Wednesday 9 April 2008

Trust levels of Identity Providers

I would like my company to use InfoCard with claims as an identification and authentication method for customers and personnel, perhaps even as an authorisation scheme. We are a relying party, mapping claims to user authorisations in our information systems. But what is the level of trust of an InfoCard that a user presents to us?

In order to verify an online identity, a relying party validates the supplied digital identity (the token backing the InfoCard) and checks its claims.
A relying party can distinguish managed cards from self-issued cards. That way the relying party can tell identities vouched for by an identity provider (managed) from identities the user vouches for alone (self-issued). Self-issued identities in fact deserve about the same level of trust as user IDs and passwords: very little.

But can a relying party distinguish between the identity providers that supply managed cards? I have not yet found information on this matter and am still studying it. Unless there is a standard 'Identity Provider trust level' definition, every third-party IP looks alike: every IP could hand out the same claims. Yet some claims are more valuable than others. Some can be trusted, others cannot, and the difference lies in who asserts them and how that issuer verified them.

If there were a standard 'Identity Provider trust level' definition, such a mechanism would have to be certified. A relying party could then demand proof of the trust level of an identity provider before accepting its cards.
Besides that, there should be a number of standard claims describing the authentication method used at issuing: face to face, physical passport checked, digital passport checked. With those, we can decide what rights we assign to a user, based on both the trust level of the issuer of his digital identity and the authentication method that was used when the card was issued. Note that such a claim only means something when it comes from an issuer we trust to make it; the same claim in a self-issued card is just a user assertion.
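The following is an added example of what the relying-party side of this scheme could look like; it is not code from the original post. It models the two distinctions discussed above: self-issued versus managed cards, recognised by the self-issued issuer URI that CardSpace uses, and one managed-card issuer versus another, recognised by the thumbprint of the certificate that signed the token. It assumes the token's XML signature has already been verified and the signing certificate's thumbprint extracted, represents tokens as plain dicts, and uses a hypothetical `authenticationmethod` claim URI; the thumbprints, claim values and right names are constructed for the example.

```python
"""Relying-party authorisation keyed on issuer trust level and on the
authentication method the issuer asserts it used at issuance.

Assumptions (not from the original post): the token's signature has already
been verified and the signer's certificate thumbprint extracted; the
AUTH_METHOD claim URI is hypothetical; thumbprints and rights are constructed.
"""
from dataclasses import dataclass

# Issuer URI CardSpace puts in tokens backing self-issued cards.
SELF_ISSUED = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL = CLAIMS + "emailaddress"
PPID = CLAIMS + "privatepersonalidentifier"
# Hypothetical claim: how the issuer authenticated the user when issuing the card.
AUTH_METHOD = "http://example.com/claims/authenticationmethod"


@dataclass(frozen=True)
class IssuerPolicy:
    name: str
    trust_level: int            # 0 = self-issued ... 3 = strongest issuer
    allowed_claims: frozenset   # claims this issuer is trusted to assert
    rights_by_auth: dict        # auth-method claim value -> rights granted


# A self-issued card is only trusted to carry a PPID and whatever the user
# typed in; it gets the least privilege we hand out at all.
SELF_POLICY = IssuerPolicy(
    name="self-issued",
    trust_level=0,
    allowed_claims=frozenset({PPID, EMAIL}),
    rights_by_auth={None: frozenset({"view-public"})},
)

# Managed-card issuers, keyed on signing-certificate thumbprint (constructed).
MANAGED_ISSUERS = {
    "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334": IssuerPolicy(
        name="webshop-idp",
        trust_level=2,
        allowed_claims=frozenset({PPID, EMAIL, AUTH_METHOD}),
        rights_by_auth={
            "password": frozenset({"view-public"}),
            "passport": frozenset({"view-public", "place-order"}),
        },
    ),
    "ffeeddccbbaa99887766554433221100a0b0c0d0": IssuerPolicy(
        name="government-idp",
        trust_level=3,
        allowed_claims=frozenset({PPID, EMAIL, AUTH_METHOD}),
        rights_by_auth={
            "passport": frozenset({"view-public", "place-order"}),
            "face-to-face": frozenset({"view-public", "place-order", "approve-payment"}),
        },
    ),
}


class TokenRejected(Exception):
    """Token comes from an unknown issuer or via an unacceptable method."""


def policy_for(token):
    """Pick the issuer policy: self-issued URI, else the signer's thumbprint."""
    if token["issuer"] == SELF_ISSUED:
        return SELF_POLICY
    policy = MANAGED_ISSUERS.get(token.get("signer_thumbprint"))
    if policy is None:
        raise TokenRejected("managed card from an issuer we do not trust")
    return policy


def authorize(token):
    """Return (issuer trust level, rights) for a verified token."""
    policy = policy_for(token)
    # Drop claims the issuer is not trusted to make: a self-issued card
    # asserting 'face-to-face' is just the user's own word and is ignored.
    claims = {k: v for k, v in token["claims"].items() if k in policy.allowed_claims}
    method = claims.get(AUTH_METHOD)
    rights = policy.rights_by_auth.get(method)
    if rights is None:
        raise TokenRejected(f"{policy.name} not accepted for method {method!r}")
    return policy.trust_level, rights


# Constructed sample tokens (signature assumed already verified).
TOKEN_SELF = {
    "issuer": SELF_ISSUED, "signer_thumbprint": None,
    "claims": {PPID: "ppid-1", EMAIL: "user@example.com", AUTH_METHOD: "face-to-face"},
}
TOKEN_GOV = {
    "issuer": "https://idp.example.gov/", 
    "signer_thumbprint": "ffeeddccbbaa99887766554433221100a0b0c0d0",
    "claims": {PPID: "ppid-2", EMAIL: "user@example.com", AUTH_METHOD: "face-to-face"},
}
TOKEN_SHOP_NO_METHOD = {
    "issuer": "https://idp.example.com/", 
    "signer_thumbprint": "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334",
    "claims": {PPID: "ppid-3", EMAIL: "user@example.com"},
}
TOKEN_UNKNOWN = {
    "issuer": "https://idp.example.org/", "signer_thumbprint": "0000000000000000000000000000000000000000",
    "claims": {PPID: "ppid-4"},
}

if __name__ == "__main__":
    for name, tok in [("self", TOKEN_SELF), ("gov", TOKEN_GOV)]:
        print(name, authorize(tok))
```

The self-issued card in the sample carries a `face-to-face` claim, and still only gets `view-public`: the claim is filtered out before the rights lookup because the self-issued policy does not list it among the claims that issuer may assert. A managed card from a known issuer that omits the authentication-method claim is rejected rather than given a default, and a card signed by a certificate that is not in the registry is rejected outright.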

We might even become an Identity Provider ourselves, issuing valuable digital identities (InfoCards, of course). But to do that, we must know how to make our digital identities recognisably trusted in a standard way, so that they cannot be mistaken for digital identities issued by less trusted Identity Providers.