Mistaken identity; the mistakes we make and a lack of understanding about what identity actually is - part 2


Warning: this is part two of what is intended to be a nine-part blog looking at and expanding on what identity is!
If you have arrived here directly, then please go back and start at part 1 - after all, in the Identity world context is everything! [sorry for the identity in-joke].

https://www.globalidentity.blog/2022/11/mistaken-identity-part1.html

Part Two - Entities have identity, not just people

Back in Part One of this blog, I talked about computer professionals being fixated with digital identity for “people”. If you think about where we have come as an industry, we started with computers (which when they were only mainframes were god-like and implicitly trusted) and we then introduced the concept of “users” - people who, if they were lucky enough, were granted the privilege of being able to interact with these entities.

From there, we went to multiple computers which needed a central computer managing user authentication, which (sort of) worked, but ONLY if all the users were managed in our “Locus-of-Control” [See: Ref 1, command #8] (a system that we own, manage, and of course vet the users prior to giving them a user account) - historically for most organisations this ended up being Active Directory. But the instant we need to involve users or systems outside of our locus-of-control then things start to get difficult and compromises start to occur (a topic for a different blog).

So let's go back to first principles and look at how identity operates in-real-life, and what we are doing wrong.

We, as humans, need to interact with a wide variety of entities; from organisations to devices and of course to other humans. Over ten years ago this led us to describe that breadth in terms of five basic entity types: People, Devices, Organisations, Code and Agents. But in fact it’s wider than that, and you could generalise an Entity as being “any unique instance of a ‘thing’”.

Why are entities so important? #1 Because they enable personas

If you generalise how identity and attributes work, then the join of two entities forms a unique persona, populated with some (hopefully) authoritative attributes.

Let's think about this with a few examples;

  • The join between Entity:Me and Entity:UK Government creates my unique “Citizen Persona”

  • The join between Entity:Me and Entity:Simmonds Family creates my unique “Family Persona”

  • The join between Entity:Me and Entity:UK DVLA creates my unique “Driving Licence Persona”

  • The join between Entity:Me and Entity:ACME Plc. creates my unique “ACME Plc. Staff Persona”

In the first example above, my citizen persona (in my case as a UK citizen, what is on my state-issued birth certificate) contains attributes issued by the authoritative source for children born in the UK, which are:

  • Date of birth (immutable)

  • Place of birth (immutable)

  • Name [at birth] (could change)

  • Sex [at birth] (could change)

  • Right to British citizenship (could change)

If you’ve been into any financial institution for a KYC (know-your-customer) check then you will know that they insist on original documents from (mainly) authoritative entities, one of which must be photographic (passport or driving licence etc.) so that they can tie the name on the other paperwork to your face, thus having an acceptable level of Immutable Linkage between yourself and all the attribute assertions you are making, as a linked-set (i.e., they all have the same name).

Effectively you are asserting different attributes, each “signed” by a source that the bank recognises as authoritative, as a linked set with you at the root of that assertion.
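To make the “linked set” concrete, here is an added example (my own illustration, not code from this blog or the Global Identity Foundation) of the check a KYC verifier performs: every assertion must come from an issuer the bank recognises as authoritative, its signature must verify, all assertions must carry the same subject name, and at least one must be photographic so the set is bound to a face. Issuer names, keys, and the sample documents are constructed for the example, and HMAC stands in for whatever signature scheme a real issuer would use.

```python
import hmac, hashlib, json
from dataclasses import dataclass

# Constructed sample: keys of the issuers the verifying bank treats as authoritative.
# Hypothetical values; a real issuer would sign with an asymmetric key, HMAC stands in here.
AUTHORITATIVE_ISSUER_KEYS = {
    "UK Government": b"hypothetical-gro-key",
    "UK DVLA": b"hypothetical-dvla-key",
}

@dataclass
class Assertion:
    issuer: str          # the entity that authored the attribute (e.g. UK DVLA)
    subject_name: str    # the name that links this assertion to the rest of the set
    attribute: str
    value: str
    photographic: bool   # True if the document carries the subject's face
    signature: str

def _payload(a: Assertion) -> bytes:
    # Everything except the signature itself is covered by the signature.
    return json.dumps([a.issuer, a.subject_name, a.attribute, a.value, a.photographic]).encode()

def sign(issuer, subject_name, attribute, value, photographic=False) -> Assertion:
    """Issuer-side: produce a signed attribute assertion (constructed sample issuer)."""
    a = Assertion(issuer, subject_name, attribute, value, photographic, "")
    a.signature = hmac.new(AUTHORITATIVE_ISSUER_KEYS[issuer], _payload(a), hashlib.sha256).hexdigest()
    return a

def verify_linked_set(assertions, claimed_name):
    """Verifier-side KYC check. Returns (ok, reason)."""
    if not assertions:
        return False, "no assertions presented"
    for a in assertions:
        key = AUTHORITATIVE_ISSUER_KEYS.get(a.issuer)
        if key is None:
            return False, f"issuer not recognised as authoritative: {a.issuer}"
        expected = hmac.new(key, _payload(a), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.signature):
            return False, f"signature invalid for {a.attribute} from {a.issuer}"
        if a.subject_name != claimed_name:
            return False, f"name mismatch on {a.attribute}: {a.subject_name!r}"
    # Immutable Linkage: something in the set must tie the shared name to a face.
    if not any(a.photographic for a in assertions):
        return False, "no photographic document binds the claimed name to a face"
    return True, "linked set verified"
```

The verifier rejects a set on the first broken link, which mirrors the bank's behaviour: one unrecognised issuer, tampered value or mismatched name invalidates the whole presentation rather than just that document.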

Why are entities so important? #2 Because over a network you can’t (easily) distinguish a person from any other entity type.

In reality, you don't actually know whether it's a person, an AI, an IoT device, a system or a hacker at the end of the conversation. It's a bit like a modern Turing Test, only more difficult, because not only are you trying to determine whether it is a particular type of entity, you are also trying to determine that the credentials match the actual entity claimed - just because the password matches, or even the API says “biometric match”, does not make it 100% the entity claimed.

It’s a bit like being robocalled by an AI, or a hacker using a deep-fake - and they are getting better day-by-day - so it takes a while to understand (and test) whether it’s actually a person. We should be validating the person randomly calling; does the Caller-ID match? Can they provide evidence of the organisation they are calling from? Can they prove who they are? - Of course, if it is someone we know personally, or even intimately, then it’s easier to check for “shared secrets”, but otherwise, as numerous politicians who have been prank-called by radio-stations have found out, it can be very difficult.

So, when communicating remotely, we should care about the fidelity of an entity’s assertions of who/what they claim to be, as well as the level of immutability between the entity and the claim.

In Part 3, we will examine why consuming attributes and understanding personas is key to deriving context.

https://www.globalidentity.blog/2022/12/mistaken-identity-part3.html

References:

  1. https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf

  2. https://www.globalidentityfoundation.org/downloads/Identity_30_Definitions.pdf

  3. https://www.globalidentityfoundation.org/downloads/Authentication_to_Risk_Triangle.pdf

  4. https://www.globalidentityfoundation.org/downloads/Identity_30_Principles.pdf

Mistaken identity; the mistakes we make and a lack of understanding about what identity actually is - part 1

Identity has a problem! 

Not just that we are unable to make digital identity work properly without loads of compromise; no, it’s the fact that IT Architects, Security professionals and (dare I say it) even many claimed identity specialists, do not understand what identity is, misusing the term and even getting the wider aspects of identity fundamentally wrong. 

Without properly understanding identity, its facets and nuances, it will be impossible to develop a frictionless global identity ecosystem, or leverage identity for cloud, zero-trust, collaboration, encryption and proof of age, or other essential attributes.

Warning: this is intended to be a nine-part blog looking at and expanding on what identity is, starting with this blog!

Part One - Identity fundamentals, or “what is identity?” 

Strictly, Entities have Identity (but that’s going to be part 2!), so first, let's start with people, as that’s what you and I best relate to:

“I am me” - I am a unique entity, we call this Sameness; I was the same entity yesterday, am today and will be tomorrow.

As a unique person I have multiple “facets” of my overall identity, some of which I care to share and some I may never share with anyone, all maintained personally by myself; some attributes we just know (for example family relationships) and some we maintain “pointers” to; references to the authoritative source, such as the assertion that I’m a British Citizen because my passport says so (and is authoritative for this assertion). We refer to this as the “core identity”, all the attributes that make up me as a person.  

Those “facets” of my overall identity consist of attributes; some, like my height, the colour of my eyes, and a rough approximation of my age, I am unable to keep private if you meet me in real life, but others, such as sexual persuasion, the football team I support, my favourite colour, my family etc., I may choose to share with you depending on my perceived sensitivity of the attribute, how much I trust you, and your need for that information to process our relationship; in reality I perform a risk-assessment, based on my personal risk-appetite.

In reality; we have sets of attributes that pertain to a particular aspect of our lives, and we call these personas - a group of related attributes that define us in a particular context. Examples would be:

  • My citizen persona: (in my case as a UK citizen, what is on my state-issued birth certificate) date of birth, place of birth, both of which are immutable,  name at birth, sex-at-birth and right to British citizenship - all of which could change.

  • My family persona; parents, partner, children, aunts, uncles etc.

  • Employment persona(s)

  • Sporting persona(s)

You get the idea; and in reality each of us as humans operate with hundreds, if not thousands, of personas, and we assert attributes from multiple disparate personas as required for our day-to-day lives and our interactions with other entities.

What normal humans glibly call “Identity” actually consists of three distinct components.  

  • “Authentication”; the “how do I uniquely prove that I am the same person that you previously met”

  • “Sameness”; the “I am me, and always will be” part that contains personas, and attributes

  • “Personas & Attributes”; the parts of my core identity that I decide to share

Authentication is key to interacting with other entities; in real life humans, due to millions of years of evolution, do authentication using faces - in fact we are so good at it that if you meet someone you have not met for ten years there is a good chance you will remember who they are. 

Faces are so key to human life that phrases pertaining to this interaction are embedded in our language; “it’s nice to finally see you”, “they are two-faced”, “put on a brave face” or even “put your cards face up”.

When we see someone, we assign the attributes they share (consciously or unconsciously) against an (internalised) unique identifier of their face. In other words, Authentication (by whatever method, and however tenuous) is the key to Sameness.

This is why your driving licence or passport has your face on it; to link the person to the attributes contained on that document with a degree of confidence.

The level to which a person is bound to the authentication is known as the level of Immutable Linkage (or Immutable Binding), and it's important to understand that level as part of your risk-calculation: with what degree of certainty is the actual person linked to the identifier? I look enough like my brother that if you have not seen us for ten years it’s not unusual for friends of my parents to get us wrong when they meet just one of us (but not, I suspect, if they met both of us together).

However, the problems start when we cannot interact “face-to-face”, and for many thousands of years civilization has grappled with this problem, accepting a set of compromises, usually based on the bearer holding a set of documents to which some degree of provenance can be given - read the history of the passport!

So, in summary; we as people can derive a model for how identity works in real life. But, as people ourselves, we are fixated on how to extrapolate this to the wider, non-face-to-face, world; which is why we are in the current mess with digital identity.

So in Part 2, we will examine why the identity of people is just a small part of the overall identity picture.

https://www.globalidentity.blog/2022/11/mistaken-identity-part2.html

References:

  1. https://en.wikipedia.org/wiki/Passport

  2. https://www.globalidentityfoundation.org/downloads/Identity_30_Definitions.pdf

  3. https://www.globalidentityfoundation.org/downloads/Authentication_to_Risk_Triangle.pdf