- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Mon, 20 Oct 2014 11:23:59 -0400
- To: public-credentials@w3.org
On 10/18/2014 12:22 PM, ottonomy@gmail.com wrote:
> This article doesn't get deep into technical details, but it does
> say Estonians can authenticate their ownership of an identity and
> sign documents (and they have two corresponding PINs for their ID
> card.) And if cards are lost they can be cancelled.

Yep, important lessons to be learned from the Estonians:

http://en.wikipedia.org/wiki/Estonian_ID_card
http://siteresources.worldbank.org/EXTEDEVELOPMENT/Resources/Martens_Estonia.ppt

It's basically a chip-and-pin card based on open standards, public/private key crypto, and X.509. These same fundamental things underpin the Secure Messaging[1] and Identity Credentials[2] specs. For example:

1. It's based on public key crypto and is compatible w/ X.509. The technology can be used for digital signatures and encryption.
2. Credentials are assigned to a single identity.
3. An identity always has a public key associated with it so that the identity can use their private key to prove ownership over a particular credential. This is important because receivers want to have proof that the sender of a credential is also the entity that the credential was initially assigned to and that they authorized the credential to be sent to the receiver.
4. If a private key is stolen, the public key can be deactivated by the owner of the identity. Assigning a new public key is a fairly trivial process.

The downsides for the Estonian system:

1. It requires a government issued card.
2. Centralized certificate authority (privately run, government-backed monopoly).
3. Sledge-hammer approach. Required if you're over the age of 15. Requires you to walk into a regional office (no gradual steps to go from "unidentified" to "weakly proofed identity", to "strongly proofed identity").

It's really an impressive feat considering they started working on this back in 1997, when PKI was /really/ bleeding edge.
-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: High-Stakes Credentials and Web Login
http://manu.sporny.org/2014/identity-credentials/
Received on Monday, 20 October 2014 15:24:21 UTC
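The mechanism described in points 2 to 4 of the message above (a credential assigned to a single identity, the holder proving control of that identity's key to a specific receiver, and deactivating and replacing a compromised key), as an added Go example that is not part of the original message, of the Estonian system, or of the Secure Messaging / Identity Credentials specs. It uses Ed25519 from Go's standard library instead of X.509 so that it runs offline; the identity URLs, the in-memory key registry, and the `Credential`/`Presentation` field names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a claim an issuer makes about a subject identity (field names are constructed).
type Credential struct {
	Issuer  string `json:"issuer"`
	Subject string `json:"subject"`
	Claim   string `json:"claim"`
}

// SignedCredential carries the issuer's signature over the canonical JSON of the credential.
type SignedCredential struct {
	Credential Credential
	Signature  []byte
}

// Presentation binds a credential to one receiver (the audience) and is signed by the subject,
// which is how the receiver learns that the sender controls the identity the credential was issued to.
type Presentation struct {
	Credential SignedCredential
	Audience   string
	Signature  []byte
}

// KeyRegistry stands in for the directory that maps an identity to its currently active public key.
type KeyRegistry struct{ active map[string]ed25519.PublicKey }

func NewKeyRegistry() *KeyRegistry { return &KeyRegistry{active: map[string]ed25519.PublicKey{}} }

// Assign sets (or rotates) the active public key for an identity.
func (r *KeyRegistry) Assign(id string, pub ed25519.PublicKey) { r.active[id] = pub }

// Deactivate removes the active key, e.g. after the private key was stolen.
func (r *KeyRegistry) Deactivate(id string) { delete(r.active, id) }

func (r *KeyRegistry) Lookup(id string) (ed25519.PublicKey, bool) { k, ok := r.active[id]; return k, ok }

// credentialBytes is the signed message; Go marshals struct fields in declaration order, so it is canonical here.
func credentialBytes(c Credential) []byte { b, _ := json.Marshal(c); return b }

func IssueCredential(issuer string, issuerKey ed25519.PrivateKey, subject, claim string) SignedCredential {
	c := Credential{Issuer: issuer, Subject: subject, Claim: claim}
	return SignedCredential{Credential: c, Signature: ed25519.Sign(issuerKey, credentialBytes(c))}
}

// presentationBytes covers the issuer signature and the audience, so a presentation cannot be replayed elsewhere.
func presentationBytes(sc SignedCredential, audience string) []byte {
	return append(append([]byte{}, sc.Signature...), []byte("|"+audience)...)
}

func Present(sc SignedCredential, audience string, subjectKey ed25519.PrivateKey) Presentation {
	return Presentation{Credential: sc, Audience: audience, Signature: ed25519.Sign(subjectKey, presentationBytes(sc, audience))}
}

// Verify is the receiver's check: valid issuer signature, subject key still active,
// presentation signed by that subject key, and authorized for this receiver.
func Verify(reg *KeyRegistry, p Presentation, receiver string) error {
	c := p.Credential.Credential
	issuerPub, ok := reg.Lookup(c.Issuer)
	if !ok {
		return errors.New("issuer has no active key")
	}
	if !ed25519.Verify(issuerPub, credentialBytes(c), p.Credential.Signature) {
		return errors.New("issuer signature does not verify")
	}
	subjectPub, ok := reg.Lookup(c.Subject)
	if !ok {
		return errors.New("subject key deactivated or unknown")
	}
	if !ed25519.Verify(subjectPub, presentationBytes(p.Credential, p.Audience), p.Signature) {
		return errors.New("presenter does not control the subject's active key")
	}
	if p.Audience != receiver {
		return errors.New("presentation was authorized for a different receiver")
	}
	return nil
}

// Scenario returns the outcomes for a valid presentation, one shown to the wrong receiver,
// and the same presentation after the subject deactivated the stolen key and assigned a new one.
func Scenario() (valid, wrongAudience, revoked error) {
	reg := NewKeyRegistry()
	issuerPub, issuerKey, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, aliceKey, _ := ed25519.GenerateKey(rand.Reader)
	reg.Assign("https://issuer.example/", issuerPub) // constructed identities
	reg.Assign("https://alice.example/", alicePub)

	cred := IssueCredential("https://issuer.example/", issuerKey, "https://alice.example/", "age-over-18")
	p := Present(cred, "https://bank.example/", aliceKey)
	valid = Verify(reg, p, "https://bank.example/")
	wrongAudience = Verify(reg, p, "https://shop.example/")

	reg.Deactivate("https://alice.example/") // private key stolen: deactivate and assign a fresh key
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	reg.Assign("https://alice.example/", newPub)
	revoked = Verify(reg, p, "https://bank.example/")
	return
}

func main() {
	valid, wrongAudience, revoked := Scenario()
	fmt.Println("valid:", valid, "| wrong audience:", wrongAudience, "| after rotation:", revoked)
}
```

The audience field is what gives the receiver the "authorized to be sent to the receiver" property from point 3: a presentation captured in transit verifies only at the receiver it names. Rotating the key in the registry is enough to invalidate earlier presentations without touching the issued credential itself.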