Identity 101: Boot Camp for Identity North 2016
TRANSCRIPT
Who is (speaker bio)
* Born in Vancouver, Canada
* Played water polo
* UC Berkeley
* Planetwork
* Identity Commons
* Identity Gang
* Internet Identity Workshop, co-founded in 2005
* Personal Data Ecosystem Consortium, founded in 2010
* Today: independent identity consulting
Outline
1. Big Picture: What is Identity?
2. Digital Identity: Key Terms
3. ID in the Context of Society: Enterprise, Government, Commons
4. User-Centric / Self-Sovereign Identity
5. Spectrum of Identity
6. Big Picture: ID Resources
7. Questions and Answers
Contexts and Roles (Persona)
* Family: Parent, Child, Brother, Sister
* Religious Life: Congregant, Religious Leader
* Hobbies: Creator, Maker, Teacher
* Professional Work: Employee, Employer, Contractor, Professionally Licensed

Atoms: it is easy to move physically between contexts to present different selves.
Bits: movement between different contexts requires different, non-correlated identifiers.
Understanding Key Digital Identity Terms
* Enrollment
* Proofing / Verification
* Attributes / Claims
* Identifiers: Directed, End-Points
* Credentials
* Authentication (AuthN)
* Multi-Factor Authentication (MFA)
* Authorization (AuthZ)

Enrollment is a process, policy and procedures thing, and a technology thing.
Enrollment: the processes that an institution or organization uses to "onboard" and create an identity for a particular individual.
Enrollment leads to credential issuance.

Proofing / Verification (Triangulation)
Identity proofing or verification: the processes used to check the veracity of identity claims about a person. Triangulation means checking a claim against more than one independent source. This is often done in an enrollment process.
Attributes / Claims
Attributes and claims can be either self-asserted by a person or ascribed to a person by an institution.

Identifier
Identifiers are pointers at people. Within institutional or network systems these are often numbers that point to particular people.

Identifiers vs. Claims
Identifiers: a single string.
* Identifiers link things together and enable correlation.
* They can be end-points on the internet.
Claims: attribute-value pairs.
* A claim is made by one party about another party, or about itself.
* It does not have to be linked to an identifier: proving you are over 18, for example, without giving your real name.
Directed Identifier
Directed identifiers are a type of identifier that lets an individual use a different identifier in each context. The BC Citizen Services card is "one card", but when it is used in a healthcare context it carries a different identifier than when it is used in the driver's licence context. The identifier is "directed": it is used in only one context, so the two contexts cannot correlate the holder through it.
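The following is an added example, not code from the presentation or from any real issuer, showing one way a directed identifier can be produced: the issuer keys an HMAC with a secret it never shares and derives a per-context identifier from (context, internal account id). This is the same construction OpenID Connect uses for pairwise subject identifiers. The secret, the account ids and the context names are constructed for the example.

```python
"""Directed (pairwise) identifiers derived from one internal account id."""
import hashlib
import hmac
import secrets

# Constructed example: the issuer-side secret that makes the derivation
# one-way for everyone except the issuer. Generated here so the example runs
# offline; a real issuer keeps it in a KMS/HSM and never shares it.
ISSUER_SECRET = secrets.token_bytes(32)


def directed_identifier(account_id: str, context: str, secret: bytes = ISSUER_SECRET) -> str:
    """Return the identifier `account_id` is known by inside `context`.

    HMAC-SHA256 keyed with the issuer secret over (context, account_id):
    - stable: the same inputs always give the same identifier;
    - directed: a different context gives an unrelated identifier;
    - one-way: a relying party holding the identifier cannot recover the
      account id or link it to another context's identifier.
    The length prefix keeps ("ab", "c") and ("a", "bc") from colliding.
    """
    msg = len(context).to_bytes(2, "big") + context.encode() + account_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issuer_resolve(directed_id: str, context: str, known_accounts, secret: bytes = ISSUER_SECRET):
    """Issuer-side lookup: which account does `directed_id` belong to in `context`?

    Only the secret holder can do this; it re-derives over the accounts it
    knows rather than inverting the HMAC. A production issuer would store the
    (context, directed_id) -> account mapping at issuance instead.
    """
    for account in known_accounts:
        candidate = directed_identifier(account, context, secret)
        if hmac.compare_digest(candidate, directed_id):
            return account
    return None


def demo():
    """Constructed walk-through: one person, two contexts, one issuer."""
    accounts = ["citizen-0001", "citizen-0002"]   # constructed sample account ids
    health = directed_identifier("citizen-0001", "healthcare")
    dmv = directed_identifier("citizen-0001", "driver-licensing")
    return {
        "stable": health == directed_identifier("citizen-0001", "healthcare"),
        "unlinkable_across_contexts": health != dmv,
        "issuer_can_resolve": issuer_resolve(health, "healthcare", accounts) == "citizen-0001",
        "wrong_context_fails": issuer_resolve(health, "driver-licensing", accounts) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The relying party in each context sees only its own 64-hex-character string; correlating the healthcare and driver-licensing records would require either the issuer's secret or some other shared attribute (name, date of birth) being released alongside the identifier, which is why directed identifiers are only as good as the minimal disclosure that accompanies them.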
Network End-Point Identifier
Identifiers that are also network end-points include phone numbers and e-mail addresses.
Authentication can be performed with the end-point: you can prove you are in possession of the end-point by answering a challenge, such as being sent a code to a phone and entering it into the site that is asking you to confirm you control it.
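The challenge described above, as an added example (not code from the presentation): the verifier generates a short random code, delivers it to the end-point, and accepts the end-point as proven only if the same code comes back before it expires. Because a six-digit code is guessable, the example also makes each code single-use and caps the number of wrong attempts. The SMS gateway and the clock are injected so the example runs offline; the phone number is a constructed sample.

```python
"""Proving possession of a network end-point (phone number or e-mail address)
with a one-time code sent to that end-point."""
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class EndpointVerifier:
    def __init__(self, send, clock=time.time):
        # `send(endpoint, code)` delivers the code (an SMS or e-mail gateway in
        # production); `clock()` returns the current time. Both are injected so
        # the example can run without network access.
        self._send = send
        self._clock = clock
        self._pending = {}  # endpoint -> (code, expires_at, attempts_left)

    def start(self, endpoint: str) -> None:
        """Issue a fresh code; a new challenge replaces any earlier one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[endpoint] = (code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self._send(endpoint, code)

    def verify(self, endpoint: str, submitted: str) -> bool:
        """True iff `submitted` matches the live code for `endpoint`.

        Each challenge expires, is single-use, and survives only a few wrong
        guesses: without the attempt cap a 6-digit code falls to brute force.
        """
        entry = self._pending.get(endpoint)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[endpoint]
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[endpoint]          # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[endpoint]          # locked out; must restart
        else:
            self._pending[endpoint] = (code, expires_at, attempts_left)
        return False


def _off_by_one(code: str) -> str:
    """A code that is guaranteed wrong, for the demo."""
    return f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def demo():
    """Constructed walk-through with a fake SMS gateway and a fake clock."""
    outbox = {}                       # what the "phone" received
    now = [1_700_000_000.0]           # fake clock
    v = EndpointVerifier(send=lambda ep, code: outbox.__setitem__(ep, code),
                         clock=lambda: now[0])
    phone = "+1-555-0100"             # constructed sample end-point
    results = {}

    v.start(phone)
    results["wrong_code_rejected"] = not v.verify(phone, _off_by_one(outbox[phone]))
    results["right_code_accepted"] = v.verify(phone, outbox[phone])
    results["replay_rejected"] = not v.verify(phone, outbox[phone])

    v.start(phone)
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_code_rejected"] = not v.verify(phone, outbox[phone])

    v.start(phone)
    for _ in range(MAX_ATTEMPTS):
        v.verify(phone, _off_by_one(outbox[phone]))
    results["locked_out_after_guesses"] = not v.verify(phone, outbox[phone])
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Note what this proves and what it does not: a correct code shows that whoever is at the keyboard could read that end-point at that moment. It says nothing about who that is, and a phone number can be ported or an e-mail account taken over, which is why end-point possession is a weak factor on its own.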
Authentication (AuthN)
* What you know (a password, a one-time password)
* What you have (a credential)
* What you are (a biometric)
* Emerging: what you do (behaviour)

Multi-Factor Authentication (MFA)
Using more than one form of authentication, for example:
* What you have (a bank card) and what you know (the PIN)
* What you know (a password) and what you are (a biometric shared at enrollment)

Authorization (AuthZ)
What are you permitted (authorized) to do in a system? This is very different from authentication, which only checks that an individual is the same one who presented themselves with the credentials before.
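An added example, not from the presentation, that keeps the two questions apart in code: `authenticate` answers "is this the same person who enrolled?" using two factors of different kinds (a password, what you know, and a TOTP device seeded at enrollment, what you have), and `authorize` separately answers "may this person do that?" from the roles the enrolled record carries. The user, password, roles and permission table are constructed for the example; the TOTP routine follows RFC 6238.

```python
"""Authentication (who is this?) kept separate from authorization (what may
they do?), with a two-factor login."""
import hashlib
import hmac
import secrets
import struct
import time

USERS = {}                       # username -> enrolled record (constructed store)
ROLE_PERMISSIONS = {             # constructed sample policy: role -> {(action, resource)}
    "clerk": {("read", "ledger")},
    "auditor": {("read", "ledger"), ("approve", "ledger")},
}
TOTP_STEP = 30


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow, salted password hash (what you know). Iterations kept low for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp(secret: bytes, at: float, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code the user's device displays (what you have)."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def enroll(username: str, password: str, roles) -> bytes:
    """Enrollment: store the verifier for each factor plus the user's roles.
    Returns the TOTP seed, which is shown to the user once (e.g. as a QR code)."""
    salt = secrets.token_bytes(16)
    totp_secret = secrets.token_bytes(20)
    USERS[username] = {"salt": salt, "pw_hash": hash_password(password, salt),
                       "totp_secret": totp_secret, "roles": set(roles)}
    return totp_secret


def authenticate(username: str, password: str, code: str, now: float = None):
    """AuthN: return a principal only if BOTH factors verify, otherwise None.

    A password plus a security question would be two instances of one factor
    (what you know), not MFA; the device-generated code is a second kind."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)   # equal work for unknown users
        return None
    now = time.time() if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Accept the current 30 s step and one step either side for clock drift.
    otp_ok = any(hmac.compare_digest(totp(user["totp_secret"], now + d * TOTP_STEP).encode(),
                                     code.encode()) for d in (-1, 0, 1))
    if pw_ok and otp_ok:
        return {"sub": username, "roles": frozenset(user["roles"])}
    return None


def authorize(principal, action: str, resource: str) -> bool:
    """AuthZ: an authenticated principal still needs a role that grants this action."""
    if principal is None:
        return False
    return any((action, resource) in ROLE_PERMISSIONS.get(r, ()) for r in principal["roles"])


def demo():
    """Constructed walk-through at a fixed time so the TOTP codes are reproducible."""
    now = 1_700_000_000
    seed = enroll("alice", "correct horse battery staple", ["clerk"])
    good = totp(seed, now)
    bad = f"{(int(good) + 1) % 10 ** 6:06d}"
    alice = authenticate("alice", "correct horse battery staple", good, now)
    return {
        "both_factors_login": alice is not None,
        "password_alone_fails": authenticate("alice", "correct horse battery staple", bad, now) is None,
        "otp_alone_fails": authenticate("alice", "wrong password", good, now) is None,
        "unknown_user_fails": authenticate("mallory", "x", good, now) is None,
        "clerk_may_read": authorize(alice, "read", "ledger"),
        "clerk_may_not_approve": not authorize(alice, "approve", "ledger"),
        "unauthenticated_denied": not authorize(None, "read", "ledger"),
    }
```

The split matters operationally: authentication happens once and yields a principal, authorization happens on every request against current policy, so a role change or termination takes effect without touching the login path. Run `demo()` to see every check return True.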
Enterprise Identity
Employers have employees [power relationship].
* Provisioning
* Enterprise Single Sign-On
* Authentication (AuthN)
* Access Control / Authorization (AuthZ): roles and attributes
* Termination
Citizen Identity
Civic records:
* Birth
* Death
* Marriage
* Divorce
* Parent
* Driver's License
* Voting
* Other Licensing
* Health Care
* Social Insurance
* Taxation

Citizen Identity
The power relationship between the citizen/subject and government entities is NOT the same as the power relationship between an employer and its employees. The systems used for enterprise identity management cannot be picked up and plopped down on citizen <-> government identity management contexts; they have to work differently. Enterprise provisioning and termination is clearly not the same as the government issuance of a birth certificate and a death certificate.
The Identity Dog represents two things:
* Freedom to be who you want to be
* Freedom to share more specific, validated information about yourself
User-Centric / Self-Sovereign Identity
Custodianship? (Children, elders)
http://www.flickr.com/photos/seektan/2582803300/sizes/z/in/photostream/
How do people "get" user-centric digital identity today?
* Google profiles, Yahoo! profiles
* Facebook, LinkedIn
* Hack it together with handles from web mail providers or on a service like Twitter
Challenge with e-mail addresses as identities: the communications token is the "ID".
User-Centric / Self-Sovereign Identity
What are our rights in these commercial spaces governed by Terms of Service?
How are we “citizens” in private space?
In physical life we have protection of our physical self - people will be prosecuted for harming us. What is the equivalent in online spaces?
Freedom to not be “erased” under TOS
User-Centric / Self-Sovereign Identity
How do people "get" user-centric digital identity?
Identifier side:
* Own their own domain name.
* Have a blog? Run an OpenID server?
Claims-based side:
* Almost impossible.
* Little relying-party adoption (places where third-party or self-generated claims will be accepted).
* Little client-side app adoption.
User-Centric / Self-Sovereign Identity
Emerging today: how do people "get" self-sovereign digital identity?
* Proposed: Distributed IDentity (DID)
* Distributed ledger technology
* Emerging networks for their exchange: ID/DataWeb
* W3C Verified Claims Working Group
* Personal data banks / stores / vaults / etc.
What is the context for people gathering?
"We're trying to build a social layer for everything." - Mark Zuckerberg
User-Centric / Self-Sovereign Identity
User-centric digital identity is the:
• Freedom to aggregate
• Freedom to disaggregate
• Freedom to not be "erased" under TOS
• Freedom of movement and assembly: freedom to group and cluster outside commercial silos and business contexts
• Freedom to peer-to-peer link, and the freedom to determine whether, and how, the link is seen by others
• Custodianship is possible
It isn't just a technical problem: technology, legal, social, business?
User-Centric / Self-Sovereign Identity
Why have we yet to succeed? It is a REALLY hard problem set: user-centric digital identity that is
1. open-standards based,
2. at the scale of the internet plus other digital systems,
3. that people find usable,
4. that they understand,
5. that is secure,
6. that requires the emergence of new social behaviour,
7. and changes business models and norms.
Because it is REALLY HARD, we are still working on making the vision real.
The Internet Identity Workshop continues, and new efforts complement it:
* Rebooting Web of Trust
* Personal Data Ecosystem
* Re-Decentralize
* Personal Data 2016 ...
Many protocols are emerging (OpenID, OAuth, SCIM), along with frameworks to believe the veracity of the exchange of attributes and identifiers.
User-Centric / Self-Sovereign Identity
Spectrum of Identity (figure; only the axis labels and the examples survive extraction)
Rows: Anonymous (?), Pseudonymous (✓), Verified (✓)
Columns: One Site / Multi-Site; Self-Asserted / Socially Validated / Verified
Examples placed on the spectrum:
* Verified claims without a full identity: over 18 years, woman, voter, CA Congressional District 9
* Fully verified identity: Ms. Sue Donna, DOB = 1/21/1982, 1823 6th Ave., Alameda, CA
* Pseudonymous across multiple sites: http://www.identitywoman.net
* Limited Liability Persona
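The "over 18 without giving your real name" point made under Identifiers vs. Claims, and the "verified claims without a full identity" corner of this spectrum, can be shown in code. The following is an added example, not code from the presentation or from any real issuer: the issuer signs a list of salted hashes, one per claim; the holder hands a relying party the signed list plus only the (salt, claim) pairs it chooses to reveal; the relying party recomputes each revealed hash and checks it appears in the signed list. Two things are constructed for the example: the sample records (reusing the deck's "Sue Donna" data plus an invented minor), and the issuer's key, where an HMAC stands in for the digital signature a real issuer would use so that the example runs with the standard library alone.

```python
"""Selective disclosure: present one verified claim, withhold the rest."""
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key. A real deployment uses a
# public-key signature (e.g. Ed25519) that relying parties verify with the
# issuer's public key; HMAC is used here only to keep the example offline.
ISSUER_KEY = secrets.token_bytes(32)


def _digest(salt: bytes, name: str, value) -> str:
    """Salted commitment to one claim; the salt stops guessing low-entropy values."""
    return hashlib.sha256(salt + json.dumps([name, value], sort_keys=True).encode()).hexdigest()


def issue(claims: dict) -> dict:
    """Issuer -> holder: a credential whose signed part is only a list of digests."""
    disclosures = {name: (secrets.token_bytes(16), value) for name, value in claims.items()}
    digests = sorted(_digest(salt, name, value) for name, (salt, value) in disclosures.items())
    payload = json.dumps({"issuer": "example-dmv", "digests": digests}, sort_keys=True)
    signature = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature, "disclosures": disclosures}


def present(credential: dict, reveal) -> dict:
    """Holder -> relying party: the signed payload plus only the chosen claims."""
    return {"payload": credential["payload"], "signature": credential["signature"],
            "revealed": {name: credential["disclosures"][name] for name in reveal}}


def verify(presentation: dict, required):
    """Relying party: valid issuer signature, and every required claim present and
    matching a signed digest. Returns the verified claims, or None."""
    expected = hmac.new(ISSUER_KEY, presentation["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    signed = set(json.loads(presentation["payload"])["digests"])
    revealed = presentation["revealed"]
    verified = {}
    for name in required:
        if name not in revealed:
            return None
        salt, value = revealed[name]
        if _digest(salt, name, value) not in signed:
            return None
        verified[name] = value
    return verified


def demo():
    """Constructed walk-through: a bar needs only age, a polling place needs two claims."""
    sue = issue({"name": "Sue Donna", "dob": "1982-01-21", "over_18": True,
                 "address": "1823 6th Ave., Alameda, CA", "voter": True})
    minor = issue({"name": "Pat", "dob": "2010-05-02", "over_18": False})

    bar = present(sue, ["over_18"])
    poll = present(sue, ["voter", "over_18"])
    forged = present(minor, ["over_18"])
    salt, _ = forged["revealed"]["over_18"]
    forged["revealed"]["over_18"] = (salt, True)      # holder alters the value

    return {
        "bar_learns_only_age": verify(bar, ["over_18"]) == {"over_18": True},
        "name_not_disclosed": "name" not in bar["revealed"],
        "poll_gets_two_claims": verify(poll, ["voter", "over_18"]) == {"voter": True, "over_18": True},
        "missing_claim_rejected": verify(bar, ["voter"]) is None,
        "forged_value_rejected": verify(forged, ["over_18"]) is None,
    }
```

Caveat a practitioner should keep in mind: the signed digest list itself is identical in every presentation, so two relying parties that compare notes can tell they saw the same credential even though neither learned the name. Unlinkability across sites needs either batches of single-use credentials or a zero-knowledge scheme, which is what separates "pseudonymous, multi-site" from "verified" on the spectrum above.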
Properties of Identity
Identity is social. Identity is subjective. Identity is valuable. Identity is referential. Identity is composite. Identity is consequential. Identity is dynamic. Identity is contextual. Identity is equivocal.
OECD paper, "At a Crossroads: 'Personhood' and the Digital Identity in the Information Society"
Laws of Identity
by Kim Cameron, https://www.identityblog.com/?p=354
1. User Control and Consent
2. Limited Disclosure for Limited Use
3. The Law of Fewest Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts