Doing Away with Trust
This article appeared as my column for Connect Magazine in July 2005.
Identity credentials have contexts. Consider, for example, a Government issued passport and a coffee club card. The context for the passport is a border crossing. The context for the coffee club card is buying coffee.
Identity credentials are often used out of context. Sometimes, an out of context use doesn't make much sense--imagine presenting your coffee club card during a border crossing. Other times, however, using credentials out of context is a good way to establish a relationship or transfer trust.
As an example, you might use a credit card to pay for your purchase at the coffee shop and be asked to present some kind of identity credential. In that case, using your passport at the coffee shop would be out of context, but you'd be doing so because the coffee shop cashier is willing to recognize your passport as a means of establishing your identity.
The driver's license is an identity credential that's frequently used out of context. If you ask the head of the state driver's license bureau if the driver's license is an identity document, you'll probably be told no--its official purpose is to authorize you to drive.
The recent move by the Utah Legislature to issue driving privilege cards (DPC) instead of driver's licenses to illegal aliens belies that. Issuing a DPC sends the message, loud and clear, that the driver's license is an identity document that is frequently used out of its original context. Of course, as a private citizen, you're free to recognize the DPC as an identity document if you like. I suspect, for example, that it will be readily accepted as proof of age by convenience stores that want to sell beer and cigarettes. That kind of out of context use will continue.
But, the legislature specifically ruled out its use in certain contexts. For example, the DPC cannot be used to identify yourself when you fly. Nor can it be used to claim certain government benefits. Getting a driver's license opens the door to all kinds of opportunities in our country. The intent is that the DPC will not.
The term trust carries an enormous amount of baggage, so it would be better if we could understand what's happening without relying on it. When we speak of trust in the context of digital identity, we're really talking about surety and risk management. Gaining trust in another entity is the process of gathering evidence that can be used to estimate the level of risk for a transaction. Let's use that concept to work through the coffee shop scenario without using the word "trust."
The clerk asks to see a form of ID (a credential) along with the credit card to reduce the risk of fraud. The clerk expects that you will produce a credential that is easily authenticated. Moreover, the clerk will evaluate the risk based upon his perception of the level of care the issuing organization has taken to vet the person, his familiarity with the organization, and how difficult the credential is to fake.
The clerk is gathering evidence, even though he might not think of it that way, and evaluating the evidence in an effort to reduce the risk and gain surety that the transaction will be honored. In business, transactions frequently happen in the context of overarching agreements and understandings that include building blocks such as business relationship, legal contracts, key management, asserions, shared policies, technical assurance, and audits and accredidation.
The most interesting work in digital identity is focused on allowing more of these building blocks to come into play in short-term relationships. You can think of that as eliminating the need for trust, if you like. Credit cards did this same sort of thing in the 70s. Before credit cards, credit was based on a long-term relationship that had many of these same building blocks, or close counterparts. What credit cards did, was move those building blocks from a point-to-point relationship between the creditor and borrower and into a networked relationship where the business relationship, legal contracts, policlies, tokens, and technology were maintained at the infrastructure level.
Many have doubts that this sort of thing can happen in the identity world because risk and financial reward are not as easily offset as they are in the case of credit cards. I'm optimistic that we'll find a solution, because the rewards for doing so are significant. So far, the solutions I've seen do a nice job of solving the technical problems, but it remains to be seen whether or not identity providers will spring up who enjoy the same reputation as do the Federal and state governments. I believe that for reasons of risk management alone, governments may need to act as identity providers in the online world in the same way they've become de facto identity providers in the physical world.
Phil Windley teaches Computer Science at Brigham Young University. Windley writes a blog on enterprise computing at http://www.windley.com and is the author of a forthcoming book on digital identity published by O'Reilly Media. Contact him at firstname.lastname@example.org
Last Modified: Wednesday, 18-May-2005 18:43:55 MDT