Digital Identity Management
The issue of Trust and the role of Trusted Third Parties
Having an identity is a foundational human right
From birth to death, each individual human being is unique and at the same time bears equal dignity and rights with their congeners. For this reason, each individual human being needs to be differentiated. This uniqueness is established by law and follows a protocol that starts by registration at birth. Registration at birth is at the same time a right and an obligation. A right to the individual, an obligation to the State. State asserted identity consists of a set of personal data, normally name, date and place of birth, sex and parents. It also consists of some kind of credential that proves the identity. However, there are well documented state malfunctions that fail to provide a 100% coverage of birth registration in over 110 low and middle-income countries in the world1. As a result, an estimated 1.1 billion people living on earth possess no legal identity, which is roughly 14 % of all human beings on this planet. This is a serious problem, as having an identity is the foundational human right from which other rights originate. The right to education, health, justice, political participation and so on emanate from having a recognised civil status as a citizen. International governmental organisations, led by the World Bank, follow the state of birth registration and the processing of vital statistics as a means to good governance and provide valuable data on progress to be made2.
Digital Identity, the last frontier of Internet
Digital identity is a complex, critical and unresolved issue in the digital world. Internet security and the enforcement of the right to privacy depend largely on it.
For a wide-range of purposes, Internet functions as a space where individuals can assert their own identity, remain anonymous or use pseudonyms, without being obliged to use their real, civil identity, in the presence of a third instance that validates it.
In fact, the notion of digital identity is obscure (read more). The Boston Consultancy Group on a recent study (The Value of Our Digital Identity) provides this definition… all the bits and pieces of information about us that are readily and increasingly available in digital form; data that is collected and analyzed to create a surprisingly accurate, and ever-improving, picture of who we are, what we do, what we like (and what we dislike too)”… adding… “irrespective of its degree of validity, its form and its accessibility…”.
However, the aggregation of personal data, part of which is confidential and private, does not constitute a proof of identity in a legal sense.
The focus of the OISTE Foundation is pure identity, more specifically: certified digital identity.
A secure, verifiable, authenticated, legally valid digital identity requires a set of hardware, software, people, policies and procedures whose aim is to create trust in electronic transactions and communications. Data confidentiality, data integrity, authentication, and non-repudiation are the end results of a series of operations that take place within a public key infrastructure (PKI). A PKI is at the base a mathematical tool (see cryptography) that allows a “protected” exchange of information between two or more entities (people and/or objects), which cannot be tampered with. The goal sought is to guarantee that the two end points of the communication are who they really are from a legal point of view. When this happens, there are digital certificates that are exchanged. In other words, a digital certificate contains a legal guarantee that the identity is reliable.
The OISTE Foundation owns a cryptographic root upon which a public key infrastructure (PKI) is operated. The OISTE Foundation is on top of a hierarchy of Certification Authorities (CA) that delivers digital certificates.
The specificity of OISTE among other recognized certification authorities lies in:
- Its character of not-for-profit foundation regulated by article 80 et seq. of the Swiss Civil Code
- Its character of organization in special consultative status with the Social and Economic Council of the UN (ECOSOC)
- Its belonging to the Not-for-Profit Operational Concerns (NPOC) constituency of the ICANN
- Its advocacy work on issues related to human rights in the digital space
The Mozilla Certification Authorities repertory (http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/) lists OISTE under WISeKey, which is the operator of OISTE’s cryptographic root.
Designed to overcome PKI obstacles – OISTE’s trust model
The OISTE Root CA operations and certification services provision are in constant evolution taking into consideration the technological and regulatory realities worldwide. The regulatory environment has been of great concern in recent years due to the fact that in many jurisdictions, regulators have sought to promote the development of electronic commerce by enacting rules intended to provide legal certainty for the use of electronic records and signatures. In doing so, the drafting methods have varied from detailed rules on the technology or technological implementations to be deemed legally valid, to general technology-neutral rules dependent on the fulfilment of specific conditions for the satisfaction of legal requirements. This has resulted in a patchwork of regulatory approaches and acceptable technology standards that create the potential for unnecessary obstacles to the development of electronic commerce and the use of electronic media in general.
OISTE is deploying its PKI in a jurisdictionally fragmented manner allowing, to the extent possible, for each certification service provider to adapt to local regulations while maintaining minimum common high-security requirements that must be complied with across the OISTE PKI worldwide. The local certification service providers that form part of the OISTE PKI are, where possible, chosen by taking into consideration their position as trusted entities in the provision of more traditional roles within their respective communities. In addition to this, OISTE pursues to model its certification practices and policies in accordance with emerging international standards and guidelines and thus leveraging the local and international developments.
Who are you in the Internet?
- The end user
- an IP number (IP for Internet Protocol – learn more about it at www.myipnumber.com)
- a logged in subject
- a signed-in person
- a user name
- a pass-worded individual (most likely, with multiple passwords, most of them weak and a lot forgotten)
- a mail box address (or several e-mail addresses)
- a PIN enabled user (PIN for Personal Identification Number)
- the ultimate receiver
Identity is context dependent
Our identity or the identity of others, which is an issue with deep and complicated philosophical and psychological connotations, is dealt with in our physical world in a relatively simplistic fashion: it is a civil matter, ruled by law.
Identity as a human right
International legal instruments, such as the Convention on the Rights of the Child state that … “The child shall be registered immediately after birth and shall have the right from birth to a name (article 7) … “States Parties undertake to respect the right of the child to preserve his or her identity, including nationality, name and family relations as recognized by law without unlawful interference” (article 8).
The Universal Declaration of Human Rights states that…. “Everyone has the right to recognition everywhere as a person before the law (article 6). In other words, each individual has a distinctive identity, first and above all, as a subject of law.
In fact, our physical world is segmented as per people’s legal identity. If you are a child, there are attributions and limitations. If you are a teenager, the law frames your rights, duties and obligations. Whilst in cyberspace, “nobody knows that you are a dog” .
300 billion -the cost of missing the opportunity to entrench digital identity in Internet!
The Boston Consulting Group estimates that “two-thirds of the potential value generation of digital identity management – or Euro 440 billion in 2020 alone – is at risk if stakeholders fail to establish a trusted flow of personal data… To unlock the full value, organisations need to make the benefits of digital identity applications very clear to consumers. Just as importantly, they need to embrace the new digital identity paradigm: It starts with responsibility”… pg 17. See the full report… http://www.libertyglobal.com/PDF/public-policy/The-Value-of-Our-Digital-Identity.pdf