Tuesday, April 4, 2023

Digital Credentials

The Organization for Economic Co-operation and Development (OECD) is seeking feedback on a recently published draft of guidelines for digital credentials.  The guidelines are intended to make digital credentials widely acceptable and accepted, even across national borders, for example a digital passport.  https://www.nfcw.com/2023/03/28/382786/oecd-seeks-feedback-on-digital-identity-recommendations/

Let me start by noting that this is not a proposal for a single or national credential.  I have always feared such a credential because it could be used by an authoritarian regime to control, or even restrict, rights to, for example, work, travel, healthcare, education, or food, clothing, and shelter.  Rather, I have always preferred a pluralistic system with multiple issuing authorities, granting different, if limited, privileges and employing different criteria for the granting of the credential.  

In today's world, if one wants to recognize and authenticate a stranger, one might well use a driver's license, issued by the state in which the person resides and including an image, date of birth, and a name and address, and a credit card issued by a bank.  Two credentials issued by different authorities in the same name.  Similarly, one might use a driver's license and a passport.  

For example, in my Apple digital wallet I have ten different credentials issued by ten different authorities.  Most are merely digital copies of physical credentials. All of these can be identified visually, though some relevant information may be hidden for reasons of security and privacy.  For example, on debit and credit cards, part of the Primary Account Number (PAN) may be hidden.  Most can be read digitally by means of NFC and/or QR tags.  

At the time of this writing, residents of three states can include their driver's license in their Apple Wallet.  Three more states issue their own electronic licenses.  Note that a policeman presented with an electronic license will be able to automatically verify it, check its currency, and check for any outstanding "wants or warrants," in real time.  

In a different "wallet app" I have nine digital images, front and back, of card credentials, only one of which is also in my Apple Wallet.  These credentials can only be read visually, but nothing is hidden.  

In a folder in Dropbox I have digital images of twenty credential documents issued to me by various authorities, beginning with my birth certificate and including my social security card, my high school diploma, my college degree, my record of military service, and my passport.  While any one of these might be a forgery or fraudulently obtained, collectively they reliably document everything significant about my identity.  Of course, the only identifying information that all these documents share in common is my name.

These documents are recorded in the Portable Document Format, that is, as PDFs.  A PDF file, ISO Standard 32000, preserves text, fonts, format, vector graphics, raster images, color, and even discoloration, all properties of the original useful in authenticating the copy and resisting forgery.  Even the Internal Revenue Service (IRS) accepts PDFs as authentic.  

Which brings up the issue of a unique identifier.  A few of us enjoy a unique name, one that we share with no one else, but most of us share even our full name with others.  This is the problem which the Social Security Number solved.  Modern information technology does not need it to uniquely identify us, but it remains useful as a tie breaker when other identifiers result in a collision.  

What and how much information does it take to uniquely identify us?  First, our name, place of birth, and date of birth uniquely identify us.  No one else born on your birthday in the same place as you were was given the same name as you.  Similarly, name and address are unique; no one else with your full name lives where you do.  While there were a few errors of assignment in the early days, the ten digits of the SSN are sufficient, not only to give one to each of us but also to include a little information about where it was assigned.  Though collisions are possible, it is likely that there is no one else living in your postal code with the same birth date as you.  Similarly, the last four digits of your SSN will distinguish you from all those others that might share your name.  

Now if you clicked on the link at the start of this post, you know the properties of electronic credentials that the OECD thinks are valuable.  I have a different list.  By definition they are for paperless credentials.  

One starts with wanting the credentials to be readable, first visually but also electronically.  Visually because that is how we have always reconciled credentials and electronically for convenience in exchange with those who wish to rely on or verify the credential.  Most mobile computers, i.e., phones, can read a QR tag.  A tag might contain the unique number of the credential, for example a license number or account number, or it might contain a link (URL) to a copy of the credential.  

One would want the credential to be portable across wallets or devices.  This might be by means of purpose-built apps or by more general and flexible capabilities such as URLs, SMS, or e-mail.  Many digital objects have a "share" button to make portability both convenient and flexible.  One might want a copy on paper, a desktop or laptop, a digital wallet, "wearables" like watches or rings, or in the cloud.  Similarly, one would like the credential to be authentic and easily verified.  Note that one accepting a digital credential may be interested in both its currency as well as its authenticity; online, real-time access to the issuer's database will always be useful and in some applications necessary.  

We are very close.  Form, use, and acceptance are becoming routine.  I have paid for dinner with my American Express Card by clicking on a QR tag on the check.  I have also paid with the image of my card in the wallet on my iPhone, giving the iPhone to the waiter just as I would have given the physical card.  The image of the card was accepted without question or comment.  Similarly, I voted using the image of my driver's license, again accepted without question or comment.  I recently boarded a train using an electronic ticket.  The ticket included a QR tag to be read by the conductor's mobile.  It demonstrated that I had a reservation and had paid for a particular seat on a specific train.  While I might have printed out a paper copy, and some travelers were using one, the conductor checked all using the QR tag, paper or digital.  

The key to all of this is reliable, routine, convenient, and universal acceptance.  Note that in the example scenarios above, one might have been embarrassed if the digital credential had not been accepted.  We need maturity and standards, to include those that we already have like PDF, QR, NFC, and SMS, as well as those proposed by the OECD.

Finally, a word about privacy and security.  Trust and acceptance will rely at least in part upon those mechanisms that resist both forgery and misuse as well as those that resist application fraud.  

While the PDF standard preserves many of the properties that resisted forgery in the traditional credentials, it does not preserve them all.  For example, it does not preserve texture and materials such as we use to resist counterfeit currency.  On the other hand, digital implementations give us the ability to use cryptographic mechanisms such as hashes and digital signatures.  We already have experience using these mechanisms in such applications as code signing and digital currency.  While so far, in these early applications, we have not seen instances of forgery, we know how to address them should the properties preserved by the PDF standard prove inadequate.  
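As an added illustration (not part of the original post) of the two checks described above, authenticity through an issuer's digital signature and currency through a lookup against the issuer's records, here is a small Go example.  The Credential format, the "Example DMV" issuer, and the revocation list are constructed for the example; any real scheme would define its own canonical encoding and lookup protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Credential is a constructed, hypothetical record (not any real issuer's
// format). Fixed field order makes json.Marshal a canonical encoding to sign.
type Credential struct {
	Issuer  string `json:"issuer"`
	Number  string `json:"number"` // the unique number a QR tag might carry
	Name    string `json:"name"`
	DOB     string `json:"dob"`
	Expires string `json:"expires"` // YYYY-MM-DD
}

// Signed pairs the credential with the issuer's detached Ed25519 signature.
type Signed struct {
	Cred Credential
	Sig  []byte
}

// Issue signs the canonical encoding with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Credential) Signed {
	msg, _ := json.Marshal(c)
	return Signed{Cred: c, Sig: ed25519.Sign(priv, msg)}
}

// Verify answers the relying party's two questions: authentic (signature valid
// under the issuer's public key) and current (unexpired and not in the issuer's
// revocation list, which stands in for the real-time database lookup).
func Verify(s Signed, pub ed25519.PublicKey, revoked map[string]bool, now time.Time) (authentic, current bool) {
	msg, _ := json.Marshal(s.Cred)
	authentic = ed25519.Verify(pub, msg, s.Sig)
	exp, err := time.Parse("2006-01-02", s.Cred.Expires)
	current = err == nil && now.Before(exp) && !revoked[s.Cred.Number]
	return authentic, current
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := Credential{"Example DMV", "D1234567", "Jane Q. Public", "1980-05-17", "2027-05-17"}
	now := time.Date(2023, 4, 4, 0, 0, 0, 0, time.UTC)
	s := Issue(priv, c)
	fmt.Println(Verify(s, pub, nil, now)) // true true
	s.Cred.DOB = "1990-05-17"             // altering one field breaks authenticity
	fmt.Println(Verify(s, pub, nil, now)) // false true
	fmt.Println(Verify(Issue(priv, c), pub, map[string]bool{"D1234567": true}, now)) // true false
}
```

The signature covers the whole record, so a relying party that only checks the signature still needs the issuer lookup to learn that a genuine credential has been revoked.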

We will resist misuse by controlling access to the credentials using secure digital wallets, strong authentication, and biometrics.  To misuse the copies of my American Express one must first possess the copies and meet any conditions for their use such as biometrics or PINs implemented in the device in which they are stored, e.g., mobile phone or cloud storage.  We can also lock the credential to the device so as to resist "screen scraping."  

Finally, trust in credentials, digital or otherwise, will depend in part upon the issuing authority, representations made by the authority, and the rigor with which the authority issues the credential.  Having already told you more about this subject than you likely wanted to know and more than I intended when I began to write, I will defer that discussion to a later post.