An Authentication Claims Exchange Bus

Last week I had the very great pleasure of participating in the first MIT Legal Hackathon, organised by Dazza Greenwood and Thomas Hardjono for the MIT Media Lab, Kerberos Consortium and wwPass. I say first because they plan to hold a monthly hangout! I hope and expect that this will become a strong, dynamic new forum for multi-disciplined explorations of Digital Identity.

In Dazza’s wrap-up of the event, he pondered the potential for “open public infrastructure for identity”:

… like a big bus of some sort for essential claims from public or other sources, utilised foundationally for identity functions.”

His idea builds out logically from a proposed system of claims verification services that I presented to the hackathon, and blogged about a few weeks ago. So for discussion, here’s a further development of the schematic. A variety claims verification services would be made available over a common bus as Dazza suggested, and used by a Relying Party to assemble the particular fractions of information they decide will make up a Subject’s identity in a given transaction context.

Something I really I like about this architecture is that it supports several different modes of identification. For one, it could be used in real time by an RP faced with a fresh user for the first time; the RP could in real time seek out ‘attribute providers’ in the OIX or Identity Metasystem way of working. Alternatively, for well-worn e-commerce transactions where the necessary claims are well known in advance, the Subject could put together a basket of claims in advance and carry them in an identity wallet to be presented directly to the RP.

The diagram also shows a visualisation of the claims of interest to the RP for the transaction at hand, and the necessary degree of confidence i each of them (i.e. 90% in name, residential address and date of birth). I discussed this way of looking at different claims sets as surfaces in another blog last year.

As we rethink identity orthodoxies in forums like the MIT Legal Hackathon, I propose we shift perspectives a little. For instance:

 

    • We should drop down a level, and focus on ways to exchange information about elements of identity, rather than rolled-up “identities” themselves; that is, we should fractionate identity into its important component parts, guided by transaction context.

 

    • When building identification services frameworks, we should avoid imposing particular business protocols on organisations, so they remain free to select which claims and combinations of claims they want Subjects to exhibit.

 

    • We can avoid technicalities like the difference between “authentication” and “authorization”, and indeed we can remove ourselves from the philosophical debates over “identity”; the proposal simply provides uniform market-based mechanisms for parties to assert and test elemental claims as a precursor to doing business.

 

    • Life looks much simpler under the neutral definition of “authentication” adopted by the APEC eSecurity Task Group over a decade ago: the means by which a receiver of an electronic transaction or message makes a decision to accept or reject that transaction or message.

 

None of this is actually radical. We’ve always thought about claims and attributes, all the authentication protocols deal with attributes, the good old Laws of Identity were actually all about claims, and there is infrastructure to deal with claims.

I think we just need to shift focus. We technologists shouldn’t be so preoccupied with identity per se; let businesses continue to sort out identities as they see fit, and just give them the means to deal digitally with component claims. Let’s not put IdPs ahead of APs. It may turn out we don’t need IdPs at all. It’s all about the claims, and only about the claims.

Comments welcome!