be the leading industry body driving the digital identity industry; and b) to be a centre of excellence that aligns to open, interoperable standards across the UK and Europe. The organisation operates the OIXnet trust registry, a global, authoritative registry of business, legal and technical requirements needed to ensure market adoption and global interoperability.

Established 2016 as an independent non-profit organization the Sovrin Foundation administers the Sovrin Network, an open source, public service utility based on distributed ledger technology (blockchain) that enables self-sovereign identity on the internet. Charged with administering the publicly created Governance Framework for the Sovrin Network, the Foundation is responsible for ensuring the Sovrin identity system is public and globally accessible and is committed to transparency and neutrality.

Created in March 2019 by the Sovrin Foundation, the Sovrin Alliance is a community of developers, enterprises, business and government leaders, NGOs, Sovrin Foundation staff, and volunteers that ensures the future of self-sovereign identity.

DIF is an engineering-driven organisation focused on developing the foundational elements necessary to establish an open ecosystem for decentralised identity and ensure interoperation between all participants. DIF Working Groups develop specifications and emerging standards for protocols, components, and data formats that inform development. Beyond specifications, DIF members develop open source reference implementations of the technical components and protocols they create and work to align industry participants to advance common interests.

Headquartered in Brussels, EEMA is a leading independent, not for profit, European Think Tank including topics on identification, authentication, privacy, risk management, cyber security, the Internet of Things, Artificial Intelligence and mobile applications. EEMA is a strong supporter of the European Electronic Identification, Authentication and Trust Services , eIDAS and the Go.eIDAS initiative.

In May 2016 the UK Government’s Digital Service launched GOV.UK Verify, an identity assurance scheme intended to provide a single trusted login across all Government Digital Services, verifying the user’s identity in 15 minutes. Although take-up by UK citizens has not been as swift as originally projected there are currently almost 5 million people who have signed up to the service. Five Identity Providers (also called ‘certified companies’) are contracted to verify an individual’s identity by reference to existing government issued credentials e.g. driving licence and passport. The UK’s newly appointed Director of Digital Identity, Lisa Barrett stated in a recent blog that “Digital identity is a vital issue not only for government transformation – as has often been our focus – but also for users who benefit from a safe, effective and  functioning digital economy underpinned by strong digital identity solutions.

NIST has produced a range of Special Publications (SP) on Digital Identity:

  • SP800-63-3 -Digital Identity Guidelines
  • SP800-63A – Enrolment and Identity Proofing
  • SP800-63B – Authentication and Lifecycle Management
  • SP800-63C – Federation and Assertions

SP800-63 contains a useful overarching diagram that describes the Digital Identity Model:

NIST Digital Identity Model

In October 2018 NIST produced an excellent Technology Overview document on Blockchain, concluding that the technology is still new and organisations should treat blockchain technology like they would any other technological solution at their disposal–use it only in appropriate situations

Social Linked Data (Solid) is the technology that underpins a movement led by Sir Tim Berners-Lee to re-orient the web to its original vision of a collaborative/re-writeable/editable web. The removal of editing capability in original browsers spawned an effort to get the write functionality back; dubbed the ‘read-write web’ this effort led to Richard McManus’ seminal article published in 2003.

The issue with writing data, as Wikipedia and others have learned, is that there needs to be a degree of control over who can write what so a process of obtaining and using permissions is needed. To enable these permissions there needs to be a system for identity – a way of uniquely confirming that an individual is who they purport to be; hence Solid’s relevance to the subject of digital identity.

Solid also provides a Personal Online Datastore (POD) within which an individual’s personal data can be stored and managed, and from which can be shared with approved partners.

OWI is a market intelligence and strategy firm focused on digital identity, trust, and the data economy. Through advisory services, events, and research, OWI helps a wide range of public and privately held companies, investors, and governments stay ahead of market trends, so they can build sustainable, forward-looking products and strategies. Since 2017 OWI has been the official host of the KNOW Identity Conference and KNOW Forums.

RAND Europe was commissioned by the British Standards Institution (BSI) in January 2017 to carry out a rapid scoping study to examine the potential role of standards in supporting Distributed Ledger Technologies (DLT)/Blockchain. The resulting report, entitled Distributed Ledger Technologies/Blockchain: Challenges, opportunities and the prospects for standards serves as an overview of the 6-week study and concludes that there is scope for standards to play a role in supporting the technology.

ISO has produced a terminology document for DLT as a first of a range of standards documents that are currently under development.

Hyperledger Indy provides tools, libraries, and reusable components for providing digital identities rooted on blockchains or other distributed ledgers so that they are interoperable across administrative domains, applications, and any other silo. Indy is interoperable with other blockchains or can be used standalone powering the decentralisation of identity.

Hyperledger Aries provides a shared, reusable, interoperable tool kit designed for initiatives and solutions focused on creating, transmitting and storing verifiable digital credentials. It is infrastructure for blockchain-rooted, peer-to-peer interactions. This project consumes the cryptographic support provided by Hyperledger Ursa, to provide secure secret management and decentralised key management functionality.

Now let’s define a few terms…

Claims
According to the Sovrin Foundation Glossary v3 a claim is an assertion about an Attribute of a Subject. Examples of a Claim include date of birth, height, government ID number, or postal address—all of which are possible Attributes of an Individual.
Credentials
A Credential is comprised of a set of Claims and is a digital assertion made by an Entity about itself or another Entity. Credentials are a subset of Identity Data and must be based on a Credential Definition. Examples of Credentials include college transcripts, driver licenses, health insurance cards, and building permits.
Credential – Agent
Once issued, a Credential is typically stored by an Agent.
Credential – Holder
The Entity holding the issued Credential.
Credential – Issuer
The Entity creating and issuing the Credential.
Credential – Relying Party
The Entity to whom a Credential is presented.
Credential – Subject
The Entity described by the Claims is called the Subject of the Credential.
Credential – Verifier
The Entity to whom a Credential is presented for verification.
De-centralized Key Management System (DKMS)
Public key infrastructure based on decentralized identifiers and identity records (for example, DID documents) containing verifiable public key descriptions.
Digital Identity
According to Wikipedia digital identity is information on an entity used by computer systems to represent an external agent. That agent may be a person, organisation, application, or device. ISO/IEC 24760-1 defines identity as “set of attributes related to an entity”.
Digital Wallet
A software module, and optionally an associated hardware module, for securely storing and accessing Private Keys, Link Secrets, other sensitive cryptographic key material, and other Private Data used by an Entity. A Wallet [Wallet Storage] is accessed by an Agent. In Sovrin infrastructure, Wallets [Wallet Storage] implement the emerging DKMS standards for interoperable decentralised cryptographic key management. Darrell O’Donnell’s 2019 paper entitled The Current and Future State of Digital Wallets provides a guide to help understand where the Digital Wallet market is and where it is heading for business and personal use.
Distributed Ledger Technology (DLT) or Blockchain
A distributed database in which the various nodes use a consensus protocol to maintain a shared ledger in which each transaction is cryptographically signed and chained to the previous transaction.
Personal (Online) Data Store (POD)
A personal data store, vault or data locker is a service that lets an individual store, manage and deploy their personal data in a highly secure and structured way. PODs are like secure USB sticks for the Web that can be accessed from anywhere. When others are given access to parts of the POD, they can react to the the content but the data owner decides which things can be accessed by applications and people. A Personal Data Store is NOT a Digital Wallet, it is more like a personal, domestic filing cabinet that stores persoanl data. Solid and Mydex are just two examples of personal data stores.
Self-sovereign Identity (SSI)
Lifetime portable identity for any person, organisation, or thing that does not depend on any centralised authority and cannot be taken away. Also describes the digital movement that recognises an individual should own and control their identity without the intervening administrative authorities. Christopher Allen’s excellent post from 2016 provides another useful overview of the subject.
Trust Framework
A generic term often used to describe a legally enforceable set of specifications, rules, and agreements that govern a multi-party system established for a common purpose, designed for conducting specific types of transactions among a community of participants, and bound by a common set of requirements.
Web of Trust
Phil Zimmerman originated the phrase “Web of Trust” in PGP 2.0 (1992), however, his ‘Web’ had a very limited meaning, focused on peer validation of public keys.
Verifiable Credentials
A digital attestation of one Identity Owner about another, also called Attestations or Claims.
WebID
A way to uniquely identify a person, company, organisation, or other agent using a URI, defined by the W3C WebID 1.0 specification.
WebID-TLS
Enables secure, efficient and maximally user friendly authentication on the Web by authentication onto any site by simply choosing one of the certificates proposed to them by their browser. These certificates can be created by any Web Site for their users.

As a good primer on the subject I highly recommend Sovrin’s White Paper entitled “Sovrin: A Protocol and Token for Self-Sovereign Identity and Decentralised Trust“.