Indirect Identity Control: delegation, guardianship, and controllership – Daniel Hardman

Daniel Hardman, Chief Architect, Evernym / Secretary, Technical Governance Board – Sovrin Foundation, will compare and contrast three forms of indirect identity control that have much in common and that should be explored together: delegation, guardianship, and controllership. Daniel will recommend mechanisms that allow identity technology to model each with flexibility, precision, and safety. These recommendations can be applied to many decentralized identity and credentialing ecosystems. Daniel has been a software engineer, architect, and dev leader for a quarter century, much of it intersecting with the fields of cybersecurity and digital identity. He developed the original specs for Hyperledger Indy’s SDK, and has contributed code or guidance to most of the Indy codebases. He writes regularly on identity topics. He’s also worked in machine learning/AI, supercomputers, public and private cloud, big data, SaaS, and enterprise software, and he’s founded and sold a dot com. He has graduate degrees in computational linguistics and business. He currently serves as the secretary for the Technical Governance Board of the Sovrin Foundation.
  • 1. Indirect Identity Control: delegation, guardianship, and controllership. Daniel Hardman, July 2019 · CC BY-SA 4.0 International. Theme: Silvia, by
  • 2. SSIMeetup objectives (Alex Preukschat, @SSIMeetup / @AlexPreukschat, Coordinating Node):
    1. Empower global SSI communities
    2. Open to everyone interested in SSI
    3. All content is shared with CC BY-SA
  • 3. Sources
    ● These slides:
    ● Indirect Identity Control RFC:
    ● Appendix C of Sovrin Glossary:
    ● Sovrin Guardianship Task Force:
  • 4. Guardianship, delegation, controllership. See Appendix C of the Sovrin Glossary:
  • 6. Delegation. A corporation is governed by a Board of Directors, executives, and employees with multiple levels of delegated authority. The control relationships are dynamic and complex.
  • 7. Guardianship. Parents typically manage the identities of their young children. Adult children may need to exercise the identity of a parent with dementia, or of a parent who recently passed away.
  • 8. Controllership. A self-driving car may be capable of many independent actions, but behind such a smart device must be a human entity that takes legal responsibility. A pet needs a proxy because it can’t be self-sovereign.
  • 9. Personas (see “Persona and User Stories” at Formal Work on Use Cases):
    ◦ Mya (orphan girl in refugee camp)
    ◦ Patrick (father with family after hurricane destroys home; no digital access)
    ◦ Tom (homeless, mentally ill, drug addict)
    ◦ Gayle (elderly, has moderate autonomy, needs digital assistance)
    ◦ Sofia (trail runner disappears in the mountains)
    ◦ Rover (pet dog)
    ◦ Unprofitable, Inc (company in receivership)
    ◦ Hertz and Dave (rents car, gets delegated authority)
  • 10. Guardianship: internal risk is pivotal. In SSI, risk mostly comes from external attacks. But guardianship isn’t self-sovereign, by definition. Guardians are an internal risk to dependents who can’t manage keys or advocate/defend. Pure crypto and cybersecurity don’t prevent abuse. Protections must come from elsewhere.
  • 11. Moments of risk
    ◦ When a transition happens
      ◦ Should it be happening now?
      ◦ Are the right people giving and getting the baton?
      ◦ Are the conditions, limits, and safeguards understood, evaluated, and honored?
    ◦ When a constraint needs to be enforced
      ◦ Is there a limit on the time, place, or circumstances of guardianship?
    ◦ When stakes are high
    Risk exists constantly; these are just hot spots. Small, incremental actions away from these hot spots can change the evaluation at key moments.
  • 12. Who appoints a guardian
    1. Dependent (“while I’m unconscious during surgery, Alice is my guardian”)
    2. Legal authority (court makes adult child a guardian for their parent with Alzheimer’s)
    3. Self (girl wanders from jungle into refugee camp; lacking options, camp appoints itself)
    4. Circumstances (parent or pet owner; implicit)
    These methods do not carry equal trust, and they are not equally formal.
  • 13. Evaluating conflicting guardianship assertions. Deciding who is the “proper” guardian requires human judgment. The process may use credentials, but that’s not all it will use.
    NGO: “I’m the guardian of Mya. Here’s my self-attested guardian cred.”
    Fim (dad?): “No, I’m the guardian of Mya. Here’s Mya’s birth cert with my name on it.”
    Ana (mom?): “No, I’m the guardian of Mya. Here’s Mya’s ration card with her photo.”
    Court: “No, Ana is the guardian of Mya. Fim’s parental rights were terminated.”
    Sometimes the proper guardian isn’t available, so we choose the best available alternative.
  • 14. Limits on guardians
    1. Time (for what period(s) guardian has that status)
    2. Place (in what physical or virtual locations guardian is valid)
    3. Function (legal vs. medical vs. educational)
    4. Circumstances (for particular event(s))
    5. Biometrics (for dependent involvement)
    6. Relationships (who guardian can connect to)
    7. Attributes (data/credentials -- what guardian can prove)
    8. Agents (what software/devices guardian can use)
    9. Cooperation (with joint approval)
    10. Oversight (audit trail, reporting)
  • 15. “All of these forms of identity control share the issue of indirectness. All of them introduce risks beyond the ones that dominate in direct identity management. All of them complicate information flows and behavior. And they are inter-related; guardians and controllers often need to delegate, delegates may become controllers, and so forth. The solutions for each ought to have much in common, too.”
  • 16. Common Solution Elements
    ◦ A proxy trust framework that specifies the rules and conventions in force for a particular class of indirect identity control use cases.
    ◦ A proxy credential that binds a controlled entity to its proxy and clarifies the nature and limits of the control for that specific relationship.
    ◦ A proxy challenge that evaluates the proxy credential in a particular context, proving or disproving the legitimacy of indirect control and creating opportunities for auditing and enforcement.
  • 17. Questions a trust framework answers
    ◦ What is its formal name and version?
    ◦ In what geos and legal jurisdictions is it valid?
    ◦ What are required or recommended behaviors, and how are they enforced?
    ◦ On what bases are proxies appointed? kinship, court_order, self_assigned...
    ◦ What are possible permissions of a proxy? financial, medical, travel, relationships, admin...
    ◦ What are possible constraints on a proxy’s scope? geo_radius, jurisdiction, biometric_freshness...
    ◦ What auditing mechanisms are required or supported?
    ◦ What appeal mechanisms are required or supported?
    ◦ What proxy challenge procedures are best practice?
    ◦ What freshness rules are used for offline mode?
    ⇨ Example at
  • 18. Preparing to issue a proxy credential
    ◦ Dependent: answers to name Mya; gender: female; birthdate: 2014-01-01; identifying marks: birthmark left shoulder, long scar above left wrist
    ◦ Guardian 1: answers to name Zo; gender: female; birthdate: 1953-01-01; identifying marks: arthritis, misshapen knuckles, both hands
  • 19. UNICEF’s credential …(metadata not shown)…
    ◦ trustFramework, auditURI, appealURI: (values not shown on the slide)
    ◦ credentialSubject.holder: basisURI (not shown); role: camp; name: UNICEF; birthDate, gender, identifyingMarks, photo: <blank>
    ◦ credentialSubject.constraints: boundaries: “Lotus” camp; circumstances: until resettled
    ◦ credentialSubject.proxied: name: Mya; birthDate: 2014-01-01; gender: F; identifyingMarks: birthmark left shoulder, long scar above left wrist; photo (not shown)
    ◦ credentialSubject.permissions: {"grant": ["medical", "school", "food"], "when": {"roles": "kin"}}, {"grant": ["school", "food", "delegate"], "when": {"roles": "camp"}}, {"grant": ["unenroll", "travel"], "when": {"n": 2, "roles": ["kin", "camp"]}}
  • 20. Grandma’s credential …(metadata not shown)…
    ◦ trustFramework, auditURI, appealURI: (values not shown on the slide)
    ◦ credentialSubject.holder: basisURI (not shown); role: kin; name: Zo; birthDate: 1953-01-01; gender: F; identifyingMarks: arthritis, misshapen knuckles, both hands; photo: <blank>
    ◦ credentialSubject.constraints: <blank> (same as UNICEF’s)
    ◦ credentialSubject.proxied: name: Mya; birthDate: 2014-01-01; gender: F; identifyingMarks: birthmark left shoulder, long scar above left wrist
    ◦ credentialSubject.permissions: {"let": "kin", "do": ["medical", "school", "food"]}, {"let": "camp", "do": ["school", "food", "delegate"]}, {"let": {"n": 2, "of": ["kin", "camp"]}, "do": ["unenroll", "travel"]}
  • 21. Proxy Challenge (food tent)
    ◦ Dependent: answers to name Mya ✔; gender female ✔; age about 6 ✔; looks like this? ✔ (Show more ways to check...)
    ◦ Guardian: answers to name Zo ✔; gender female ✔; looks like this? ✔ (Show more ways to check...)
    ◦ Has ‘food’ permission for dependent ✔
    ◦ No constraints ✔
  • 22. Proxy Challenge (travel)
    ◦ Dependent: answers to name Ri ✔; gender female ✔; age about 6 ✔; looks like this? ✔ (Show more ways to check...)
    ◦ Guardian: answers to name Kapa ✔; gender female ✔; looks like this? ✔ (Show more ways to check...)
    ◦ Has ‘travel’ permission for dependent ✘ — only when acting jointly with another guardian with role “camp”: Add guardian...
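As an added worked example (not code from the slides, Sovrin, or Hyperledger Indy), the proxy challenges of slides 21 and 22 evaluated against the let/do permission rules of slide 20. The credential values are constructed, and reading an n-of threshold as n present guardians with distinct roles is this example's assumption.

```python
from typing import Any, Dict, Iterable, Set, Tuple

# Constructed credential in the shape of the slides' Grandma/UNICEF credential;
# the field names follow the slides, the values are made up for this example.
MYA_CRED: Dict[str, Any] = {
    "credentialSubject": {
        "holder": {"role": "kin", "name": "Zo"},
        "proxied": {"name": "Mya", "birthDate": "2014-01-01"},
        "constraints": {"boundaries": "Lotus camp", "circumstances": "until resettled"},
        "permissions": [
            {"let": "kin", "do": ["medical", "school", "food"]},
            {"let": "camp", "do": ["school", "food", "delegate"]},
            {"let": {"n": 2, "of": ["kin", "camp"]}, "do": ["unenroll", "travel"]},
        ],
    }
}


def let_satisfied(let: Any, present_roles: Iterable[str]) -> bool:
    """A 'let' is either one role or an n-of-roles threshold. Assumption (from
    slide 22): a threshold needs n present guardians holding distinct roles."""
    roles = set(present_roles)
    if isinstance(let, str):
        return let in roles
    return len(roles & set(let["of"])) >= int(let["n"])


def proxy_challenge(cred: Dict[str, Any], action: str, present_roles: Iterable[str],
                    location: str, circumstances_hold: Set[str]) -> Tuple[bool, str]:
    """Decide whether the guardians present may do `action` for the dependent.
    present_roles: role of each guardian present, the holder's own role included.
    circumstances_hold: conditions the verifier has confirmed are still true."""
    present = list(present_roles)
    subj = cred["credentialSubject"]
    cons = subj.get("constraints", {})
    # Constraints are checked before permissions: a credential used outside its
    # boundaries or after its circumstances lapse grants nothing at all.
    if cons.get("boundaries") and cons["boundaries"] != location:
        return False, f"outside boundary {cons['boundaries']!r}"
    if cons.get("circumstances") and cons["circumstances"] not in circumstances_hold:
        return False, f"circumstance {cons['circumstances']!r} no longer holds"
    if subj["holder"]["role"] not in present:
        return False, "credential holder is not among the guardians present"
    for rule in subj["permissions"]:
        if action in rule["do"] and let_satisfied(rule["let"], present):
            return True, f"granted by rule let={rule['let']!r}"
    return False, f"no rule grants {action!r} to roles {sorted(set(present))}"
```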
  • 23. Questions?
    ● These slides:
    ● Indirect Identity Control RFC:
    ● Appendix C of Sovrin Glossary:
    ● Sovrin Guardianship Task Force:
    ● @danielhardman on
  • 24. Appendix
  • 25. Transparent vs. opaque guardians
    Transparent
    ◦ Guardian is obvious in all or most interactions.
    ◦ May be necessary to improve safety.
    ◦ Easy to audit.
    ◦ Less private for dependent and for guardian.
    Examples: Rover (pet). Unprofitable, Inc. Law firm resolving affairs of someone recently deceased. Talent agent for child pop star.
    Opaque
    ◦ Guardian impersonates dependent.
    ◦ May be necessary to prevent discrimination and hassle.
    ◦ Riskier to dependent and relying parties. Limited auditability.
    ◦ More private for dependent and for guardian.
    Examples: Gayle (digital assistance). Parent gives adult child password, asks them to transfer funds on their death to avoid probate court.
  • 26. Modes of Guardianship
    ◦ Holding-based: Dependent doesn’t have DIDs or a link secret, but credentials about the dependent are held by the guardian. Guaranteed to be transparent because subject of credential is never the holder.
    ◦ Impersonation-based: Dependent has a link secret that guardian knows. Credentials can be issued where dependent = subject, but creds are held by guardian. DIDs and DID Docs can be created by guardian using dependent’s link secret. Opaque unless forced into transparency.
    ◦ Doc-based: Guardianship declared in DID Doc to force transparency.
  • 27. Holding-Based Guardianship
    ◦ Exists implicitly (parent holding a birth certificate, owner holding pet license)
    ◦ Can be supplemented with an explicit guardianship credential
    ◦ Guardianship challenge can be answered with either explicit or implicit proof
    ◦ Diffuse trust may be partly forced (e.g., both parents must consent)
    ◦ Implicit creds as a basis introduce revocation problems
      ◦ Birth certificate may not be revoked if parental rights are terminated
      ◦ Pet license may not be revoked when dog is sold
  • 28. Impersonation-based Guardianship
    ◦ Can be supplemented with an explicit guardianship credential
    ◦ Age proofs can force a guardian to break impersonation and share this - improves safety!
    ◦ So can biometrics
    ◦ Not dangerous for controllership or delegation
    ◦ Adult dependents without biometrics have no real protections
    ◦ Revocation is a problem -- must be done in every relationship
    ◦ Use agent authz policy to prevent new relationships from forming?
    Easy and doable today. Dangerous. Safeguards may need to be much higher in trust framework (frequent challenges, biometrics required, etc.)
  • 29. Doc-Based Guardianship. DID Doc for dependent declares a key that belongs to guardian and says, “Do guardianship challenge to evaluate authorization.” DID Doc of Dependent: { "authorization": [ {"let": "#1", "do": "cred"} ] } — do a guardianship challenge to find out what they can do. Issue: must be done in every DID Doc (good and bad).
  • 30. Guardians often need to delegate
    ◦ Red Cross delegates work, some decisions for Mya to 1+ aid workers
    ◦ Parent delegates to babysitter while they’re out of town
    ◦ Mom delegates digital assistance for grandma to teen
    Solution: delegatable credentials
  • 31. Offline operation
    ◦ Cached versions of trust framework and well-known schemas, cred defs, issuers
    ◦ How fresh is guardianship challenge?
    ◦ Evaluate conflicting guardianship assertions without appeal or research
    ◦ Save up audit reports for batch upload later
    ◦ Freshness of DID Doc knowledge
  • 32. Revoking guardianship. Revoking a guardianship cred can be done today, quickly and efficiently. It won’t be detected until the next guardianship challenge.
  • 33. Basis
    ◦ Basis for controllership could include:
      ◦ ownership
      ◦ delegation from owner
      ◦ court-appointed
    ◦ Basis for delegation is always someone who is in control:
      ◦ Identity owner
      ◦ Controller
      ◦ Guardian
      ◦ Delegate
  • 34. Delegatable Credentials. Hertz, Inc owns a car and, on the basis of that ownership, is its controller. It delegates limited controllership to a local Hertz franchise. Fred rents the car and receives a delegated credential to control it in a more limited fashion. Fred drives the car to a fancy restaurant and delegates even more limited controllership to valet parking.
    Hertz Inc ⇶ franchise ⇉ Fred → valet
    Each cred contains pre-proof of delegation. Validating requires checking revocation status for each link on the ledger, but no coordination among delegates.
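An added example (not the slides' or Hyperledger Indy's code) of validating the Hertz → franchise → Fred → valet chain the way slide 34 describes: each link is checked only against its predecessor plus a revocation lookup, with no coordination among delegates. The credential ids, DIDs, permission names and the revocation set are all constructed stand-ins.

```python
from typing import Dict, List, Set, Tuple

# Constructed revocation registry standing in for the per-link ledger lookup the
# slide calls for; the credential ids and DIDs below are made up for this example.
REVOKED: Set[str] = {"cred-valet-old"}

# Constructed delegation chain: Hertz Inc (controller by ownership) delegates to a
# franchise, which delegates to Fred, who delegates to the valet. Each credential is
# issued by the previous holder and carries the permissions it passes on.
CHAIN: List[Dict] = [
    {"id": "cred-hertz", "issuer": "hertz-inc", "holder": "hertz-inc", "basis": "ownership",
     "permissions": {"drive", "refuel", "service", "delegate"}},
    {"id": "cred-franchise", "issuer": "hertz-inc", "holder": "franchise-17",
     "basis": "delegation", "permissions": {"drive", "refuel", "delegate"}},
    {"id": "cred-fred", "issuer": "franchise-17", "holder": "fred",
     "basis": "delegation", "permissions": {"drive", "refuel", "delegate"}},
    {"id": "cred-valet", "issuer": "fred", "holder": "valet-7",
     "basis": "delegation", "permissions": {"drive"}},
]


def validate_chain(chain: List[Dict], action: str,
                   revoked: Set[str] = REVOKED) -> Tuple[bool, str]:
    """Walk the chain root-first. No coordination among delegates is needed:
    each link is checked only against its predecessor and the revocation set."""
    if not chain or chain[0]["basis"] != "ownership":
        return False, "root credential must establish controllership by ownership"
    for i, cred in enumerate(chain):
        if cred["id"] in revoked:          # every link, not just the leaf
            return False, f"{cred['id']} is revoked"
        if i == 0:
            continue
        parent = chain[i - 1]
        if cred["issuer"] != parent["holder"]:
            return False, f"{cred['id']} was not issued by the previous holder"
        if "delegate" not in parent["permissions"]:
            return False, f"{parent['id']} does not permit further delegation"
        if not cred["permissions"] <= parent["permissions"]:
            return False, f"{cred['id']} claims more than {parent['id']} holds"
    leaf = chain[-1]
    if action not in leaf["permissions"]:
        return False, f"{leaf['holder']} lacks {action!r}"
    return True, f"{leaf['holder']} may {action!r} via {len(chain) - 1} delegation(s)"
```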