The story concerns a fraud against Lehman Brothers in Japan. Lehman lent a Japanese company $350 million, and the loan was guaranteed by a well-established Japanese trading house. Bankers from Lehman met an executive from the trading house — at the trading house’s office — to sign the contract. When the firm in question defaulted, Lehman went to the trading house to get their money, but the trading house claimed no knowledge of the deal. The executive had been an imposter and the contract was fake. When someone gives you their business card, you assume that it is genuine (by custom and practice — you don’t explicitly validate it), and when they put a letterhead in front of you, you take it to be real. Oops.
Now imagine how it should work. I’m down at the printers and I order 500 copies of some flyer: let’s say, for example, the Consult Hyperion newsletter, that august journal CHYPpings. What’s the point of me showing them a business card or a letterhead? Or physically signing anything? What should happen is this…
I open up my phone and select my identity application — downloaded from the operator, or the government, or wherever — and it asks me who I want to be. In the pop-up menu is "Dave Birch from Consult Hyperion", "An Executive Officer of Consult Hyperion", "David Birch" and "The Notorious 15Mb".
The virtual identities in the pop-up menu are actually public key certificates stored in the handset. Each one has a corresponding private key in the SIM (some of the virtual identities share the key pairs, or digital identities as we call them).
- "Dave Birch from Consult Hyperion" is signed by Consult Hyperion.
- "An Executive Officer of Consult Hyperion" shares the same public key as "Dave Birch from Consult Hyperion" but it is signed by Barclays Bank because Executive Officers are allowed to sign cheques (etc).
- "David Birch" is signed by me.
- "The Notorious 15Mb" is signed by WordPress to prove that I own the blog 15Mb.
Don’t try and resolve the certificate chains, they’re just made-up examples. Anyway, I select the second. So when I touch my phone to the other guy’s phone, that virtual identity is transferred to his phone. His phone resolves the certificate chain (his phone already has Barclays’ root certificate cached) and away we go. Now he has a business card that is far more useful than a piece of cardboard: not only does it go straight into his phone book, but it can be coloured green because it’s been attested to by a third party that he trusts (i.e., Barclays). And digital signatures mean that no-one can forge their "business card".
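To make the chain resolution concrete, here is an added example (my own illustration, not code from the original post or from Consult Hyperion) that plays out the scenario above with real X.509 certificates from Go’s standard library. It builds self-signed roots for "Barclays Bank" and "Consult Hyperion", generates one key pair standing in for the SIM, issues two virtual identities over that single public key (one signed by each root), and then resolves each one from the point of view of a phone that has only Barclays’ root cached. A third card, signed by an imposter root that merely reuses the name "Barclays Bank", stands in for the trading-house executive: it fails because the issuer’s key, not its name, is what the chain check binds to. All names, validity periods and key choices are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // simple counter so every certificate gets a distinct serial number

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// newRoot builds a self-signed root certificate for an issuer such as a bank or an employer.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: name}, // constructed issuer name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueIdentity is the issuer attesting that whoever holds the private key for pub
// may present themselves as subject. Several identities can share one key pair.
func issueIdentity(subject string, pub *ecdsa.PublicKey, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// resolveChain is what the receiving phone does: accept the card only if its
// signature chains to a root certificate it already has cached.
func resolveChain(card *x509.Certificate, cached *x509.CertPool) error {
	_, err := card.Verify(x509.VerifyOptions{Roots: cached, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func mustRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	cert, key, err := newRoot(name)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func mustIssue(subject string, pub *ecdsa.PublicKey, issuer *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	cert, err := issueIdentity(subject, pub, issuer, key)
	if err != nil {
		panic(err)
	}
	return cert
}

// RunScenario returns the verification result for three cards as seen by a phone that
// trusts only Barclays: the bank-signed card, the employer-signed card, and a forged card.
func RunScenario() (bankSigned, employerSigned, forged error) {
	barclays, barclaysKey := mustRoot("Barclays Bank")
	hyperion, hyperionKey := mustRoot("Consult Hyperion")
	imposter, imposterKey := mustRoot("Barclays Bank") // same name, but not the bank's key

	// One key pair in the SIM; the virtual identities below all share it.
	simKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	execCard := mustIssue("An Executive Officer of Consult Hyperion", &simKey.PublicKey, barclays, barclaysKey)
	staffCard := mustIssue("Dave Birch from Consult Hyperion", &simKey.PublicKey, hyperion, hyperionKey)
	forgedCard := mustIssue("An Executive Officer of Consult Hyperion", &simKey.PublicKey, imposter, imposterKey)

	// The other guy's phone has only Barclays' root cached.
	cached := x509.NewCertPool()
	cached.AddCert(barclays)

	return resolveChain(execCard, cached), resolveChain(staffCard, cached), resolveChain(forgedCard, cached)
}

func main() {
	bank, employer, forged := RunScenario()
	fmt.Println("Barclays-signed card:        ", bank)     // nil: goes green
	fmt.Println("Consult Hyperion-signed card:", employer) // unknown authority: no cached root
	fmt.Println("forged 'Barclays' card:      ", forged)   // unknown authority: wrong key behind the name
}
```

The employer-signed card is not forged, it simply chains to a root this phone has not cached, which is the honest "I can’t vouch for this" outcome; the forged card fails for the reason the post cares about, since a matching issuer name is not enough when the signature does not verify under the cached key.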
The identity transaction between us is taking place not in some kind of virtual reality but in what Umberto Eco would call a "hyper reality": not reality as it is, but reality as it should be. Not an emulation of cardboard business cards but something better than cardboard business cards. This really ought to be a guiding principle in the identity cards world.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.