So, what is behind
that assertion?
Blockchain is just a database – yes, it’s a special kind of database, with some
interesting properties around pseudo-privacy and provable immutability, but also
with some interesting issues as it’s a public ledger – more on that
later. But the bottom line is that I’m
with Vint Cerf on this one as my starting point for a debate.
Second: Blockchain does not
pass the "sniff" test for a global identity solution. It does not
pass the acid test of "will the Chinese use a US run solution or vice
versa". - remember - someone has to own, control, manage and upgrade the
model etc. even if its distributed. Global governments want to have a large
portion of control of the Identities (or more correctly Identity Attributes) that
matter to them, particularly around citizen attributes.
Third: The locus-of-control
problem - see Jericho Forum Commandment[i] #8 “Authentication, authorisation and accountability must
interoperate / exchange outside of your locus / area of control”. This is
the “we can only make it work if we control everything ourselves” – it’s the mentality
the security and identity industry has had for over half-a-century, whether it’s
“put it all into AD”, “everyone must have my product for it all to interoperate”,
or the “we can only make identity work if I run the central database” (look at
any government developed identity system).
This is really key, because it goes to trust and risk; how do you trust (or perform a risk calculation on) something you do not manage – and the reality is you generally don’t – you insist on doing your own identity proofing and creating an identity that YOU manage, in your identity system – which is why corporates end up with poorly managed contractors and third parties alongside (reasonably managed) staff identities; or governments end up creating dummy citizen identities so foreign nationals can pay tax.
Fourth: We've already seen the
need to fork bitcoin[ii], or Estonia (the poster child for state-mandated ID systems) who
found a security problem with its ID cards[iii] - can you imagine needing to do this for 7.5bn people (let
alone 20bn+ IoT devices).
Fifth: A truly distributed
blockchain cannot handle the growth or transaction rate for 30bn+ (and growing)
identities together with all their attributes. Think how many identity
transactions need to be carried out on a global scale - unless it’s a private
blockchain (but then go back and see the second problem above).
Sixth: Identity and attribute revocation
– once it’s on the blockchain, how do you revocate? - a total or binary revocation
is often unwanted; example my old passport even if expired (revoked) while I
cannot use it for border entry, it is still a government issued document with
my photo and (immutable) date-of-birth; depending on the risk-assessment by the
entity I assert it to, this may be perfectly adequate for proving my age. Conversely,
under GDPR “right to be forgotten”, how can I completely erase any trace of an
aspect (or persona) of my identity, when it’s stored on an immutable public ledger?
Seventh: Blockchain, or to
give it its full name “public distributed ledger” can have serious problems when
it comes to privacy, given its public and distributed nature. Any solution will
need to store SPI (sensitive personal information) and while I agree there are
technological measures to protect said attributes, often the very existence of
an attribute (but not its contents), or a reference to an external organisation
or system can lead to inferences being drawn. For example: a reference to a
particular ethnic group may result in an entity being arrested, targeted or
killed.
Eighth: Blockchain relies on
the always-on, or certainly the always-accessible, nature of its design. While
there are proposed solutions that allow a currency transaction to take place
between two off-line parties that is then later uploaded; the real-time verification
of a UK drivers’ licence in the mid-west USA where there is no Internet for
miles is a problem yet to be solved (or I suspect, even thought about) in the
blockchain world.
Ninth: Most of the blockchain identity
solutions rely heavily on PKI to make it secure; the problem for a PKI solution
is that within the short-term life-cycle of a global identity ecosystem, quantum
computing will likely break PKI as it stands. Therefore, a heavy reliance on
PKI may not be an optimal design solution.
Tenth (and finally): Smart
contracts are cited by many as the way you make Identity on the blockchain work.
I like the David B. Black quote[iv] “They’re not smart. They’re not contracts. They’re
rife with security issues. And they violate the core principles that are
supposed to make blockchain wonderful. Other than that, they’re great!” A smart
contract is visible to all users of the blockchain including bugs and security
holes and may not be quickly fixed – indeed if fixing the bug requires a fork
of the blockchain, once implemented on a global scale it may be impossible to
fix.
Conclusion:
I have no doubt that many of these
issues can be technically solved, but in solving the problems the solution
becomes increasingly complex, convoluted and difficult to understand/implement.
If I have learnt nothing from a long security
career, it is that complexity is the enemy of good security. The global identity
ecosystem model must be simple if it’s to stand any chance of working, let alone
achieving global adoption.
I would commend the Identity 3.0 key principles[v] that we developed to try and get the fundamentals right.
There ARE better solutions, see the
work out of the Jericho Forum and the Global Identity Foundation - but it all
starts with needing to get your mindset out of trust = a central system that I
control.
References and
footnotes:
Jericho Forum Commandments Jericho
Forum Identity Commandments: https://www.globalidentityfoundation.org/downloads/Identity_30_Principles.pdf
Jericho Forum Identity videos:
[v] Identity 3.0 Key Principles: https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf