identity – Terence Eden’s Blog

How do you link Verifiable Credentials to a human?

@edent — Sat, 19 Jun 2021 11:37:51 +0000

Verifiable Credentials are a brilliant standard to help... well... Verify Credentials. How do you know that someone has an MBA from Harvard? It's pretty easy to fake a degree certificate, or to change your name to George W. Bush, or simply lie. The same is true with any attestation - it's often hard to contact the issuer of a claim and check that it is genuine.

Verifiable Credentials aims to solve that. The standard describes a document which includes the claim (this person is an airline pilot), the person's identity (name, DOB, etc), the party making the claim (Name, ID, date of issuing), and a digital signature to tie it all together. (It is a lot more complicated than that, obviously.)

Let's take a look at the data inside COVID Vaccine "Passport". I've removed some of the metadata for simplicity, but you can read the full spec if you're interested.

   {
   "ver": "1.0.0",
   "nam": {
     "fn": "Smith",
     "gn": "Jo",
   },
   "dob": "1984-02-29",
   "t": [
     {
       "tg": "840539006",
       "tt": "LP217198-3",
       "tr": "260415000",
       "ma": "1232",
       "sc": "2021-04-13T14:20:00+00:00",
       "dr": "2021-04-13T14:40:01+00:00",
       "tc": "GGD Fryslân, L-Heliconweg",
       "co": "NL",
       "is": "Ministry of VWS",
       "ci": "urn:uvci:01:NL:GGD/81AAH16AZ"
     }
   ]
},
"YR/yMsyE3AOysWLCXuDc/Rlu507gH0/wgok+P8dxJtCwy0ydsIE2J5MeMxbynynU3n//zgOKSTB20FN0Fs1bgQ=="

It tells you the person's name, date of birth, when they had the vaccine, which vaccine it is, who administered it, some administrative codes, and then gives it a digital signature which can be verified without needing an Internet connection. Nifty!

The same is broadly true with academic qualifications. It lists your names, birthday, university, level obtained. Or your employment history can be encoded with your employment dates, salary, references.

So you can show the above - encoded as a QR code - to anyone. They can scan it and verify that it is authentic! AWESOME!

Except...

How do you prove that you're the person mentioned in the credential?

You could show your passport or driving licence at the same time. Assuming you can afford either of those documents. But that still leaves the same problem. How do you prove that the passport belongs to you? Perhaps you grabbed it at the same time you stole the certificate.

Humans are not very good at recognising faces from photos. So comparing the picture of me in my passport (young! clean shaven! well lit!) with the person in front of you (old and tired! beardy! under a street lamp!) is always going to be error prone.

This isn't a problem which can be solved by adding more digital signatures. Even if I co-signed the credential with my private key - you have no way of linking that key to a corporeal human being.

A Verifiable Credential could also contain a hash of biometric data like a fingerprint, for example. But that leads to further problems. Are people comfortable giving away their biometrics to lots of different organisations? Do verifiers want the extra expense of getting fingerprint readers? That might work for an airport, but is probably prohibitive for a café. You could use proxies - did I see this person unlock their phone to present the claim - but these are weak ties at best.

To be clear, this problem isn't limited to vaccine certificates. It applies to any Verifiable Credential. Whether it is an academic qualification, a health certificate, employment status, or any other claim.

This isn't something which can be solved by putting a claim on a blockchain (lolsob) - it is a fundamental limitation of the fact that humans don't come with built in, irrevocable, digital signatures.

One Avatar To Rule Them All

@edent — Wed, 11 Mar 2020 13:35:40 +0000

Someone took a nice photo of me recently. I'd like to use it as my avatar photo everywhere to present a consistent image. This is not easy to do.

I've had to manually change it on a dozen different Slacks, a bunch of social networks, a few forums, all my email accounts, and I'm still not done.

I just want to change my photo once. Because I'm vain and lazy.

For a nerd like me, the solution is obvious:

My latest avatar image has a permanent web address - https://edent.tel/avatar.
When I register for a service, it should ask me for my homepage address and automatically detect the URl for my avatar.
Periodically, it should check for an update.

What about Gravatar?

The Globally Recognised Avatar project from WordPress is supposed to be a solution to this problem. But it doesn't work, for two main reasons.

Not everywhere uses it.
Works on a per-email basis.

Nothing we can do about (1), but I find (2) is annoying. I use a different email address for each website I use. Which means I have dozens of Gravatars!

Because Gravatar uses MD5 hashes, there's no way around this. It's also a (minor) privacy concern.

What about Libravatar?

The Libravatar project is basically an open source version of Gravatar. It also uses hashes for email addresses. And, sadly, very few sites use it.

What about Webfinger?

The documentation for Webfinger is comically absent.

What about Microformats?

Standards like microformats2 let you add an image to your profile.

This sort of exists. Services like Avatars.io let you use you Twitter & Facebook avatars as a URl - for example avatars.io/twitter/edent.

Sadly, the service isn't maintained any more, has broken images for Instagram, and doesn't include newer services like GitHub.

Regain Control

There are two fundamental mistakes we're making.

An email address is not an identity.
A 3rd party service is not an identity.

Given that Gravatar is promoted by WordPress - the largest website provider on the planet - and it still isn't universally accepted, I don't think there's any hope for smaller services.

So, I guess what I need is an app which can log in to all my accounts and automatically change the avatar whenever I want.

Or is there some other practical action I can take?

Can I own my identity on the Internet?

@edent — Wed, 22 Feb 2017 19:19:42 +0000

The ultra secure messaging app, Signal, requires a mobile phone number in order to sign up to it. This, as my friend Tom Morris, points out, is madness.

People don't own mobile phone numbers. They are rented from mobile operators. Yes, you may be able to move "your" number between a limited set of providers - but it ultimately doesn't belong to you. An operator can unilaterally take your number away from you.

If you move to a different country, you will almost certainly have to change your number - thus invalidating any account which relies on a mobile being your primary identifier.

That's before we get on to how hideously insecure phone numbers are. Transmitting an SMS with a sensitive one-time code over a cleartext which can be easily intercepted is not a sensible approach to security. Modern phone networks are designed to accommodate Lawful Intercept - and suffer from a range of security weaknesses.

Fine. Whatever. Let's use emails as our primary ID. Bzzzt! Wrong! Email addresses are just as ephemeral as mobile numbers.

If you use a service like Gmail, Yahoo, or Hotmail, then you're at the mercy of those providers. They can revoke your access at any time. They can give away your cherished address. And, like phones, they can be legally compelled to give access to certain 3rd parties.

Social Media IDs are equally rubbish. Your presence on Twitter or Facebook is little more than virtual sharecropping. You don't own or control your ID. If the provider goes bust, you've lost the ability to identify yourself.

OK, here's an answer! What if I run my own domain? Then I'll be in control of my identity. And my email as well!

No. Not really. Your domain is only temporarily leased from your registrar. Perhaps you forget to renew your domain. Or renewal prices will jump and you can't afford your "home" any more. Perhaps a global corporation insists that they alone have the right to use your name and take you to court. That kills off the ability to use something like IndieAuth.

Umm... How about IP addresses? Again, for most people these are leased from ISPs and are dynamic. Even with a switch to IPv6, there's no way to own an address permanently and move it between ISPs.

I want an online identity which is immune from 3rd parties to take back. Something unaffected by Eminent Domain. That - no matter the social and technological changes of the Internet - will remain valid throughout my lifetime.

Let's craft a problem statement

As a user, I want to have an identifier on the Internet which can only be revoked by me.

(That's not a perfect story, of course. It says nothing about security, access rights, or usability. But it is a simple starting point.)

Does such an identifier exist today?

Something like a Public/Private keypair is almost right. Ignoring the many usability issues with things like PGP, it is conceivable that you could authenticate yourself to a service by cryptographically signing a challenge they send you which is then verified against your public key.

This is more-or-less how FIDO UAF works. You generate and store your keypair on a piece of cryptographic hardware and use that for authentication and identification.

But there is a more fundamental flaw - a keypair doesn't provide a method for delivering a message or a service.

At the moment there's no way to say

"Visit my website at impossibly long cryptographic string" or
"Give me a call at ..." or
"Let's exchange data via ..."

OK, I can add multiple email addresses to a PGP key and hope that all the major email providers don't go bust, or sell me out.

I'm sure there are hacks which will turn 000D05F640557C62 into a DNS entry for a website. But that still falls back on requiring an existing domain name. Which can be taken away from you.

(As an aside, if you're an intergovernmental agency registered by an international treaty, you can apply for a .int domain. That's probably harder for someone to unilaterally revoke.)

The Internet, so we are told, routes around damage. But where does it route to?

I don't have an answer to this. It seems like a fundamental design flaw with existing Internet infrastructure. How can I carve out a permanent home here?

Mydex XSS Flaw (Disclosed & Fixed)

@edent — Thu, 06 Feb 2014 12:03:40 +0000

Ever heard of Mydex? Here's how they describe themselves:

Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data.

Not just secure, but hyper-secure! They've been signed up by the UK Government to provide Identity Assurance. Pretty impressive, eh?

Let's ignore the fact that their website doesn't use SSL and concentrate on the XSS flaw on the site.

Cross-Site-Scripting (XSS) is, in simple terms, a way to force a web page to run some malicious code against the wishes of its owner. Let's take a look at a simple example:

By searching for

test

We can force the page to display in italics.

This is because the search box's input isn't sanitised. You can put whatever you want in there and the web page will display it. For example, if you paste in the HTML code to display a photo, then this happens:

Ok - so that's a bit annoying, but nothing too bad. So, what happens if we try to inject JavaScript into the page? Aha! Now we can run arbitrary code on this website. In fact, we can completely take it over. Using JavaScript we can tell the page to redirect to some other website, we can switch on the user's microphone and camera - all sorts of naughty tricks.

To Mydex's credit, a few minutes after reporting the flaw it was fixed.

There's absolutely no suggestion that any user's personal data was at risk here. I would consider it extremely unlikely that anything entered into that search field could have caused an SQL injection attack.

Mydex also operates a strict separation of their "publicity" site and their Personal Data Service - which really does seem very secure.

It would, however, have been very easy for a scammer to set up a JavaScript redirection to a phishing site in order to trick a user into entering her personal details. Similarly, an attacker could have sent Mydex staff a link saying "Please reset your admin password - click here" and been granted the keys to the kingdom.

The Open Web Application Security Project list their top ten most critical web security risks facing organizations. XSS is number 3.

If you're running a website - especially one which deals in security - please take the time to read over the list and understand how to protect your business and your users.

Timeline

January 23rd - Reported and fixed.

February 5th - Publication agreed.

Social Media Camp London 2008 - #smclondon08

@edent — Sun, 05 Oct 2008 10:57:00 +0000

((Work In Progress - still need to add pics, videos and links))
Yesterday, myself and a few hundred other bloggers, geeks, marketing droids and other social media maverns descended on Wallacepace St Pancras for the inaugural Social Media Camp London 2008.

This is just a quick post to say what I did, what I liked and what I thought could go better,

First off, enormous thanks to Vero for single handedly organising the whole shebang. Her Whuffie must be through the roof by now. The venue was fantastic and - perhaps a first for a BarCamp - the food was freshly cooked and delicious.

There were around 150 participants - many of whom I'll name check - all of them interesting in their own special way. It was great to meet technology writer (and fellow log-haired scruff) Bill Thompson.

Our rampant twittering pumped us to the top of the twitter trends for the day. You can find all sorts of digital footprints from searching for our tag #smclondon

So, on to the sessions I attended.

1) "I Have Nothing To Say".
Someone -I have no idea who - put up a session called "I Have Nothing To Say". I think they meant it as a joke - because no one turned up to say anything. So, being the extrovert that I am, I moderated a session on why people abandon their blogs (via an unsuccessful attempt at why women don't speak out more in technology - see Suw's posting on the subject).

We looked at what reasons people have for starting to blog and what prevents them from blogging. It's often a time constraint but - more often - it's the fear that nothing one says will be of interest.

We looked at a few semi-abandoned blogs that participants had started. Zoe from Girl With A one Track Mind, talked about her anonymity being blown and the effect that had on her blogging. Annie Mole talked about the pressure to write on Going Underground and how she sometimes feels constrained by her subject matter from venturing into other areas that interest her. ((I'll try and put up the other blogs as I remember them!))

For me, there's a clear divide between writing in order to attract an audience and writing to satisfy a creative itch. I think my blog falls into the latter camp. I'm hugely gratified when people read and comment - but it exists primarily as a way to get my thoughts out of my head. That some of those thoughts might has a positive affect on others and perhaps change the world is, to me, a fringe benefit.

It has inspired me to keep this blog going. I'll try an put more of my thoughts down in long form rather than just 140 Character brain dumps on Twitter.

I'd like to thank whoever placed the topic up there. It really helped me warm up for my presentation and I think all the participants found it a useful discussion. I want to reiterate it wasn't my idea or session!

2) "Social Media Activism"
This session focused on Miro and its role in activism. An interesting session which showed off some of the reasons behind the software and how it is being used. While interesting, I would have appreciated a bit more focus on how and why.

It will be interesting to see if "counter culture" ever breaks in to the mainstream. We're now seeing User Generated Content popping up in the news - but it's only in terms of footage from an event. I hope it's not too long before commentary can become part of the discussion.

3) "How To Present To Big Scary Companies* *And Look Like You Know What You're Doing"
My presentation! I was lovely to see so many people turn up. Some kind soul has done a write up of my presentation. I'll write a full blog post in the next few days expanding on some of the themes.

Critically, I over-ran and didn't cover some of the points that I wanted to make. I'm also worried that I didn't create enough discussion in the room. Some of the best sessions I attended were discussions lead rather than presenter focused.

I'll let the other attendants have their say about me - and I'll link to them from here if I find any!

However, it was great to teach a new group of people my favourite tongue-twister "Peggy Babcock"

4) "Alternate Reality Games"
Hosted by Miss Geeky - AKA Melinda Seckington this was a fascinating look in to the ARG phenomenon. I'd seen things like the Heroes ARG but I'd never really been bothered to play. I thought they'd take up too much time and would be to US focused. This presentation really opened my eyes to how much fun they can be.

I'm a little worried that most of them are - at heart - marketing campaigns. I get a fun game to play in return for being marketed to and becoming a marketeer for the product. It's a reasonable trade-off, I suppose. Not much different from getting a free TV show in return for watching adverts.

5) "Managing Your Online Reputation"
Vero's presentation was well attended. It started with the rather brazen assertation that "Your CV Sucks!" It's true. Your CV only shows a fraction of your life. If future employers (or friends) want to know you better - they're heading off to Google, Linkedin, twitter and facebook.

As with all good sessions, this rapidly became a heated discussion. Should we teach children digital literacy - or will they teach us? Does seeing a picture on facebook of a potential employee drunk, taking drugs, misbehaving at university colour your judgement? If you post about your sexuality - or any other subject - can it land you in hot water?

Again, I have so many things to say about this, it might become another blog entry!

6) "Social Media - How Not To Get Fucked"
Zoe from Girl With A One Track Mind gave a brief presentation about what it was like to lose her anonymity. While I generally like presentations that turn in to discussions - I really would have liked to have heard more from Zoe about how she coped with - as she put it - getting fucked.

That said, it was fascinating to see how people perceive their digital identities as - contrasted with Vero's talk - how they compartmentalise them. The ramifications when those compartments break down was also a subject of interest. As some bright spark put it, the reasons weddings are so traumatic is that you have your friends, your family and you colleagues all in one place. Those compartments totally break down and - in extreme cases - can become toxic.

7) "6 Degrees of Separation - Now 3"
Ben gave a high level overview of FOAF, it's implications in the semantic web and social media. It was great to see a "techie" talk. Well put together and with an excellent interpretation of Dunbar's Number.

8) "Social Media Bingo"
A litt le bit of fun for the end of the day. Slightly chaotic and disorganised - but that may have been part of the charm. The highlight was the projector screen showing the tweets of participants.

Overall, the day was fantastic. The only criticisms I'd make is that the venue wasn't wonderfully accessible for those with mobility issue (or, in my case, the plain lazy). It might have been nice to stick a copy of the day plan in each room, just so people didn't over-run their slots and participants knew where to go without crowding round the main board.

Also, I should have won the year's free Sky HD. ;-p

Too knackered to write anything else. The day was a roaring success. It's great to meet new friends.