I am hugely looking forward to attending the W3C Workshop on Strong Authentication and Identity. It is going to be a place for me to validate my current ideas and understanding of the identity space with a group of experts. I hope that it will be a breeding ground for new ideas and possibilities to explore. I am grateful for the university and Blockpass funding my trip to Seattle and am determined to make the most of the trip.
I am interested in pretty much everything in the identity space but as part of applying to the Workshop, you had to complete a position statement suggesting areas you could contribute to and topics you were interested to learn more.
However times have changed, two weeks of reading, thinking and learning have gone by and I would like to rewrite my goals and objectives for the Workshop. This is that rewritten version.
There are two main ideas that I will be discussing and looking to build on at the workshop.
Anonymity vs Compliance
These two concepts seem at odds to me. I recognise the need for privacy in identity systems and understand how a credentials based identity approach can support privacy through unlinkability of credential presentations and pairwise pseudonymous DID’s. The question that I have is how can we build identity management systems that support these privacy-preserving systems while retaining trust and accountability? How can we have the oversight and audit trails that nation states require?
I have some ideas around this. In particular, using conditional and revokable anonymity which enables entities to commit to revealing certain agreed upon identifying information when certain conditions have been met. I think this is interesting because entities would have to decide in advance the private information they need to be able to access for accountability if the entity meets some certain conditions. Presumably being a bad actor.
Defining Policies Based on Verifiable Credentials
By this I mean how can we create authentication protocols that require a certain verifiable credential issued by a certain set of trusted DID’s to gain access to a system. Healthcare could be a perfect example of this. You can access the digital health records of a patient assuming that you are:
- A doctor registered in the correct country
- A doctor employed by the hospital you are treating the patient in (Credential only issued by this specific hospital)
- A doctor actually supposed to be on shift at the time the request is issued
This is just a rough idea but it seems an obvious next step to me. In fact, there are probably numerous people already working on this. My hope it at this workshop I can learn about any current work in the space and identify where I could build on top of the current ideas.
These are still very rough ideas and thoughts that I have been having about identity management systems over the past few weeks. I hope this workshop will help me build on them and connect with people thinking about similar things. I hope to build relationships that can support me throughout the duration of this PhD and beyond.
Most importantly for me, I want to identify areas in the identity space that need research. I want to do relevant research, I want to help push this space forwards. I think this is a great opportunity for me to do just that.