My blog has moved and can now be found at http://blog.aniljohn.com

No action is needed on your part if you are already subscribed to this blog via e-mail or its syndication feed.

Thursday, August 12, 2010
« Future of Identity Management is… Now! | Main | Notes on making the switch from PC to Ma... »

There has been a great deal of excitement about the US Federal Government's ICAM initiative that provides for the development of Trust Frameworks, and providers of same, that has resulted in the emergence of identity providers who can issue credentials to citizens that can be used to gain access to Government websites/applications/relying parties. In all of the discussions surrounding these efforts, the focus has been on leveraging existing OpenID, Information Card or other types of credentials issued by commercial or educational organizations to access Government resources.

But, is that all we want from our Government?

In this blog posting, I am going to consciously side-step the concept of the Government as an Identity Provider. In the United States at least, much more thoughtful people than I have discussed, debated and argued about the feasibility of this and I do not believe that I can add much value here. The general consensus to date seems to be that the value proposition around the concept of a "National Identity Card" has many challenges to overcome before it is seen as something that is viable in the US. Whether this is true or not, I leave to others to ponder.

But what about the US Government vouching for the attributes/claims of a person that they are already managing with our implicit or explicit permission?

My last blog post "The Future of Identity Management is...Now" spoke to the pull-based future of identity management:

  • ...
  • "The input to these decisions are based on information about the subject, information about the resource, environmental/contextual information, and more, that are often expressed as attributes/claims.
  • These attributes/claims can reside in multiple authoritative sources where the authoritative-ness/relevance may be based on the closeness of a relationship that the keeper/data-steward of the source has with the subject."
  • ...

There are certainly attributes/claims for which the US Government has the closest of relationship with its citizens and residents and as such remain the authoritative source:

  • Citizenship - State Department
  • Address Information - Postal Service
  • Eligibility to Work in the US - Department of Homeland Security
  • Eligibility to Drive - State Government DMVs
  • More...

I may be wrong about which agency is responsible for what, but I hope you see my point. There are some fundamental attributes about a person, that in the US, that are managed through its life-cyle by the Government, whether Federal or State.

I firmly believe, as someone who has been involved in demonstrating the feasibility of pull based identity architectures for delivering the right information to the right person at the moment of need using current commercial technologies and standards, that we have reached a point in time where the combination of the maturity of approaches and technologies such as the Federal ICAM Backend Attribute Exchange or the Identity Meta-system technologies and the willingness of the Government to engage with the public in the area of identity, that it is time to have a discussion about this topic.

The questions are definitely NOT technical in nature but are more around need and interest, feasibility and value with a heavy infusion of privacy. Some initial questions to start the conversation rolling would be:

  • What are a core set of attributes that can serve as a starting point for discussion?
  • Who would find value in utilizing them? How is it any better than what they have in place right now?
  • What are the privacy implications of specific attributes? How can they be mitigated (e.g. Ask if this person is old enough to buy alcohol vs. What is your birthday/age?
  • Liability in case of mistakes
  • How would the Government recoup some of the costs? We pay for passport renewals, we pay for driver's license renewals; don't expect this to come for free
  • Much, much more....

I would be curious to find out if there is any interest in this topic and if so what your reactions are. If there is interest, and given that the next Internet Identity Workshop is for the first time going to be held on the East Coast (Washington DC) on September 9-10 with a focus on "Open Identity for Open Government", and given its un-conference nature, was going to propose this as a topic of discussion.

UPDATE: Ian Glazer, Research Director for Identity and Privacy at Gartner has agreed to tag team with me on this topic at IIW in DC. Ian's research and interests sit at the very important intersection of Identity and Privacy, and I think he will bring that much needed perspective to this conversation.

He also thought that the topic should be more correctly termed "Government's role as an Oracle" rather than as an Attribute Provider, and since I agree, that will more than likely end up being the topic

To see what is meant by an Identity Oracle and what it is NOT, read this and this blog posts by Bob Blakely

Tags:: Architecture | Security
8/12/2010 8:43 AM Eastern Daylight Time  |  Comments [0]  |  Disclaimer  |  Permalink   
Comments are closed.