Why Isn’t Identity Easy?
Mobile credentials are easy when they’re not conflated with “identity”.
This is a written summary of my speech at this year’s Identiverse conference.
From the beginning of e-commerce, we have tended to complicate “digital identity”. Its relationship with “real” identity has never been clear, and loosely defined metaphorical efforts like “electronic passports” have never fixed liability. The Anglophone (Five Eyes) countries have no tradition of National ID; occasional proposals have been roundly rejected by the public, which has poisoned most of the discourse of identity capability building. Private sector initiatives in the banking and technology sectors (e.g. Identrus and Infocard) came and went. British and American efforts at grand public-private federations attracted very few Relying Parties (despite the urgency of better identity) and spawned no commercially sustainable identity businesses. Scandinavia and the Baltics have seemed successful with multi-purpose digital IDs, but these are backed by specific legislation. A few free market identity frameworks remain in development in Australia and Canada. Progress has been disappointing and their futures remain uncertain.
The hottest developments in digital identity today are not about identity! Instead, Verifiable Credentials are digitally signed data structures which convey details of the credential issuers and other conditions specific to different use cases. Verifiable credentials are bound to cryptographic keys controlled by the credential holders, so they can’t be copied, spoofed or counterfeited. Fresh verifiable credential standards are being developed that update earlier PKI certificates. Multiple credentials and identifiers can be conveniently carried in personal data wallets or data carriers, which ideally feature secure elements to house the all-important private keys.
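The key binding described above can be shown in a few lines of Go; this is an added illustration, not code from the talk or from any Verifiable Credentials standard. The `Credential` struct, the `Issue`/`Present`/`Verify` names, and the choice of Ed25519 over a JSON encoding are all assumptions made for the sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is a constructed, simplified stand-in (not the W3C data model).
type Credential struct {
	Issuer    string `json:"issuer"`
	Claim     string `json:"claim"`
	HolderKey []byte `json:"holder_key"` // binds the credential to the holder's key
	Sig       []byte `json:"-"`          // issuer signature over the fields above
}

// Issue signs the claim together with the holder's public key.
func Issue(issuerKey ed25519.PrivateKey, issuer, claim string, holder ed25519.PublicKey) Credential {
	c := Credential{Issuer: issuer, Claim: claim, HolderKey: holder}
	body, _ := json.Marshal(c)
	c.Sig = ed25519.Sign(issuerKey, body)
	return c
}

// Present proves possession of the holder key by signing the verifier's fresh nonce.
func Present(holderKey ed25519.PrivateKey, c Credential, nonce []byte) []byte {
	return ed25519.Sign(holderKey, append(append([]byte{}, nonce...), c.Sig...))
}

// Verify checks the issuer's signature, then the holder's proof of possession.
func Verify(c Credential, issuerPub ed25519.PublicKey, nonce, proof []byte) bool {
	if len(c.HolderKey) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on malformed keys
	}
	body, _ := json.Marshal(c)
	if !ed25519.Verify(issuerPub, body, c.Sig) {
		return false // forged or altered credential
	}
	msg := append(append([]byte{}, nonce...), c.Sig...)
	return ed25519.Verify(ed25519.PublicKey(c.HolderKey), msg, proof)
}

func main() {
	issuerPub, issuerKey, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderKey, _ := ed25519.GenerateKey(rand.Reader)
	c := Issue(issuerKey, "Example Issuer", "member=true", holderPub)
	nonce := make([]byte, 16)
	rand.Read(nonce)
	fmt.Println("holder presentation accepted:", Verify(c, issuerPub, nonce, Present(holderKey, c, nonce)))
}
```

A copied credential fails verification because the copier cannot sign the verifier's nonce, and an edited claim fails because the issuer's signature no longer matches.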
In digital life and work, we need to show things about ourselves, typically discrete pieces of important data, backed up by metadata that proves origin, Ts&Cs, regulatory commitments, consent and so on, depending on context. If we generalise from credit cards (including terminals, data carriers, standardised contracts and service providers), we could build truly global infostructure for verifying everything we routinely need to know, with provenance and fidelity.
The payment card processing networks provide a wonderful precedent. Not only do they show how attributes (in their case, account numbers) can be presented and validated, instantly and easily, anywhere in the world, they also show how verifiable data sharing could be delivered on a commercially sustainable basis in a network business model. Cracking the two-sided market has been the Holy Grail of digital identity for decades.
In conclusion, we in the industry have made digital identity hard by solving for the wrong problem! Personal human identity is always going to be rich, relative and analogue but the challenges in the digital domain boil down to trustable data. We know how to solve for data reliability, by blending cryptography and governance. Our industry has been evolving and shifting focus from identity through attributes to arrive now at Verifiable Credentials. Let’s keep up the good work, let’s be clear about where actual identity problems lie, and use our tools to build infostructure for verifiable data across cyberspace and the digital economy.