Identity Establishment, Verification and Validation
I believe that that there is a role for the public sector in the establishment of identity. Depending on the audience, that statement is sometimes mistaken as support for a single public sector issued credential. Ah… No! This blog post provides some foundational terminology and raises some concerns regarding the outsourcing of identity establishment.
From both a philosophical and practical perspective, I am not a fan of the “One ring to bind them all” approach to credentials, whether the ring was created by a government or by a private sector entity.
But in order to have a productive discussion on this topic, first and foremost, we need to understand that identities and credentials are not the same. Secondly, given the pervasive conflation of terms such as “credentialing”, “proofing”, “enrollment” and the like, we need some foundational terminology in place.
- Identity Attributes
- A set of attributes that uniquely describe an individual within a given context
- Establishment
- Creation of a new identity record, in an authoritative source, where none has existed previously
- Validation
- Confirmation of the accuracy of the identity information as established by an authoritative source or by corroborating different sources of information when no single authoritative source is available.
Identity validation does not ensure that an individual is asserting their own identity information, only that the identity information is accurate and timely - Verification
- Confirmation that the identity information relates to a specific individual.
Identity Verification ensures that the identity information is not being fraudulently used
There are very few entities (and they are all typically in the public sector) that are in the “Identity Establishment” business and “own” the authoritative sources; Vital records agencies, agencies that deal with immigration etc.
The concern that I have is that relying parties inside and outside government, in the absence of access (with consent) to these public sector authoritative sources, have started (at least in the U.S.) to rely on secondary transactional/financial/social data sources for identity validation. All too often they, mistakenly, tend to consider these sources to be authoritative.
This has resulted in a situation in the online world where we have for all intents and purposes outsourced a core function of the public sector, which is to vouch for us when we are asked the question “Who are you?”, to private sector entities who do not work on our behalf, do not need our consent, and are motivated purely by the desire to monetize the information they can acquire and hold about us. This is A Bad Thing!
UPDATED 4/5/14: Further clarification of the definition of identity validation
UPDATED 5/18/14: Renamed “Identity” to “Identity Attributes” in order to avoid the swirling-whirlpool-of-doom conversation around the metaphysical nature of identity
RELATED INFO
- Identity Establishment and the Role of the Public Sector
- IDMGOV Info: FICAM TFS Component Identity Services Terminology
- Context and Identity Resolution
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.