Lockstep Technologies MDAV Architecture (0.4.3), V0.4, October 2016.

Executive Summary

The Mobile Device and Attributes Validation (MDAV) project is implementing a new method to present personal attributes in a secure manner with minimum disclosure of ancillary personal information of an attribute holder.   The method is especially well suited to use cases where a Relying Party aims only to verify a specific thing about a Subject – in the MDAV use case, a First Responder’s emergency work qualification – and the issuer of that qualification. Lockstep Technologies has researched and developed a way to use anonymous or pseudonymous digital certificates to hold an attribute each, devoid of extraneous PII, and arrange for the certificate to be signed by or on behalf of the attribute issuer or credentialing authority.
The MDAV solution is aligned with a shift in focus in the identity management industry, from personal identity to concrete attributes.  There tends to be more interest now in what someone is rather than who they are.  The MDAV architecture is based on using public key certificates to hold such attributes, rather than identifying information per se, and to use digital signatures to bind those attributes to transactions, as a way of presenting the certificate holder’s credentials.  Certificates will be managed in a digital wallet app on a mobile phone.

This detailed architecture paper is a deliverable of the first “viability” phase of the MDAV project, and forms the basis of a second “execution” phase.

Acknowledgement

The Mobile Device and Attributes Validation project is funded by a Department of Homeland Security Science & Technology grant. The work is conducted by Lockstep Technologies under the auspices of the Kantara Identity and Privacy Incubator (KIPI) and the Command, Control and Interoperability Center for Advanced Data Analysis (CCICADA) at Rutgers University.

Extracts

Vision

MDAV represents a prototype of a new type of infrastructure for identity and access management (IDAM), one that provides for authentication of context-independent attributes with widely understood meaning, instead of abstract identities that are only ever understood locally.  MDAV enables wallets of personal details to be managed through a mature PKI-based system of vouchsafing precise attributes and conveying their provenance in digital certificates.

Such wallets will be able to:

  • present important identifiers like health IDs, Social Security Numbers, customer reference numbers, and account numbers
  • anonymously assert personal attributes like proof of age, location, residency, health conditions, and insurance status
  • demonstrate verified facts about the wallet owner such as date of birth, residential address, passport number and so on, to meet Know Your Customer rules in banking
  • interoperate with a free marketplace of Attribute Authorities which can compete to provide notarised details about individuals
  • show the authority that issued or vouched for the attribute, allowing RPs to distinguish “secondary” sources from “primary” or authoritative sources of information
  • self-assert attributes such as social network handles
  • verify the originality and integrity of attributes in offline and occasionally connected environments
  • be strongly auditable
  • be processed quickly with de-centralized, lightweight and standards-based software modules
  • leverage the native cryptography in modern smart phones, smartcards, and future IoT devices.

PKI configuration

The core innovation in MDAV is a re-configuration of standard PKI digital certificates.  Stepwise capsules embody a new way of thinking about authentication and PKI certificates.  Instead of loading a certificate with personal identity, we store one specific attribute in a special purpose certificate or capsule, issued to a device under the attribute holder’s control.  A strong logical triangle is formed, joining the person, their device and the attribute, baking in the provenance of the device and the attribute issuer.

When such a certificate is used to verify a digital signature, the Relying Party is assured of the attribute and its provenance, without disclosing excessive information about the attribute holder. A signature verified by an MDAV certificate evinces that the signer was in control of a device carrying the associated key, and is therefore authorized to present the attribute concerned.

Relationship Certificates

MDAV makes use of a novel configuration of otherwise standard Public Key Infrastructure, and digital signature capabilities in modern mobile phones to encapsulate personal details in anonymous or pseudonymous digital certificates.

Conventional PKI certificates act to bind an identity to a public key (and hence a key carrier like a smartcard or mobile device) for “authentication” purposes.  Additional “authorization” of an individual under Attributes Based Access Control requires that attribute information be additionally bound to transactions or challenge-response handshakes.  At one point in the early stages of PKI practice, special purpose X.509 “Attribute Certificates” were used for this purpose, and we bound to messages before being digitally signed using an “general purpose identity certificate, being a public key certificate.  The original “Attribute Certificates”  did not hold public keys and could not be used directly for digital signatures.  They proved difficult to implement in practice, largely because there was no standard way to include them in the payloads to be digitally signed.

Circa 2006, Lockstep Consulting and the Australian Government developed the concept of “Relationship Certificates” for conveying context-specific information about users, instead of general identity [1][2].  Relationship Certificates express a relationship between a Registration Authority (RA) and a certificate subject, such as membership of a, community of interest.  Where such membership is subject to formal rules and represented by a membership number or similar, unique on the domain of the community, then a Relationship Certificate can be used as strong proof of membership, and by extension, of authorization to act according to those rules.

Relationship Certificates are not intended to identify their holders per se but to authorize them in the context set by the issuer. Relationship Certificates have been successfully implemented by Medicare Australia [3] and have become dominant in Australian healthcare PKI.

MDAV certificates are a form of Relationship Certificate, issued to support AttribuTE Based Access Control and authorization.  The meaning of an MDAV certificate is nothing more and nothing less than the fact that the holder of the matching private key has the named attribute, according to the issuer which signed the certificate.  It is expressly assumed in the architecture assumed that that a Relying Party is able to reasonably determine the authorization of an MDAV certificate holder to perform duties in a specific context based on little nothing more than the holder’s ownership of an attribute value.