Saturday 20 June 2009

Jim Harper and identity claims

The best book about identity that I have read is Identity Crisis by Jim Harper. After you have read the book, please come back and check this concept:

A digital identity is issued by an identity provider. The relying party has to be able to interpret the data in order to act on it. Important information is the trustworthiness of the identity provider (its trust level). But just as important is the trust level of the identity information itself. An identity provider can issue digital identities based on a visual verification of a person, but also based on nothing more than an email address. The IdP may be trusted, but the value of an identity based on visual verification differs from that of an identity based on email verification.

Identity providers should include this value of the identity in the digital passport: a claim should be used to express the identity trust level. The same goes for authentication (I will come back to this later).

Jim Harper identifies four different kinds of identity:
  • something you are
  • something you are assigned
  • something you know
  • something you have

This classification was not at all developed for the purpose of digital identification (and it is not meant as a classification for authentication; read the book!), but could it be used for the IdentityTrustLevel claim?

The first type of identity can be verified by visual verification of a physical ID by the identity provider: the IdP could check a user's passport or driving licence. It is a very strong identity, based on some form of biometrics, namely a visual check of the photo on an official document.

The second type is the assigned identity. That could be an email address. It can be verified by addressing the identity (a claimed email address can be verified by an email round trip).

The "something you know" identity is the shared secret. The IdP can verify it by using a payment from a bank account. The fact that someone can make a payment through a trusted source must have some value in itself.

The last type is just an id issued by an IdP, without any verification. It is simply handed over to a person (probably after an identity check, but that is not important here, because that check would make it a type 1 identity).

If the IdP added a claim based on the type of identity, and if relying parties knew how to interpret this claim, the trust level could be identified objectively.

I suppose that better classifications and claims could be defined, but I just like Harper's ideas. I have only tried to analyse some of Harper's concepts, sorry for any trouble :)

Thursday 18 June 2009

Claims and white lists

Since there is no trust hierarchy for identity providers yet, some other mechanism should be developed to be able to trust third-party identity providers. At least, this is needed if we want to act on identity information carried within the digital identity, the digital passport. As long as a digital identity is merely used instead of a userid and password, there is no problem: any digital identity used on a site is as good as a self-managed identity and password. But if a digital identity is used in a transactional way, or if someone wants to access confidential information, some trust in the reliability of the user's digital identity is needed to be able to control access.

As long as there is no structural solution for a trust hierarchy in identity space, white listing is the answer. In a white list a service provider can state which identity providers' identities can be trusted. But that is just the first step.

The second step is that a service provider could allow the use of claims defined by the white-listed identity provider. The service provider might accept specific claims issued by a specific identity provider.

In an earlier post I wrote that we would need only a few standard claims to be able to identify the value of a digital identity. What is needed is the level of verification of the identity by the identity provider and the authentication method. If these two claims were standardised across identity providers and service providers, we would only have to white-list an identity provider to be able to differentiate user authorizations based on the value of the digital identity.
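As an added example (not code from the original posts), here is how a relying party could combine the two ideas above: a white list that states which identity providers are trusted and which claims are accepted from each, and an authorization decision based on the IdentityTrustLevel and AuthenticationMethod claims, with the trust levels derived from Harper's four kinds of identity as discussed in the later post. The claim names, IdP URLs and the numeric ranking of the four identity types are assumptions made for this illustration, not a published standard.

```python
from dataclasses import dataclass, field

# Harper's four kinds of identity, ranked by how much verification the IdP did.
# The names and the ordering are an assumption made for this example.
IDENTITY_TRUST_LEVEL = {
    "have": 1,      # type 4: an id just handed over by the IdP, no verification
    "assigned": 2,  # type 2: e.g. an email address verified by an email round trip
    "know": 3,      # type 3: a shared secret, e.g. verified through a bank payment
    "are": 4,       # type 1: visual check of a passport or driving licence
}

@dataclass
class WhiteList:
    """Service-provider white list: IdP identifier -> claim names accepted from it."""
    entries: dict = field(default_factory=dict)

    def accepted_claims(self, idp, claims):
        """Return the claims the service provider agreed to accept from this IdP,
        or None when the IdP is not white-listed at all."""
        allowed = self.entries.get(idp)
        if allowed is None:
            return None
        return {name: value for name, value in claims.items() if name in allowed}

def authorize(whitelist, idp, claims, required_level, allowed_auth=None):
    """Decide access from the two standard claims the post proposes: the IdP must be
    white-listed, its IdentityTrustLevel must reach required_level and, if
    allowed_auth is given, its AuthenticationMethod must be one of those methods.
    Claims not accepted from this IdP are ignored, so they cannot raise the level."""
    accepted = whitelist.accepted_claims(idp, claims)
    if accepted is None:
        return False
    level = IDENTITY_TRUST_LEVEL.get(accepted.get("IdentityTrustLevel"), 0)
    if level < required_level:
        return False
    return allowed_auth is None or accepted.get("AuthenticationMethod") in allowed_auth

# Constructed sample white list (hypothetical IdP URLs): the first IdP is trusted
# for both standard claims, the second only for an email claim.
WHITELIST = WhiteList({
    "https://idp.example.org": {"IdentityTrustLevel", "AuthenticationMethod", "email"},
    "https://openid.example.net": {"email"},
})

if __name__ == "__main__":
    token = {"IdentityTrustLevel": "are", "AuthenticationMethod": "password"}
    # Confidential data: needs a visually verified identity and a stronger login.
    print(authorize(WHITELIST, "https://idp.example.org", token, 4, {"otp", "certificate"}))
```

Note that a trust-level claim presented by the second IdP is dropped before the decision is made, which is exactly the point of accepting only specific claims from specific white-listed providers.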

Yesterday there was an interesting meeting of some potential Dutch OpenID relying parties and OpenID identity providers.
I will participate in a working group to explore the possibilities of standardising claims and the trust level of identity providers. That second part is the tough one, as it will require some form of accreditation. But if this works for OpenID, it will of course also work for Information Cards.