One of the reasons that digital identity can be such a challenging topic to address is that we all swim in the sea of identity every day. We don't think about what is really going in the transactions....and many different aspects of a transaction can all seem do be one thing. The early Identity Gang conversations focused a lot on figuring out what some core words meant and developed first shared understanding and then shared language to talk about these concepts in the community.
I'm writing this post now for a few reasons.
There is finally a conversation about taxonomy with the IDESG - (Yes! after over a year of being in existence it is finally happening (I recommended in my NSTIC NOI Response that it be one of the first things focused on)
Secondly I have been giving a 1/2 day and 1 day seminar about identity and personal data for several years now (You can hire me!). Recently I gave this seminar in New Zealand to top enterprise and government leaders working on identity projects 3 times in one week. We covered:
- The Persona and Context in Life
- The Spectrum of Identity
- What is Trust?
- A Field Guide to Internet Trust
- What is Personal Data
- Market Models for Personal Data
- Government Initiatives Globally in eID & Personal Data
I created a new section of this presentation to cover some core concepts that I realized needed to be fully articulated to talk about
Identifiers are pointers.
A description of an object and a location can be an identifier for it - "The green chair in the corner."
Names are identifiers.
The names of people are ways to identify them in the context of the society in which they live. Different societies have different conventions for naming people.
Names are asserted by people about themselves.
Some people use different names in different contexts.
Names are often not unique (that is more then one person will have the same name as another person).
Identifiers in modern systems
In modern society governments, organizations and businesses all provide services to people (citizens). If names are not unique the builders of these systems needed to figure out how to identify them to do the record keeping. A sensible solution to this was to assign a unique identifier number to people so that interactions between the person and the system could be correlated.
An identifier that people in the United States have to track their engagement with the pension system is the Social Security Number. It is issued or assigned to people by the Social Security Administration. Today it is common practice for this number to be issued at birth to babies born in the US. People born outside of the US who come to the country can apply to get a number.
It is normal practice to register children's births with the jurisdiction in which they are born. A form is filled out by the parents and signed by a physician and submitted. Then a birth certificate is issued. The birth certificate has a serial number on it that identifies it as a unique document.
Note: Billions of people world wide do NOT have this type of document.
Companies issue numbers to their customers to track them and their interactions with a company. When you call a company to interact with them they ask you what your customer number is. The bar code on loyalty cards encodes a customer number and when they scan it with a purchase - which then links that purchase with prior ones.
Identifiers with End-Points (Digital Identifiers)
The above type of identifiers that are issued by bureaucratic systems that point to particular people. They are however not end-points on a network. Information can not be sent to them. The person who the identifier points at can not do a technical authentication to prove that indeed at the end of the end point to receive the information.
One type of network with an end-points that we are familiar with is relatively modern but presides electronic networks is the street address system. Integrity in this system is backed up by laws in the US that impose sever consequences for its use for fraudulent purposes. It is also illegal to open mail not addressed to you.
In electronic systems we have identifiers that point to people and are end points. These include phone numbers, e-mail addresses, debit card numbers, employee login's etc. Information is sent to these identifiers and access to resources is available via the end-point. To protect the information, to make sure it is only seen by the person who it was for (the person that the identifier points at) and only that person can access resources. These electronic systems support the person claiming they are indeed the person that a particular identifier points at - proving they are that person. This requires that systems provide ways to do Technical Authentication AuthN.
This can be done in a variety of ways - sharing a secret only they know (password or PIN), sharing a changing secret that only they have access to it (a code that changes on a token or in software generating a one time password), scanning a body part to see if it matches the body part that matches one that was enrolled, having a thing that only they have (a phone with the SIM card in it, a debit card). Different types of technical authentication are possible for different systems but they have the basic function of supporting the person who the identifier points at being able to prove to the system that they are the person a particular identifier points at.
More sophisticated systems issue both a "core" identifier that is the primary pointer at a particular person AND a different identifier that is an authentication end-point. This has an advantage because if control over the authentication end-point is lost then it can be re-issued but the core identifier stays the same.
Attributes are things about a person (or an entity).
They include personal details like birthday, age, gender, residence, place of work, income, preferences and habits, credentials from educational institutions, record of employment.
Claims can include identifiers (both authenticatable end-points, identifiers that are not end-points / not resolvable) and attributes.
Proofing / Verification
This is the process where the certain things that you claim about yourself are checked to see if the assertions line up with how you presented yourself in the past or how facts about you were recorded in record keeping systems.
One way that proofing is done is the presentation in person of formal government issued paperwork that affirm certain claims: a birth certificate asserts a birth date, a passport asserts citizenship, and has a photo asserting likeness, a drivers license has a photo for asserting likeness, a residential address (asserted by the person when getting the license),
Another way to do proofing is to look up claims by people about themselves in databases managed by data brokers.
This is the process where documents presented can checked to see if they are valid - were in fact issued by the authority and the name on the presented document matches the one on file. These are typically set up so that the person viewing a document presented by an individual can type in the document information, serial number, birthdate, name and find out via a yes-no answer if it is a valid document.
The e-verifiy program for employers is a system designed to do this. It should be noted that this process does have negative impact on particularly transgender people who have hidden their gender at birth from their employer and who are rejected by the system when the gender they present to their employer does not match the one in the social security administration records.
This is the process that people go through to be issued an identifier in a system. This is true for identifiers with and with-out Authentication end-point. What information do they need to present? How is it checked or verified? Do they need to it in person? Does it involve the collection of a biometric (photo, fingerprint, iris scan)? The end result of an enrollment process is the issuance of an identifier and often some type of credential that can be used to authenticate into a system. For example: a student ID card at a university has a student number on it AND a magnetic stripe (with an identifier for that particular card) that can be used to authenticate (via swiping it in a card reader) the student to gain access to the student dorm one lives in or libraries on campus.
Authentication - AuthN
This is what happens after one is enrolled in a system and an individual has an end-point that they want to use - they have to Authenticate via any one of a number of methods to prove they are indeed the person who set up the account or was issued the identifier.
(repeated from above) This can be done in a variety of ways - sharing a secret only they know (password or PIN), sharing a changing secret that only they have access to it (a code that changes on a token or in software generating a one time password), scanning a body part to see if it matches the body part that matches one that was enrolled, having a thing that only they have (a phone with the SIM card in it, a debit card). Different types of technical authentication are possible for different systems but they have the basic function of supporting the person who the identifier points at being able to prove to the system that they are the person a particular identifier points at.
Authorization - AuthZ
Once Authentication is done in a digital system the question is what resources can be accessed and what can be done to them (just read them, read and write them, delete them) - What is Authorized.
One way Authorization is managed is by defining roles and determining access based on roles.
More definitions to come soon include : Delegation, Triangulation, Persona, Role, Context