Mistaken identity; the mistakes we make and a lack of understanding about what identity actually is - part 3

Warning: this is part three of what is intended to be a nine-part blog looking at and expanding on what identity is!
If you have arrived here directly, then please go back and start at part 1 - after all, in the Identity world context is everything! [sorry for the identity in-joke].


Part Three - Consuming attributes and understanding persona to derive context

Being presented with an attribute of my identity without some form of context is somewhere between meaningless and slightly useful. Let's take the example of buying a bottle of whiskey and asserting my age;
In real life, unlike the computer world, there are few if any absolutes; everything we do, and more importantly the decisions we make, are based on context. If I were a social scientist, I would now be making an argument about context being predominantly learnt prejudice, but let's not go there.
  • In person, grey hair, probably OK, no further attribute required
  • In person, entering bar, Chicago, grey hair, mandatory photo ID (with date-of-birth) required
  • In person, UK, look under 25, photo ID with DoB probably required
  • Over the Internet; some countries, no problems, just buy it!
  • Over the Internet; in country, with country specific ID, you stand a chance
  • Over the Internet; without being enrolled in “their” age verification system, probably not
Apart from being a complete lottery when presenting attributes, we need to look at why it sort-of-works face-to-face and generally fails when not face-to-face.
  1. We need to understand who is truly authoritative for the attribute I am asserting. In my case that is the UK Government, so two authoritative documents issued by the UK Government are generally acceptable, as they have both photo and date-of-birth; namely my UK Driving Licence and my Passport.
  2. Because of international treaties, my passport generally works globally, and my driving licence less so.
  3. I say that because I was at a US conference where a booth was showing their tech that enrolled you into their identity verification system, validating your age via your driving licence, so I gave them my UK licence and was told - “Oh no, this only works on new US ‘strong’ driving licences”.
  4. Had I managed to enrol my UK Driving Licence into their system, then asserting my identity via that US service in the UK is probably a complete waste of time, as a UK supplier will not recognise it at all, and certainly not as authoritative.
  5. In fact, even the big UK banks, which generally are fairly “joined up” and consistent, will not accept each other's assertions for KYC (know your customer) checks.
  6. Our corporate account is with Barclays, obviously with full KYC checks. As a trustee on my late-Father’s trust for his grandchildren would Halifax accept this? - of course not; despite both being British high-street banks, subject to the same UK banking regulations – Halifax required that I turn up in-branch with passport, proof of address etc. - all so a very junior employee could take photo-copies of them.
Bottom line, in real-life we assert an attribute from a persona, often multiple attributes from disparate personas (that are linked at the root - i.e. me), and as long as the entity requiring these attributes is able to validate the entity that signed them, to their level of satisfaction, the transaction is able to proceed.
Why? Because the entity receiving them is able to understand them in context, so for example for my whisky sold over the Internet the contextual decision goes something like this;
  • Is over 18 AND IF in USA over 21 - signed by relevant government
  • Will pay for it, signed by VISA OR MasterCard OR Amex OR PayPal
  • Have valid delivery address signed by relevant Post Office AND not a prohibited country
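The contextual decision above, written out as an added example (not code from this blog series): each attribute is accepted only if it is signed by an issuer that is authoritative for that attribute in this context. The issuer names, demo keys, the `age_over` attribute and the `XX` country code are assumptions made for illustration, and HMAC stands in for a real issuer signature so the block runs on the Python standard library.

```python
import hashlib, hmac, json

# Constructed demo keys. HMAC stands in for a real issuer signature so the
# block runs on the standard library; issuer names are hypothetical labels.
KEYS = {n: n.encode() + b"-demo-key" for n in
        ("gov:GB", "gov:US", "VISA", "post:GB", "post:US", "us-age-service")}
GOVERNMENTS = {"gov:GB", "gov:US"}
PAYMENT_SIGNERS = {"VISA", "MasterCard", "Amex", "PayPal"}
POST_OFFICES = {"post:GB", "post:US"}
PROHIBITED = {"XX"}  # placeholder country code

def _mac(issuer, claim):
    body = json.dumps(claim, sort_keys=True).encode()
    return hmac.new(KEYS[issuer], body, hashlib.sha256).hexdigest()

def sign(issuer, claim):
    return {"issuer": issuer, "claim": claim, "sig": _mac(issuer, claim)}

def verified(assertion, authoritative):
    """Return the claim only if the issuer is authoritative for this
    attribute in this context and the signature checks; else None."""
    issuer = assertion["issuer"]
    if issuer not in authoritative or issuer not in KEYS:
        return None
    ok = hmac.compare_digest(_mac(issuer, assertion["claim"]), assertion["sig"])
    return assertion["claim"] if ok else None

def may_sell_whisky(age, payment, address):
    addr = verified(address, POST_OFFICES)
    if addr is None or address["issuer"] != "post:" + addr.get("country", ""):
        return False, "address not signed by the relevant post office"
    if addr["country"] in PROHIBITED:
        return False, "prohibited country"
    min_age = 21 if addr["country"] == "US" else 18
    age_claim = verified(age, GOVERNMENTS)
    if age_claim is None:
        return False, "age not signed by an authoritative issuer"
    if age_claim.get("age_over", 0) < min_age:
        return False, f"must be over {min_age}"
    pay = verified(payment, PAYMENT_SIGNERS)
    if pay is None or not pay.get("will_pay"):
        return False, "payment not guaranteed by an accepted scheme"
    return True, "ok"

if __name__ == "__main__":
    order = (sign("VISA", {"will_pay": True}), sign("post:GB", {"country": "GB"}))
    print(may_sell_whisky(sign("gov:GB", {"age_over": 21}), *order))
    print(may_sell_whisky(sign("us-age-service", {"age_over": 21}), *order))
```

The second call mirrors the conference-booth case: the signature is valid, but the seller does not treat that service as authoritative for age, so the attribute is worthless in this context.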
In reality, we constantly assert attributes from multiple personas, that all need to be provably linked. Easy in real-life (remember that photo linking my personas), however in the digital world we need cryptography and common (single & anonymous) cryptographic roots of trust - but more on that in a later blog.
For now, let's just leave it as Identity (Authentication, Sameness, Personas and Attributes) that all allow the derivation of context, and from context we get into risk-based decision making - but that’s part 4.