We think we're talking about a thing when we refer to identity provisioning, or "Bring Your Own Identity", or the "choice" of identity that's axiomatic in NSTIC and similar federation proposals. The Laws of Identity encouraged us to think in terms of identity as a commodity, but at the same time the Laws cannily defined Digital Identity as a "set of claims" (that is, attributes of the identified Subject).
So identity is not a thing.
Rather, identity is a state of affairs: Identity is How I Am Known.[Update February 2013. I am embarrassed to admit I have only just discovered the work of Goffman and his "dramaturgical" analysis of identity. Goffman found that identity is an emergent property from social interaction, that it comes dynamically from the roles we play, and that it is formed by the way we believe others see us. That is, personal identity is partly impressed upon us. This is the sort of view I have arrived at with Digital Identity. Read on.]
Digital identity is really just the conspicuous surface of a relationship we have with a service provider or counterparty. That relationship grows over time, starting from the evidence of identity gathered at registration time (classically a KYC check to open a bank account), after which we get an identifier. But identifiers are really just macros for the relationships we have with our service providers, which can be deep and unfolding, and often more complex than any identifier on its own would suggest. The original evidence of identity is just a boundary condition; it might be common across several relationships for a time, but it's not actually what the ongoing relationship is all about.
So what can it mean to try to exercise a choice of identity? In business it's the Relying Party that bears most of the risk if an identity is wrong, and so it is that the Relying Party is very often the "Identity Provider", for then they can best manage their risk. And here the choice of business identity is moot. If you don't have an identity that meets the RP's needs, then they have the prerogative to turn you away. Think about a store that doesn't accept Diners Club; do you have any prospect of negotiating with them to pay by Diners if that's your choice of card? Can it make any difference to the store owner that you might have extra credentials to present in real time?
However, in social dealings, identity is different. Here we do narrate the visible surface of our own life stories, and thus curate our own identity (or identities, plural).
What's going on here? How do we reconcile these contradictions of self determination in some cases, and all those counterparty interests across many other cases? I find it helps to describe two different orders of Digital Identity:
And every now and then, Expressed and Impressed identities come into conflict, never more viscerally than in what I call the High School Reunion Effect. Most of us have probably experienced the psychic dislocation of meeting old school friends for the first time in decades at a reunion. You've changed; they've changed; all our current lives and contexts are unknown to our peers of old. Instead, the group context is frozen in time as it was at school, and we all struggle to relate to one another according to old identities, while editing ourselves to reflect the new individuals that we have become. But here's the thing: our old identities actually return, to varying degrees, impressed on us by how the group as a whole used to be. It's a vivid demonstration of how identity is plastic, and how it's shaped by different forces, some outside our control. High school reunions showcase the dynamic mixture of Impressed and Expressed identities. The way we choose to express ourselves is molded (to a point) to fit an inter-personal context impressed upon us by a community.
Another example - of greater practical importance - of the tension between impressed and expressed identity is the "Real Name" policies of Google and Facebook. Here we saw a mighty clash of the rights of people to define how they are known in distinct spheres, and the interests of social network operators to "know" their users (to put it clinically, index them) for commercial purposes. Perhaps that type of conflict would be better understood if we saw how different orders of identity have different degrees of freedom? Identity is literally relative.
And then there is the Bring Your Own Identity movement, another battle ground where competing intuitions about identity are playing out. Here the claimed right to use whatever identification method one likes butts up against the enterprise's need to set its own standards for identification risk management. Some BYOI advocates say this is not just about user convenience; businesses may save serious money through BYOI because it will save them from issuing their own IDs, just as BYOD can reduce device support costs. But in most cases, the cost to the business of mapping and integrating all the expressed identities that users might elect to bring simply exceeds the cost of the organisation impressing IDs for itself.
Digital Identity is a heady intersection of social, technological, business and political frames of reference. Our intuitions - not surprisingly really - can fail us in cyberspace. I reckon progress in NSTIC and similar initiatives will depend on us appreciating that identity online isn't always what it seems.
Those who wish to implement a third party identity provider system have a problem. As you state, identity is a surface characteristic associated with relationships. Another way of thinking about identity is to visualise identity in a network. The vertices of the network are individuals or organisations. The edges, or connections, between the vertices are relationships. In such a model identity is a property of an edge - not a vertex. As such there are two parties involved and they have to agree on how they identify each other. Google can insist that it will not have a relationship with a person unless they know who they are, however Google should not force a condition on a relationship between other parties using Google+. The BYOI is a starting point in the establishment of the identity of a relationship but because identity is a property of the relationship then a label on the vertex is not sufficient for an identity. This means that identity is established for each new relationship. The insistence of systems designers on ignoring this means that efforts, such as Australia's healthid, are going to result in very expensive systems to run and operate because the system does not reflect the underlying reality of relationships and identity.
Kevin, interesting. If identity is a link on a graph joining the Subject and Relying Party, then in general there should actually be two links per pair: one where A identifies itself to B and the other where B identifies itself to A.
If my idea of Expressed vs Impressed identity has validity, then we can think of Expressed identity as A revealing itself to B in a way determined more or less by A, and Impressed identity as A revealing itself to B in a way determined by B.
As for Australia's health ID efforts, for individuals and providers, I agree it's a basket case, but maybe for different reasons from you. Fundamentally I have no problem with health authorities impressing a unique UHID on us ... if that UHID is carefully managed via privacy enhancing, replay-resistant smart technologies, and if the UHID is not necessarily universal. It must co-exist alongside other unlinked optional identifiers, used for example in:
- insurances private and public
- local clinical practice
- workplace PEHR
- sensitive segmented clinical domains like mental health
- research & clinical trials, and
- medical social networking.
A few of these would be expressed identities, but it makes sense to me that most health IDs be impressed.
I agree wholeheartedly.
I understand why you make the comment that the "RP is the Identity Provider". However, at least to me, that comment raises some confusion in my mind. I would suggest that they are actually an "Identity Consumer" in the context you have expressed.
That being said, if they decide, based on the information they have collected, that they want to become an Identity Provider to others then that is another role that they would play in the identity ecosphere. That is why the confusion is in my mind.
For most high risk identities, the RP quite literally is the Identity Provider, for their own purposes. Employers provide employee IDs. Universities provide student numbers. Banks provide bank account numbers. Health Departments provide health identifiers (which might be relied upon by other RPs but only in a tightly bounded community of interest covered by legislation that recognises the identifiers and circumscribes how they are used).
In fact, I have yet to find an example of an "LOA 4" identity being provided by an IdP and relied upon on its own by an independent RP. In the days of Microsoft's Laws of Identity and Information Cards, it was widely tipped that banks would do as you say and take on the role of Identity Provider in the "identity ecosphere" but it has yet to happen, except for Scandinavia where there is special legislation to federate government and banking RPs/IdPs. Banks acting as IdPs hasn't even happened under NSTIC where you would expect there to be lots of incentives to experiment. The reason I suggest is actually ecological. Specific identities evolve to meet the needs of specific transactions with specific risk profiles. It doesn't really matter how much information an RP collects about its Subjects; to turn that information into an identity that is reliable for other parties outside the RP's niche, that RP has to anticipate the risks and needs of those other parties. That's Policy Mapping. And it has always proven too expensive for the marginal benefit of being able to re-use high risk identities across contexts.
For completeness, I will say again that low risk identities do federate very nicely across contexts, the classic example being social logon. But here the IdP doesn't really assert who the user is, and the RP doesn't really care who the user is. It was trivial for Google, Facebook, Twitter and LinkedIn to extend their businesses into low risk IdPs. There was no "Policy Mapping" to be done.
How many web masters for sites accepting social logons (that is, acting as RP to say Google's IdP) bother to read the Ts&Cs for the social identity they (the web masters) are relying on?
Agree fully Steve.
I am also a strong believer that Identity Providers can only provide an assertion about the set of attributes that they have collected regardless of whether they are validated by an authoritative source or they are collected as the result of repeated physical or social interactions. In my opinion, there are not many RPs that need that identical set of attributes to mitigate their identification risk. As such, an RP will not likely be willing, other than at LOA1, to rely on the assertion from a single IdP. This lack of being able to rely on the assertion from a single IdP is most likely the reason that so few RPs are willing to participate. This lack of participation will continue, in my opinion, until the industry changes from discussing "identity" to discussing "identification."
As you have said, RPs have identification risk that they need to mitigate. They each have identified, through some type of threat risk analysis (formal or historical), what they need to do to undertake that mitigation. As I have said above, having an individual IdP say that they can solve that issue for an RP is most likely, from the perspective of the RP, difficult to believe. At best, an RP would probably have to rethink their approach to identification risk mitigation - something I do not believe that many are willing to undertake at the present time. In my opinion, a focus on how an IdP can contribute to mitigating, rather than solving, the identification risk would further adoption by RPs.