Skip to main content

POST The good doctor

I think we all understand that the identity infrastructure that we have now is not suited for the connected world that it was never designed for.

On the one hand, the problem seems obvious. We all need some kind of consistent digital identity (think virtual ID "card") that can identify and authenticate us not only to all our devices, but also to all our online services, commerce and banking accounts, and essentially anywhere where we need to digitally, or even physically, verify who we are.

From The Digital Identity Dilemma | Seeking Alpha

Now, in my world, words such as “digital identity” and “virtual identity” are not bandied around with gay abandon. To me, they mean something very specific and I am of the strongly-held opinion that it’s not possible to discuss such topics without some agreed model to work with. At Consult Hyperion we used “three domain identity” (or “3DID” model) to help our clients to develop their strategies for digital identity and its use in the mass market.

Three Domain Identity Model

The very kind people from Security Printers 2016 invited me down to Seville to deliver keynote about next generation identity today. I used the 3DID model to explain that in the connected world, all transactional interactions are between virtual identities and that the virtual identities ought to be constructed to allow for partitioned and partial identities. It is more than a decade since Kim Cameron published his seminal “seven laws of identity” that included the key principle of minimal disclosure, the idea that system should disclose the least amount of identifying information possible to effect a transaction.

To illustrate this point, I got one of my old “psychic ID” presentations out of the closet and used Dr. Who to illustrate my point about showing only what the relying party needs to (and is authorised to) see. But I finished up by talking about it will mean to have “smart” identity built on top of some sort of identity infrastructure (whether the 3DID infrastructure that I was talking about or some other infrastructure). This led into some pretty interesting discussions later in the day, so I thought I’d jot down a couple of notes here.

First, I explained that making something smart does not mean either putting a chip in it or putting on the blockchain. I was using smart in a more domain-specific way, unrelated to the particular implementation. I defined a smart ID to be an ID that can not present only those attributes that a relying party needs for a transaction and is authorised to see but can also verify the attributes presented by another smart ID. In other words, my smart driving licence can check whether your smart driving is real when you turn up to test drive my car . Your psychic paper can check that your date’s psychic paper is not lying when it says they have a Barclays account and are UK resident when you log in to online dating. The nightclub bouncer’s psychic paper (Android watch) can check that a patron’s psychic paper (iPhone app) shows he has a real VIP invite to the club. 

Comments

Post a Comment

Popular posts from this blog

We could fix mobile security, you know. We don't, but we could

Earlier in the week I blogged about mobile banking security , and I said that in design terms it is best to assume that the internet is in the hands of your enemies. In case you think I was exaggerating… The thieves also provided “free” wireless connections in public places to secretly mine users’ personal information. From Gone in minutes: Chinese cybertheft gangs mine smartphones for bank card data | South China Morning Post Personally, I always use an SSL VPN when connected by wifi (even at home!) but I doubt that most people would ever go to this trouble or take the time to configure a VPN and such like. Anyway, the point is that the internet isn’t secure. And actually SMS isn’t much better, which is why it shouldn’t really be used for securing anything as important as home banking. The report also described how gangs stole mobile security codes – which banks automatically send to card holders’ registered mobile phones to verify online transactions – by using either a Trojan...
Post a Comment
Read more