Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

Digital Identity “MythBusters”

(Colin Wallis)

Colin will be on a panel at the KNOW conference in Vegas and is collecting input from the community.

Conference in Vegas that Colin will attend

The world of digital identity suffers from a lot of common myths and misunderstandings about its core concepts. The panel wants to draw on the participants' experience of implementing digital ID in real life to knock down a few commonly misunderstood and confused terms. The idea is to collect all of these suggestions and play them back to the audience.

Robin: Are you asking for more elaborate statements at this stage, or for examples that disprove existing statements?

Colin: We are using these big examples as a way to attract the audience. New ones are always welcome.

Suggestions for myths out there:

  • It is only metadata (5)
  • If you have nothing to hide, you have nothing to fear (6)
  • It’s a good idea to implement these protocols yourself (6)
  • Let’s do a local user DB in the first release and think of authentication and federation later (2)
  • Just do the provisioning implementation first, and the deprovisioning can be done later (4)
  • You need unique single logout
  • If you can do authentication, then you solved the authorization problem as well
  • E-mail address is the best unique identifier & the best way to find out where the user is from (5)
  • Anything with an @ sign in it is an email address (3)
  • We need a common policy for everything - risk mitigation, control, capabilities (1)
  • There is no way to reduce the level of risk
  • I have a precise definition of identity / trust / privacy (4)
  • We are doing open science - we don’t need access control (1)
  • Every authentication is based on username/password combination (1)
  • SSO is less secure than individual registration
  • A good IAM solution includes every possible feature available (3)
  • Blockchain is secure (1)
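Two of the e-mail myths in the list ("anything with an @ sign in it is an email address" and "e-mail address is the best unique identifier & the best way to find out where the user is from") lend themselves to a small demonstration. The code below is an added example, not material from the session or from Colin's panel; the addr-spec grammar, the sample strings, the issuer URL and the subject identifiers are all constructed for it.

```python
import re
import unicodedata

# Deliberately small addr-spec grammar, constructed for this example and not a
# full RFC 5322 implementation: dot-atom local part, exactly one '@', and a
# domain of at least two labels made of letters, digits or hyphens.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_ADDR_SPEC = re.compile(
    "^" + _ATOM + r"(\." + _ATOM + r")*@([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$"
)


def naive_is_email(s):
    """The myth: anything with an '@' sign in it is an e-mail address."""
    return "@" in s


def is_addr_spec(s):
    """Stricter check: one '@', a plausible local part and a dotted domain."""
    return _ADDR_SPEC.match(s) is not None


# Constructed inputs: every one contains '@', only the last is an addr-spec
# that could serve as a login name.
SAMPLES = [
    "@colin",                            # social-media handle
    "Colin Wallis <colin@example.org>",  # name-addr form, not a bare addr-spec
    "colin@example",                     # no dotted domain
    "colin@@example.org",                # two '@' signs
    "colin@example.org",
]


def classify(samples=SAMPLES):
    """Map each sample to (naive verdict, addr-spec verdict)."""
    return {s: (naive_is_email(s), is_addr_spec(s)) for s in samples}


def mail_domain(addr):
    """Domain part of an addr-spec. It names the mail provider, not the user's
    home organisation or country: 'student@gmail.com' says nothing about where
    the student is from."""
    return addr.rsplit("@", 1)[1].lower()


def dedupe_key(addr):
    """Key for spotting *likely* duplicate addresses: NFKC-normalise, lower-case
    the domain (case-insensitive per RFC 5321) and keep the local part's case,
    since whether 'Colin@x' and 'colin@x' are one mailbox is the provider's call."""
    local, domain = unicodedata.normalize("NFKC", addr).rsplit("@", 1)
    return local + "@" + domain.lower()


class UserDirectory:
    """Accounts keyed by a stable opaque subject identifier (issuer, sub);
    the e-mail address is a mutable attribute of the account, never the key."""

    def __init__(self):
        self._by_subject = {}

    def register(self, issuer, sub, email):
        self._by_subject[(issuer, sub)] = {"email": email}

    def update_email(self, issuer, sub, new_email):
        self._by_subject[(issuer, sub)]["email"] = new_email

    def lookup(self, issuer, sub):
        return self._by_subject.get((issuer, sub))

    def find_by_email(self, email):
        key = dedupe_key(email)
        return [k for k, v in self._by_subject.items() if dedupe_key(v["email"]) == key]


def address_reuse_demo():
    """Constructed scenario: a user changes address, then the old address is
    handed to someone else. Lookups by e-mail break both ways; the subject
    identifier keeps pointing at the right person."""
    issuer = "https://idp.example.org"          # hypothetical IdP
    d = UserDirectory()
    d.register(issuer, "sub-0001", "colin@example.org")
    d.update_email(issuer, "sub-0001", "c.wallis@example.org")
    after_change = d.find_by_email("colin@example.org")   # [] : user "vanished"
    by_subject = d.lookup(issuer, "sub-0001")["email"]    # still found
    d.register(issuer, "sub-0002", "colin@example.org")   # address recycled
    after_reuse = d.find_by_email("colin@example.org")    # now a different person
    return after_change, by_subject, after_reuse


if __name__ == "__main__":
    for sample, verdicts in classify().items():
        print(f"{sample!r:40} naive={verdicts[0]} addr_spec={verdicts[1]}")
    print(address_reuse_demo())
```

The directory uses the (issuer, sub) pair that a federation or OpenID Connect identity provider would assert as the account key and treats the address as an attribute that can change or be reassigned; `dedupe_key` is only good for flagging probable duplicates for a human to resolve, not for proving two addresses are the same person.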

If the relying party is going to add attributes to fix sector-related issues, it might as well implement the entire set of capabilities.

The ISO standard on data security techniques defines a cryptographic key as the piece of data that controls the operation of the algorithm. It is a nonsense definition, but it is the only one they could get approved by everyone in the room.

It is important to have precise definitions or at least a good substantial debate about them.

The room votes on the proposed myths to decide which of the suggestions Colin should take and add to the official list. There are 16 participants in the room, each with three votes. The vote counts are noted in brackets in the list of suggestions.