Full Title or Meme
The Identity Ecosystem needs to be a user-centric online environment – a set of Technology Infrastructures, policies and agreed upon standards that securely supports transactions ranging from anonymous to fully-authenticated and from low to high value.
The National Strategy for Trusted Identities in Cyberspace (NSTIC) describes a vision of the future – an Identity Ecosystem – where individuals, businesses and other organizations enjoy greater trust and security as they conduct sensitive transactions online.
Most of the problems relate to user acceptance, for example:
- Am I being tracked against my will?
- Is all of my privacy information available on the web somewhere?
- Why should I trust anything on the web at all?
- Can I know, in advance, whether I have the credentials I need to get to my destination?
- Can I understand the policies that apply to any action for the data provided, as well as the reason for needing it?
The government has a variety of reasons to know about the population including:
- Taxation, which is why Caesar called for all the world to be registered and why William the Conqueror created the Domesday Book.
- Social services from the government are only available to some part of the population and should only be supplied once to each applicant.
- Application of punitive laws.
- Public Health.
Liability seems to be a MAJOR stumbling block. Everyone is trying to avoid it, or mitigate it or make money from it.
- If you are not a sovereign state, then touching user private data is a minefield that most companies are either avoiding or seeking the least damaging path through.
- Finding a private enterprise that will honor user wishes ahead of its own self-interest has been an enduring issue ever since Milton Friedman told them that morality was not their problem.
The following image puts the Identity Technology or Identity Infrastructure in context of the various components that will likely exist.
- The Relying Party is shown here as two components: the Policy Definition Point and the Policy Execution Point.
- The policy is what tells the verifier in the RP what to accept. It is designed to be highly reactive to changes in policy that are to be expected as technologies and regulations evolve.
- The Trust Registry will typically only have a database of entities and attributes of those entities together with assurance data.
- The destination could be a physical venue or just an online resource.
- Governance applies at a high level to both the Trust Registries and to the policy deployed.
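The separation described above, as an added Python example that is not from this page or any project it names: the policy is plain data that the verifier loads, the trust registry holds only issuer assurance data, and the same check lets a holder learn in advance which credentials will be accepted. All issuer names, claim names, assurance levels and policy fields are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed Trust Registry: entities, attributes and assurance data only.
TRUST_REGISTRY = {
    "issuer.bank.example": {"assurance": 3, "active": True},
    "issuer.club.example": {"assurance": 1, "active": True},
    "issuer.old.example": {"assurance": 3, "active": False},
}

@dataclass(frozen=True)
class Policy:
    """What the Policy Definition Point publishes: data, not verifier code."""
    version: str
    min_assurance: int
    required_claims: frozenset

def evaluate(policy, credential, registry=TRUST_REGISTRY):
    """Policy Execution Point: return reasons to refuse (empty list = accept)."""
    reasons = []
    entry = registry.get(credential.get("issuer"))
    if entry is None:
        reasons.append("issuer unknown to trust registry")  # fail closed
    elif not entry["active"]:
        reasons.append("issuer no longer active")
    elif entry["assurance"] < policy.min_assurance:
        reasons.append("issuer assurance too low")
    missing = policy.required_claims - set(credential.get("claims", ()))
    if missing:
        reasons.append("missing claims: " + ", ".join(sorted(missing)))
    return reasons

def usable_credentials(policy, wallet, registry=TRUST_REGISTRY):
    """Holder-side pre-check against the published policy, before presenting."""
    return [c["id"] for c in wallet if not evaluate(policy, c, registry)]

# Constructed wallet and two policy versions (the second models a rule change).
WALLET = [
    {"id": "club-card", "issuer": "issuer.club.example", "claims": {"member": True}},
    {"id": "bank-id", "issuer": "issuer.bank.example",
     "claims": {"age_over_18": True, "name": "A. Holder"}},
]
POLICY_V1 = Policy("v1", 1, frozenset({"member"}))
POLICY_V2 = Policy("v2", 3, frozenset({"age_over_18"}))

if __name__ == "__main__":
    for p in (POLICY_V1, POLICY_V2):
        print(p.version, "usable:", usable_credentials(p, WALLET))
        for c in WALLET:
            print("  ", c["id"], evaluate(p, c) or "accept")
```

Swapping `POLICY_V1` for `POLICY_V2` changes what is accepted without touching `evaluate`, which is the property that makes the verifier reactive to policy change.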
- Principles for Digital Trust Networks (2022-02-15) IIF = Institute for International Finance. (nb. The involvement of the OIDF might be overstated here.)
The Open Digital Trust Initiative of the IIF together with the Open ID Foundation has finalized Principles for Digital Trust Networks, identifying at a high level the ‘rules of the road’ that Digital Trust Networks should adopt in order to incentivize a high level of digital trust, user centricity and low cost, while ensuring that these networks are economically viable and the role of Verification Service Provider is adequately rewarded and realistically protected from a liability perspective. The broad vision is for Digital Trust Networks to comprise a set of participants, including both Users (who are also individual Data Subjects for individual data protection purposes in many cases), Verification Service Providers and Relying Parties. There is also scope for other types of intermediaries to be defined by the Network rules.
- GAIN readies for December launch of POC group for digital identity interoperability 2021-11-05
The Global Assured Identity Network (GAIN) is working on a participation agreement for parties interested in joining a proof-of-concept community group which will see real-world relying parties and digital identity providers come together and begin to test the network’s interoperability plans. The Open Identity Exchange (OIX) held a workshop this week on the Global Trust Framework required for the GAIN project. GAIN aims to bring true interoperability for identity globally, meaning an individual could use their credentials from one country to, for example, open a bank account in another. This would be achieved via existing OpenID standards via APIs. The system would allow banks to take on the role of identity information provider as they have already taken customers through KYC. Sparkassen and VR-Banken, Germany’s largest retail and cooperative banks have joined, as has Sweden’s BankID verification system, according to members at the workshop. Consortia of banks from Canada and Australia are expected. Financial institutions from Africa have signed up, as have Adobe, DocuSign, and even Disney. GAIN hopes for a demo platform to be ready in spring 2022, to allow for a clearer roadmap of the next steps to be developed over the summer.
- Trust-over-IP What else is there to say?
WHO WE ARE. We’re an independent project hosted at the Linux Foundation, working with pan-industry support from leading organizations around the world. Our mission is to provide a robust, common standard and complete architecture for Internet-scale digital trust.
- Digital Health Credential System Implementation Guide is just one example of groups trying to create principles based on non-existent detail, like the following: "SHOULD notify consumers when verifiers are asking for more information than required by their entry rules" and verifier rules, none of which existed when the doc was created.
- Legal aspects of Identity Management and Trust Services 2018 Anna Joubin-Bret Secretary UNCITRAL (This UNCITRAL effort has been stumbling along for years. The primary issue seems to be liability. No one wants any of that.)
- See the wiki page on Evolution for ways to encourage or discourage the continued growth of the Identity Ecosystem.