The LSPI Protocol
An open standard for digital identity
At the dawn of urbanisation a technology was invented to solve a growing problem: derived from profession, location or physical traits, the surname made it possible to identify people with the same first name. As towns became cities another problem arose. In Europe buildings were identified with symbols, but in Vienna in the 1800s a golden eagle marked twenty-nine different buildings; this problem was solved with the invention of the numerical address. With each subsequent era, new forms of identity emerged to solve the problem of the day. War and mobility gave us the passport; trade and modern banking, the account number; and the information age, the telephone number, e-mail address and password.
Today these attributes are widely accepted as identity information and used by companies and governments. As the number of organisations holding personal information has grown, driven by the internet and personal computing, the threat to individual privacy and security has increased exponentially. To combat rising fraud and identity theft, organisations ask for more personal information, creating a vicious cycle that has begun to exclude people from vital services. This has become a global problem, affecting benefit recipients in Britain, school children in India and refugees in Europe. Just as the use of symbols became untenable in the 1800s, today the widespread use of personal information has become unsustainable.
Instead of asking users for personal information, organisations can ask other organisations using authorisation delegation protocols such as OAuth. To use OAuth, organisations must first register with the provider, but to offer access to APIs, organisations face the inordinate challenge of persuading others to include their authorisation option. This presents a discovery problem that limits the diversity of available resources, impedes access to existing APIs and restricts the development of new APIs.
The localised, self-propagating identifier (LSPI) protocol changes the way that organisations access information. Within an OAuth framework, the LSPI protocol enables third-party authorisation of API access requests. Changing how organisations access information will change the mechanics of identity. Personal information can then be replaced with secure alternatives like claims, tokens and zero-knowledge proofs.
The use of personal information to communicate individual identity is unsustainable. Alternative methods of identity assurance require the secure exchange of information between organisations and the use of claims, tokens and zero-knowledge proofs to protect personal privacy and security. OAuth provides a mechanism for connecting two organisations but requires clients to include numerous authorisation options that users find redundant. This limits OAuth authorisation and APIs to a handful of large companies with the scale to justify the inclusion of OAuth options. The LSPI protocol addresses this problem by allowing service providers to authorise access to APIs maintained by other organisations. By enabling greater connectivity between organisations, the way that companies and governments use information will also change. Without forging these connections, personal information will prevail, fraud and identity theft will continue to increase exponentially and more people will find themselves without a viable form of identity.
- Prototype
The advent of networked computing has exposed significant flaws in the use of personal information as a vehicle for identity. The lead researcher of the British Government's National Technology Team has compared this problem to antibiotic resistance: the more personal information is used, the weaker it becomes, a statement reinforced by a 57% annual increase in identity theft. In April 2018 we published The LSPI Protocol Draft Version 0.5. In partnership with standards bodies, key companies and advisors, the LSPI Project will oversee the development of the LSPI protocol to an accepted open standard.
The LSPI Protocol is designed to make accessing or exposing resources significantly easier for organisations and to support the secure exchange of claims, tokens and zero-knowledge proofs instead of personal information.
The LSPI protocol expands the role of OAuth service providers to include authorising access to APIs operated by other organisations. Service providers using the LSPI protocol will match scopes requested by a client to scopes available from other clients, authorise requests and send pairwise request tokens and other parameters. Request tokens and other parameters are then exchanged directly between clients for access tokens or refresh tokens. This approach will be incorporated by adding one parameter to an OAuth request and painting an LSPI database.
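An added sketch of the service-provider flow described above (not code from the LSPI draft or the project): it matches requested scopes against a registry, mints one request token per client pair, and has the receiving client reject a token that is replayed or presented by the wrong party. The registry contents, token layout, per-client HMAC keys and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed registry standing in for the service provider's LSPI database:
# client_id -> scopes that client exposes through its own API.
REGISTRY = {
    "bank.example": {"verified_identity", "proof_of_address"},
    "telco.example": {"proof_of_address"},
    "shop.example": set(),
}
# Assumption: the service provider shares one secret with each registered
# client so that client can verify request tokens addressed to it.
CLIENT_KEYS = {cid: secrets.token_bytes(32) for cid in REGISTRY}
SPENT = set()  # nonces of request tokens that were already redeemed

def _mac(provider, msg):
    return hmac.new(CLIENT_KEYS[provider], msg.encode(), hashlib.sha256).hexdigest()

def match_scopes(requester, requested):
    """Map every *other* client offering a requested scope to the scopes it can serve."""
    matches = {}
    for cid, offered in REGISTRY.items():
        hit = offered & set(requested)
        if cid != requester and hit:
            matches[cid] = sorted(hit)
    return matches

def authorise(requester, requested):
    """Service-provider step: one pairwise request token per (requester, provider)."""
    tokens = {}
    for provider, scopes in match_scopes(requester, requested).items():
        msg = "|".join([requester, provider, " ".join(scopes), secrets.token_hex(8)])
        tokens[provider] = f"{msg}|{_mac(provider, msg)}"
    return tokens

def redeem(provider, presenting_client, token):
    """Provider-client step: return granted scopes, or None if the token is rejected.
    presenting_client is assumed to come from ordinary OAuth client authentication."""
    msg, _, tag = token.rpartition("|")
    if not hmac.compare_digest(tag.encode(), _mac(provider, msg).encode()):
        return None  # forged, altered, or minted for a different provider
    requester, audience, scopes, nonce = msg.split("|")
    if audience != provider or requester != presenting_client or nonce in SPENT:
        return None  # wrong pair, or a replay of a token already exchanged
    SPENT.add(nonce)
    return scopes.split()
```

Binding each token to one requester and one provider is what makes it pairwise: a token leaked from one exchange is useless at any other client.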
The LSPI Protocol can be seamlessly incorporated with no action from the user required. No account created and no identity issued. The LSPI Protocol uses existing practices to forge new connections between existing data silos and enables more secure forms of identity such as tokens, claims or zero-knowledge proofs.
Developed as an open standard, any organisation will be free to use the LSPI protocol as a way of requesting access to APIs. By using standard scopes, any organisation with an available scope for, say, secure identity will be matched to organisations that want to access a secure identity once the user has consented to the connection.
The LSPI protocol builds on existing systems used by billions of people. Additional connection options are added to prompt messages that users are familiar with. These exchanges of digital information would require an internet connection but users would not be required to learn anything or adopt a new practice.
A technical specification for the LSPI protocol open standard will be developed with the Internet Engineering Task Force. Once published, we will encourage organisations to use the LSPI protocol to both access and expose resources and highlight the advantage of claims, tokens and zero-knowledge proofs.
- United Kingdom
- Academia/Research
- Academic/Researcher
- 1-5
- 1-2 years
The Department of Culture Media and Sport
"I’ve been following the LSPI project since February 2017 while working with GDS and DCMS. Open protocols that let citizens leverage their digital identities are key to a functioning identity ecosystem. The LSPI protocol is an elegant solution to this complex problem. In addition, this approach fits very well with Government's approach to open standards as laid out in the GDS Open Standards Principles and I would encourage it’s ongoing development."
Thom Townsend, Head of data policy, UK government
The LSPI Project is led by Jonathan Nash. Jonathan has run technology companies in the US and UK, built engineering teams, developed products and raised capital. As co-founder of Mainstream, he developed a live video streaming platform with former Facebook and ABC executives, and as the founder of Slight he launched an anonymous messaging service. Our engineering team includes experts on privacy and digital identity. Justin Richer is a respected contributor to open standards specifications and open source implementations, Colin Wallis has 15 years' experience contributing to international standards and Devin Hunt is an engineer and former CPO of Lyst.
Money. Developing standards costs money and the benefits are so broadly distributed that grant funding is the primary, viable source of funding.
As with any standard, a significant number of parties need to use the standard for it to become useful. The LSPI protocol offers significant advantages to all parties, and adoption by dominant OAuth service providers would significantly advance uptake.