Identity Quality Is Measurable.
While we're used to thinking about how we identify
ourselves, we also need to rely on the authenticity of identity
assertions made by others. Yet there's so much inauthenticity on the
Internet that we've become
accustomed to assuming that nothing can be trusted. Let's change that.
For example, suppose that you could know with
measurable certainty that the age and gender of everyone in your
child's favorite online chat room have been established in a
face-to-face process.
Or, suppose that you want to try an interesting
but obscure piece of software. If that software were digitally signed
by an individual professional examiner, you would know with a degree of
certainty that it could be trusted. It's
all based upon the reliability of the identities involved. The
reliability, or quality, of a claim of identity may be measured in six
ways:
The Six Dimensions of Identity Quality™
1. Quality of Ownership
Does the user have “skin in the game,” or are the credential-issuing
organization’s assets the only ones at risk? The only reliable way to
prevent credential sharing is with credentials that protect the user’s
own financial, reputational and identity assets. To what extent does the
identity protect those personal assets?
2. Quality of Enrollment Practices
What type of enrollment procedure was used? Did it involve PII
corroboration? Was it face-to-face and notarial, or was it remote? How is
provisioning performed? How is the process supervised and audited? How
many eyes are watching? Each risk profile, and the value of the
highest-value digital asset being protected, will call for a particular
enrollment procedure.
3. Quality of Means of Assertion
Does the credential support OpenID, i-Name, Shibboleth, CardSpace? Does
it use SAML assertions? A well-used identity is a more reliable identity;
the more places it is used, the better.
4. Quality of Attestation
Who attests to the validity of the assertion, that is, the claimed
identity? Is the attesting party a certification authority? How reliable
are its attestation practices? How is identity status reported: CRL, OCSP
or another method?
5. Quality of the Credential
What are the characteristics of the credential and its carrier? Is one
key pair used for everything, or are different key pairs or simple
serial numbers used for different applications? The carrier of the
credential is equally important. Some risk profile / asset value
situations call for two-, three- or four-factor hardware tokens, or a
one-time password, while a soft credential in the client computer will
suffice for others.
6. Quality of Assumption of Liability
If fraud is committed with the use of the credential, who carries the
liability? Is that commitment bonded? What are the terms of the bond?
What is the source of funds for fulfillment of the bond? Are there
caveats, or is the commitment absolute, regardless of the circumstances
that made the credential available to the perpetrator? To protect
assets and processes of the highest value, where a compromised identity
would have the most serious consequences, there should be both civil
and criminal liability involved in the issuance and ongoing use of the
credential. Equally important is protection against fraudulent
repudiation. Nonrepudiation is perhaps the most difficult goal for a
trust system to achieve, but it is necessary for the system to be
useful to relying parties where significant transactions are involved.
By upgrading your Reliable Identity Credential,
you'll get the benefit of your Personal Information Ownership
Infrastructure.
Let's take a look at how upgrading your Reliable Identity Credential brings you protection of your privacy.