Learning Digital Identity: Design, Deploy, and Manage Identity Architectures 9781098117696

Why is it difficult for so many companies to get digital identity right? If you're still wrestling with even simple

English Pages 469 Year 2023

Table of contents:
Foreword
Preface
Who Is This Book For?
Conventions Used in This Book
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Credits
In Memoriam
1. The Nature of Identity
A Bundle of Sticks?
Identity Is Bigger Than You Think
No Universal Identity Systems
The Road Ahead
2. Defining Digital Identity
The Language of Digital Identity
Identity Scenarios in the Physical World
Identity, Security, and Privacy
Digital Identity Perspectives
Tiers of Identity
Locus of Control
Reimagining Decentralized and Distributed
A Common Language
3. The Problems of Digital Identity
Tacit Knowledge and the Physical World
The Proximity Problem
The Autonomy Problem
The Flexibility Problem
The Consent Problem
The Privacy Problem
The (Lack of) Anonymity Problem
The Interoperability Problem
The Scale Problem
Solving the Problems
4. The Laws of Digital Identity
An Identity Metasystem
The Laws of Identity
User Control and Consent
Minimal Disclosure for a Constrained Use
Justifiable Parties
Directed Identity
Pluralism of Operators and Technologies
Human Integration
Consistent Experience Across Contexts
Fixing the Problems of Identity
5. Relationships and Identity
Identity Niches
Relationship Integrity
Relationship Life Span
Anonymity and Pseudonymity
Fluid Multi-Pseudonymity
Relationship Utility
Transactional and Interactional Relationships
Promoting Rich Relationships
6. The Digital Relationship Lifecycle
Discovering
Co-Creating
Propagating
Using
Updating or Changing
Terminating
Lifecycle Planning
7. Trust, Confidence, and Risk
Risk and Vulnerability
Fidelity and Provenance
Trust Frameworks
The Nature of Trust
Coherence and Social Systems
Trust, Confidence, and Coherence
8. Privacy
What Is Privacy?
Communications Privacy and Confidentiality
Information Privacy
Transactional Privacy
Correlation
Privacy, Authenticity, and Confidentiality
Functional Privacy
Privacy by Design
Principle 1: Proactive Not Reactive; Preventive Not Remedial
Principle 2: Privacy as the Default Setting
Principle 3: Privacy Embedded into Design
Principle 4: Full Functionality—Positive-Sum, Not Zero-Sum
Principle 5: End-to-End Security—Full Lifecycle Protection
Principle 6: Visibility and Transparency—Keep It Open
Principle 7: Respect for User Privacy—Keep It User-Centric
Privacy Regulations
General Data Protection Regulation
California Consumer Privacy Act
Other Regulatory Efforts
The Time Value and Time Cost of Privacy
Surveillance Capitalism and Web 2.0
Privacy and Laws of Identity
9. Integrity, Nonrepudiation, and Confidentiality
Cryptography
Secret Key Cryptography
Public-Key Cryptography
Hybrid Key Systems
Public-Key Cryptosystem Algorithms
Key Generation
Key Management
Message Digests and Hashes
Digital Signatures
Digital Certificates
Certificate Authorities
Certificate Revocation Lists
Public-Key Infrastructures
Zero-Knowledge Proofs
ZKP Systems
Noninteractive ZKPs
Blockchain Basics
Decentralized Consensus
Byzantine Failure and Sybil Attacks
Building a Blockchain
Problem 1: Sending money
Problem 2: Uniquely identifying coins
Problem 3: Distributing the bank
Problem 4: Preventing double spending
Problem 5: Stopping network hijacking
Problem 6: Ordering transactions and handling disagreements
Other Ways of Countering Sybil Attacks
Classifying Blockchains
Should You Use a Blockchain?
The Limitations of PKI
10. Names, Identifiers, and Discovery
Utah.gov: A Use Case in Naming and Directories
Naming
Namespaces
Identifiers
Uniform Resource Identifiers: A universal namespace
Cool URIs don’t change
Uniform Resource Names
Zooko’s Triangle
Discovery
Directories
Directories are not databases
LDAP
Domain Name System
WebFinger
Heterarchical Directories
Personal Directories and Introductions
Distributed Hash Tables
Using Blockchains for Discovery
Discovery Is Key
11. Authentication and Relationship Integrity
Enrollment
Identity Proofing
Biometric Collection
Attribute Collection
Authentication Factors
Knowledge Factor: Something You Know
Possession Factor: Something You Have
Inherence Factor: Something You Are
Behavior Factor: Something You Do
Location Factor: Somewhere You Are
Temporal Factor: Some Time You’re In
Authentication Methods
Identifier Only
Identifier and Authentication Factors
Passwords
Password management
Password reset
Biometric factors
Challenge-Response Systems
Digital certificates and challenge-response
FIDO authentication
Token-Based Authentication
Classifying Authentication Strength
The Authentication Pyramid
Authentication Assurance Levels
Account Recovery
Authentication System Properties
Practicality
Appropriate Level of Security
Locational Transparency
Integrable and Flexible
Appropriate Level of Privacy
Reliability
Auditability
Manageability
Federation Support
Authentication Preserves Relationship Integrity
12. Access Control and Relationship Utility
Policy First
Responsibility
Principle of Least Privilege
Accountability Scales Better Than Enforcement
Authorization Patterns
Mandatory and Discretionary Access Control
User-Based Permission Systems
Access Control Lists
Role-Based Access Control
Attribute- and Policy-Based Access Control
Abstract Authorization Architectures
Representing and Managing Access Control Policies
Handling Complex Policy Sets
Digital Certificates and Access Control
Maintaining Proper Boundaries
13. Federated Identity—Leveraging Strong Relationships
The Nature of Federated Identity
SSO Versus Federation
Federation in the Credit Card Industry
Three Federation Patterns
Pattern 1: Ad Hoc Federation
Pattern 2: Hub-and-Spoke Federation
Pattern 3: Identity Federation Network
A secure, protected environment
Identity networks are more complicated than financial networks
Addressing the Problem of Trust
Network Effects and Digital Identity Management
Federation Methods and Standards
SAML
SAML Authentication Flow
SCIM
OAuth
OAuth basics
Getting a token
Refresh tokens
OAuth scopes
Using a token
OpenID Connect
Governing Federation
Networked Federation Wins
14. Cryptographic Identifiers
The Problem with Email-Based Identifiers
Decentralized Identifiers
DID Properties
DID Syntax
DID Resolution
DID Documents
Indirection and Key Rotation
Autonomic Identifiers
Self-Certification
Peer DIDs
Benefits of peer DIDs
Making peer DIDs trustworthy
Peer DID authentication and authorization
Key Event Receipt Infrastructure
Self-certifying key event logs
Prerotation of keys
Delegation
The KERI DID Method
Other Autonomic Identifier Systems
Cryptographic Identifiers and the Laws of Identity
15. Verifiable Credentials
The Nature of Credentials
Roles in Credential Exchange
Credential Exchange Transfers Trust
Verifiable Credentials
Exchanging VCs
Issuing Credentials
Holding Credentials
Presenting Credentials
Credential Presentation Types
Full Credential Presentation
Derived Credential Presentation
ZKPs and credentials
Correlation and blinded identifiers
Answering Trust Questions
The Properties of Credential Exchange
VC Ecosystems
Alternatives to DIDs for VC Exchange
A Marketplace for Credentials
VCs Expand Identity Beyond Authn and Authz
16. Digital Identity Architectures
The Trust Basis for Identifiers
Identity Architectures
Administrative Architecture
Algorithmic Architecture
Autonomic Architecture
Algorithmic and Autonomic Identity in Practice
Comparing Identity Architectures
Power and Legitimacy
Hybrid Architectures
17. Authentic Digital Relationships
Administrative Identity Systems Create Anemic Relationships
Alternatives to Transactional Relationships
The Self-Sovereign Alternative
Supporting Authentic Relationships
Disintermediating Platforms
Digitizing Auto Accidents
Taking Our Rightful Place in the Digital Sphere
18. Identity Wallets and Agents
Identity Wallets
Platform Wallets
The Roles of Agents
Properties of Wallets and Agents
SSI Interaction Patterns
DID Authentication Pattern
Single-Party Credential Authorization Pattern
Multiparty Credential Authorization Pattern
Revisiting the Generalized Authentic Data Transfer Pattern
What If I Lose My Phone?
Step 1: Alice Revokes the Lost Agent’s Authorization
Step 2: Alice Rotates Her Relationship Keys
What Alice Has Protected
Protecting the Information in Alice’s Wallet
Censorship Resistance
Web3, Agents, and Digital Embodiment
19. Smart Identity Agents
Self-Sovereign Authority
Principles of Self-Sovereign Communication
Reciprocal Negotiated Accountability
DID-Based Communication
Exchanging DIDs
DIDComm Messaging
Properties of DIDComm Messaging
Message Formats
Protocological Power
Playing Tic-Tac-Toe
Protocols Beyond Credential Exchange
Smart Agents and the Future of the Internet
Operationalizing Digital Relationships
Multiple Smart Agents
Realizing the Smart Agent Vision
Digital Memories
20. Identity on the Internet of Things
Access Control for Devices
Using OAuth with Devices
OAuth’s Shortcomings for the IoT
Device limitations
Where’s the owner?
Magically working together
The CompuServe of Things
Online Services
Online 2.0: The Silos Strike Back
A Real, Open Internet of Things
Alternatives to the CompuServe of Things
The Self-Sovereign Internet of Things
DID Relationships for IoT
Use Case 1: Updating Firmware
Use Case 2: Proving Ownership
Use Case 3: Real Customer Service
Relationships in the SSIoT
Multiple Owners
Lending the Truck
Selling the Truck
Unlocking the SSIoT
21. Identity Policies
Policies and Standards
The Policy Stack
Attributes of a Good Identity Policy
Recording Decisions
Determining Policy Needs
Business-Inspired Projects and Processes
Security Considerations
Privacy Considerations
Information Governance
Meeting External Requirements
Feedback on Existing Policies
Writing Identity Policies
Policy Outline
The Policy Review Framework
Assessing Identity Policies
Enforcement
Procedures
Policy Completes the System
22. Governing Identity Ecosystems
Governing Administrative Identity Systems
Governing Autonomic Identity Systems
Governing Algorithmic Identity Systems
Governance in a Hybrid Identity Ecosystem
Governing Individual Identity Ecosystems
Credential Fidelity and Confidence
Credential Provenance and Trust
Domain-Specific Trust Frameworks
The Legitimacy of Identity Ecosystems
23. Generative Identity
A Tale of Two Metasystems
The Social Login Metasystem
The Self-Sovereign Identity Metasystem
Generativity
The Self-Sovereign Internet
Properties of the Self-Sovereign Internet
The Generativity of the Self-Sovereign Internet
Capacity for leverage
Adaptability
Ease of use
Accessibility
Generative Identity
The Generativity of Credential Exchange
Capacity for leverage
Adaptability
Ease of use
Accessibility
Self-Sovereign Identity and Generativity
Our Digital Future
Index
