Pointer to article:
Hi. I’m back.
This research project puts me in mind of “assurance,” which is the ephemeral trust bedrock on which identity management infrastructures rely.
First, my core definition of “assurance”:
• Assurance: the ability of an entity to ascertain, resolve, and verify others’ identities in a fashion that is consistent with the entity risk profile, and to refrain from or repudiate interactions in which such verification is lacking
Fundamentally, assurance depends on three strong “bindings” that our IdM and trust infrastructures should enable:
• Strong binding of an application interaction session to a presented digital identity/credential(s)
• Strong binding of a digital identity/credential(s) to a private key
• Strong binding of a private key to a private embodiment of DNA (i.e., to an actual human being)
The great chain of assurance: It all comes down to ascertaining that the real McCoy is presenting their actual credentials, and that those credentials were issued to that individual subsequent to a registration, vetting, and proofing process designed to bind it all to their genome.
Their DNA, and/or the outward phenotypical expression thereof. I can’t underline this more emphatically. As I said in my recent Network World column “Identity theft threatens federation”:
• “In the face of never-ending identity thefts, the only way out of this downward spiral is to continue reissuing new credentials to affected users, but only after reputable agents have proofed those users to strong assurance, and only if the new credentials rely on biometrics for strong authentication.”
The great enemy of assurance is impersonation, in which someone/thing acquires enough of our identifiers, attributes, and/or credentials to impersonate us online and elsewhere; to loot our assets; to apply for new bogus credentials in our name; and to generally trash our credit ratings and our lives.
Perhaps the word “assurance” is too vague to go to heart of the problem. Where unseen others find it so easy to impersonate us, maybe the solution is for us to “personate” ourselves ever more strongly. The triad of strong authentication goes part way there: authenticating ourselves online with something we know, something we hold, and something we are. But what if someone impersonates us in order to acquire all of those “something” factors under the guise of them being us? What then?
Which brings me back to DNA, which is our “birth day credential” (or rather, conception moment credential, but first presented publicly on our birth day). Why do we take a baby’s footprint upon birth, but not their DNA print? Why aren’t DNA prints strongly bound to a digital master of our very first identifier: our birth certificate? Absent that, how can we know for sure whether the person claiming to be Jane Doris Doe for the purpose of applying for a credit card account is in fact the person who was born with a particular DNA print and assigned that name at birth (or assigned a name that they later changed to Jane Doris Doe, perhaps upon marriage or adoption)? If we can’t strongly bind a person’s human name to their DNA at birth, and bind each new name (legally changed) to their previous legal name, always anchoring it all in their birth day credential, then assurance is never strong.
And impersonation is a constant threat. Hence the specter of identity theft. Whether or not my DNA flows from a pool plenished by Vikings or beekeepers is an entirely separate issue. Lots of people have the same general mix of DNA sources as me.
But only I embody this particular swirling eddy in that genotypical tidal pool that is currently clattering these fingers on this keyboard. And that deoxyribonucleic whorl/whirl/swirl is my inalienable credential. Considering that it’s available to anybody who finds a single strand of hair that falls from my balding head, it’s as public as the photograph that accompanies my column.