I was invited to speak at the Bitcoin in Education (BCINED) conference held in Groningen, September 5, 2017. Topic of my presentation: “Blockchain & Identity: Why you should avoid the blockchain like the plague“. While listening to the morning keynotes, praising the many benefits of using blockchains in education and for managing (academic) credentials in particular, I realised my message might provide a very much needed counterpoint. The short summary: using blokchain for identity management is ridiculous.

One particular initiative mentioned several times was Blockcerts. Its stated goal: to allow people to issue credentials to the blockchain and to allow other people to verify such credentials. So that people own their own credentials, and have control over who they show them to. Also, the goal is to avoid single points of failure: once a credential is issued to you, you should always be able to prove its possession to others. (Actually, the *real* goal is totally different: to reduce credential fraud when credential issuers are compromised. See further below.)

All very laudable goals indeed. However, you don’t need a blockchain for that. In fact credentials can reliably be used without a blockchain. In fact, blockcerts introduces two problems: *lack of privacy*, and adding *dependency of (another) intermediary*.

All credentials managed through Blockcerts are public. To be clear: they are not stored on the blockchain directly, but a hash of them is (which binds the credential to its issuer and the time it was issued). The credential itself is signed by the issuer, which makes it authentic and binds it its owner. In itself this does not appear to create a big privacy problem, compared to standard PKI certificates. However, one of the keynotes suggested that also uses, i.e. verifications, of credentials could be logged on the blockchain. That information could subsequently be used to make e.g. policy decisions on employability: which academic credentials lead to the best employment opportunities? This is a privacy nightmare.

Moreover, the use of a blockchain adds a middleman, a party on which you (need to) rely for the continuous use of the credentials you own. Creating credentials (and perhaps even using them) is modelled as a transaction for which a significant fee needs to be paid. Moreover, what would happen to all credentials once issued to some blockchain, if that blockchain ceases to operate? The raw blockchain data is of course still available and maintains its blockchain structure. Yet the integrity-preserving features of the blockchain disappear as soon as it is no longer actively used.

To be clear, standard certificates in a public key infrastructure (PKI) suffer from many problems too. Those should be avoided as well. However, so called *attribute based credentials* (ABCs) have been invented some fifteen years ago to overcome these problems. ABCs offer self-sovereign identity management, with superior privacy and availability properties.

In essence, ABCs allows users to obtain credentials from issuers, that express that the owner of the credential has certain attributes. For example that they have a certain high school diploma, with the final grades obtained for the courses. Such a credential is issued by the school, as this is the (only!) institute that can vouch for the veracity of these attributes. Users store these credentials locally, and can make backups if desired. This guarantees availability.

Credentials can subsequently be used to prove possession of certain attributes to relying parties (employers, secondary stages of education). ABCs implement this in a privacy friendly manner, and implements *selective disclosure* which allows you to show the grade you obtained for science, while hiding the grade for math. Even better, ABCs implement *unlinkability*: the issuer does not see where the credential is used, and even a relying party will not be able to see whether a single user is using his or her credential many times with the same relying party. This guarantees a superior level of privacy, compared to the blockchain certificates of Blockcerts. For more information, see our work in this area.

So what made people think that a blockchain would be useful in the context of credentials? That’s revocation. Or rather: to prevent abuse of the credential infrastructure when an issuer is compromised. If the issuer private key, with which it signs its credentials, is stolen the adversary can sign credentials of its choosing and even backdate them, giving them a date before the issuer reported the compromise (and changed its key). When all credentials that are issued are also recorded on a blockchain, the order in which they were issued is fixed. In this case the adversary can no longer backdate credentials when it gets hold of the issuer private key. Provided everyone that verifies a credential checks the revocation status of the issuer key, and checks the blockchain to insure that the credential was indeed issued before the key was compromised. This works as advertised, but using a blockchain is overkill: you don’t need global consensus on the order in which *all* credentials of *all* issuers were issued. All you need is that each issuer keeps a list of all issued credentials in a *local* immutable record (using a simple hash-chain, for example) against which a verifier can check the status of a credential.

Anyway, the real problem of using credentials in education is semantic in nature. For example: what does a credential like “The Frysian University of Franeker certifies that John Doe successfully completed the master programme on Cow Management” actually mean? What guarantees does it give regarding the qualifications of John Doe? This seems hard to solve using technology. Blockchains do not help here.

Another, slightly related, problem is credential binding: how can I be sure that the John Doe standing in front of me is the same John Doe mentioned in the credential? This is a general problem in identity management, for which I have not seen any satisfactory solutions yet.

Identity management is hard. Blockchains do not make it any easier.

Bron: Blog Jaap-Henk Hoepman