Towards an "Identity Ecosystem"?

The US Department of Homeland Security issued a draft report proposing a National Strategy for Trusted Identities in Cyberspace this past weekend. I found the document intriguing in the context of some of my thoughts on trust and identity, and my own recent participation in the ORCID project to create an identity standard for authors and other contributors to scientific research publications.

The draft report comes with a call for public commentary, and there are already some interesting comments that have made me think a little harder about what we're all trying to do here. The time seems ripe for some sort of digital identity standard, but there are an awful lot of concerns that need to be addressed. There are solutions that can be imposed from above (say a government-issued physical id token that connects to trusted infrastructure to identify who you are) but they all have somewhat draconian police-state implications anathema to a free society. We do all have social security numbers or something like that of course (drivers license numbers, credit card numbers, passport numbers, ...) - but the number isn't sufficient. Anybody who knows a valid number can use it, whether it's there's or not - identity theft is a real problem. Digital identity as it stands right now consists of many disjoint associations like those many different numbers associated with a given individual, each with its own set of risks and burden in upkeep.

So the scheme proposed in the draft report for a more open "identity ecosystem" was something I found very interesting and encouraging.

The draft report describes the "identity ecosystem" in general terms as follows:

It is an online environment where
individuals, organizations, services, and devices can trust each other because authoritative sources
establish and authenticate their digital identities. Similar to ecosystems that we find in nature, it will
require disparate organizations and individuals to function together and fulfill unique roles and
responsibilities, governed by an overarching set of standards and rules. The Identity Ecosystem also
enables anonymity for individuals interacting with services that do not require strong identification and
authentication.

There follow a set of definitions of the different components of this ecosystem:

  • An Individual is the person engaged in an online transaction. A digital identity, which is a set of attributes, represents an individual in a transaction.
  • A non-person entity (NPE) may require authentication in the Identity Ecosystem. NPEs can be an organizations, hardware, software, or services and are treated much like individuals within the Identity Ecosystem. NPEs may engage in a transaction or simply support it.
  • Individuals and NPEs are collectively referred to as the subjects of a transaction.
  • An Identity Provider (IDP) is responsible for the processes associated with enrolling a subject, and establishing and maintaining the digital identity associated with an individual or NPE. These processes include identity vetting and proofing, as well as revocation, suspension, and recovery of the digital identity. The IDP is responsible for issuing a credential, the information object or device used during a transaction to provide evidence of the subject’s identity; it may also provide linkage to authority, roles, rights, privileges, and other attributes.
  • The credential can be stored on an identity medium, which is a device or object (physical or virtual) used for storing one or more credentials, claims, or attributes related to a subject. Identity media are widely available in many formats, such as smart cards, security chips embedded in PCs, cell phones, software based certificates, and USB devices. Selection of the appropriate credential is implementation specific and dependent on the risk tolerance of the participating entities.
  • An Attribute Provider (AP) is responsible for the processes associated with establishing and maintaining identity attributes. Attribute maintenance includes validation, updates, and revocation. Attributes are a named quality or characteristic inherent or ascribed to someone or something (e.g., “Jane’s age is at least 21 years”). An attribute provider asserts trusted and validated attribute claims in response to attribute requests from relying parties. In certain instances, a subject may self-assert attribute claims to relying parties; however, relying parties often depend upon attribute assertions from trusted third parties capable of validating the accuracy of claims. Trusted, validated attributes form the basis by which relying parties will authorize subjects.
  • A Relying Party (RP) makes transaction decisions based upon its receipt, validation, and acceptance of a subject’s authenticated credentials and attributes. Within the Identity Ecosystem, a relying party selects and trusts identity, credential, and attribute providers of their choice based on risk and functional requirements. Relying parties are not required to integrate with all permutations of identity media. Rather, they will trust an identity provider’s assertion of a valid subject credential as appropriate. Relying parties also typically need to identify and authenticate themselves to the subject as part of transactions in the Identity Ecosystem.
  • Participants refer to the collective subjects, relying parties, identity media, service providers, and NPEs within a given transaction.
  • A Trustmark is a badge, seal, image or logo that indicates a product or service provider has met the requirements of the Identity Ecosystem, as determined by an accreditation authority. To maintain trustmark integrity, the trustmark itself must be resistant to tampering and forgery; participants should be able to both visually and electronically validate its authenticity. The trustmark provides a visible symbol to serve as an aid for individuals and organizations to make informed choices about the providers and identity media they use.
  • The Identity Ecosystem Framework is the overarching set of interoperability standards, risk models, privacy and liability policies, trustmark requirements, and enforcement mechanisms that govern the Identity Ecosystem.
  • A Governance Authority oversees and maintains the Identity Ecosystem Framework and defines the rules by which a product or service provider in the Identity Ecosystem attains trustmarks. In addition, the Governance Authority is accountable for certifying organizations that wish to become Accreditation Authorities.
  • An Accreditation Authority assesses and validates that identity providers, attribute providers, relying parties, and identity media adhere to an agreed upon Trust Framework.
  • A Trust Framework defines the rights and responsibilities of a particular set of participants in the Identity Ecosystem; specifies the rules that govern their participation; and outlines the processes and procedures that provide assurance. A Trust Framework considers the level of risk associated with a given transaction and its participants. Many different Trust Frameworks can exist within the Identity Ecosystem, as sets of participants can tailor them to their particular needs. However, the participants must align the Trust Frameworks with the overall Identity Ecosystem Framework.

The report goes on to describe three "layers" of functioning - the "execution layer", where a subject makes use of their identity in transactions with "relying parties", the "management layer", where a subject establishes their identity, and the "governance layer", where the identity and attribute providers (and relying parties? Not clear to me why they don't just function at the management layer) are registered and certified.

All this sounds quite reasonable - of course it's not the only such effort around. Aside from ORCID, there's also the International Standard Name Identifier which seems to be setting up a similar infrastructure of registration agents for identities associated with people or organizations that are involved in published works. And then there are existing open services like OpenID and OAuth, as well as proprietary systems like Facebook Connect, or the many places you can use a Google account, for example. It seems like the DHS proposal is taking all these developing offerings into account, and proposing a way to federate them all (or those who will participate). Good idea? Will it work?

There is still that fundamental question of trust - if the government becomes the underlying fundamental trust layer, well, how much do you trust it? Hmmmm....