Updated with a link, August 30, 2022.
On one of the identity industry mail lists recently, noted standards author Joanne Knight remarked:
“I replaced ‘identity’ throughout the document with ‘attribute’ and barring a few grammar issues everything still works. Makes me now question what I do for a living ;-)”. See IETF Vectors of Trust email archive.
This tells me we’re getting warm.
Seriously, when will identity engineers come round and do just that: dispense with the word “identity”? We don’t need to change our job descriptions or re-badge the whole “identity management” sector but I do believe we need to stop saying things like “federate identity” or “provide identity”.
The writing has been on the wall for some time.
- As Andrew Nash, CEO of Confyrm Inc. said at the Cloud Identity Summit in 2014, “attributes are more interesting than identity”. The same goes for relationships: witness the Identity Relationship Management (IRM) movement.
- The leading IDAM industry body, the FIDO Alliance, is conspicuously not doing identity but only authentication (of attributes).
- An identity stack is emerging where relationships and abstract identities are layered on top of concrete attributes and signals.
- The problem we’re trying to solve is shifting sharply from “Who are you?” to “What are you?”.
- I’ve been advocating that we drop down a level and try federating attributes instead.
“Identity” is actually a macro for how a Relying Party (RP) knows each of its Subject. Identification is the process by which an RP is satisfied it knows enough about a Subject — a customer, a trading partner, an employee and so on — that it can deal with that Subject with acceptable residual risk. Identification is just the surface of the relationship between Subject and RP. The risks of misidentification are ultimately borne by the RP — even if they can be mitigated to some extent through contracts with third parties that have helped the RP establish identity.
The most interesting work in IDAM (especially the “Vectors of Trust” or VoT, initiated by Justin Richer) is now about better management of the diverse and context-dependent signals, claims and/or attributes that go into a multivariate authentication decision. And that reminds me of the good old APEC definition of authentication — “the means by which a receiver of an electronic transaction or message makes a decision to accept or reject that transaction or message” — which notably made no mention of identity at all!
We really should now go the whole way and replace “identity” with “attributes”. In particular, we should realise there are no “Identity Providers” — they’re all just Attribute Providers. No third party ever actually “provides” a Subject with their identity; that was a naive industrial sort of metaphor that reduces identity to a commodity, able to be bought and sold. It is always the Relying Party that “identifies” a Subject for their (the RP’s) purposes. And therefore it is the Relying Party that bestows identity.
The mangled notion of “Identity Provider” seems to me to have contaminated IDAM models for a decade. Just think how much easier it would be to get banks, DMVs, social networks, professional associations, employers and the rest to set up modest Attribute Providers instead of grandiose and monopolistic Identity Providers!
As Yubico CEO Stina Ehrensvard says, “any organization that has tried to own and control online identity has failed”.
There’s a simple reason for that: identity is not what we thought it was. As we are beginning to see, if we did a global replace of “identity” with “attribute”, all our technical works would still make sense. The name change is not mere word-smithing, for the semantics matter. By using the proper name for what we are federating, we will come a lot closer to the practical truth of the identity management problem, and after reframing the way we talk about the problems, we will solve them.