My draft thoughts on the chasm between NIST and the EU that seems to be being papered over. Punches would need to be pulled before publication, and in some cases the relevance spelled out for those not close to the subject. It doesn't look anything like a draft for Kantara, and is light on certification, but grateful to colleagues for comments. Please reply-all only if you intend to.

DRAFT EU-US TTC Digital Identity Mapping Exercise Report
TTC WG1: Technology Standards – Digital Identity Subgroup

The comparison is like comparing the navy and the fishing fleet: much common terminology, even if only vague distinctions between large, medium and small vessels; the same water and icebergs; but a fundamentally different dynamic. Sometimes, as with harbour buoys, the two sides of the Atlantic differ and the differences need to be known and catered for. In other cases, seemingly simple fields such as Gender M/F turn out not to work if the field is blank or X for ‘not saying’, let alone anything nuanced or changing over time, like clownfish.

These disinterested comments come from England, where interoperability with both partners is vital. They include highlighting some of the background issues complicating the development or use of common standards in this arena.

The European Commission’s own analysis determined that the “eIDAS 1.0” Regulation had not worked as intended, and the scope of eIDAS 2.0 is much broader (including ledgers and wallets, possibly able to hold money), as well as specifically demanding some nation-level components, and not just interoperability between them where they exist. (This was a result of the limitation of the legal basis for action by the European Commission, akin to US states’ rights but mostly in reverse.) It pays less attention to common-law concerns and requires a national infrastructure of population registers that most EU Member States already have but that nobody expects to see in the US (nor in Canada, the UK, NZ or Australia) and which would, in any case, necessarily take a considerable time to produce.

There is explicit provision for “mutual” recognition of the systems of other nations, whereas the appropriate entities might well be the individual US States (or Canadian Provinces or UK devolved governments). This ‘mutual’ expectation causes problems not only for the simultaneous start of any bilateral arrangement, but also in cases where one side would already accept the other’s adequacy: e.g. an EU signature would be legally acceptable in the US with no special provision needed, so there is nothing to ‘find equivalent’.

It is also worth noting the, by European standards, large number of committee votes against the proposed Regulation, not just abstentions, which must indicate significant unresolved issues. Most of the questions raised will need to be addressed in the devil of the detail of the implementing acts, and it would be premature to comment on those beyond encouraging continuing engagement. The exception is “How should we design and architect…”, which presumes that this is the role of “we” and might result in the modern equivalent of X.500 e-mail: a camel designed by committee that nobody used voluntarily.

The different contexts are important to understand, and the implications for public and private use need to be thought through. Lessons should be learnt from the UK’s online-only status checks for (non-Irish) EU residents: they make proof of the right to rent a serious barrier, as private landlords (who are forced to check) prefer paperwork; but, conversely, they give immigrants a significant advantage in finding employment online, where nationals must use paperwork (which they may not have).
The issue of ‘pseudonyms’ needs to be clarified, not least to enable interoperability between those places where everyone has a unique official number and an official name with a single registered address at any one time, and the places with a typical English-speaking laissez-faire environment. Even within Europe there is discrepancy over whether the concern is about alternate names, variants, nicknames, abbreviations, previous names or professional names, or about identifiers that have no association outside a context (such as customer number 56223, local policeman 999, or the person currently standing at some very precise location). The US Federal Government may still be holding out against role-based identifiers (such as ‘Navigating Officer of USS Chesapeake’) because policy relating to attributes such as clearances has not been updated.

The 2007 OECD paper on Personhood noted philosophical differences (comparing Hegel and Locke), and there is a significant difference between the mindsets of US rampant individualism, yet focussed on authorization, and the EU’s socialist yet ‘self-sovereign’ aspirations.

The gory detail of character sets and transliterations will need to be addressed for interoperability to work without opening up an opportunity for fraud or an impediment to anyone without an ASCII name. (The German government has done a thorough analysis and specification, but it may only be available in German. Consistent automated handling of characters such as öøłŵæőÞßçéñ, and many others, is challenging, not least with field length limits.)

Many of the everyday inconveniences blamed on GDPR, particularly its abuse as an excuse for inaction, are not based on what is (still) in the Regulation but rather on an incomplete understanding. Concepts such as a (remote) signature service are not widely known about, let alone seen as relevant. Innovative uses cannot be excluded, although the implications for risk and liability are hard to foresee (or limit).
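As an added illustration of the character-set point above (example code written for this note, not part of the draft or of the German specification it mentions), the following shows three ways non-ASCII names go wrong in naive matching or fixed-width fields: the same name in two Unicode normalization forms, a lossy ASCII fold that makes distinct names collide (a fraud opportunity if treated as a match) or fails outright for letters that have no decomposition, and byte-length truncation that splits a multibyte character. The names and byte limit used are constructed.

```python
import unicodedata


def canonical(name: str) -> str:
    """Canonical form for exact comparison: compose combining marks (NFC)."""
    return unicodedata.normalize("NFC", name)


def strip_marks(name: str) -> str:
    """Lossy ASCII fold: decompose (NFKD) and drop combining marks.
    Letters with no decomposition (ø, ł, Þ, ß, æ) survive untouched,
    so the result is not guaranteed to be ASCII."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def folds_to_ascii(name: str) -> bool:
    """True only if diacritic stripping actually yields an ASCII name."""
    return strip_marks(name).isascii()


def match_class(a: str, b: str) -> str:
    """Classify two recorded names: 'exact' (equal after NFC), 'fold_only'
    (equal only after lossy folding and case folding: ambiguous, so route to
    manual review rather than treating as the same person), or 'different'."""
    if canonical(a) == canonical(b):
        return "exact"
    if strip_marks(a).casefold() == strip_marks(b).casefold():
        return "fold_only"
    return "different"


def byte_truncate(name: str, limit: int) -> str:
    """Naive truncation by byte count, as a legacy field might apply it.
    Cutting inside a multibyte sequence leaves an undecodable tail."""
    return name.encode("utf-8")[:limit].decode("utf-8", errors="replace")


def safe_truncate(name: str, limit: int) -> str:
    """Truncate to at most `limit` bytes without splitting a character:
    back up over UTF-8 continuation bytes (10xxxxxx) to a boundary."""
    data = name.encode("utf-8")
    if len(data) <= limit:
        return name
    cut = limit
    while cut > 0 and (data[cut] & 0xC0) == 0x80:
        cut -= 1
    return data[:cut].decode("utf-8")
```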
There is a common US misperception that GDPR applies to EU citizens, whereas citizenship appears nowhere in the text; the scope is people in Europe, and that is not the equivalent of ‘US persons’.

The eIDAS 2.0 preamble is clear that trust services are “normally provided for remuneration”, i.e. someone is making money out of something for somebody. This will require an associated payment infrastructure (a separate issue from whether the wallet contains cash). Yet, presumably because voters have no enthusiasm to pay for something they did not pay for before, there is also the demand for free ‘non-professional use’ (not yet defined). Tangible benefits are hard to demonstrate online.

Even in England, Qualified electronic signatures are often asserted to have mystical legal powers (such as reversal of the burden of proof) which are not found in the law as enacted. The distinction between e-signatures and e-seals does not align with Japanese usage, UK company seals or Scottish partnerships, so care will be needed to ensure any distinctions are considered, especially where digital signatures are used for both. Permission to enter a building can expire, but if something is required in law to be signed then it is either signed or it is not, and it makes no sense to have a signature timing out.

‘Levels’ have not been resolved, with the new eIDAS preamble indicating muddier waters ahead. The UK was the source of the original OMB levels, of the analysis under STORK of the problems with inconsistencies, of the pressure for definitions based on what was achieved, and, in GPG43/RSDOPS, of an attempted functional distinction. The lesson was that whereas multiple ‘levels’ made sense for separate aspects of security, when it came to evidence no division such as civil (balance of probability) versus criminal (beyond reasonable doubt) could usefully be made for individual items.
Having defined security levels balances the cost of needing to round up against the benefit of common provision, but the fact that integrity and confidentiality levels work in opposite directions makes them hard to define and use. (Copying from high to low is acceptable in one case and problematic in the other.) The only well-defined definitions for levels were log micromorts, but this is not something that politicians are comfortable using.

Although rarely noticed, eIDAS 1.0 put an upper bound of ‘high’ on what can be required by EU public-sector services; otherwise a ‘barrier to trade’ is created. But now we find: “In order to ensure that the data using a qualified electronic registered delivery service is delivered to the correct addressee, qualified electronic registered delivery services should ensure WITH FULL CERTAINTY the identification of the addressee while A HIGH LEVEL OF CONFIDENCE would suffice as regard to the identification of the sender”. What this means in assurance vocabulary is far from obvious.

Outside command economies, relying parties (whether second-party verifiers or third-party analysers of evidence) are treated in very different ways, and this looks to be setting an obstacle course.
• The US (and Australian) line seems to be that these need to abide by (and be shown to abide by) some specified rules. This (for the US) may be justified by the lack of a GDPR and hence the need for a sector-specific approach to handling personal data.
• The EU envisages registration of relying parties, which looks like a barrier to external trade.
• The UK framework has accepted that it is pointless and counterproductive to limit reliance, not least because it is the requirements of (or laid upon) the relying party that are the whole point of the edifice. (You need to check that I am over/under some age and might not be able to do it without my assistance, but I have no inherent desire to claim/assert the attribute. It is for your compliance or due diligence, for which I am not rushing to pay.)
Attributes such as nationality or citizenship rarely have the clear and useful distinction made in Mexico (where you have to be an adult to be a citizen), but these really only have one authoritative source for each value, and the relevant state may be unable or unwilling to participate. A Belgian ID card that states that someone is Canadian is not necessarily useful for asserting Canadian citizenship, but may be evidence that they are not claiming to be Belgian. How could one get an authoritative assertion of being not Chinese (in a country which accepts dual citizenship)?

EU annex item 7, “Educational qualifications, titles and licenses” [these may be in a previous name; the awarding body may not exist, or may have merged with another], would need a way to handle authoritative sources for the information for qualifications gained long ago, although in some cases professional organisations might suffice without expecting something from the awarding body. That would be separate from item 8, “Professional qualifications, titles and licenses” [these too may be in a previous or alternate name]. There are many leading universities that do not provide digital certificates for current graduates, let alone for those who graduated before computers were in widespread use.

There are many pragmatic unilateral trust relationships that will not translate easily into the digital world, e.g. the Philippine requirement for visas for visiting Chinese passport holders unless they already hold a visa from the US, UK, Australia or Schengen (and probably others). Philippine immigration is a legitimate relying party, using paper visas in this way without getting formal approval from any of the bigger players, nor informing them of any cases. The implications of being reliant on markets to deliver should be noted.
The UK and NATO have been able to declare that compliance with NIST standards is sufficient for some applications, but they should never make them mandatory if the US has sole control of what is tested for compliance. US Presidential directives ensure that there is a (large) guaranteed market for compliant products or services. Advice on the pragmatic aspects of certification can be gleaned from interested parties such as Kantara, but note that open source is envisioned by “Member States should disclose the source code of the user application software components of European Digital Identity Wallets”.

After more than a decade, and despite widespread internet use for purchases, the continuing reluctance of the majority of Belgians or Germans to use the available electronic ID even for national applications is a warning that cross-border use is for a small minority, and the emotive universality is arguably overplayed.

To see ourselves as others see us!
It would from many a blunder free us,
And foolish notion

Citizens of countries rarely experience the horrors of the cross-border processes that bewilder foreigners, e.g. the US use of passports from the cheapest supplier, border guards using equipment approved by Canada, a wall to block the tired, poor and huddled masses, and export control that covers information that never leaves the US. The perceptions (even without malicious misinformation) can be more important than the reality, and the damage, e.g. to tourism, should be studied.

The UK may be even weirder, and is not a party to this interaction, but may be a source of warnings as it has overlaps with both camps. E.g. in GB, recent voter ID requirements have discouraged, inconvenienced or disenfranchised voters without solving a problem that didn’t exist, and have diverted attention from areas where ID infrastructure would be useful.

Mark