Digital Identity

Digital Identity, the last frontier of the Internet

Digital identity is a complex, critical and unresolved issue in the digital world. Internet security and the enforcement of the right to privacy depend largely on it.

For a wide range of purposes, the Internet functions as a space where individuals can assert their own identity, remain anonymous or use pseudonyms, without being obliged to use their real, civil identity in the presence of a third party that validates it.

In fact, the notion of digital identity is obscure. The Boston Consulting Group, in a recent study (The Value of Our Digital Identity), provides this definition: “… all the bits and pieces of information about us that are readily and increasingly available in digital form; data that is collected and analyzed to create a surprisingly accurate, and ever-improving, picture of who we are, what we do, what we like (and what we dislike too)”, adding: “irrespective of its degree of validity, its form and its accessibility…”.

However, the aggregation of personal data, part of which is confidential and private, does not constitute a proof of identity in a legal sense. In practice, “personal data management” is confused with “digital identity”, and here lies a large and complex issue with many practical consequences in our daily lives, as explained in the “Data Protection” and “Third Trusted Parties” sections of this website.

The focus of the OISTE Foundation is pure identity, more specifically: certified digital identity.

Technical infrastructure

A secure, verifiable, authenticated, legally valid digital identity requires a set of hardware, software, people, policies and procedures whose aim is to create trust in electronic transactions and communications. Data confidentiality, data integrity, authentication, and non-repudiation are the end results of a series of operations that take place within a public key infrastructure (PKI). At its base, a PKI is a mathematical tool (see cryptography) that allows a “protected” exchange of information, one that cannot be tampered with, between two or more entities (people and/or objects). The goal is to guarantee that the two end points of the communication are who they claim to be from a legal point of view. When this happens, digital certificates are exchanged. In other words, a digital certificate contains a legal guarantee that the identity is reliable.

The OISTE Foundation owns a cryptographic root upon which a public key infrastructure (PKI) is operated. The OISTE Foundation sits at the top of a hierarchy of Certification Authorities (CAs) that issue digital certificates.

The specificity of OISTE among other recognized certification authorities lies in:

  • Its status as a not-for-profit foundation regulated by article 80 et seq. of the Swiss Civil Code
  • Its status as an organization in special consultative status with the Social and Economic Council of the UN (ECOSOC)
  • Its membership in the Not-for-Profit Operational Concerns (NPOC) constituency of ICANN
  • Its membership of the International Telecommunication Union (ITU), holder of the X.509 technical standard on digital certification
  • Its advocacy work on issues related to human rights in the digital space
  • Its activism in the fight against illicit trade and counterfeiting

The Mozilla Certification Authorities repertory (http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/) lists OISTE under WISeKey, which is the operator of OISTE’s cryptographic root.

A secure personal identity using a trusted third party – test it!

Click the link below if you want to test a free digital identity using the OISTE root of trust operated by WISeKey:

https://account.wiseid.com/

Designed to overcome PKI obstacles – OISTE’s trust model

The OISTE Root CA operations and certification services provision are in constant evolution taking into consideration the technological and regulatory realities worldwide. The regulatory environment has been of great concern in recent years due to the fact that in many jurisdictions, regulators have sought to promote the development of electronic commerce by enacting rules intended to provide legal certainty for the use of electronic records and signatures. In doing so, the drafting methods have varied from detailed rules on the technology or technological implementations to be deemed legally valid, to general technology-neutral rules dependent on the fulfilment of specific conditions for the satisfaction of legal requirements. This has resulted in a patchwork of regulatory approaches and acceptable technology standards that create the potential for unnecessary obstacles to the development of electronic commerce and the use of electronic media in general.

OISTE is deploying its PKI in a jurisdictionally fragmented manner, allowing each certification service provider, to the extent possible, to adapt to local regulations while maintaining minimum common high-security requirements that must be complied with across the OISTE PKI worldwide. The local certification service providers that form part of the OISTE PKI are, where possible, chosen by taking into consideration their position as trusted entities in the provision of more traditional roles within their respective communities. In addition, OISTE seeks to model its certification practices and policies in accordance with emerging international standards and guidelines, thus leveraging local and international developments.

Who are you on the Internet?

  • The end user
  • An IP number: IP for Internet Protocol – learn more about it at http://www.myipnumber.com/
  • A logged in subject
  • A signed-in person
  • A username
  • A pass-worded individual (most likely, with multiple passwords, most of them weak and a lot forgotten)
  • A mail box address (or several e-mail addresses)
  • A PIN enabled user (PIN for Personal Identification Number)
  • The ultimate receiver
  • The victim of a hack attack
  • The victim of phishing
  • A surveyed user
  • The victim of an identity theft
  • A tracked consumer

Identity is context dependent

Our identity or the identity of others, which is an issue with deep and complicated philosophical and psychological connotations, is dealt with in our physical world in a relatively simplistic fashion: it is a civil matter, ruled by law.

Identity as a human right

International legal instruments, such as the Convention on the Rights of the Child, state that “The child shall be registered immediately after birth and shall have the right from birth to a name…” (article 7) and that “States Parties undertake to respect the right of the child to preserve his or her identity, including nationality, name and family relations as recognized by law without unlawful interference” (article 8).

The Universal Declaration of Human Rights states that “Everyone has the right to recognition everywhere as a person before the law” (article 6). In other words, each individual has a distinctive identity, first and above all, as a subject of law.

In fact, our physical world is segmented according to people’s legal identity. If you are a child, there are attributions and limitations. If you are a teenager, the law frames your rights, duties and obligations. In cyberspace, by contrast, “nobody knows that you are a dog”[1].

300 billion – the cost of missing the opportunity to entrench digital identity in the Internet!

The Boston Consulting Group estimates that “two-thirds of the potential value generation of digital identity management – or Euro 440 billion in 2020 alone – is at risk if stakeholders fail to establish a trusted flow of personal data… To unlock the full value, organisations need to make the benefits of digital identity applications very clear to consumers. Just as importantly, they need to embrace the new digital identity paradigm: It starts with responsibility”.

[1] Famous caption of a cartoon by Peter Steiner, The New Yorker, July 5, 1993 (Vol. 69 (LXIX), no. 20).