In my recent post “Identity is in the eye of the beholder” I tried to unpack the language of “identity provision”. I argued that IdPs do not and cannot “provide identity” because identification is carried out by Relying Parties.
It may seem like a sterile view in these days of user-centric, ‘self-narrated’ and ‘bring-your-own’ identities, but I think the truth is that identity (for the purposes of approving transactions) is actually determined by Relying Parties. The state of being “identified” may be assisted (to a very great extent) by information provided by others, including so-called “Identity” Providers, but ultimately it is the RP that identifies me.
I note that Erving Goffman’s long-standing dramaturgical analysis of social identity actually says the same thing, albeit in a softer way. That school of thought holds that identity is an emergent property, formed by the way we think others see us. In a social setting there are in effect many Relying Parties, all impressing upon us their sense of who we are. We reach an equilibrium over time, after negotiating all the different interrelating roles in the play of life. And the equilibrium can be starkly disrupted in what I’ve called the “High School Reunion Effect”. So we do not actually curate our own identities with complete self-determination, but rather we allow our identities to be moulded dynamically to fit the expectations of those around us.
Now, in the digital realm, things are so much simpler, you might even say more elegant in an engineering fashion. I’d like to think that the dramaturgical frame sets a precedent for thinking in terms of having identities impressed upon us. We should not take umbrage at this, and we should temper what we mean by “user centric” identities: it need not mean freely expressing all of our identities for ourselves, but allowing for the fact that identity is shaped by what others need to know about us. In a great deal of business, identities are completely defined (imposed) by what the RP needs to know.
For more precision, maybe it would be useful to get into the habit of specifying the context whenever we talk of a Digital Identity. So here’s a bit of mathematical nomenclature, but don’t worry, it’s not strenuous!
Let’s designate the identification performed by a Relying Party RP on a Subject S as IRP-S.
If the RP has drawn on information provided by one “Identity Provider” (running with the dominant language for now), then we can write the identification as a function of the IdP:
Identification = IRP-S(IdP)
But it is still true that the end-point of identification is reached by the RP and not the IdP.
We can generalise from this to imagine Relying Parties drawing on more than one IdP in reaching the point where the subject is identified, to the satisfaction of the RP:
Identification = IRP-S(IdP1, IdP2)
And then we could take things one step further, to recognise that the distinction between “identity providers” and “attribute providers” is arbitrary. Fundamentally identities and attributes are just pieces of information that factor into an RP’s decision to accept or reject a Subject. So the most general formulation would show identification being a function of a number of attributes verified by the RP either for itself or on its behalf by external attribute providers:
Identification = IRP-S(A1, A2, …, An)
(where the source of the attribute information could be indicated in various ways).
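To make the general formulation concrete, here is a small model of IRP-S(A1, …, An), added for this post rather than taken from any real system: each attribute carries the source that verified it, each RP states what it needs to know and whose word it accepts, and the identification decision is reached by the RP alone. The provider names, policies and claims are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Attribute:
    """One verified piece of information about Subject S, tagged with who verified it."""
    name: str
    value: str
    source: str  # "RP" when the RP verified it itself, otherwise the external provider's id


@dataclass
class RPPolicy:
    """What this RP needs to know about S, and which sources it trusts for each item."""
    required: List[str]
    trusted_sources: Dict[str, Set[str]]


def identify(policy: RPPolicy, attributes: List[Attribute]) -> Optional[Dict[str, str]]:
    """I_RP-S(A1, ..., An): the RP's own identification of S.

    Returns the RP's assembled view of S, or None when the RP is not satisfied.
    Providers only contribute inputs; the end-point of identification is the RP's.
    """
    view: Dict[str, str] = {}
    for name in policy.required:
        accepted = {a.value for a in attributes
                    if a.name == name and a.source in policy.trusted_sources.get(name, set())}
        if len(accepted) != 1:  # missing, from an untrusted source, or trusted sources disagree
            return None
        view[name] = accepted.pop()
    return view


# Constructed sample: two external providers (IdP1, IdP2) plus one attribute the RP verified itself.
CLAIMS = [
    Attribute("email", "s@example.com", source="IdP1"),
    Attribute("age_over_18", "true", source="IdP2"),
    Attribute("customer_number", "C-1001", source="RP"),
]

# Three hypothetical RPs looking at the same Subject; each defines identity by what it needs.
BANK = RPPolicy(required=["email", "age_over_18", "customer_number"],
                trusted_sources={"email": {"IdP1"}, "age_over_18": {"IdP2", "RP"}, "customer_number": {"RP"}})
FORUM = RPPolicy(required=["email"], trusted_sources={"email": {"IdP1", "IdP2"}})
STRICT = RPPolicy(required=["age_over_18"], trusted_sources={"age_over_18": {"RP"}})  # will not take IdP2's word

if __name__ == "__main__":
    for label, rp in [("bank", BANK), ("forum", FORUM), ("strict", STRICT)]:
        print(label, identify(rp, CLAIMS))
```

The same attribute set yields three different outcomes, and the STRICT RP never identifies S at all, which is the point: the IdPs supplied A1…An, but only the RP decides whether identification has been reached.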
The work we’re trying to start in Australia on a Claims Verification ecosystem reflects this kind of thinking — it may be more powerful and more practicable to have RPs assemble their knowledge of Subjects from a variety of sources.