Re: Digital Identity and Blockchain

Caute_cautim · ‎03-20-2019

Digital identity and Blockchain: Interesting set of concepts and technologies involved here. However the functions of a digital identity system are:

Registration

Credentialing

Authorisation

Authentication

Trans. Intermediation

And the associated roles are: Users; Identity Providers; Credential Service Providers; Registration Authorities; Intermediaries; Attribute Providers and Relying Parties.

So the basis of Digital Identity is to have a unique way for stakeholders i.e. Network Providers; External stakeholder such as Government; Regulative bodies etc; and Financial Institutions to be able to register human beings - from birth to death and any life changing events in between.

However, Blockchain is a technology which at its heart will provide an immutable record of transactions - which then has to be held for at least 110 years over the potential life span of an individual.

The user is normally is given control of the accuracy of the records, except whereby they are too young to make such determinations, or too frail or incapacitated in some form or means etc.

There is great potential savings to stakeholders worldwide to have a digital identity system for each nation with international adherence to standards etc - but obviously everyone wants to put forward their own solution, and make some profit from it in some form or means. However, the inherent issues of both digital identity and block chain is technology moves on, cryptography morphs into something else as standards and technology changes. The savings to nations is perceived to be enormous over time - but the benefits in terms of the stakeholders including users is deemed to be tremendous. But can we guarantee that the original providers in terms of their organizations will exist in 100 years time, that storage systems and formats have not changed and that the immutable records and transactions in terms of integrity and availability will be maintained. Plus on top of this ensuring the privacy of the individual being maintained accurately, with confirmation and that the chief stakeholders can obtain the information they require in a timely manner.

Thoughts?

Caute_cautim

CraginS · ‎03-31-2019

In the past two years I have read several articles proposing blockchain as a suitable technology for identity management. I have yet to see a concrete proposal describing precisely what personally identifiable information (PII as used in US law and federal regulations) should be wrapped in the blockchain content, or what transactions should be recorded in the blockchain. Several of the articles have pointed out the challenge of adequately protecting privacy, both in terms of the PII used an in terms of the transactional use of the blockchain as it would be used for authentication of identity.

I'd appreciate seeing a more definitive operational description of what should be in an identity management blockchain, and how it would be used.

On particular question comes to mind on reading this statement from the OP:

"However, Blockchain is a technology which at its heart will provide an immutable record of transactions - which then has to be held for at least 110 years over the potential life span of an individual."

In some implementations, it is essential to record every transaction of identity authentication and subsequent access authorization. In some of those instances, it is also essential to record actions taken once authorized access. The operational parameters of an identity management blockchain system should clearly define which categories of authentication should be recorded, and which ones are to be handled as ephemeral, leaving no trace of the authentication for later inspection.

So far, my impression is that throwing the magic of blockchain technology at the complexities of a multi-component identity management and access authorization system is still at teh OOO SHINY stage of development.

More thoughts?

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts

Caute_cautim · ‎04-01-2019

@CraginSWe have seen the UK Government Verify identity project fail to a vast sum of money invested. I am seeing a good number of people jumping on the bandwagon, including those in New Zealand pushing their developers and carts out to the world - all in the hope that someone somewhere will adopt and buy into their particular approach involving Blockchain. However, I am currently volunteered to work with Digital Identity New Zealand (DINZ), in the hope that the real problems and business drivers are truly identified, and that as you state 110 years to exist for a singular or a number of different technologies to last that long, without considering the underlying principles and standards that need to be applied to promote its longevity is often forgotten. I have discussed with my Blockchain colleagues.

However, without pushing the boat out, or providing false hope at all - we are attempting to do something about it, by exploring and partnering with various organisations - as we truly believe no singular vendor or solution provider can overcome the issues you and others have raised. So here is a starting point:

https://www.ibm.com/blogs/blockchain/2019/03/ibm-and-evernym-work-to-accelerate-adoption-of-decentra...

I am not going to comment, as yet, but what I want to do is concentrate on the underlying principles to get Digital Identity fully accepted, which means having to do some prototyping, lots of DevOPs and testing and exploring with collaboration with others.

I agree with the points you have made, do we actually need a Blockchain in this case, is it the appropriate technology or can we use a database and simply migrate the accumulated data seamlessly as the underlying technologies change? There is too much hype around, and not enough looking holistically at the problem and potential frameworks, in which the appropriate current technology can support solve. I don't believe technology alone can solve this particular issue, we need solid principles, business requirements, Use cases and agreements on standards whether it is country wide or global considerations, it needs to be interoperable, scalable and constantly tested, and the best parts developed to complete the whole picture.

Regards

Caute_cautim

rslade · ‎04-01-2019

> CraginS (Advocate I) posted a new reply in Tech Talk on 03-31-2019 11:22 AM in

> In the past two years I have read several articles proposing blockchain as a
> suitable technology for identity management. I have yet to see a concrete
> proposal describing precisely what personally identifiable information (PII as
> used in US law and federal regulations) should be wrapped in the blockchain
> content, or what transactions should be recorded in the blockchain.

Bingo.

> On particular
> question comes to mind on reading this statement from the OP: "However,
> Blockchain is a technology which at its heart will provide an immutable record
> of transactions - which then has to be held for at least 110 years over the
> potential life span of an individual." In some implementations, it is
> essential to record every transaction of identity authentication and subsequent
> access authorization.

As I've noted before, the devil is in the implementation details, and there is no
common agreement of how even basic blockchain is to be implemented.

> So
> far, my impression is that throwing the magic of blockchain technology at the
> complexities of a multi-component identity management and access authorization
> system is still at teh OOO SHINY stage of development.

Exactly.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Here in the NW we believe in @almightygod the way we believe in
the sun. Can't see it, but we know he's there.
- https://twitter.com/#!/Jamichuk/status/156124323688620033
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

rslade · ‎04-01-2019

> Caute_cautim (Community Champion) posted a new reply in Tech Talk on 04-01-2019

> However, I am currently
> volunteered to work with Digital Identity New Zealand (DINZ), in the hope that
> the real problems and business drivers are truly identified

Good luck. About 20 years ago I attended a meeting with the guy in charge of
(then) PKI for the province of BC. In the fullness of time (only a few years ago)
this came to fruition as a smart card for (almost) all your government needs
(optional and at extra cost). (No, I didn't bother getting one.)

> I don't believe technology alone can solve this particular issue,
> we need solid principles, business requirements, Use cases and agreements on
> standards whether it is country wide or global considerations, it needs to be
> interoperable, scalable and constantly tested, and the best parts developed to
> complete the whole picture.

... and I remember "smart passports," too ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Men listened to me expectantly, waiting in silence for my
counsel. After I had spoken, they spoke no more - Job 29:21,22a
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468