There's a lot to unpack here: the certificate issue is especially interesting. One problem with any "solution" is that it assumes the "owner" of the transaction is still around, e.g. to re-sign it. Relying on the signature of the transaction to see if it's valid or not, vs. the fact that it is in the blockchain and part of the shared truth, is problematic. The rules around what is in the blockchain and what it means need to be decided, e.g. does stuff simply need to exist in it, or does it STILL have to have a valid signature? (Which will inevitably fail unless the signatures have no expiry, but there is a lot of transient data that expires, so maybe data with expired signatures is fine; it all depends on your business/technical system.)
As far as immutability goes it is simple: data in the blockchain is either immutable, or it isn't. If it isn't it becomes hard to trust the data. Also it's important to remember you can have immutable data but mutable state, e.g. your bank doesn't simply change transactions if something goes wrong, they do a corrective transaction. The other benefit of this is you can recreate state for any point in time.
------------------------------
Kurt Seifried
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance
[email protected]
------------------------------
Original Message:
Sent: Jul 13, 2020 07:29:29 AM
From: Carlos Dominguez
Subject: Decentralized Identity
Certificate revocation is usually a thorny process which is made more difficult with decentralized solutions. It is not surprising that identity solutions using blockchain data structures for transactions will have a challenge due to immutability. Any blockchain using the UTXO model for keeping state will have challenges reconciling old transactions signed with a revoked certificate. The answer to the challenge for private/permissioned DLTs is not technical but governance related: have the transaction participants agree to recreate old states using new certificates, which still leaves the old invalid states in the chain. The governance workaround for certificate revocation may not be workable in the decentralized identity context.
Accenture has a patent for an editable blockchain which was not well received at the time. An editable blockchain solves data management challenges by creating other challenges with trust, so immutability remains a design goal for all blockchains as a foundation for trust.
------------------------------
Carlos Dominguez CISSP, CISA, SABSA SCF
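The following is an added illustration, not code from this thread, the CSA, or any of the participants. It models Carlos's scenario of old transactions signed with a certificate that has since been revoked, and Kurt's two points: whether an entry must have been valid when it was appended or must STILL be valid today, and keeping the data immutable while state is corrected by new entries and rebuilt for any point in time. Everything in it is constructed: the key records, timestamps and balances are made up, and HMAC-SHA256 stands in for a real signature scheme so that the script runs offline.

```python
"""Constructed append-only ledger: signature-validity policy vs. point-in-time state.

HMAC-SHA256 stands in for a real signature scheme so this runs offline;
the policy logic is the point, not the primitive.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS = "0" * 64


@dataclass
class KeyRecord:
    """A signing credential with a validity window and optional revocation."""
    key_id: str
    secret: bytes                  # stand-in for a private key
    valid_from: int                # unix seconds, inclusive
    valid_until: int               # unix seconds, exclusive
    revoked_at: Optional[int] = None

    def usable_at(self, t: int) -> bool:
        in_window = self.valid_from <= t < self.valid_until
        not_revoked = self.revoked_at is None or t < self.revoked_at
        return in_window and not_revoked


@dataclass
class Entry:
    seq: int
    ts: int
    key_id: str
    account: str
    delta: int                     # a negative delta is a corrective entry
    prev_hash: str
    sig: str = ""
    hash: str = ""


def _body(e: Entry) -> bytes:
    return f"{e.seq}|{e.ts}|{e.key_id}|{e.account}|{e.delta}|{e.prev_hash}".encode()


def _sign(secret: bytes, e: Entry) -> str:
    return hmac.new(secret, _body(e), hashlib.sha256).hexdigest()


def _entry_hash(e: Entry) -> str:
    return hashlib.sha256(_body(e) + e.sig.encode()).hexdigest()


class Ledger:
    def __init__(self, keys: List[KeyRecord]):
        self.keys: Dict[str, KeyRecord] = {k.key_id: k for k in keys}
        self.entries: List[Entry] = []

    def append(self, ts: int, key_id: str, account: str, delta: int) -> Entry:
        """Append only; refuses a key that is expired or revoked at time ts."""
        key = self.keys[key_id]
        if not key.usable_at(ts):
            raise ValueError(f"key {key_id} not usable at t={ts}")
        prev = self.entries[-1].hash if self.entries else GENESIS
        e = Entry(len(self.entries), ts, key_id, account, delta, prev)
        e.sig = _sign(key.secret, e)
        e.hash = _entry_hash(e)
        self.entries.append(e)
        return e

    def verify(self, policy: str, now: int) -> List[int]:
        """Return seq numbers failing under 'at_inclusion' or 'still_valid_now'."""
        bad, prev = [], GENESIS
        for e in self.entries:
            key = self.keys[e.key_id]
            sig_ok = hmac.compare_digest(e.sig, _sign(key.secret, e))
            recomputed = _entry_hash(e)
            chain_ok = e.prev_hash == prev and e.hash == recomputed
            if policy == "at_inclusion":
                key_ok = key.usable_at(e.ts)     # key was valid when appended
            elif policy == "still_valid_now":
                key_ok = key.usable_at(now)      # key must still be valid today
            else:
                raise ValueError(f"unknown policy {policy}")
            if not (sig_ok and chain_ok and key_ok):
                bad.append(e.seq)
            prev = recomputed                     # any edit propagates forward
        return bad

    def state_at(self, t: int) -> Dict[str, int]:
        """Rebuild balances by replaying every entry with ts <= t."""
        balances: Dict[str, int] = {}
        for e in self.entries:
            if e.ts > t:
                break
            balances[e.account] = balances.get(e.account, 0) + e.delta
        return balances


def demo() -> Ledger:
    # Constructed keys: k-old is revoked at t=500, k-new takes over from t=400.
    k_old = KeyRecord("k-old", b"old-secret", 0, 1000, revoked_at=500)
    k_new = KeyRecord("k-new", b"new-secret", 400, 2000)
    led = Ledger([k_old, k_new])
    led.append(100, "k-old", "alice", 50)
    led.append(200, "k-old", "alice", 30)    # later found to be wrong
    led.append(600, "k-new", "alice", -30)   # corrective entry; seq 1 is never edited
    return led
```

Under the `at_inclusion` policy the whole chain verifies even though `k-old` was later revoked; under `still_valid_now` the two entries signed with `k-old` fail, which is exactly the "inevitably fails unless signatures have no expiry" outcome. The erroneous entry stays in the ledger and the corrective entry at t=600 fixes the balance, so `state_at(250)` and `state_at(700)` give the pre- and post-correction state from the same immutable data.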
Original Message:
Sent: Jul 10, 2020 09:58:50 AM
From: Kurt Seifried
Subject: Decentralized Identity
Sadly one key takeaway: certificate revocation is still a mess and unsolved in 2020 (for values of "has privacy, reliability, security, scalability, etc."). Also I appreciate how they explicitly call out patent free, royalty free and free to implement.
------------------------------
Kurt Seifried
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance
[email protected]
Original Message:
Sent: Jul 10, 2020 07:54:53 AM
From: Carlos Dominguez
Subject: Decentralized Identity
This is what DHS presented in the IdentityNorth2020 event (see file). It provides some background for the RFP. I found it interesting.
------------------------------
Carlos Dominguez CISSP, CISA, SABSA SCF
Original Message:
Sent: Jul 09, 2020 07:45:17 AM
From: Kurt Seifried
Subject: Decentralized Identity
A related note is NIST "Digital Identity Guidelines" with more info at:
------------------------------
Kurt Seifried
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance
[email protected]
Original Message:
Sent: Jul 06, 2020 04:03:01 PM
From: Ken Huang
Subject: Decentralized Identity
All:
DHS has recently released an RFP for Decentralized Identity and Security,
https://www.dhs.gov/science-and-technology/news/2020/06/22/news-release-st-opens-second-solicitation-prevent-forgery-certificates-licenses
I just saw this today and although I am very interested in submitting a bid, timewise, it will not work. If anyone from this Circle is planning to submit a bid and would like security and architecture inputs and review, please do let me know. We will certainly be glad to help.
Thanks
------------------------------
Ken Huang, Chair, Blockchain Security Working Group, CSA GC
------------------------------