By George Peabody, Glenbrook Partners & Stephen Wilson, Lockstep Consulting
Despite laudable goals, the National Strategy for Trusted Identities in Cyberspace’s identity framework demands a discontinuous leap beyond both what’s needed and achievable for improving online transaction reliability, security, and risk. A lighter touch approach, characterized by context-specific fractional identity, can provide needed authentication and identity services without the legal complexities posed by the wholly novel outsourcing of liability of the NSTIC design.
How is fractional identity different from federated identity?
The core idea is that the semantics and business rules around component attributes are simpler than for abstract identities. I might be “Steve Wilson” at a bank, and “Steve Wilson” at my employer, but the ‘fine print’ in my respective relationships makes it impossible for either organization to rely 100% on the other’s identification of me.
The handles look the same but they mean different things in different contexts. This proposal works at the lower level of attributes, like name, address, date of birth, citizenship, etc. These properties on their own do not constitute identities and the liability that goes with proving their factual correctness is very simple.
The fractional identity model leaves Relying Parties free to put attributes together as they see fit, to perform identification from one context to another. At the technology and identity management protocol level, fractional identity does indeed look a lot like identity federation, so the model enables services and developers to re-use most of what’s come before. But fractional identity greatly simplifies things at the business rule level.
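The following is an added illustration of the attribute-level model described above; it is not code from the article or from any NSTIC or OIX specification. It assumes a hypothetical assertion format in which each issuer (a bank, an employer, a civil registry) vouches for one attribute at a time, bound to the context in which that issuer verified it, and a relying party composes only the attributes it needs under its own policy. The issuer names, subject handle, attribute values and the HMAC used in place of a real issuer signature are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed issuer keys. A real deployment would use per-issuer public-key
# signatures; the HMAC here only stands in for the issuer's signature.
ISSUER_KEYS = {
    "bank.example": b"bank-secret",
    "employer.example": b"employer-secret",
    "registry.example": b"registry-secret",
}


def _canonical(body):
    # Deterministic serialisation so issuer and verifier MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_attribute(issuer, subject, attribute, value, context):
    """One issuer vouches for ONE attribute, bound to the context in which it
    verified that attribute. No abstract 'identity' is asserted."""
    body = {"issuer": issuer, "subject": subject, "attribute": attribute,
            "value": value, "context": context}
    body["mac"] = hmac.new(ISSUER_KEYS[issuer], _canonical(body),
                           hashlib.sha256).hexdigest()
    return body


def verify_attribute(assertion, trusted_keys=ISSUER_KEYS):
    """Check that the assertion is intact and comes from a known issuer."""
    key = trusted_keys.get(assertion.get("issuer"))
    if key is None:
        return False
    body = {k: v for k, v in assertion.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion.get("mac", ""))


def compose_identity(assertions, policy, trusted_keys=ISSUER_KEYS):
    """Relying-party composition. `policy` maps attribute -> (accepted issuers,
    accepted contexts). Returns ({attribute: value}, [rejection reasons])."""
    accepted, reasons = {}, []
    for a in assertions:
        attr = a["attribute"]
        if attr not in policy:
            reasons.append(f"{attr}: not needed by this relying party")
            continue
        issuers, contexts = policy[attr]
        if a["issuer"] not in issuers:
            # Same handle, different context: the employer's "name" is not
            # accepted where the merchant's rules name the bank as the source.
            reasons.append(f"{attr}: {a['issuer']} not accepted for this attribute")
            continue
        if a["context"] not in contexts:
            reasons.append(f"{attr}: context '{a['context']}' not accepted")
            continue
        if not verify_attribute(a, trusted_keys):
            reasons.append(f"{attr}: integrity check failed")
            continue
        accepted[attr] = a["value"]
    for attr in policy:
        if attr not in accepted:
            reasons.append(f"{attr}: no acceptable assertion")
    return accepted, reasons


def demo():
    subject = "subject-42"  # constructed opaque subject handle
    # The same handle "Steve Wilson" asserted by two organisations in two contexts.
    assertions = [
        issue_attribute("bank.example", subject, "name", "Steve Wilson", "retail-account"),
        issue_attribute("employer.example", subject, "name", "Steve Wilson", "payroll"),
        issue_attribute("bank.example", subject, "address", "1 Example St", "retail-account"),
        issue_attribute("registry.example", subject, "date_of_birth", "1970-01-01", "civil-register"),
    ]
    # A merchant's policy, fixed when its scheme rules were drawn up: the bank
    # for name and address as verified for a retail account, the registry alone
    # for date of birth. The employer's otherwise identical "name" is not used.
    merchant_policy = {
        "name": ({"bank.example"}, {"retail-account"}),
        "address": ({"bank.example"}, {"retail-account"}),
        "date_of_birth": ({"registry.example"}, {"civil-register"}),
    }
    return compose_identity(assertions, merchant_policy)


if __name__ == "__main__":
    accepted, reasons = demo()
    print(accepted)
    for r in reasons:
        print("rejected:", r)
```

The point the code makes is the one the text makes: liability attaches to a single factual attribute asserted by a single issuer in a single context, and the relying party's own rules, not a network-wide trust framework, decide which issuer and context are acceptable for each attribute. Federation-style transport (signed assertions, issuer lookup) is reused unchanged; only the business rule that says what an assertion means is narrowed.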
Trust, that essential attribute of a relationship, is based upon identity and the experience all parties gain as they transact. While in-person identity is reasonably certain, it is especially difficult to establish in the online environment. As online devices increasingly figure in bricks-and-mortar transactions, the transaction domains blur.
To bridge that gap, a number of approaches have been taken, the most recent of which is federated identity as exemplified by the White House’s National Strategy for Trusted Identities in Cyberspace and its cousin, the Open Identity Exchange model of an attribute exchange network. This entirely new approach, which injects the attribute exchange network into every transaction, has strong appeal on the face of it. What makes more sense than a passport to cyberspace? But, on closer inspection, it fails for a number of reasons.
This article begins with a critical examination of the online identity exchange concept as currently proposed. It continues with a discussion of several evolutionary and implementable models based on existing bilateral trust relationships. These alternative approaches should provide workable identity services while testing both needed infrastructure components and the need for an attribute exchange network-scale identity über-framework.
The Open Identity Exchange’s purpose is laudable. No one doubts the online world badly needs stronger, more consistent and uniform identity mechanisms – coupled with stronger authentication – to curb fraud, speed web site access and enable higher value, higher risk transactions.
The Open Identity Exchange’s stated development goal is to build “Agreements between all parties (that) contractually enforce the business, legal, technology, policy, certification and audit aspects of the Trust Framework, which are established and managed by a Trust Framework Provider via an Attribute Exchange Network.” This describes the complexity of the task. It will take a decade or more of legal development, negotiation, tuning, and, critically, case law to establish itself.
Despite the questionable history of federated architectures, the Open Identity Exchange approach presupposes that its framework is an ideal end state well before it has been subjected to the selective pressures of the marketplace. The model replaces elegant, time-honored bilateral arrangements between relying parties and subjects with complex and novel trilateral arrangements between relying parties, subjects, and identity providers.
The notion of the attribute exchange network, like all federation architectures, presumes a real time stranger-to-stranger – or context free – identity negotiation for every fresh transaction. In fact, in the vast majority of economically important transactions, the context is already in place and the appropriate credentials can be specified when the rules for a scheme or entire business sector are drawn up, well in advance of the parties ever meeting.
Federation is astonishingly hard
Another, historically fatal concern for the Attribute Exchange Network concept is how it underestimates the barrier to entry created by its complexity. As an approach, the Open Identity Exchange purports to support straightforward integration at low cost. The Attribute Exchange Network document itself states that its “one to many relationship model … reduces barriers to entry in the Identity Ecosystem.”
Based on prior history, this may not be the case if participants find it challenging and legally complex to come to grips with new one-to-many arrangements. If firmly established bilateral arrangements are eschewed, the total cost of implementation is greatly increased by the legal work needed to address liability concerns.