Decentralized Identity’s Big Vulnerability
Over the years, there has been a number of schemes developed for what I will call “collegial attestation.”
When the claims of one member of a community are attested to by other members, that’s collegial attestation. One of the most talked about schemes nowadays is the claim of identity and attestation to it by other members of the community.
Collegial attestation is without a doubt great for collegial communities.
But first, what is a collegial community?
As the name suggests, a collegial community is one in which every member has equal power and authority vested in them. An academic community is a good example. Essentially, a collegial community is one whose interactions involve ideas, art, literature, psychology, etc. Even the study of business. Basically, the headings in a university course catalog, including physical activities define a collegial community’s activity. Ethnic and avocational communities also qualify.
That being said, shall we think about what’s mostly, but not entirely, missing from a collegial community?
Remember that thing, the love of which is said to be the root of all evil?
It’s the focus of what goes on every day beyond those ivy-covered walls of alma mater.
It’s money, of course!
When money – that is, real money, which could be defined as “amounts that exceed two years’ salary of the average member of the community” gets moved around a community, that community ceases to be collegial. Money rules!
The rule of thumb is:
Collegial attestation will be corrupted whenever the amount of money involved in the potential corruption is sufficient to justify the effort.
You’ll probably think, but members would be afraid of risking criminal prosecution. Has criminal prosecution ever prevented people from committing crimes? When the money is right, the crimes keep getting committed. And of course, criminals never think they’re going to get caught.
How much effort is required to recruit a dozen individuals to attest to each others’ fake identities where identity is established by collegial attestation? Very little when money is involved.
Actually, it’s just an application of Bernoulli’s Principle of Decision Making – a method that was codified by Daniel Bernoulli a few hundred years ago (yes, the same Bernoulli who made airplanes possible.)
Here’s Bernoulli’s Principle of Decision Making mathematical expression.
E(u|p,X)=∑xεXp(x)u(x)
You don’t have to struggle to understand the math. I’ll explain it in plain English.
The expression above denotes that the benefit we can expect from an action is the product of two things. One, the probability that the action allows us to gain something, and two, the value of that gain to us. If we can precisely estimate and multiply these two things, we should know exactly what action we should take.
We must have communities in which we value our relationships and our reputations a lot more highly than a fairly large sum of money (tenure is going to arrive any day now). That way, the benefit of the money to be gained by ganging up with thieves to defraud others in the community is just not sufficient.
What if we are not members of the community and therefore have no relationships and reputations to protect?
In that case, how much do you think the take would be if I got a half dozen friends to join the community with me?
Check out Phil Zimmerman’s PGP which has been around for decades, but never took hold in business. Now you know why it never did.
It is a PKI-like scheme with no certification authority. It’s baked into email clients and other software and works well but only for collegial communities.
Identities in the real world don’t exist in collegial communities. They must be attested to by an authority.
Imagine if you came across this billboard when seeking to get your driver’s license, passport, and birth certificate.
PKI Done Right (PKIDR)uses DCPA – duly constituted public authority – in the form of legally accountable Attestation Officers – Remote Online Notaries – commissioned by the U.S. Commonwealth of Virginia to gather eight forms of EOI – evidence of identity – in a live session with the enrollee.
You are probably thinking, isn’t that centralized authority? If that’s the case, your concerns are very legitimate.
That’s why PKIDR uses the services of Virginia RONs (Remote Online Notaries), who practice independently and who do not report to any central authority.
Learn more about PKI Done Right here.