
Phil Wolff Digital identity is a bunch of ideas and tools that technologists use to answer rude questions. Like, “Who are you?” “Can you prove it?” “Why should I trust you?” “Are you old enough?” “Is this yours?” “Can you keep a secret?”
People have been working on identity for a long time, even before computing. And we’re still evolving new identity technologies for a tomorrow where there is more of all things digital. So widerfolk Michael Shea, Damian Glover, and Phil Wolff are talking about where this is going.
This week, we’re talking about some of the prerequisites for high assurance digital identity (HADI) for the Internet of Things (IoT). We wanted to start with a digital certificate. Michael?
Michael Shea So there’s certificates and credentials. So I’ll go first with certificates. “Digital certificate” is the technical name for X.509, which is the specific protocol. And it is a certificate that’s issued by an authority that is installed on a device, that could be on your phone or computer.
One that most people will interact with is a certificate in their browser. So that when you go to a website, and a little lock shows closed in the browser bar in your browser, there’s a digital certificate that’s been exchanged from the website, or the web server to the browser. And the browser has inspected the certificate, it’s cryptographically valid, the information hasn’t expired.
If the certificate is expired, the browser will automatically warn you “do you want to proceed, there’s a risk here because this certificate has expired.” Or if there’s something that’s not right with the certificate, it might give you some sort of a warning.
Phil Wolff And what’s the “certificate authority”?
Michael Shea A “certificate authority” is an organization that has done some level of diligence on establishing themselves, making themselves known. Such that it’s trying to build trust. So if, if you, Phil, set up a certificate authority, and you follow the process, and you became known, and then I set up a certificate with you and Damian set up a certificate with you.
And, you know, the more and more certificates you end up issuing, and they are deemed legitimate to be proper and functioning, it builds up what’s called “a web of trust” that people start to see more and more certificates. They’re trustworthy, they’re done correctly. And people then start to say, okay, “Phil, is a legitimate certificate issuer,” because we start to see these things. And we build up a sort of a breadcrumb trail or a trail of evidence or a web of trust because everybody sees that it’s all coming from this one certificate authority.
Damian Glover Yep. And for me, this is where the questions start. Because I get that and I get that sort of, you know, you’ve probably heard of some of the bigger names. I’ve heard of companies like Thawte® (that’s the one that springs to mind). And so you should trust them by default, because, you know, that’s what they do. That’s the business they’re in.
But what I don’t understand about this is, how did they verify that the certificate they’re issuing, that the website, if it’s a website, or the device, or whatever, is a legit thing. So what’s the criteria for them to issue a certificate saying this is kosher?
Michael Shea So it’s been a little while since I’ve been through the actual cert issuing but it is something I have done in the past. When you sign up with a certificate authority, like DigiCert (I’m actually looking at Zoom’s cert right now on the Zoom website and it’s issued by DigiCert). If you or I or any of us called up and said I’d like to get a certificate for zoom.us, they’re going to ask for certain pieces of information to prove that we actually are, you know, who we say we are, working for who we say we are.
Damian Glover So you have to prove your ownership of the domain, for example.
Michael Shea Ownership of the domain, also other key pieces of information within the business.
Damian Glover How about if it’s a device? So in IoT world, presumably, that’s much harder to do, to prove your ownership of a device. And even if you can prove ownership of it, does that mean that it’s safe for other parties to sort of interact with it?
Phil Wolff Yeah. So what happens is that certificate authorities, as I understand it, basically say “We’re verifying a few claims about this entity,” whether it’s a thing or an app, or whatever. So they have their own verification process, whatever that happens to be.
Say this person once had a photo taken of them as a clown in makeup. A CA can certify to that, to just that. It may not be worthy of a broader remit, like, I don’t necessarily trust that person to come to my kids’ party, but it’s good for having been in clown drag at least once, right? The CA would define that aspect of that clown’s qualifications.
Damian Glover They do do some basic and very specific verification, I guess. Because obviously, yeah, with a website they can check that you own the domain. But I just don’t get what they can verify in the case of a device, for example. Or perhaps it’s that you own the or you’re in control of the network.
To be continued…