W3C home > Mailing lists > Public > public-credentials@w3.org > November 2017

Re: Room for government DIDs?

From: Adrian Gropper <agropper@healthurl.com>
Date: Thu, 30 Nov 2017 11:36:23 +0000
Message-ID: <CANYRo8gWOknYxx57zZC_igLv-nHcX=ju=WG4S=jVc2J6u6BM7A@mail.gmail.com>
To: Markus Sabadello <markus@danubetech.com>
Cc: public-credentials@w3.org
I think th FIDO folks dealt with some of this year’s ago. If I recall, the
device has a certificate of some sort. The certificate does not identify
the specific device or user. Apple, I think, does the same thing.

Adrian

On Thu, Nov 30, 2017 at 5:50 AM Markus Sabadello <markus@danubetech.com>
wrote:

> Yes! I was just about to reply in a similar way.
>
> You would have to prove that your DID was created in a secure way, in
> order to be acceptable for government and other "high assurance" use cases.
>
> Not sure however if current regulation (e.g. eIDAS in the E.U.) is
> compatible with this approach.
>
> Markus
> On 11/30/2017 11:02 AM, =Drummond Reed wrote:
>
> Markus, I agree with David: the argument that the government needs to
> create your key pairs is never going to fly with the crypto community
> (amongst others).
>
> But the decentralized solution, which I've been anticipating may be
> required for "high assurance DIDs", is a verifiable claim from a TPM or
> other trusted computing device that IT generated the key pair.
>
> =Drummond
>
> On Wed, Nov 29, 2017 at 1:42 AM, David Chadwick <D.W.Chadwick@kent.ac.uk>
> wrote:
>
>> Hi Markus
>>
>> what is the opinion of the knowledgeable person about keys created by
>> FIDO devices using software and hardware provided by mobile phone
>> providers? Will they be happy to accept these keys or not?
>>
>> regards
>>
>> David
>>
>> On 28/11/2017 21:38, Markus Sabadello wrote:
>> > I was made aware of a potential problem by someone who is very
>> > knowledgeable in E.U. national eID systems.
>> >
>> > There's a question of liability when you create you own key pair.
>> > If a government creates keys for you through a process they control,
>> > then they can guarantee that the key is created in a secure way.
>> > (At least that's the theory, the recently discovered weakness in 750,000
>> > Estonian identity cards is a different story).
>> >
>> > If you create your own key (for your DID), then perhaps you're using a
>> > bad random number generator.
>> > You may receive a few verifiable claims for your "bad" DID, but later
>> > your private key is broken and your identity stolen.
>> >
>> > Who is liable now? You, because you created a bad DID, or the issuer of
>> > the verifiable claim?
>> >
>> > A government would want to reduce potential liability as much as
>> > possible, and may not be willing to actually issue a verifiable claim
>> > for a DID that may be insecure.
>> >
>> > Markus
>> >
>> > On 11/28/2017 08:06 PM, Steven Rowat wrote:
>> >> On 2017-11-28 9:23 AM, Markus Sabadello wrote:
>> >>> So you would model your natural, "self-sovereign" identity by creating
>> >>> DIDs, and you would model "legal identity" not by issuing new DIDs,
>> but
>> >>> by issuing verifiable claims that make assertions about your DID.
>> >>>
>> >>> E.g. the government could issue claims for you about citizenship, date
>> >>> of birth, national identifier (such as the Peruvian DNI you
>> mentioned),
>> >>> driver's license, and everything else that constitutes the "legal
>> self"
>> >>> you are talking about.
>> >>
>> >> +1 This seems so straightforward that I'd hope it can work everywhere.
>> >>
>> >> But in case there are technical/political reasons why governments
>> >> might want to issue their own DID, could it be set up to be optional
>> >> -- so that both systems would work together?
>> >>
>> >> I.e., some governments could set up their own, while others could
>> >> merely issue verifiable claims as you suggest?
>> >>
>> >> Steven
>> >>
>> >>
>> >>>
>> >>> I think this topic on "legal ID" and "self-sovereign ID" is a great
>> >>> example where we can align our technological tools with "how identity
>> >>> works in the real world".
>> >>>
>> >>> Markus
>> >>>
>> >>> On 11/28/2017 02:52 AM, David E. Ammouial wrote:
>> >>>> Hello,
>> >>>>
>> >>>> I recently joined the few identity-related workgroups, out of
>> interest
>> >>>> for the general subject of decentralised digital identity. I like the
>> >>>> idea of DIDs a lot because I find it refreshingly realistic to
>> >>>> acknowledge the existence of multiple identity "worlds" rather than
>> >>>> trying to create one meant to be the only one. I'm using the world
>> >>>> "refreshingly" because it really brings back the original spirit of
>> an
>> >>>> internet that is diverse at all levels.
>> >>>>
>> >>>> Back to the subject of this email. Governments' attempted monopoly of
>> >>>> the concept of people's identity is something I personally dislike.
>> >>>> You are not defined by what a government accepts or says about you,
>> >>>> but by what you say and accept about yourself, and maybe by what the
>> >>>> people you care about say and accept about you. However, in some
>> >>>> situations those "people you care about" do include governmental
>> >>>> entities, for practical definitions of "caring". :)
>> >>>>
>> >>>> To give a concrete example, you might want to allow your "legal self"
>> >>>> to act upon your Sovrin/uPort/V1/X identity through an institution or
>> >>>> a company. For example if a government entity provides a facial
>> >>>> recognition API to authenticate people, that would correspond in
>> >>>> practice to a service of a "did:gov" method. Proving that you are who
>> >>>> you say you are (in legal terms) can be something desirable.
>> >>>>
>> >>>> What would be the practical steps of introducing a "did:gov" method?
>> >>>> I'm thinking of a schema like:
>> >>>>
>> >>>>      did:gov:XX:xxxxxxx
>> >>>>
>> >>>> Such an identity would be issued by the government of country XX
>> (e.g.
>> >>>> US, FR, PE, etc.). The last bit would depend on the rules of each
>> >>>> particular country. For example Peru has different types of identity
>> >>>> documents: DNI (documento nacional de identidad) for nationals, CE
>> >>>> (carné de extranjería) for residents that are not nationals, and a
>> few
>> >>>> others. In that context, Peru would perhaps define DIDs around the
>> >>>> lines of "did:gov:pe:dni:1234345", but that would obviously be up to
>> >>>> the Peruvian government to define those rules.
>> >>>>
>> >>>> What do you think? There are probably technical aspects, legal
>> >>>> aspects, practical aspects... I apologise if this topic has already
>> be
>> >>>> brought up in the past and I didn't read about it before posting. I
>> >>>> did some basic research on the list's archive and couldn't find
>> >>>> anything.
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>
>> >
>> >
>> >
>>
>>
>
> --

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: https://patientprivacyrights.org/donate-3/
Received on Thursday, 30 November 2017 14:27:10 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:42 UTC