PDEC's Blog

Peer-to-Peer Trust and Identity

Peer-to-Peer Identity

When no central identity provider or governance agreement is present, participants assert their own identities and each individual decides who they trust and who they do not.  Each participant is a peer with equal standing and each can communicate with anyone else in the network.

Examples:  The most familiar peer-to-peer network is probably e-mail. An internet host can join the e-mail network with little more effort than updating its DNS entry and installing some software.  Once a host has joined the network, individual e-mail addresses are easily created with no requirement for approval by any central authority. This flexibility and ease of account creation helped spur the growth of the internet, but also allows spam marketers to create false emails.

The best known secure peer-to-peer identity networks on the Internet have been implemented using public key cryptography, which allows participants to trust messages sent over insecure channels like email.  Products like PGP and its open source counterpart gpg are the most common implementations of public key messaging tools.

When to Use: No central identity provider is available but network participants can exchange credentials.

Advantages: No dependence on a central identity provider. No formal agreement needed to join the network. Participants can assert any identity that they want. Secure peer-to-peer technologies can provide a high degree of confidence once identities have been exchanged. Peer-to-peer models are very flexible, and can support a wide range of trust policies.

Disadvantages: No governing agreement or requirement to implement any policies. Secure deployment requires a high degree of technical sophistication and active management. Individually verifying each participant can be labor intensive. Tracking identities that have been revoked can be complex and error prone.

Ability to Scale: If security requirements are low, peer-to-peer networks can grow very large because new members can join easily. Higher levels of security can be complex to deploy and operate, and can impose a practical limit on the size of the network.


Centralized Token Issuance, Distributed Enrollment

A special case of the peer-to-peer network. Participants want to establish trusted identities that can be used securely for ongoing, high-value communication among organizations.  A trusted, central provider issues identity tokens which are then enrolled independently by each service provider. Service providers are not required to cooperate or accept one another’s enrollments.

Examples: The most common examples are RSA SecurID and SWIFT 3SKey.  Hardware tokens are issued by a trusted provider and are then used to authenticate individual identities.

Each service will require the user to enroll separately, but once the user has registered they can use the token for future interactions.

When the requester wants to use a service, they’re authenticated using the token.  
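An added sketch of this pattern, not code from any vendor or from the original post: one issuer hands out a token, two services keep separate enrollment tables, and the token only works at the service where it was enrolled. RFC 6238 time-based codes stand in for the proprietary token algorithms; the `Issuer` and `ServiceProvider` classes, the serial number and the account name are constructed for illustration, and having services ask the issuer to validate codes is an assumption.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per code window (assumption, the RFC 6238 default)

def totp(seed: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 code: HOTP (RFC 4226) computed over the time-step counter."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Issuer:
    """Trusted central provider: creates tokens and keeps their seeds."""
    def __init__(self):
        self._seeds = {}
    def issue(self, serial: str) -> bytes:
        seed = secrets.token_bytes(20)
        self._seeds[serial] = seed
        return seed                               # lives inside the hardware token
    def validate(self, serial: str, code: str, now: int) -> bool:
        seed = self._seeds.get(serial)
        return seed is not None and hmac.compare_digest(totp(seed, now), code)

class ServiceProvider:
    """Keeps its own enrollment table; nothing is shared with other services."""
    def __init__(self, name: str, issuer: Issuer):
        self.name, self._issuer, self._enrolled = name, issuer, {}
    def enroll(self, serial: str, local_account: str) -> None:
        # Each service applies its own enrollment requirements before this call.
        self._enrolled[serial] = local_account
    def authenticate(self, serial: str, code: str, now: int):
        account = self._enrolled.get(serial)
        if account is None or not self._issuer.validate(serial, code, now):
            return None                           # not enrolled here, or bad code
        return account

def demo(now: int = 1_700_000_000):
    issuer = Issuer()
    seed = issuer.issue("TKN-0001")               # constructed serial number
    bank, broker = ServiceProvider("bank", issuer), ServiceProvider("broker", issuer)
    bank.enroll("TKN-0001", "alice@bank")         # enrolled at the bank only
    code = totp(seed, now)                        # what the token would display
    return bank.authenticate("TKN-0001", code, now), broker.authenticate("TKN-0001", code, now)
```

`demo()` shows the same valid code accepted by the service that enrolled the token and refused by the one that did not.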

When to Use: Strong authentication across a range of business entities that may have different enrollment requirements.

Advantages: Can provide a high level of identity assurance to institutions spread across legal and national boundaries.

Disadvantages: Can be expensive and complex to implement. Depends upon the existence of a trusted third party who can issue and ensure the security of hardware tokens.  Hardware tokens can be lost.

Ability to Scale: Can scale to large networks.


Pairwise Agreement

Two institutions want to trust identities issued by one another, but there is no outside governance or policy framework for them to do so.  They negotiate a specific agreement that covers only the two of them. Each institution trusts the other to properly manage the identities that it issues.

Examples: A pairwise agreement can specify governance, security and verification policies, or specific technical methods.

Businesses might negotiate pairwise agreements with large suppliers. Educational institutions may craft specific research agreements.

When to Use: Business or institutional partners want to grant one another access to confidential systems or information, but no standard contracts or umbrella organizations exist.

Advantages: Organizations can grant one another access to scarce resources and confidential information.  Highly customized for the specific situation and participants.

Disadvantages: Time consuming and complex to negotiate, expensive.  Difficult to scale.

Ability to Scale: Pairwise federations do not scale well, because each additional party will need to make a custom agreement with every other party.

Three Party Model

A trusted third party provides identities to both the requester and service provider. In order to interact with one another, both must agree to trust the same identity provider.

Examples: Google, Facebook, American Express, PayPal, Amazon, iTunes App Store


There are two broad types of Three Party Model. If one (or both) of the parties insists on a particular identity provider, we refer to it as a Winner Take All network because other identity providers are locked out. If only technical methods are specified and the requester is free to specify any identity provider they like, we refer to it as a Bring Your Own Identity network.

When to Use: An identity provider may choose to offer a three party model when it can provide identities more efficiently than the requester or service provider can on their own.  Requesters and service providers may choose to implement a three party network for access to an existing market.

Advantages: Separates identity management from the service being provided. In cases where a shared third party is available, this model simplifies the process of exchanging trusted identities.  Malicious actors can be identified and isolated from the entire network.  Requesters can use a single identity with many service providers, and service providers can trust requesters without having to verify each one.

Disadvantages: Because participants can only interact if they have been authenticated by a single identity provider, that provider wields substantial power.  The identity provider effectively controls the requester’s ability to use services and the services’ ability to work with requesters.

For instance, a requester who loses their account with the identity provider also loses all of the services where they used that identity. If you use your Facebook account to sign in to other products, then you also lose those other products if your Facebook account is closed.

Ability to Scale: Very difficult to get started because a three party network is not interesting to service providers until it has users, but only attracts users if it has interesting services.  Once it is established and functioning, however, a successful three party network can grow extremely large.