My draft thoughts on the chasm between NIST and the EU that seems to be
being papered over.
Punches would need to be pulled before publication, and in some cases
the relevance spelled out for those not close to the subject.
It doesn't look anything like a draft for Kantara, and is light on
certification, but grateful to colleagues for comments. Please reply-all
only if you intend to.
DRAFT EU-US TTC Digital Identity Mapping Exercise Report
TTC WG1: Technology Standards – Digital Identity Subgroup
The comparison is like comparing the navy and the fishing fleet: much
common terminology, even if only vague distinctions between large,
medium and small vessels, the same water and icebergs, but a
fundamentally different dynamic. Sometimes, as with harbour buoys, the
two sides of the Atlantic can differ and the differences need to be
known and catered for, but in other cases seemingly simple fields such
as Gender M/F turn out not to work if the field is blank or X for ‘not
saying’, let alone anything nuanced or changing over time, like
clownfish.
These disinterested comments come from England, where interoperability
with both partners is vital. They include highlighting some of the
background issues complicating the development or use of common
standards in this arena.
The European Commission’s own analysis determined that the “eIDAS 1.0”
Regulation had not worked as intended, and the scope of eIDAS 2.0 is
much broader (including ledgers and wallets, possibly able to hold
money) as well as specifically demanding some nation-level components
and not just interoperability where they exist. (This was a result of
the limitation of the legal basis for action by the European Commission,
akin to US states’ rights but mostly in reverse.) It pays less attention
to common law concerns and requires a national infrastructure of
population registers that most EU Member States already have but that
nobody is expecting to see in the US (or Canada, the UK, NZ or
Australia) and which would, in any case, necessarily take a considerable
time to produce. There is explicit provision for “mutual” recognition of
the systems of other nations, whereas the appropriate entities might
well be the individual US States (Canadian Provinces or UK devolved
governments). This ‘mutual’ expectation causes problems not only for the
simultaneous start of any bilateral arrangement, but also in cases where
one side would already accept the other’s adequacy, e.g. an EU signature
would be legally acceptable in the US with no special provision needed,
so there is nothing to ‘find equivalent’.
It is also worth noting what by European standards is the large number
of committee votes against the proposed Regulation, not just
abstentions, which must indicate significant unresolved issues.
Most of the questions raised will need to be addressed in the devil in
the detail of the implementing acts, and it would be premature to
comment on those beyond encouraging continuing engagement. The exception
is “How should we design and architect…”, which presumes it is the role
of “we” and might result in the modern equivalent of X.500 e-mail: a
camel designed by committee that nobody used voluntarily.
The different contexts are important to understand and the implications
for public and private use need to be thought through. Lessons should be
learnt from the UK’s online-only status checks for (non-Irish) EU
residents: they make proof of right to rent a serious barrier as private
landlords (who are forced to check) prefer paperwork, but, conversely,
it gives a significant advantage to immigrants finding employment
online, where the nationals must use paperwork (which they may not
have).
The issue of ‘pseudonyms’ needs to be clarified, not least to enable
interoperability between those places where everyone has a unique
official number, an official name with a single registered address at
any one time, and the places with a typical English-speaking
laissez-faire environment.
Even within Europe there is discrepancy in whether the concern is about
alternate names, variants, nicknames, abbreviations, previous names,
professional names, or about identifiers that have no association
outside a context (such as customer number 56223, local policeman 999,
or the person currently standing at some very precise location). The US
Federal Government may still be holding out against role-based
identifiers (such as ‘Navigating Officer of USS Chesapeake’) because
policy relating to attributes such as clearances has not been updated.
The 2007 OECD paper on Personhood noted philosophical differences
(comparing Hegel and Locke) and there is a significant difference
between the mindsets of US rampant individualism yet being focussed on
authorization and the EU socialist yet ‘self-sovereign’ aspirations.
The gory detail of character sets and transliterations will need to be
addressed for interoperability to work without opening up an opportunity
for fraud or an impediment to anyone without an ASCII name. (The German
government has done a thorough analysis and specification, but it may
only be available in German. Consistent automated handling of characters
such as öøłŵæőÞßçéñ and many others is challenging, not least with
field length limits.)
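As an added illustration, not part of the draft and not any government's specification, the following Python sketch shows three of the traps the paragraph alludes to: canonically equivalent spellings that compare unequal byte-for-byte, lossy “strip the accents” handling that merges distinct names or loses letters entirely, and length limits that count octets rather than characters (and can cut a combining mark away from its base letter). All sample names are constructed for the example.

```python
import unicodedata

# Constructed sample names (not from any register): the same or similar
# names as they might arrive from different systems.
SAMPLE_NAMES = [
    "Möller",          # precomposed ö (NFC form)
    "Mo\u0308ller",    # 'o' followed by combining diaeresis (NFD form)
    "Müller",
    "Muller",          # a different surname that ASCII-stripping merges with Müller
    "Møller",
    "Þórðardóttir",
    "Straße",
]


def normalize_for_comparison(name: str) -> str:
    """Canonical form for matching: NFC composition, then casefold.

    Casefold rather than lower() so that 'ß' compares equal to 'ss';
    NFC so that precomposed and decomposed spellings compare equal."""
    return unicodedata.normalize("NFC", name).casefold()


def ascii_strip(name: str) -> str:
    """The lossy 'just drop the accents' handling found in legacy systems.

    Letters with a decomposition (ü -> u + diaeresis) keep their base letter;
    letters without one (ø, Þ, ð, ß) are silently deleted."""
    decomposed = unicodedata.normalize("NFKD", name)
    return decomposed.encode("ascii", "ignore").decode("ascii")


def fits_field(name: str, max_octets: int) -> bool:
    """Field limits are usually specified in octets of UTF-8, not characters."""
    return len(name.encode("utf-8")) <= max_octets


def truncate_utf8(name: str, max_octets: int) -> str:
    """Truncate to a byte budget without emitting a split multi-byte sequence
    or leaving a base letter whose combining mark was cut off."""
    data = name.encode("utf-8")[:max_octets]
    text = data.decode("utf-8", errors="ignore")  # drops a partial sequence
    # If the next original character is a combining mark, the cut has
    # separated it from its base letter: drop the base too rather than
    # silently changing the name (Mö... would otherwise become Mo...).
    if len(text) < len(name) and unicodedata.combining(name[len(text)]):
        text = text[:-1]
    return text


def ascii_collisions(names):
    """Group names that become indistinguishable after ASCII stripping."""
    groups = {}
    for n in names:
        groups.setdefault(ascii_strip(n), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r:20} chars={len(n):2} octets={len(n.encode('utf-8')):2} "
              f"ascii={ascii_strip(n)!r:14} key={normalize_for_comparison(n)!r}")
    print("ASCII collisions:", ascii_collisions(SAMPLE_NAMES))
    print("8-octet field:", [truncate_utf8(n, 8) for n in SAMPLE_NAMES])
```

The practical point for a matching rule: normalise before comparing, never compare ASCII-stripped forms, and state field limits in characters (or graphemes) rather than octets if the limit is to mean the same thing on both sides of the Atlantic.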
Many of the everyday inconveniences blamed on GDPR, particularly the
abuse as an excuse for inaction, are not based on what is (still) in the
Regulation but rather on an incomplete understanding. Concepts such as a
(remote) signature service are not widely known about, let alone seen as
relevant. Innovative uses cannot be excluded, although the implications
for risk and liability are hard to foresee (or limit). There is a common
US misperception that GDPR applies to EU citizens, whereas citizenship
appears nowhere in the text; the scope is people in Europe, and that’s
not the equivalent of ‘US persons’.
The eIDAS 2.0 preamble is clear that trust services are “normally
provided for remuneration”, i.e. someone is making money out of
something for somebody. This will require an associated payment
infrastructure (a separate issue from whether the wallet contains cash).
Yet, presumably as voters have no enthusiasm to pay for something that
they didn’t before, there is also the demand for free ‘non-professional
use’ (not yet defined). Tangible benefits are hard to demonstrate
online.
Even in England, Qualified electronic signatures are often asserted to
have mystical legal powers (such as reversal of burden of proof) which
are not found in the law as enacted.
The distinction between e-signatures and e-seals doesn’t align with
Japanese usage, UK company seals or Scottish partnerships, so care will
be needed to ensure any distinctions are considered, especially where
digital signatures are used for both. Permission to enter a building can
expire, but if something in law is required to be signed then it is
either signed or it is not, and it makes no sense to have a signature
timing out.
‘Levels’ have not been resolved, with the new eIDAS preamble indicating
muddier waters ahead.
The UK was the source of the original OMB levels, the analysis under
STORK of the problems with inconsistencies, the pressure for definitions
based on what was achieved, and, in GPG43/RSDOPS, an attempted
functional distinction. The lesson was that whereas multiple ‘levels’
made sense for separate aspects of security, when it came to evidence no
division such as civil (balance of probability)/criminal (beyond
reasonable doubt) could usefully be made for individual items.
Having defined security levels balances the cost of needing to round up
against the benefit of common provision, but the fact that integrity and
confidentiality levels work in opposite directions makes them hard to
define and use. (Copying from high to low is OK in one case and
problematic in the other.) The only well-defined definitions for levels
were log micromorts, but this is not something that politicians are
comfortable using.
Although rarely noticed, eIDAS 1.0 put an upper bound of ‘high’ on what
can be required by EU public sector services, otherwise a ‘barrier to
trade’ is created. But now we find
“In order to ensure that the data using a qualified electronic
registered delivery service is delivered to the correct addressee,
qualified electronic registered delivery services should ensure WITH
FULL CERTAINTY the identification of the addressee while A HIGH LEVEL OF
CONFIDENCE would suffice as regard to the identification of the sender”.
What this means in assurance vocabulary is far from obvious.
Outside command economies, relying parties (whether second-party
verifiers or third party analysers of evidence) are treated in very
different ways, and this looks to be setting an obstacle course.
• The US (and Australian) line seems that these need to abide by
(and shown to abide by) some specified rules. This (for the US) may be
justified by lack of a GDPR and so a need for sector-specific approach
to handling personal data.
• The EU envisages registration of relying parties, which looks like
a barrier to external trade.
• The UK framework has accepted that it is pointless and
counterproductive to limit reliance, not least because it is the
requirements of (or laid upon) the relying party that are the whole
point of the edifice. (You need to check I’m over/under some age and
might not be able to do it without my assistance, but I have no inherent
desire to claim/assert the attribute. It’s for your compliance or due
diligence, for which I’m not rushing to pay.)
Attributes such as nationality or citizenship rarely have the clear and
useful distinction made in Mexico (where you have to be an adult to be a
citizen), but these really only have one authoritative source for each
value, and the relevant state may be unable or unwilling to participate.
A Belgian ID card that states that someone is a Canadian is not
necessarily useful for asserting Canadian citizenship, but may be
evidence that they are not claiming to be Belgian. How could one get an
authoritative assertion of being not Chinese (in a country which accepts
dual citizenship)?
EU annex item 7, “Educational qualifications, titles and licenses”
[these may be in a previous name; the awarding body may not exist, or
may have merged with another], would need a way to handle authoritative
sources for qualifications gained long ago, although in some cases
professional organisations might suffice without expecting something
from the awarding body. That would be separate from item 8,
“Professional qualifications, titles and licenses” [these too may be in
a previous or alternate name]. There are many leading universities that
do not provide digital certificates for current graduates, let alone
those who graduated before computers were in widespread use.
There are many pragmatic unilateral trust relationships that will not
translate easily into the digital world, e.g. the Philippine requirement
for visas for visiting Chinese passport holders unless they already hold
a visa from the US, UK, Australia, or Schengen (and probably others).
Philippine immigration is a legitimate relying party, using paper visas
in this way without getting formal approval from any of the bigger
players, nor informing them of any cases.
The implications of being reliant on markets to deliver should be noted.
The UK and NATO have been able to declare that compliance with NIST
standards is sufficient for some applications, but they should never
make them mandatory if the US has sole control of what is tested for
compliance. US Presidential directives ensure that there is a (large)
guaranteed market for compliant products or services.
Advice on the pragmatic aspects of certification can be gleaned from
interested parties such as Kantara, but note that open source is
envisioned by “Member States should disclose the source code of the
user application software components of European Digital Identity
Wallets”.
After more than a decade and despite widespread internet use for
purchases, the continuing reluctance of the majority of Belgians or
Germans to use the available electronic ID even for national
applications is a warning that cross-border use is for a small minority,
and the emotive universality is arguably overplayed.
To see ourselves as others see us! It would from many a blunder free us,
And foolish notion
Citizens of countries rarely experience the horrors of the cross-border
processes that bewilder foreigners, e.g. the US use of passports from
the cheapest supplier, border guards using equipment approved by Canada,
a wall to block the tired, poor and huddled masses, export control that
covers information that never leaves the US. The perceptions (even
without malicious misinformation) can be more important than the
reality, and the damage e.g. to tourism should be studied.
The UK may be even weirder, and is not a party to this interaction, but
may be a source of warnings as it has overlaps with both camps. E.g. in
GB, recent voterID requirements have discouraged, inconvenienced or
disenfranchised voters without solving a problem that didn’t exist, and
diverted attention from areas where ID infrastructure would be useful.
Mark