Towards a secure digital identity

July 22, 2010 08:23 pm | Updated 08:23 pm IST - Chennai

Ravi Jagannathan, MD and CEO, 3i Infotech Consumer Services Ltd. Photo: D. Murali


Digital identity is the theme of the discussion that I recently had with Ravi Jagannathan, MD and CEO, 3i Infotech Consumer Services Ltd, Bangalore (http://bit.ly/F4TRavi3i). While identity carries multiple meanings, the apt meaning associated with digital identity can be derived from the following definitions in Oxford Dictionary, he traces:

(a) Identity -- “the fact of being who or what a person or thing is… serving to establish who the holder, owner, or wearer is by bearing their name and often other details such as a signature or photograph: an identity card.”

(b) Identification -- “means of proving a person’s identity, especially in the form of official papers.”

Excerpts from the interview.

First, why a digital identity?

While the cyber civilisation is rapidly growing across the globe, the adoption of technology beyond basic purposes (such as browsing, chatting, and emailing) by the average Indian is just in the offing.

With over 40 per cent of the population being less than 25 years of age, having grown up with technology, they will use technology for more than basic purposes. Technology will be extensively used by millions of individuals for banking, insurance, ecommerce and government-related transactions.

This social and economic development will throw up serious cyber crime threats if the digital identity crisis is not addressed right away. A similar trend was prevailing in other developed nations a decade ago, but given a physical unique identity system such as Social Security or Citizen Card, they were able to manage the crisis with simple techniques such as username and password.

Lacking such an identification system in India, we will have to adopt stronger identification techniques that will secure the individual’s asset, privacy and anonymity. The password technique is too weak for any serious security process.

User identification is the most critical need for protecting one’s information assets. Securing the cyber transactions upfront is the critical step we should take before the cyber civilisation grows to unmanageable size.

How does one establish one’s identity?

One’s name, added to the relationships one has, the schools one went to, the employment one served, the locations one lived in, etc., all contribute to one’s identity. When it comes to a transaction, we make our identity with wet signatures on paper.

Signatures have been in existence for thousands of years to authenticate any kind of transaction. Signatures are meant to be reliable, authentic, non-repudiable, and to offer assurance that the transaction or document is complete and unaltered.

A wet signature can be forged, documents can be altered after they’re signed, and whoever had signed the documents can later claim that they did not. Yet signatures were considered as a strong form of authentication for any physical transactions.

As we transition to digital transactions, there is a need for an appropriate and comparable signature protocol, namely digital identity.

So what defines one’s identity in cyberspace?

Something one knows, something one owns, and who one is, are the three characteristics by which one can identify himself in the cyber world. “Something one knows” is the simplest and weakest means of user identification – say a personal identification number (PIN), a social security number, a password or anything you keep in your head. “Something one owns” involves possession of a device or one-time password (OTP) tokens, ATM cards etc.

However, the future of our digital identities lies in a combination of all these three characteristics which will be tough to break. A PKI-based DSC (digital signature certificate) will be the one that will be considered to be a powerful digital ID as the user will have his private key (something he owns), will use a PIN to activate the key (something he knows) and will have his digital signature certificate (something to say who he is). PKI stands for Public Key Infrastructure.

A brief overview of the digital signature process

Real digital signatures are mathematical algorithms that interact in a variety of ways with the documents/ transactions they’re attached to. For example, a digital signature application “measures” the document. If the document/transaction changes after being measured, the digital signature will no longer validate properly, telling the receiver that the document/ transaction has been tampered with in some way since it was signed.

Digital signature certificate is the only form of legally accepted digital identity in India recognised by the Information Technology Act, 2000. The Act defines a detailed process and the regulations about DSC.

A detailed credential verification process is carried out before issuing a certificate by a Registration Authority. Thus a DSC issued by a licensed Certifying Authority (CA) defines who you are in the system. One can thus have a digital signature certificate that identifies one in the cyber world legally in India.

On the challenges

Certificate and key management are probably the two most complex issues related to PKI. Added complexity is the issuance of certificates by multiple CAs. World over, interoperability efforts are being made to ensure that DSC certificates are issued and recognised in a standard way.

Imagine a situation of one person having a digital signature as his own identity that he can use for all his cyber as well as physical transactions, be it accessing his email, logging into his bank account, chatting in a social media site, drawing cash from an ATM, or accessing any building or airport. Of course it is the way to go.

Hope this is what the U.S. White House is also hoping for as we can understand from the blog of its cyber security coordinator Howard Schmidt. A rising tide of identity theft, online fraud and cyber intrusions, the proliferation of usernames and passwords that individuals must remember and the need to deliver online services more securely and efficiently prompted the White House action to consider a national strategy for trusted identities in cyberspace, he says.

“No longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services,” Schmidt writes. “Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions.”

Schmidt speaks of how the identity ecosystem would allow users to have more control of the private information they use to authenticate themselves online, and will not have to reveal more information than they need to.

**

InterviewsInsights.blogspot.com
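The two mechanisms described in the interview, a PIN-activated private key and a signature that stops validating once the "measured" document changes, can be seen in a small added example (not part of the interview or of any product it mentions). The key is a constructed toy built from two Mersenne primes with unpadded RSA, and every name, PIN and document string in it is an assumption made for illustration.

```python
import hashlib

# Constructed teaching key built from two Mersenne primes: trivially factorable.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
KEY_BYTES = (N.bit_length() + 7) // 8

# "Who he is": stand-in for the certificate; a real DSC is also signed by the CA.
CERTIFICATE = {"subject": "Constructed Holder", "n": N, "e": E}

def _pin_mask(pin: str, salt: bytes) -> int:
    """Stretch the PIN into a mask as long as the private exponent."""
    raw = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000, KEY_BYTES)
    return int.from_bytes(raw, "big")

def make_token(pin: str, salt: bytes = b"constructed-salt") -> dict:
    """'Something he owns': the private key, stored only in PIN-masked form."""
    return {"salt": salt, "blob": D ^ _pin_mask(pin, salt)}

def measure(document: bytes) -> int:
    """The 'measurement' of the document: its SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, token: dict, pin: str) -> int:
    """'Something he knows': the PIN unmasks the key; a wrong PIN yields a useless key."""
    d = token["blob"] ^ _pin_mask(pin, token["salt"])
    return pow(measure(document), d, N)     # textbook RSA, no padding (real schemes pad)

def verify(document: bytes, signature: int, cert: dict) -> bool:
    """Receiver re-measures the document and compares with the signed measurement."""
    return pow(signature, cert["e"], cert["n"]) == measure(document)

def demo() -> dict:
    token = make_token("4821")                              # constructed PIN
    original = b"Pay INR 5,000 to account 1234"             # constructed document
    altered = b"Pay INR 9,000 to account 1234"
    sig = sign(original, token, "4821")
    return {
        "untouched": verify(original, sig, CERTIFICATE),
        "altered_after_signing": verify(altered, sig, CERTIFICATE),
        "wrong_pin": verify(original, sign(original, token, "0000"), CERTIFICATE),
    }

if __name__ == "__main__":
    print(demo())
```

On a hardware token the PIN check happens inside the device and the key never leaves it; the masking here only imitates that behaviour in software.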
