Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Remember that Digital Identity is a metaphor

The seminal Laws of Identity define a Digital Identity as a set of claims made by one digital subject about itself or another digital subject.

Crucially, this definition leaves "identity" as a metaphor. It's quite different from the way we casually use the word "identity" day-to-day as if it were a thing, like a label.

There is a presumption online (largely un-examined) that identity can be lifted from one context and freely applied in others. So despite the careful framing of the Laws of Identity - that digital identity is about sets of claims and critically context-dependent - many people still carry around a utopian idea of a singular digital identity. The archetypal online identity metaphor is the passport. The belief in the possibility of a universal digital passport has been a long standing distraction, and terribly unhelpful, because there is actually no such thing, not in the sense the word is used by technologists!

Ever since the early days of Big PKI, there has been the beguiling idea of an all purpose credential that will let its bearer into any and all online services, enabling total strangers to "trust" one another online. Later Microsoft of course even named an early digital identity service "Passport", and the word is still commonplace in discussing authentication products. The idea is that the passport allows you to go wherever you like, yet the concept that the metaphor alludes to doesn't exist.

A real world passport simply does not let the holder into any country. To begin with, a passport is not always sufficient; you often need a visa. Then, you can't stay as long as you like in a foreign place; some countries won't let you in at all if you carry the passport of an unfriendly nation. You also need to complete a landing card and customs declarations specific to your particular journey. And finally, when you've got to the end of the arrivals queue, you are still at the mercy of an immigration officer who usually has the discretion to turn you away based on any other evidence they may have to hand. As with business transactions, there is much more to border control than identity. So if we could create the universal digital identity, we would do well to call it something other than "passport"!

Metaphors are more than wordplay; they are used to teach, and once learned, simplistic mental models like “electronic passport” can be deeply unhelpful. The dream of all-purpose digital certificates derailed PKI. When they tried to implement "digital passports", they turned out to be unwieldy, riddled with fine print and excessive identity proofing, and very rarely could such certificates be used anywhere on their own. So the passport metaphor is lousy. Yet with "open" federated identity frameworks, we're unwittingly repeating many of the missteps of early PKI, largely because people aren't coming to grips with complexities obscured by faulty metaphors.

The well-initiated appreciate that the Laws of Identity and earnest schemes like NSTIC all involve a plurality of identities tuned to different contexts. Many federated identity supporters expressly deprecate a single all-purpose cyber identity. Yet NSTIC especially is easily confused by many with a single new ID; a crazy number of press reports represent it as an Internet "driver licence". The misunderstanding is actually exacerbated by the strategy's own champions when they use terms like “interoperable identity” without enough qualification, and casually suggest that a student in future will log in to their bank using their student card.

The Laws of Identity teach that identities are context dependent. That is, you cannot expect that an ID issued in one context will operate seamlessly in another. If we recall the formal definition of digital identity and set aside the passport metaphor, it's actually obvious that identities don't easily interoperate.

Consider the set of claims made about me in the context of my employment; my corporate digital identity might comprise my employee number, position and department, contact details, and company role, which together amount to my employer's imprimatur to represent the organisation. On the other hand, I were enrolled at university, my student identity might consist of my student number, faculty, the stage of my course, and my eligibility to get into certain labs and access certain online collections. What do these respective sets of such claims say about me in other contexts, say banking or healthcare? Very little. I can identify as Steve Wilson in my company and Steve Wilson at university, but any interoperability of these identities across contexts only happens at the attribute level, where the identity metaphor breaks down.

Post script

"Interoperability" is actually a curious omission in the Laws of Identity. The interoperability of atomic claims like date of birth, home address, credit card number, student number or SSN is almost trivial; some services recognise these claims and have business rules that use them, while others don't care about them. But the "interoperability" of a rolled-up set of claims like "Steve Wilson is employed by Lockstep Pty Ltd." makes almost no sense. The set of claims that make up that digital identity says a lot about me to a Relying Party doing business with Lockstep, but my corporate identity means nothing to retailers, doctors, my personal bank, the police or the video store.

Posted in Security, Language, Identity, Federated Identity

I just don't get Levels of Assurance

IDAM practitioners and government authentication policy makers have settled on a generic way to categorise transaction risk and match it to a broad measure of authentication quality. The idea is to characterise the seriousness of a transaction in terms of "Levels of Assurance" (LOAs) and then match the authentication 'level' of the party you're planning to do business with. LOA schemas are codified in NIST SP 800-63 and described (more loosely) in the Australian National Electronic Assurance Framework (NEAF).

The idea of LOAs can be traced to risk management methodologies and standards like ISO 31000. These approaches involve gauging both the severity and frequency of anticipated adverse events, and combining those metrics to create a rolled-up risk rating for each event on an ordinal scale, like {Negligible, Low, Medium, High, Extreme}. Examples given in the NEAF documentation use severity-frequency tables lifted straight out of the older ustraian risk management standard AS/NZ 4360; see Table 3, p15 of the NEAF Framework document (PDF)).

A powerful feature of modern risk management standards is that each enterprise is empowered (in fact expected) to customise the way it assesses adverse events, in the context of its particular environment. Severity can be gauged in different ways, for example by referencing monetary losses, health consequences, political impact and so on; the most appropriate frame will depend on the business environment. Organisations also set their own policies for what level of risk is acceptable for each anticipated threat. So some will not tolerate residual risks that are worse than Low, while others will live with Medium risks on a case-by-case basis with special contingency plans. Good risk management standards allow that different organisations have different risk appetites.

But what LOA advocates seem to forget is that, as a result, risk determinations made under ISO 31000 and the like are not transferable between organisations. Simply saying that a certain event (for example compromise to a user account) has a risk rating of “Medium” tells someone outside the organisation nothing at all about the details of the threat, its impacts and expected likelihood.

And yet the Levels of Assurance paradigm has us pick and choose externally issued identities based on a generic ratings of LOA 1, 2, 3 or 4. There cannot be any certainty that all "LOA 3" credentials for instance are equivalent, nor that they will satisfy the detailed needs of all Relying Parties conducting "LOA 3" transactions.

In other words, you cannot pigeon hole risk.

I've seen repeatedly a silly situation where Relying Parties looking for say LOA 2 aren't quite satisfied with a given Identity Provider's idea of LOA 2, and they seek to haggle over a special "level two and a bit". Generic LOAs are supposed to save time with generic levels, but in reality, RPs and IdPs still spend a great deal of time on local risk assessment, hammering out their authentication arrangement. That work is entirely appropriate, but the thing is, the idealised LOA bucket becomes irrelevant. Pigeon-holing risk doesn't save time, and it can't save anyone from having to do detailed case-by-case risk analysis.

Here's the source of the mismatch. The idea of discrete standardised LOAs was based on schemas designed to measure and speificy risk within organisations. These standards were never meant for communicating risk assessments between organisations. Discrete assurance levels are fundamentally misleading, for they lead people to oversimplify the necessary matching of Identity Providers's offerings to Relying Parties' needs.

Posted in Security, Internet, Identity, Fraud, Federated Identity