Anil John
Making Digital Services Secure and Trustworthy

Anil John

A Simple Framework for Trusted Identities

 Share  Print  Email

What does it take to enable a person to say who they are in the digital world while having the same confidence, protections and rights that they expect in the real world? This guest post by Tim Bouma explores the question in a manner that is relevant across jurisdictions, independent of delivery channels and technology neutral.

One of the interesting data points from my recent reader survey was that about half my readership self-identify as Government, and close to half are non-US based. So going forward, I will be more intentional about including, soliciting and sharing a more Global public sector perspective.

In that spirit, here is a Guest Post from my friend Tim Bouma (@trbouma), who thinks deep and wide about identity assurance (he has a job similar to mine but for the Government of Canada). He has been distilling some concepts around identity in the digital world to what he calls the One-page Identity Trust Framework.

This is especially of interest to those seeking a common vocabulary to have a meaningful conversation regarding the use of identity information across jurisdictions.

Needless to say, this blog post is a personal opinion and does not necessarily represent the views of anyone else, especially our respective employers. If you misconstrue this as an official position (which it absolutely is not), that would be… silly!

Enter Tim.


The One-Page Identity Trust Framework defines the high-level requirements that enable a person to say who they are in the digital world while having the same confidence, protections and rights that they expect in the real world.

A Trusted Identity is a real-time representation of a person (usually in digital form) of sufficient quality and integrity such that it can be relied on as a legally-recognized alternative to the traditional in-person and document-based evidence presentation processes.

  1. A Trusted Identity can be ASSURED when the following requirements are met:

    1.1. That the individual can be:

    • 1.1.1. **UNIQUELY DISTINGUISHED** from all other persons
    • 1.1.2. Determined as the **SAME PERSON** as established in a previous transaction

    1.2. That the identity information about the individual has been:

    • 1.2.1. **VALIDATED** - identity information is accurate and relates to a **REAL** person
    • 1.2.2. **VERIFIED** - identity information is claimed by the **RIGHTFUL** person

    1.3. That the individual has provided:

    • 1.3.1. **PERMISSION (CONSENT AUTHORIZATION)** for the use of, and/or disclosure of identity information subject to conditions within an agreed on context
  2. An assured identity can be FEDERATED when additional requirements are met:

    2.1. Implementations can:

    • 2.1.1. Be **ASSESSED** using an accepted trust framework and by an objective party
    • 2.1.2. **INTEROPERATE** with one another with no compromise (security, privacy, etc.)

    2.2. Enabling infrastructures (infrastructure, broker, provider, etc.):

    • 2.2.1. Are **TRANSACTING SECURELY** between all endpoints, including all involved intermediaries
    • 2.2.2. Retain **SUFFICIENT EVIDENCE** to support dispute resolution and remediation
    • 2.2.3. Are **NEUTRAL** when carrying out interactions on behalf of different parties

What’s most important about these requirements is that they can be implemented separately and be provided as capabilities or services by independent players acting in a larger ecosystem. The public sector may implement some, the private sector others (for a profit, of course) and finally, the non-profit sector may choose certain requirements to implement.

The key here is that these requirements eventually need to work together in a way that is fair for everyone – relying parties, authoritative parties, and most importantly, the individual. How this ecosystem looks like in the long run, nobody knows today, and that is what we need to figure out next.

In the meantime, when someone comes knocking on your digital door, use these requirements as a guide or as a litmus test to ask yourself a series of questions to make sure you are dealing with the right person.

Question: Do you see yourself responsible for implementing one, several or all of these requirements? Do you rely on others? Do others rely on you?

RELATED INFO



This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

Topic(s):
By on |

Continue The Conversation ...

I would love to know your thoughts on this blog post.
Meet me over on Mastodon to join the conversation!

I am a public interest technologist. I help organizations and leaders make digital services secure and trustworthy.
Learn more »