Internet Society: Cryptocurrency probably not an identity system
ID on a blockchain? Maybe. ID on Bitcoin? Forget it
Too many cryptocurrency people are trying to force-fit blockchain technology into identity solutions, when ID needs its own solutions.
That's the opinion of Steve Wilson of Lockstep Consulting, who this month co-authored a paper on identity for the Internet Society: Do Blockchains Have Anything to Offer Identity? with Steve Olshansky and contributor Robin Wilton, both of the Internet Society.
Speaking to Vulture South, Wilson said while there are plenty of people advocating “put ID on the blockchain” – usually blockchain experts rather than identity specialists – “it's very rare for people to come up with a fully-elaborated use-case for identity”.
A transaction, he said, is single and self-contained: Bitcoin's brilliance was allowing a simple transfer of value between people who may not either know each other, or need to know each other.
In a Bitcoin transaction, identity looks simple: a source wallet and a destination wallet, both of them only identified by a number.
It's never that simple for real humans, Wilson told El Reg: “Identity is not transactional. It's a means to an end, anyway, not the end – it's quite rare for someone to go around identifying themselves all day.”
And that's in spite of a simple truth, that in different circumstances, “Richard Chirgwin” will name not one, but many identities.
“The day in the life of an identity is much more complicated than people think,” he said.
Even “authentication” is multifaceted, he said: “Sometimes you authenticate to register for a service. Other times you authenticate to prove who you are to access the service, or to assert your right to operate a service (for example, the PIN that unlocks a phone)”.
Someone who's identified themselves to their banking application, and who's then authenticated themselves to access the application, might have to re-authenticate for a transaction the bank considers high-risk.
“These things are all slightly different when you give them a squeeze, and it's not clear which of them have a natural fit with the blockchain”, Wilson said.
There's another way in which the cryptocurrency blockchain model is at odds with identity services, Wilson said: the question of mining.
Mining has a specific purpose in Bitcoin and its cryptocurrency cousins: it's the incentive that gets people trying to win the lottery of getting another Bitcoin into circulation.
Leaving aside the question of energy, Wilson said, it was a brilliant conception turned into a dystopia by the mining consortia, “bullies” that distort the system with a concentration of power.
Creating a new identity entry on (say) Bitcoin would incur a mining cost, but that's not the only model available. Wilson mentioned more recent initiatives like Hedera (based on the Hashgraph algorithm, with participants maintaining the ledger for small payments), Vera One (a fee-for-service blockchain that charges a few cents per transaction), and others.
Those models are far more transparent than Bitcoin, he said, another important consideration for identity services.
Any identity service needs to handle a few identity primitives at a minimum: adaptability to different types of transactions involving identity, a proof of identity sufficient for registration, access (that is, “it's me again”), and a permanent (probably PKI-based) signature.
As the paper said, these kinds of requirements are “fundamentally different from that of enterprise IAM [identity and access management], which typically requires much more rigorous key lifecycle management and access controls than public blockchains offer.” ®
Sponsored: Becoming a Pragmatic Security Leader