When does a key become an identifier?


I wonder ...

Is a passport an "identifier"?
Is a drivers licence an identifier?
Is a credit card an identifier?
Is a professional membership card an identifier?
Is a building access card an identifier?
Is a house key an identifier?
Is a car key an identifier?

Or putting the questions another way ...

Is a car key a "key"?
Is a house key a key?
Is a building access card a key?
Is a professional membership card a key [to access an association]?
Is a bank card a key [to a payments system]?
Is a drivers licence a key [to access the privileges of road usage]?
Is a passport a key [to enter another country]?

I look in my wallet and I see a host of plastic cards that are viewed by many people as identity documents. In Australia we have regulations that formally score the "strength" of most of my cards as proof of identity. And so the urge has arisen to try and "federate identities", in order (it is claimed) to streamline access to third party services that are unrelated to the purposes for which my various identities were originally issued.

In stark contrast I look at my keyring and I see, well, keys. None of them can be presented as "identities" to third parties.

Yet there are some gadgets on my key ring that are thought to be pushing the envelope, like USB dongles and SecurIDs issued for very specific purposes to access particular services.

Most of the cards in our wallets actually represent very precise relationships between us and their respective issuers. A card is issued as evidence of the bearer having met a prescribed set of requirements, including typically a promise to comply with certain Ts&Cs when using the card. As such, they are much more like keys than "identities".

Maybe we should revisit the intuition that identities can (and should) be federated? I am not sure it is any more logical to federate a bank card, a Medicare card and a security association membership card, than it is to "federate" a car key, a house key and an office key. What new type of mathematics could yield a meaningful answer to the equation:

Car Key House Key Office Key = X

Comments

Who owns your identity?

Interesting point of view, Stephen. Even more interesting question is who actually owns your identity? Those who want to federate it? If so, which one of those service providers can claim 'primary' ownership? And when is it that such 'ownership' starts infringing on your right as an individual to own and manage your 'identity', or the multiples of it? Accessing services is one issue, 'federating' information on your behaviour in utilising those services is another kettle of fish altogether.

Stephen & ja - useful

Stephen & ja - useful thinking. A question instead of an answer to start off with.

By talking "identifier" are we starting in the right place?

We are really talking about a subset of the concept "assertion". I assert I have the right to enter this house (I am presenting this key that will let me in); I assert that I am allowed to enter this work place (I present my photo pass or building key); I assert that I have the right to withdraw money from this bank account online (I insert the mag stripe card into the ATM combined with the PIN - ie here 2 factors are being presented for authentication - something I have & something I know).

Each of these assertions is then authenticated in some way. The door lock has a series of delicate pins that test the peaks & troughs on the inserted key to see if they match the allowed combination that means the barrel in the lock can be turned; the ATM support process tests if the card has been revoked & whether the PIN is correct etc.

An assertion about identity is just a subset of this concept. I assert that I am Malcolm by showing my Australian Passport & then some authentication processes kick in, including the Customs folk looking at the photo & comparing it with the face in front of them plus checking the passport machine readable data against a database including my acceptability to enter the country etc.

Some of the things that present these assertions about identity are called identifiers.

While the question asked by Stephen at the end, ie what is the mathematical operator in the equation probably shows that it is not answerable, is there a better way of formulating the issue?

For example, maybe the equation is:

I present this assertion + another party has backed/authenticated the assertion = the degree of confidence that the other party (OR any other party) might place in that assertion.

In other words, under the right conditions, one bank might decide to rely on an assertion that is then authenticated by another bank but might think it too risky to rely on the same assertion if it was only authenticated by the Road Traffic Authority.

Or to put it yet another way, this is all about risk management by all of the parties concerned, each of whom makes risk based decisions on whether to engage.

If this is a useful way to think about the topic, then 'federation' may be a useful term for some people to consider the matter. Indeed, projects like Liberty Alliance have put in mountains of effort into 'federated identity'. However, it is even more useful to stay well grounded in the underlying objective - risk management.

The problems arise when only one of the parties is able to understand & reduce their risk by such a process especially if in doing so, they increase the risks faced by the other parties. Far too many "identity management" processes do just this. Hence it is hardly surprising that other parties have been saying, in effect "no deal" and "user centric ID management" has become the catch cry .....

Malcolm

It's not broke, don't fix it.

Every day thousands of different institutions answer this question for themselves according to their own requirements. A bank requires a higher level of identity to open an account than a card holder needs to make a purchase at a supermarket - so what? Practices evolve to the satisfaction of everyone. They don't need a government to make the decision of which documents they'll accept or not, they'll assess their own risks and consumers will make their own decisions based on that. If one bank starts demanding your grandmother's birth certificate and a phial of blood to open a new account then it'll find itself going out of business pretty quick.

The public already pay through the nose for driving licenses and passports, which are accepted by pretty much everyone as proof of identity, so why is yet another card needed? Firms and individuals are best placed to make their own decisions about how much identity information they require to complete a transaction and any heavy handed government intervention in this field simply slows down everything and drowns everyone in red tape. It doesn't need a rigorous mathematical base, any more than a cricketer needs to know calculus to catch a falling ball. People's identities don't need to be 'federated'. The state is the servant of the people, the people are not vassals of the state.

Nick Mallory wrote:

"People's identities don't need to be 'federated'" ... I agree but perhaps for different reasons. My argument to start with was that there is an intuition amongst those that lean towards federation that identities can be aggregated as if there is a calculation that says "ID1 + ID2 + ID3" = something sensible. I seriously doubt that this maths is possible -- you cannot meaningfully "add" apples and oranges!

But here is where we may differ. Nick also wrote that:

"The public already pay through the nose for driving licenses and passports, which are accepted by pretty much everyone as proof of identity, so why is yet another card needed?"

There is a serious category error at play when people think of driver licences as proof of ID. And I am not thinking of the nice criticism that drivers licences were only ever meant to be proof of one's permission to drive a car.

Yes, licences are widely accepted as "identity" when enrolling for a new service (as in the classic case of video store membership). But they are not your identity as a video store member. For that, you have a new membership card. So there is no long lasting "federation" of driver licence with the video store.

A less trivial example is your identity as an employee of Company X. Most HR departments like to see your driver licence on your first day on the job, to make sure they get your legal name correct. But thereafter, you carry an ID Badge for Company X. That's your identity in that context. You don't present your driver licence to get in the door of your own company.

The question implicit in federation debates is How many identities do we need? Well it depends on how you live your life. When you change jobs and go to Company Y, you really do have a new identity. And this is a good thing.

Likewise, one's identity as a bank account holder is quite different from one's identity as an employee. Try this thought experiment: Your identity as an employee of Company Z is destroyed suddenly one morning when you are made redundant. How would you like your bank to know about this state of affairs right away, before you've had a chance to make plans, evaluate your options, get another job? Your right to privacy could be deeply affected in a world where we arbitrarily hang different identities off the one handle.

But I digress. Beware the category error in identity. I definitely agree that we don't need a new all-purpose proof-of-personal-identity (like an Australian Card). But we do need identity frameworks (like the Microsoft-developed Identity Metasystem aka CardSpace) that permit as many "identities" as there are contexts in which we assert ourselves.

Cheers,

Stephen Wilson.