Links

Ben Laurie blathering


Ben’s Laws of Identity

Kim Cameron has his Laws of Identity, so why can’t I have mine? Mine are simpler and probably not complete, but they arose from the paper I wrote with Mary Rundle as a better way to explain what I’m getting at.

I claim that for an identity management system to be both useful and privacy preserving, there are three properties assertions must be able to have. They must be:

  • Verifiable
    There’s often no point in making a statement unless the relying party has some way of checking that it is true. Note that this isn’t always a requirement – I don’t have to prove my address is mine to Amazon, because it’s up to me where my goods get delivered. But I may have to prove I’m over 18 to get the porn delivered.
  • Minimal
    This is the privacy preserving bit – I want to tell the relying party the very least he needs to know. I shouldn’t have to reveal my date of birth, just prove I’m over 18 somehow.
  • Unlinkable
    If the relying party or parties, or other actors in the system, can collude to link together my various assertions, then I’ve blown the minimality requirement out of the water.

OK. So now we’re all on the same page, I gave my shortest talk ever recently at Stanford – under three minutes – on why X.509 (and every widely used method of making verifiable assertions I know of) doesn’t work for identity management. The essence is this: standard X.509 statements are verifiable, but neither minimal nor unlinkable. A certificate discloses its whole fixed bundle of attributes (name, public key, serial number and so on) every time it is shown, and because the same certificate is shown everywhere, every relying party sees the same key and serial and can trivially correlate my visits. You can try to fix the minimality by having some third party issue single-use certificates with minimal assertions in them, on the basis of X.509 certificates you already have in your hand – but these are still not unlinkable: the issuer knows which of your certificates each single-use certificate was issued against, and the relying party sees the certificate you present, so the two need only compare notes to join everything back up again. Or you can try self-signed certificates – minimal and unlinkable, but sadly not verifiable, since nobody but you vouches for the claim. I’m not aware of any other options. QED.

Another important point often glossed over is that unless the underlying network provides anonymity, you are screwed anyway: whatever the credential does or doesn’t reveal, transport-level identifiers such as your IP address link every session together.

Of course, methods do exist that don’t have the problems of X.509 certificates – the best, IMO, being zero knowledge and selective disclosure proofs. But no-one uses them (yet).
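The following is an added, runnable sketch of the argument in the two passages above; it is not code from this post. An issuer vouches for the single minimal statement “over 18” and hands out single-use tokens in two ways: a “plain” token, where it signs the token directly (the third-party single-use certificate described above), and a “blinded” token, where it applies a Chaum-style RSA blind signature and never sees what it signed. Blind signatures are not mentioned in the post, which points at zero knowledge and selective disclosure proofs instead; they are used here only because they are the smallest construction that yields a token that is verifiable by the relying party yet unlinkable even when issuer and relying party pool their logs. The issuer/relying-party log layout, the user identifier and the tiny fixed RSA key are all assumptions of this example, and the textbook-RSA hashing is insecure and for illustration only.

```python
"""Toy demonstration of verifiable-but-linkable versus verifiable-and-unlinkable tokens.

Two ways for an issuer to hand out a single-use "over 18" token:

  1. plain   - the issuer signs h(token) directly (a third party issuing
               single-use certificates on the basis of your X.509 cert)
  2. blinded - the issuer signs a blinded value (Chaum-style RSA blind
               signature) and so never sees the token it is vouching for

The relying party (RP) verifies the signature either way.  Afterwards the
issuer and the RP pool their logs and try to link each presented token back
to the identity that obtained it.  Keys are tiny and padding is absent:
textbook RSA for illustration, not for real use.
"""
import hashlib
import secrets
from math import gcd

# Fixed toy RSA key built from the Mersenne primes 2^31-1 and 2^61-1 (assumed,
# and far too small for real use).  gcd(E, phi) == 1 holds for these primes.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def h(token: bytes) -> int:
    """Hash a token to an integer below N (no padding: insecure, demo only)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def rsa_sign(m: int) -> int:
    return pow(m, D, N)


def rsa_verify(m: int, sig: int) -> bool:
    return pow(sig, E, N) == m


def new_token(claim: bytes = b"over18") -> bytes:
    """A fresh single-use token: the minimal claim plus a random nonce."""
    return claim + b":" + secrets.token_hex(16).encode()


# --- 1. plain single-use certificate --------------------------------------
def plain_issue(user_id: str, token: bytes, issuer_log: list) -> int:
    """Issuer authenticates the user (via their X.509 cert, elided here), signs
    h(token) and, like any real CA, records what it issued and to whom."""
    sig = rsa_sign(h(token))
    issuer_log.append({"user": user_id, "sig": sig})
    return sig


# --- 2. blind-signed single-use token -------------------------------------
def blind(token: bytes):
    """User picks a blinding factor r and hides h(token) as h(token) * r^E mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return h(token) * pow(r, E, N) % N, r


def blind_issue(user_id: str, blinded: int, issuer_log: list) -> int:
    """Issuer signs the blinded value; its log can only hold what it actually saw."""
    sig_blinded = rsa_sign(blinded)
    issuer_log.append({"user": user_id, "sig": sig_blinded})
    return sig_blinded


def unblind(sig_blinded: int, r: int) -> int:
    """(h(t) * r^E)^D = h(t)^D * r mod N, so dividing by r leaves a plain signature."""
    return sig_blinded * pow(r, -1, N) % N


# --- relying party and collusion ------------------------------------------
def rp_accept(token: bytes, sig: int, rp_log: list) -> bool:
    """RP checks the signature and logs the presentation."""
    ok = rsa_verify(h(token), sig)
    if ok:
        rp_log.append({"token": token, "sig": sig})
    return ok


def collude(issuer_log: list, rp_log: list) -> dict:
    """Join the two logs on the signature value: the linkage the post warns about.
    Returns {token: user_id} for every presentation that could be traced."""
    by_sig = {rec["sig"]: rec["user"] for rec in issuer_log}
    return {rec["token"]: by_sig[rec["sig"]] for rec in rp_log if rec["sig"] in by_sig}


def run(scheme: str, user_id: str = "alice"):
    """Issue one token under the given scheme, present it, then let the
    issuer and RP collude.  Returns (accepted_by_rp, links_found)."""
    issuer_log, rp_log = [], []
    token = new_token()
    if scheme == "plain":
        sig = plain_issue(user_id, token, issuer_log)
    else:
        blinded, r = blind(token)
        sig = unblind(blind_issue(user_id, blinded, issuer_log), r)
    accepted = rp_accept(token, sig, rp_log)
    return accepted, collude(issuer_log, rp_log)


if __name__ == "__main__":
    for scheme in ("plain", "blinded"):
        accepted, links = run(scheme)
        print(f"{scheme:8s} verifiable={accepted} linked={links}")
```

Running it shows both tokens verify at the relying party, but only the plain one is traced back to `alice` once the logs are joined: the issuer’s record of a blind signature is `h(t)^D * r`, which bears no computable relation to the `h(t)^D` the relying party sees without knowing `r`. The blinding also buys minimality for free, since the issuer learns nothing about the token beyond the fact that it vouched for one; what it does not buy is network-level unlinkability, which is the point of the paragraph above about anonymity.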

Also, there’s hope for anonymity, in the shape of onion routing.

Incidentally, at the same workshop Dick Hardt gave the most fun presentation on identity management I’ve ever seen. Check it out.

10 Comments »

  1. [...] However, as I’ve shown, this is not actually possible with any traditional type of signed assertion. [...]

    Pingback by Links » InfoCard Is Not All Its Cracked Up To Be — 13 Oct 2005 @ 11:00

  2. Ben, you are very right.

    The problem is in my view more complex, but indeed solvable.

    We are, however, facing a lot of myths and challenges:

    a) Government and infrastructure entities determined to take “ownership” of people. “Consent”, Data regulation, “Trust” seals and Privacy Policies are (ab)used as excuses to deny citizens basic security.

    b) Naive assumptions on security, such as biometrics increase security, are undermining security. For instance the rapidly increasing problem of Identity Theft is caused by bad security and cannot be solved by more of the same.

    c) The assumption that we can or should try to have perfect security. The problem of present approaches is that security everywhere is weakened by wiretapping requirements, while the bad guys in reality are finding it easier to both hide their communication and attack citizens made defenseless by the surveillance-industrial complex.

    d) The trust and identity crisis are escalating, because those that were supposed to solve the problem are doing the opposite, pursuing control models instead of security models.

    Try having a look at this talk at an EU Security workshop – here we discuss solutions to both RFID as “the world of things” and Anti-identity theft Identity Management based on context build-up.
    http://www.securitytaskforce.org/dmdocs/workshop2/stephan_engberg.pdf

    Indeed, we are going to need some sustainable “laws on identity”. Consent is turning into blackmail – an impossible choice of Services without Security or Security without Services.

    Comment by Stephan Engberg — 20 Nov 2005 @ 19:39

  3. [...] Bob Aman posted a response to my Laws of Identity. In short, his point is that if someone were to create a completely minimal and unlinkable identity, then no-one would trust them. This is an excellent point, and one I agree with totally – in fact I wrote a paper on privacy for the Security Protocols Workshop a couple of years ago which was all about what a terrible place a world where everyone was absolutely anonymous would be. [...]

    Pingback by Links » Identity, Privacy, and Accountability — 13 Dec 2005 @ 22:43

  4. The point is not perfect unlinkability but controlled unlinkability, i.e. to ensure that unlinkability is the default unless some predefined conditions occur.

    Some of these conditions can be mathematically integrated such as double spending of a digital coin. Some require a generic but controlled method of recreating linkability.

    The main question is of course who is in control, which kind of fallbacks are implemented, how can we assure against hidden backdoors etc.

    But there is no reason to think that we can’t make an identity that is for all normal purposes unlinkable, but still trusted in the sense that it is subjected to basic laws. You should, however, ensure some kind of strong and transparent checks and balances between the control of laws, courts and the distributed control mechanism of recreating linkability.

    Comment by Stephan Engberg — 6 Jan 2006 @ 16:37

  5. [...] OK, it’s nice that Microsoft are developing identity management software that might not suck (but remember, it still doesn’t satisfy my Laws of Identity) but the question that’s being posed about Google applies equally to Microsoft, and, indeed, anyone else with an identity silo. [...]

    Pingback by Links » Comparing Apples and Apples: Microsoft and Google Authentication — 1 Aug 2006 @ 15:17

  6. [...] OK, it’s nice that Microsoft are developing identity management software that might not suck (but remember, it still doesn’t satisfy my Laws of Identity) but the question that’s being posed about Google applies equally to Microsoft, and, indeed, anyone else with an identity silo. [...]

    Pingback by Kim Cameron’s Identity Weblog » Yes or No? — 2 Aug 2006 @ 21:40

  7. [...] Cardspace does not meet Law #4: presented identity credentials can readily be linked back to their issuance when issuers and relying parties compare notes. In particular, the default CardSpace protection mechanism associates universally unique cryptographic keys with identity credentials that can readily be used to trace their presentation to their issuance. For a lucid elaboration, see Ben Laurie’s post on this. [...]

    Pingback by The Identity Corner » IPC extends the Laws of Identity with key insights from privacy arena — 18 Oct 2006 @ 19:18

  8. [...] None of which is to say Kim’s 7 laws are wrong or bad. They’re really quite good, apart from being way too verbose and hard to read – unlike my 3 laws. [...]

    Pingback by Links » Ontario’s Private Love Affair with Microsoft — 19 Oct 2006 @ 5:04

  9. [...] Many moons ago, I wrote my Laws of Identity. Yesterday, my friend Cat Okita pointed out a deficiency, so here’s an update… I claim that for an identity management system to be both useful and privacy preserving, there are three properties assertions must be able to have. They must be: [...]

    Pingback by Links » Laws of Identity, Revised — 2 May 2007 @ 10:28

  10. [...] it’s nearly five years since I first wrote about this and now it finally seems we might get to use selective [...]

    Pingback by Links » Selective Disclosure, At Last? — 4 Mar 2010 @ 5:34
