[Cryptography] Verification of Identity

Kevin W. Wall kevin.w.wall at gmail.com
Sat Feb 18 14:48:07 EST 2017


On Feb 17, 2017 2:56 AM, "Paul F Fraser" <paulf at a2zliving.com> wrote:
>
> Hi,
>
> ProveId is a system I am developing for the
> purpose of  having a way to prove your
> identity at very low cost.
> The plan is to have users obtain an
> identity name,  an X509 client certificate
> and an online image, that is publicly
> accessible by the identity name.
>
> SDSI certificates develop trust through
> multiple acquaintances signing an SDSI
> certificate, I think 5 is the desired no of
> signatures so I have picked 5 as a starting
> number for verification.
>
> I intend to verify users by having them
> provide a list of 5 email addresses that
> the system will email with basic details
> and an image and expect a reply with a
> Yes/No type response.
>
> immediate family member
> extended family member
> a close friend
> an associate
> an acquaintance
>
> In effect I am treating the recipients of
> the emails as referees. I keep this list of
> referees with the users identity record.
>
> Other techniques are also planned to add to the verification.
>
> Before I finalize the system for release I
> thought I would throw the idea to the
> experts and stand back for the flack :-)
>
> All thoughts and opinions appreciated.

First off, I am not an "expert" nor do I play
one on TV. So a few questions.

Do you intend the identity to merely be
consistent across time or correspond to some
official recognized identity that could be
used on official government documents, etc.?
The latter is much harder to do and your
initial verification attempt by 5 people (or
20 for that matter) to vouch for you via
email is worthless there. It is trivial for
me or anyone else to provide N email
addresses to vouch for me, all of which I
have set up beforehand. Heck, I already have
more than 5 email addresses to use for that
should I so desire.  So one problem from the
start is how are you planning to verify the
email identities of the proposed

> immediate family member
> extended family member
> a close friend
> an associate
> an acquaintance

who you expect will provide attestation to
the claimant's identity in the first place?
That somewhat seems like a catch-22. If your
intended use of this proposed identity
management system is important enough to
require some sort of additional 3rd party
attestation in the first place, then you are
stuck with checking the claimant's references
to see if they are valid and actually "know"
the claimant.

So I don't even think your problem statement
is 100% clear at this point.

All the X.509 certificate does is to bind
some (rather ambiguous) identity to some
particular key pair (or more specifically,
the public key), but it doesn't guarantee that
the "John Q. Public" or "john.q.public at example.com"
on the CN or SubjectAltName corresponds to some
real life "John Q. Public". Because of fake IDs,
this problem is even difficult in real life,
so if you have that expectation, I think you
need to rethink it. And while there are
partial solutions that have been suggested
(e.g., have the state of Motor Vehicles
attest to one's identity or some attorney or
the passport office), none of them will be
cheap. That's going to have to wait for the
dystopian day when we're all implanted with a
non-removable identity chip at birth.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:  @KevinWWall
NSA: All your crypto bit are belong to us.
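An added example, not part of Kevin's message or of Paul's ProveId code, illustrating the point above about what an X.509 certificate actually binds. It self-issues a certificate whose CN and SubjectAltName e-mail are simply whatever strings the caller types in (the name "John Q. Public" and the address john.q.public@example.com are constructed sample values), then shows that a relying party's decision depends entirely on which issuer it has chosen to trust, never on whether the named person exists:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Claim is what a certificate asserts: name strings bound to a public key,
// signed by an issuer. Nothing in the format checks the strings against reality.
type Claim struct {
	CommonName string
	Emails     []string
	Issuer     string
	SelfSigned bool
}

// SelfIssue creates a self-signed certificate for any name and e-mail the
// caller supplies. No external party vouches for either value.
func SelfIssue(commonName, email string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		EmailAddresses:        []string{email}, // lands in SubjectAltName
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // needed so it can act as its own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Inspect reads back the identity claim exactly as a relying party would see it.
func Inspect(cert *x509.Certificate) Claim {
	return Claim{
		CommonName: cert.Subject.CommonName,
		Emails:     cert.EmailAddresses,
		Issuer:     cert.Issuer.CommonName,
		SelfSigned: cert.CheckSignatureFrom(cert) == nil,
	}
}

// TrustedBy reports whether the certificate chains to a root the relying
// party trusts. The name inside the certificate plays no part in the answer.
func TrustedBy(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	// Constructed sample identity: anyone can mint this in milliseconds.
	cert, _, err := SelfIssue("John Q. Public", "john.q.public@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("claim: %+v\n", Inspect(cert))

	empty := x509.NewCertPool()
	fmt.Println("trusted with no roots:", TrustedBy(cert, empty))

	trusting := x509.NewCertPool()
	trusting.AddCert(cert)
	fmt.Println("trusted once the issuer is a root:", TrustedBy(cert, trusting))
}
```

The only fact the verification step establishes is that the holder of the private key was issued this name by an issuer you trust; whether that issuer checked anything about a real-life "John Q. Public" is a policy question that lives outside the certificate, which is the gap the referee scheme was meant to fill.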