Naming and Certificates: An Identity Policy


As I mentioned, over the coming weeks I'll be discussing some identity policies from my book on Digital Identity.

Common identity policies include authentication and authorization, naming, directories, encryption, software development, software licensing, networking, privacy and federation. The number and type of policies depend on an organization's size and purpose. Today, I'm going to discuss naming.

A policy on naming forms the basis for other identity policies and for security policies. Naming can refer to many different things, including domain names, usernames, uniform resource locators, documents, phone numbers, employee identity numbers, and physical assets such as conference rooms, printers, and computers. A policy tailored to a specific company may not address all of these, only the ones that are important now. Other facets of naming can be added as necessary or delegated to the appropriate parties.

The naming policy should be concerned with the form of names and who is responsible for naming. Most companies, for example, own one or more domain names. Other people in the organization will want subdomains from those domain names. Someone in the organization should be responsible for maintaining the domain name asset and assigning subdomain names. This role is typically called the "registrar."

Most organizations also own a number of digital certificates. Digital certificates associate identity information with a public key in a signed data structure. I've chosen to include the policy information for certificates with naming because I prefer using the registrar for managing an organization's certificates as well as its domains. In common practice, most certificates are associated with domain names, and the asset tracking system used to manage domain names and subdomains can frequently be used to manage certificates as well. Another place to talk about certificates would be in the policy on encryption and digital signatures.
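As an added illustration of the point above (example code, not from the post or its sample policy), the following reconciles a certificate inventory against the registrar's domain inventory, so that a certificate whose names fall outside any domain the registrar has assigned, or one that is about to expire, is surfaced as a finding. The domain owners, certificate records and dates are constructed sample data.

```python
"""Reconcile a certificate inventory against the registrar's domain inventory.
All records below are constructed sample data, not real certificates."""
from datetime import date

# Constructed: domains and subdomains the registrar has assigned, with the
# party responsible for each (the most specific name wins on lookup).
DOMAIN_INVENTORY = {
    "example.com": "registrar",
    "shop.example.com": "ecommerce-team",
    "example.org": "registrar",
}

# Constructed: certificate records as an asset tracking system might hold them.
CERT_INVENTORY = [
    {"serial": "01", "names": ["www.example.com", "example.com"], "not_after": date(2025, 3, 1)},
    {"serial": "02", "names": ["*.shop.example.com"], "not_after": date(2024, 7, 15)},
    {"serial": "03", "names": ["old-brand.net"], "not_after": date(2026, 1, 1)},
]


def owner_of(name, inventory=DOMAIN_INVENTORY):
    """Return the party responsible for a DNS name, or None if no domain in
    the inventory covers it. A wildcard covers exactly one label, so the
    base domain it sits under must itself be in the inventory."""
    labels = name.lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    # Walk from the most specific name up to the registrable suffix.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in inventory:
            return inventory[candidate]
    return None


def review_certificates(certs, today, warn_days=30, inventory=DOMAIN_INVENTORY):
    """Return {serial: [findings]}. A certificate is flagged when any of its
    names is outside the registrar's inventory or when it expires soon."""
    findings = {}
    for cert in certs:
        issues = []
        for name in cert["names"]:
            if owner_of(name, inventory) is None:
                issues.append(f"unregistered name {name}")
        days_left = (cert["not_after"] - today).days
        if days_left < 0:
            issues.append("expired")
        elif days_left <= warn_days:
            issues.append(f"expires in {days_left} days")
        if issues:
            findings[cert["serial"]] = issues
    return findings
```

Running `review_certificates(CERT_INVENTORY, date(2024, 7, 1))` flags serial 02 for expiring in 14 days and serial 03 for a name no owned domain covers, while serial 01 passes.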

A policy on naming can also help enforce data standardization efforts. Such a policy might include requirements to use information from the metadata repository or to use identities in established data stores in preference to creating new identities.

One of the most important naming roles a policy can perform is to grant authority for creating enterprise-wide identifiers. For example, how are email identifiers created? Who has authority to determine the format of employee numbers?

I've created a sample identity policy on naming (PDF or WORD) that you can use as a template. You'll see that it addresses many of the issues I bring up above.