Anil John
Making Digital Services Secure and Trustworthy

Identity Establishment, Management and Services

Delivering high value digital services to a particular individual requires knowing who that individual is with a high degree of assurance. That identity assurance in turn has dependencies on the sources used to validate the information and the techniques used to verify that the validated information belongs to the person claiming it. All too often, we focus on verification techniques while neglecting the whole chain of trust that goes into validation.

I spent a good portion of last week interacting with some smart, passionate people who are trying to move the ball forward in the identity space. That in turn triggered some thoughts on common terminology (or lack thereof), as well as around responsibility and accountability. So this is my attempt to write my way to clarity on some of those topics.

Identity Establishment
  • Creator of the initial identity record of a person in a particular jurisdiction at birth or entry
  • Apex authoritative source for identity
  • Public Sector - De jure, not de facto
  • Vital records agencies and agencies with citizenship and immigration authorities

Identity Management
  • Responsible for lifecycle management of identity information
  • May be the manager of authoritative identity information if an apex authoritative source
  • May manage attributes outside the scope of identity such as affiliation, entitlements, eligibility and be authoritative for them

Identity Services
  • May offer identity resolution services
  • May offer identity validation services
  • May offer identity verification services
  • Authoritativeness of services offered has dependency on access to apex authoritative sources of identity
  • May offer validation and verification of attributes outside the scope of identity if it has access to identity managers who are authoritative for them

All entities that are responsible for identity establishment are also identity managers. The reverse is not true. Good examples of this, at least in the US, are the State DMVs. In order to issue a Driver’s Licence to you, they typically ask, as evidence, for your name, date of birth, legal status, social security number and principal residence address.

A DMV is not the apex authoritative source for any of the information requested but is very much an identity manager as part of its process for issuing the driver’s licence. It could, if it so chooses, offer identity services very easily (Hello, Virginia!).

As I’ve mentioned before, the validation piece where the public sector can play a critical role is something that is very much missing in the US and that impacts the level of assurance available to high value digital services. Verification capabilities, on the other hand, are relatively mature in the US market. We need both!

As a counter-point, I am watching the public beta of the GOV.UK Verify service with a great deal of interest. The UK IDAP have deployed an identity validation service which backs against passport and driver’s licence information. But the beta roll-out for new UK DFRA CAP schemes, which uses that service for validation and an external provider for verification, is providing very real lessons that are relevant to all of us in this space.

Question: Are there any examples out there of where the identity establishment, management and service offerings are done by the same entity?

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

I am a public interest technologist. I help organizations and leaders make digital services secure and trustworthy.