Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Remember that Digital Identity is a metaphor

The seminal Laws of Identity define a Digital Identity as a set of claims made by one digital subject about itself or another digital subject.

It's important that this definition renders "identity" as a metaphor. Unfortunately the word "identity" in day-to-day use is suggestive of a more holistic property and is regarded intuitively as innate and pretty much invariant. So when we move from real world to digital, a presumption is carried over that identity can be lifted from one context and freely applied in others. So despite the careful framing of the Laws of Identity, many people still carry around a utopian idea of a singular digital identity based on a different metaphor: the passport. The tacit belief in the possibility of a universal digital passport has been a long standing distraction, and terribly unhelpful, for there is actually no such thing in the sense the word is used by technologists!

Ever since the early days of Big PKI, there has been the beguiling idea of an all purpose credential that will let its bearer into all manner of online services, enabling total strangers to "trust" one another online. Later Microsoft of course even named an early digital identity service "Passport", and the word is still commonplace in discussing authentication products. The idea is that the passport allows you to go wherever you like, yet the concept that the metaphor alludes to doesn't exist.

A real world passport simply does not let the holder into any country. To begin with, a passport is not always sufficient; you often need a visa. Then, you can't stay as long as you like in a foreign place; some countries won't let you in at all if you carry the passport of an unfriendly nation. You also need to complete a landing card and customs declarations specific to your particular journey. And finally, when you've got to the end of the arrivals queue, you are still at the mercy of an immigration officer who usually has the discretion to turn you away based on any other evidence they may have to hand. As with business transactions, there is much more to border control than identity. So if we could create the universal digital identity, we would do well to call it something other than "passport"!

Metaphors are more than wordplay; they are used to teach, and once learned, simplistic mental models like “electronic passport” can be deeply unhelpful. The dream of general purpose digital certificates is what derailed PKI. When they tried to implement digital passports, as general purpose digital certificates, they turned out to be unwieldy, riddled with fine print, and very rarely could they be used anywhere on their own. That is, "passport" is easier said than done, so it's a really lousy metaphor.

Yet with "open" federated identity frameworks, we're unwittingly repeating many of the missteps of early PKI, largely because people are still failing to see the devilish details beneath the metaphors.

The well-initiated get that the Laws of Identity and worthy schemes like NSTIC all involve a plurality of identities tuned to different contexts. Many federated identity supporters expressly deprecate the idea of having a single all-purpose cyber identity. Yet NSTIC in particular is easily confused by many with a single new ID; a crazy number of press reports represent it as a "passport" or an Internet "driver licence". It's a misunderstanding that is actually exacerbated by the strategy's own champions when they use terms like “interoperable” without enough care, and casually imagine that a student in future will log in to their bank using their student card.

The Laws of Identity teach that identities are context dependent. That is, you cannot expect that an ID issued in one context will operate seamlessly in another. If we unpack the digital identity metaphor, then it's actually obvious that identities don't easily inter-operate. A set of claims made about me in one context such as my employment might include my length of employment, position, purchasing authority, office phone number, superannuation account number, and above all, my employer's imprimatur for me representing the organisation. Or if I were enrolled at university, my student identity might include assertions of my student number, my faculty, the stage of my course, and my eligibility to get into certain laboratories and certain online collections. What can such claims say about me in another context, say banking or healthcare? Very little.

A curious omission in the Laws of Identity has always been interoperability. The interoperability of atomic claims like date of birth, home address, credit card number, student number or SSN is almost trivial; some services recognise these claims and have business rules that use them, while others don't. But the "interoperability" of a rolled-up set of claims like "Steve Wilson is employed by Lockstep Pty Ltd." is almost moot. That claim set says a lot about me to a Relying Party doing business with Lockstep as represented by me, but my corporate identity means nothing to retailers, personal health services, my personal bank, or even the video store.

Posted in Security, Language, Identity, Federated Identity

I just don't get Levels of Assurance

IDAM practitioners and government authentication policy makers have settled on a generic quaternary categorisation of transaction risk and of quality-of-enrolment. Let's recap: the idea is to characterise the seriousness of a transaction in terms of LOA 1/2/3/4 and then match the LOA of the party you're planning to do business with. Quaternary LOA schemas are codified in NIST SP 800-63 and described more loosely in the Australian National Electronic Assurance Framework (NEAF).

The idea of LOAs came from risk management methodologies and standards like AS 4360 and now ISO 31000. These approaches involve gauging the severity and frequency of anticipated adverse events, and combining them to deduce a rolled-up risk rating for each event on an ordinal scale, like {Negligible, Low, Medium, High, Extreme}. Examples given in the NEAF documentation use consequence-severity tables lifted straight out of AS 4360 (see Table 3, p15 of the NEAF Framework document).

A powerful feature of this approach is that each enterprise is empowered (in fact expected) to create its own internal calibrations of adverse events. Severity can be gauged in different ways, by referencing monetary losses, health consequences, political impact and so on, and the most appropriate frame will depend on the business environment. Organisations also set their own policies for what level of risk is acceptable for each anticipated threat. So some will not tolerate residual risks that are worse than Low, while others will live with Medium risks on a case-by-case basis with special contingency plans.

As a result, risk determinations made against ISO 31000 and the like are not transferable between organisations. Simply saying that a certain event (for example compromise to a user account) has a risk rating of “Medium” tells someone outside the organisation nothing at all about the details of the threat, its impacts, its expected likelihood, nor how it might be mitigated.

And yet the authentication LOA paradigm has us pick and choose externally issued identities based on a genericised rating of LOA 1, 2, 3 or 4. There really cannot be any definitive assurance that all "LOA 3" credentials for instance issued by all IdPs are equivalent, nor that they will satisfy the detailed needs of all Relying Parties conducting "LOA 3" transactions.

In other words, you cannot pigeon hole risk. And I've seen repeatedly the rather farcical situation where RPs looking for what they think is LOA 2, have to negotiate with IdPs offering what they think is LOA 2, over the fine print. Generic LOAs are supposed to save time but in reality RPs and IdPs still do local risk management and case-specific liability negotiations.

The idea of quaternary LOAs was based on schemas that are used to communicate risk within organisations. They do not work for communicating about risk between organisations.

Posted in Security, Internet, Identity, Fraud, Federated Identity