Overview of the Anatomy of Tapestry IO's Decentralized IAM

The identity concept can be seen from different perspectives and is applicable in different domains, depending on the objective for which digital identity is used. In general, personal identity in philosophy refers to the answer to the question, ‘Who am I?’

It consists roughly of those properties that make the individual unique and different from others. More precisely, identity refers to a set of qualities and characteristics that make an entity definable, distinguishable, and recognizable compared to other entities. In the digital world, however, “identity” is a set of digital records that represents a user. These records are saved and managed in a standard format by entities that provide the identity information or assurances needed to complete transactions. A digital identity also accepts and integrates new records to create a rich view of the user. The following five properties should be applied to build a more detailed and well-provisioned blockchain-based identity system.

Entities
According to its definition, an entity is an object that exists or has its own independent existence. An entity acts as the representation of a unit that bears legal rights in the system, e.g., individuals, businesses, and affiliates. In a digital system, some types of entities require digital identities, including people, machines or devices, organizations, code, and agents. These entities can be categorized into three types. Locally-installed identity agents run on devices that stay with the user, such as smartphones and laptops. Remote identity agents reside on the network; they have their own private and public keys and can be run by parties that hold certain user credentials, such as banks, universities, or other entities trusted by the user. The last type consists of relying parties, which represent a party with which a user intends to interact, essentially an online service provider; in a peer-to-peer system, however, relying parties can be other users.

Attribute Type
The attribute type is used to identify the entity. It commonly consists of three attributes: who you are, context, and profile.

Who you are.
This is the attribute that uniquely identifies a single entity in a real-world context. It can include knowledge or data known only to that entity, unique physical characteristics of that entity, or items that the entity possesses.


Context.
This can refer to the type of transaction or organization with which the entity identifies itself, as well as the manner in which the transaction is made. Different constraints on digital identity may be implemented depending on the context. For instance, transferring sensitive information relating to birth certificates over the phone or the internet may be prohibited. Context is also used to determine the amount and type of identity information needed to provide the appropriate level of trust. For example, in an email context, the identifying information necessary is usually only two things: a username and a password.

Profile.
A profile consists of the data needed to provide services to users once their identity has been verified. User profiles can include what entities can do, what they have subscribed to, what groups they are members of, their selected services, etc. A user’s profile can change during the course of an interaction with the service provider.

Lifecycle
There are three fundamental steps to creating a digital identity: registration, which includes enrollment and validation; issuance of documents or credentials; and authentication for service delivery or transactions.

Enrollment.
This stage is divided into two parts: enrollment and validation. Enrollment entails the registration steps: capturing and recording the key identity attributes of a person who claims a certain identity. This may include biographical data (e.g., name, date of birth, gender, address, email), biometrics (e.g., fingerprints, iris scan), and other attributes. Once a person has claimed an identity during enrollment, this identity is validated by checking the presented attributes against existing data.

Issuance.
Before it can be used by a person, a registered identity goes through an issuance or credentialing process. For an identity to be considered digital, the credentials or certificates issued (e.g., birth certificate, passport) must be electronic, in the sense that they store and communicate data electronically. Types of electronic credentials include smart cards, 2D barcode cards, mobile identities, and identities in the cloud.

Authentication.
After users have been registered and credentialed, they can use their digital identities to access public or private services. For instance, citizens may use their eID number to pay their taxes through an online portal, while bank customers can use smart debit cards or mobile financial services. To access services, the user must be authenticated using one or more factors, for example a password, PIN, or fingerprint. Throughout the lifecycle stages, digital identity providers manage and organize the identity system, including its facilities and staff, record keeping, compliance and auditing, and updating the status and content of digital identities. For example, users may need to update identity attributes such as address, marital status, or profession. In addition, identity providers may need to revoke an identity, which involves invalidating the digital identity for fraud or security reasons, or terminate an identity in the case of the individual’s death.

Policies
Policies are used to manage identities. A policy is a set of rules, defined by the resource owner, governing access to a resource (asset, service, or entity) and the purposes for which it may be used. The level of access is conditioned not only by the identity but is also likely constrained by further security considerations, such as company policy, the location (i.e., inside a secure corporate environment, connected via a hotspot, from an internet cafe, and so on), or the time of day.

Technology
To ensure usability, security, and privacy, digital identities must be implemented using advanced technical methods. Technology must therefore be applied in at least three areas: authentication, security protocols, and storage improvements.
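Policy evaluation of the kind just described, where the identity, the network location and the hour of day all constrain the decision, as an added Go example written for this page rather than code from Tapestry IO. The "payroll" resource, the rule names and the request values are constructed for illustration.

```go
package main

import "fmt"

// Request is one access attempt: the authenticated identity, the resource it
// wants, and the context attributes a policy can constrain on (where the
// request comes from and the hour of day).
type Request struct {
	Subject  string
	Group    string // group membership taken from the subject's profile
	Resource string
	Action   string
	Location string // e.g. "corporate", "hotspot", "cafe"
	Hour     int    // local hour of day, 0-23
}

// Rule is one entry in the resource owner's policy. An empty field or slice
// matches anything; FromHour == ToHour == 0 means any time of day.
type Rule struct {
	Name      string
	Effect    string // "allow" or "deny"
	Group     string
	Resource  string
	Actions   []string
	Locations []string
	FromHour  int // inclusive
	ToHour    int // exclusive
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func (r Rule) matches(q Request) bool {
	if r.Group != "" && r.Group != q.Group {
		return false
	}
	if r.Resource != "" && r.Resource != q.Resource {
		return false
	}
	if len(r.Actions) > 0 && !contains(r.Actions, q.Action) {
		return false
	}
	if len(r.Locations) > 0 && !contains(r.Locations, q.Location) {
		return false
	}
	timed := r.FromHour != 0 || r.ToHour != 0
	if timed && (q.Hour < r.FromHour || q.Hour >= r.ToHour) {
		return false
	}
	return true
}

// Evaluate is deny-by-default with deny-overrides: the first matching deny
// rule ends evaluation, otherwise any matching allow rule grants access.
// The reason string is what an audit log would record with the decision.
func Evaluate(policy []Rule, q Request) (bool, string) {
	allowed, reason := false, "no matching rule (default deny)"
	for _, r := range policy {
		if !r.matches(q) {
			continue
		}
		if r.Effect == "deny" {
			return false, "denied by " + r.Name
		}
		allowed, reason = true, "allowed by " + r.Name
	}
	return allowed, reason
}

// SamplePolicy is a constructed policy for a hypothetical "payroll" resource.
func SamplePolicy() []Rule {
	return []Rule{
		{Name: "no-public-networks", Effect: "deny", Locations: []string{"cafe"}},
		{Name: "finance-office-hours", Effect: "allow", Group: "finance", Resource: "payroll",
			Actions: []string{"read", "write"}, Locations: []string{"corporate"}, FromHour: 8, ToHour: 18},
		{Name: "finance-read-anytime", Effect: "allow", Group: "finance", Resource: "payroll",
			Actions: []string{"read"}, Locations: []string{"corporate", "hotspot"}},
	}
}

func main() {
	q := Request{Subject: "alice", Group: "finance", Resource: "payroll",
		Action: "write", Location: "corporate", Hour: 20}
	ok, why := Evaluate(SamplePolicy(), q)
	fmt.Println(ok, why) // false no matching rule (default deny)
}
```

Deny-overrides is the conservative choice when rules from different sources can overlap: the "no-public-networks" rule blocks a finance user reading payroll from a cafe even though "finance-read-anytime" would otherwise allow the read.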

Authentication Technique.
Authentication techniques range from single-factor to multi-factor authentication. Below is a list of common methods used in authentication systems:

  • Password or personal identification number (PIN) Password authentication is a traditional method in which the user is provided with a username and password. However, many have shown this technique to be ineffective, since the username and password are often easy to guess or steal. To make the authentication process more secure, an advanced form of password usage called a one-time password (OTP) is used: the user enters the password only once and must request another from the server at the next attempt to log in or make a transaction. This method involves hashing; the hashed values are then exchanged with the server and stored. The PIN technique has basically the same mechanism as a password, but it consists of a numeric value only (usually four to six digits). PIN-based authentication is commonly used for financial services such as ATM banking and credit card payments.
  • Token - This works on the two-factor authentication (2FA) principle. Instead of using only a username and password, an additional step is added to obtain a time-limited token (typically a cryptographic key or password) that is used for further transactions during the session. Generally, the token has a physical display, and the authenticating user simply enters the displayed number to log in. The physical token device mostly does not require an internet connection, because it communicates using mobile telecommunication operator services such as voice calls, SMS, or USSD.
  • Public key cryptography This method utilizes cryptographic mechanisms whose underlying theory involves an asymmetric key pair: a public key and a private key. Public-key encryption uses that key pair for encryption and decryption. The public key is made public and is distributed widely and freely. The private key is never distributed and must be kept secret.
  • Biometric - Biometric authentication requires a completely different style of authentication process. Biometric authentication, or just biometrics, is the process of making sure that people are who they claim to be. This approach is based on a person’s biological uniqueness and can be used for the biometric identification of a person, using, for example, fingerprint or iris recognition. A pattern-matching technique is essential for measuring the characteristic. Biometrics also require sensor devices to collect the characteristic from the user.
  • Smart Card When used for logical access, smart card technology typically comes in two forms: a credit-card-sized plastic card or a USB device, each with an embedded computer chip. Using a smart card to store password files is its simplest application.
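The one-time password mechanism described above (a hashed value exchanged with the server and usable only once), as an added Go example that is not code from the original page: an RFC 4226 HOTP generator together with the server-side check that makes a password one-time. The secret `12345678901234567890` is the RFC's own test value; the look-ahead window of 5 counters is an assumption of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// HOTP computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation, then reduction to `digits` digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := uint32(sum[offset]&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier is the server-side record for one user. LastUsed is what makes the
// password one-time: a counter at or below it is never accepted again.
type Verifier struct {
	Secret   []byte
	Digits   int
	Window   uint64 // how many counters ahead of LastUsed the server searches
	LastUsed int64  // -1 until the first successful verification
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{Secret: secret, Digits: 6, Window: 5, LastUsed: -1}
}

// Verify accepts a code only for a counter strictly after LastUsed and within
// the look-ahead window, then advances LastUsed so the code cannot be replayed.
func (v *Verifier) Verify(code string) error {
	start := uint64(v.LastUsed + 1)
	for c := start; c < start+v.Window; c++ {
		// constant-time comparison so timing does not leak partial matches
		if hmac.Equal([]byte(HOTP(v.Secret, c, v.Digits)), []byte(code)) {
			v.LastUsed = int64(c)
			return nil
		}
	}
	return errors.New("invalid or already used one-time password")
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test secret
	v := NewVerifier(secret)
	first := HOTP(secret, 0, 6)
	fmt.Println(first, v.Verify(first)) // 755224 <nil>
	fmt.Println(v.Verify(first))        // invalid or already used one-time password
}
```

The server stores the shared secret and only the last accepted counter; because it never accepts a counter at or below that value, a captured code is useless after its first use. The look-ahead window tolerates a user who generated a few codes without submitting them, but it should stay small, since each extra counter is one more value an attacker could guess.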

Security Protocols.
These are valued for their strong identity verification and authentication properties. Specifically, they are designed to transfer authentication data between two entities. The widespread authentication protocols used to address security issues within open networks are Secure Sockets Layer (SSL), IPsec, Secure Shell (SSH), and Kerberos.

Storage.
New technologies contributing to storage improvement hold considerable implications for the creation of robust digital identity systems. Two new technologies may offer improved methods of database storage. The first is distributed ledger technology, or blockchain, combined with encryption and cloud storage, which allows information to be held and transferred point-to-point in a dispersed, immutable network. The second is federated identity standards, such as SAML 2.0, which create interoperability between identity management networks and external applications, allowing federated identity systems to scale to large numbers of identity providers and relying parties.

Tapestry IO Decentralized Identity Access Management
Digital identity is critical in many business and social transactions. However, most conventional identity systems in use today are costly and hinder innovation and a better customer experience. Tapestry IO introduces a new way of managing identities. Its core characteristics are Decentralized Identity Access Management and a handshake mechanism; these are what distinguish Tapestry IO from other identity solutions. This section also presents current implementations of blockchain-based digital identity from similar solutions on the market today.

Blockchain has the potential to be adopted as a digital identity system. By storing all data and transactions in a secure and open way, creating an identity on the blockchain makes it easier for people to manage their identities and to control who has their personal information and how they access it. This is called Decentralized Identity Access Management (DIAM). There are ten specific principles that attempt to ensure the user control at the heart of DIAM.


Existence
Users must have an independent existence. Any DIAM is ultimately based on the ineffable "I" that is at the heart of an identity. It can never exist in a wholly digital form. This must be the kernel of self that is upheld and supported. A DIAM simply makes public and accessible some limited aspects of the “I” that already exists.

Control
Users must be in control of their identities. They should always be able to refer, update, or hide them.

Access
Users should have direct access to their own identities and all related data. All data must be visible and accessible without gatekeepers.

Transparency
Systems and algorithms must be transparent. The systems used to administer and operate a network of identities must be open, both in how they function and in how they are managed and updated.


Persistence
Identities should last forever, or at least for as long as the user wishes. Though private keys might need to be rotated and data might need to be changed, the identity should remain. In the fast-moving world of the internet, this goal may not be entirely reasonable, so it is a minimum requirement that identities should last until they are replaced by newer identity systems.


Portability
All information about identities must be transportable. The identity must not be held by a single third party.

Interoperability
Identities should be as widely usable as possible. Regimes may change and users may move to different jurisdictions, but transportable identities ensure that users remain in control of their identities regardless, and this can also improve an identity’s persistence over time.

Consent
Users must agree to the use of their identities and the sharing of all related data. Any identity system is built around sharing that identity and its claims, and an interoperable system increases the amount of sharing that occurs.


Minimization
The disclosure of claims must be minimized. When data is disclosed, that disclosure should involve the minimum amount of data necessary to accomplish the task. For example, if only a minimum age is called for, then the exact age should not be disclosed, and if only an age is requested, then the more precise date of birth should not be disclosed.


Protection
The rights of users must be protected; when there is a conflict between the needs of the network and the rights of entities, the priority should be the latter.
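The minimization principle above, carried out in code as an added Go example (not from the original page or Tapestry IO): the issuer signs only salted hash commitments to the attributes, so the holder can disclose the single derived claim `age_over_18` and prove it was issued without revealing the date of birth. The attribute names and values are constructed sample data, and the commitment format (name, value and salt hashed together with SHA-256, commitments sorted before signing) is an assumption of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Claim is one attribute of the credential plus the random salt that hides it
// behind a hash commitment until the holder chooses to disclose it.
type Claim struct {
	Name  string
	Value string
	Salt  []byte
}

// Commit binds name, value and salt into one hash; without the salt a verifier
// could brute-force low-entropy values such as a date of birth.
func (c Claim) Commit() string {
	h := sha256.Sum256([]byte(c.Name + "\x00" + c.Value + "\x00" + hex.EncodeToString(c.Salt)))
	return hex.EncodeToString(h[:])
}

// Credential is the issuer-signed part: sorted commitments and a signature.
type Credential struct {
	Commitments []string
	Signature   []byte
}

func signedPayload(commitments []string) []byte {
	return []byte(strings.Join(commitments, "\n"))
}

// Issue salts every attribute, sorts the commitments so their order reveals
// nothing, and signs the list. The full claims go to the holder only.
func Issue(issuerPriv ed25519.PrivateKey, attrs map[string]string) (Credential, []Claim, error) {
	claims := make([]Claim, 0, len(attrs))
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		claims = append(claims, Claim{Name: name, Value: value, Salt: salt})
	}
	commitments := make([]string, len(claims))
	for i, c := range claims {
		commitments[i] = c.Commit()
	}
	sort.Strings(commitments)
	sig := ed25519.Sign(issuerPriv, signedPayload(commitments))
	return Credential{Commitments: commitments, Signature: sig}, claims, nil
}

// Present selects only the claims the relying party asked for.
func Present(all []Claim, names ...string) []Claim {
	var out []Claim
	for _, c := range all {
		for _, n := range names {
			if c.Name == n {
				out = append(out, c)
			}
		}
	}
	return out
}

// Verify checks the issuer signature over the whole commitment list and that
// every disclosed claim recomputes to a commitment in it; undisclosed claims
// stay hidden behind their hashes.
func Verify(issuerPub ed25519.PublicKey, cred Credential, disclosed []Claim) bool {
	if !ed25519.Verify(issuerPub, signedPayload(cred.Commitments), cred.Signature) {
		return false
	}
	for _, c := range disclosed {
		want := c.Commit()
		i := sort.SearchStrings(cred.Commitments, want)
		if i == len(cred.Commitments) || cred.Commitments[i] != want {
			return false
		}
	}
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// constructed sample attributes; the issuer adds the derived age_over_18 claim
	cred, claims, _ := Issue(priv, map[string]string{
		"name": "Alice Example", "date_of_birth": "1990-05-01", "age_over_18": "true",
	})
	shown := Present(claims, "age_over_18")
	fmt.Println(len(shown), Verify(pub, cred, shown)) // 1 true
}
```

The derived boolean claim is what makes the "minimum age without exact age" case work: the holder cannot compute a provable `age_over_18` from the date of birth alone, so the issuer includes it as its own disclosable claim at issuance. A relying party that receives only that claim sees three commitments and one opened value, and learns nothing about the other two.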

Tapestry IO introduces proprietary cryptographic procedures into the digital identity system. The critical process underlying its authentication mechanism is called the handshake mechanism. This mechanism eliminates the need for a third party to provide authentication by constructing a direct interaction between the user and the service provider.

The service provider can be a protected "hardware wallet" app that requests the service. The mechanism can then be divided into three main steps:

  1. Login. In this first step, instead of using a username and a password for login, the app uses a QR code as the authentication method, since a QR code makes it easy to encode the authentication request. The next step is to verify the request and create the response.
  2. Verify Request. This step contains the procedures that ensure authentication. First, public-key cryptography is used to verify that the request data is legitimate and that the app is the one the user expects to use. This allows the app to sign the request, which is then published either through the blockchain or through a certificate authority. To support a simple transition, it begins with the certificate authority system used in TLS for HTTPS, then transitions to full blockchain authentication by creating an app identity on the blockchain. After that, the user clicks a "verify login" button.
  3. Create Response. The last stage is to create a response after the user clicks the "verify login" button. After this action, the app creates a response, signs it, and sends it back to the user through a specified route on the app. This response is then verified using PKI on the protected app, and the user is logged in.
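The three-step handshake above, modelled as an added Go example written for this page rather than Tapestry IO's proprietary procedure: a `Registry` map stands in for the certificate-authority or on-chain lookup of a public key, Ed25519 is assumed for both the app and the user keys, and the request and response payload formats are assumptions of this example. The app id `wallet-app` and user id `alice` are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Registry stands in for the lookup the text describes (certificate authority
// first, app identity on the blockchain later): identifier -> public key.
type Registry map[string]ed25519.PublicKey

// LoginRequest is what the QR code would encode in step 1.
type LoginRequest struct {
	AppID     string
	Nonce     string // fresh per login attempt, hex-encoded
	IssuedAt  int64  // unix seconds, lets the agent reject stale codes
	Signature []byte
}

func (r LoginRequest) payload() []byte {
	return []byte(fmt.Sprintf("login|%s|%s|%d", r.AppID, r.Nonce, r.IssuedAt))
}

// LoginResponse is what the user's agent returns after "verify login".
type LoginResponse struct {
	UserID    string
	Nonce     string
	Signature []byte
}

func (r LoginResponse) payload() []byte {
	return []byte(fmt.Sprintf("verified|%s|%s", r.UserID, r.Nonce))
}

// App is the service-provider side: its signing key, the users whose keys it
// knows, and the requests it has issued but not yet seen answered.
type App struct {
	ID      string
	priv    ed25519.PrivateKey
	users   Registry
	pending map[string]LoginRequest
}

func NewApp(id string, priv ed25519.PrivateKey, users Registry) *App {
	return &App{ID: id, priv: priv, users: users, pending: map[string]LoginRequest{}}
}

// Step 1 (login): the app signs a nonce-bearing request for the QR code.
func (a *App) NewLoginRequest(now time.Time) (LoginRequest, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return LoginRequest{}, err
	}
	req := LoginRequest{AppID: a.ID, Nonce: hex.EncodeToString(nonce), IssuedAt: now.Unix()}
	req.Signature = ed25519.Sign(a.priv, req.payload())
	a.pending[req.Nonce] = req
	return req, nil
}

// Step 2 (verify request): the user's agent checks that the app is the one the
// user expects before offering the "verify login" button.
func VerifyRequest(apps Registry, req LoginRequest, now time.Time, maxAge time.Duration) error {
	pub, ok := apps[req.AppID]
	if !ok {
		return errors.New("unknown app identity")
	}
	if !ed25519.Verify(pub, req.payload(), req.Signature) {
		return errors.New("request signature does not match the registered app key")
	}
	if age := now.Sub(time.Unix(req.IssuedAt, 0)); age < 0 || age > maxAge {
		return errors.New("request is outside the accepted time window")
	}
	return nil
}

// Step 3 (create response): the user's agent signs a response bound to the
// nonce, so it cannot be reused for a different login attempt.
func CreateResponse(userID string, userPriv ed25519.PrivateKey, req LoginRequest) LoginResponse {
	resp := LoginResponse{UserID: userID, Nonce: req.Nonce}
	resp.Signature = ed25519.Sign(userPriv, resp.payload())
	return resp
}

// VerifyResponse completes the login on the app side: the nonce must be one it
// issued and not yet consumed, and the signature must match the user's key.
func (a *App) VerifyResponse(resp LoginResponse) error {
	if _, ok := a.pending[resp.Nonce]; !ok {
		return errors.New("unknown or already used nonce")
	}
	pub, ok := a.users[resp.UserID]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, resp.payload(), resp.Signature) {
		return errors.New("response signature does not match the user's key")
	}
	delete(a.pending, resp.Nonce) // single use: a replayed response fails above
	return nil
}

func main() {
	appPub, appPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	app := NewApp("wallet-app", appPriv, Registry{"alice": userPub})
	apps := Registry{"wallet-app": appPub}
	now := time.Now()
	req, _ := app.NewLoginRequest(now)
	fmt.Println(VerifyRequest(apps, req, now, 2*time.Minute)) // <nil>
	resp := CreateResponse("alice", userPriv, req)
	fmt.Println(app.VerifyResponse(resp), app.VerifyResponse(resp)) // <nil> unknown or already used nonce
}
```

The nonce is what ties the three steps together: the agent verifies the app's signature over it before showing "verify login", the user signs it back, and the app deletes it once consumed, so a captured response cannot log anyone in a second time. Checking the app's signature against the registry before the user acts is the step that protects the user from a QR code planted by an app other than the one they expect.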