I will bet that nearly 100% of you had a scam phone call in the last week. Someone called, pretending to be someone they weren't. The caller ID confirmed what they said. Here in Canada we see a lot of CRA scams (the CRA is the tax agency): someone calls and tries to convince you that you must buy some online gift cards or go to jail. Mutual identity is hard to establish.
Identity is a funny thing. We can all identify a friend in person. It's a combination of how you look and act. But bringing this to an online world is complex. The most common case you see is e.g. opening the web site of your bank. You enter 'https://mybank', and you look for the 'green' lock icon. It means that the site is who it says it is.
But, a few questions spring to mind:
- Is it what I think it is? Maybe it should be https://my-bank?
- How can they identify me? This should be mutual.
In the phone world we tend to trust the caller-ID. But you should not. It is very simple to spoof the caller-ID, and this might never be fixable. So a phone number is not a valid method of asserting identity.
So too, in the online world, an IP address is not a trustworthy means of establishing identity. We need something stronger.
This gets even harder when we realise this crosses trust domains. I trust my bank; my bank trusts its own databases, but also the external providers it may use. Federated identity is even more complex.
We use a mutual TLS standard (based around Istio and SPIFFE) to give us workload-to-workload identity. In this video I talk a bit about why.
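To make the "something stronger" concrete, here is an added example (not code from this post or from Istio/SPIFFE) of what a workload does after a mutual TLS handshake: it demands a client certificate chained to the trust bundle, pulls the SPIFFE ID out of the peer certificate's URI SAN, checks it belongs to the expected trust domain, and only then consults an allow-list. The trust domain, allow-list and sample certificate dict are constructed for illustration.

```python
import ssl
from urllib.parse import urlparse

# Constructed values for this example; a real deployment gets these from its SPIFFE/Istio config.
TRUST_DOMAIN = "example.org"
ALLOWED_PEERS = {"spiffe://example.org/ns/payments/sa/ledger"}


def server_context(cert_file, key_file, ca_file):
    """TLS server context that requires a client certificate chained to our trust bundle.

    This is authentication only (the peer holds a key the CA vouched for).
    Which identity is *allowed* to talk to us is decided separately by authorize().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED          # no client cert, no connection
    ctx.load_cert_chain(cert_file, key_file)     # our own X.509-SVID
    ctx.load_verify_locations(cafile=ca_file)    # the trust domain's CA bundle
    return ctx


def spiffe_id_from_peercert(peercert):
    """Return the single spiffe:// URI SAN from a getpeercert()-style dict, else None.

    ssl.SSLSocket.getpeercert() returns this dict only for a verified peer; an
    X.509-SVID must carry exactly one URI SAN, so anything else is rejected.
    """
    uris = [v for k, v in peercert.get("subjectAltName", ()) if k == "URI"]
    spiffe = [u for u in uris if u.startswith("spiffe://")]
    if len(spiffe) != 1:
        return None
    p = urlparse(spiffe[0])
    # A SPIFFE ID is scheme + trust domain + path: no userinfo, port, query or fragment.
    if p.username or ":" in p.netloc or p.query or p.fragment or not p.path:
        return None
    return spiffe[0]


def authorize(peercert, trust_domain=TRUST_DOMAIN, allowed=ALLOWED_PEERS):
    """Authorize a verified peer by its SPIFFE ID, not by IP address or hostname."""
    sid = spiffe_id_from_peercert(peercert)
    if sid is None:
        return False
    if urlparse(sid).netloc != trust_domain:
        return False   # foreign trust domain: needs an explicit federation bundle
    return sid in allowed


# Constructed sample shaped like ssl.SSLSocket.getpeercert() output for an X.509-SVID.
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "example-workload"),),),
    "subjectAltName": (("URI", "spiffe://example.org/ns/payments/sa/ledger"),),
}
```

After `ctx.wrap_socket(...)` on a real connection, pass `conn.getpeercert()` to `authorize()` before serving any request; the IP the packet arrived from never enters the decision.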