Identity In Transit

In my last job, one of the things that kept me up at night was the notion of electronic identity “in transit” or “on the wire.”  Specifically, I was concerned with protecting the electronic credentials of our customers from any kind of eavesdropping, spoofing or tampering as they were transiting the network at the moment a person entered them in a web form, login box on a computer, on their smart phone, or anywhere else they used their officially issued username and password.

Now I find myself in physical transit, from Iowa to Pennsylvania.  Along with that transition comes the need to re-prove who I am to a number of different agencies and institutions.  Those agencies are rightfully concerned with the prevention of any kind of tampering or spoofing of my identity in physical transit.  Along with that concern comes the need for rigorous forms of identity proofing and vetting in order to obtain new credentials.

Because I do this for a living, I knew the kinds of checks that were going to be required to prove my identity in my new location.  I was atypically well-prepared.  Before the movers arrived, I carefully packed all my incredibly precious, practically irreplaceable, highly combustible paper government-issued proofs of identity in a special box in the center of my car’s back seat.  Like a baby.  I knew that the checks to prove who I am to the Commonwealth of Pennsylvania would be burdensome, but I never really had the opportunity to experience them first-hand, and all at once, before.  Here are my experiences so far.  Please note that these experiences are likely nearly identical in every state in the union (thank goodness I didn’t move to California, or my ability to drive would have been in question and I would have had to get fingerprinted!).

The Drivers License

I started with what appears to be the “intermediate certificate” in the trust chain rooted in US citizens’ birth certificates and social security cards: the state-issued drivers license.  This form of physical identity has the following attributes:

  1. It’s highly vetted
  2. It’s issued by a state agency
  3. It has your photo and signature on it
  4. It has your address of record on it
  5. Its issuance is rooted in more deeply-entrenched forms of identification
  6. It’s not so irreplaceable that you can’t carry it with you everywhere, like you can’t with a birth certificate
  7. You must carry it with you everywhere to effectively operate in the modern world
  8. You can’t get one if you don’t already operate effectively in the modern world

As such, most other forms of daily identity proof are rooted in the state-issued drivers license.  To obtain this, I had to drive 10 miles out of town (good thing I have a car and an existing drivers’ license) to a small building where I had to write a check (no cash or credit accepted – are government agencies even permitted to not accept US currency?) to the PennDOT and surrender my Iowa license, present a Social Security card (why?) and any of the items from list A and two of the items from list B:

A

  1. Birth Certificate with raised embossed seal (not a copy)
  2. Certificate of US Citizenship
  3. Certificate of Naturalization
  4. Valid and original US passport (not a copy)

B

  1. Tax records
  2. Lease agreements
  3. Mortgage documents
  4. W2 form
  5. Current weapons permit (US citizen only)
  6. Current utility bills

Note that were I any less than a fully employed and housed person of good means (I carry a passport, and can afford a safe deposit box in which to keep my social security card, birth certificate and passport) I would have an extremely difficult time obtaining a license or photo ID in Pennsylvania (which, were it not due to the action of the ACLU, would be required to vote in an election here.)  If I didn’t have an Internet connection or at least access to a phone, I wouldn’t have been able to determine what I needed to take with me beforehand, and might have needed to make multiple trips, in the car which I thankfully own and am licensed to drive.

Luckily, the address on my check was not required to match my Pennsylvania address of residence, doubly so due to the tear in the space time continuum that would have been caused by identity in transit issue number two:

The Bank

I like credit unions: they exist to serve the membership.  The credit union I currently use in Iowa is a community credit union, meaning it has a community charter, and anyone in the area (a huge area) can use it.  I can still use it because I have existing business with them.  I want to get a new account at a credit union in Pennsylvania because I don’t want to pay ATM fees for withdrawing cash here, and I need to get a safe deposit box to put my incredibly precious and practically irreplaceable, highly combustible paper government-issued identity documents in.  The credit union here does not have a community charter, which means I need to have proof of employment at my new employer to get an account.  That’s fine, I can just do that when I start work at my new employer.  Here’s the fun one though: the credit union asked for my Pennsylvania drivers’ license.  Imagine if the drivers’ license office had decided that the address on my check (no cash, credit or Trobriand Island yams accepted!) needed to match my official Pennsylvania address of record.

Car Title

These next two things are not technically personal identity issues, although they deal with the state-issued identity of my car, which is almost as tightly controlled as the state-issued identity of me as a person.  When I went to the credit union in Iowa (which owns the lien on my car) to ask them about transferring the title to Pennsylvania, they said “don’t move to Pennsylvania.  Anywhere but Pennsylvania.  That is the worst state to transfer a title to.”  I’m not kidding, that’s verbatim.  So, clearly that’s not going to be a problem.

Vehicle Inspection

Iowa does not require any kind of periodic vehicle inspection (this shows in many of the cars on the road) and does not have what the EPA considers to be an air pollution problem, so does not require California Air Resources Board (CARB) certification.  You can legally (and actually) buy a car in Iowa that does not comply with CARB specifications.  If you take your car to Pennsylvania when you move, it’s MY2008 or newer, and it doesn’t have CARB certification, it must have over 7,500 miles on the odometer or you are out of luck, I guess.  Perhaps you could just drive to the King of Prussia Mall a few times to run up the clock before your 20 days to register your car expires.  Of course, in your formerly non-coastal, more-polluting, non-CARB-certified, extra-dinosaur-burning-mobile, that would just cause more pollution, not less.

Neighborly Identity

For the past week, we have had numerous neighbors in our condo association stop by to say “hi” – this was nice the first few times it happened.  Now it is becoming clear that they are investigating whether we are going to depreciate their property values and/or throw wild parties all night.  We are a prematurely elderly, workaholic grad student/professional couple with no kids.  Hopefully they will figure that out and stop ringing our doorbell while I’m on conference calls.

The Grocery Store

Loyalty programs abound!  They are all slightly different and all have weird different rules.  To obtain today’s lowest price on spaghetti sauce, I had to create an on-line identity at the new and different (to me) grocery store and print out a temporary loyalty card on my laser printer, which I bought at Staples, with a discount, using another loyalty card, with another on-line identity.

I understand the need to do many of these things, even most of them.  On the other hand, they are extraordinarily onerous and not at all customer-friendly.  In some cases (voter ID laws) they are blatantly and intentionally disenfranchising of certain segments of society.  That’s a problem.

Update (4/13/2013) – Title and Registration

I don’t know what the credit union thought would be so difficult about getting the title and registration transferred.  Within a couple days of me sending a form to them asking them to send the title to Pennsylvania, I had a new title issued in Pennsylvania, plus my registration and license plate.  It was probably the easiest thing to do yet.

Why Are Google and Verizon Fighting Over The TPM Chip In Your Phone?

I’ll give you a hint: it’s not about using NFC to exchange business cards, and it’s not even primarily about mobile payments. Why does Google want the TPM/NFC module in your phone integrated into the phone, and Verizon wants it in the SIM card? Simple: Identity ecosystem lock-in. Verizon and Google both have a huge vested interest in providing you with an electronic identity which you can use to execute high-stakes transactions. The only good way to do that for the general public is by putting a TPM chip in everyone’s phone and wirelessly provisioning high-assurance credentials to it via their trusted service manager of choice (much like “The Highlander,” there can be only one in control of the keys for each TPM, and they each want it to be theirs).

Why do I think this? Take a look at the OIX-certified FICAM Trust Framework-approved list of identity providers. What do you notice? Verizon is LoA 1, 2 and non-crypto 3 approved, and Google is LoA 1 approved but likely wants to be at LoA 2 and 3. Why is Verizon at LoA 2 and 3? Because they have a very well-established business relationship with their customers. They know, with a high degree of assurance, who they are. How will Google establish this high-assurance relationship with their customers? Google Wallet, Google Voice and their controversial “Real Names” policy.

So why do these companies want to be your default high-assurance identity provider? Simple: vendor lock-in. Can you imagine a more powerful lock-in effect for a specific platform than the one created when you not only use it for all your financial transactions, but also to open all the high security physical doors you use? With the advent of cloudsourced security, we aren’t just talking the front door of your house or starting your car. Your workplace will likely soon move to outsourced identity for login to your workstation, access to the VPN, and even the doors to the data center. Why? It’s much cheaper and easier (and less risky) to sign a contract with Verizon or Google to provide this service than to hire the people and purchase the infrastructure to manage it yourself. It’s also much less cumbersome to use a phone which everyone in the company normally already carries, than to set up some kind of expensive and cumbersome smart card system.

So which vendor will companies buy high-assurance identity from? The one with the largest installed base.

An Idea For Remote Proofing and InCommon Silver

The InCommon Silver assurance profile has a section that allows for remote proofing of identity subjects. Many people I’ve asked about this are saving this section for “later” and aren’t going to try to do remote proofing to begin with. Someone said something to me the other day about the availability of notaries that makes me think this is possible to do in a not too terribly difficult way. Here’s the relevant section of the assurance profile:

4.2.2.4.3 Remote proofing

1. The RA shall establish the Subject’s IdMS registration identity based on possession of at least one valid government ID number (e.g., a driver’s license or passport) and either a second government ID number or financial account number (e.g., checking account, savings account, loan or credit card) with confirmation via records of either number.

2. The RA verifies other information provided by the Subject using both of the ID numbers above through record checks either with the applicable agency or institution or through credit bureaus or similar databases, and confirms that: name, date of birth, and other personal information in records are on balance consistent with the application and sufficient to identify a unique individual. If this appears to be the case, the RA authorizes issuance of Credentials.

3. If the record checks do not confirm the Address of Record, it must be confirmed as described in §4.2.2.5 below.

Note that it says if you can’t confirm the information provided via record checks, you have to register the subject via the address of record. Everyone seems to be focusing on the technical problem of verifying the source document numbers via Equifax or other credit bureaus, and/or state motor vehicle registries. I think people are so shocked by this requirement that they’re misdirected away from the critical pieces here:

1) You only need to register the facts of the documents presented – you can do that via notaries public that are available free of charge for customers at all banks in the US.

2) You can confirm the identity of the individual by delivery of a registration secret to an address of record. What is an address of record?

Conveniently, section 4.2.2.5 (2)(b) says:

For an electronic Address of Record, the RA confirms the ability of the Subject to receive telephone communications at a telephone number or e-mail at an e-mail address.

So you can just e-mail them a short-lived registration bearer token after you receive their notarized paper form containing their identity documentation back. Can it really be that simple?  An idea for some legalese to include on the form (I am not a lawyer) might be:

I hereby declare that the e-mail address supplied on this form by me is a valid email address that is acceptable for use in official communications with me.  I am the only person who has access to this email address.
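The token delivery step proposed above, as an added example that is not part of the original post: an RA-side, HMAC-signed, short-lived, single-use registration bearer token bound to the registered document facts and the e-mail Address of Record, together with the checks the RA runs when the Subject redeems it. The RegistrationAuthority class, its method names and the 15-minute lifetime are my assumptions, not anything from the InCommon profile.

```python
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # "short-lived": assumed 15-minute window to redeem the token


class RegistrationAuthority:
    """Hypothetical RA: registers notarized facts, then issues/redeems a bearer token."""

    def __init__(self, key, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self.key = key          # RA-held HMAC key; keep it in a secret store, not in code
        self.ttl = ttl
        self.now = now          # injectable clock so expiry can be tested deterministically
        self.pending = {}       # registration id -> facts copied from the notarized form
        self.redeemed = set()   # nonces already used, which makes every token single-use

    def record_notarized_form(self, reg_id, email, document_facts):
        # Register the facts of the documents (ID numbers, or hashes of them), never the
        # documents themselves; the e-mail is the electronic Address of Record.
        self.pending[reg_id] = {"email": email, "docs": document_facts}

    def issue_token(self, reg_id):
        rec = self.pending[reg_id]
        payload = {"reg": reg_id, "email": rec["email"],
                   "exp": int(self.now()) + self.ttl, "nonce": secrets.token_hex(8)}
        body = json.dumps(payload, sort_keys=True).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + mac   # this string is what the RA e-mails to the Subject

    def redeem(self, token, presented_email):
        """Return (ok, reg_id_or_reason). Integrity is checked before any policy rule."""
        try:
            body_hex, mac = token.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), expected.encode()):  # constant-time
            return False, "bad signature"
        payload = json.loads(body)
        if self.now() > payload["exp"]:
            return False, "expired"
        if payload["nonce"] in self.redeemed:
            return False, "already used"
        rec = self.pending.get(payload["reg"])
        if rec is None:
            return False, "unknown registration"
        if presented_email != rec["email"] or payload["email"] != rec["email"]:
            return False, "address mismatch"
        self.redeemed.add(payload["nonce"])
        self.pending.pop(payload["reg"])   # proofing complete; the RA may now issue credentials
        return True, payload["reg"]
```

A second token for a registration that has already been completed is refused as an unknown registration, so a leaked old e-mail cannot be replayed to re-enrol the same Subject.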

Update: 5/30/2012: Thanks to Mark B. Jones for this interesting international tidbit on consular services and the notary function: http://travel.state.gov/law/judicial/judicial_2086.html

Oxytocin and the Economic Benefit of Trust Fabrics

The global higher education IT community is doing something pretty amazing. They’re weaving together a trust fabric to allow shared services via robust federated authentication and attribute-based authorization (see: InCommon, UK Access Federation, GakuNin, EduGAIN, REFEDS, many others).

At any scale, it’s hard to extend trust from “my tribe” to “your tribe,” but once we’ve done it, the return on the trust is almost magical. With federation in higher education, suddenly services and projects a school would be hard pressed to support on its own become easy to leverage.

So how does this scale beyond higher education? Trust is the basis for lowering barriers to collaboration and lubricating the machinery for an effective economy (see Paul Zak’s fascinating TED talk on oxytocin). I think this suggests that higher education is once again leading the way in building a framework for increased global trust, global research collaboration and global wealth production.

InCommon Silver With Active Directory Domain Services Cookbook Feature-Complete

For more than a year, I’ve been leading an effort within the Committee on Institutional Cooperation (CIC – the academic wing of the Big 10, plus The University of Chicago) and a number of other InCommon participants, to define an approach to mitigating risk within Active Directory Domain Services, with the goal of achieving InCommon Silver assurance. The work on that cookbook is now largely complete. You can take a look at it here: https://spaces.internet2.edu/x/w56KAQ

Whew.  That took a while to do.  I hope that at some point some school actually achieves Silver using it.

Putting Two And Two Together

So in the course of my evening of NFC/ISO 14443 smartcard/platform/API “literature” review, I put Steve Yegge’s rant together with an analysis piece about what Google thinks about NFC, and came to an unfortunate conclusion.  Google’s lack of NFC APIs, combined with them being the current best hope for getting NFC-enabled, ostensibly open smartphones into the mainstream, does not bode well.  My project must be tempered with realism.

Weekend Identity/Convergence Stream-of-Consciousness

I’ve been wanting to get a Galaxy Nexus phone for a while, ever since I found out it was coming to Verizon.  This summer I almost ditched Verizon for Sprint to get a Galaxy S 4G with an NFC chip in it, but held off because I knew this newer Nexus was just around the corner.  I want to mess around with the NFC feature and see if I can make it store X.509 certs and act as an ISO 14443 smart card for things like workstation logon and door access.  The secure element in the Galaxy Nexus is an NXP chip which supports a lot of different NFC protocols, but Google has been pretty open about their non-support for card emulation.  This means there’s not a built-in way to handle this stuff yet.  But then I found this: http://code.google.com/p/seek-for-android/

Neat!

For a while I was hoping that InfoCard would be a champion for identity selection and user-centric identity.  Now I hope it’s smartphones.  We’ll see how well this turns out.  I’ll be happy if my wallet can go away at some point.  It would be great to have payment, drivers’ license, passport, work login/door credentials, etc, all on the phone.  Some people probably think that’s a terrible idea and maybe slightly Orwellian (Dvorak: http://www.pcmag.com/article2/0,2817,2395071,00.asp) but I think it just makes sense.  The secure elements in these phones truly are secure, until they aren’t any more.  By that time we’ll have other things to replace them, and probably lots of other things to worry about.