Anil John
Making Digital Services Secure and Trustworthy

Anil John

Identity Establishment, Verification and Validation

 Tweet  Share  Share  Comment  Print  Email

I believe that that there is a role for the public sector in the establishment of identity. Depending on the audience, that statement is sometimes mistaken as support for a single public sector issued credential. Ah... No! This blog post provides some foundational terminology and raises some concerns regarding the outsourcing of identity establishment.

From both a philosophical and practical perspective, I am not a fan of the "One ring to bind them all" approach to credentials, whether the ring was created by a government or by a private sector entity.

But in order to have a productive discussion on this topic, first and foremost, we need to understand that identities and credentials are not the same. Secondly, given the pervasive conflation of terms such as "credentialing", "proofing", "enrollment" and the like, we need some foundational terminology in place.

Identity Attributes
A set of attributes that uniquely describe an individual within a given context
Establishment
Creation of a new identity record, in an authoritative source, where none has existed previously
Validation
Confirmation of the accuracy of the identity information as established by an authoritative source or by corroborating different sources of information when no single authoritative source is available.
Identity validation does not ensure that an individual is asserting their own identity information, only that the identity information is accurate and timely
Verification
Confirmation that the identity information relates to a specific individual.
Identity Verification ensures that the identity information is not being fraudulently used

There are very few entities (and they are all typically in the public sector) that are in the "Identity Establishment" business and "own" the authoritative sources; Vital records agencies, agencies that deal with immigration etc.

The concern that I have is that relying parties inside and outside government, in the absence of access (with consent) to these public sector authoritative sources, have started (at least in the U.S.) to rely on secondary transactional/financial/social data sources for identity validation. All too often they, mistakenly, tend to consider these sources to be authoritative.

This has resulted in a situation in the online world where we have for all intents and purposes outsourced a core function of the public sector, which is to vouch for us when we are asked the question "Who are you?", to private sector entities who do not work on our behalf, do not need our consent, and are motivated purely by the desire to monetize the information they can acquire and hold about us. This is A Bad Thing!

UPDATED 4/5/14: Further clarification of the definition of identity validation

UPDATED 5/18/14: Renamed "Identity" to "Identity Attributes" in order to avoid the swirling-whirlpool-of-doom conversation around the metaphysical nature of identity

RELATED INFO


Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!

I will never share, rent, or sell your information to anyone. Cancel anytime.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

Topic(s):
By on |

Continue The Conversation ...

I would love to know your thoughts on this blog post. Please leave a comment below!

I am a digital security coach. I help technical leaders make digital services secure and trustworthy. Learn more »

Free Updates

I will never share, rent, or sell your information to anyone