W3C home > Mailing lists > Public > public-credentials@w3.org > October 2014

Re: South Korean ID system to be rebuilt from scratch

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Mon, 20 Oct 2014 11:23:59 -0400
Message-ID: <5445290F.5070503@digitalbazaar.com>
To: public-credentials@w3.org
On 10/18/2014 12:22 PM, ottonomy@gmail.com wrote:
> This article doesn't get deep into technical details, but it does
> say Estonians can authenticate their ownership of an identity and
> sign documents (and they have two corresponding PINs for their ID
> card.) And if cards are lost they can be cancelled.

Yep, important lessons to be learned from the Estonians:

http://en.wikipedia.org/wiki/Estonian_ID_card
http://siteresources.worldbank.org/EXTEDEVELOPMENT/Resources/Martens_Estonia.ppt

It's basically a chip-and-pin card based on open standards,
public/private key crypto, and X.509.

These same fundamental things underpin the Secure Messaging[1] and
Identity Credentials[2] specs. For example:

1. It's based on public key crypto and is compatible w/ X.509. The
   technology can be used for digital signatures and encryption.
2. Credentials are assigned to a single identity.
3. An identity always has a public key associated with it so that the
   identity can use their private key to prove ownership over a
   particular credential. This is important because receivers want
   to have proof that the sender of a credential is also the entity
   that the credential was initially assigned to and that they
   authorized the credential to be sent to the receiver.
4. If a private key is stolen, the public key can be deactivated by the
   owner of the identity. Assigning a new public key is a fairly
   trivial process.

The downsides for the Estonian system:

1. It requires a government issued card.
2. Centralized certificate authority (privately run, government-backed
   monopoly).
3. Sledge-hammer approach. Required if you're over the age of 15.
   Requires you to walk into a regional office (no gradual steps to go
   from "unidentified" to "weakly proofed identity", to "strongly
   proofed identity").

It's really an impressive feat considering they started working on this
back in 1997, when PKI was /really/ bleeding edge.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: High-Stakes Credentials and Web Login
http://manu.sporny.org/2014/identity-credentials/
Received on Monday, 20 October 2014 15:24:21 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:21 UTC