StartCom Web of Trust

October 6, 2006

Sxipping In, User Centric Identity and its Relationship to a CA

Filed under: Digital Identity, identity — startssl @ 9:25 pm

Sxip, OpenID, CardSpace (formerly InfoCard) and i-names are user-centric models of identity.

I find the whole idea about this extremely interesting, but there are some things to consider.

Privacy… am I going to give this site my real info?

Authority… how are sites to know that I am providing my real info, or do they care?

These user-centric models mean that the user can create their own persona to carry around from site to site. In some cases I may want absolute anonymity, say if I am Chinese and trying to blog; in other cases I may want 100% certainty that I am who I say I am. Since these models let me claim anything I like, which is fine for anonymous access, I am more concerned with providing reasonable certainty that I am who I say I am.
Let's face it, with spammers and phishers and every other kind of creep out there, it's really hard to state that a person visiting your site is who they claim to be. So how can I state that I am who I say I am in a trustworthy way? You could think of this as something like trying to validate that an email really came from the person listed in the "From" header.
On the internet just about everything is easy to fake; only cryptography can really help. So we come to public/private key cryptography. As I have stated before, PGP is only good for anonymous and pseudonymous encryption, but actually any keypair that isn't backed by a statement from a trusted source is going to have the same problem. Without a trusted source there is no way to validate that the public key you received is the one you think it is and not a well-crafted fake substituted along the way. The only people capable of making trustworthy identity assertions are governments (ok, this is a bit of an exaggeration, but it's as close to the truth as I am going to bother with); the only other group trying to make identity assertions are Certificate Authorities, like StartCom and VeriSign. However, not all CAs have the same rules about validating the identity of their users.

The assertion of an identity is a tricky business. I have set forth a plan earlier on how to make it reliable, but the ruling has been that relying on volunteers means there is no reliability. Still, the ability for a user to associate a persona with a particular certificate, or group of certificates, would be like having a choice of ID cards: some very reliable, like a driver's license, some not, like a library card. I see a great deal of value in making a CA a homesite, as well as in making a CA a membersite.

As a homesite, a CA could give users an authoritative place from which to share their data. As a membersite, a CA could speed up user registration.

Either way, there seem to be a lot of reasons to make the association between a user-centric account and a CA account or certificate.

September 14, 2006

Making a Digital Identity Assertion like the Notary Public System

Filed under: Digital Identity, identity — startssl @ 4:38 pm

In the real world, when you have a very important document that needs to be signed and the identity of the signer validated, you get a Notary Public involved. The Notary checks the signer's ID, witnesses the signature, and then countersigns the document and stamps it. Then, if the Notary is following the Model Notary Act, the Notary and the signer both sign a notary journal. This makes the signature more legally binding than a normal signature. This notarization process is required on many documents like wills, loans and adoption papers.

This whole process is necessary because you can't imprint your photo ID onto a piece of paper, and even if you could, it wouldn't be a good idea to have all those details on the paper.

A digital signature made with the private key behind an X.509 certificate is very much the equivalent of an inked signature, and in some states here in the US it is just as legally binding. But what about a Notary's countersigning capability? Well, if we look at Class 3 and Class 4 certificates and the identity checking that is supposed to be done before issuing them, then the ID-check part of notarization has already been done. This would make the Notary almost completely unnecessary, if the private keys were protected, say on a smartcard, to prevent misuse.

Because most people don't protect their private keys properly, and because the TIME of a signature is very important yet a signer's own clock cannot be trusted, eNotarization becomes reasonable again.

So how would a CA do due diligence for identity validation, to create a Class 3 or 4 certificate that means what it is supposed to mean? Well, the obvious answer is to model a system after a real-world system that is supposed to address the same problem, and try to eliminate the problems that have presented themselves there.

So what should a Notary be doing?

Narrowing the various powers of a Notary Public down to what the office. This sounds like what a Web of Trust Notary should be doing
Ignoring the fact that lots of states don't require any training or testing for Notaries, a Notary should be familiar with photo IDs and should be able to identify a fake, so they can validate the signature.

What process does a Notary follow?

Ideally this

So what would need to be done for persona validation in an electronic Notarization?

Ideally, exactly the same thing with a few considerations.

  • Notary seals are used to show (1) that they are a Notary, and (2) that it is the Notary doing the validation, not someone forging a signature. The only way to get this kind of certainty in the electronic world is to protect the Notary's private key on a smartcard.
  • Notary Publics must be bonded (and sometimes insured); electronic persona validation means nothing if the electronic Notaries aren't similarly covered.
  • Notary Publics are subject to malfeasance rules; electronic Notaries must also be subject to such regulations.
  • Notary Publics (in states that have updated laws) must show knowledge of the laws that govern them AND have manuals that help them spot fake IDs. Electronic Notaries also need to have this knowledge and be able to prove it.
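As an added worked example (my code, not from the original post and not StartCom's or any CA's software), the following Python models two things: the point made in the October 6 post above, that a public key not vouched for by a trusted statement can simply be swapped for a fake, and the notary process described here, where the notary checks the signer's certificate (including its class), witnesses the signature, and countersigns the document hash, the signature and the time. The RSA is textbook RSA over known Mersenne primes with no padding, the "certificate" is a signed JSON record rather than X.509, and all names, the issuer string, the document text and the timestamp are constructed for the example. The issuer name carries the class, much as the class can be read from the issuing Sub-CA in a real chain.

```python
"""Toy model of a CA-backed identity assertion versus a bare public key, plus a
notary-style countersignature that fixes the time.  Textbook RSA over known
Mersenne primes with no padding: a teaching model only.  Data is constructed."""
import hashlib
import json

E = 65537
# Mersenne primes 2^k - 1 (all known primes); toy sizes, every modulus > 2**128.
M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
M521, M607, M1279, M2203 = 2**521 - 1, 2**607 - 1, 2**1279 - 1, 2**2203 - 1

def keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)); E is coprime to (p-1)(q-1)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _rep(data):
    # 128-bit message representative, always below the smallest modulus above.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(priv, data):
    n, d = priv
    return pow(_rep(data), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _rep(data)

def canon(obj):
    """Canonical JSON so issuer and verifier hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def issue_cert(ca_priv, subject, klass, subject_pub):
    """CA statement binding a name to a key.  As with per-class Sub-CAs, the
    (constructed) issuer name tells a verifier how the subject was checked."""
    body = {"issuer": f"Example Class {klass} Sub-CA", "subject": subject,
            "class": klass, "pub": list(subject_pub)}
    return {"body": body, "sig": sign(ca_priv, canon(body))}

def check_cert(ca_pub, cert, expected_subject):
    """Return (key, class) only if the trusted CA vouches for that exact name."""
    body = cert["body"]
    if body["subject"] != expected_subject or not verify(ca_pub, canon(body), cert["sig"]):
        return None
    return tuple(body["pub"]), body["class"]

def accept_bare_key(claimed_pub, doc, sig):
    """No trusted statement about the key: whatever key arrived is believed."""
    return verify(claimed_pub, doc, sig)

def accept_certified(ca_pub, cert, signer, doc, sig):
    found = check_cert(ca_pub, cert, signer)
    return found is not None and verify(found[0], doc, sig)

def notarize(notary_priv, notary_cert, ca_pub, signer_cert, signer, doc, sig, when, min_class=3):
    """Check the signer's ID (cert and class), witness the signature, then
    countersign document hash + signature + time taken from the notary's own clock."""
    found = check_cert(ca_pub, signer_cert, signer)
    if found is None or found[1] < min_class or not verify(found[0], doc, sig):
        return None
    entry = {"doc_sha256": hashlib.sha256(doc).hexdigest(), "signer": signer,
             "signer_sig": sig, "signer_class": found[1], "time": when,
             "notary": notary_cert["body"]["subject"]}
    return {"entry": entry, "notary_sig": sign(notary_priv, canon(entry))}

def verify_notarization(ca_pub, notary_cert, record, doc):
    """Relying party: trusted CA -> notary's key -> countersignature -> this document."""
    entry = record["entry"]
    found = check_cert(ca_pub, notary_cert, entry["notary"])
    if found is None or entry["doc_sha256"] != hashlib.sha256(doc).hexdigest():
        return False
    return verify(found[0], canon(entry), record["notary_sig"])

def demo():
    ca_pub, ca_priv = keypair(M1279, M2203)
    alice_pub, alice_priv = keypair(M61, M89)
    mallory_pub, mallory_priv = keypair(M107, M127)
    notary_pub, notary_priv = keypair(M521, M607)
    alice_cert = issue_cert(ca_priv, "alice@example.org", 3, alice_pub)
    notary_cert = issue_cert(ca_priv, "notary@example.org", 3, notary_pub)
    when = "2006-09-14T16:38:00Z"                     # constructed timestamp
    # Mallory forges a will, signs it with her own key and presents that key as Alice's.
    forged = b"I, Alice, leave everything to Mallory."
    forged_sig = sign(mallory_priv, forged)
    fooled = accept_bare_key(mallory_pub, forged, forged_sig)
    # She can write a certificate naming Alice, but can only sign it with her own key.
    fake_cert = issue_cert(mallory_priv, "alice@example.org", 3, mallory_pub)
    caught = not accept_certified(ca_pub, fake_cert, "alice@example.org", forged, forged_sig)
    doc = b"I, Alice, leave everything to the cat."
    alice_sig = sign(alice_priv, doc)
    record = notarize(notary_priv, notary_cert, ca_pub, alice_cert, "alice@example.org", doc, alice_sig, when)
    weak = issue_cert(ca_priv, "alice@example.org", 1, alice_pub)      # email-only check
    refused = notarize(notary_priv, notary_cert, ca_pub, weak, "alice@example.org", doc, alice_sig, when) is None
    return {"fooled": fooled, "caught": caught, "refused": refused,
            "notarized": verify_notarization(ca_pub, notary_cert, record, doc),
            "tampered": verify_notarization(ca_pub, notary_cert, record, doc + b"!")}

if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the five outcomes: the bare-key check accepts Mallory's forgery, the certified check rejects her self-made certificate because only the CA's key verifies it, the notary refuses a Class 1 (email-only) certificate, and the countersignature fails as soon as the document changes. A real deployment would use padded signatures (RSA-PSS or ECDSA), X.509 certificates and a time from a trusted clock, and keep the notary's private key on a smartcard as the post says.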

September 13, 2006

Identity and Certificate Authorities

Filed under: Digital Identity, identity, security — startssl @ 7:03 pm

The need for a validated identity in the digital world is becoming more and more pronounced, yet most people aren't even aware that there are solutions for providing a digital identity. But then again, what is a digital identity, and who would issue something equivalent to a digital driver's license?

We could sit and kick around all the possibilities for a digital driver's license (PGP, X.509 certs, federated identity, etc.) and discuss the strengths and weaknesses of each, but I am more interested in moving towards the future.

Identity 2.0 is a very interesting idea; if you haven't seen it, I highly recommend that you watch this and this. But how do we know that any of the data for a Sxip persona has been validated, that this person is who they say they are? It's a sad state of affairs, but when someone signs up for your website you have no idea whether that person is who they say they are, whether they are the age they claim to be, or even whether they are human.

Certificate Authorities are supposed to validate their users, but in most cases they have failed miserably, and now a whole new class of "highly validated" or "high assurance" certificates is emerging. If we stop and think, though, you are supposed to be able to tell the validation level of a cert by looking at its class level: Class 1 certs are email validated, Class 2 involve "reasonable checking" (which varies from CA to CA), and Class 3 involve "strong checking", and these Class 3 certificates are supposed to be as good as anyone needs. The validity of these classes has been watered down by bad practices, but if you could trust that the CA was doing what it is supposed to be doing, then Class 3 email certificates would be an excellent place to start your "digital driver's license".

Well, without naming the Certificate Authorities that haven't done their job, there are two that are definitely trying: StartCom and Thawte. StartCom is following all the "best practices", including issuing the different class levels of certificates from different Sub-CAs, so it is easy to identify the class level of a certificate simply by looking at the issuing chain.

If we suppose that a Class 2 certificate is good enough (Class 2 certs from StartCom are more thoroughly checked than Class 3 certificates from other CAs), we have a good starting point. But how do we pass this around, and how do you go about protecting this bit of data, especially with digital signatures being legally binding in various circumstances?

Protecting a certificate's private key on a smartcard gives you some real benefits, not the least of which is limiting how many copies are lying around (how many copies of your driver's license do you want lying around?).

Still, if you say that a client certificate is equivalent to a digital driver's license, then you have to ask: what good is it, what can I do with it? I am hoping that, with input and ideas from others, client certificates will be usable as strong authentication for systems like Sxip.

Systems like Sxip are trying to solve the issue of who you are when you hit a website, but do I trust that the homesite did due diligence when validating you? Since we can’t trust the big names in the CA world to do it, how can we trust these other sites?

It seems like the only way we can trust identity claims is if we trust the source, so which source do we trust? In the real world we assume that driver's licenses and passports are subject to due diligence, but we aren't 100% sure, and then we have the problem of fake IDs.

Identity is a bit of a sticky wicket if you want to be sure that you are talking to who you think you are. But with things like HIPAA it becomes VERY important, even if the laws aren't written terribly well.

I am hoping that the StartSSL community (a.k.a. the StartCom Web of Trust) will be able to come up with solutions, and pave the way to a bright future.
