Anil John
Making Digital Services Secure and Trustworthy

If Identity is the New Money, Standardized Assurance is the Currency of Trust

Many of the current conversations about identity are triggering echoes in my mind of the Cycle of Time quote from Battlestar Galactica: “All of this has happened before, and all of it will happen again.” So in the interest of not reinventing the wheel, I wanted to provide pointers to some existing definitions regarding Assurance Concepts and Trust Frameworks that could serve as the foundation for meaningful conversations.

The phrase “Identity is the New Money” is something I saw first on Dave Birch’s blog post and the concept became much more real to me when he provided a synopsis of a recent SXSW Session on “Identity+30” by Sam Lessin, Head of the Identity Product Group at Facebook. It yielded some very interesting insights about the role of identity at some of the big players in the industry, and how it is driving their current behaviour.

At the same time, in order to get to an operational “trust and trade layer” leveraging the social graph and/or credentials, standardized identity assurance is needed as the currency of trust. As such, clarity on assurance and related aspects is foundational to understanding the big picture.

Unfortunately, this is where I see a lot of re-inventing the wheel happening these days.

So, if you are looking for a model on assurance and related concepts, a good place to start is the definitions in the Pan-Canadian Assurance Model. [Credit to Tim Bouma from Canada TBS who put the above model together, and from whom I got the phrase “standardized assurance is the currency of trust”] The only minor terminology issue I have with the Pan-Canadian Assurance Model is their use of “Credential” instead of “Token”.

As to the definition of a Trust Framework, I like the one from the American Bar Association’s Federated Identity Management Legal Task Force:

An Identity Trust Framework is the governance structure for a specific identity system consisting of:

  • the Technical and Operational Specifications that have been developed
    • to define requirements for the proper operation of the identity system (i.e., so that it works),
    • to define the roles and operational responsibilities of participants, and
    • to provide adequate assurance regarding the accuracy, integrity, privacy and security of its processes and data (i.e., so that it is trustworthy); and
  • the Legal Rules that govern the identity system in order to
    • regulate the content of the Technical and Operational Specifications,
    • make the Technical and Operational Specifications legally binding on and enforceable against the participants, and
    • define and govern the legal rights, responsibilities, and liabilities of the participants of the identity system.

What Is an Identity Trust Framework? (PPT)

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

I am a public interest technologist. I help organizations and leaders make digital services secure and trustworthy.