Holder, Issuer, Verifier: A Radical Analysis of the 3-party Digital Identity Model
Contributor(s)
Session
Cryptography and Privacy in Context
Abstract
Many digital identity systems proposed for modern use default to a three-party model for presentation of digital credentials: the holder (who has the identity or authorization in question, and wields the credential), the issuer of the credential, and the verifier (who must confirm the identity or authorization). Characterizing the technical components of any digital identity system with this model can shed light on who the developers of the model think of as the adversary, and who the intended beneficiaries of the model are. Under this analysis, many proposed cryptographic digital identity systems reveal that the holder is the primary adversary, and that good faith is substantially assumed for the issuer and the verifier, whose controls are assumed to be delegated to higher-level, non-cryptographic, policy-based mechanisms. This session will examine these assumptions for a handful of real-world ID systems, and try to sketch a path toward systems that would center and benefit the holder.