Re: Room for government DIDs?

Yes! I was just about to reply in a similar way.

You would have to prove that your DID was created in a secure way, in
order to be acceptable for government and other "high assurance" use cases.

Not sure however if current regulation (e.g. eIDAS in the E.U.) is
compatible with this approach.

Markus

On 11/30/2017 11:02 AM, =Drummond Reed wrote:
> Markus, I agree with David: the argument that the government needs to
> create your key pairs is never going to fly with the crypto community
> (amongst others). 
>
> But the decentralized solution, which I've been anticipating may be
> required for "high assurance DIDs", is a verifiable claim from a TPM
> or other trusted computing device that IT generated the key pair.
>
> =Drummond 
>
> On Wed, Nov 29, 2017 at 1:42 AM, David Chadwick
> <D.W.Chadwick@kent.ac.uk <mailto:D.W.Chadwick@kent.ac.uk>> wrote:
>
>     Hi Markus
>
>     what is the opinion of the knowledgeable person about keys created by
>     FIDO devices using software and hardware provided by mobile phone
>     providers? Will they be happy to accept these keys or not?
>
>     regards
>
>     David
>
>     On 28/11/2017 21:38, Markus Sabadello wrote:
>     > I was made aware of a potential problem by someone who is very
>     > knowledgeable in E.U. national eID systems.
>     >
>     > There's a question of liability when you create your own key pair.
>     > If a government creates keys for you through a process they control,
>     > then they can guarantee that the key is created in a secure way.
>     > (At least that's the theory, the recently discovered weakness in 750,000
>     > Estonian identity cards is a different story).
>     >
>     > If you create your own key (for your DID), then perhaps you're using a
>     > bad random number generator.
>     > You may receive a few verifiable claims for your "bad" DID, but later
>     > your private key is broken and your identity stolen.
>     >
>     > Who is liable now? You, because you created a bad DID, or the issuer of
>     > the verifiable claim?
>     >
>     > A government would want to reduce potential liability as much as
>     > possible, and may not be willing to actually issue a verifiable claim
>     > for a DID that may be insecure.
>     >
>     > Markus
>     >
>     > On 11/28/2017 08:06 PM, Steven Rowat wrote:
>     >> On 2017-11-28 9:23 AM, Markus Sabadello wrote:
>     >>> So you would model your natural, "self-sovereign" identity by creating
>     >>> DIDs, and you would model "legal identity" not by issuing new DIDs, but
>     >>> by issuing verifiable claims that make assertions about your DID.
>     >>>
>     >>> E.g. the government could issue claims for you about citizenship, date
>     >>> of birth, national identifier (such as the Peruvian DNI you mentioned),
>     >>> driver's license, and everything else that constitutes the "legal self"
>     >>> you are talking about.
>     >>
>     >> +1 This seems so straightforward that I'd hope it can work everywhere.
>     >>
>     >> But in case there are technical/political reasons why governments
>     >> might want to issue their own DID, could it be set up to be optional
>     >> -- so that both systems would work together?
>     >>
>     >> I.e., some governments could set up their own, while others could
>     >> merely issue verifiable claims as you suggest?
>     >>
>     >> Steven
>     >>
>     >>
>     >>>
>     >>> I think this topic on "legal ID" and "self-sovereign ID" is a great
>     >>> example where we can align our technological tools with "how identity
>     >>> works in the real world".
>     >>>
>     >>> Markus
>     >>>
>     >>> On 11/28/2017 02:52 AM, David E. Ammouial wrote:
>     >>>> Hello,
>     >>>>
>     >>>> I recently joined the few identity-related workgroups, out of interest
>     >>>> for the general subject of decentralised digital identity. I like the
>     >>>> idea of DIDs a lot because I find it refreshingly realistic to
>     >>>> acknowledge the existence of multiple identity "worlds" rather than
>     >>>> trying to create one meant to be the only one. I'm using the word
>     >>>> "refreshingly" because it really brings back the original spirit of an
>     >>>> internet that is diverse at all levels.
>     >>>>
>     >>>> Back to the subject of this email. Governments' attempted monopoly of
>     >>>> the concept of people's identity is something I personally dislike.
>     >>>> You are not defined by what a government accepts or says about you,
>     >>>> but by what you say and accept about yourself, and maybe by what the
>     >>>> people you care about say and accept about you. However, in some
>     >>>> situations those "people you care about" do include governmental
>     >>>> entities, for practical definitions of "caring". :)
>     >>>>
>     >>>> To give a concrete example, you might want to allow your "legal self"
>     >>>> to act upon your Sovrin/uPort/V1/X identity through an institution or
>     >>>> a company. For example if a government entity provides a facial
>     >>>> recognition API to authenticate people, that would correspond in
>     >>>> practice to a service of a "did:gov" method. Proving that you are who
>     >>>> you say you are (in legal terms) can be something desirable.
>     >>>>
>     >>>> What would be the practical steps of introducing a "did:gov" method?
>     >>>> I'm thinking of a schema like:
>     >>>>
>     >>>>      did:gov:XX:xxxxxxx
>     >>>>
>     >>>> Such an identity would be issued by the government of country XX (e.g.
>     >>>> US, FR, PE, etc.). The last bit would depend on the rules of each
>     >>>> particular country. For example Peru has different types of identity
>     >>>> documents: DNI (documento nacional de identidad) for nationals, CE
>     >>>> (carné de extranjería) for residents that are not nationals, and a few
>     >>>> others. In that context, Peru would perhaps define DIDs around the
>     >>>> lines of "did:gov:pe:dni:1234345", but that would obviously be up to
>     >>>> the Peruvian government to define those rules.
>     >>>>
>     >>>> What do you think? There are probably technical aspects, legal
>     >>>> aspects, practical aspects... I apologise if this topic has already been
>     >>>> brought up in the past and I didn't read about it before posting. I
>     >>>> did some basic research on the list's archive and couldn't find
>     >>>> anything.
>     >>>>
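
The "did:gov:XX:xxxxxxx" layout David E. Ammouial sketches above, with the
Peruvian "did:gov:pe:dni:1234345" variant, can be made concrete as a small
parser and validator. The following is an added example, not code from the
thread or from any DID method implementation. It assumes a two-layer syntax
(a generic did:gov:<country>:... shell, plus per-country rules for what
follows the country code); the per-country rule table is constructed from the
document types the e-mail names for Peru, and the permitted identifier
characters are a conservative assumption rather than a published rule.

```python
"""Parser and validator for the hypothetical did:gov scheme discussed in the
thread (did:gov:XX:xxxxxxx). Example code, not a registered DID method."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# DID method names are lowercase; method-specific id segments are restricted
# here to a conservative character set (letters, digits, '.', '-', '_').
_ALPHA2 = re.compile(r"[A-Za-z]{2}")
_IDCHARS = re.compile(r"[A-Za-z0-9._-]+")
_DIGITS = re.compile(r"[0-9]+")

# Constructed per-country rules modelled on the Peruvian example in the thread:
# the tail is <document type>:<number>, with the document types the e-mail
# names (DNI for nationals, CE for non-national residents). A real deployment
# would take these rules from each government, as the e-mail itself says.
COUNTRY_RULES = {
    "pe": {"dni", "ce"},
}


class DidSyntaxError(ValueError):
    """Raised when a string is not a well-formed did:gov identifier."""


@dataclass(frozen=True)
class GovDid:
    country: str            # ISO 3166-1 alpha-2, normalised to lowercase
    tail: Tuple[str, ...]   # country-defined segments after the country code

    @property
    def doc_type(self) -> Optional[str]:
        # Only meaningful for countries whose (constructed) rules we know.
        return self.tail[0] if self.country in COUNTRY_RULES else None

    @property
    def number(self) -> Optional[str]:
        return self.tail[1] if self.country in COUNTRY_RULES else None

    def __str__(self) -> str:
        return "did:gov:" + ":".join((self.country,) + self.tail)


def parse_gov_did(did: str) -> GovDid:
    """Parse did:gov:<country>:<segments...>; raise DidSyntaxError on any defect."""
    parts = did.split(":")
    # Generic layer: scheme and method are fixed and case-sensitive, and at
    # least one country-defined segment must follow the country code.
    if len(parts) < 4 or parts[0] != "did" or parts[1] != "gov":
        raise DidSyntaxError(f"not a did:gov identifier: {did!r}")
    country, tail = parts[2], tuple(parts[3:])
    if not _ALPHA2.fullmatch(country):
        raise DidSyntaxError(f"country code must be two letters: {country!r}")
    # The thread writes both "XX" and "pe"; treat the country code as
    # case-insensitive and normalise to lowercase.
    country = country.lower()
    for seg in tail:
        if not _IDCHARS.fullmatch(seg):  # also rejects empty segments ("...:dni:")
            raise DidSyntaxError(f"bad identifier segment: {seg!r}")
    # Country-specific layer: apply the constructed national rules if present;
    # unknown countries keep an opaque, syntactically clean tail.
    if country in COUNTRY_RULES:
        if len(tail) != 2:
            raise DidSyntaxError(f"{country}: expected <document type>:<number>")
        doc_type, number = tail
        if doc_type not in COUNTRY_RULES[country]:
            raise DidSyntaxError(f"{country}: unknown document type {doc_type!r}")
        if not _DIGITS.fullmatch(number):
            raise DidSyntaxError(f"{country}: document number must be digits: {number!r}")
    return GovDid(country, tail)


def is_valid_gov_did(did: str) -> bool:
    """Boolean wrapper around parse_gov_did for filtering or quick checks."""
    try:
        parse_gov_did(did)
        return True
    except DidSyntaxError:
        return False


if __name__ == "__main__":
    # Constructed samples: the thread's example plus a few malformed variants.
    for sample in ["did:gov:pe:dni:1234345", "did:gov:PE:ce:000123",
                   "did:gov:fr:some-national-id", "did:gov:pe:passport:1",
                   "did:gov:per:dni:1", "did:web:example.com"]:
        print(f"{sample:32} -> {is_valid_gov_did(sample)}")
```

Splitting the generic shell from the per-country layer mirrors the division
of responsibility the e-mail describes: the method defines only the country
code position, and each government owns the grammar of what follows it.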

Received on Thursday, 30 November 2017 10:48:34 UTC