e-Dictum meum pactum

[Dave Birch] There's a story about identity in The Economist magazine that I read on the plane to Washington ("My bow is my bond", p.98, 26th April 2008) that connects directly with something I'm working on for a client at the moment. Naturally, neither the client or the assignment will be discussed here, except to note that I've been playing around with some ideas on value-adding identity services for the mass market. I'd also recently received an e-mail from an august body, which won't be discussed here either, asking if I'd like to provide (for free!) some ideas on how to get private companies to use the U.K. identity card: I ignored the request, of course, but I did jot down a few notes. For both of these reasons, the story caught my eye.

The story concerns a fraud against Lehman Brothers in Japan. They lent a Japanese company $350 million, The load was guaranteed by a well-established Japanese trading house. Bankers from Lehman met an executvie from the trading house -- at the trading house's office -- to sign the contract. When the firm in question defaulted, Lehman went to the trading house to get their money, but the trading house claimed no knowledge of the deal. The executive had been an imposter and the contract was fake. When someone gives you their business card, you assume that it is true (by custom and practice -- you don't explicitly validate it) and when they put a letterhead in front of you, you take it to be real. Oops.

Still practising

[Dave Birch] I went to a European Commission "epractice" seminar to share best practice about electronic identity -- and in particular the interoperability thereof -- in Europe. Consult Hyperion have been doing a lot of work in this area -- we were commissioned by the EU to study identity interoperability last year -- and so I thought it would be very useful to come along and exchange ideas. It was gratifying to discover that the conclusion of our work for the Commissin was congruent with the findings of all of the other studies for the Commission: not only is there no interoperability whatsoever at a European level, there's precious little of it at the local level either (ie, you can't use your HMRC login to log on to DVLA and so on). There were some studies that have gone down another level, and they discovered that one of the reasons for the lack of interoperability is that none of the European identity schemes are using a standard-based approach (with the except of SAML that is being used in a small number of schemes).

It was quite well-attended (there must have been more than 40 people there) and while there were a few familiar faces, I enjoyed the opportunity to listen to some new(to me) perspectives. One of the points made at the beginning was, I think, key not only at the international level but at the national level too. It was that the focus should be on interoperability rather than harmonisation. There is no need for everyone to use the same identity management scheme, identity cards, identifiers and all the rest of it. Hence one of the ways forward is to imagine a set of technology-neutral national gateways and interconnect through those gateways.

In the afternoon I went into the breakout to discuss mobile e-identity, which I'm becoming increasingly enthusiastic about. The reasoning is that in order to make some form of electronic identity useful to citizens, it has to do some interesting things. But a card can't do anything interesting things, whereas mobile phones can and --- and I think this is central to the discussion looking forward two or three years -- what's the point in issuing another smart card when the entire population has a mobile phone already.

ID cards, management, PKI

Another thing invented by lawyers

[Dave Birch] Over at SecureID News, Daniel Butler was asking whether digital identity can curb spam. Apart from reminding me that the first ever Internet e-mail spam came from a couple of lawyers in Phoenix -- who in April 1994 hired a programmer to post a message advertising their services around the U.S. green card lottery to thousands of newsgroups -- it also made me reflect yet again on why nothing is happening. The most obvious way forward would be to use encryption and signing: since both S/MIME and SSLv3 were standardised many years ago (in fact it's difficult to buy a mail package or web server that doesn't have them) it's a puzzle that we don't use them. Requiring all e-mail to be digitally-signed, and instructing mail servers to throw away any mail that didn't have a valid signature, would be an obvious way to stop spam from reaching inboxes, because it raises the cost of sending a spam e-mail from zero to very little: but that's enough.

identity, PKI

Population-scale PKI

[Dave Birch] The Land Registry, the government agency that records who owns Britain's land and buildings, has spent the past decade developing an e-conveyancing system to make buying and selling houses easier and more certain. It's going to be using PKI to secure the system. Authorised parties will be able to exchange information quickly, securely and reliably with each other and the Land Registry. Documents will be encrypted and "signed" with a digital certificate, and people will require a secure token, username and password to produce and read the documents. Final testing is underway and when it goes live, expected in early summer, it will be able to process up to 300,000 documents a day and support up to half a million security "certificates" from property professionals such as conveyance attorneys.

identity, PKI

Some best practices

[Dave Birch] The European Commission's ePractice.eu is hosting a free workshop on electronic identity in Brussels on February 14th. I'll be going along to hear three best practice presentations -- from Spain, Belgium and Estonia -- and to join in the discussion about how to learn from and build on them. See below for more details if you want to come along too.

ID cards, identity, management, PKI

Mart Parve, Look at World Foundation

[Dave Birch] Estonia has been in the news recently, but we've been interested in it for a long time.  One of the most e-enabled societies in the world, their efforts to deliver a national smart identity card for both on and offline use have many lessons for other schemes.  In this week's podcast, Mart Parve (an Estonian) tells us something of the card and it's use to support e-business and e-government

Technorati Tags: government, ID cards, identity

Working digital identities in the corporate space

[Dave Birch] A perfect target group for digital identity are corporate treasurers.  They have to send important messages where authentication and encryption are required and they are busy people who don't want to mess around with complicated solutions.  What's more, since each of them may be dealing with a number of different banks and each bank on they use may require different levels of integration and security, they have desks cluttered with smart cards, USB tokens and key fobs for different log-ins and transaction approvals.  SWIFT and our good friends at Identrust have been running a pilot to change all of this, showcasing a new "double" digital signature information delivery model in which a corporate payment order file, layered with SWIFT's PKI security protocol, as well as an IdenTrust digital certificate identifying a specific corporate employee (required for Sarbannes-Oxley and such like), is delivered and then verified by two separate institutions.  And it works.

Technorati Tags: identity

Stephen Mason, Digital Evidence

[Dave Birch] This podcast is a chat with the barrister Stephen Mason, editor of the Digital Evidence Journal, about electronic signatures and the law.

Technorati Tags: internet, podcast, security