Trust and Internet Identity Meeting Europe 7.-8. Feb. 2018

Session 21 <Effect on data portability in nationalistic countries> (10:45/Room A07)

Effect on data portability in nationalistic countries (Colin Wallis)

Some random states would leave the EU if states went more nationalistic.

What are the impacts on federated IDM/attribute exchange across national borders if nation states become inward-looking ("nationalistic")?

The USA is a rich country with many different religions and cultures. With the current administration, what would happen in the worst extreme? Could we still get identity federation to work?

We could provide our IP outside the USA.

To do Federated IDM you need eID and IDCard.

Add a very low level of assurance?

The line has to be drawn between the public, institutional (R&D) and commercial sectors.

Workarounds:

  • Estonian eIDcard
  • "Physical Passport"
  • Decentralize identity federation
  • Levels of assurance, individual reputation based: one person vouches for another's identity
  • New PKI GPG: Web of Trust vs Chain of Trust

Public-sector-line would be much deeper. At the nation state level I do have a passport and it is accepted anywhere I go.

At the public layer of IDM I had "to go back to the wild west".

To do something in the US you need a US license.

You could use a UK-Identifier or an Estonian passport to identify in the US.

At a policy level there needs to be only one executive order which says that the US doesn't recognize anything from Estonia anymore.

While architecting our systems we should decentralize identity federation.

We have the responsibility to design the identity systems.

If many people vouch for me, then the confidence-level will be higher than if only one does (E.g. Web of Trust).

We should not invent a punishment system because that would be abused by many.

"Underground Federated (decentralized) Identity"

It is also a federation of higher trust IdP.

If the IdP goes corrupt, you lose the whole tree under the IdP.

How are we robust against these attacks?

Against corruption: multiply identities for IdPs

If one of them falls I will still be known by the other IdPs.
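
As an added illustration of the two points above (more vouchers raise confidence; a corrupt IdP takes its whole tree with it), the following sketch, which is not from the session, counts how many vouching chains reach a person without sharing any IdP or voucher. The names, the sample attestations and the choice of node-disjoint chains as the confidence measure are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: (voucher, vouchee) attestations; idp_* are the anchors a verifier trusts.
VOUCHES = [("idp_a", "alice"), ("idp_a", "erin"), ("erin", "alice"),
           ("idp_b", "bob"), ("bob", "alice"),
           ("idp_c", "carol"), ("carol", "alice"),
           ("idp_a", "dave")]
ANCHORS = {"idp_a", "idp_b", "idp_c"}

def independent_chains(vouches, anchors, subject, revoked=frozenset()):
    """Count node-disjoint vouching chains from trusted anchors to subject.

    Each party is split into in/out nodes joined by a capacity-1 edge, so a
    single IdP or person can carry at most one chain (unit max-flow).
    """
    cap, adj = defaultdict(int), defaultdict(set)

    def edge(u, v):
        cap[(u, v)] += 1
        adj[u].add(v)
        adj[v].add(u)  # reverse direction for residual capacity

    live = ({p for pair in vouches for p in pair} | set(anchors)) - set(revoked)
    for p in live:
        edge((p, "in"), (p, "out"))
    for a, b in vouches:
        if a in live and b in live:
            edge((a, "out"), (b, "in"))
    src, dst = "verifier", (subject, "in")
    for a in set(anchors) & live:
        edge(src, (a, "in"))

    chains = 0
    while True:
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:  # BFS for an augmenting path
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return chains
        v = dst
        while parent[v] is not None:  # push one unit of flow along the path
            cap[(parent[v], v)] -= 1
            cap[(v, parent[v])] += 1
            v = parent[v]
        chains += 1
```

In this sample alice is reachable through all three IdPs and stays known if idp_a is revoked, while dave, who exists only under idp_a, disappears with it; erin's vouch adds nothing because it hangs off the same IdP.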

IdPs hierarchy of identities

University able to federate identity outside national community.

Is a national IdP not just a walled garden? (Chinese, North-Korea, Iranian, ..). They do WIFI-P2P-Network Connections.

P2P-Identity? Web of Trust-Identity? We have PGP to do this. You can trust the keys by a chain of trust (personally asking) of E-Mail-Signature.

What would a P2P-Identity-Network look like?

The problem is that you've got to have at least a masters-level to install this stuff. The machine cannot install PGP with the people's keys on its own.

  1. One problem with Signal: centralized server (but it supports decentralization). Snowden's answer to WhatsApp etc. = Signal from Open Whisper Systems. Signal app: secure WhatsApp alternative. They see only who is talking to whom.

Is XMPP (Jabber) not more decentralized? OTR (Off-the-Record) is just an encryption layer above XMPP.

  2. How to make the attestation process simple?
  3. An online repository of keys

The government is not allowed to see what we do (not quite exactly what has been said).

We need a federated ID-System that also works in Iran.

If someone controls the underlying infrastructure, it is extremely open to attacks.

War-scenario

How do I find enough people to vouch for someone to say that he is not a bad guy?

Running our own infrastructure? Web of WIFI-Networks. Not secure by default.

  1. How do I make myself anonymous?
  2. How do I get recognized?
  3. Use another country's network

In the Middle East they use infrastructure from abroad that can be trusted so that they can build something for their own country, where the infrastructure cannot be trusted. Anonymous in the country, not anonymous outside.

If there is no access to a central server which has stored identity-information it gets quite hard to prove someone's identity.

Natural disaster

  • First responder use-case
  • How do we establish credentials if everything is unknown? Someone could vouch.
  • "6 degrees" of Kevin Baker
  • Decentralize an ORCID ID?
  • Education would benefit from federated systems.
  • There is ORCID which tries to do that.