Decentralized Identity's Big Vulnerability
A number of schemes have been developed over the years for what I will call “collegial attestation.”
Collegial attestation is where the claims of a member of a community are attested to by other members. Of particular interest these days is the claim of identity.
Collegial attestation works well for collegial communities.
What is a collegial community?
As the name suggests, an academic community is a good example. Essentially, a collegial community is one whose interactions involve ideas, art, literature, psychology, etc. Even the study of business is a suitable subject for a collegial community. Basically the headings in a university course catalog, including physical activities, define a collegial community’s activity. Ethnic, neighborhood and avocational communities also qualify.
Now let’s think about what’s largely, but not completely, missing from a collegial community.
It’s that thing, the love of which is said to be the root of all evil.
It’s the focus of what goes on every day beyond those ivy-covered walls of alma mater.
It’s money, of course!
When money – that is, real money, which could be defined as “amounts that exceed a year’s salary of the average member of the community” gets moved around a community, that community ceases to be collegial.
The rule of thumb is:
Collegial attestation will be corrupted whenever the amount of money involved in the potential corruption is sufficient to justify the effort.
(I’d add something about risk, but criminals never think they’re going to get caught, right?)
In a collegial community where identity is established by collegial attestation, how much effort is required to recruit a dozen individuals to attest to each others’ fake identities?
Actually, it’s just an application of Bernoulli’s Principle of Decision Making, codified by Daniel Bernoulli a few hundred years ago (yes, the same Bernoulli who made airplanes possible.)
The method goes like this: The benefit we can expect from an action is the product of two things: the probability that this action will allow us to gain something, and the value of that gain to us. If we can estimate and multiply these two things, we can know exactly what we should do.
If we value our relationships in the community and our reputation and our own integrity more highly than a fairly large sum of money (tenure is sure to arrive any day now) then the benefit of the money to be gained by ganging up with thieves to defraud others in the community is just not sufficient.
If on the other hand we’re not members of the community and therefore have no relationships and reputation to preserve then… tell me again how much the take would be if I got a half dozen greedy acquaintances to join the community with me?
Phil Zimmerman’s PGP, a PKI-like scheme with no certification authority, has been around for decades. It’s baked into email clients and other software, and it works well – for collegial communities.
But PGP never took hold in business. Now you know why.
Identities for non-collegial communities – that is, identities in the real world – must be attested to by (horrors) an authority. That’s why your driver’s license, passport, and birth certificate are not issued by this guy:
PKI Done Right uses DCPA – duly constituted public authority – in the form of legally accountable Attestation Officers – Remote Online Notaries – commissioned by the U.S. Commonwealth of Virginia to gather eight forms of EOI – evidence of identity – in a live session with the enrollee.
Concerns about centralized authority are certainly legitimate. That’s why PKIDR uses the services of Virginia RONs, who practice independently and who do not report to any central authority. They are bound by law to keep their own records of events in their notarial practice, and those records, by law, are not to be shared.
Learn more about PKI Done Right here.