<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: P3WG and Levels of Assurance</title>
	<atom:link href="http://kantarainitiative.org/wordpress/2009/08/p3wg-and-levels-of-assurance/feed/" rel="self" type="application/rss+xml" />
	<link>http://kantarainitiative.org/wordpress/2009/08/p3wg-and-levels-of-assurance/</link>
	<description>Shaping the Future of Digital Identity</description>
	<lastBuildDate>Sun, 20 May 2012 18:52:00 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
	<item>
		<title>By: Stephen Wilson</title>
		<link>http://kantarainitiative.org/wordpress/2009/08/p3wg-and-levels-of-assurance/comment-page-1/#comment-2092</link>
		<dc:creator>Stephen Wilson</dc:creator>
		<pubDate>Wed, 30 Sep 2009 02:27:48 +0000</pubDate>
		<guid isPermaLink="false">http://kantarainitiative.org/wordpress/?p=361#comment-2092</guid>
		<description>Sorry, I just don&#039;t get Levels of Assurance.  I don&#039;t think there can ever be sufficient precision (relating to actual risks) to enable a generic description of LOAs to be much use in practice. 

Ref. http://kantarainitiative.org/confluence/display/certification/Identity+Assurance+Certification+Program

I&#039;m particularly concerned that generic identity proofing is all relative.  The new framework specifies a sliding scale: 
AL1 &quot;Minimal criteria - Self assertion&quot; 
AL2 &quot;Moderate criteria - Attestation of Govt ID&quot; 
AL3 &quot;Stringent criteria - stronger attestation and verification of records&quot; 
AL4 &quot;More stringent criteria - stronger attestation and verification&quot; 

Look at one of the examples of AL4: to establish the ability for someone to dispense controlled drugs.  It is not enough to merely prove their identity with &quot;More stringent criteria - stronger attestation and verification&quot;.  You need to specifically check their medical qualifications.  

So &quot;more stringent&quot; ID proofing is not sufficient to authorise someone to prescribe drugs.  Moreover, it&#039;s not even a necessary condition!  What I mean by that is that until recently, I don&#039;t think medical bodies were consciously applying criteria like &quot;stronger attestation and verification&quot; when they credential doctors.  Rather, they applied carefully constructed local criteria and business rules (like university results, licensing requirements, medical board memberships, professional standing, etc.).  

In fact, I cannot think of any real world case (outside the military and government security circles) where we deal with strangers on the basis of a generic &quot;level&quot; of identity.  Rather, we deal with people on a binary basis: are they authorised or not to transact on a certain domain according to a set of rules meaningful on that domain?   For instance: 
- Is the person a qualified medical professional?  
- Is the person a qualified medical professional and board certified cardiologist?  
- Is the person not only a board certified cardiologist but are they specifically employed by this hospital? 
- Is the person a certified tax accountant? 
- Is the person employed by ACME Inc.? 
- Is the person specifically a purchasing officer of ACME Inc.? 
- Is the person a student at the University of Sydney?  
- Does the person have an insurance policy at Most Excellent HMO Inc.? 

For each of these examples, there will be a set of established business rules that codify how the person gets credentialed, who recognises the credential, what the credential entitles them to do, and what the risk and liability arrangements are.  These characteristics are what constitute the much derided “silos” in IDAM, but experience proves that you cannot modify silos without incurring great indirect costs. 
I have a theory about this: I think the focus on Levels of Assurance is an artefact of orthodox PKI where we spent a great deal of effort on two pursuits: (1) a universal, multi-domain, all-purpose digital certificate that would confer “trust” online, and (2) cross certification, namely an attempt to establish that credentials held by strangers Alice and Bob are equivalent.   

The notion that one person’s LOA is equal to or higher than that of another can be traced to Security Classifications.  In government security, it does make sense that Bob with SECRET clearance can send a marked document to Alice because she has TOP SECRET.  But in most other business domains, counterparties to a transaction are either qualified or they are not.  

What’s the point of codifying generic Levels of Assurance?  I think the main objective has been to enable cross recognition, and I have to say that that effort has been something of a wild goose chase.  The US Federal Bridge CA remains problematic and burdensome.  In other parts of the world, PKI jurisdictions have tried to avoid Bridge CAs.  See http://www.lockstep.com.au/partners/asia_pki_forum/oasis_apkif_trip_report_sep05.pdf  We should heed and abstract from these experiences when trying to design generic identity proofing principles. 

If interoperability is the goal of establishing LOAs, then I suggest that we revisit how interoperability works.  Here are two one-page papers on the topic.  While they are PKI-focused, there are lessons for digital identities more generally: 
http://www.lockstep.com.au/library/babysteps/babystep_5_pki_interoperabili.pdf 
http://lockstep.com.au/library/babysteps/babystep_8_a_critical_look_at.pdf

I have reached the conclusion that if someone wants to operate in four or five different domains, then it’s probably easier and less costly to manage four or five different identities, each valid on one domain, than it is to try and establish a single general purpose identity that “interoperates” across all domains.  Calculating the Total Cost of Ownership of multi-domain identities has to include the cost of analysing and managing elevated risks when we break open old established silos and change the fundamental ways in which people deal with each other.  

Cheers, 

Stephen Wilson, Lockstep 
www.lockstep.com.au.</description>
		<content:encoded><![CDATA[<p>Sorry, I just don&#8217;t get Levels of Assurance.  I don&#8217;t think there can ever be sufficient precision (relating to actual risks) to enable a generic description of LOAs to be much use in practice. </p>
<p>Ref. <a href="http://kantarainitiative.org/confluence/display/certification/Identity+Assurance+Certification+Program" rel="nofollow">http://kantarainitiative.org/confluence/display/certification/Identity+Assurance+Certification+Program</a></p>
<p>I&#8217;m particularly concerned that generic identity proofing is all relative.  The new framework specifies a sliding scale:<br />
AL1 &#8220;Minimal criteria &#8211; Self assertion&#8221;<br />
AL2 &#8220;Moderate criteria &#8211; Attestation of Govt ID&#8221;<br />
AL3 &#8220;Stringent criteria &#8211; stronger attestation and verification of records&#8221;<br />
AL4 &#8220;More stringent criteria &#8211; stronger attestation and verification&#8221; </p>
<p>Look at one of the examples of AL4: to establish the ability for someone to dispense controlled drugs.  It is not enough to merely prove their identity with &#8220;More stringent criteria &#8211; stronger attestation and verification&#8221;.  You need to specifically check their medical qualifications.  </p>
<p>So &#8220;more stringent&#8221; ID proofing is not sufficient to authorise someone to prescribe drugs.  Moreover, it&#8217;s not even a necessary condition!  What I mean by that is that until recently, I don&#8217;t think medical bodies were consciously applying criteria like &#8220;stronger attestation and verification&#8221; when they credential doctors.  Rather, they applied carefully constructed local criteria and business rules (like university results, licensing requirements, medical board memberships, professional standing, etc.).  </p>
<p>In fact, I cannot think of any real world case (outside the military and government security circles) where we deal with strangers on the basis of a generic &#8220;level&#8221; of identity.  Rather, we deal with people on a binary basis: are they authorised or not to transact on a certain domain according to a set of rules meaningful on that domain?   For instance:<br />
- Is the person a qualified medical professional?<br />
- Is the person a qualified medical professional and board certified cardiologist?<br />
- Is the person not only a board certified cardiologist but are they specifically employed by this hospital?<br />
- Is the person a certified tax accountant?<br />
- Is the person employed by ACME Inc.?<br />
- Is the person specifically a purchasing officer of ACME Inc.?<br />
- Is the person a student at the University of Sydney?<br />
- Does the person have an insurance policy at Most Excellent HMO Inc.? </p>
<p>For each of these examples, there will be a set of established business rules that codify how the person gets credentialed, who recognises the credential, what the credential entitles them to do, and what the risk and liability arrangements are.  These characteristics are what constitute the much derided “silos” in IDAM, but experience proves that you cannot modify silos without incurring great indirect costs.<br />
I have a theory about this: I think the focus on Levels of Assurance is an artefact of orthodox PKI where we spent a great deal of effort on two pursuits: (1) a universal, multi-domain, all-purpose digital certificate that would confer “trust” online, and (2) cross certification, namely an attempt to establish that credentials held by strangers Alice and Bob are equivalent.   </p>
<p>The notion that one person’s LOA is equal to or higher than that of another can be traced to Security Classifications.  In government security, it does make sense that Bob with SECRET clearance can send a marked document to Alice because she has TOP SECRET.  But in most other business domains, counterparties to a transaction are either qualified or they are not.  </p>
<p>What’s the point of codifying generic Levels of Assurance?  I think the main objective has been to enable cross recognition, and I have to say that that effort has been something of a wild goose chase.  The US Federal Bridge CA remains problematic and burdensome.  In other parts of the world, PKI jurisdictions have tried to avoid Bridge CAs.  See <a href="http://www.lockstep.com.au/partners/asia_pki_forum/oasis_apkif_trip_report_sep05.pdf" rel="nofollow">http://www.lockstep.com.au/partners/asia_pki_forum/oasis_apkif_trip_report_sep05.pdf</a>  We should heed and abstract from these experiences when trying to design generic identity proofing principles. </p>
<p>If interoperability is the goal of establishing LOAs, then I suggest that we revisit how interoperability works.  Here are two one-page papers on the topic.  While they are PKI-focused, there are lessons for digital identities more generally:<br />
<a href="http://www.lockstep.com.au/library/babysteps/babystep_5_pki_interoperabili.pdf" rel="nofollow">http://www.lockstep.com.au/library/babysteps/babystep_5_pki_interoperabili.pdf</a><br />
<a href="http://lockstep.com.au/library/babysteps/babystep_8_a_critical_look_at.pdf" rel="nofollow">http://lockstep.com.au/library/babysteps/babystep_8_a_critical_look_at.pdf</a></p>
<p>I have reached the conclusion that if someone wants to operate in four or five different domains, then it’s probably easier and less costly to manage four or five different identities, each valid on one domain, than it is to try and establish a single general purpose identity that “interoperates” across all domains.  Calculating the Total Cost of Ownership of multi-domain identities has to include the cost of analysing and managing elevated risks when we break open old established silos and change the fundamental ways in which people deal with each other.  </p>
<p>Cheers, </p>
<p>Stephen Wilson, Lockstep<br />
<a href="http://www.lockstep.com.au" rel="nofollow">http://www.lockstep.com.au</a>.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

