credentials / irma_mobile

IRMA app for iOS and Android
Apache License 2.0

Multiple citizenship requires walled off identities #71

Closed alexxroche closed 5 years ago

alexxroche commented 5 years ago

If the user has multiple citizenship, each country may make requirements about their disclosure of attributes. This means that the client MUST have sufficient abstraction for the grouping of a single citizen "identity" under a separate (or the same) PIN. This will also help with the duress resistance and deniability features that the client app requires.

It would be nice if the user also has the option to view all attributes in all of their citizenships at once (but some very good UI/UX is required to help the user sign with their intended citizenship).

Additionally this will help with heirloom identities that can/will be passed between users. (If I become Dean of another University, I can import that attribute from my predecessor, to show continuity.)

davidv1992 commented 5 years ago

Sorry for the late response. Currently the ideas described are not on our roadmap. In terms of remote disclosure, not revealing whether you have an attribute is already covered, since the protocol used during sessions does not disclose whether a session was cancelled due to the user not wanting to give the requested data, or the user not having said data.

For the physical (somebody standing next to you) attack scenarios, it is actually near impossible to implement this securely on phones. If a government entity manages to force you into unlocking your phone, they will unfortunately always be able to read the information currently in the app (whether the app wants this or not), and there is no realistic way of encrypting data to prevent this.

For heirloom identities, IRMA doesn't really work that way. IRMA itself isn't organised in identities, but rather in terms of credentials, which are sets of information about you, verified by some 3rd party. So you don't really have an identity in the app immediately, as much as you have an attestation that you have that identity. Hence, should an heirloom identity move on to another person, the flow is that that person should request a new credential attesting that they now have that heirloom identity.