Filed Under: Uncategorized

Making credentials practical

Leave a Comment

When I’m talking about identity, I sometimes joke that our ill-thought out perspectives on the topic have led to the bizarre situation that in the UK it is much easier to get a job with a bank than an account. In The Daily Telegraph for 29th January 2011, I read under the headline “False CV Fooled Bank” that:

A fraudster used a false CV [claiming degrees from Oxford and Harvard] to gain a £165,000 per annum job at a City investment bank.

I assumed that everybody made up stuff on their resumes, but it turns out that it’s against the law, so the culprit, Mr. Peter Gwinnell, was prosecuted and given a suspended sentence (I assume he’ll skip over this on his next CV). We keep being told that employers use Facebook profiles nowdays (I hope they use mine: it says that I am the most intelligent person alive today and that Nelson Mandela queued for my autograph) so perhaps CVs will soon be a thing of the past. Just out of curiosity I googled Mr. Gwinnell and found that as well as his empty LinkedIn profile, the bald fact of his departure is there on the web.

PETER GWINNELL Appointment terminated as director on 15 Feb 2010 (Document)

[From AHLI UNITED BANK (UK) PLC of W1H 6LR in LONDON UNITED KINGDOM]

To be honest, if an employer wanted proof of my A-Level in Mathematics or O-Level in British Constitution or the Degree I scraped through with in 1980, I’d be hard pressed to provide it. I don’t have the faintest idea where the relevant certificates are. I suppose I could ring the University and ask them to send me a letter, but how would the employer know I hadn’t forged the letter. And how would Southampton University know that it is me calling? Or, for that matter, how would they know that I hadn’t forged the O-Level in British Constitution certificate?

When I started my first job after university, I don’t remember being asked to provide any such proof. Come to that, I don’t remember being asked to prove who I was either. In those days, all you needed was a national insurance number. But if employers are going want proof, like the actual certificates, then there will be a bit of a premium on the certificates. Once the certificates are worth something, they will be stolen. This is what happens in China.

Local officials said the files were lost when state workers moved them from the first to the second floor of a government building. But the graduates say they believe officials stole the files and sold them to underachievers seeking new identities and better job prospects — a claim bolstered by a string of similar cases across China.

[From Files Vanished, Young Chinese Lose the Future – NYTimes.com]

How are we going to deal with this digitally? It shouldn’t be that complicated for Harvard to create a digital certificate to attest to the fact that the owner of a particular identity did, in fact, graduate. If there were some sort of device or token, perhaps some form of card, that contained my educational identity (ie, key pair) then Harvard could simply sign the public key with their private key and the whole problem is fixed (glossing over, of course, where this device or token might come from, and so on).

Something does have to be done though. The current system is simply a joke. It’s quite funny when someone cons a bank into giving them a senior position despite knowing nothing about banking (imagine!) but one of the areas that really bothers me, and probably should bother you too, is the ease with which medical credentials are forged.

A conman from Lancashire who posed as a vet and nearly killed a pony by botching its castration has been jailed for two years. Russell Oakes also masqueraded as a doctor, carried out an intimate examination and charged for false diagnoses, Liverpool Crown Court heard. The 43-year-old, of Hesketh Bank, admitted 41 charges of fraud, forgery and perverting the course of justice.

[From BBC News – Bogus Lancashire vet jailed after botched castration]

How did he do this? Was he a master forger, capable of producing an authentic-looking medical school diploma using specially-aged paper, his engraving skills and authentic ink procured from the correct German manufacturer? No, of course not: this is a post-modern crime.

He bought a fake university certificate off the internet, the court heard.

[From BBC News – Bogus Lancashire vet jailed after botched castration]

Now imagine an alternative infrastructure. I am asked to prove that I have a degree from Southampton University. I log on to the university using my OpenID id.dave.com and answer some questions, provide some data, to satisfy the university that I am, indeed, the relevant dave. My OpenID profile includes a public key, so the university creates a public key certificates, signing that key and some standard data that they provide. I can now give this certificate to anyone, and they can check it by verifying the signature using the published Southampton University public key, resolving the certificate chain in the usual way.

the BBC suffered another embarrassment today after a man interviewed on Radio 4’s World at One who claimed to be a Liberal Democrat MP was revealed to be an imposter.

[From Radio 4 follows Jeremy Hunt gaffe by interviewing fake MP | Media | guardian.co.uk]

How would the proposed infrastructure help here? The system has to be so easy to use that a harassed BBC researcher can use it. Come to that it has to be so easy that military installations, the police and other can use it too.

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD’s military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area

[From Schneier on Security: The Security Threat of Forged Law-Enforcement Credentials]

Step forward the mobile phone. Every single one of the people who were “verifying” IDs in these stories has a mobile phone, so there’s no need to look any further. The military policeman’s mobile phone should be able to check your ID. And your mobile phone should be able to check his ID. And if you’re both using mobile phones, both IDs can be checked simultaneously. We already know that symmetry is an important property of an identity infrastructure: the bank needs to be able to check it’s me, but I need to be able check it’s the bank. And the mobile phone can do both. So next time Peter shows up for an interview, the interviewer can simply tap Peter’s NFC phone against their NFC phone and see a full list of his credentials.

(Law enforcement has special additional issue though: sometimes, the policeman doesn’t want to reveal that he’s a policeman, but that’s a topic for another day.)

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Leave a Reply

Your email address will not be published. Required fields are marked *