A new theory of digital identity


Identities evolve

While the federated identity movement calls for a new ecosystem to be built, proponents seem oblivious to the existing ecology of business which has spawned very specific arrangements for managing risk in different sectors and communities-of-interest.

As discussed in Part A, business is conducted in circles, or communities-of-interest. There are always membership rules that govern how an individual joins a business circle―whether it be a company, a professional association or a payment scheme―to help all parties manage their risks. Some rules are set freely―by employers, merchants, associations and the like―while others are legislated in industries like aviation, healthcare and finance. In each setting, whether it’s regulated or entirely laissez faire, protocols are fine-tuned over time to cope with changing conditions. That is, they evolve.

In this light, there’s a special term that applies. The conventions, rules, professional charters, laws, regulations and technical standards that control how we identify in different contexts are memes; namely, heritable units of cultural transmission or of imitation (The Selfish Gene, Richard Dawkins, Oxford University Press, 1976). For many decades, a whole spectrum of identity memes have been passed on from one business generation to the next:

  • Anti-counterfeiting features for original identity documents are constantly innovating. Simply adding the photo of the document holder transformed driver licence and citizenship papers many years ago. Many traditional measures are a variation on the theme of making document features difficult to replicate without specialist printing plant. These include microprinting, guilloche artwork, holograms and optically variable dyes. More recently, electronics have been added―most notably chips―which are copy-resistant, and bring added powers such as biometric storage against which the person presenting the document may be verified.

  • Most countries legislate Know Your Customer (KYC) rules for how financial institutions must prove the identity of their account holders. In Australia, the Financial Transaction Reports Act 1988 created the “100 point” check where varying weightings are given to each of a schedule of identity documents. International banking accords from time to time bring pressure to bear on local KYC rules, often seeking to harmonise them. Developments in organised crime led to a broadening of KYC rules under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 to non-bank sectors, while at the same time enabling online presentation of document details to open some types of purely online bank accounts.

  • Driver licences have come to be widely used to prove identity in retail transactions, despite the fact that many roads & traffic authorities wish they simply remained as permits to operate motor vehicles. It is not clear that licence issuers ever officially sanctioned licences as proof of identity but it has obviously been mimicked across many different sectors, and slowly adapted and varied in many ad hoc ways. So identification by driver licence is a meme that has jumped across many different identity species, a phenomenon often seen in bacterial genetics.

  • The number of “authentication factors” has grown over time to counteract ID theft and account takeover. There are many variations on the multi-factor meme, including Card Authentication Protocol (CAP) readers that generate one time codes using a Chip-and-PIN card, the texting of passcodes to customers’ phones, and hybrid biometrics.

  • Password practices have become ever stricter. Minimum recommended lengths get longer all the time, and the practice of mixing up characters became necessary in response to more powerful brute force and dictionary attacks.

  • Cryptographic algorithms never stand still for very long. Ongoing cryptanalysis strives to stay ahead of potential attackers, actively searching for weaknesses and forcing enhancements over a succession of standards: from MD5 through SHA-1 to SHA-2 and the imminent SHA-3 for message digests, and from RC4 and DES through DES-3 to the current state-of-the-art AES cipher.

 

As business environments change, risk management rules respond. And so identity management processes and technologies are subject to natural selection. An ecological treatment of identity recognises that selection pressures act on the many separate facets of digital identity, generally strengthening them. On occasion however, some environmental pressures act to actually weaken identity practices. For example, heightened privacy awareness is leading to some employers collecting less identifying information from new starters than they might otherwise prefer. 

If we think ecologically, we can better explain the surprising power of context in identity management. It is ironic that the Laws of Identity emphasise the importance of context, and yet federated identity programs repeatedly underestimate how IDs resist changing context.

The tight fit that evolves between each given identity and the setting in which it is intended to be used is best described by the term ecological niche. As with real life ecology, characteristics that bestow fitness in one niche can work against the organism or digital identity in another.

Identity “silos” are much derided but we can see now they are a natural consequence of how all business rules are matched to particular contexts. The environmental conditions that shaped the particular identities issued by banks, credit card companies, employers, governments and professional bodies are not fundamentally changed by the Internet. As such, we should expect that when these identities transition from real world to digital, their properties―especially their “interoperability” and liability arrangements―cannot readily adapt.

So taking a mature digital identity, like a university student ID, out of its natural niche and hoping it will interoperate in another like banking is a lot like taking a salt water fish and dropping it into a fresh water tank.

On the other hand, the ecological frame neatly explains why the purely virtual identities like blogger names, OSN handles and gaming avatars are so highly interoperable: it’s because their environmental niches are not so specific. Thinking about how quickly and widely social identities like Facebook Connect have spread, in a very real sense we can describe them as weeds!

The way forward: Identity conservation

We all know that the hardest parts of any digital transformation project are to do with change management and process reengineering, and not technology. The underlying reason that so many identity schemes struggle should now be plain to see: we’ve not only been looking at relatively unimportant problems, they’ve been the most intractable problems. If we focussed instead on conserving context and faithfully replicating existing real world identities in non-replayable forms, most routine transactions could take place safely online, without the incalculable cost of overturning long standing business practices.

One of the most robust ways to render a digital ID non-replayable is to bind it by digital signature to whatever transaction it is being used to authorise. This is how the most secure modes of the CAP protocol work for paying by Chip-and-PIN card online; the customer inserts their card into a portable standalone reader, enters details of the payment together with their PIN, and a private key within the chip transforms the data into a unique and non-reversible code.

Along with resistance to replay attack, digital certificates and signatures deliver the missing ingredient of context. This is perhaps the greatest untapped power of PKI. Public key certificates always include a “Policy Object Identifier” which points to precise detailed specifications of what each type of certificate is for, the conditions under which it was issued, the applications it is intended for and so on. In short, the Certificate Policy nails down the context for the identity.

Context has been bland and underdeveloped in “Big PKI”. Historically, commercial CAs issued a limited range of general purpose certificates; the only variables in orthodox Certificate Policies tend to be a non-specific ‘Level of Assurance’, the name of the issuing CA, the liability limits they usually imposed, and any warranty they were prepared to offer. Yet the Certificate Policy can specify so much more.

When special purpose digital certificates are issued in a closed community of interest, the Policy can set out the precise relationship between the Subjects and the CA acting on behalf of the community. So for instance, one type of digital certificate might convey the fact that the Subject is an accredited surveyor in the state of New South Wales with a given licence number; another can represent that the Subject is a Director of a company with a certain securities commission registration number (note that the same individual might carry both of these certificate types, using one of them to sign survey reports and the other to sign company returns). Unique X.500 Object Identifiers for these different ‘species’ of certificate can be globally registered. Relying Party software in different contexts can easily be configured to look for the anticipated Policy that signals a party’s authority to transact.
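
The relying-party check described above, combined with the binding of a signature to one transaction from the CAP paragraph, as an added Go example that is not code from the article or from any CA product: a community CA issues a certificate carrying a policy OID, and a transaction is accepted only if the certificate chains to that CA, asserts the expected policy, and its key signed exactly that transaction. The OIDs under the 2.999 example arc, the names `Issue` and `Accept`, and the sample transaction are assumptions constructed for illustration; Ed25519 stands in for whatever key type a real scheme would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"slices"
	"time"
)

type OID = asn1.ObjectIdentifier
// Constructed policy OIDs under the 2.999 example arc (not registered); AnyPolicy is the standard 2.5.29.32.0.
var Surveyor, Director, AnyPolicy = OID{2, 999, 1, 1}, OID{2, 999, 1, 2}, OID{2, 5, 29, 32, 0}

// Issue signs a cert asserting one policy (certificatePolicies, 2.5.29.32); nil ca self-signs the CA. Errors dropped for brevity.
func Issue(cn string, policy OID, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	ext, _ := asn1.Marshal([]struct{ ID OID }{{policy}}) // SEQUENCE OF PolicyInformation
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: OID{2, 5, 29, 32}, Value: ext}},
	}
	if ca == nil { // the community CA: its own parent, allowed to sign certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Accept: the cert chains to the community CA, asserts the policy this context expects, and its key signed exactly tx.
func Accept(ca, leaf *x509.Certificate, want OID, tx, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	asserted := slices.ContainsFunc(leaf.PolicyIdentifiers, want.Equal)
	return err == nil && asserted && leaf.CheckSignature(x509.PureEd25519, tx, sig) == nil
}

func main() {
	ca, caKey := Issue("Community CA", AnyPolicy, nil, nil)
	cert, key := Issue("Constructed Subject", Surveyor, ca, caKey)
	tx := []byte("constructed survey report #1")
	println(Accept(ca, cert, Surveyor, tx, ed25519.Sign(key, tx)), Accept(ca, cert, Director, tx, ed25519.Sign(key, tx)))
}
```

A signature lifted from one transaction fails `Accept` on any other, and a Surveyor certificate fails in a context configured for the Director policy even though the chain and signature are valid.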

And so digital certificates provide the means for precise contexts to be conserved and unambiguously bound to respective identifiers. Some of my previously published R&D has demonstrated how context-rich digital certificates can deliver anonymous e-health transactions (A novel application of PKI smartcards to anonymise Health Identifiers, Stephen Wilson, AusCERT2005 Refereed Academic Stream, 2005, http://conf.isi.qut.edu.au/auscert/proceedings/2005/wilson05novel.pdf) and anonymous e-voting (An easily validated security model for e-voting based on anonymous public key certificates, Stephen Wilson, AusCERT2008 Refereed Academic Stream, 2008, http://conference.auscert.org.au/conf2008/Proceedings-SETMAPE.pdf).

Next: Further work


Copyright © SC Magazine, Australia
