Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Over-engineering a No-No except in Digital Identity!

Why should digital identity be so tricky? The past decade is littered with earnest initiatives that failed to meet expectations (like the Australian Trust Centre) and consortia that over-promised and under-delivered (such as Liberty Alliance). Over time I’ve been a part of three promising federated identity initiatives, all of which failed to launch. For the past decade we’ve had countless deconstructions of “trust” and dissertations on “identity”, but none of this work has led to the sort of breakthrough that’s clearly needed.

Now we have Kantara in Liberty's place, and the Open Identity Exchange (OIX), which is said to reflect an "ecosystem" of identity providers and consumers. The National Strategy for Trusted Identities in Cyberspace (NSTIC) has co-opted the OIX architecture as a given.

In spite of its conspicuous failures, and the revolving door of security industry consortia, Federated Identity has become an orthodoxy. NSTIC takes “federation” as a given.

All federated identity models start with the intuitively appealing premise that if an individual has already been identified by one service provider, then that identification should be made available to other services, to save time, streamline registration processes, reduce costs, and open up new business channels. It's a potent mix of supposed benefits, and yet strangely unachievable. True, we can now enjoy the convenience of logging on to multiple blogs and social sites with an OpenID, or an unverified Twitter account. But higher-risk services like banking, e-health and government welfare stand apart, still maintaining their own identifiers and sovereign registration processes.

What’s “open”?

“Open” is one of those feel-good words that are self-evidently desirable. Like “interoperable” and “ecosystem”, the term is bandied about without much examination. What exactly does “open” identity mean?

There is a strong implication in “open identity” that identities issued by different organisations can be (nay, should be) treated equally. But when I look at any of the ‘serious’ identities used when transacting with business and with government, there is almost always an obvious preferred issuer for each of them. Banks issue credit cards; health agencies issue health identifiers; governments issue driver licences, SSNs, tax file numbers and passports; employers issue employee IDs; registration bodies issue professionals’ credentials.

So these types of identities are not actually “open” on the issuer side.

Now, if there is usually a one-to-one relationship between a type of identity and the natural issuer of that identity (or in other words, if there is usually just one preferred issuer for each given identity), then a great deal of the open identity framework seems to be over-engineered.

Making things too complicated

This is just one example of the wide-ranging abstractions that characterise orthodox identity thinking, the aim of which is to create "trust frameworks" sufficient to enable business to be conducted amongst strangers. To this end, federated identity proponents implore banks and government agencies to re-invent themselves as "Identity Providers" in accordance with the weird and wonderful Laws of Identity. This is an unfamiliar role for many institutions, which have evolved over many decades to manage their members and business in tight silos.

The Laws of Identity and the new frameworks are chock-full of novel generalisations. They deconstruct identities, attributes and services, and imagine that when two parties meet for the first time with a desire to transact, they start from scratch to negotiate a set of attributes that confer mutual trust. Yet in practice, it is rare for parties in business to start from such a low base. Instead, merchants assume that shoppers come with credit cards, patients assume that doctors come with medical qualifications, and banks assume that customers have accounts. If you don't have the right credential for the transaction at hand, then that's just bad luck. You simply can’t do business, and you may have to go back, out of band, and get yourself appropriately credentialed.

Perhaps the most distracting generalisation in the new identity ecosystem is that Service Providers, Identity Providers and Attribute Providers are all different entities. In reality, these roles are usually fulfilled simultaneously and invisibly by banks, governments, social networks and so on, each serving the needs of distinct albeit overlapping groups of users.

All the federated identity projects I have worked on were undone by the legal complexity and loss of control that follow when customer relationship silos are broken down. It seems obvious with 20/20 hindsight, yet federation projects can battle on for years before they hit the wall.

If we are to avoid wasting more time and energy, we urgently need a new set of simplifying assumptions instead of complicating generalisations. Fresh thinking about digital identity won't only demystify the grand plans for federated identity; it will also help with more immediate challenges like electronic verification (EV) of identity, and bank account portability.

A great deal of effort has been wasted on federated models and open identity frameworks, catering for a utopia where parties have no prior business arrangements. We don't do routine transactions in the real world without context, and I can't see the point of designing radical new frameworks with untold liability implications to enable business to be done 'freestyle' online.

The urgent problems of identity theft and cyber fraud can be dealt with directly, by addressing the reliability of digital identity data. We don't need to change or extend the meaning of existing identities, nor the ways in which service providers deal directly with their clients. The generalisations in the open identity frameworks may be intellectually fascinating but they mostly only complicate matters.

Effective action in cyber security demands simplification, and not academic abstraction.

Posted in Security, Privacy, Identity
