https://ssimeetup.org/indirect-identity-control-delegation-guardianship-controllership-daniel-hardman-webinar-33/
Daniel Hardman, Chief Architect, Evernym / Secretary, Technical Governance Board – Sovrin Foundation, will compare and contrast three forms of indirect identity control that have much in common and that should be explored together: delegation, guardianship, and controllership.
Daniel will recommend mechanisms that allow identity technology to model each with flexibility, precision, and safety. These recommendations can be applied to many decentralized identity and credentialing ecosystems.
Daniel has been a software engineer, architect, and dev leader for a quarter century, much of it intersecting with the fields of cybersecurity and digital identity. He developed the original specs for Hyperledger Indy’s SDK, and has contributed code or guidance to most of the Indy codebases. He writes regularly on identity topics. He’s also worked in machine learning/AI, supercomputers, public and private cloud, big data, SaaS, and enterprise software, and he’s founded and sold a dot com. He has graduate degrees in computational linguistics and business. He currently serves as the secretary for the Technical Governance Board of the Sovrin Foundation.
Indirect Identity Control: delegation, guardianship, and controllership – Daniel Hardman
1. Indirect Identity Control
delegation, guardianship, and controllership
Daniel Hardman, July 2019
ssimeetup.org · CC BY-SA 4.0 International theme: Silvia, by SlidesCarnival.com
2. SSIMeetup objectives
1. Empower global SSI communities
2. Open to everyone interested in SSI
3. All content is shared with CC BY SA
Alex Preukschat @SSIMeetup @AlexPreukschat
Coordinating Node SSIMeetup.org
3. Sources
● These slides: http://bit.ly/2YczZzP
● Indirect Identity Control RFC: http://bit.ly/aries-rfc-103
● Appendix C of Sovrin Glossary: http://bit.ly/svrnglos-appC
● Sovrin Guardianship Task Force: http://bit.ly/svrn-guard-tf
4. Guardianship, delegation, controllership
See Appendix C of the Sovrin Glossary: http://bit.ly/svrnglos-appC
6. Delegation
A corporation is governed by a Board of Directors, executives, and employees with multiple levels of delegated authority. The control relationships are dynamic and complex.
7. Guardianship
Parents typically manage the identities of their young children. Adult children may need to exercise the identity of a parent with dementia, or of a parent who recently passed away.
8. Controllership
A self-driving car may be capable of many independent actions, but behind such a smart device must be a human entity that takes legal responsibility. A pet needs a proxy because it can’t be self-sovereign.
9. Formal Work on Use Cases
◦ Mya (orphan girl in refugee camp)
◦ Patrick (father with family after hurricane destroys home; no digital access)
◦ Tom (homeless, mentally ill, drug addict)
◦ Gayle (elderly, has moderate autonomy, needs digital assistance)
◦ Sofia (trail runner disappears in the mountains)
◦ Rover (pet dog)
◦ Unprofitable, Inc (company in receivership)
◦ Hertz and Dave (rents car, gets delegated authority)
See “Persona and User Stories” at http://bit.ly/2GnRtTq
10. Guardianship: internal risk is pivotal
In SSI, risk mostly comes from external attacks. But guardianship isn’t self-sovereign, by definition. Guardians are an internal risk to dependents who can’t manage keys or advocate/defend.
Pure crypto and cybersecurity don’t prevent abuse. Protections must come from elsewhere.
11. Moments of risk
◦ When a transition happens
  ◦ Should it be happening now?
  ◦ Are the right people giving and getting the baton?
  ◦ Are the conditions, limits, and safeguards understood, evaluated, and honored?
◦ When a constraint needs to be enforced
  ◦ Is there a limit on the time, place, or circumstances of guardianship?
◦ When stakes are high
Risk exists constantly; these are just hot spots. Small, incremental actions away from these hot spots can change the evaluation at key moments.
12. Who appoints a guardian
1. Dependent (“while I’m unconscious during surgery, Alice is my guardian”)
2. Legal authority (Court makes adult child a guardian for their parent with Alzheimer’s)
3. Self (girl wanders from jungle into refugee camp; lacking options, camp appoints itself)
4. Circumstances (parent or pet owner; implicit)
These methods do not carry equal trust, and they are not equally formal.
13. Evaluating conflicting guardianship assertions
Deciding who is the “proper” guardian requires human judgment.
The process may use credentials, but that’s not all it will use.
NGO: “I’m the guardian of Mya. Here’s my self-attested guardian cred.”
Fim (dad?): “No, I’m the guardian of Mya. Here’s Mya’s birth cert with my name on it.”
Ana (mom?): “No, I’m the guardian of Mya. Here’s Mya’s ration card with her photo.”
Court: “No, Ana is the guardian of Mya. Fim’s parental rights were terminated.”
Sometimes the proper guardian isn’t available, so we choose the best available alternative.
14. Limits on guardians
1. Time (for what period(s) guardian has that status)
2. Place (in what physical or virtual locations guardian is valid)
3. Function (legal vs. medical vs. educational)
4. Circumstances (for particular event(s))
5. Biometrics (for dependent involvement)
6. Relationships (who guardian can connect to)
7. Attributes (data/credentials -- what guardian can prove)
8. Agents (what software/devices guardian can use)
9. Cooperation (with joint approval)
10. Oversight (audit trail, reporting)
15. “All of these forms of identity control share the issue of indirectness. All of them introduce risks beyond the ones that dominate in direct identity management. All of them complicate information flows and behavior. And they are inter-related; guardians and controllers often need to delegate, delegates may become controllers, and so forth. The solutions for each ought to have much in common, too.”
16. Common Solution Elements
A proxy trust framework that specifies the rules and conventions in force for a particular class of indirect identity control use cases.
A proxy credential that binds a controlled entity to its proxy and clarifies the nature and limits of the control for that specific relationship.
A proxy challenge that evaluates the proxy credential in a particular context, proving or disproving the legitimacy of indirect control and creating opportunities for auditing and enforcement.
17. Questions a trust framework answers
◦ What is its formal name and version?
◦ In what geos and legal jurisdictions is it valid?
◦ What are required or recommended behaviors, and how are they enforced?
◦ On what bases are proxies appointed? kinship, court_order, self_assigned...
◦ What are possible permissions of a proxy? financial, medical, travel, relationships, admin...
◦ What are possible constraints on a proxy’s scope? geo_radius, jurisdiction, biometric_freshness...
◦ What auditing mechanisms are required or supported?
◦ What appeal mechanisms are required or supported?
◦ What proxy challenge procedures are best practice?
◦ What freshness rules are used for offline mode?
⇨ Example at http://bit.ly/2YsZ7b7
18. Preparing to issue a proxy credential
Dependent
◦ Answers to name: Mya
◦ Gender: Female
◦ Birthdate: 2014-01-01
◦ Identifying marks: birthmark left shoulder, long scar above left wrist
Guardian 1
◦ Answers to name: Zo
◦ Gender: Female
◦ Birthdate: 1953-01-01
◦ Identifying marks: arthritis, misshapen knuckles, both hands
20. Grandma’s credential
trustFramework: http://unicef.org/tf/camptf/1.0
auditURI: http://myanmar.gov/oversight
appealURI: http://myanmar.gov/arbitration
credentialSubject:
  holder:
    basisURI: http://unicef.org/tf/camptf/1.0/grandparent
    role: kin
    name: Zo
    birthDate: 1953-01-01
    gender: F
    identifyingMarks: arthritis, misshapen knuckles, both hands
    photo: (image)
  constraints:
    boundaries: <blank>
    circumstances: <blank>
  permissions: (same as UNICEF’s)
    [
      {"let": "kin", "do": ["medical", "school", "food"]},
      {"let": "camp", "do": ["school", "food", "delegate"]},
      {"let": {"n": 2, "of": ["kin", "camp"]}, "do": ["unenroll", "travel"]}
    ]
  proxied:
    photo: (image)
    name: Mya
    birthDate: 2014-01-01
    gender: F
    identifyingMarks: birthmark left shoulder, long scar above left wrist
…(metadata not shown)…
21. Proxy Challenge (food tent)
Dependent
◦ ✔ Answers to name: Mya
◦ ✔ Gender: Female
◦ ✔ Age: about 6
◦ ✔ Looks like this?
◦ Show more ways to check...
Guardian
◦ ✔ Answers to name: Zo
◦ ✔ Gender: Female
◦ ✔ Looks like this?
◦ Show more ways to check...
Permissions and constraints
◦ ✔ Has ‘food’ permission for dependent
◦ ✔ No constraints
22. Proxy Challenge (travel)
Dependent
◦ ✔ Answers to name: Ri
◦ ✔ Gender: Female
◦ ✔ Age: about 6
◦ ✔ Looks like this?
◦ Show more ways to check...
Guardian
◦ ✔ Answers to name: Kapa
◦ ✔ Gender: Female
◦ ✔ Looks like this?
◦ Show more ways to check...
Permissions and constraints
◦ ✘ Has ‘travel’ permission for dependent when acting jointly with another guardian with role “camp”: Add guardian...
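The two challenges above show the same permission list producing a pass (food, one guardian with role kin) and a refusal (travel, which the credential grants only to 2 of {kin, camp}). The block below is an added example, not code from the talk or from Aries RFC 103: the permission JSON is copied from the Grandma’s-credential slide, while the default-deny evaluation, the rule that an n-of clause counts distinct roles only, and the helper that names the missing role are this example’s own assumptions.

```python
"""Evaluate a proxy credential's permissions at a proxy challenge.

Added example. Only the permission JSON comes from the slides; the
evaluation logic and the roles presented at the challenge are assumptions.
"""
import json

# Permission list exactly as shown on the "Grandma's credential" slide.
PERMISSIONS_JSON = """
[
  {"let": "kin",  "do": ["medical", "school", "food"]},
  {"let": "camp", "do": ["school", "food", "delegate"]},
  {"let": {"n": 2, "of": ["kin", "camp"]}, "do": ["unenroll", "travel"]}
]
"""
PERMISSIONS = json.loads(PERMISSIONS_JSON)


def _rule_satisfied(let, present_roles):
    """Return True if the guardians present satisfy one 'let' clause.

    A bare string names a single role that must be present. An object
    {"n": k, "of": [...]} requires at least k *distinct* roles from the
    list; one guardian holding one role can never count twice, which is
    what makes joint approval a real safeguard rather than a formality.
    """
    if isinstance(let, str):
        return let in present_roles
    if isinstance(let, dict):
        needed = int(let["n"])
        eligible = {r for r in let.get("of", []) if r in present_roles}
        return len(eligible) >= needed
    raise ValueError(f"malformed 'let' clause: {let!r}")


def authorized(permissions, present_roles, action):
    """Decide whether the guardians present may perform `action`.

    Default deny: an action that no matching rule grants is refused.
    `present_roles` holds the roles asserted by the guardians whose proxy
    credentials already passed the identity checks of the challenge.
    """
    present = set(present_roles)
    for rule in permissions:
        if action in rule.get("do", []) and _rule_satisfied(rule["let"], present):
            return True
    return False


def missing_for(permissions, present_roles, action):
    """Explain a refusal: roles that could still be added to grant `action`.

    Returns a sorted list of role names (the slide's "Add guardian...").
    Empty if the action is already authorized or no rule can ever grant it.
    """
    present = set(present_roles)
    if authorized(permissions, present, action):
        return []
    candidates = set()
    for rule in permissions:
        if action not in rule.get("do", []):
            continue
        let = rule["let"]
        if isinstance(let, str):
            candidates.add(let)
        else:
            candidates.update(r for r in let.get("of", []) if r not in present)
    return sorted(candidates)


if __name__ == "__main__":
    # Food tent: Grandma Zo (role 'kin') alone is enough.
    print("food, kin alone:   ", authorized(PERMISSIONS, {"kin"}, "food"))
    # Travel: needs 2 of {kin, camp}; a single guardian is refused ...
    print("travel, kin alone: ", authorized(PERMISSIONS, {"kin"}, "travel"))
    print("  add guardian with role:", missing_for(PERMISSIONS, {"kin"}, "travel"))
    # ... and two distinct roles acting jointly succeed.
    print("travel, kin + camp:", authorized(PERMISSIONS, {"kin", "camp"}, "travel"))
```

The refusal path matters as much as the grant: a verifier at the travel checkpoint can tell Kapa which second role is required without revealing anything else about the credential, and an auditor reading the challenge log sees exactly which rule was (or was not) satisfied.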
23. Questions?
● These slides: http://bit.ly/2YczZzP
● Indirect Identity Control RFC: http://bit.ly/aries-rfc-103
● Appendix C of Sovrin Glossary: http://bit.ly/svrnglos-appC
● Sovrin Guardianship Task Force: http://bit.ly/svrn-guard-tf
● daniel.hardman@evernym.com
● @danielhardman on chat.hyperledger.org
25. Transparent vs. opaque guardians
Transparent
◦ Guardian is obvious in all or most interactions.
◦ May be necessary to improve safety.
◦ Easy to audit.
◦ Less private for dependent and for guardian.
Examples: Rover (pet). Unprofitable, Inc. Law firm resolving affairs of someone recently deceased. Talent agent for child pop star.
Opaque
◦ Guardian impersonates dependent.
◦ May be necessary to prevent discrimination and hassle.
◦ Riskier to dependent and relying parties. Limited auditability.
◦ More private for dependent and for guardian.
Examples: Gayle (digital assistance). Parent gives adult child password, asks them to transfer funds on their death to avoid probate court.
26. Modes of Guardianship
Holding-based
Dependent doesn’t have DIDs or a link secret, but credentials about the dependent are held by the guardian. Guaranteed to be transparent because subject of credential is never the holder.
Impersonation-based
Dependent has a link secret that guardian knows. Credentials can be issued where dependent = subject, but creds are held by Guardian. DIDs and DID Docs can be created by guardian using dependent’s link secret. Opaque unless forced into transparency.
Doc-based
Guardianship declared in DIDDoc to force transparency.
27. Holding-Based Guardianship
◦ Exists implicitly (parent holding a birth certificate, owner holding pet license)
◦ Can be supplemented with an explicit guardianship credential
◦ Guardianship challenge can be answered with either explicit or implicit proof
◦ Diffuse trust may be partly forced (e.g., both parents must consent)
◦ Implicit creds as a basis introduce revocation problems
  ◦ Birth certificate may not be revoked if parental rights are terminated
  ◦ Pet license may not be revoked when dog is sold
28. Impersonation-based Guardianship
◦ Can be supplemented with an explicit guardianship credential
◦ Age proofs can force a guardian to break impersonation and share this - improves safety!
  ◦ So can biometrics
  ◦ Not dangerous for controllership or delegation
  ◦ Adult dependents without biometrics have no real protections
◦ Revocation is a problem -- must be done in every relationship
  ◦ Use agent authz policy to prevent new relationships from forming?
Easy and doable today. Dangerous. Safeguards may need to be much higher in trust framework (frequent challenges, biometrics required, etc.)
29. Doc-Based Guardianship
DID Doc of Dependent:
{
  "authorization": [
    {"let": "#1", "do": "cred"}
  ]
}
DID Doc for dependent declares a key that belongs to guardian and says, “Do guardianship challenge to evaluate authorization.” Do a guardianship challenge to find out what they can do.
Issue: must be done in every DID Doc (good and bad)
30. Guardians often need to delegate
◦ Red Cross delegates work, some decisions for Mya to 1+ aid workers
◦ Parent delegates to babysitter while they’re out of town
◦ Mom delegates digital assistance for grandma to teen
Solution: delegatable credentials
31. Offline operation
◦ Cached versions of trust framework and well-known schemas, cred defs, issuers
◦ How fresh is guardianship challenge?
◦ Evaluate conflicting guardianship assertions without appeal or research
◦ Save up audit reports for batch upload later
◦ Freshness of DID Doc knowledge
32. Revoking guardianship
Revoking guardianship cred can be done today, quickly and efficiently. Won’t be detected until next guardianship challenge.
33. Basis
◦ Basis for controllership could include:
  ◦ ownership
  ◦ delegation from owner
  ◦ court-appointed
◦ Basis for delegation is always someone who is in control
  ◦ Identity owner
  ◦ Controller
  ◦ Guardian
  ◦ Delegate
34. Delegatable Credentials
Hertz, Inc owns a car and, on the basis of that car, is its controller. Delegates limited controllership to a local Hertz franchise. Fred rents the car and receives delegated credential to control in more limited fashion. Fred drives the car to a fancy restaurant and delegates even more limited controllership to valet parking.
Hertz Inc ⇶ franchise ⇉ Fred → valet
Each cred contains pre-proof of delegation. Validating requires checking revocation status for each link on ledger, but no coordination among delegates.
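The slide states the two properties a verifier relies on: every credential in the chain points back at the one it was delegated from, and each link is checked for revocation on the ledger without the delegates having to coordinate. The block below is an added example, not Indy/Aries code or its wire format: the credential fields, the in-memory stand-in for the ledger, the rule that a delegate’s permissions must be a subset of the delegator’s, and the Hertz ⇶ franchise ⇉ Fred → valet sample data are this example’s own assumptions.

```python
"""Validate a chain of delegatable credentials back to the controller.

Added example. Each credential records `delegated_from` (standing in for the
slide's "pre-proof of delegation"); the verifier walks that pointer to the
root, checking revocation of every link and refusing any link that widens
authority. Data format and ledger stand-in are assumptions, not Indy/Aries.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DelegatableCred:
    cred_id: str
    holder: str                    # who may act on this credential
    issuer: str                    # who delegated (must hold the parent cred)
    permissions: frozenset         # what the holder may do with the car
    delegated_from: Optional[str]  # parent cred_id; None at the controller's root


class Ledger:
    """Constructed stand-in for a ledger: credential lookup + revocation registry."""

    def __init__(self, creds, revoked=()):
        self.creds = {c.cred_id: c for c in creds}
        self.revoked = set(revoked)

    def get(self, cred_id):
        return self.creds.get(cred_id)

    def is_revoked(self, cred_id):
        return cred_id in self.revoked


def validate_chain(ledger, leaf_id, root_controller, max_depth=16):
    """Return (ok, reason); ok is True only if every link in the chain is sound."""
    seen = set()
    cred = ledger.get(leaf_id)
    if cred is None:
        return False, f"unknown credential {leaf_id}"
    while True:
        if cred.cred_id in seen:
            return False, f"cycle at {cred.cred_id}"
        seen.add(cred.cred_id)
        if len(seen) > max_depth:
            return False, "chain too long"
        # Each link is checked on the ledger on its own; delegates need not coordinate.
        if ledger.is_revoked(cred.cred_id):
            return False, f"{cred.cred_id} is revoked"
        if cred.delegated_from is None:
            # Root of the chain: the controller acting on its own basis (ownership).
            if cred.issuer != root_controller or cred.holder != root_controller:
                return False, f"root {cred.cred_id} not self-issued by {root_controller}"
            return True, "ok"
        parent = ledger.get(cred.delegated_from)
        if parent is None:
            return False, f"{cred.cred_id} points at unknown parent {cred.delegated_from}"
        # Only the holder of the parent credential may delegate from it.
        if cred.issuer != parent.holder:
            return False, (f"{cred.cred_id} issued by {cred.issuer}, "
                           f"but parent is held by {parent.holder}")
        # Authority may narrow at each hop, never widen.
        if not cred.permissions <= parent.permissions:
            extra = sorted(cred.permissions - parent.permissions)
            return False, f"{cred.cred_id} widens authority: {extra}"
        cred = parent


def hertz_chain():
    """Constructed sample data for the slide's story (permission names are invented)."""
    everything = frozenset({"drive", "park", "refuel", "rent_out", "sell", "service"})
    return [
        DelegatableCred("c-hertz", "Hertz Inc", "Hertz Inc", everything, None),
        DelegatableCred("c-franchise", "Hertz Franchise", "Hertz Inc",
                        everything - {"sell"}, "c-hertz"),
        DelegatableCred("c-fred", "Fred", "Hertz Franchise",
                        frozenset({"drive", "park", "refuel"}), "c-franchise"),
        DelegatableCred("c-valet", "Valet", "Fred", frozenset({"park"}), "c-fred"),
    ]


if __name__ == "__main__":
    print(validate_chain(Ledger(hertz_chain()), "c-valet", "Hertz Inc"))
    # Revoking the franchise's credential invalidates everything delegated below it.
    print(validate_chain(Ledger(hertz_chain(), revoked={"c-franchise"}), "c-valet", "Hertz Inc"))
```

Because the walk consults the revocation registry at every hop, revoking the franchise’s credential silently invalidates Fred’s and the valet’s without anyone notifying them, which is the property the slide claims; it also illustrates the earlier point that a revocation is only noticed at the next challenge, since nothing here runs until a verifier asks.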