upvote

points

by VorpalWay13 hours ago |
comments
upvoteby SkiFire1313 hours ago|
next
[-]
Italy's digital ID (SPID) works by having multiple trusted providers that can attest your identity. You can sign up with multiple of them, and if one is not available you could use another one. Not perfect (it's still centralized in the hand of 10-20 providers) but better than nothing. Unfortunately most people only ever signed up with one provider, and the government is now pushing for a more centralized digital ID istead (CieID).
reply
upvoteby vidarh13 hours ago|
parent|
[-]
All of these IDs in the EEA are based on a common set of EU requirements, and in theory that means multiple providers, but in practice in many countries the set of providers is small and with feature gaps. E.g. Norway has several providers, but they provide different levels of security and features, which means in practice most people rely on BankID...

10-20 is fantastic in comparison. Even if people don't have more than one it at least reduces the blast radius..

reply
upvoteby repelsteeltje13 hours ago|
prev|
next
[-]
Agreed, there should not be a tight (temporal) couple.

But it's a trade off. Long-lived TLS certificates have always had the cert revocation problem. OCSP stapling never took off, so in the end the consensus seems to have been to decrease expiry date. (Mostly fueled by Let's Encrypt / ACME).

Relying on expiration rather than explicit revocation of course also assumes (somewhat) accurately synchronized clocks which is never trivial in distributed systems. In practice it put's pressure on NTP, which itself is susceptible to all kinds of hairy security issue.

I like to think of the temporal aspect as a fail-open / fail-close balance. These centralized solutions favour the former, and that's why we see this resulting outage.

reply
upvoteby lxgr13 hours ago|
prev|
next
[-]
For anything as high stakes as eID you need real-time revocation checks, which brings you back to at least some level of centralization.
reply
upvoteby j16sdiz13 hours ago|
parent|
next
[-]
I don't understand. We don't have real time revocation for passports, do we?

In fact, we don't have real time revocation of any document until very recently...

reply
upvoteby xorcist12 hours ago|
parent|
next
[-]
We do. There are centralized databases of passport serial number, for blacklisting (revocation) or just persons of interest.
reply
upvoteby lxgr12 hours ago|
parent|
[-]
For all countries? I was always wondering about that when doing one of these wonderful "take a selfie of you holding your passport" "authentication" procedures...
reply
upvoteby zirror13 hours ago|
parent|
prev|
[-]
don't we? We call somewhere and revoke the Passport, atleast in Germany.
reply
upvoteby lxgr11 hours ago|
parent|
[-]
But does that propagate to every entity worldwide using passports for identification, including all non-government-affiliated companies and KYC providers?
reply
upvoteby Muromec11 hours ago|
parent|
[-]
That's very true for a lot of PKI systems too. The revocation lists are published, but nobody is reading them.
reply
upvoteby lxgr3 hours ago|
parent|
[-]
At least they exist. I've tried looking into this in the past, and I haven't really found any public passport revocation list, even of just numbers (i.e. without disclosing associated names or any other sensitive data).
reply
upvoteby jdmoreira13 hours ago|
parent|
prev|
next
[-]
Sure... but it should degrade to work when the central services are down.

You should still be able to authenticate with each individual service when the centralised service is down.

There is no reason why you shouldn't be able to login to your bank under these circumstances.

reply
upvoteby Ekaros12 hours ago|
parent|
[-]
Finnish system works like that. If central system is down I can still log in to bank. But I can not log into say tax or healthcare system.
reply
upvoteby progbits13 hours ago|
parent|
prev|
[-]
Revocation lists can be distributed.
reply
upvoteby lxgr12 hours ago|
parent|
next
[-]
Yes, but they still originate somewhere, and if that source goes offline, you're still at risk of accepting stolen credentials.
reply
upvoteby VorpalWay9 hours ago|
parent|
[-]
Yes, but under the assumption that downtime is typically short (a few hours), that small risk seems better than a foreign nation state actor being able to block essential services like identifying with healthcare, or sending transactions.
reply
upvoteby 13 hours ago|
parent|
prev|
[-]
deleted
reply
upvoteby designerarvid13 hours ago|
prev|
[-]
BankID is not government backed, and most governmental agencies have alternatives to BankID as well.
reply