5C/ Making OAuth2 Secure
Reinventing National Identifier Systems
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
How can governments use the new self- sovereign identity technologies might be used by governments to support citizens interacting with them but getting out of the challenges that persistent correlateable identifiers like SSN present.
Here are some parts of the paper that Kaliya wrote based on the conversation from the session.
Markus also drew on the conversation to present to the Austrian Government the weekend after IIW.
This report lays out the case for a new federal agency, The Non-Identity Agency (NIA), that would over five years completely replace the Social Security Number with Invisible Identity Numbers (IINs) that will be usable by citizens across the federal government. The new system will be largely resistant to identity fraud caused by the current system design that uses a persistent correlateable identifier, the Social Security Number (SSN). Cryptography allows IINs to be masked and will completely transform how individuals interact with governments because no persistent correlateable identifiers are used, so there is nothing to “steal” and use in other contexts. Each time an individual uses the IIN, they share a cryptographic proof of the number rather then he actual number. IINs use several relatively new technologies in combination: mobile phone applications, distributed ledger technology and cryptographic proofs.
Infrastructure for Invisible Identity Numbers
Several technologies are available to create this new system including a combination of mobile phone technology and cloud technology that enables individuals to have software agents working on their behalf. Three different types of cryptography are used:
- Public Key Infrastructure using pairwise identifiers to support the creation of secure cryptographic tunnels for communication between and between individuals and institutions.
- Zero Knowledge Proofs (ZKP) lets individuals obtain claims issued by another party (typically an institution) and then produce and share proofs derived from the claim without reveling the actual claim. So for example an individual could take claim such as a birthdate issued on a state drivers license and use it to share with a bar only the fact that the individual presenting it was over 21. The zero-knowledge proof would not reveal the exact birthdate or their mailing address.
- CL Proofs that allow Zero Knowledge Proof claims issued by institutions to be revoked.
Distributed Ledger Technology is used to support the management of the public-private keys and agent pointers for individuals and institutions along with verifiable references to the ZKP and CL Proofs. The core of this network is a permission-based distributed ledger that is kept current by the validator nodes on the network. A distributed ledger means that the database doesn’t live in one location, but rather exists across the whole network of nodes. As information is written to the database it is permanent— it cannot be changed. Everything written into the ledger is public. In this unique governance model set up by the Sovrin Foundation, which is very different than the Bitcoin or Ethereum ledgers, all validator nodes are run by institutions like banks, universities, hospitals, credit unions etc. They sign an agreement to join the network and are bound by the conditions of this trust framework.
Creating New Identity Assets
Using these infrastructure pieces, how does the government issue Invisible Identity Numbers to individuals that can replace the Social Security Number system? The first step is to setup a system of enrollment so people can get the new IIN. There will be a process for identity proofing that is rigorous, using a points system similar to how New York State issues Drivers Licenses (NY State, 2015), with different types of documents providing a different number of points that are acceptable for identity proofing. Individuals will present themselves at the NIA with this documentation, including their Social Security Number, Birth Certificate, Drivers License, Passport and other documents that are used to prove they are indeed the person that a given SSN points to. The government would then issue the claim of an IIN to the individual. The government would also publish a record in a public database stating that the person with a particular SSN now has and IIN. This would “retire” the SSN so that everyone knows to not accept it from anyone claiming to be that person because the “real” person has an IIN and should be using that. There will also have to have a dispute resolution system in place as fraudsters will try to attain IIN’s that really belong to other people. To get the claim of an IIN from the NIA, an individual must sign up with an Agency and download on to their phone an application that provide them with a IIN Agent. A company named Evernym makes the software code and in the future there will be different companies that will also make agent codes so individual will have a choice of agent provider . This is the secure application that enables the individual to store their claim information and manage all their interactions using these claims. Both the individual (via their mobile app and agent) and the NIA would next register a DID on the Sovrin Distributed ledger. A DID (decentralized identifier) is a globally unique long number generated cryptographically. With each DID comes a DDO—a JSON document containing the public key from a public-private key pair. Both the individual’s agent and the NIA get unique public private key pair that allows them to open a secure cryptographic tunnel for secure communication. Though this tunnel the NIA sends the IIN to the individual’s Agent. The NIA also writes to the Sovrin ledger a cryptographic proof that they issued the IIN. This proof does not reveal the IIN, but will enable the individual to prove to any institution or agency that the individual has a unique valid (non-revoked) IIN.
Using the IIN
Now that the individual has an IIN, they can use it to interact with their employers, banks or government agencies. With every agency or institution that they interact with they go through the same ceremony using the Sovrin ledger to create a unique cryptographically secure communication tunnel. When that tunnel is established they send along the proof that they have an IIN and proof it was issued to them by the NIA. They never send the actual IIN. They use Zero Knowledge Proof technology that transforms the IIN into a cryptographic proof when it is shared so the actual IIN isn’t reveled. This is what makes it very secure—and can virtually end identity theft/fraud as we know it. This can seem hard to understand because the fancy math can accomplish something that is not possible using ordinary paper-based physical systems that are usually used to track identity. It is critical that we leapfrog the mental models that paper and traditional systems of unique identifiers like SSNs have created for us, We need to leverage the strong new security and privacy-protecting properties these new types of cryptographic identifiers can provide.
Adoption and Use
Employers will be encourage to switch away from using SSN’s (with all its ensuing security risks) to accepting IIN proofs. Individuals can create a cryptographic tunnel with their employer, in the same way they did with the NIA. They share the proof they have of their IIN with the employer who then passes along a proof of the proof to the government when submitting their taxes and other government benefits. If an individual has three different employers - each employer has a unique proof of the IIN of the individual. When the individual goes to file one’s taxes the individual can support the Tax agency knowing the three different they proofs they of the same individual from three different employers actually represent the same individual. This totally leap frogs the SSN in terms of its ability to keep individuals and businesses secure.
Relating to Other Agencies
An individual will be able to use the proof of their IIN with a whole range of government entities. Each agency an individual interact with creates a cryptographic tunnel with the citizen’s agent, in the same way they did with the NIA to get the claim of the IIN. They use this tunnel to communicate the Zero Knowledge Proof of their IIN, not the actual IIN. In this way the agencies know it is the same individual they are interacting with over time. The individual will also be able to communicate with the agency via the cryptographic tunnel - messages about needed updates, payments, to or from the government, services, appointments. This could include text messages or phone calls. The NIA does not interact directly with any other government agencies and shares no identity information with them directly. The main way that other government agencies know that the IIN proof they have from an individual is unique is via the proof they record to the Sovrin ledger that other agencies can check to see if indeed the IIN proof they have from an individual is legitimate. They can also use the other proofs the individual presents, see the Appendix below about how Jain uses it to open a bank account for filling the know your customer requirements.
- New York State Department of Moter Vehicles (2015), Proofs of Identity, Document number ID-44 (12/15). https://dmv.ny.gov/forms/id44.pdf