Decentralized Identity's Big Vulnerability
The most important question in the world’s information infrastructure was asked in 1978 by Pete Townshend, the co-lead-singer of The Who.
The question: “Who are you?”
This video shows how the reliability of identity claims in banking is rapidly eroding. Banks rely on identity claims being legitimate. Banks are “relying parties” when it comes to identity claims.
“I’m not a bank, so that’s not my problem” you might think. But how much inconvenience and cost is borne by you and me – individuals, not institutions – because of identity fraud?
We are all relying parties. We all depend upon the identity assertions made by others we encounter online.
Identity reliability is about attestation. “So you claim to be Mary Smith. Before I believe that claim, someone I trust needs to attest to its validity.”
A number of schemes have been developed over the years for what I will call “collegial attestation.”
Collegial attestation is where the claims of a member of a community are attested to by other members. Of particular interest these days is the claim of identity.
As the name suggests, an academic community is a good example of a collegial community. Essentially, a collegial community is one whose interactions involve ideas, art, literature, psychology, etc.; even the study of business. Basically the headings in a university course catalog, including physical activities, define a collegial community’s activity. The category also includes ethnic and avocational communities.
Now let’s think about what’s largely, but not completely, missing from a collegial community.
It’s the focus of what goes on every day beyond those ivy-covered walls of alma mater or beyond the doors of the nonprofit’s clubhouse.
It’s that thing, the love of which is said to be the root of all evil. For instance, the evil of identity fraud.
It’s money, of course!
When money – that is, real money, which could be defined as “amounts that exceed two years’ salary of the average member of the community” gets moved around in transactions within a community, that community ceases to be collegial. It becomes a real-life type of community.
The rule of thumb is:
Collegial attestation will be corrupted whenever the amount of money involved in the potential corruption is sufficient to justify the effort.
(I’d add something about risk, but criminals seldom anticipate getting caught.)
In a collegial community where identity is established by collegial attestation, how much effort is required to recruit a dozen individuals to attest to each others’ fake identities?
Actually, it’s just an application of Bernoulli’s Principle of Decision Making – a method that was codified by Daniel Bernoulli a few hundred years ago (yes, the same Bernoulli who showed that airplanes are possible.)
In English, the method goes like this: The benefit we can expect from an action is the product of two things: the probability that this action will allow us to gain something, and the value of that gain to us. If we can estimate and multiply these two things, we can know exactly what we should do.
If we value our relationships in the community and our reputation more highly than a fairly large sum of money (tenure will surely arrive any day now) then the benefit of the money to be gained by ganging up with thieves to defraud others in the community is just not sufficient.
If on the other hand we’re not members of the community and therefore have no relationships and reputation to preserve, then… tell me again how much the take would be if I got a half dozen friends to join the community with me?
Phil Zimmerman’s PGP, a PKI-like scheme with no certification authority, has been around for decades. It’s baked into email clients and other software, and it works well – for collegial communities.
But PGP never took hold in business. Now you know why.
Identities for non-collegial communities – that is, identities in the real world – must be attested to by (horrors) an authority. That’s why your driver’s license, passport, and birth certificate are not issued by this guy:
PKI Done Right uses DCPA – duly constituted public authority – in the form of legally accountable Attestation Officers – Remote Online Notaries – commissioned by the U.S. Commonwealth of Virginia to gather eight forms of EOI – evidence of identity – in a live session with the enrollee.
Concerns about centralized authority are very legitimate. That’s why PKIDR uses the services of Virginia RONs, who practice independently and who do not report to any central authority.
Learn more about PKI Done Right here.