KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
|
Blockchain is everywhere, and blockchain promises to solve any kind of problem, including that of the digital identity. This presentation will take a critical look at the promises, and look at possible scenarios for identities on the blockchain, as well as why this may not be a good idea. |
|
Blockchain is everywhere, and blockchain promises to solve any kind of problem, including that of the digital identity. This presentation will take a critical look at the promises, and look at possible scenarios for identities on the blockchain, as well as why this may not be a good idea. |
Okay. I guess this is the worst lot over day, right, right after lunch. Everybody's cool. Everybody's sleep is over. Okay. I'll try to, to keep it weekend. Lot of talk about blockchain this morning, lot of interesting information. I had some good discussions in the breaks and so on, on blockchain. And it's also topic that I talk about.
However, I felt there was too much positive on the blockchain. So I felt maybe I needed to, you know, keep someone other side of the coin as well. I come from an identity background. So I of course look at everything, including blockchain from an identity perspective. And of course that's what I'm gonna be doing here as well. So I be looking first at a digital identity. I'll give all your, my perspective of blockchain and please arrest me if I'm wrong on that. I'll look at how you can handle your identity and blockchain will. And part of that, and I'll end up with quick summary.
So first of all, what is a digital identity? We talked about digital, right? Or in general you could ask questions, identity.
I mean, it's a difficult question. I mean, from AKI, it says it's a, it's a information used to represent something personal organization or something. Or the ISO definition says it's a set of attributes, set of attributes, identifying me as a person. Right. And if we take the last one and see, okay, what are these attributes that represent me? There are some static attributes that never changed or almost never changed. Like my name, oh, I can't change my name. And in general it says the same. My date of birth, of course, that's static in countries. I come from Norway.
So in, in my country we have a social security number that's issues. When you are born, that's pretty static. And a place over is also you, some bio properties, like your retina, your fingerprint, something that sort of defines you as a biological individual. Some what I call semi state, like your email, your phone number Analyst. I've had my phone for, I don't know how long I have a Gmail address that I had for a long time. But then again, you also have email addresses. You changed depending on your employer. And then you have these sort of in between static, semis, static, the social media.
I mean, we keep them over a long time. The ID could be the email address, but it could something be something else could have these IDs. Then of course you have the typical, very dynamic one, like your address, you move around, you have a credit card number, your SIM card ID. Then of course you have your relations, what companies you are affiliated with, what people, you know, be related to and about to prove your identity, to prove who you are. You present some of these attributes to show your right identity, right?
And if I present enough of these attributes, well, I can convince you, Hey, this is really, you know, somebody else, they identity attributes are power individual. I mean, they are my, they are my activists. They're different from ice or marks or whatever's attributes. They're about an individual. Nobody should able be able to change them. And they're sensitive. That's a very important aspect with attributes. They are sensitive cause it's somebody, you know, gets access to all my attributes they can. So how do I prove who I am?
Well, this is a typical way, right? We get a passport. The government has stopped some of these attributes into passport. In addition added by passport number and some things that can look issue. And you present this document to somebody to prove who we are, right? You do that at border control. You do that. If you're asked to identify yourself, you show this document and that gives away a number of these attributes that are stored And how do we do this digitally or pretty much the same way we pass over all these attributes.
I need digital to prove to a new bank, new organization who I am, and I send them all these attributes as proof of who I am, including critically a copy of our password, Which of course ends up with this situation here where my identity attributes are spread all over the place. Of course my government, in my case, Norway has issued a lot of them and they have them, my bank, all my banks have them. Of course the social media have them a lot more.
Of course, that we're talking about the identity attributes, et cetera, health insurance, web stores. So I have these attributes spread all over the place. And of course that's a challenge. If there's a breaking in one of these places, my identity attributes are over place. So the weaknesses with this model is too many copies of my identity information, right? All these parties hold these identity information. And as mentioned, if they're exposed well, there's a risk of identity theft, which is a big problem.
I mean, we had Equifax, such small model data and too many know too much. Well do all these parties really need to store all this information. Do they want to store it?
I mean, now GDPR is coming feeling really high requirements on how you handle your private data. Of course, there's the thing there organizations they want to know a lot about before marketing, but then again on the GDPR side, well they need to be careful on what they collect and how they use it. And you might sent to. And also another thing is that challenge, which is, you know, not really for me and I guess for most of you that they are validated or attested by a single entity.
The government had issued my identity, which in my case, coming from a country where I trust the government, not a big problem. And we know which trusted people, we trust everybody. So that's not a big problem, but the whole world doesn't look like that.
I mean, if you look at the ID 2020 product, trying to, you know, embrace the billion people without an identity, you have a challenge and you have all the countries as well. I mean, I even look at, we are doing some research on identities in Europe and just looking from the numbers we collected on that research, it looked like Germans didn't trust the government German. I dunno if you can confirm that or not. But anyway, it is a challenge that the attributes are then, you know, tested by a single entity to the government.
And if your government is overturned, we're taken on by another government. What happened to the people? And especially if you want to, you know, isolate some group or ethnic people, you can have a challenge. Okay. So I'm coming back to the entities. Let's just do, do my little look on, on blockchain. And I normally give out a little warning. There are a lot of what I call new Asian blockchain leaders. There's a lot of hype around this. As you all know, it's being hyped unlocked, it's gonna solve all kind of problem. And I guess this is one of my favorite slides.
I'm just gonna leave it up there. And these are actual quotes of everything that blockchain can do for you. And sometimes when I read about, you know, challenges that gonna be solve by blockchain, I get sort of these kind of impression.
I mean, if you have a hammer, everything is a name, right. You've seen block, okay. Blockchain solve it. And I'm missing out some of the critical questions, right? It's something like you. Okay. Yeah. We're gonna solve this using blockchain. Okay. That's fine. Instead of start asking, okay, what's it going do for him?
Well, blockchain is a data store. And I can't remember to say this, but somebody said, it's the worst database ever. It's slow. It has limited storage and it's expensive. So I use blockchain.
I mean, now I've, you know, said all this bad things. Of course, blockchain has some very interesting properties. And of course it has some very interesting usage areas. The I immutability is very important. You cannot believe or modified data. And in the cases where you really need that, well, blockchain is fantastic, right? It's distributed data structure does not require the central resource doesn't mean you cannot have one, but you can set up a network without a central problem.
And it's also double spending problem, which of course is, was something that was a big problem for a long time, but really has solved. I can't spend my same cyber coin in two places. Or if we use blockchain to whole properties, for example, I can transfer my property to two different people can only be transferred to one. But I think the bottom line is don't use it if you don't really need these properties. If these are the properties you need, well fine.
I mean, any kind of ownership, somebody said that blockchain is a history of ownership, which is fine, but it doesn't solve all kind of problem, which hasn't been mentioned earlier as well. David Birch said what's in the blocks. That's the important question. That's what I always ask. When I come into projects, somebody talks about, yeah, we're using log check. My question is okay, what's in the blocks. What you store in that block check. And I think that's important because that really answers a lot about the project. Many cases that person has, will have no idea at all.
Then you need to find somebody else desk on That. Okay. So that was, you know, my high level view on a blockchain are very high level. Back then to the identity in for sharing as mentioned, I share too much information for too many. I want to limit that sharing. Why am I need to provide all this information to everybody? If I'm gonna buy alcohol or something that has an age limit, why do I have to provide more information than that? That double Right? There's no need.
I mean, we're so used to using the physical I cards, right? So when I go to the store, buy beer, I'd ask for my identification. And I show my ID card, which is in general, not a problem because it's a person looking at it and just verifying, you know, my data work is before a certain time and the person doesn't remember anything. But when I do this online, of course, all that information is gonna be kept. So I want a mechanism where I can only show I'm operating. I'm allowed to do this, or I'm allowed to drive a car. You don't need to know I renting the car.
I just need to prove I'm allowed to drive one or that I work for CIG cash or that I'm an Norian citizen, whatever. Just prove some specific thing without giving away anything else. And then the one side I want to share as possible. And then from the GDPR perspective, I, this my take on this as providers, they don't want the responsibility of storing all this information As mentioned. Typically attributes are attested by the government I have in my passport. These proved attributes on the, on the top left there, my face, my name, my social security number.
If I have one, the government check knows who I work for and what my address is. So I have this tested by a single entity. So how to get around that?
How can I, the challenge where I will not depend, I don't want to depend on single authority. I want to have multiple. And of course, nothing prevent me from having setting up a system where each attribute can be tested by multiple entities. Right?
My name, well, lot of entities can watch many by name, my trustee, right? You know, Annie, I can go to my employer.
It can, you know, attest to it, to my friends, et cetera, my telco and the same with these other attributes. And this is a way to avoid that single point of dependency or attributes. I set up a system where I have an attribute, my name as, Hey Mike, can you test?
Yeah, you can hear, this is what you say. Can do I go to my bank?
Say, can you test? I have lot of different ATEST ATEST on my, my attributes. And then I avoid a single point of dependency.
Of course, we run into a new charge. Who do I trust? Do you guys trust Mike? When he says so generic, right? And how you check that? And I often find it comes back to an issue of trust. That is a challenge. So we're gonna storing all these attributes. Then I want to have something. I call it an identity world. I want to have some place to store this. Okay. I have all this attributes. Now I have in my tested by Mike and my government and my et cetera. And I want to store them somewhere, somewhere safe. I want to have a way of storing them.
So I don't have to expose all of them at the same time I can select, okay. I only need to prove my name. I can do that to one single person to one single organization. I want to prove that I'm over operating, but I can do that. I don't have to expose all the information. So have this done encrypted storage, where I keep all these attributes, there are a tested and make sure that it's tested so somebody can verify it's managed by me and I can share. S sounds pretty good. Right? So then the question is where do I store this wallet? Because it stored somewhere. It needs to be available.
And of course the first answer is blockchain, right? You store it on the blockchain. You have that available. It's secure. And then I can, you know, show single attributes and you can trust that. But I don't think so. Can you put sensitive data with blockchain?
Of course, the answer is no, you cannot. You have combination of blockchain where data is never removed. It's there. And forever created a long time and you have encrypted data and encryption algorithms will be blocked, right? If you store your data in the database, what you do when you see algorithms are the process of exploring. It's not like they bring overnight, but you see that they're over time. People expose, well, you re-encrypt your data, but how you do that in the data store where you cannot change anything you just add on to music, which means eventually the data will be exposed.
And you don't know when that is. You only know that it be exposed. Maybe there's a mathematical breakthrough next week, but break some of the algorithms. Maybe there's a technology breakthrough, quantum computing, etcetera. So you know that you cannot store sensitive data. Okay? So that's not the place to store. Of course we could store a hash of the data on the launch, but of course we could fall the same.
Well, hash S are eventually broke. Will it at one point, if possible, to generate data that matches existing hashes. Yes it will. And then you may run into similar kind of problems.
And again, because you can never delete anything. And again, storing a note, blockchain would only prove the existence, not the right. That's why you need still need the at the station. So you could prove that your data exists. And also it could simplify the zero knowledge proof example, proving one, single a without exposing my identity. So there are some interesting ways of doing that. Who would running, such be running such a blockchain?
Well, anybody wants to run a Bitcoin and note, right? Because if you buy a block, you get money. Or if you do some transactions, you get money who would want to set up notes for running an identity, blockchain what's in it for who would pay, who would be paid for doing this? And how would you price this information? And also I question, okay, self sovereign identity. I'm in control of my own. I control if I had the key, etcetera, do we really want that? And are we able to do that in general? A lot of people have lost their key to their Bitcoin board. And of course lost a lot of money.
Everybody has heard about some, I guess I'm not the only one that lost my PGP private key access to my private key and thereby lost data that I'm encrypted actually read quite interesting article that said, do not encrypt your data. We're so used to there somebody to help us, right? If I lost my password to a website or do I click, I click on recent password, fine. If I break my key to my, my door, I lose my, you know, key to access to my house. Will I just call somebody?
Well, if I use strong encryption here and I lose my, my encryption key, who do I call? There is no. Or this should not be any backdooring this encryption on Christmas. What about responsibilities? Right? Let's talk about, well, I store this wallet on my cell phone. Okay. Only on your cell phone. What about backup? What about data? Breaches and responsibility. What about legal disputes? When you are pretty much on your own in general, as a person, I like to have somebody to call. If I have a problem, That's a third party then again, who do you trust with your life? Right.
To store all this sentiments. Would I want Facebook to hold my identity all?
No, I don't think so. Google, not sure by government well being innovation. Yeah. I would do that for my bank, but I guess there will be different answers to that. So this is a conflict problem, right? I want to have all these, so I won't have control them, but I don't want have the responsibility of that control. Cause I need somebody to call if control them. I want somebody to, to call if there's a dispute, if we get their agreement, disagreement or something. So to summarize the challenges with this ideolog, where is where you store it, how do you keep it safe? Who do I call?
If I have a problem, responsibility and liability. If the data from my private wallet is accidentally exposed, am I then liable to Sue myself according to GDPR? And what about trust? What's the trust model, Especially If you have a public blockchain, what's the trust model, blockchain again, blockchain for identity that is who would run this kind of blockchain. If the private key is compromised, of course my identity exposed could big data and analytics on a blockchain be used for exposure.
I dunno, guess nobody else knows either. And who's the data controller who's liable. If there's a problem. Blockchain is interesting. I've talked it down a little. I look from the perspective, I'm trying to get some real to, to some discussion, cause there's so much over overlap, but it has some very interesting properties.
And I, I definitely see that, but from an identity perspective, not so sure data exposure is a time, of course. And I think also with identities, the actual storage is the easy problem. We have all these liability. We have to trust issues, everything around it, which shall be context. So I'll leave you with this quote from the Coca green or the ID 2020 product. Guess you all familiar with ID 2020 briefly mention it about getting identities for older people that cannot prove their identity basically saying, well, maybe there is no technology. Maybe there is no permanent solution Personally.
I, don't not really sure blockchain. Well, it's not the solution by itself. It may have some important roles in there, but this is a difficult problem. All right. Thank you.
Well, thank, thank you very Much.
