Re: Room for government DIDs? from =Drummond Reed on 2017-12-04 (public-credentials@w3.org from December 2017)

From: =Drummond Reed <drummond.reed@evernym.com>
Date: Sun, 3 Dec 2017 17:29:22 -0800
To: Luca Boldrin <luca.boldrin@infocert.it>
Cc: Markus Sabadello <markus@danubetech.com>, "public-credentials@w3.org" <public-credentials@w3.org>
Message-ID: <CAAjunnYQaw8Bh2-0kRiQv_aXDA9WFwP2ZQ7_ZmhA2kj+AHS=UA@mail.gmail.com>
Thanks, Luca, that is very helpful.

=Drummond

On Fri, Dec 1, 2017 at 4:09 AM, Luca Boldrin <luca.boldrin@infocert.it>
wrote:

> Hi,
>
> As far as I know EU regulation is not that specific on the generation of
> the key pair for electronic ID.
>
> The normative reference is technologically neutral, see
>
> http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=
> CELEX:32015R1502&from=IT,   annex 2.2
>
> There are analysis suggesting that FIDO can be used to some extent, e.g.
>
> http://referaat.cs.utwente.nl/conference/26/paper/7611/
> authentication-assurance-of-biometric-authentication-
> protocols-on-mobile-devices.pdf
>
>
>
> The situation is quite different for “qualified electronic SIGNATURE”
> (which has a completely different status).
>
> In that case, the CA issuing certificates must verify, among other things,
> that private keys are stored in an appropriate device.
>
> See http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=
> CELEX:32014R0910&from=EN  article 29.
>
>
>
> Best,
>
>
>
> --luca
>
>
>
>
>
> *Da:* Markus Sabadello [mailto:markus@danubetech.com]
> *Inviato:* giovedì 30 novembre 2017 11:48
> *A:* public-credentials@w3.org
> *Oggetto:* Re: Room for government DIDs?
>
>
>
> Yes! I was just about to reply in a similar way.
>
> You would have to prove that your DID was created in a secure way, in
> order to be acceptable for government and other "high assurance" use cases.
>
> Not sure however if current regulation (e.g. eIDAS in the E.U.) is
> compatible with this approach.
>
> Markus
>
> On 11/30/2017 11:02 AM, =Drummond Reed wrote:
>
> Markus, I agree with David: the argument that the government needs to
> create your key pairs is never going to fly with the crypto community
> (amongst others).
>
>
>
> But the decentralized solution, which I've been anticipating may be
> required for "high assurance DIDs", is a verifiable claim from a TPM or
> other trusted computing device that IT generated the key pair.
>
>
>
> =Drummond
>
>
>
> On Wed, Nov 29, 2017 at 1:42 AM, David Chadwick <D.W.Chadwick@kent.ac.uk>
> wrote:
>
> Hi Markus
>
> what is the opinion of the knowledgeable person about keys created by
> FIDO devices using software and hardware provided by mobile phone
> providers? Will they be happy to accept these keys or not?
>
> regards
>
> David
>
>
> On 28/11/2017 21:38, Markus Sabadello wrote:
> > I was made aware of a potential problem by someone who is very
> > knowledgeable in E.U. national eID systems.
> >
> > There's a question of liability when you create you own key pair.
> > If a government creates keys for you through a process they control,
> > then they can guarantee that the key is created in a secure way.
> > (At least that's the theory, the recently discovered weakness in 750,000
> > Estonian identity cards is a different story).
> >
> > If you create your own key (for your DID), then perhaps you're using a
> > bad random number generator.
> > You may receive a few verifiable claims for your "bad" DID, but later
> > your private key is broken and your identity stolen.
> >
> > Who is liable now? You, because you created a bad DID, or the issuer of
> > the verifiable claim?
> >
> > A government would want to reduce potential liability as much as
> > possible, and may not be willing to actually issue a verifiable claim
> > for a DID that may be insecure.
> >
> > Markus
> >
> > On 11/28/2017 08:06 PM, Steven Rowat wrote:
> >> On 2017-11-28 9:23 AM, Markus Sabadello wrote:
> >>> So you would model your natural, "self-sovereign" identity by creating
> >>> DIDs, and you would model "legal identity" not by issuing new DIDs, but
> >>> by issuing verifiable claims that make assertions about your DID.
> >>>
> >>> E.g. the government could issue claims for you about citizenship, date
> >>> of birth, national identifier (such as the Peruvian DNI you mentioned),
> >>> driver's license, and everything else that constitutes the "legal self"
> >>> you are talking about.
> >>
> >> +1 This seems so straightforward that I'd hope it can work everywhere.
> >>
> >> But in case there are technical/political reasons why governments
> >> might want to issue their own DID, could it be set up to be optional
> >> -- so that both systems would work together?
> >>
> >> I.e., some governments could set up their own, while others could
> >> merely issue verifiable claims as you suggest?
> >>
> >> Steven
> >>
> >>
> >>>
> >>> I think this topic on "legal ID" and "self-sovereign ID" is a great
> >>> example where we can align our technological tools with "how identity
> >>> works in the real world".
> >>>
> >>> Markus
> >>>
> >>> On 11/28/2017 02:52 AM, David E. Ammouial wrote:
> >>>> Hello,
> >>>>
> >>>> I recently joined the few identity-related workgroups, out of interest
> >>>> for the general subject of decentralised digital identity. I like the
> >>>> idea of DIDs a lot because I find it refreshingly realistic to
> >>>> acknowledge the existence of multiple identity "worlds" rather than
> >>>> trying to create one meant to be the only one. I'm using the world
> >>>> "refreshingly" because it really brings back the original spirit of an
> >>>> internet that is diverse at all levels.
> >>>>
> >>>> Back to the subject of this email. Governments' attempted monopoly of
> >>>> the concept of people's identity is something I personally dislike.
> >>>> You are not defined by what a government accepts or says about you,
> >>>> but by what you say and accept about yourself, and maybe by what the
> >>>> people you care about say and accept about you. However, in some
> >>>> situations those "people you care about" do include governmental
> >>>> entities, for practical definitions of "caring". :)
> >>>>
> >>>> To give a concrete example, you might want to allow your "legal self"
> >>>> to act upon your Sovrin/uPort/V1/X identity through an institution or
> >>>> a company. For example if a government entity provides a facial
> >>>> recognition API to authenticate people, that would correspond in
> >>>> practice to a service of a "did:gov" method. Proving that you are who
> >>>> you say you are (in legal terms) can be something desirable.
> >>>>
> >>>> What would be the practical steps of introducing a "did:gov" method?
> >>>> I'm thinking of a schema like:
> >>>>
> >>>>      did:gov:XX:xxxxxxx
> >>>>
> >>>> Such an identity would be issued by the government of country XX (e.g.
> >>>> US, FR, PE, etc.). The last bit would depend on the rules of each
> >>>> particular country. For example Peru has different types of identity
> >>>> documents: DNI (documento nacional de identidad) for nationals, CE
> >>>> (carné de extranjería) for residents that are not nationals, and a few
> >>>> others. In that context, Peru would perhaps define DIDs around the
> >>>> lines of "did:gov:pe:dni:1234345", but that would obviously be up to
> >>>> the Peruvian government to define those rules.
> >>>>
> >>>> What do you think? There are probably technical aspects, legal
> >>>> aspects, practical aspects... I apologise if this topic has already be
> >>>> brought up in the past and I didn't read about it before posting. I
> >>>> did some basic research on the list's archive and couldn't find
> >>>> anything.
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>
> >
> >
> >
>
>
>
>
>
Received on Monday, 4 December 2017 01:29:57 UTC