12 July 2006

The Meta-Identity System

Let’s start with a question: “In the Identity Metasystem, how can Identity Providers Exist?”

It seems simple in principle; someone sets up an Identity Provider server which has a Web Services Security Token Service (STS) and a policy engine. The server invites “subjects” to create profiles (lists of identity attributes) and then creates signed tokens asserting those profiles for consumption by Relying Parties. All this is easy to do.

The Paradox of the Identity Provider

What’s hard is:
  • Paying for the Identity Provider server and the service it provides.
  • Convincing Relying Parties that they should rely on information provided by a third party (the Identity Provider) rather than maintaining identity attribute information themselves.
  • Assigning liability when a relying party asserts that a claimed identity attribute is incorrect.
  • Assigning liability when a subject claims that the wrong identity attribute claim was released to a Relying Party.
  • Making subjects whole when a security failure “leaks” subject identity attributes directly from the Identity Provider.
  • Assigning liability and making subjects whole when a security failure “leaks” subject identity attributes from a Relying Party.

There’s a vicious circle here. Relying Parties won’t want to outsource identification of their transaction partners unless they can feel sure that the Identity Provider’s information is better than their own, or unless they can be indemnified against losses arising from mis-identification. Identity Providers, therefore, have to spend a lot of money on data verification, or liability insurance, or both. But to spend a lot of money, Identity Providers need to make a lot of money. This means that either their fees or their transaction volumes need to be very high. To generate high fees and high transaction volumes, Identity Providers need to have a valuable asset. And (here’s the rub) if Identity Providers provide their subjects’ identity attributes to Relying Parties, they don’t have an asset - because they’re giving it away to their customers.

The Potemkin Village

Parenthetically, by giving identity attributes to Relying Parties, Identity Providers turn the Identity Metasystem into a kind of Potemkin Village - a false front hiding emptiness and weakness. The Identity Metasystem's subjects rely on the Identity Provider to safeguard their private information, but the Identity Provider can’t safeguard information which is sitting in Relying Party systems. Unless the Relying Party's systems change, the implementation of the Identity Metasystem does nothing to reduce the total privacy risk of the environment it’s introduced into - though it may increase Relying Parties’ liabilities for that risk, because the Identity Provider’s contracts may create liabilities for Relying Parties who mishandle the information they provide.

The Meta-Identity System

If this seems gloomy, there’s good news. The technical infrastructure of the Identity Metasystem contains the seed of a solution to both problems (“How does the Identity Provider make money?” and “How do we avoid building a Potemkin Village?”). That seed is metadata.

In order to build an asset, the Identity Provider has to stop giving its crown jewels - identity data - to its customers. It can do this simply by changing what it puts into the claims it hands out to Relying Parties. Instead of answering a Relying Party’s query “How old is Bob?” with the claim “Bob is 45”, it can answer “How old is Bob?” with the claim “Bob is over 18”. Instead of answering the query “Is Bob a good credit risk?” with the claim “Bob’s credit history is (fifty-page report goes here)”, it can answer “Is Bob a good credit risk?” with the claim “97% of people with credit histories similar to Bob’s repaid loans of under $200,000 on time.”

Claims like these contain metadata rather than data. From the point of view of the Identity Provider, identity metadata has two big advantages over identity data. The first advantage is that using identity metadata in claims allows the Identity Provider to provide a service to its customers without handing over its core asset - and in fact using identity metadata allows the Identity Provider to build the value of its asset by developing expertise in analyzing raw identity data and transforming it into more and more accurate and useful metadata.

The second advantage of using metadata instead of data is that it allows the Identity Provider to provide a service to Relying Parties while minimizing the disclosure of specific personal information to those parties - thereby reducing privacy risks to subjects. Once the Identity Provider gets out of the business of providing raw identity data, of course, it no longer makes sense to call it an “Identity Provider”; calling it an “identity metadata provider” sounds hopelessly geeky, though, so I propose instead to call it an “Identity Oracle”, since what it’s really doing is answering questions about an identity.

As a technical community and as a society, we can realize a lot of benefits by eliminating Identity Providers. Instead of building an Identity Metasystem with Identity Providers, we should build a Meta-Identity System with Identity Oracles. The technical infrastructure of the Identity Metasystem doesn’t need to be changed - all that needs to change is what we put in the claims and the way we think about the system.

I gave a talk about this at the recent Burton Group Catalyst Conference. The talk includes a lot of material I haven’t discussed here; if you’re interested in listening to the talk, the Burton Group has kindly posted it in podcast form here, along with the accompanying slides.

5 Comments:

Blogger bob blakley said...

I should note that Eric Norlin and Aldo Castaneda have already commented on my talk.


Eric asks if Google is an example of the Identity Oracle. I think the answer is "yes and no". In one sense - in that it indexes data about me and makes the index publicly availble to the whole world - it's exactly the opposite of the Identity Oracle.


But in another sense - a sense Aldo describes in his entry - Google is an Identity Oracle, because it collects information about me with my consent (or at least tacit cooperation) and then uses this to do indirect things like figure out which advertisers should be putting things in front of my eyeballs. When Google puts ads beside my Gmail messages, it's essentially telling advertisers "Bob's your kind of guy" - but without showing them the text of the email on the basis of which this determination was made.


Aldo argues with me on two counts.


First he claims that I've oversimplified the internal logic of corporations by saying that they don't care about your privacy. I did say in the talk that corporations can be made to act as if they care about your privacy through the imposition of regulations and financial incentives, and I believe (though I didn't say it in so many words in the talk) that regardless of fiduciary responsibilities and obligations of directors, corporations "value" profit more than they "value" your privacy, and that (not being real people) they "care about" neither.


Aldo's second objection is that my glasses are too rosy when I suggest that using metadata instead of data will reduce identity disclosures. Here he uses Google as an example, and notes that Google protects privacy against the US government but not against the Chinese government (I can't help but note here that this contradicts his first objection!), and then he goes on to say that Google is leveraging cheap bandwidth in an attempt to become THE Identity Oracle. - but this supports my point rather than contradicting it!

July 12, 2006 9:25 PM  
Blogger Superpat said...

I've participated in discussions along these lines in the past... Presumably, the requestor gets to phrase its question "Is the user over 18"? If so, then the requestor can start to play 20 questions to narrow down the range of values: "Is the user under 65", "Is the user over 41" etc.

So you have to have rules about how many times you can ask about a given attribute, right?

July 28, 2006 5:56 PM  
Blogger Frank Yeh said...

The analogy to the Identity Oracle (I hate that term, BTW it uses a major IT company's name!!!) would be in the way that passwords are one-way hashed. You are able to use the values effectively without being able to discern the actual real data. This is goodness.

However, I haven't seen anything that says that the Identity Provider (cubbyholer? Demographer? profiler? ANYTHING but Oracle!!!) has an implied responsibility to verify that the identities and identity attributes presented are in fact accurate. Anyone can register with a Google or a Yahoo ID and they pretty much enter whatever they want for their identity attributes.

So in order for the Meta-Identity Service Provider to have somthing of value, not only does the identity data and the access to it from all Relying Parties need to respect the privacy of this data, but the data must be validated by someone when entered.

As with most things, the technical challenge is not huge but the social aspects of doing something like this are enormous. VeriSign has the Registration Authority, which essentially serves as a validation point for data BEFORE it enters the system. The Meta-Identity Provider should probably have something similar. Without it, we are faced with a classic Garbage In Garbage Out scenario.

August 01, 2006 9:27 PM  
Blogger TooTallSid said...

I have hatched a simple scheme to use InfoCards for e-commerce that is compatible with Visa's 3-D Secure.

The beauty of it, Bob, is that it implements a payment oracle.

In a nutshell, the merchant sends the transaction details down in the claims. The consumer picks a payment InfoCard. The issuer looks at the transaction details and decides whether to authorize the transaction. If so, the issuer returns a security token along with a pseudo account number, tied to this transaction, but not to the consumer. The merchant uses the account number to route the transaction through the backend payment network along with the security token.

In other words, the merchant asks the consumer to prove that they are good for money. The issuer oracle returns an answer: Yes they are and send this token to this account number, and you'll get paid.

The only identity info that leaks is the name of the issuer that the consumer is using to pay with. No account number, no billing address, no email address, no CVV, no nothing. The pseudo card number has no meaning in meatspace or cyberspace, outside this particular transaction.

So InfoCard and Identiy Oracle are compatible, at least for payments.

Bob, send a message to me and I'll send you a copy.

November 01, 2006 3:10 PM  
Blogger disa said...

This comment has been removed by a blog administrator.

December 27, 2009 5:42 AM  

Post a Comment

<< Home