enisa

At the joint conference of ENISA and EEMA I not only had the chance to present our initiative GenericIAM but also to attend several workshops and round tables on selected topics from the information security field.

Although I attend several conferences and less spectacular events, I have seldom come across expert communities with a comparably high level of expertise. Many of them have a long record of intensive work at the very forefront of secure electronic communication.

They take their job seriously and try to come up with good results, no, even with excellent results. And perhaps that's the fault. Why? Well, excellent sounds like near 100%. And everybody dealing with security knows that 100% means it can't be done as long as humans are involved - at least those still alive.

A discussion on electronic identity cards, for example, revealed the full colourful picture of European differences and peculiarities - as expected. I further expected that, following the very European principle of subsidiarity, these local solutions would be mutually accepted. As Dr. Ingo Neumann from the German BSI pointed out: in the physical world we do have valid and mutually accepted documents - passports and national ID cards. Why can't we transfer this principle of mutual trust to the electronic world? In addition Anthony Whitehead from NordicEdge, a British citizen living in Sweden, demonstrated how easy this can be - by presenting his Swedish driving licence, Swedish ID card, credit cards and more. The Swedish authorities simply trusted his British passport.

Instead a long discussion raged on the unification of the different levels of trustworthiness of the national enrolment processes for identity documents. Obviously this can't be successful - at least on short timeframes. Why can't what we practise in the physical world work out in the e-world? Because here we traditionally and intuitively take a risk-based, risk-balanced approach. Life is risky and will stay risky - at least as long as it lasts. (Afterwards the situation improves quite a bit!)

But there was an example demonstrating nearly the opposite danger: it might not always be a good idea to transfer physical objects to the e-world unchanged. As a special indication Ulrike Linde from the Association of German Banks mentioned that according to German data protection law the date of birth must not be on the German eID-card. But as banks require it, you would not be able to open a bank account with an eID-card, whereas by means of its paper equivalent you can. According to Kim Cameron's Laws of Identity (who by the way showed up at the same conference as well), banks shouldn't be interested in our age anyway - just in the information that I'm over 18 years old. But that's another story.

Another question may have even more impact. Why should this information be on an eID-card anyway? OK, I understand that in the physical world there was no other way to deliver this information in a comparably trustworthy manner.

But in the e-world? Wim Coulier from the Belgian Certipost gave a good example in his short presentation: an electronic identity reduced to its identifying nature without any additional attributes. Whenever these attributes are requested, e.g. for opening a bank account, the attribute provider can decide to deliver them to the requester, a principle well known in the user-centric identity movement. Here the user decides whether it is worth disclosing the information - well, who else?

So the question arises: how much information should an identity carry? Not too much, I would say. It could otherwise unnecessarily disclose information. It could conflict with national data protection law. It could become difficult to agree on the appropriate set of information, resulting in turn in an unnecessarily high need for identity federation, and so on.

Following Occam's razor and taking it to the limits, the eIdentity should be reduced to its bare identifying nature.
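The bare-identifier model from Wim Coulier's talk, combined with the "over 18" point above, can be sketched as follows. This is an added example, not code from the post or from any of the speakers; the class, the claim name `age_over_18`, the identifier `eid-0001` and the sample record are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample record held by the attribute provider, keyed by the bare
# identifier. The eID itself carries nothing but that identifier.
RECORDS = {"eid-0001": {"date_of_birth": date(1980, 3, 2)}}

def age_on(dob, today):
    # Full years completed on `today`.
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

# Derived claims answer a yes/no question without releasing the raw attribute.
DERIVED = {"age_over_18": lambda rec, today: age_on(rec["date_of_birth"], today) >= 18}

@dataclass
class AttributeProvider:
    records: dict
    consents: set = field(default_factory=set)  # (eid, requester, claim)
    audit: list = field(default_factory=list)   # (requester, claim, outcome)

    def grant(self, eid, requester, claim):
        # Recorded on the user's instruction: one claim for one requester.
        self.consents.add((eid, requester, claim))

    def request(self, eid, requester, claim, today):
        rec = self.records.get(eid)
        known = rec is not None and (claim in DERIVED or claim in rec)
        if not known or (eid, requester, claim) not in self.consents:
            self.audit.append((requester, claim, "denied"))
            return None
        value = DERIVED[claim](rec, today) if claim in DERIVED else rec[claim]
        self.audit.append((requester, claim, "released"))
        return {claim: value}

def demo():
    ap = AttributeProvider(RECORDS)
    today = date(2007, 6, 15)
    before = ap.request("eid-0001", "bank", "age_over_18", today)
    ap.grant("eid-0001", "bank", "age_over_18")
    after = ap.request("eid-0001", "bank", "age_over_18", today)
    raw = ap.request("eid-0001", "bank", "date_of_birth", today)
    return before, after, raw, ap.audit
```

The bank learns only the yes/no answer it was granted; the date of birth stays with the attribute provider, and every request leaves an audit entry.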

Every answer just raises the next question: What should this natural set of identifying data be like? "Excellent question," the hard-nosed salesman would reply. But there is a natural unique set of data: remember when you were baptised or just given your name. It was done with the idea in mind of being able to uniquely identify and address you. The name should be yours and unique in the personal context.

This context is the key, of course. It is made of time and location: the moment of birth in your local context. So the natural GUID is composed of name, time and the regional context (city, town, village, …). OK, I understand. It is not that easy: the idea might be compelling, but fixing the local context is the weak point, as it doesn't map to the local birth registration office - at least in many cases.

But back to the minimal identifying data set: I once wrote that there is a mismatch between the natural perception of the word "identity", which indicates the sameness of two things, and the use of the term "digital identity". Perhaps this is the reason why Kim Cameron interdicted the use of the term "identity" internally in his team. It only causes confusion.

In the natural perception a human can only have one identity; everything else is schizophrenia. Whereas in the digital world - there is a broad consensus - we can have several "digital identities". But the relaxed view on having multiple identities is in danger. Biometrics has the potential to damage this consensus, as it will uncover duplicates - even if they are considered tolerable.

It will push for the use of a GUID instead of just an ID. But in this case the Identity must not carry any additional attributes besides the pure identifying information itself.

Posted by Horst Walther, Fri June 15th, 2007 to the GenericIAM Blog

Horst Walther, Hamburg