The IDentification System
xID is a specification for a global, public, digital identity management and verification system that has the protection of the rights of the individual and their privacy at its heart. The xID specification for public digital identity management and verification is sufficiently flexible to be implemented in societies with varying degrees of technology penetration, and is informed by the knowledge that there are more than 4 billion people today who have no formal identification.
The purpose of exploring and describing the xID system here is to supplement the good work being done by people around the world in the development of digital human identity systems, see External Links below. Here, we are highlighting important aspects of the system as they relate to privacy and functionality in everyday life and within the framework of The Standards of LIFE.
To create vibrant and sustainable societies it is necessary to leverage information technology for the good of all.
In accordance with The Standards of LIFE for Information, the xID specification uses a distributed storage model that allows data to be held in separated silos that are as close to the people they serve as is practical, given the security requirements. It also specifies the nature of a transaction between trusted and untrusted systems that returns verification results without exposing or compromising the contents of the identity record.
The xID system is concerned solely with identity, and does not store any other data than the xID records. Related data, such as medical records or legal records, are stored separately, and include xID certificate references. Those other records do not include personal identity information, and can only be linked with a person when the xID certificate on them is verified back to an xID. The system does not require a card, or other physical token, in order to function.
The Problems So Far
The governmental entities and political leadership of today’s technologically advanced societies have lacked the technical understanding and skills to be able to effectively conceive of and specify digital identity systems that serve the people they represent. The commercial organizations capable of developing an appropriate standard are too attached to developing proprietary specifications that provide them with competitive advantage.
Furthermore, the development of digital identity systems has been hampered by:
- a fundamental lack of citizens’ confidence in the security and privacy of computerized records management
- the absence of a global standard that is sufficiently flexible to accommodate the more than 4 billion people today who have no formal identification
- the disparities in available technology in different societies
- the linkage of identity with physical tokens such as ID cards, which enhance, rather than deter, the opportunity for forgery and fraud
The specification must be developed altruistically and published openly.
Definitions
- An xID
  - is a universally accepted digital identity record, called an ‘xID certificate’. The name of the certificate is phrased as “xID:Name:Community:Region:State:Transterritory”
  - can be issued to individuals and to organizations
- The xID system
  - stores identity profiles and provides identity confirmation to requests received from other systems.
- Verification Quality (VQ)
  - is a score that provides a guide as to the likelihood that the information provided actually verifies the identity of the person presenting the information. The VQ is determined using:
    - Quality of individually identifying information presented
      - Quantity
        - More is better
      - Uniqueness of characteristics
        - e.g. iris scan v. eye colour
      - Matching detail
        - e.g. ‘green’ v. ‘blue-green’
        - spelling differences
    - Quality of information stored in the xID
      - Quantity
        - More individually identifying information is better
      - Uniqueness of characteristics
        - e.g. iris scan v. eye colour
      - History of the xID
        - Longevity of record
        - Corrections & updates
        - Disputes
    - Quality of the xID store in which the certificate is stored
      - History of the store
        - Longevity of records stored
        - Corrections
        - Disputes
        - Security breaches
          - recent breaches cause immediate downgrade of VQ and warning flag until extent of breach is determined
- Verification Request Index (VRI)
  - is a unique transaction identifier assigned to each individual Verification Request (VR)
  - there need be no central database of VRIs
  - unique formulation of a VRI is dependent on variables specific to the VR without the need to use a central index
Concept
In the home Community of every person, they can establish their identity based on an array of verifiable sources and characteristics, such as parents, blood relations, other human relationships and physical characteristics. Organization xIDs are created based on requests received from verified people.
Having established their uniqueness, they are minted a digital xID certificate.
Wherever and whenever they wish to verify their identity to another party, they present a combination of information that is verified against the xID and a VQ score is returned to the verifying party. Based on the VQ of the response, the party can make their own determination as to whether the person’s identity has been sufficiently verified. Different situations, such as access to the underlying xID information for review, will require higher VQ scores than, say, age verification for controlled substance purchases.
The xID system does not store any other data than the xID itself. Related data such as medical records or legal records are stored separately and simply include xID certificate references, such that those other records do not include personally identifying information, and can only be linked with a person when the xID certificate on them is verified back to an xID in the xID system.
Creating a personal xID
An xID is a digital certificate that has two parts: public and private. The public part of the certificate has the kind of information that you would expect to see on a driver’s license, such as name, physical characteristics and perhaps even a photograph – the sort of information you would be able to determine by looking at a person. The private part has the detailed information that describes the uniqueness of that person such as their place of birth, their blood relations and various physical attributes (the more the better). This package of identifying information is that person’s digital “xID”.
Optionally, the person can elect to have an xID card made, that they may carry with them, and use to speed verification requests. The xID card does not establish identity; it simply presents some publicly available portion of the xID in human and machine readable form, that can be used to initiate an xID verification request.
Managing a personal xID
The ability to review and update an xID is an important part of the system. The only person who can update an xID is the person to whom the xID belongs. In order to review the full contents of an xID the person must be able to verify themselves with a very high, if not 100%, VQ and they must be using a secure terminal with a secure connection to the xID store, for instance at the Information section of a Community Center. The xID system stores a history of updates with the certificate.
The certificate owner can also transfer their xID between stores in the following circumstances:
- when they move residence they can elect to move their xID to the store nearest their new address
- when the VQ score of the store holding their xID falls below a quality threshold, the xID can be moved up a level
- when an xID store is opened at a lower level in their certificate path
  - e.g. from Regional to Community, when a Community opens its own xID store
Using your xID
In certain situations, simply presenting the publicly available information from an xID card will suffice, because the need to establish identity is cursory. For instance, access into an age-restricted event may not need more than a matching date of birth and photograph – the security personnel checking ages do not need to know the person’s name.
To conduct a financial transaction the publicly available information will have to be paired with some private information to generate a high enough VQ. On the whole, it will be the financial institution’s responsibility to properly verify identity and indemnify their customers against fraudulent identity use. This will spur them to require higher VQs, which they must balance with the inconvenience or discomfort caused to their customers by requesting too much private xID information for a given transaction. So withdrawing a small amount of money from an ATM may require less private data than would be needed to close an account.
An xID card is not needed to verify identity. Any person can establish their identity by providing some portions of their public and private data. In many cases, simply the xID certificate name and a relative’s name will yield a pretty high VQ. What the xID card does allow is for the person to be able to swipe their card and input their private information, without disclosing either part to the other party.
It is the right of every person not to carry an xID card.
The VQ response to a requesting party will typically contain only two pieces of information: the Verification Request Index (VRI) and a VQ score. A verifying party may want, for instance, the full xID certificate name and a photograph returned with the response and it will be up to the individual to give their permission for that to be included in the response.
It is the right of any verifying party to request whatever level of VQ they wish and it is the right of every person to decline to provide any part of their xID. Declining to provide information is grounds to allow the verifying party to refuse to provide whatever services they are offering.
Anatomy of an xID system
There are various parts of a complete xID system:
- certificate store
  - physical
    - premises housing xID systems must have
      - physical access control
      - environmental control
      - logging of all access and environment events
        - these logs to be publicly available and form part of the store’s VQ score
  - systems architecture
    - xID systems must run on fully fault tolerant hardware platforms
    - xID operating systems will be independently approved for use and must meet the highest security standards providing
      - separation of administrative access for systems management from data access
      - logging of all access and equipment events
        - these logs to be publicly available and form part of the store’s VQ score
  - database architecture
    - xID database software will be independently approved for use and must meet the highest security standards providing
      - runs directly from certified read only media to prevent unauthorized tampering
        - upgrades securely shipped to stores
      - separation of administrative access for database administration from underlying data access
      - logging of all access and database events
        - a summary of these logs to be publicly available and form part of the store’s VQ score
    - data encryption
      - each xID record stored with an individual encryption key
    - database backup to at least 2 other nodes on the xID network
      - backups to be warm, read only
        - temporary loss of connectivity to the origin xID store will allow for verification requests to be responded to by a backup node
        - permanent loss of an origin store will require the activation of a backup to read-write status at a new store within 10 days
          - requires approval by xID authorities and notification of all xID holders affected
          - update to existing records will not be possible during this period
          - new xIDs can be minted at the next level up and migrated down to the new origin store once it is active
- certificate structure
  - record structure and hierarchy
    - Public data
      - Full certificate name
      - Deduplication data to be appended at the database level but not considered part of the xID
      - Requestor History log
        - VRIs only
      - Any other private data elements the holder elects to move across the public-private boundary
    - Private data
      - contact information
      - date metrics
        - birth
      - physical metrics
        - human descriptive: such as height, weight, eye colour, etc.
        - biometric, machine readable: such as finger print, iris scan, blood type
      - relational metrics
        - blood relatives
        - other relations
      - history logs
        - Certificate history
          - Longevity
          - Changes
          - Disputes
        - Search history
        - Verification history
          - VR Index (VRI)
          - VQ returned
  - extensible field structure
    - standardized field appearance
    - minimum World defined field list
      - First, Last, Middle names
      - date of birth
      - place of birth
      - photograph
    - additional fields can be added at different layers in the multi-layer model
    - field validation with standardized typing for each field
    - history log with timestamps of all:
      - changes
        - field updates
        - store transfers
      - requests
        - verification requestor’s public xID name
        - VQ of the xID record that was returned
  - certificate encryption
    - unique public key, private key encryption for each xID record
    - transferable between xID stores
- secure network
  - between xID stores and secure access points, information can be passed over a completely private network
    - preferably physically private
    - otherwise virtual private network
    - only connection to xID stores – public network interfaces below
- secure access
  - provision of access points directly on the xID secure network
    - secure, stateless, storage-free terminal running secure operating system and applications only from read-only media
    - biometric measurement capability commensurate with the terminal’s location and field extensions in place at that layer
      - terminals without biometric capabilities may still be useful but not provide sufficient VQs to enable record updates
- public interface node (PIN)
  - interface to allow individuals and organizations to make verification requests
    - external systems do not have access to xID stores and stores will only respond to requests from nodes on the xID secure network, so the public network interfaces must provide proxy services for external requestors
- administrative personnel
  - all personnel with access to, administrative responsibility or security responsibility for any part of the xID system are subject to background investigation
    - their xID names are included in the publicly available logs of all events occurring in the xID system, see above
An xID transaction
Whenever the person wishes to verify their identity they provide their certificate name and, if they wish, one or more pieces of information that are stored in the private part of their xID. A verification request is routed to the store that holds their xID certificate, where the information presented is checked against the data in their xID certificate and a response is returned with a Verification Quality (VQ) score.
Here is the transaction path for a verification request:
- Verification request (VR) is generated
  - includes xID of requestor
  - whatever information the person being verified elects to add to the request
    - Each element includes
      - a field descriptor
      - field content to be matched
    - Each element also forms part of the key used to read the xID
- VR system requests encryption key from nearest xID public interface node (PIN)
- VR is encrypted with the key on the requestor’s system
- encrypted VR is transmitted to the PIN that issued the key
- PIN decrypts the VR and passes it over the secure network to a VR service node (VRSN)
- VRSN assigns a unique VR Index code (VRI) using a combination of requestor and time stamp
- VRSN verifies that the xID of the requestor can be resolved with a VQ above a certain threshold
  - If the requestor’s xID does not resolve appropriately the VR is returned to the PIN flagged as unserviceable
    - PIN notifies the requestor of the verification failure
    - If possible, VRSN advises store responsible for requestor’s xID of VR failure
      - Store appends VR failure to requestor’s xID history
- VRSN finds origin store for the person’s xID using a combination of the certificate name and store enquiries
- VRSN transmits the VR to the store
- The store looks up the information from the VR and compares it to the same fields in the xID record
  - The elements in the VR are used as keys to read the xID
    - The fewer elements there are in the VR, the less of the xID that can be read
- Store returns a VQ that is a combination of the VQs of:
  - the match of data from the VR to the xID’s fields
  - the overall record
- The store uses the VRI to
  - append the VR details, including the xID of the requestor, to the private history of the xID
  - append the VRI to all relevant logs in the store
- The VRSN modifies the VQ using the store’s VQ
- VR is handed back to the originating PIN
- PIN encrypts VR and sends it back to requestor
  - response includes only:
    - VRI
    - VQ
- Requestor decrypts VR to view the VQ
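The VQ scoring described under Definitions and the store and VRSN steps of the transaction path above, modelled as an added Python example that is not part of the xID specification. The per-field uniqueness weights, the multiplicative combination of the three VQ components, the 0.25 breach downgrade factor, the ten-year longevity saturation and the year-based timestamps are assumptions made here to illustrate the text; the response carries only the VRI and the VQ, as the specification requires.

```python
from dataclasses import dataclass, field
import hashlib

# Assumed per-field uniqueness weights (spec example: iris scan v. eye colour).
FIELD_WEIGHT = {"eye_colour": 0.1, "date_of_birth": 0.3,
                "blood_relative": 0.4, "iris_hash": 0.9}

@dataclass
class XIDRecord:
    private: dict              # private fields keyed by field descriptor
    created: int               # year the certificate was minted
    disputes: int = 0
    history: list = field(default_factory=list)   # VR details, appended per VRI

@dataclass
class Store:
    records: dict              # full certificate name -> XIDRecord
    opened: int                # year the store opened
    breach_open: bool = False  # recent breach whose extent is not yet determined
    public_log: list = field(default_factory=list)

def longevity(since: int, now: int) -> float:
    return max(0.0, min(1.0, (now - since) / 10))  # assumed: saturates at ten years

def match_vq(rec: XIDRecord, elements: dict) -> float:
    """Presented-information VQ: uniqueness-weighted; a contradiction counts against."""
    score = 0.0
    for descriptor, content in elements.items():
        stored = rec.private.get(descriptor)
        if stored is not None:          # absent field: no evidence either way
            w = FIELD_WEIGHT.get(descriptor, 0.05)
            score += w if stored.casefold() == content.casefold() else -w
    return max(0.0, min(1.0, score))

def record_vq(rec: XIDRecord, now: int) -> float:
    """Stored-xID VQ: quantity and uniqueness of fields, longevity, disputes."""
    quantity = min(1.0, sum(FIELD_WEIGHT.get(f, 0.05) for f in rec.private))
    return max(0.0, 0.6 * quantity + 0.4 * longevity(rec.created, now) - 0.1 * rec.disputes)

def store_vq(store: Store, now: int) -> float:
    """Store VQ: longevity, downgraded immediately while a breach is open."""
    return (0.25 if store.breach_open else 1.0) * longevity(store.opened, now)

def make_vri(requestor: str, timestamp: str) -> str:
    """VRI from requestor xID and timestamp: unique without a central index."""
    return hashlib.sha256(f"{requestor}|{timestamp}".encode()).hexdigest()[:16]

def store_respond(store: Store, name: str, elements: dict, requestor: str,
                  vri: str, now: int) -> float:
    """Store step: match the VR, combine with the record's VQ, log against the VRI."""
    rec = store.records.get(name)
    if rec is None:
        return 0.0
    vq = match_vq(rec, elements) * record_vq(rec, now)
    rec.history.append({"vri": vri, "requestor": requestor, "vq": round(vq, 3)})
    store.public_log.append({"vri": vri, "breach_flag": store.breach_open})
    return vq

def verify(store: Store, name: str, elements: dict, requestor: str,
           timestamp: str, now: int) -> dict:
    """VRSN step: assign the VRI, apply the store's VQ, return only VRI and VQ."""
    vri = make_vri(requestor, timestamp)
    vq = store_respond(store, name, elements, requestor, vri, now) * store_vq(store, now)
    return {"vri": vri, "vq": round(vq, 3)}
```

A contradicting element (for example a wrong relative's name) lowers the match score, so presenting more data only helps when it matches; a store with an open breach returns a downgraded VQ even for a perfect match.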
xID searches
Certain public organizations can be authorized to conduct xID searches, such as healthcare, police and taxation authorities. Authorized requestors are limited to searching for xIDs stored at their level and below (search scope); to search at a higher level requires that a search request be submitted by an authorized requestor at the higher level.
Every xID search request must include:
- the xID of the individual authorizing the search
- the xID of the authorized organization from which they derive their right to conduct a search
- the authorized scope of the search
- the VQ threshold for inclusion in results
A search request follows the same path as a VR except that the VRSN may not have a name to start with and so search requests are handled by store enquiries. The authorized scope of stores to be queried is included in the search request and is dependent on the authority level of the requestor.
- the VRSN submits the search request to each store in the scope
- each store searches the xIDs stored there for matches based on the data presented in the search request
- each xID record searched has its history log flagged with the search request’s details, including the xID of the requestor
- the store assembles the results set in the form of a list of xIDs with public information enclosed, such as name and photograph
  - No private information is permitted to be included in search results
  - only xIDs with VQs higher than the threshold specified in the request are included
- the result set is sent to the VRSN which packages them with results from other stores and passes them back to the requestor
- the VRSN instructs the stores holding the requesting individual’s and organization’s xIDs to add history log entries to their public xIDs, with the search request details and the quantities of xIDs returned in the results
xID investigations
In the event that the legal system authorizes an investigation of an individual, the same process as an xID search can be conducted with the following adaptations:
- The legal authority must issue a warrant that includes:
  - scope of the request
  - specific elements of private xID data to be included in the results
  - time scale for the investigation
- The xID of the legal authority is included in all logs, in addition to those of the organization and individual requesting the investigation
- The search results are timed to expire according to the parameters of the warrant
- The search results never leave the secure xID network
- The history logs of all xIDs included in the investigation are updated as soon as the time scale expires
Next Steps
To move forward to implementation the following steps need to be taken:
- Develop the xID standards to create:
  - record templates
  - Verification Quality transaction models
    - Standardized scoring
  - Security standards for
    - software
    - hardware
    - facilities
    - communications
    - terminals/access
    - interfaces to external systems
- Organize the involvement and support of standards bodies around the world
- Create certification standards
- Create test and demonstration systems that allow citizens, governments and businesses to see for themselves how the xID system works.
  - Demonstration facilities that can be visited
  - Sample systems showing citizens’ records structure and review processes
  - Example links to other storage systems, for data such as medical records
  - Online interfaces for testing interoperability
    - Between different systems, with different levels of technical complexity
    - Across language lines
    - To external systems, such as financial institutions
All standards, templates and models are to be published in the public domain, free of restrictions or copyright.
External Links
Digital Identity – Wikipedia
IDsec
CryptDB
The conflict between “big data” and personal privacy, Bloomberg Feb 2015