Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Forget Identity!

I was selected in a call-for-papers to present my ecological theory of digital identity to the Australian Information Security Association 2013 annual conference. My talk was titled as a gentle provocation: "Forget identity!"

Introduction
There is nothing more personal than identity. And until recently, there was nothing less personal than the Internet! So identity has become something of an obsession.
A merry band of (mostly) engineers dubbed the "Identerati" have spent 10 or 15 years working hard to reinvent it. They've felt the need to write "Laws of Identity". They've developed numerous standards and protocols, created a new security industry sub-sector, forged several private-public coalitions, and even convinced President Obama to put his name to a "National Strategy for Trust Identities in Cyberspace". Much of this work, especially on authorisation protocols, has been invaluable, and is already cemented into our daily experience of the Internet.
This Federated Identity – the idea that an identity created in one context can and should be used in other settings, in order to save time and costs – has become an orthodoxy. But I'm afraid it's based on some false intuitions. Digital Identity is not what many people think it is, and in fact it might be best that we forget all about "identity".
Identity federation is a well meaning response to the important problems we have with online authentication, but it embodies a flawed intuition that identity is a thing that keeps much the same shape in all contexts. Identity is actually more abstract than that; it's a proxy for the relationship we have with those who know us. Digital Identity is a metaphor for the things that people need to know about each other. Identity means different things to different Relying Parties.
On the launch of the US Strategy for Trusted Identities in Cyberspace (NSTIC), White House Security Adviser Howard Schmidt blogged enthusiastically about the potential of high grade authentication, extrapolating from the experience of social logon. It's not that simple.

Conclusions
Identities evolve! We cannot hope to shift identities across contexts if we don't fully account for the natural histories that made them they way they are today, suited to their original contexts.
Context has always featured in identity theory but the practice of Federated Identity has tended to lose touch with the idea. Ecological thinking helps to give context its proper importance. Context is king!
Identity is "in the eye of the beholder", that is, the Relying Party. Identity means different things to different RPs; each RP has its own particular identification needs that address local risks.
Federated Identity has us think globally but Relying Parties will always act locally. No body can force an RP to accept an externally issued identity if the RP's risks are not accounted for. Identification is ultimately performed by the RP, not the IdP. Therefore, in a sense, there are no "Identity Providers", only Attribute Providers, which serve to help RPs ascertain what they really need to know about their users.