Daring to question the "open" in Open Identity
Stephen Wilson's Babysteps
Ideas to demystify identity, privacy, authentication and safety online.
I’m developing a detailed submission on the National Strategy for Secure Online Transactions and the fit between the OIX model and the needs of e-business and e-government. But can I please test one of my concerns in this forum?
Something about the word “open” has never sat well with me in the context of “open identity”. I wonder if the open identity community has coopted the word and subconsciously twisted it a little? Open standards and open government are obviously good things, and open source has a lot of goodness associated with it. But what exactly does “open” mean in open identity?
There is a strong implication in “open identity” that identities issued by different entities can be (nay, should be) treated equally. But when I look at any of the ‘serious’ identities used when transacting with business and with government, there is almost always a natural preferred issuer for each of them. Banks issue bank accounts and credit card numbers; health agencies issue health identifiers; governments issue SSNs, tax file numbers and passports; employers issue employee IDs; medical registration bodies issue doctors' credentials.
So these types of identities aren’t actually “open” on the issuer side. How could they be?
So, if there is usually a one-to-one relationship between a type of identity and the natural issuer of that identity (or in other words, if there is usually just one obvious issuer for each given identity), then isn’t a great deal of the Open Identity Trust Framework overly complicated?
In particular, in so many cases, the Relying Party and the Identity Issuer are one and the same. While there is a strong intuition that RPs like government agencies can reduce costs by using identities issued by other entities, and that users may find it more convenient to re-use a smaller set of identities across a bigger set of RPs, I respectfully submit that that intuition is probably often wrong; see “In defence of identity silos”. Experience shows that the business process re-engineering and legal work far outweigh any benefits when one institution tries to use another institution's identities to save having to issue their own.
I think to make progress in identity frameworks, we need more simplifying assumptions, and fewer complicating generalisations, like the spawning of new and possibly unnatural Identity Issuers.
Steve Wilson, Lockstep.