Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Postcard from Monterey 2 #CISmcc

Second Day Reflections from CIS Monterey.

Follow along on Twitter at #CISmcc (for the Monterey Conference Centre).

The attributes push

At CIS 2013 in Napa a year ago, several of us sensed a critical shift in focus amongst the identerati - from identity to attributes. OIX launched the Attributes Exchange Network (AXN) architecture, important commentators like Andrew Nash were saying, 'hey, attributes are more interesting than identity', and my own #CISnapa talk went so far as to argue we should forget about identity altogether. There was a change in the air, but still, it was all pretty theoretical.

Twelve months on, and the Attributes push has become entirely practical. If there was a Word Cloud for the NSTIC session, my hunch is that "attributes" would dominate over "identity". Several live NSTIC pilots are all about the Attributes.

ID.me is a new company started by US military veterans, with the aim of improving access for the veterans community to discounted goods and services and other entitlements. Founders Matt Thompson and Blake Hall are not identerati -- they're entirely focused on improving online access for their constituents to a big and growing range of retailers and services, and offer a choice of credentials for proving veterans bona fides. It's central to the ID.me model that users reveal as little as possible about their personal identities, while having their veterans' status and entitlements established securely and privately.

Another NSTIC pilot Relying Party is the financial service sector infrastructure provider Broadridge. Adrian Chernoff, VP for Digital Strategy, gave a compelling account of the need to change business models to take maximum advantage of digital identity. Broadridge recently annoucned a JV with Pitney Bowes called Inlet, which will enable the secure sharing of discrete and validated attributes - like name, address and social security number - in an NSTIC compliant architecture.

Mind bending

Yesterday I said in my CISmcc diary that I hoped to change my mind at #CISmcc about something, and half way through Day 2, I was delighted it was already happening. I've got a new attitude about NSTIC.

Over the past six months, I had come to fear http://www.nist.gov/nstic/">NSTIC had lost its way. It's hard to judge totally accurately when lurking on the webcast from Sydney (at 4:00am) but the last plenary seemed pedestrian to me. And I'm afraid to say that some NSTIC committees have got a little testy. But today's NSTIC session here was a turning point. Not only are there a number or truly exciting pilots showing real progress, but Jeremy Grant has credible plans for improving accountability and momentum, and the new technology lead Paul Grassi is thinking outside the box and speaking out of school. The whole program seems fresh all over again.

In a packed presentation, Grassi impressed me enormously on a number of points:

  • Firstly, he advocates a pragmatic NSTIC-focused extension of the old US government Authentication Guide NIST SP 800-63. Rather than a formal revision, a companion document might be most realistic. Along the way, Grassi really nailed an issue which we identity professionals need to talk about more: language. He said that there are words in 800-63 that are "never used anywhere else in systems development". No wonder, as he says, it's still "hard to implement identity"!
  • Incidentally I chatted some more with Andrew Hughes about language; he is passionate about terms, and highlights that our term "Relying Party" is an especially terrible distraction for Service Providers whose reason-for-being has nothing to do with "relying" on anyone!
  • Secondly, Paul Grassi wants to "get very aggressive on attributes", including emphasis on practical measurement (since that's really what NIST is all about). I don't think I need to say anything more about that than Bravo!
  • And thirdly, Grassi asked "What if we got rid of LOAs?!". This kind of iconoclastic thinking is overdue, and was floated as part of a broad push to revamp the way government's orthodox thinking on Identity Assurance is translated to the business world. Grassi and Grant don't say LOAs can or should be abandoned by government, but they do see that shoving the rounded business concepts of identity into government's square hole has not done anyone much credit.

Just one small part of NSTIC annoyed me today: the persistent idea that federation hubs are inherently simpler than one-to-one authentication. They showed the following classic sort of 'before and after' shots, where it seems self-evident that a hub (here the Federal Cloud Credential Exchange FCCX) reduces complexity. The reality is that multilateral brokered arrangements between RPs and IdPs are far more complex than simple bilateral direct contracts. And moreover, the new forms of agreements are novel and untested in real world business. The time and cost and unpredictability of working out these new arrangements is not properly accounted for and has often been fatal to identity federations.

IMG 5412 BEFORE cropped
IMG 5413 AFTER cropped


The dog barks and this time the caravan turns around

One of the top talking points at #CISmcc has of course been FIDO. The FIDO Alliance goes from strength to strength; we heard they have over 130 members now (remember it started with four or five less than 18 months ago). On Saturday afternoon there was a packed-out FIDO show case with six vendors showing real FIDO-ready products. And today there was a three hour deep dive into the two flagship FIDO protocols UAF (which enables better sharing of strong authentication signals such that passwords may be eliminated) to and U2F (which standardises and strengthens Two Factor Authentication).

FIDO's marketing messages are improving all the time, thanks to a special focus on strategic marketing which was given its own working group. In particular, the Alliance is steadily clarifying the distinction between identity and authentication, and sticking adamantly to the latter. In other words, FIDO is really all about the attributes. FIDO leaves identity as a problem to be addressed further up the stack, and dedicates itself to strengthening the authentication signal sent from end-point devices to servers.

The protocol tutorials were excellent, going into detail about how "Attestation Certificates" are used to convey the qualities and attributes of authentication hardware (such as device model, biometric modality, security certifications, elapsed time since last user verification etc) thus enabling nice fine-grained policy enforcement on the RP side. To my mind, UAF and U2F show how nature intended PKI to have been used all along!

Some confusion remains as to why FIDO has two protocols. I heard some quiet calls for UAF and U2F to converge, yet that would seem to put the elegance of U2F at risk. And it's noteworthy that U2F is being taken beyond the original one time password 2FA, with at least one biometric vendor at the showcase claiming to use it instead of the heavier UAF.

Surprising use cases

Finally, today brought more fresh use cases from cohorts of users we socially privileged identity engineers for the most part rarely think about. Another NSTIC pilot partner is AARP, a membership organization providing "information, advocacy and service" to older people, retirees and other special needs groups. AARP's Jim Barnett gave a compelling presentation on the need to extend from the classic "free" business models of Internet services, to new economically sustainable approaches that properly protect personal information. Barnett stressed that "free" has been great and 'we wouldn't be where we are today without it' but it's just not going to work for health records for example. And identity is central to that.

There's so much more I could report if I had time. But I need to get some sleep before another packed day. All this changing my mind is exhausting.

Cheers again from Monterey.

Posted in Security, Privacy, PKI, Language, Identity, Federated Identity, e-health

Postcard from Monterey #CISmcc

First Day Reflections from CIS Monterey.

Follow along on Twitter at #CISmcc (for the Monterey Conference Centre).

The Cloud Identity Summit really is the top event on the identity calendar. The calibre of the speakers, the relevance and currency of the material, the depth and breadth of the cohort, and the international spread are all unsurpassed. It's been great to meet old cyber-friends in "XYZ Space" at last -- like Emma Lindley from the UK and Lance Peterman. And to catch up with such talented folks like Steffen Sorensen from New Zealand once again.

A day or two before, Ian Glazer of Salesforce asked in a tweet what we were expecting to get out of CIS. And I replied that I hoped to change my mind about something. It's unnerving to have your understanding and assumptions challenged by the best in the field ... OK, sometimes it's outright embarrassing ... but that's what these events are all about. A very wise lawyer said to me once, around 1999 at the dawn of e-commerce, that he had changed his mind about authentication a few times up to that point, and that he fully expected to change his mind again and again.

I spent most of Saturday in Open Identity Foundation workshops. OIDF chair Don Thibeau enthusiastically stressed two new(ish) initiatives: Mobile Connect in conjunction with the mobile carrier trade association GSM Association @GSMA, and HIE Connect for the health sector. For the uninitiated, HIE means Health Information Exchange, namely a hub for sharing structured e-health records among hospitals, doctors, pharmacists, labs, e-health records services, allied health providers, insurers, drug & device companies, researchers and carers; for the initiated, we know there is some language somewhere in which the letters H.I.E. stand for "Not My Lifetime".

But seriously, one of the best (and pleasantly surprising) things about HIE Connect as the OIDF folks tell it, is the way its leaders unflinchingly take for granted the importance of privacy in the exchange of patient health records. Because honestly, privacy is not a given in e-health. There are champions on the new frontiers like genomics that actually say privacy may not be in the interests of the patients (or more's the point, the genomics businesses). And too many engineers in my opinion still struggle with privacy as something they can effect. So it's great -- and believe me, really not obvious -- to hear the HIE Connects folks -- including Debbie Bucci from the US Dept of Health and Human Services, and Justin Richer of Mitre and MIT -- dealing with it head-on. There is a compelling fit for the OAUTH and OIDC protocols here, with their ability to manage discrete pieces of information about users (patients) and to permission them all separately. Having said that, Don and I agree that e-health records permissioning and consent is one of the great UI/UX challenges of our time.

Justin also highlighted that the RESTful patterns emerging for fine-grained permissions management in healthcare are not confined to healthcare. Debbie added that the ability to query rare events without undoing privacy is also going to be a core defining challenge in the Internet of Things.

MyPOV: We may well see tremendous use cases for the fruits of HIE Exchange before they're adopted in healthcare!

In the afternoon, we heard from Canadian and British projects that have been working with the Open Identity Exchange (OIX) program now for a few years each.

Emma Lindley presented the work they've done in the UK Identity Assurance Program (IDAP) with social security entitlements recipients. These are not always the first types of users we think of for sophisticated IDAM functions, but in Britain, local councils see enormous efficiency dividends from speeding up the issuance of eg disabled parking permits, not to mention reducing imposters, which cost money and lead to so much resentment of the well deserved. Emma said one Attributes Exchange beta project reduced the time taken to get a 'Blue Badge' permit from 10 days to 10 minutes. She went on to describe the new "Digital Sources of Trust" initiative which promises to reconnect under-banked and under-documented sections of society with mainstream financial services. Emma told me the much-abused word "transformational" really does apply here.

MyPOV: The Digital Divide is an important issue for me, and I love to see leading edge IDAM technologies and business processes being used to do something about it -- and relatively quickly.

Then Andre Boysen of SecureKey led a discussion of the Canadian identity ecosystem, which he said has stabilised nicely around four players: Federal Government, Provincial Govt, Banks and Carriers. Lots of operations and infrastructure precedents from the payments industry have carried over.
Andre calls the smart driver license of British Columbia the convergence of "street identity and digital identity".

MyPOV: That's great news - and yet comparable jurisdictions like Australia and the USA still struggle to join governments and banks and carriers in an effective identity synthesis without creating great privacy and commercial anxieties. All three cultures are similarly allergic to identity cards, but only in Canada have they managed to supplement drivers licenses with digital identities with relatively high community acceptance. In nearly a decade, Australia has been at a standstill in its national understanding of smartcards and privacy.

For mine, the CIS Quote of the Day came from Scott Rice of the Open ID Foundation. We all know the stark problem in our industry of the under-representation of Relying Parties in the grand federated identity projects. IdPs and carriers so dominate IDAM. Scott asked us to imagine a situation where "The auto industry was driven by steel makers". Governments wouldn't put up with that for long.

Can someone give us the figures? I wonder if Identity and Access Management is already more economically ore important than cars?!

Cheers from Monterey, Day 1.

Posted in Smartcards, Security, Identity, Federated Identity, e-health, Cloud, Biometrics, Big Data

FIDO Alliance goes from strength to strength

With a bunch of exciting new members joining up on the eve of the RSA Conference, the FIDO Alliance is going from strength to strength. And they've just published the first public review drafts of their core "universal authentication" protocols.

An update to my Constellation Research report on FIDO is now available. Here's a preview.

The Go-To standards alliance in protocols for modern identity management

The FIDO Alliance – for Fast IDentity Online – is a fresh, fast growing consortium of security vendors and end users working out a new suite of protocols and standards to connect authentication endpoints to services. With an unusual degree of clarity in this field, FIDO envisages simply "doing for authentication what Ethernet did for networking".

Launched in early 2013, the FIDO Alliance has already grown to nearly 100 members, amongst which are heavyweights like Google, Lenovo, MasterCard, Microsoft and PayPal as well as a couple of dozen biometrics vendors, many of the leading Identity and Access Management solutions and service providers and several global players in the smartcard supply chain.

FIDO is different. The typical hackneyed elevator pitch in Identity and Access Management promises to "fix the password crisis" – usually by changing the way business is done. Most IDAM initiatives unwittingly convert clear-cut technology problems into open-ended business transformation problems. In contrast, FIDO's mission is refreshingly clear cut: it seeks to make strong authentication interoperable between devices and servers. When users have activated FIDO-compliant endpoints, reliable fine-grained information about their client environment becomes readily discoverable by any servers, which can then make access control decisions, each according to its own security policy.

With its focus, pragmatism and critical mass, FIDO is justifiably today's go-to authentication standards effort.

In February 2014, the FIDO Alliance announced the release of its first two protocol drafts, and a clutch of new members including powerful players in financial services, the cloud and e-commerce. Constellation notes in particular the addition to the board of security leader RSA and another major payments card, Discover. And FIDO continues to strengthen its vital “Relying Party” (service provider) representation with the appearance of Aetna, Goldman Sachs, Netflix and Salesforce.com.

It's time we fixed the Authentication plumbing

In my view, the best thing about FIDO is that it is not about federated identity but instead it operates one layer down in what we call the digital identity stack. This might seem to run against the IDAM tide, but it's refreshing, and it may help the FIDO Alliance sidestep the quagmire of identity policy mapping and legal complexities. FIDO is not really about the vexed general issue of "identity" at all! Instead, it's about low level authentication protocols; that is, the plumbing.

The FIDO Alliance sets out its mission as follows:

  • Change the nature of online authentication by:
    • Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
    • Operating industry programs to help ensure successful worldwide adoption of the Specifications.
    • Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.

The engineering problem underlying Federated Identity is actually pretty simple: if we want to have a choice of high-grade physical, multi-factor "keys" used to access remote services, how do we convey reliable cues to those services about the type of key being used and the individual who's said to be using it? If we can solve that problem, then service providers and Relying Parties can sort out for themselves precisely what they need to know about the users, sufficient to identify and authenticate them.

All of these leaves the 'I' in the acronym "FIDO" a little contradictory. It's such a cute name (alluding of course to the Internet dog) that it's unlikely to change. Instead, I overheard that the acronym might go the way of "KFC" where eventually it is no longer spelled out and just becomes a word in and of itself.

FIDO Alliance Board Members

  • Blackberry
  • CrucialTec (manufactures innovative user input devices for mobiles)
  • Discover Card
  • Google
  • Lenovo
  • MasterCard
  • Microsoft
  • Nok Nok Labs (a specialist authentication server software company)
  • NXP Semiconductors (a global supplier of card chips, SIMs and Secure Elements)
  • Oberthur Technologies (a multinational smartcard and mobility solutions provider)
  • PayPal
  • RSA
  • Synaptics (fingerprint biometrics)
  • Yubico (the developer of the YubiKey PKI enabled 2FA token).

FIDO Alliance Board Sponsor Level Members

  • Aetna
  • ARM
  • AGNITiO
  • Dell
  • Discretix
  • Entersekt
  • EyeLock Inc.
  • Fingerprint Cards AB
  • FingerQ
  • Goldman Sachs
  • IdentityX
  • IDEX ASA
  • Infineon
  • Kili
  • Netflix
  • Next Biometrics Group
  • Oesterreichische Staatsdruckerei GmbH
  • Ping Identity
  • SafeNet
  • Salesforce
  • SecureKey
  • Sonavation
  • STMicroelectronics
  • Wave Systems

Stay tuned for the updated Constellation Research report.

Posted in Smartcards, Security, Identity, Federated Identity, Constellation Research, Biometrics

Attribute wallets

There's little debate now that attributes are at least as important as "identity" in making decisions about authorization online. This was a recurring theme at the recent Cloud Identity Summit and in subsequent discussions on Twitter, my blog site and Kuppinger Cole's. The attention to attributes might mean a return to basics, with a focus on what it is we really need to know about each other in business. It takes me back to the old APEC definition of authentication: the means by which the recipient of a transaction or message can make an assessment as to whether to accept or reject that transaction.

A few questions remain, like what is the best way for attributes to be made available? And where does all this leave the IdP? The default architecture in many peoples' minds is that attributes should be served up online by Attribute Providers in response to Relying Party's needing to know things about Subjects instantaneously. The various real time negotiations are threaded together by one or more Identity Providers. Here I want to present an alternative but complementary vision, in which attributes are presented to Relying Parties out of digital wallets controlled by the Subjects concerned, and with little or no involvement of Identity Providers as such.

Terminology: In this post and in most of my works I use the nouns attribute, claim and [identity] assertion interchangeably. What we're talking about are specific factoids about the first party to a transaction (the "Subject") that are interesting to the second party in the transaction (the "Relying Party" or Service Provider). In general, each attribute is vouched for by an authoritative third party referred to as an Attribute Provider. In some special cases, an RP can trust the Subject to assert certain things about themselves, but the more interesting general case is where the Relying Party needs external assurance that a given attribute is true for the Subject in question. I don't have much to say about self-asserted attributes.

The need to know

As much as we're all interested in identity and "trust" online, the currency of most transactions is context-specific attributes. The context of a transaction often determines (and determines completely) the attributes that determine whether a party is authorised. For example, if the Subject is a shopper, the RP a merchant and the transaction a credit card purchase, then the attributes of interest are the cardholder name, account number, billing address and maybe the card verification code. In the context of dispensing an electronic prescription, the only attribute might be the doctor's prescriber number (pharmacists of course don't care who the doctor 'really is'; notoriously they can't even read the doctor's handwriting). For authorising a purchase order on behalf of a company, the important attributes might be the employee position and staff ID. For opening a new bank account, Know-Your-Customer (KYC) rules in most jurisdictions will dictate that such attributes as legal name, address, date of birth and so on be presented in a prescribed form (typically by way of original government issued ID documents).

For most of the common attributes of interest in routine business, there are natural recognised Attribute Authorities. Some are literally authoritative over particular attributes. Professional bodies for instance issue registration numbers to accountants, doctors, engineers and so on; employees assign staff IDs; banks issue credit card numbers. In other cases, there are de facto authorities; most famously, driver licenses are relied on almost universally as proof of age around the world.

Sometimes rules are laid down that designate certain organisations to act as Attribute Providers - without necessarily using that term. Consider how KYC rules in effect designate Attribute Authorities. In Australia, the Financial Transaction Reports Act 1988 (FTRA) has long established an identity verification procedure called the "100 point check". FTRA regulations prescribe a number of points to various identification documents, and in order to open a bank account here, you need to present a total of 100 points worth of documents. Notable documents include:

  • Birth certificate: 70 points
  • Current passport: 70 points
  • Australian driver licence [bearing a photo]: 40 points
  • Foreign driver licence [not necessarily bearing a photo]: 25 points
  • Credit card: 25 points.

So in effect, the financial regulators in Australia have designated driver license bureaus and credit card issuers to be Attribute Providers for names (again, without actually using the label "AP"). Under legislated KYC rules, a bank creating a new customer account can rely on assertions made by other banks or even foreign driver license authorities about the customer's name, without needing to have any relationship with the "APs". Crucially, the bank need not investigate for itself nor understand the detailed identification processes of the "APs" listed in the KYC rules. Of course we can presume that KYC legislators took advice on the details of how various identity documents are put together, and in the event that an error is found somewhere in the production of an identity feeder document then forensic investigation would follow, but the important point is that routinely, the inner workings of all the various APs are opaque to most relying parties. The bank as RP does not need to know how a license bureau does its job.

And yet we do know that the recognised Attribute Providers continuously improve what they do. Consider driver licenses. In Australia up until the 1970s, driver licenses were issued on paper. Then plastic cards were introduced with photographs. Numerous anti-copying measures have been rolled out since then, such as holograms, and guilloche, optically variable and micro printing. Now the first chipped driver licenses are being issued, in which cryptographic technology not only makes counterfeiting difficult but also enables digitally signed cardholder details to be transmitted electronically (the same trick utilised in EMV to stop skimming and carding). Less obvious to users, biometric facial recognition is also used now during issuance and renewal to detect fraudsters. So over time the attributes conveyed by driver licenses have not changed at all - name, address and date of birth have always meant the same thing - but the reliability of these attributes when presented via licenses is better than ever.

Imposters are better detected during the issuance process, the medium has become steadily more secure, and, more subtly, the binding between each licence and its legitimate holder is stronger.

We are accustomed in traditional business to dealing with others on the basis of their official credentials alone, without needing to know much about who they 'really are'. When deciding if we can accept someone in a particular transaction context, we rely on recognised providers of relevant attributes. Hotel security checks a driver license for a patron's age; householders check the official ID badges of repair people and meter readers; a pathologist checks the medical credentials of an ordering doctor; an architect only deals with licensed surveyors and structural engineers; shareholders only need to know that a company's auditors are properly certified accountants. In none of these routine cases is the personal identity of the first party of any real interest. What matters is the attributes that authorise them to deal in each context.

Digital wallets

Now, in the online environment, what is the best way to access attributes? My vision is of digital wallets. I advocate that users be equipped to hold close any number of recognised attributes in machine readable formats, so they can present selected attributes as the need arises, directly to Relying Parties. This sort of approach is enabled by the fact that the majority of economically important transaction settings draw on a relatively small number of attributes, and we can define a useful attribute superset in advance. As discussed previously such a superset could include:

  • {Given name, Residential address, Postal address, Date of Birth, "Over 18", Residential status, Professional qualification(s), Association Membership(s), Social security number, Student number, Employee Number, Bank account number(s), Credit card number(s), Customer Reference Number(s), Medicare Number, Health Insurance No., Health Identifier(s), OSN Membership(s)}

Many of these attributes have just one natural authoritative provider each; others could be provided by a number of alternative organisations that happen to verify them as a matter of course and could stand ready to vouch for them. The decision to accept any AP's word for a given attribute is ultimately up to the Relying Party; each RP has its own standards for the required bona fides of the attributes it cares about.

There are a few obvious candidates for digital attribute wallets:


  • A smart phone could come pre-loaded with attributes that have been verified as a matter of course by the telephone company, like the credit card number associated with the account, or proof of age. A digital wallet on the phone could later be topped up with additional attributes, over the air or via some other more secure over-the-counter protocol.

  • A smart driver license could hold digital certificates signed by the licensing bureau, asserting name, address, date of birth, and/or simpler de-identified statements like "the older is over 18". Note that the assertions could be made separately or in useful combinations; for privacy, a proof of age certificate need not name the holder but simply specify that the assertion is carried on a particular type of chip, signed by the authoritative issuer.

  • When you receive a smart bank card, the issuer bank could load the chip with your name, address, date of birth, PANs and/or certified copies of identity documents presented to open the account. Such personal identity assertions could then be presented by the customer to other RPs like financial institutions or retailers to originate other accounts.

Do we need an "Identity Provider" to thread together these attributes? No. While it is important that RPs can trust that each attribute is in the right hands, the issuance process (including the provisioning of attribute carrying tokens like cards and mobile phones) is just one aspect of the Attribute Provider's job. If we can trust say a licensing bureau to verify the particulars of a license holder, then we can also trust them as part of that process to ensure that the license is in the hands of its rightful owner.

In contrast with the real time 'negotiated' attributes exchange architectures, the digital wallet approach has the following advantages:


  • Decentralised architecture: lower cost and quicker to deploy; we can start local and scale up as Attribute Providers gain ground;

  • Fast: digitally signed attributes presented from smart devices diret to Relying Parties can be cryptographically verified instantaneously, for higher performance, especially in bandwidth limited environments.

  • Intrinsically private: Direct presentation of attributes minimises the exposure of personal information to third parties.

  • ”Natural”: Digital wallets of attributes is congruent with the way we hold diverse pieces of personal documentation in regular wallets; unlike big federation model, no novel new intermediaries are involved.

  • Legally simpler: It is relatively simple matter for Attribute Authorities to warrant the accuracy of separate particulars like name, date of birth, account number, without any making any other broad representations of who the Subject 'really is'. There is none of the legal fine print that bedevilled Big PKI Certification Authorities in the past and which proved fatal in federation programs like the Internet Industry Association 2FA pilot.

Notes

  • On a case by case basis, as dictated by their risk management strategies, RPs can revert to an online AP to check the up-to-the-minute validity of an attribute. In practice this is not necessary in many cases; many of the common attributes in business are static, and once issued (or vouched for by a reputable body) do not change. If attributes are conveyed by digital certificates, then their validity can be efficiently checked online by OCSP and near-line by CRL.
  • The patient smartcards already widespread in Europe are an ideal carrier for a plurality of human services identifiers (such as public health insurance numbers, health record identifiers, medical social networking handles, and research tracking numbers; see also a previous presentation on anonymity and pseudonymity in e-research).
  • As other conventional plastic cards are progressively upgraded to chip - such as the proposed US Medicare card modernization - we have a natural opportunity to load them with secure digital assertions too.
  • In the medium to long term, digitally signed attributes could be made to chain through communities of CAs to a small number of globally recognised Root Authorities. For a model, refer to s4.4 "How to convey fitness for purpose" of my Public Key Superstructure presentation to the 2008 NIST IDTrust workshop.

Posted in Smartcards, Security, Identity, Federated Identity, Trust

The IdP is Dead!

"All Hail the Relyingpartyrati!"

I presented my ecological theory of identity to the Cloud Identity Summit last week.

The quote "The IdP is Dead! Hail the Relyingpartyrati" is from my conclusion (reflecting the running inside joke at CIS that something has to die each year). One of my ideas is that because identification is carried out by Relying Parties, it's more correct (and probably liberating) to think of identity as being created by the RP. The best option for what we call "Identity Providers" today may be to switch to providing more specific Attributes or identity assertions. In fact, the importance of attributes kept recurring throughout CIS; Andrew Nash for example said at one point that "attributes are at least as interesting if not more so than identities".

[Now it has emerged during the debates that people might use the word "attribute" in slightly different ways. I said at CIS that I treat 'attributes', 'assertions' and 'claims' interchangeably; I think we should focus functionally on reliable exchange of whatever factoids a Relying Party needs to know about a Subject in order to be able to transact. I'll blog in more detail about Attributes shortly.]

To summarise my CIS talk:

Federated Identity is easier said than done. In response, we should drop down a level, and instead of trading in abstract high level identities, let's instead federate concrete component attributes. We don't really need Identity Providers as such; we need a marketplace of Attribute Providers from which Relying Parties can get exactly the right information they need to identify their users.


  • identities evolve over time in response to risk factors in the natural business environment; we need to understand why authentication has got the way it is before we rush in to federate disparate methods
  • identities appear to be "memetic", composed of heritable traits relating to business rules and practices, conventions, standards, regulations, technologies, algorithms, cryptographic parameters, form factors and so on
  • the dreaded identity silos are actually ecological niches; taking an identity from the context in which it evolved and using it in another is like taking a salt water fish and dropping it into a fresh water tank
  • if identity is memetic then we should be able to sequence digital identities into their constituent memes, and thence re-engineer them more carefully to match desired new applications
  • it is an over-simplification to think of a (one dimensional) identity spectrum; instead each RP's "identification" requirements are multi-dimensional, and best visualised as a surface.

Posted in Identity, Federated Identity, Cloud

The devil is in the legals

Many of the identerati campaign on Twitter and on the blogosphere for a federated new order, where banks in particular should be able to deal with new customers based on those customer’s previous registrations with other banks. Why, they ask, should a bank put you through all that identity proofing palava when you must have already passed muster at any number of banks before? Why can’t your new bank pick up the fact that you’ve been identified already? The plea to federate makes a lot of sense, but as I’ve argued previously, the devil is in the legals.

Funnily enough, a clue as to the nature of this problem is contained in the disclaimers on many of the identerati’s blogs and Twitter accounts:

"These are personal opinions only and do not reflect the position of my employer".

Come on. We all know that’s bullshit.

The bloggers I’m talking about are thought leaders at their employers. Many of them have written the book on identity. They're chairing the think tanks. What they say goes! So their blogs do in fact reflect very closely what their employers think.

So why the disclaimer? It's a legal technicality. A company’s lawyers do not want the firm held liable for the consequences of a random reader following an opinion provided outside the very tightly controlled conditions of a consulting contract; the lawyers do not want any remarks in a blog to be taken as advice.

And it's the same with federated identity. Accepting another bank's identification of an individual is something that cannot be done casually. Regardless of the common sense embodied in federated identity, the banks’ lawyers are saying to all institutions, sure, we know you're all putting customers through the same identity proofing protocols, but unless there is a contract in place, you must not rely on another bank's process; you have to do it yourself.

Now, there is a way to chip away at the tall walls of legal habit. This is going to sound a bit semantic, but we are talking about legal technicalities here, and semantics is the name of the game. Instead of Bank X representing to Bank Y that X can provide the "Identity" of a new customer, Bank X could provide a digitally notarised copy of some of the elements of the identity proofing. Elements could be provided as digitally signed messages saying "Here's a copy of Steve’s gas bill" or "Here's a copy of Steve’s birth certificate which we have previously verified". We could all stop messing around with abstract identities (which in the fine print mean different things to different Relying Parties) and instead drop down a level and exchange information about verified claims, or "identity assertions". Individual RPs could then pull together the elements of identity they need, add them up to an identification fit for their own purpose, and avoid the implications of having third parties "provide identity". The semantics would be easier if we only sought to provide elements of identity. All IdPs could be simplified and streamlined as Attribute Providers.

See also An identity claims exchange bus and Identity is in the I of the beholder.

Posted in Trust, Internet, Federated Identity

An algebra of identity

In my recent post "Identity is in the eye of the beholder" I tried to unpack the language of "identity provision". I argued that IdPs do not and cannot "provide identity" because identification is carried out by Relying Parties.

It may seem like a sterile view in these days of user-centric 'self narrated' and 'bring-you-own identities' but I think the truth is that identity (for the purposes of approving transactions) is actually determined by Relying Parties. The state of being "identified" may be assisted (to a very great extent) by information provided by others including so-called "Identity" Providers but ultimately it is the RP that identifies me.

I note that the long standing dramaturgical analysis of social identity of Erving Goffman actually says the same thing, albeit in a softer way. That school of thought holds that identity is an emergent property, formed by the way we think others see us. In a social setting there are in effect many Relying Parties, all impressing upon us their sense of who we are. We reach an equilibrium over time, after negotiating all the different interrelating roles in the play of life. And the equilibrium can be starkly disrupted in what I've called the "High School Reunion Effect". So we do not actually curate our own identities with complete self-determination, but rather we allow our identities to be moulded dynamically to fit the expectations of those around us.

Now, in the digital realm, things are so much simpler, you might even say more elegant in an engineering fashion. I'd like to think that the dramaturgical frame sets a precedent for thinking in terms of having identities impressed upon us. We should not take umbrage at this, and we should temper what we mean by "user centric" identities: it need not mean freely expressing all of our identities for ourselves, but allowing for the fact that identity is shaped by what others need to know about us. In a great deal of business, identities are completely defined (imposed) by what the RP needs to know.

For more precision, maybe it would be useful to get into the habit of specifying the context whenever we talk of a Digital Identity. So here's a bit of mathematical nomenclature, but don't worry, it's not strenuous!

Let's designate the identification performed by a Relying Party RP on a Subject S as IRP-S.

If the RP has drawn on information provided by one "Identity Provider" (running with the dominant language for now), then we can write the identification as a function of the IdP:

Identification = IRP-S(IdP)

But it is still true that the end-point of identification is reached by the RP and not the IdP.

We can generalise from this to imagine Relying Parties drawing on more than one IdP in reaching the point where the subject is identified, to the satisfaction of the RP:

Identification = IRP-S(IdP1, IdP2)

And then we could take things one step further, to recognise that the distinction between "identity providers" and "attribute providers" is arbitrary. Fundamentally identities and attributes are just pieces of information that factor into an RP's decision to accept or reject a Subject. So the most general formulation would show identification being a function of a number of attributes verified by the RP either for itself or on its behalf by external attribute providers:

Identification = IRP-S(A1, A2,..., A2)

(where the source of the attribute information could be indicated in various ways).

The work we're trying to start in Australia on a Claims Verification ecosystem reflects this kind of thinking -- it may be more powerful and more practicable to have RPs assemble their knowledge of Subjects from a variety of sources.

Posted in Language, Identity, Federated Identity

An Authentication Claims Exchange Bus

Last week I had the very great pleasure of participating in the first MIT Legal Hackathon, organised by Dazza Greenwood and Thomas Hardjono for the MIT Media Lab, Kerberos Consortium and wwPass. I say first because they plan to hold a monthly hangout! I hope and expect that this will become a strong, dynamic new forum for multi-disciplined explorations of Digital Identity.

In Dazza's wrap-up of the event, he pondered the potential for "open public infrastructure for identity":

... like a big bus of some sort for essential claims from public or other sources, utilised foundationally for identity functions."

His idea builds out logically from a proposed system of claims verification services that I presented to the hackathon, and blogged about a few weeks ago. So for discussion, here's a further development of the schematic. A variety claims verification services would be made available over a common bus as Dazza suggested, and used by a Relying Party to assemble the particular fractions of information they decide will make up a Subject's identity in a given transaction context.

Lockstep Identity Claims Bus after Dazza Greenwood 130203

Something I really I like about this architecture is that it supports several different modes of identification. For one, it could be used in real time by an RP faced with a fresh user for the first time; the RP could in real time seek out 'attribute providers' in the OIX or Identity Metasystem way of working. Alternatively, for well-worn e-commerce transactions where the necessary claims are well known in advance, the Subject could put together a basket of claims in advance and carry them in an identity wallet to be presented directly to the RP.

The diagram also shows a visualisation of the claims of interest to the RP for the transaction at hand, and the necessary degree of confidence i each of them (i.e. 90% in name, residential address and date of birth). I discussed this way of looking at different claims sets as surfaces in another blog last year.

As we rethink identity orthodoxies in forums like the MIT Legal Hackathon, I propose we shift perspectives a little. For instance:


  • We should drop down a level, and focus on ways to exchange information about elements of identity, rather than rolled-up "identities" themselves; that is, we should fractionate identity into its important component parts, guided by transaction context.

  • When building identification services frameworks, we should avoid imposing particular business protocols on organisations, so they remain free to select which claims and combinations of claims they want Subjects to exhibit.

  • We can avoid technicalities like the difference between "authentication" and "authorization", and indeed we can remove ourselves from the philosophical debates over "identity"; the proposal simply provides uniform market-based mechanisms for parties to assert and test elemental claims as a precursor to doing business.

  • Life looks much simpler under the neutral definition of "authentication" adopted by the APEC eSecurity Task Group over a decade ago: the means by which a receiver of an electronic transaction or message makes a decision to accept or reject that transaction or message.

None of this is actually radical. We've always thought about claims and attributes, all the authentication protocols deal with attributes, the good old Laws of Identity were actually all about claims, and there is infrastructure to deal with claims.

I think we just need to shift focus. We technologists shouldn't be so preoccupied with identity per se; let businesses continue to sort out identities as they see fit, and just give them the means to deal digitally with component claims. Let's not put IdPs ahead of APs. It may turn out we don't need IdPs at all. It's all about the claims, and only about the claims.

Comments welcome!

Posted in Identity, Federated Identity

Identity is in the eye of the beholder

That is to say, identity is in the eye of the Relying Party.

The word "identity" seems increasingly problematic to me. It's full of contradictions. On the one hand, it's a popular view that online identity should be "user centric"; many commentators call for users to be given greater determination in how they are identified. People like the idea of "narrating" their own identities, and "bringing their own identity" to work. Yet it's not obvious how governments, banks, healthcare providers or employers for instance can grant people much meaningful say in how they are identified, for it is the Relying Party that bears most risk in the event identification goes wrong. These sorts of organisations impress their particular forms of identity upon us in order to formalise the relationship they have with us and manage our access to services.

The language of orthodox Federated Identity institutionalises the idea that identity is a good that is "provided" to us through a supply formal chain elaborated in architectures like the Open Identity Exchange (OIX). It might make sense in some low risk settings for individuals to exercise a choice of IdPs, for example choosing between Facebook or Twitter to log on to a social website, but users still don't have much influence on how the IdPs operate, nor on the decision made by Relying Parties about which IdPs they elect to recognise. Think about the choice we have of credit cards: you might for instance prefer to use Diners Club over MasterCard, but if you're shopping at a place that doesn't accept Diners, your "choice" is constrained. You cannot negotiate in real time to have the store accept your chosen instrument (instead your choice is to get yourself a MasterCard, or go to a different store).

I think the concept of "identity" is so fluid that we should probably stop using it. Or at least use it with much more precision.

I'd like you to consider that "Identity Providers" do not in fact provide identity. They really can't provide identity at all, but only attributes that are put together by Relying Parties in order to decide if a user or customer is legitimate. The act of identification is a core part of risk management. Identification means getting to know a Subject so as to make certain risks more manageable. And it's always done by a Relying Party.

An issued Digital Identity is the outcome of an identification process in which claims about a Subject are verified, to the satisfaction of the Relying Party. An "identity" is basically a handle by which the Subject is known. Recall that the Laws of Identity usefully defined a Digital Identity as a set of claims about the Digital Subject. And we all know that identity is highly context dependent; on its own, an identity like "Acct No. 12345678" means little or nothing without knowing the context as well.

This line of reasoning reminds me once again of the technology neutral, functional definition of "authentication" used by the APEC eSecurity Task Group over a decade ago: the means by which a receiver of an electronic transaction or message makes a decision to accept or reject that transaction or message. Wouldn't life be so much simpler if we stopped overloading some bits of authentication knowledge with the label "identity" and going to such lengths to differentiate other bits of knowledge as "attributes"? What we need online is better means for reliably conveying precise pieces of information about each other, relevant to the transaction at hand. That's all.

Carefully unpacking the language of identity management, we see that no Identity Provider ever actually "identifies" people. In realty, identification is always done by Relying Parties by pulling together what they need to know about a Subject for their own purposes. One IdP might say "This is Steve Wilson", another "This is Stephen Kevin Wilson", another "This is @Steve_Lockstep", another "This is Stephen Wilson, CEO of Lockstep" and yet another "This is Stephen Wilson at 100 Park Ave Jonestown Visa 4000 1234 5678 9012". My "identity" is different at every RP, each to their need.

See also An Algebra of Identity.

Remember the practical experience of IdPs. Despite a decade of hard work, there are still no Relying Parties accepting general purpose identities at LOA 3 or LOA 4. For high risk transactions, RPs like banks and government agencies still prefer to issue their own identities. Seamless operation of IdPs -- where an RP can accept an identity from an external IdP without checking any other authentication signals -- only works at LOA 0, where Identity Providers like Twitter and Facebook don't know who you really are, and the Relying Party doesn't care who you are. And at intermediate levels of risk, we sometimes see the crazy situation where RPs seek to negotiate LOA "one and a half" because they're not satisfied by the assurances provided by IdPs at vanilla LOA 1 and LOA 2. Customising identities makes a mockery of federation and creates new contractual silos.

So much of this complexity would melt away if we dropped down a level, federated concrete attributes instead of abstract "identities", re-cast IdPs as Attribute Providers, stopped trying to pigeonhole risk and identity, and left all RPs free to identify their users in their own unique contexts.

Posted in Language, Identity, Federated Identity

Don't mix business and pleasure

At the recent Gartner Identity & Access Summit, analyst Earl Perkins spoke of the potential for Facebook to be used as an enterprise IdP. I'd like to see these sorts of speculations dampened a little by filtering them through the understanding that identity is a proxy for relationship.

Here's the practical difficulty that shows why we must reframe what we're talking about. If Facebook were to be an Identity Issuer, they would have to be clear about what enterprises really need to know about their staff, customers, partners and so on. There is no standardised answer to that; every business gets to know its people in their own peculiar ways. Does Facebook with its x-ray vision into our personal lives have anything to offer enterprises? If we work out which assertions might be vouched for by Facebook, how would they be underwritten exactly?

And I really mean exactly because liability is what kills off most identity federations. The idea of re-using identity across contexts is easier said than done. Banks have tried and tried again to federate identities amongst themselves. The Australian experience (of Trust Centre and MAMBO) was that banks find it too complex to re-use each others' issued IDs because of the legal complexity, even when they're all operating under the same laws and regulations! So how on earth will business make the jump to using Facebook as an IdP when they have yet to figure out banks as IdP?

I'd surely like to hear from Facebook themselves about how they see their IdP business developing. They're being very coy about even the early forays like Facedeals, which is using biometric data from Facebook to check people into stores by facial recognition. It's a pretty serious app, with very serious privacy ramifications, amplified by the fact that German regulators have thrown the book at Facebook for being underhanded with photo tagging. Under the circumstances, I would have expected Facedeals to have a Privacy Policy, and Facebook to make some public announcements about how they support the third party consumption of their biometric templates. But no, neither has happened.

The old saw don't "Mix Business And Pleasure" turns out to predict the cyber world challenges of bringing social identities and business identities together. I have concluded that identity is metaphorical. Each identity is really a proxy for a relationship, and most of our intuitions about identity need to be reframed in terms of relationships. We're not talking simply about names! The types of relationship we entertain socially (and are free to curate for ourselves) may be fundamentally irreconcilable with the identities provided to us by businesses as a way to manage their risks, as is their prerogative.

Posted in Social Networking, Identity, Federated Identity