Why is it difficult for so many companies to get digital identity right? If you're still wrestling with even simple identity problems like modern website authentication, this practical book has the answers you need. Author Phil Windley provides conceptual frameworks to help you make sense of all the protocols, standards, and solutions available and includes suggestions for where and when you can apply them.
By linking current social login solutions to emerging self-sovereign identity issues, this book explains how digital identity works and gives you a firm grasp on what's coming and how you can take advantage of it to solve your most pressing identity problems. VPs and directors will learn how to more effectively leverage identity across their businesses.
This book helps you:
• Learn why functional online identity is still a difficult problem for most companies
• Understand the purpose of digital identity and why it's fundamental to your business strategy
• Learn why "rolling your own" digital identity infrastructure is a bad idea
• Differentiate between core ideas such as authentication and authorization
• Explore the properties of centralized, federated, and decentralized identity systems
• Determine the right authorization methods for your specific application
• Understand core concepts such as trust, risk, security, and privacy
• Learn how digital identity and self-sovereign identity can make a difference for you and your organization
Author(s): Phillip Windley
Edition: 1
Publisher: O'Reilly Media
Year: 2023
Language: English
Commentary: Publisher's PDF
Pages: 469
City: Sebastopol, CA
Tags: Information Security; Internet of Things; Risk; Privacy; Cryptography; Digital Identity; Access Control; Authentication; Confidentiality; Integrity; Nonrepudiation; Federated Identity; Digital Identity Architectures; Generative Identity
Cover
Copyright
Table of Contents
Foreword
Preface
Who Is This Book For?
Conventions Used in This Book
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Credits
In Memoriam
Chapter 1. The Nature of Identity
A Bundle of Sticks?
Identity Is Bigger Than You Think
No Universal Identity Systems
The Road Ahead
Chapter 2. Defining Digital Identity
The Language of Digital Identity
Identity Scenarios in the Physical World
Identity, Security, and Privacy
Digital Identity Perspectives
Tiers of Identity
Locus of Control
Reimagining Decentralized and Distributed
A Common Language
Chapter 3. The Problems of Digital Identity
Tacit Knowledge and the Physical World
The Proximity Problem
The Autonomy Problem
The Flexibility Problem
The Consent Problem
The Privacy Problem
The (Lack of) Anonymity Problem
The Interoperability Problem
The Scale Problem
Solving the Problems
Chapter 4. The Laws of Digital Identity
An Identity Metasystem
The Laws of Identity
User Control and Consent
Minimal Disclosure for a Constrained Use
Justifiable Parties
Directed Identity
Pluralism of Operators and Technologies
Human Integration
Consistent Experience Across Contexts
Fixing the Problems of Identity
Chapter 5. Relationships and Identity
Identity Niches
Relationship Integrity
Relationship Life Span
Anonymity and Pseudonymity
Fluid Multi-Pseudonymity
Relationship Utility
Transactional and Interactional Relationships
Promoting Rich Relationships
Chapter 6. The Digital Relationship Lifecycle
Discovering
Co-Creating
Propagating
Using
Updating or Changing
Terminating
Lifecycle Planning
Chapter 7. Trust, Confidence, and Risk
Risk and Vulnerability
Fidelity and Provenance
Trust Frameworks
The Nature of Trust
Coherence and Social Systems
Trust, Confidence, and Coherence
Chapter 8. Privacy
What Is Privacy?
Communications Privacy and Confidentiality
Information Privacy
Transactional Privacy
Correlation
Privacy, Authenticity, and Confidentiality
Functional Privacy
Privacy by Design
Principle 1: Proactive Not Reactive; Preventive Not Remedial
Principle 2: Privacy as the Default Setting
Principle 3: Privacy Embedded into Design
Principle 4: Full Functionality—Positive-Sum, Not Zero-Sum
Principle 5: End-to-End Security—Full Lifecycle Protection
Principle 6: Visibility and Transparency—Keep It Open
Principle 7: Respect for User Privacy—Keep It User-Centric
Privacy Regulations
General Data Protection Regulation
California Consumer Privacy Act
Other Regulatory Efforts
The Time Value and Time Cost of Privacy
Surveillance Capitalism and Web 2.0
Privacy and Laws of Identity
Chapter 9. Integrity, Nonrepudiation, and Confidentiality
Cryptography
Secret Key Cryptography
Public-Key Cryptography
Hybrid Key Systems
Public-Key Cryptosystem Algorithms
Key Generation
Key Management
Message Digests and Hashes
Digital Signatures
Digital Certificates
Certificate Authorities
Certificate Revocation Lists
Public-Key Infrastructures
Zero-Knowledge Proofs
ZKP Systems
Noninteractive ZKPs
Blockchain Basics
Decentralized Consensus
Byzantine Failure and Sybil Attacks
Building a Blockchain
Other Ways of Countering Sybil Attacks
Classifying Blockchains
Should You Use a Blockchain?
The Limitations of PKI
Chapter 10. Names, Identifiers, and Discovery
Utah.gov: A Use Case in Naming and Directories
Naming
Namespaces
Identifiers
Zooko’s Triangle
Discovery
Directories
Domain Name System
WebFinger
Heterarchical Directories
Personal Directories and Introductions
Distributed Hash Tables
Using Blockchains for Discovery
Discovery Is Key
Chapter 11. Authentication and Relationship Integrity
Enrollment
Identity Proofing
Biometric Collection
Attribute Collection
Authentication Factors
Knowledge Factor: Something You Know
Possession Factor: Something You Have
Inherence Factor: Something You Are
Behavior Factor: Something You Do
Location Factor: Somewhere You Are
Temporal Factor: Some Time You’re In
Authentication Methods
Identifier Only
Identifier and Authentication Factors
Challenge-Response Systems
Token-Based Authentication
Classifying Authentication Strength
The Authentication Pyramid
Authentication Assurance Levels
Account Recovery
Authentication System Properties
Practicality
Appropriate Level of Security
Locational Transparency
Integrable and Flexible
Appropriate Level of Privacy
Reliability
Auditability
Manageability
Federation Support
Authentication Preserves Relationship Integrity
Chapter 12. Access Control and Relationship Utility
Policy First
Responsibility
Principle of Least Privilege
Accountability Scales Better Than Enforcement
Authorization Patterns
Mandatory and Discretionary Access Control
User-Based Permission Systems
Access Control Lists
Role-Based Access Control
Attribute- and Policy-Based Access Control
Abstract Authorization Architectures
Representing and Managing Access Control Policies
Handling Complex Policy Sets
Digital Certificates and Access Control
Maintaining Proper Boundaries
Chapter 13. Federated Identity—Leveraging Strong Relationships
The Nature of Federated Identity
SSO Versus Federation
Federation in the Credit Card Industry
Three Federation Patterns
Pattern 1: Ad Hoc Federation
Pattern 2: Hub-and-Spoke Federation
Pattern 3: Identity Federation Network
Addressing the Problem of Trust
Network Effects and Digital Identity Management
Federation Methods and Standards
SAML
SAML Authentication Flow
SCIM
OAuth
OpenID Connect
Governing Federation
Networked Federation Wins
Chapter 14. Cryptographic Identifiers
The Problem with Email-Based Identifiers
Decentralized Identifiers
DID Properties
DID Syntax
DID Resolution
DID Documents
Indirection and Key Rotation
Autonomic Identifiers
Self-Certification
Peer DIDs
Key Event Receipt Infrastructure
Other Autonomic Identifier Systems
Cryptographic Identifiers and the Laws of Identity
Chapter 15. Verifiable Credentials
The Nature of Credentials
Roles in Credential Exchange
Credential Exchange Transfers Trust
Verifiable Credentials
Exchanging VCs
Issuing Credentials
Holding Credentials
Presenting Credentials
Credential Presentation Types
Full Credential Presentation
Derived Credential Presentation
Answering Trust Questions
The Properties of Credential Exchange
VC Ecosystems
Alternatives to DIDs for VC Exchange
A Marketplace for Credentials
VCs Expand Identity Beyond Authn and Authz
Chapter 16. Digital Identity Architectures
The Trust Basis for Identifiers
Identity Architectures
Administrative Architecture
Algorithmic Architecture
Autonomic Architecture
Algorithmic and Autonomic Identity in Practice
Comparing Identity Architectures
Power and Legitimacy
Hybrid Architectures
Chapter 17. Authentic Digital Relationships
Administrative Identity Systems Create Anemic Relationships
Alternatives to Transactional Relationships
The Self-Sovereign Alternative
Supporting Authentic Relationships
Disintermediating Platforms
Digitizing Auto Accidents
Taking Our Rightful Place in the Digital Sphere
Chapter 18. Identity Wallets and Agents
Identity Wallets
Platform Wallets
The Roles of Agents
Properties of Wallets and Agents
SSI Interaction Patterns
DID Authentication Pattern
Single-Party Credential Authorization Pattern
Multiparty Credential Authorization Pattern
Revisiting the Generalized Authentic Data Transfer Pattern
What If I Lose My Phone?
Step 1: Alice Revokes the Lost Agent’s Authorization
Step 2: Alice Rotates Her Relationship Keys
What Alice Has Protected
Protecting the Information in Alice’s Wallet
Censorship Resistance
Web3, Agents, and Digital Embodiment
Chapter 19. Smart Identity Agents
Self-Sovereign Authority
Principles of Self-Sovereign Communication
Reciprocal Negotiated Accountability
DID-Based Communication
Exchanging DIDs
DIDComm Messaging
Properties of DIDComm Messaging
Message Formats
Protocological Power
Playing Tic-Tac-Toe
Protocols Beyond Credential Exchange
Smart Agents and the Future of the Internet
Operationalizing Digital Relationships
Multiple Smart Agents
Realizing the Smart Agent Vision
Digital Memories
Chapter 20. Identity on the Internet of Things
Access Control for Devices
Using OAuth with Devices
OAuth’s Shortcomings for the IoT
The CompuServe of Things
Online Services
Online 2.0: The Silos Strike Back
A Real, Open Internet of Things
Alternatives to the CompuServe of Things
The Self-Sovereign Internet of Things
DID Relationships for IoT
Use Case 1: Updating Firmware
Use Case 2: Proving Ownership
Use Case 3: Real Customer Service
Relationships in the SSIoT
Multiple Owners
Lending the Truck
Selling the Truck
Unlocking the SSIoT
Chapter 21. Identity Policies
Policies and Standards
The Policy Stack
Attributes of a Good Identity Policy
Recording Decisions
Determining Policy Needs
Business-Inspired Projects and Processes
Security Considerations
Privacy Considerations
Information Governance
Meeting External Requirements
Feedback on Existing Policies
Writing Identity Policies
Policy Outline
The Policy Review Framework
Assessing Identity Policies
Enforcement
Procedures
Policy Completes the System
Chapter 22. Governing Identity Ecosystems
Governing Administrative Identity Systems
Governing Autonomic Identity Systems
Governing Algorithmic Identity Systems
Governance in a Hybrid Identity Ecosystem
Governing Individual Identity Ecosystems
Credential Fidelity and Confidence
Credential Provenance and Trust
Domain-Specific Trust Frameworks
The Legitimacy of Identity Ecosystems
Chapter 23. Generative Identity
A Tale of Two Metasystems
The Social Login Metasystem
The Self-Sovereign Identity Metasystem
Generativity
The Self-Sovereign Internet
Properties of the Self-Sovereign Internet
The Generativity of the Self-Sovereign Internet
Generative Identity
The Generativity of Credential Exchange
Self-Sovereign Identity and Generativity
Our Digital Future
Index
About the Author
Colophon
