In the near future most people will have a digital ID along with an accompanying biometric link such as a fingerprint, face print, voiceprint, iris or retina scan. The combination of digital ID and biometric will enable you to establish yourself as a completely unique person. At last you have the ability in the digital world to establish that you are who you say you are just as you can in the physical world! Step one is to get a digital ID from someone that knows for sure who you are and who is trusted by others as a reliable source for authenticating you. And who would this someone be?
The Certificate Authority, or CA, is the place. The CA will ask you for information to validate that you are who you say you are. The degree of certainly they require will depend on your intended use. For routine things like email an online process where you provide your name and mailing address will be adequate. If you are going to use your digital ID to make millions of dollars worth of purchases for your employer then a personal appearance may be required where you show multiple forms of identification and then the CA gives you a smart card, or other physical token to contain your digital ID.
Over time there will be many CAs. Federal and state governments will operate them as will banks, companies, and institutions of all kinds. In theory there could be one national or international CA that authenticates everyone and you would have just one digital ID. In theory you could have a “national” drivers’ license in your wallet (actually, most countries outside of America do) or a “universal” credit card and that one card could be used for all purposes. In theory, but not in practice. Can you imagine that VISA or MasterCard or American Express will give up their logo on the card and be part of a generic ID? I don’t think so either. Not only do they not want to give up their marketing presence on the card they also don’t want to take on the liability for providing a general purpose digital ID that you could potentially use to go to the hospital for a leg amputation. If the hospital happens to take the wrong leg off of the wrong person the credit card company will surely not want to be liable for having validated that you were who you said you were. Just like we have multiple physical id’s in our wallet we will have multiple digital id’s.
The important thing is for a CA to be able to be quite certain that you are who you say you are before they issue you a digital ID. This can happen in various ways. For example, Equifax is a consumer credit reporting company that has information about 200+ million people. They know your name, your last few addresses, your phone number, and in many cases your mortgage balance! So when they ask you for certain information they can compare it to what is in their database and if there is a match the odds are very high that they can indeed be sure that you are who you say you are. With this assurance they can issue you a digital ID or provide the information to another third party who will issue the digital ID.
Digital IDs are actually being issued already in some parts of the world. Malaysia, Singapore and Taiwan have established guidelines that provide for CA’s. Europe has established a directive that will enable CA’s across the continent. In fact the Ministry of Finance in Spain issues digital ID’s that allow citizens to make their tax payments over the Internet. A Spanish citizen can log on to the site by entering their password into their browser. The digital ID is stored in the browser and does not have to be passed over the Internet in the clear. Once authenticated, the Spanish citizen can pay taxes or check the status of tax payments. The U.S. government in July 2000 passed legislation that will allow CA’s to be established that can enable digital signatures to be used anywhere in the country. There are many projects around the world using some of the technology I learned about at the Inside ID conference.
Once you get a digital ID, where do you keep it and how does it work? There are two parts to your digital ID; a public part and a private part. The public part is something you want to make easily available to anyone. I will describe this in the next part of the series. The private part of your ID is something you will keep very private and never share it with anyone. Good security over the private key is critical. A simple password is not adequate. The biometric data is the best way but a pass phrase is a good substitute in many cases. A password can often be guessed. A passphrase like "The name of my favorite composer is Wolfgang Amadeus Mozart" is quite a bit harder. (Note: there are various tools available to simplify the management of passwords. I use Passphrase Keeper).
Where will your digital ID be stored? There will be a lot of choices including on our PC hard drive, in our mobile phone, in smart cards in our wallet, in a PCMCIA card, in an electronic ring on our finger, or in a token we wear around our neck. I keep my Verisign digital ID and my PGP key ring on an IBM Memory Key. It has a capacity of 256 MB and is a convenient place to store pictures, music, or any data files you may want to share. All PC’s manufactured over the past five years or so has a slot to insert the USB key. The IBM Memory Key has a built-in security system. It requires a password to access the files on it. If you lose the key, and have a non-trivial password, you can reproduce it with your backup copy which you should maintain on your PC. You can even go a step further and encrypt the files on your USB key using PGP and a required pass phrase to access the files.
Wherever you keep it, the digital ID is a very empowering capability. Does a digital ID mean we lose our privacy? No, quite to the contrary. By having a Digital ID you can establish not only who you are but what privacy preferences you want to stand by. Over time I expect that PC’s and handheld devices will not accept any form of incoming information unless that information is signed with a digital ID.