Blockchain/ Distributed Ledger

  • 1.  Decentralized Identity

    Posted Jul 06, 2020 04:03:00 PM
    Edited by Ken Huang Jul 06, 2020 04:24:28 PM
    All:

    DHS has recently released an RFP for Decentralized Identity and Security:

    https://www.dhs.gov/science-and-technology/news/2020/06/22/news-release-st-opens-second-solicitation-prevent-forgery-certificates-licenses

    I just saw this today and although I am very interested in submitting a bid, timewise, it will not work. If anyone from this Circle is planning to submit a bid and would like security and architecture inputs and review, please do let me know. We will certainly be glad to help.

    Thanks



    ------------------------------
    Ken Huang , Chair, Blockchain Security Working Group, CSA GC
    ------------------------------


  • 2.  RE: Decentralized Identity

    Posted Jul 09, 2020 07:45:00 AM
    A related note is NIST "Digital Identity Guidelines" with more info at:

    SP 800-63-3 Digital Identity Guidelines https://doi.org/10.6028/NIST.SP.800-63-3
    SP 800-63A Enrollment and Identity Proofing https://doi.org/10.6028/NIST.SP.800-63a
    SP 800-63B Authentication and Lifecycle Management https://doi.org/10.6028/NIST.SP.800-63b
    SP 800-63C Federation and Assertions https://doi.org/10.6028/NIST.SP.800-63c


    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    ------------------------------



  • 3.  RE: Decentralized Identity

    Posted Jul 10, 2020 07:55:00 AM
    This is what DHS presented in the IdentityNorth2020 event (see file). It provides some background for the RFP. I found it interesting.

    ------------------------------
    Carlos Dominguez CISSP, CISA, SABSA SCF
    ------------------------------




  • 4.  RE: Decentralized Identity

    Posted Jul 10, 2020 09:59:00 AM
    Sadly, one key takeaway: certificate revocation is still a mess and unsolved in 2020 (for values of "has privacy, reliability, security, scalability, etc."). Also, I appreciate how they explicitly call out patent free, royalty free and free to implement.

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    ------------------------------



  • 5.  RE: Decentralized Identity

    Posted Jul 13, 2020 07:29:00 AM
    Certificate revocation is usually a thorny process, which is made more difficult with decentralized solutions. It is not surprising that identity solutions using blockchain data structures for transactions will have a challenge due to immutability. Any blockchain using the UTXO model for keeping state will have challenges reconciling old transactions signed with a revoked certificate. The answer to the challenge for private/permissioned DLTs is not technical but governance related: have the transaction participants agree to recreate old states using new certificates, which still leaves the old invalid states in the chain. The governance workaround for certificate revocation may not be workable in the decentralized identity context.

    Accenture has a patent for an editable blockchain which was not well received at the time. An editable blockchain solves data management challenges by creating other challenges with trust, so immutability remains a design goal for all blockchains as a foundation for trust.

    ------------------------------
    Carlos Dominguez CISSP, CISA, SABSA SCF
    ------------------------------



  • 6.  RE: Decentralized Identity

    Posted Jul 13, 2020 11:29:00 AM
    There's a lot to unpack here: the certificate issue is especially interesting. One problem with any "solution" is that it assumes the "owner" of the transaction is still around, e.g. to re-sign it. Relying on the signature of the transaction to see if it's valid or not, vs. the fact that it is in the blockchain and part of the shared truth, is problematic. The rules around what is in the blockchain and what it means need to be decided, e.g. does stuff simply need to exist in it, or does it STILL have to have a valid signature? (Which will inevitably fail unless the signatures have no expiry, but there is a lot of transient data that expires, so maybe data with expired signatures is fine; it all depends on your business/technical system.)

    As far as immutability goes, it is simple: data in the blockchain is either immutable, or it isn't. If it isn't, it becomes hard to trust the data. Also, it's important to remember you can have immutable data but mutable state, e.g. your bank doesn't simply change transactions if something goes wrong; they do a corrective transaction. The other benefit of this is you can recreate state for any point in time.

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    ------------------------------
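The two points raised in posts 5 and 6 (a revoked signer's old entries staying in the chain, and "immutable data but mutable state" rebuilt by replay and corrective transactions) can be shown with a toy hash-chained ledger. This is an added example, not code from the thread or from any DHS or CSA project; the entry types, the "inclusion" vs "current" validity rules and the sample history are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64

def entry_hash(prev_hash, entry):
    # Chain each entry to its predecessor so a silent edit of old data is detectable
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

class Ledger:
    def __init__(self):
        self.entries = []        # append-only: entries are never rewritten
        self.hashes = [GENESIS]

    def append(self, entry):
        self.entries.append(entry)
        self.hashes.append(entry_hash(self.hashes[-1], entry))

    def verify_chain(self):
        h = GENESIS
        for entry, expected in zip(self.entries, self.hashes[1:]):
            h = entry_hash(h, entry)
            if h != expected:
                return False
        return True

    def revoked_before(self, height):
        return {e["signer"] for e in self.entries[:height] if e["type"] == "revoke"}

    def state_at(self, height, rule="inclusion"):
        """Rebuild balances from entries[:height]; state is derived, data untouched.
        'inclusion': an entry counts if its signer was unrevoked when it was appended.
        'current':   an entry counts only if its signer is still unrevoked at height."""
        balances, now_revoked = {}, self.revoked_before(height)
        for i, e in enumerate(self.entries[:height]):
            if e["type"] == "revoke":
                continue
            revoked = now_revoked if rule == "current" else self.revoked_before(i)
            if e["signer"] in revoked:
                continue
            sign = 1 if e["type"] == "credit" else -1   # "correction" reverses, never edits
            balances[e["account"]] = balances.get(e["account"], 0) + sign * e["amount"]
        return balances

def demo():
    # Constructed sample history: a credit, a mistaken credit plus its corrective
    # transaction, then revocation of the first signer's certificate.
    led = Ledger()
    led.append({"type": "credit", "account": "acct-1", "amount": 100, "signer": "alice"})
    led.append({"type": "credit", "account": "acct-1", "amount": 30, "signer": "bob"})
    led.append({"type": "correction", "account": "acct-1", "amount": 30, "signer": "bob"})
    led.append({"type": "revoke", "signer": "alice"})
    return led
```

Replaying with `rule="current"` drops alice's old credit after her revocation, while `rule="inclusion"` keeps it; which rule a system wants is exactly the governance decision the thread describes.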