First published April 2018.
For at least five years there has been a distinct push within the identity management industry towards attributes: a steady shift from who someone is to what they are. It might have started at the Cloud Identity Summit in Napa Valley in 2013, where Google/PayPal/RSA veteran Andrew Nash, speaking on a panel of “iconoclasts”, announced that “attributes are more interesting than identity”. A few months earlier, the FIDO Alliance had been born. On a mission to streamline authentication, FIDO protocols modestly operate low down the technology stack and leave identification as a policy matter to be sorted out by implementers at the application level. Since 2013, we’ve also seen the Vectors of Trust initiative, which breaks out different dimensions of authentication decision making, and a revamp of the US Federal Government authentication guide NIST SP 800-63, which decomposes the coarse old Levels of Assurance.
Across cyberspace more broadly, provenance is the hottest topic. How do we know what’s real online? How can we pick fake accounts, fake news, even fake videos?
Provenance in identity management is breaking out all over, with intense interest in Zero Knowledge Proofs of attributes in many Self Sovereign Identity projects, and verified claims being standardised in a W3C standards working group.
These efforts promise to reverse an inexorable complication. Identity has long been over-analysed and authentication over-engineered. The more strongly we identify, the more we disclose, and the unintended consequences just keep mounting.
Yet it doesn’t have to be so. Here’s what really matters:
- What do you need to know about someone or something in order to deal with them?
- Where will you get that knowledge?
- How will you know it’s true?
These should be the concerns of authentication. It’s not identity per se that usually matters; instead it’s specific attributes or claims about the parties we're dealing with. Furthermore, attributes are just data, and their provenance lies in metadata.
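As an added illustration (not code from the original article), here is how a Relying Party can act on those three questions without ever learning who the subject is. An issuer wraps an attribute in provenance metadata (issuer, issue time, expiry) and signs it; the RP decides purely from that metadata whether the attribute is true enough to rely on. Everything here is constructed for the example: the issuer names, the keys, the "current" time, and the policy. HMAC with a per-issuer secret stands in for the public-key signature a real verified-claims scheme would use, so the block runs with the standard library alone.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed issuer keys (assumption: in practice these would be issuers'
# public keys, and claims would carry public-key signatures, not HMACs).
ISSUER_KEYS = {
    "example-dmv": b"constructed-secret-key-for-dmv",
    "example-university": b"constructed-secret-key-for-uni",
}

# Constructed "current time" so the example is deterministic.
NOW = datetime(2018, 4, 1, tzinfo=timezone.utc)


def _signing_input(claim):
    """Deterministic bytes over body + metadata (the signature itself is excluded)."""
    return json.dumps({"body": claim.get("body"), "meta": claim.get("meta")},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_claim(body, issuer, key, issued_at, ttl_days=30):
    """Issuer side: attach provenance metadata to an attribute and sign it.
    Note there is no name anywhere: the subject is an opaque, per-RP handle."""
    claim = {
        "body": body,                       # the attribute(s) the RP cares about
        "meta": {
            "subject": "pairwise-handle-7f3a",   # constructed opaque handle
            "issuer": issuer,
            "issued_at": issued_at.isoformat(),
            "expires_at": (issued_at + timedelta(days=ttl_days)).isoformat(),
        },
    }
    claim["sig"] = hmac.new(key, _signing_input(claim), hashlib.sha256).hexdigest()
    return claim


def verify_claim(claim, trusted_issuers, now):
    """RP side: answer 'where did this come from?' and 'how do I know it's true?'
    using only the metadata. Returns (ok, reason)."""
    issuer = claim.get("meta", {}).get("issuer")
    key = trusted_issuers.get(issuer)
    if key is None:
        return False, f"issuer {issuer!r} not trusted by this RP"
    expected = hmac.new(key, _signing_input(claim), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, claim.get("sig", "")):
        return False, "signature mismatch (claim altered or forged)"
    if datetime.fromisoformat(claim["meta"]["expires_at"]) <= now:
        return False, "claim expired"
    return True, "ok"


def rp_decision(claims, policy, trusted_issuers, now):
    """RP policy: every required attribute must be satisfied by a verified claim.
    'policy' maps attribute name -> predicate over the attribute's value."""
    satisfied, rejected = {}, []
    for claim in claims:
        ok, reason = verify_claim(claim, trusted_issuers, now)
        if ok:
            satisfied.update(claim["body"])
        else:
            rejected.append(reason)
    for attr, predicate in policy.items():
        if attr not in satisfied or not predicate(satisfied[attr]):
            return {"authorised": False, "reason": f"unsatisfied: {attr}", "rejected": rejected}
    return {"authorised": True, "reason": "all required attributes verified", "rejected": rejected}


def demo():
    """Run the RP decision over four constructed claims: one good, one tampered,
    one expired, one from an issuer this RP does not trust."""
    policy = {"age_over_18": lambda v: v is True}   # all the RP needs to know
    dmv_key = ISSUER_KEYS["example-dmv"]
    fresh = NOW - timedelta(days=1)

    good = sign_claim({"age_over_18": True}, "example-dmv", dmv_key, fresh)
    # An honest "no" that the holder edits to "yes" after signing:
    tampered = json.loads(json.dumps(sign_claim({"age_over_18": False}, "example-dmv", dmv_key, fresh)))
    tampered["body"]["age_over_18"] = True
    stale = sign_claim({"age_over_18": True}, "example-dmv", dmv_key, NOW - timedelta(days=60))
    untrusted = sign_claim({"age_over_18": True}, "some-random-site", b"unknown-key", fresh)

    return {
        "good": rp_decision([good], policy, ISSUER_KEYS, NOW),
        "tampered": rp_decision([tampered], policy, ISSUER_KEYS, NOW),
        "stale": rp_decision([stale], policy, ISSUER_KEYS, NOW),
        "untrusted": rp_decision([untrusted], policy, ISSUER_KEYS, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} authorised={result['authorised']}  {result['reason']}  {result['rejected']}")
```

The decision logic never inspects a name, date of birth or account number; it checks an attribute, who asserted it, when, and whether the assertion still holds. That is the whole of what the three questions above ask of an RP, and it is also why the trusted-issuer list and the expiry window, rather than any notion of "identity", are the security-relevant settings in this design.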
The conventional wisdom in identity and access management (IDAM) now is that few transactions really need your identity. So why don’t we just kill it off? Let’s instead focus on what it is that parties really need to know when they transact, and work out how to deliver that knowledge in our transaction systems.
IDAM has been framed for years around a number of misnomers. “Digital identity” for instance is nothing like identity in real life, and “digital signatures” are very strange signatures. Despite the persistent cliché, there are no online “passports”.
But the worst misnomer of all is the Identity Provider, an abstraction invented over a decade ago to try to create a new order (dubbed at the time the “Identity Metasystem”). Now, I agree in theory that bank accounts, for example, may be regarded as “identities”, and it follows that banks could be regarded as “identity providers” (IdPs). But these conceptual models have proved sterile. How many banks in fact see themselves as “identity providers”? No IdPs actually emerged from well-funded programs like Identrus or the Australian Trust Centre, and only one bank ever set up as an IdP in the GOV.UK Verify program. If Identity Providers are such a good idea, they should be widespread by now in all advanced digitizing economies!
The truth is that Identity Providers, as imagined, can’t deliver. Identity is in the eye of the Relying Party. The state of being identified is determined by a Relying Party (RP) once it is satisfied that enough is known about a data subject to manage the risk of transacting with them.
Identity is metaphorical shorthand for being in a particular relationship, defined by the RP (for it is the RP that carries most of the risk if an identification is faulty). Identity is not the sort of good or service that can be provided; it is a state that is defined and conferred by RPs. The metaphor of identity provision is all wrong; canonical Digital Identity is a false idol.
We hardly ever need to know "who people are" online (or in real life for that matter); we just need to know certain specifics about them. So let’s get over identity, and devote our energies to critical infostructure to supply the reliable data and metadata so urgently needed for an orderly digital economy.