Identity-Based Decisions

I thought I'd follow up on my post from this weekend and add some context around the need for strong identity proofing across the Internet as a precursor to an AzaaS model.  There is a very valid question that we all must ask: who do you think you are?  Without some form of strong identity proofing, your reputation is all that defines you.  Unless a trusted third party vouches for you, your identity is self-asserted.  Back in the day, "my word is my bond" was an acceptable basis for trust, but not so much today.

So what? For low-value transactions, this is just fine.  At the end of the day, it doesn't matter whether your Facebook profile belongs to a real person. For higher-value transactions, however, it matters a great deal.  This is particularly true for the enterprise, where relationships with businesses, organizations, and consumers are the lifeblood of the organization. After all, Service Providers have to make decisions based on the identities using the service, and if the identity is inaccurate, the decision built on it will be a poor one. When my supplier accesses my invoicing system, I want to be sure that the person logging in really is from the supplier.  If I'm buying a car and completing a title transfer online, I want to be certain that the person I'm handing my money to really owns the car.  This applies to virtually every area of online services: business, government, health care, and so on.

Wouldn't it be interesting to imagine an online world where every identity is proofed to some level, and the level of that proofing follows the identity from place to place?  Would Service Providers make different decisions?  I think they would.  If you proved your digital identity in-person at, say, your local DMV and they gave you a strong credential to assert this proof, I'd be much more comfortable buying your car online. 

Authorization decisions are just another type of decision a Service Provider must make about how someone uses its service. Before we can start thinking about a Trust Framework model for authorization across the Internet, the proofing problem needs to be solved, and there are, unfortunately, more questions than answers.  There are some consumer-oriented solutions out there now (the Symantec/Experian solution, for example), but we've got to break out of the bounds of the enterprise and make identity proofing available to the general public in widespread form.  NSTIC is laying these foundations, and I believe a hybrid public/private approach is the right one, as long as privacy-enhancing technology is in place as an identity mediator.
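To make the idea of a proofing level that "follows the identity" concrete, here is an added example in Python; it is not code from the original post, nor from NSTIC or any product mentioned above. It models the two halves of the picture: a trusted issuer (the DMV in the example above) signs an assertion that carries the level at which it proofed the subject, and a Service Provider decides whether a given transaction may proceed based on that level, treating anything it cannot verify as self-asserted. The token layout, the three-step level scale (1 = self-asserted, 2 = remotely verified, 3 = proofed in person), the issuer names, the shared HMAC keys (a stand-in for the public-key signatures a real federation would use) and the per-transaction requirements are all assumptions made here for illustration.

```python
"""Relying-party side of a proofing-level check.

Added example, not from the original post. Assumptions (all hypothetical):
  - an assertion is  base64url(json claims) "." base64url(HMAC-SHA256)
  - proofing levels: 1 self-asserted, 2 remotely verified, 3 in-person
  - the Service Provider holds a shared key per issuer it trusts
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed: issuers the Service Provider trusts, with the key each one signs with.
TRUSTED_ISSUER_KEYS = {
    "dmv.example": b"dmv-shared-secret-for-demo",
    "bank.example": b"bank-shared-secret-for-demo",
}

# Constructed: minimum proofing level each kind of transaction demands.
REQUIRED_LEVEL = {
    "social_profile": 1,          # self-asserted is fine
    "supplier_invoice": 2,        # someone must have checked the supplier relationship
    "vehicle_title_transfer": 3,  # in-person proofing, e.g. at the DMV
}


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, subject, proofing_level, key, ttl=300, now=None):
    """Issuer side: sign the claims so the level travels with the identity."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "proofing_level": proofing_level,
              "iat": int(now), "exp": int(now) + ttl}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(sig)


def self_asserted(subject, proofing_level):
    """The 'my word is my bond' case: a claim with no issuer and no signature."""
    return b64e(json.dumps({"sub": subject, "proofing_level": proofing_level}).encode())


def verify_assertion(token, now=None):
    """Return the claims only if a trusted issuer signed them and they are current."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    try:
        claims = json.loads(b64d(body))
        sig_bytes = b64d(sig)
    except ValueError:          # bad base64 (binascii.Error) or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    key = TRUSTED_ISSUER_KEYS.get(claims.get("iss"))
    if key is None:             # unknown issuer: nobody we trust vouches for this
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None             # tampered claims or forged signature
    now = time.time() if now is None else now
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None             # stale assertion
    return claims


def authorize(token, transaction, now=None):
    """Service Provider decision: (allowed, reason) for this transaction."""
    required = REQUIRED_LEVEL[transaction]
    claims = verify_assertion(token, now)
    if claims is None:
        # Nothing verifiable: treat it as self-asserted, never above level 1.
        return (required <= 1, "no trusted issuer vouches for this identity; level 1 assumed")
    level = claims.get("proofing_level", 0)
    if level < required:
        return (False, f"proofing level {level} is below the required {required}")
    return (True, f"{claims['iss']} vouches for {claims['sub']} at level {level}")


if __name__ == "__main__":
    dmv = issue_assertion("dmv.example", "alice", 3, TRUSTED_ISSUER_KEYS["dmv.example"])
    print(authorize(dmv, "vehicle_title_transfer"))
    print(authorize(self_asserted("carol", 3), "vehicle_title_transfer"))
```

The point of the structure is that the Service Provider never reads the proofing level out of the token until it has established who signed it: a self-asserted level 3 and a forged signature both fall back to level 1, so the only way to unlock the title transfer is a valid assertion from an issuer the provider already trusts.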