Warning: this is part three of what is intended to be a nine-part blog looking and expanding on what identity is!
If you have arrived here directly, then please go back and start at part 1 - after all, in the Identity world context is everything! [sorry for the identity in-joke].
If you have arrived here directly, then please go back and start at part 1 - after all, in the Identity world context is everything! [sorry for the identity in-joke].
https://www.globalidentity.blog/2022/11/mistaken-identity-part1.html
Part Three - Consuming attributes and understanding persona to derive context
Being presented with an attribute of my identity without some form of context is somewhere between meaningless and slightly useful. Let's take the example of buying a bottle of whiskey and asserting my age;
In real life, unlike the computer world, there are few if any absolutes, everything we do, and more importantly the decisions we make are based on context. If I were a social scientist, I would now be making an argument about context being predominantly learnt prejudice, but let's not go there.
- In person, grey hair, probably OK, no further attribute required
- In person, entering bar, Chicago, grey hair, mandatory photo ID (with date-of-birth) required
- In person, UK, look under 25, photo ID with DoB probably required
- Over the Internet; some countries, no problems, just buy it!
- Over the Internet; in country, with country specific ID, you stand a chance
- Over the Internet; without being enrolled in “their” age verification system, probably not
- We need to understand who is truly authoritative for the attribute I am asserting. In my case the UK Government, thus there are generally two authoritative documents issued by the UK Government generally acceptable as they have both photo and date-of-birth; namely my UK Driving Licence and my Passport.
- Because of international treaties, my passport generally works globally, and my driving licence less so.
- I say that because I was at a US conference where a booth was showing their tech that enrolled you into their identity verification system, validating your age via your driving licence, so I gave them my UK licence and was told - “Oh no, this only work on new US ‘strong’ driving licences”.
- Had I managed to enrol my UK Driving Licence into their system, then asserting my identity via that US service in the UK is probably a complete waste of time, as a UK supplier will not recognise it at all, and certainly not as authoritative.
- In fact, even the big UK banks, which generally are fairly “joined up” and consistent, will not accept each other's assertions for KYC (know your customer) checks.
- Our corporate account is with Barclays, obviously with full KYC checks. As a trustee on my late-Father’s trust for his grandchildren would Halifax accept this? - of course not; despite both being British high-street banks, subject to the same UK banking regulations – Halifax required that I turn up in-branch with passport, proof of address etc. - all so a very junior employee could take photo-copies of them.
Why? Because the entity receiving them is able to understand them in context, so for example for my whisky sold over the Internet the contextual decision goes something like this;
- Is over 18 AND IF in USA over 21 - signed by relevant government
- Will pay for it, signed by VISA OR MasterCard OR Amex OR PayPal
- Have valid delivery address signed by relevant Post Office AND not a prohibited country
In reality, we constantly assert attributes from multiple personas, that all need to be provably linked. Easy in real-life (remember that photo linking my personas), however in the digital world we need cryptography and common (single & anonymous) cryptographic roots of trust - but more on that in a later blog.
References:
https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf
https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf
https://www.globalidentityfoundation.org/downloads/Identity_30_Definitions.pdf
https://www.globalidentityfoundation.org/downloads/Authentication_to_Risk_Triangle.pdf
https://www.globalidentityfoundation.org/downloads/Identity_30_Principles.pdf