Robin Wilton's esoterica

Core Identity Concepts and their Implications


So, what is this “identity” thing, anyway? When we assert the identity of a person, we are usually asserting that the person presenting a given set of credentials (a passport, a user-ID and password) is identical with the person to whom those credentials were originally issued. Credentials such as Certificates of Birth or Marriage derive their validity from the various forms of proof available at the time of their creation. That validity is often used as the basis for the issuing of subsequent credentials (such as passports), which in turn are used to underpin other credentials (such as visas and airline tickets). The issuing of the credentials and their subsequent validation are seldom performed by the same entity. (For instance, UK Driving Licenses are issued by the DVLA but usually checked by the police. Passports are issued by the Passport Service but usually checked by Customs & Immigration officials). This makes explicit several factors which are otherwise often ignored in practice:
  • There are discrete roles for issuing credentials (“Identity Provider”) and using them to authenticate the holder (“Service Provider”);
  • The use of credentials is a very 'transitive' process. Authentication depends on a 'chain of trust', which extends from the issuing of the credentials to the point where they are presented. If the original registration process, the credentials themselves, or the validation process can be subverted, then the chain of trust is broken and the authentication is undermined.
  • Identity is seldom asserted for its own sake; it is usually asserted in order to establish an entitlement to something (whether that is health treatment, or the less welcome 'entitlement' to have one's licence endorsed...).
  • It may be possible to establish that entitlement on the basis of the credentials alone, or it may require some additional piece/s of information. A good example is that a passport may provide good evidence of identity (i.e. that the holder identified themselves to the satisfaction of their passport issuer), but the entitlement to enter the country usually derives from a visa inside the passport which conveys additional information.
It therefore makes sense to think of assertions of identity as the foundation for other layers of assertion: for instance, assertions of entitlement, or of other attributes such as creditworthiness, subscriber status, location, or other data relating to this individual or this service request. We can expect multiple instances of data to exist at all these layers, and to be distributed among identity providers and service providers.

In the model adopted by Sun, the Liberty Alliance and the Organization for the Advancement of Structured Information Standards (OASIS), those layers of assertion are embodied in a set of specifications known as SAML, the Security Assertion Markup Language. This provides an open, standard way of defining and exchanging assertions about authentication (identity), authorisation (entitlement) and other service- or user-related data (attributes). An emerging requirement is for services to be granted on the basis of attribute-level data while preserving the individual's anonymity at the authentication level. This is represented in the 'Privacy-Enhancing Technology' currently being considered in support of legislation such as the European Privacy Directive.
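As an added illustration (not code from the original post), here is how a service provider might consume such a layered SAML assertion in Python: it walks the chain of trust (trusted issuer, validity window, audience, presence of an authentication statement) before reading the attribute layer, and grants the entitlement under a transient pseudonym without ever learning who the subject is. The entity IDs, the attribute name and the assertion itself are constructed for this example; signature verification is left out and noted as such.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
TRUSTED_ISSUERS = {"https://idp.example.org"}  # assumed IdP entity ID
OUR_ENTITY_ID = "https://sp.example.org"       # assumed SP entity ID

# Constructed sample, not a real IdP's output: an AuthnStatement (identity layer,
# under a transient pseudonym) plus an AttributeStatement (entitlement layer).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2009-11-01T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t9f2k</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-11-01T09:55:00Z" NotOnOrAfter="2009-11-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2009-11-01T10:00:00Z"/>
  <saml:AttributeStatement><saml:Attribute Name="subscriberStatus">
    <saml:AttributeValue>premium</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def _utc(iso):
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(assertion_xml, now_iso, attr="subscriberStatus", value="premium"):
    """SP-side decision: chain-of-trust checks first, then the entitlement layer.
    A real SP also verifies the IdP's XML signature before trusting any field;
    that step is deliberately outside this example."""
    a = ET.fromstring(assertion_xml)
    now = _utc(now_iso)
    result = {"granted": False, "subject": None, "pseudonymous": False}
    if a.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_ISSUERS:
        return dict(result, reason="untrusted issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        return dict(result, reason="outside validity window")
    if OUR_ENTITY_ID not in [e.text for e in a.findall(".//saml:Audience", NS)]:
        return dict(result, reason="not addressed to this SP")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or a.find("saml:AuthnStatement", NS) is None:
        return dict(result, reason="no authentication assertion")
    # Identity layer: the SP only ever sees the IdP's pseudonym for this session.
    result.update(subject=name_id.text, pseudonymous=name_id.get("Format") == TRANSIENT)
    # Entitlement layer: decided from the asserted attribute, not from who the subject is.
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
             for x in a.findall(".//saml:Attribute", NS)}
    if attrs.get(attr) != value:
        return dict(result, reason="authenticated but not entitled")
    return dict(result, granted=True, reason="entitled")
```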