Difference between revisions of "Identifier or Attribute Provider"

Latest revision as of 17:37, 9 August 2022

Full Title or Meme

Provides service to users to authenticate the user's identifiers or attributes for Relying Parties.

Context

• This term (IAP) is used in place of Identity Provider (IdP) on this wiki to be clear about the full range of function of the service provided.
• This term would encompass the concept of an OpenID Connect Provider (OP) role among other roles, like that of an Attribute Provider or a Credential Provider.
• This meme has been extended in the wiki Identity as a Service.

Problems

It costs a great deal of money for the operation and maintenance of any provider. Besides that, there is the very real risk of being sued by any number of individuals or governments capable of enforcing huge costs. At the same time the users have become accustomed to get any service provided at no cost on the internet. This means that any successful provider will have a business model that provides a significant cash flow, or sovereign immunity from prosecution.

Email Providers

Originally an email provider was a computer with a mail function running on it. When email providers were able to charge money for their services, you only kept the same email address so long as you paid the email provider. Think about AOL.COM or ATT.NET. When High-speed Internet providers began to become common, their email service was "free" only so long as you continue to use their internet services. This was clearly a lock-in capability that those providers enjoyed.

Social IdPs

A number of very successful businesses host "Identifier Providers" (IdPs) as a part of their effort to reach a large number of consumers of goods or services. The most well known in the West are Microsoft, Google and Facebook. The services and federated sign in capability that they provide is very attractive and reduces the Cognitive Overload caused by the large number of sites where the user has registered. Previous to social sign-in, each had their own username and password. But there is a potentially large cost to users who rely on these social IdPs, the risk of losing an identity that is important in their daily lives if that site should disable the account for any reason it might choose.

All of the large social IdPs are now subject to intensive social and governmental pressures to limit socially obnoxious behaviors like "hate speech" or incitement to violence. Their response has been to impose blockages of the user' account for period varying from 1 day to lifetime. If the user has entrusted that IdP with access to a significant part of their Web Site access control, the lost access can put them "out-of-business" on the web. And the real problem is that this can happen through no action of their own. If anyone has ever had their account at one of these sites compromised by a hacker, they will understand that the effort to regain access can be long and grueling with the possibility of requiring the user to "fax" them some corroborative evidence of ownership, such as a driver's license. Something that the attacker is all too willing to provide to gain access to accounts that have some value to them. Losing one's identity in real-life does happen, but very rarely. On the internet it is a daily occurrence for a surprising large number of hapless victims.

The one bit of advice to offer is to select a social network that is least likely to be pressured into stopping access to your Identifier. In the middle of 2018 Facebook was facing the most pressure to disable accounts for hate speech and inciting violence. Their response was to delete a large number of "fake" accounts. If any resources had been bound to those accounts, access would have been lost. The pressures continuing into 2019 for Facebook to "clean up their act" has led to numerous legitimate users being deleted with no real way to recover access to their accounts or any resources that may have been linked to those accounts.^[1]

Telephone Service Provider

Your phone number used to be unique to your household. With the advent of cell phones, the phone number is now a Personal Identifier. Now that cell phone numbers can be moved (in the US) from one provider to another, the mobile number really is a Personal Identifier that is independent of the service provider. See the feature at Zenkey App which is the provider's attempt to regain control of your identifier.

Self-issued Identifier

These types of identifiers have the advantage of being under your personal control. At least so long as you are able to keep control of the private key used to control access to the identifier. While theoretically each person is in complete control of their own identifier, some means of advertising the proof method for the identifier is still required. This function has been called an "Identity Hub" or "Decentralized Web Node" which are another name for the centralization of the access to your identifier. The DWeb Node(s) that the user selects in (mostly) entirely under the control of the user. Provided that the DID method selected by the user is still supported by more than one Node. This flexibility does prevent the provider from disabling your Personal Identifier, since you can move your DWeb Node to any provider. The method for payment of the provider is not clear at this point. If it is by advertising, then it is not clear that this method is substantially different than using a social site, unless the freedom from cancellation is important.

While it is true that a DID gives you control over your signing keys, the same feature is available with the large social site by usinga FIDO 2.0 web authentication key fob.

Solutions

References

1. ↑ Kashmir Hill, Locked out by Facebook, and pounding on the Door. (2019-08-25) The New York Times p. B5