Customer, How do I know thee?

One of the main contentions of the Identity Metasystem, NSTIC and like models is that banks, governments, telcos, universities and so on will be able to generalise their roles as Identity Provider, so that their customers can use their identities with other system participants. See for example “Envision it” No. 5 in the NSTIC strategy paper:

Ann learns that her recently issued bank card and her new university card are both Identity Ecosystem-approved credentials. She also discovers that her email provider and social networking site accept both of these credentials, while her health care provider and local utility companies accept the higher assurance bank card.

I agree it’s useful to model banks and other institutions as issuing identities to their customers, but it’s only a model. “Identity” is really a metaphor here; to be precise, digital identities are proxies for the relationships that certain organisations have with their members or customers. They cannot be taken out of their traditional contexts and bent without limit to suit other contexts without eventually breaking them. The identities issued by banks are special purpose and cannot be easily opened up to new Relying Parties. Past attempts to open up banking identities and federate them into other domains — like the Australian Trust Centre and the Internet Industry Association Two Factor Authentication hub — could not convince banks that the risks were manageable while delivering a positive nett benefit.

There is a promise in many federated identity formulations — like NSTIC — that banks will be able to become IdPs for external Relying Parties, based on the fact that they already know their customers so well, and the system will provide arrangements for others to rely on that knowledge. How would that work in detail?

A would-be IdP must work out what knowledge it has about its customers that it is prepared to warrant to outside RPs, for what purpose, and with what limitations. At present, a bank knows its customers with sufficient precision to suit its own purposes (and its banking regulators). But underwriting identity assertions for the benefit of outsiders brings new risks to the bank that it has never before had to contemplate.

If the bank wants to productise the identification of its customers, then it needs to analyse its liability in the event that transactions go wrong between its customers and those external RPs. This is a tough problem when the bank has no necessary connection with those RPs, nor any control over the transactions. Of course, the bank might seek to gain some control by qualifying just what it is that its customers are allowed to do with their bank-issued identities. But then this starts to look like the fine print that helped to sink Big PKI over a decade ago.

I reckon that the cost of even analysing the risks, much less putting new contractual (or legislated) liability arrangements in place, will outweigh the cost of merely maintaining the diverse and separately evolved identities we have today. There is a middle road, where IdPs could qualify what their identities are good for (e.g. Bank A might support Health Care Providers P, Q, T and W and no others), but this would significantly dilute and devalue the vision of NSTIC. It’s not what the strategy promotes.