zaterdag 20 juni 2009

Jim Harper and identity claims

The best book about identities that I read is Identity Crisis by Jim Harper. After you read the book, please come back and check this concept:

A digital identity is issued by an identity provider. The relying party has to be able to interpret the data in order to act on them. Important information is the trustworthyness of the identity provider (trust level). But just as important is the trust level of the identity information. An identity provider can issue digital identities based on a visual verification of a person, but also based on nothing more than an email address. The IdP may be trusted, but the value of the identity based on visual verification can be different from the identity based on an email verification.

Identity Providers should add this value of the identity in the digital passport. A claim should be used to differentiate identity trust level. The same goes for authentication (I will come back to this later).

Jim Harper identifies 4 different kinds of identity:
  • something you are
  • something you are assigned
  • something you know
  • something you have
This classification is not at all developed for the purpose of digital identification (and it is not meant as a classification for authentication, read the book!) But could it be used for the IdentityTrustLevel claim?
The first type of identity can be verified by visual verification of a physical id by the Identity provider. The IdP could check a user's passport or driver license. It is a very strong identity, based on some form for biometrics: visual check of the photo on an official document.
The second type of identity is the assigned identity. That could be an email address. It can be verified by addressing the identity (a claimed email address can be verified by e-mail verification).
The something you know identity is the shared secret. The IdP can verify by using a payment from a bank account. That fact that someone can make a payment through a trusted source must have some value in itself.
The last type is just an id issued by an IdP, without any verification. It's just handed over to a person (probably after an identity check, but that's not important, because that would make it a type 1 identity)
If the IdP would add a claim based on the type of identity and if relying parties would know how to interpret this identity, the trust level could be objectively identified.

I suppose that better classifications and claims could be defined, but I just like Harpers ideas. I just tried to analyse some of Harpers concepts, sorry for any trouble :)
Een reactie plaatsen