Identity fraud hits mainstream news agenda

I think the joined up thinking was basically PKI, but like X400 for email, it all got just too complicated to practically deliver.  Sometime, somewhere, we will need Certification Authoritys that we actually trust to tell us who people are.

There is a category error in many of the calls for a single global identification system.  We need to be careful about what is meant by "identification". 

There are several weaknesses in the way we go about "identifying" people: some fraud happens by false registration, and some happens by co-opting digital identities after they've been issued.  The latter is far more prevalent ... because it's so easy.  Why go to the bother of opening a fake credit account when I can steal the identifiers for an existing account and replay them in CNP fraud? 

And so a single global digital identity might be disastrous if it weren't vastly more secure in respect of counterfeiting and replay attack.

I urge a careful revisiting of the identity problem.  By and large, we do a good job of identifying people in the real world; there are abundant and effective measures for verifying identity when opening up new accounts.  But then we do an awful job of protecting the digital identities used to exercise our accounts on line.  So I would like to see standardisation of the authentication technologies.  Today we have a crazy profusion of divergent, awkward, novel and imperfect ways of proving ourselves online: one time passwords, CAP readers, visual puzzles, grids, biometrics etc etc.  None of them directly protect the integrity of digital identities, so they're all vulnerable to some degree to replay and Man in the Middle attacks.

John Dring is quite right that Big PKI proved too hard.  Largely that's because it was trying to build something we don't really need: a global identity. As John says, we need to revert to authorities that are already trusted to issue identities.  But we also need to stick to our knitting, and not have existing identity issuers overstep.  Despite what federated identity proponents would have us believe, the identities issued by banks (accounts) are not the same thing as the identities issued by retailers (customer reference numbers) or by governments (social security numbers, Medicare numbers, tax numbers).  Identity silos emerge for a reason: digital identities are actually proxies for customer relationships, and these cannot be mixed up without radically altering business rules and liability arrangements.

It would be a huge breakthough if we simply preserved the existing business processes for issuing identities to customers, and concentrated on conveying those identities using non-replayable authentication technologies.  That's where PKI does come into play.  PK technologies let customers present the right digital identity in each different context, and bind it to the transactions so they cannot be replayed or counterfeited.

We could use the same methods and user interfaces for conveying identities globally, without forcing people into just one identity.  We do this now: all magnetic stripe cards and all phones work the same way worldwide, but we don't have a single phone number or a single bank account.  Equally, with smartcard and smart phone technologies, we could provide people with a universal online authentication experience based on non-replayable PK technologies, while preserving their real world relationships and business processes.