Back to the Future (of Identity)
My article about the Jericho Forum’s latest proposal to bring sanity to our world of digital identity chaos is now up on the RSA blog: Jericho Forum Proposes Bring Your Own Identity (BYOI). Here’s a short summary:
“In its 25-page ‘Global Identity: Challenges, pitfalls and solutions’ white paper, which builds on its earlier ‘Identity Commandments,’ the Jericho Forum diagnoses the Internet’s identity problems and proposes a cure for them. The white paper is fundamentally right about privacy and identity in some ways, but in proposing that the industry can create BYOI based on a singular set of standards [that device makers, platform vendors, governments and applications will all agree to, so that one can use a single trusted device and standard protocol for all one’s authentication and authorization needs], it may oversimplify the solution. Jericho’s ‘Global Identity Foundation’ may ultimately achieve success as a knowledge and innovation center, but establishing [it] will be challenging.”
The FIDO Alliance has a similar architecture, based on specifications for a Universal Authentication Framework (UAF) and a Universal Second Factor (U2F). It came up for discussion by an all-star team of identity experts in a Future of Authentication panel at RSA Conference. (I’ve got an article in the queue about that panel as well.) The FIDO Alliance does have a number of industry heavyweights behind it, including Google, Microsoft and ARM. Could it start to achieve Jericho’s dream?
I don’t want to steal the thunder from my article that’s been waiting a couple months for publication, but I’ll just flash to Bob Blakley’s question for the same Fido panel: “It’s the nature of secrets to be ephemeral and devices to be vulnerable; is it a good idea to even put strong authentication on a sub-$500 consumer device that floats around in your pocket?” That rapier-thrust was followed by some speculation on whether identity provider services could further manage the risk. But that discussion devolves into questions on privacy, who controls the services and whether they aggregate too much risk.
So I’m looking back now at Kim Cameron’s Identity Blog and its description of the Identity Metasystem:
“The root of these problems is that the Internet was designed without a system of digital identity in mind. In efforts to address this deficiency, numerous digital identity systems have been introduced, each with its own strengths and weaknesses. But no one single system meets the needs of every digital identity scenario. And even if it were possible to create one system that did, the reality is that many different identity systems are in use today, with still more being invented. As a result, the current state of digital identity on the Internet is an inconsistent patchwork of ad hoc solutions that burdens people with different user experiences at every web site, renders the system as a whole fragile, and constrains the fuller realization of the promise of e-commerce.”
At the same time, federation fan that I am, I can’t dismiss the Jericho paper’s statement that federation doesn’t scale because the underlying trust models don’t scale. Indeed we’ve seen that in the recently publicized “covert redirect” vulnerabilities in OAuth and OpenID federations, where an identity provider validated a client’s redirect_uri too loosely and an open redirect on the client’s own site could forward the authorization response to an attacker. I suppose the world is, and always will be, a Tower of Babel.
How could one design digital identity into this Internet of Babel? It’s actually more than a technical problem, and it’s not amenable to a single technical solution. However, I think we can come up with a better framework, and I may write another post about that in the near future.