The need for a validated identity in the digital world is becoming more and more pronounced, yet most people aren't even aware that solutions exist to provide a digital identity. But then again, what is a digital identity, and who would issue something equivalent to a digital driver's license?
We could sit and kick around all the possibilities for a digital driver's license (PGP, X.509 certs, federated identity, etc.) and discuss the strengths and weaknesses of each, but I am more interested in moving towards the future.
Identity 2.0 is a very interesting idea; if you haven't seen it, I highly recommend that you watch this and this. But how do we know that any of the data in a Sxip persona has been validated, that this person is who they say they are? It's a sad state of affairs, but when someone signs up for your website you have no idea whether that person is who they say they are, whether they are the age they claim to be, or even whether they are human.
Certificate Authorities are supposed to validate their users, but in most cases they have failed miserably, and now a whole new class of “highly validated” or “high assurance” certificates is emerging. If we stop and think, though, you are supposed to be able to tell the validation level of a cert by looking at its class level, a convention the CA industry only loosely agrees on. Class 1 certs are email validated, class 2 means “reasonable checking” (which varies from CA to CA), and class 3 means “strong checking”; class 3 is supposed to be as strong as anyone needs. The value of these classes has been watered down by bad practices, but if you could trust that a CA was doing what it is supposed to do, then class 3 email certificates would be an excellent place to start your “digital driver's license”.
Well, without naming the Certificate Authorities that haven't done their job, there are two that are definitely trying: StartCom and Thawte. StartCom is following all the “best practices”, including issuing the different class levels of certificates from different Sub-CAs, so a relying party can read the class level of a certificate straight from its issuing chain rather than from anything the certificate holder claims about themselves.
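To make the “read the class from the issuing chain” idea concrete, here is an added example that is not part of the original post and not StartCom's own tooling. It uses only the Go standard library to build a constructed hierarchy of the shape described above (one root, one sub-CA per class), issues a client certificate under the Class 2 sub-CA, verifies the chain, and derives the class from the issuing sub-CA's subject. The CA names, the email address, and the “Class N” marker in the sub-CA's OU are assumptions made for this example, not an industry standard and not StartCom's actual subject names. The point it adds to the text is that the class is read from the issuer in the verified chain, never from anything the requester wrote into their own certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a certificate with the private key that signs certificates below it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent (self-signs when parent is nil) and returns the parsed result.
func issue(tmpl *x509.Certificate, parent *ca) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // unique enough for a demo
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent = &ca{tmpl, key} // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &ca{cert, key}, err
}

// newCA issues a CA certificate whose OU carries the class marker; that convention is an assumption of this example.
func newCA(cn, ou string, parent *ca) (*ca, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, parent)
}

// buildHierarchy constructs the CA tree: one root and one sub-CA per class.
func buildHierarchy() (root, class1, class2 *ca, err error) {
	if root, err = newCA("Example Root CA", "Root", nil); err == nil {
		if class1, err = newCA("Example Class 1 Client CA", "Class 1", root); err == nil {
			class2, err = newCA("Example Class 2 Client CA", "Class 2", root)
		}
	}
	return
}

// clientTemplate is an end-entity client/email request; its OU is whatever the requester claimed.
func clientTemplate(name, email, claimedOU string) *x509.Certificate {
	return &x509.Certificate{
		Subject:        pkix.Name{CommonName: name, OrganizationalUnit: []string{claimedOU}},
		EmailAddresses: []string{email},
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
}

// classOf verifies leaf through the known sub-CAs to root and reads the class from the issuing sub-CA's OU.
func classOf(leaf, root *x509.Certificate, subCAs ...*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range subCAs {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return 0, err // does not chain to our root: no class and no trust
	}
	issuer := chains[0][1] // chains[0] is leaf, issuing sub-CA, ..., root
	for _, ou := range issuer.Subject.OrganizationalUnit {
		var n int
		if _, err := fmt.Sscanf(ou, "Class %d", &n); err == nil && n > 0 {
			return n, nil
		}
	}
	return 0, fmt.Errorf("issuing CA %q carries no class marker", issuer.Subject.CommonName)
}

func main() {
	root, class1, class2, err := buildHierarchy()
	if err != nil {
		panic(err)
	}
	leaf, err := issue(clientTemplate("Alice Example", "alice@example.com", "Class 3"), class2)
	if err != nil {
		panic(err)
	}
	fmt.Println(classOf(leaf.cert, root.cert, class1.cert, class2.cert)) // 2 <nil>: the issuer, not the leaf's own OU, decides
}
```

Alice asked for “Class 3” in her own subject, but only the Class 2 sub-CA vouched for her, so the chain yields 2. If the issuing sub-CA is not among the intermediates you trust, or the leaf chains to a different root, `classOf` returns a verification error rather than a class, which is the behaviour a relying party wants: an unverifiable certificate has no class at all.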
If we suppose that a class 2 certificate is good enough (class 2 certs from StartCom are more thoroughly checked than class 3 certificates from other CAs), we have a good starting point. But how do we pass this around, and how do you go about protecting this bit of data, especially now that digital signatures are legally binding in various circumstances?
Keeping the private key behind a certificate on a smartcard gives you some real benefits, not the least of which is limiting how many copies are lying around: a key kept on a smartcard is not meant to leave it, so the only usable copy is the one in your pocket (how many copies of your driver's license do you want lying around?).
Still, if you say that a client certificate is equivalent to a digital driver's license, then you have to ask what good it is and what you can do with it. I am hoping that, with input and ideas from others, client certificates can be used as strong authentication for systems like Sxip.
Systems like Sxip are trying to solve the question of who you are when you hit a website, but do I trust that the homesite did due diligence when validating you? If we can't trust the big names in the CA world to do it, how can we trust these other sites?
It seems that the only way we can trust identity claims is if we trust the source, so which source do we trust? In the real world we assume that driver's licenses and passports are subject to due diligence, but we aren't 100% sure, and then there is the problem of fake IDs.
Identity is a bit of a sticky wicket if you want to be sure that you are talking to who you think you are. But with things like HIPAA it becomes VERY important, even if the laws aren't written terribly well.
I am hoping that the StartSSL community (a.k.a. the StartCom Web of Trust) will be able to come up with solutions, and pave the way to a bright future.
It sounds good. Another CA trying to build a WoT, but what will be the liability of the StartCom WoT toward the issued certificates? Is it going to be “no liability” like in the Thawte WoT? Because this is the biggest issue.
Comment by Romagny — September 13, 2006 @ 7:22 pm
The Web of Trust Community must work in such a way that the certs can be insured because the StartCom CPS states that all certs issued must be insured.
Therefore these issues must be addressed, hence this blog.
Comment by startssl — September 13, 2006 @ 7:42 pm
The concept is simple: the StartCom CA will take on the responsibilities of the issuing certification authority according to the StartCom CA policy and external intermediate CA policy. Certificates of the Web-of-Trust Intermediate CA will be valued as Class 1, whereas the WoT community adds its own value to the verification process. Liability is somewhat problematic with WoT notaries, as liability can't always be enforced. However, the idea is to provide an added value to the basic Class 1 verifications (which will be performed by the StartCom CA) by the WoT community, for the WoT community and whoever decides to rely on it. However, the internal StartSSL WoT policy has not been published yet; once this is done you can get a better picture of it!
Comment by Eddy Nigg — September 13, 2006 @ 7:59 pm
I still don’t quite grok how the WoT relates to Class 2 and Class 3 certs. Let’s say I have a Class 2 cert from StartCom (in fact I do!), can I participate in the WoT with that cert or must I also have a Class 1 cert and use that instead within the WoT? It seems to me that the WoT is something that could be built on top of certs of any class, not just Class 1 (Class 1 is the minimum cert, but if you have Class 2 or Class 3 then so much the better!). But maybe I’m missing something. Oh, and thanks for working on this!
Comment by Peter Saint-Andre — September 14, 2006 @ 5:20 pm
How the classes of certs relate to the StartCom WoT is up in the air. However, other CAs rely exclusively on their WoTs to determine whether someone gets a Class 1 or Class 3 certificate; I have yet to find a CA other than StartCom that will issue Class 2 certificates.
In theory, if a Notary/Assurer assures someone's identity for the web of trust, you immediately move from a Class 1 validation level to Class 2 or 3, or perhaps even 4, depending on what the rules are and the liabilities of the CA.
I want to lay out rules for the WoT that are clear, concise and CAN be followed, eliminating the proclivity for mistakes. I feel that, done very carefully, the WoT can be used to issue class 3 or 4 certs. After getting the rules laid out, based on Notary law, I plan on bringing the rules to my “Secretary of State” for state approval for StartCom to be added to the Approved List of Digital Signature Certification Authorities.
Comment by startssl — September 14, 2006 @ 5:54 pm
What are Class 4 certificates? Are there industry-wide standards for the meaning of the various classes?
Regarding “upgrades”, my impression is that the WoT would be something rather informal or decentralized built on top of the certificate issuance system. I see the WoT as a community of trust in which certificates are used for identifying people (where the digital identities can be stronger or weaker depending on the certificate class), but the community merely uses (and does not issue) certificates. So I might add someone to my personal web after having met them in person even if they have a Class 1 cert, but I might personally rank the person higher or trust the person more if they have a Class 2 or Class 3 certificate (since that indicates they have provided more information to StartCom in order to get the higher level cert). But I think the decentralized web that emerges will leverage the centralized certificate issuance process, not replace it in any way. Or at least that’s how I think about it.
Comment by Peter Saint-Andre — September 14, 2006 @ 6:11 pm
The definitions for the first 3 are loosely agreed upon by the CA industry.
Class 1 = email address validation only.
Class 2 = reasonable checking. Some CAs confuse this with Class 3.
Class 3 = Thorough Checking.
If we look at the persona validation procedures of other CAs, some will make an automated phone call asking the caller to “press 1 if you requested the cert, press 2 if you have no idea what this phone call is about.” Other CAs check the email, charge your credit card, and say that is thorough checking. And some actually make you stand in front of someone and show your photo ID.
StartCom's policies are published for everyone to see (Class 1 and Class 2); however, StartCom doesn't offer Class 3 certs to the public.
Class 4 validation standards are (to my knowledge) still up in the air. Essentially the governments of the world are pushing for them. Think of it as the level of validation you would have to have to work for the DoD. These certs would be ideal for conforming to HIPAA as well as DoD specs for privacy, identity verification and encryption.
As far as a WoT being informal, I feel that has been the problem with WoTs in the past. No liability, no formality, and thus no trust. What is a Web of Trust without trust? What good does it do anyone? If you are using a class 1 cert and it's “enhanced” by the WoT countersigning it… you may as well be using PGP and the GSWoT.
Decentralized (to a point) is fine, and necessary, but to assure trust it's necessary for the CA to remain in control and for the rules to be followed. Think of it as going to your local DMV to get your driver's license.
Comment by startssl — September 14, 2006 @ 6:45 pm