Self-Sovereign ID Tech Is Being Advanced By Security Failures, Privacy Breaches

Lucas123 writes: There is a growing movement among fintech companies, banks, healthcare services, universities and others toward disintermediating the control of online user identities in favor of supporting end-user controlled decentralized digital wallets based on P2P blockchain. Self-sovereign identity (SSI) is a term used to describe the digital movement that recognizes an individual should own and control their identity without intervening administrative authorities. The wallets would carry encryption keys provided by third parties and could be used to digitally sign transactions or provide access to verifying information, everything from bank-issued credit lines to diplomas -- all of which are controlled by the user through public key infrastructure (PKI). The blockchain ledger and PKI technology is hidden behind user-friendly mobile applications. Currently, there are more proof-of-concept projects than production systems involving a small number of organizations. The pilots, being trialed in government, financial services, insurance, healthcare, energy and manufacturing, don't yet amount to an entire ecosystem, but they will grow over the next few years, according to Gartner.

SQRL

[Mike Van Pelt]

SQRL looks promising -- Web sites you log in to have no secrets to keep, at least, as regards your login credentials.

And there is *no* central authority handing out identities or keys or any such thing.

Re:

[Mike Van Pelt]

... and no blockchain. ("Bury it in the desert. Wear gloves.")

Re:

[rmdingler]

... and no blockchain. ("Bury it in the desert. Wear gloves.")

And for the sake of Jesús Malverde, leave your subscription cell phone at home.

Re:

[Lucas123]

... and no blockchain. ("Bury it in the desert. Wear gloves.")

Separate from cryptocurrencies, which are an app running on top of blockchain, what is it specifically about blockchain you don't trust or think is flawed? I'd honestly like to know for my own edification. Thanks!

Re:

[Mike Van Pelt]

... and no blockchain. ("Bury it in the desert. Wear gloves.")

Separate from cryptocurrencies, which are an app running on top of blockchain, what is it specifically about blockchain you don't trust or think is flawed? I'd honestly like to know for my own edification. Thanks!

Partly it's just a reaction against the "Blockchain solves *EVERY* problem!" meme that's going around.

Mostly, it was a joke, reference to this XKCD : https://xkcd.com/2030/ [xkcd.com]

Re:

[arglebargle_xiv]

disintermediating the control of online user identities in favor of supporting end-user controlled decentralized digital wallets based on P2P blockchain. Self-sovereign identity (SSI)

Buzzy buzzy buzzword buzz buzz buzz bzzz...

Is this a case of algorithmic journalism, or just a really slow news day?

Re:

[Retired ICS]

That is bogus.

The website/authenticator has to maintain (1) your UserID and (2) a trap-door key. The user/client has to maintain (1) the website/server/realm for credential use (2) the userid and (3) the other trap-door key. *RSA is a common trap-door algorithm though there are others* This is not a "new" technology and it has been in use for at several decades, ever since "trap-door" cryptography was "discovered".

It does have the advantage that the security of the system is entirely and only dependent o

Re:

[Retired ICS]

No. The system has no resistance whatsoever to government (or third-party) attack.

Bitcoin wallets

[Dan East]

And just like bitcoin wallets, these will never, ever be stolen or compromised. And since there is no other central authority to intervene on your behalf, they can never be recovered or repossessed by the actual person. Nope, I don't see any problems at all rolling this out to your average "dumb" consumer.

Re:

[bickerdyke]

The difference is: if your wallet is stolen or compromised on or from your storage or computer, that's your fault.

If your user credentials are stolen because some start-up-hobbyist never heard of salted hashs for password storage, there is nothing you can do.

Re:

[SoftwareArtist]

If a malicious website exploits a zero day in your browser to install malware on your computer, that is not your fault. Even security experts sometimes get hacked, and most people aren't security experts. Consumer technology needs to work reliably for ordinary consumers.

If this is supposed to be another way for companies to blame the user and avoid responsibility for flaws in the technology they created, no thanks.

Re:

[cereusb]

Bitcoin is a poor comparison. A better comparison is your identity documents. You have a birth certificate, you have a passport. These documents you control and keep in your home. Someone, somewhere else doesn't keep them on your behalf.

If your wallet becomes compromised, just like in real life it sucks, but you re-apply to the issuing agencies and get new copies of your ID documents.

A bitcoin cannot be reissued.

Here is a good explainer https://bitsonblocks.net/2017/05/17/gentle-introduction-self-sovereign- [bitsonblocks.net]

Self-Sovereign

[rossdee]

Self - Sovereign ?

I never heard that phrase before, but it does seem like some title that the 45th President would use.

Bollocks

[Retired ICS]

What a load of buzzword laden bollocks from the masters of fraud, Gartner! Not even worth the electrons used to disseminate the babble of bullshit.

GnuPG

[ShoulderOfOrion]

It's been done. It's called PGP. It doesn't require blockchain. It does require consumers with a clue and businesses to give up vested monetary interests, which is why it isn't going to happen anytime soon.

Re:

[bickerdyke]

PGP is not a single-sign-on tool just because it is another application of asymmetric cryptography. (Like not everything blockchain is "bitcoin")

If you really want to compare it with something existing, then it's logging into a website or remote machine using private SSL user certificates.

Re:

[ShoulderOfOrion]

Not currently, but it could be used as one. The necessary infrastructure, from key generation to webs of trust to revocation etc are all there, and fees to 'trusted authorities' are not necessary. The important part is that--like private SSL certificates--control over the process is given to the USER and not the company running the server.

Re:

[bickerdyke]

Yes. But that's called PKI and mentioned already.

Same stuff that broke OSI?

[skovnymfe]

Is this the same thing that made Bruce Perens leave the OSI? https://news.slashdot.org/stor... [slashdot.org]

Time

[jythie]

Yeah.. the biggest problem I see with stuff like this is people are not thinking long term. When you look at banks and other long term record holders, there are reasons they keep systems going for decades and tend to rely on well tested and supported technologies.

Stuff like this? The consumer tech community assumes you are locked into a constant upgrade cycle, replacing cell phones every few years and moving from wiz-bang-api-v1 to wiz-bang-api-v2 on a similiar treadmill. Migration isn't an issue once o

Sovereign Citizens unite!

[goodminton]

If you need people to try it out I'm sure the Moorish Science Template of America will get on board... queue the "I'm not driving, I'm traveling" crowd in 3, 2, 1...

Encryption keys provided by who exactly?

[snowsnoot]

The wallets would carry encryption keys provided by third parties

Errrr, that doesn't sound very secure to me.

PKCS 12

[fulldecent]

PKCS #12 certificates already solves this problem, right?

Blockchain is a nice deluded idealism.

[BAReFO0t]

In reality, blockchain relies on a large set of non-colluding people to check each other for cheating.

And if Bitcoin (and TOR) taught us anything, that is a laughably unrrealistic delusion.

It is trivial for a powerful actor, to host the dominant majority, and force whatever they want to be reality.

The whole thing sounds like another installment of "socially incompetent people trying to solve social problems with unsocial mechanisms".

In this case: The problem of trust in a society too large for empathy. Wher