
R: Room for government DIDs?

From: Luca Boldrin <luca.boldrin@infocert.it>
Date: Fri, 1 Dec 2017 12:09:01 +0000
To: Markus Sabadello <markus@danubetech.com>, "public-credentials@w3.org" <public-credentials@w3.org>
CC: Luca Boldrin <luca.boldrin@infocert.it>
Message-ID: <VI1PR0102MB33429DF51321604C7164CC6C82390@VI1PR0102MB3342.eurprd01.prod.exchangelabs.com>
Hi,

As far as I know EU regulation is not that specific on the generation of the key pair for electronic ID.

The normative reference is technologically neutral, see

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015R1502&from=IT,   annex 2.2

There are analyses suggesting that FIDO can be used to some extent, e.g.

http://referaat.cs.utwente.nl/conference/26/paper/7611/authentication-assurance-of-biometric-authentication-protocols-on-mobile-devices.pdf




The situation is quite different for “qualified electronic SIGNATURE” (which has a completely different status).

In that case, the CA issuing certificates must verify, among other things, that private keys are stored in an appropriate device.

See http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910&from=EN  article 29.



Best,



--luca





From: Markus Sabadello [mailto:markus@danubetech.com]
Sent: Thursday, 30 November 2017 11:48
To: public-credentials@w3.org
Subject: Re: Room for government DIDs?



Yes! I was just about to reply in a similar way.

You would have to prove that your DID was created in a secure way, in order to be acceptable for government and other "high assurance" use cases.

Not sure however if current regulation (e.g. eIDAS in the E.U.) is compatible with this approach.

Markus

On 11/30/2017 11:02 AM, =Drummond Reed wrote:



   Markus, I agree with David: the argument that the government needs to create your key pairs is never going to fly with the crypto community (amongst others).



   But the decentralized solution, which I've been anticipating may be required for "high assurance DIDs", is a verifiable claim from a TPM or other trusted computing device that IT generated the key pair.



   =Drummond



   On Wed, Nov 29, 2017 at 1:42 AM, David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:

      Hi Markus

      what is the opinion of the knowledgeable person about keys created by
      FIDO devices using software and hardware provided by mobile phone
      providers? Will they be happy to accept these keys or not?

      regards

      David


      On 28/11/2017 21:38, Markus Sabadello wrote:
      > I was made aware of a potential problem by someone who is very
      > knowledgeable in E.U. national eID systems.
      >
      > There's a question of liability when you create your own key pair.
      > If a government creates keys for you through a process they control,
      > then they can guarantee that the key is created in a secure way.
      > (At least that's the theory, the recently discovered weakness in 750,000
      > Estonian identity cards is a different story).
      >
      > If you create your own key (for your DID), then perhaps you're using a
      > bad random number generator.
      > You may receive a few verifiable claims for your "bad" DID, but later
      > your private key is broken and your identity stolen.
      >
      > Who is liable now? You, because you created a bad DID, or the issuer of
      > the verifiable claim?
      >
      > A government would want to reduce potential liability as much as
      > possible, and may not be willing to actually issue a verifiable claim
      > for a DID that may be insecure.
      >
      > Markus
      >
      > On 11/28/2017 08:06 PM, Steven Rowat wrote:
      >> On 2017-11-28 9:23 AM, Markus Sabadello wrote:
      >>> So you would model your natural, "self-sovereign" identity by creating
      >>> DIDs, and you would model "legal identity" not by issuing new DIDs, but
      >>> by issuing verifiable claims that make assertions about your DID.
      >>>
      >>> E.g. the government could issue claims for you about citizenship, date
      >>> of birth, national identifier (such as the Peruvian DNI you mentioned),
      >>> driver's license, and everything else that constitutes the "legal self"
      >>> you are talking about.
      >>
      >> +1 This seems so straightforward that I'd hope it can work everywhere.
      >>
      >> But in case there are technical/political reasons why governments
      >> might want to issue their own DID, could it be set up to be optional
      >> -- so that both systems would work together?
      >>
      >> I.e., some governments could set up their own, while others could
      >> merely issue verifiable claims as you suggest?
      >>
      >> Steven
      >>
      >>
      >>>
      >>> I think this topic on "legal ID" and "self-sovereign ID" is a great
      >>> example where we can align our technological tools with "how identity
      >>> works in the real world".
      >>>
      >>> Markus
      >>>
      >>> On 11/28/2017 02:52 AM, David E. Ammouial wrote:
      >>>> Hello,
      >>>>
      >>>> I recently joined the few identity-related workgroups, out of interest
      >>>> for the general subject of decentralised digital identity. I like the
      >>>> idea of DIDs a lot because I find it refreshingly realistic to
      >>>> acknowledge the existence of multiple identity "worlds" rather than
      >>>> trying to create one meant to be the only one. I'm using the word
      >>>> "refreshingly" because it really brings back the original spirit of an
      >>>> internet that is diverse at all levels.
      >>>>
      >>>> Back to the subject of this email. Governments' attempted monopoly of
      >>>> the concept of people's identity is something I personally dislike.
      >>>> You are not defined by what a government accepts or says about you,
      >>>> but by what you say and accept about yourself, and maybe by what the
      >>>> people you care about say and accept about you. However, in some
      >>>> situations those "people you care about" do include governmental
      >>>> entities, for practical definitions of "caring". :)
      >>>>
      >>>> To give a concrete example, you might want to allow your "legal self"
      >>>> to act upon your Sovrin/uPort/V1/X identity through an institution or
      >>>> a company. For example if a government entity provides a facial
      >>>> recognition API to authenticate people, that would correspond in
      >>>> practice to a service of a "did:gov" method. Proving that you are who
      >>>> you say you are (in legal terms) can be something desirable.
      >>>>
      >>>> What would be the practical steps of introducing a "did:gov" method?
      >>>> I'm thinking of a schema like:
      >>>>
      >>>>      did:gov:XX:xxxxxxx
      >>>>
      >>>> Such an identity would be issued by the government of country XX (e.g.
      >>>> US, FR, PE, etc.). The last bit would depend on the rules of each
      >>>> particular country. For example Peru has different types of identity
      >>>> documents: DNI (documento nacional de identidad) for nationals, CE
      >>>> (carné de extranjería) for residents that are not nationals, and a few
      >>>> others. In that context, Peru would perhaps define DIDs around the
      >>>> lines of "did:gov:pe:dni:1234345", but that would obviously be up to
      >>>> the Peruvian government to define those rules.
      >>>>
      >>>> What do you think? There are probably technical aspects, legal
      >>>> aspects, practical aspects... I apologise if this topic has already been
      >>>> brought up in the past and I didn't read about it before posting. I
      >>>> did some basic research on the list's archive and couldn't find
      >>>> anything.
      >>>>
      >>>
      >>>
      >>>
      >>>
      >>
      >
      >
      >





Received on Friday, 1 December 2017 12:20:24 UTC
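
Added example, not part of the original thread and not any participant's code: a simplified Go model of the idea raised above, in which a trusted device signs a statement that it generated a key pair itself and an issuer checks that statement before issuing a claim about the key. All names (`Device`, `Attestation`, `Verify`, the `keygen-attestation-v1|` label) are assumptions made for illustration; this is not the TPM 2.0 or FIDO attestation format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Attestation is the device's signed statement that it generated SubjectKey.
type Attestation struct {
	SubjectKey ed25519.PublicKey
	Nonce, Sig []byte
}

// Device models trusted hardware (hypothetical); attKey never leaves it.
type Device struct{ attKey ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{attKey: priv}, pub, err
}

// signedBytes puts the fixed-length key first, so the layout is unambiguous.
func signedBytes(pub ed25519.PublicKey, nonce []byte) []byte {
	return append(append([]byte("keygen-attestation-v1|"), pub...), nonce...)
}

// GenerateAndAttest makes the holder key inside the device (the private half
// is dropped in this model) and signs the public half with the issuer's nonce.
func (d *Device) GenerateAndAttest(nonce []byte) (Attestation, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	return Attestation{pub, nonce, ed25519.Sign(d.attKey, signedBytes(pub, nonce))}, err
}

// Verify is the issuer's check: the nonce must be the one it sent (no replay)
// and the signature must come from a device key the issuer already trusts.
func Verify(a Attestation, wantNonce []byte, trusted ...ed25519.PublicKey) bool {
	for _, k := range trusted {
		if bytes.Equal(a.Nonce, wantNonce) && ed25519.Verify(k, signedBytes(a.SubjectKey, a.Nonce), a.Sig) {
			return true
		}
	}
	return false
}

func main() {
	dev, devPub, _ := NewDevice() // constructed device; errors ignored in the demo
	att, _ := dev.GenerateAndAttest([]byte("constructed-nonce"))
	fmt.Println("accepted:", Verify(att, []byte("constructed-nonce"), devPub))
}
```

The issuer's trust decision reduces to which device attestation keys it lists as trusted; a key generated anywhere else cannot produce a statement that passes `Verify`.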
