The Future of Federations
Alternate realities / Distributed identity credentials / Accommodating the many faces of a digital identity credential
By Laura Paglione (ORCID)
Early this year I attended the 26th Internet Identity Workshop (IIW) in Mountain View, CA. This biannual event uses an unconference format to talk about all things digital identity from a fairly broad perspective. There is no agenda for the meeting, but the proceedings are published. Since my previous exposure to identity and access management (IAM) had been through a Research & Education (R&E) lens, I wasn’t adequately prepared for the conversations being had there, which focused on self-sovereign identity instead of federations; zero knowledge proofs rather than attribute release; and immutable ledgers versus trust in identity providers.
To be sure, the discussions were unapologetically on the bleeding edge of digital identity handling; very little seemed like something that will displace the status quo tomorrow. But it did get me wondering if the R&E community should be at the forefront of these discussions. So much in universities is based on the underlying tenet that the individuals there are independent from the institution. Academic freedom is a core value to these institutions, even creating the tenure system that was developed to ensure that faculty members could pursue their independent research even if their findings might differ from the opinions of the institution where they do their work.
And yet, when I think of IAM on a campus, in most cases digital identity credentials are thought of as being the property of the institution itself. There are really good reasons for them to be handled in this way. In most senses they are more like an expression of affiliation than identity. Institutions are the supplier and steward of these affiliation relationships; they typically have a rigorous admission and acceptance process that they control. So, it is natural for the institution to see these credentials as something that they control and own, and the individual as the recipient of the privileges that these credentials enable.
The many faces of a digital identity credential
I often think about the identity management protocol (SAML) used in many institutional applications as a business to business (B2B) structure. Institutions negotiate with each other about how the credentials will be used, what information is exchanged about an individual, and under what conditions — often without input from or even the knowledge of the individual him/herself. This structure can cause some inherent concerns in privacy and control when used outside of the institution, particularly when negotiating the many different types of information that often are expected:
- AUTHENTICATION: This information is most commonly used for authentication
- Sign-in Info: Consistent information that the person signing in is the same person who signed in before.
- AUTHORIZATION: This information is usually used for authorization purposes.
- Personal Info: Information about the person him or herself, sometimes including Personally Identifiable Information (PII) like name, citizenship, age or gender
- Bestowed Info: Attributes bestowed upon the person through his/her actions or experience, for example, a degree or a title
- Affiliation Info: Information related to the individual’s affiliation with the institution providing the information, like the individual’s status a student or a faculty member, or the his/her institutional email
- Entitlement Info: Information about what the individual is entitled to do, for example, gain access to a resource, use a piece of equipment, or enter a building
The decision to share some of this information seem appropriate to rest with the institution, for example, information about the individual’s affiliation with the institution, and perhaps entitlement information specific the individual’s use of resources at the institution. But, the decision to share other information seems better placed with the individual, for example, sign-in and personal information. For bestowed information, it would be helpful to know that the institution that “bestowed” the credential (for example, a degree) vouches for its authenticity, but that individual has made the decision to share it.
In-person identity: a case study
Should digital identity credentials work more as they do for in-person identity verification and access? In person, an individual presents him or herself and makes decisions about what pieces of information to share in each situation based on what is needed. At times the individual can just show that (s)he had been there (authenticated) before, perhaps even being recognized from past interactions just by showing up. Other times the individual needs to show an official ID or provide a credential (share attributes) to gain authorization to access to what he or she needs. Usually this information comes from several different sources. In some cases, the individual may even need to wait until the information can be verified by the issuer for authenticity or current validity.
For many R&E identity providers, authentication (sign in info) and presentation of the institution’s “affiliation information” attributes is conflated to some degree. For service providers (SPs), R&E institutional sign in is attractive often because of the implied affiliation of the individual with a research or education institution. Though, with this tight coupling between sign in and affiliation, it is difficult (if possible at all) to gain information that may be within the scope of a different institution, for example, a past degree, or membership on a project team, or access rights to a research resource. Taking cues from the in-person model above, there could be some benefit to conceptually de-link sign in authentication from authorization attributes, and enable a more distributed composite of information to aid authorization decisions.
An individual could then hold a set of this distributed information like virtual “ID cards.” These cards each could be issued by different institutions, each containing authorization attributes for which the institution is an authority. The individual could virtually choose and present the cards as appropriate, in a way that is associated with, but separate from the digital sign in. To access an article, the home institution card would be best. To chat with the project team, the team card would work. When appropriate, ID cards containing bestowed information (like degree, affiliation, service activity, etc) could be provided to the individual in a verifiable manner, making them available for use by the individual using their personal sign in credentials, even if the the individual is no longer affiliated with the organization bestowing the credential. This arrangement would be a vast improvement over the more temporary way that these attributes often are tied to an institutional sign in. There are challenges with uniquely and consistently identifying people over long periods of time, particularly when their affiliation changes; and often an individual’s relationship with their scholarly services outlives their relationships with any single identity provider.
These “ID cards” would still need to be tied to one or more sign-ins, perhaps in “bring your own identity to work” style. Of course, this model doesn’t happen today. A faculty member usually has no option to bring their own digital identity to work; in fact, alternate identities are often outright banned either as a policy or lack of support. And when someone leaves the institution, it is unlikely that (s)he is invited to take his/her sign in with him/her. A growing number of service providers that are adopting a “bring your own identity” approach for authentication, supplementing it with their own flavor of authorization, essentially attaching their own service provider-specific “ID card” access credentials to the sign-in provided. The research collaborations represented by the FIM4R (Federated Identity Management for Research) community take this approach, allowing individuals to use the identity of their choice to access resources, regardless of the specific attributes that the related identity provider releases — or doesn’t.
How could this idea work in a Federations 2.0 world?
1. Embrace “social identities” for authentication
Considering individuals as the stewards of their identity, initiating access to services through an identity should persist as long as their career does. Often described as “social identities” within the FIM community, these identities often have security and tamper features that are on a par with those of FIM identity providers. In addition, these identities have the benefit of staying associated with the individual for longer periods of time, even if their affiliation or status changes.
2. Consider today’s IdP as tomorrow’s “ID card” credentials
From a service provider’s point of view, a compelling value in today’s identity providers is in the association of the provider’s digital credential to its institution’s reputation and trust fabric, and in understanding of the individual’s relationship with the institution. The community how this information might be “attached” to social sign ins in a verifiable way where the individual can make choices on when to present it, like virtual ID cards. As in the physical world, the digital cards would need security features to prevent counterfeiting, and assure proper connection to identities and effective revocation and renewal processes. Finally, there would need to be a simple way to for systems to request and check these ID cards from individuals upon authentication.
3. Explore zero-knowledge approaches to exchange more sophisticated/sensitive information
Simple ID cards are not going to be enough for some use cases. There will be times when more sophisticated information is needed about the individuals using FIM services. Rather than discussing what attributes need to be exchanged, it would be helpful to better understand the questions we are trying to answer, and the minimal amount of information that can be exchanged to do so. If you need to know whether someone is an active researcher, you might establish this by using sensitive information, such as the details about the individual’s last grant or publication, but just provide a simple “active / not active” answer without exchanging the sensitive information itself. If you need to know whether someone is eligible for EU programs, you can use their country of citizenship to provide the answer without sharing the country details. The community should determine a set of common questions that can uniquely be answered by IdPs, and develop high-assurance, secure ways that are compatible with evolving practices in order to answer these questions without divulging sensitive information. This capability would give IdPs a hugely compelling and translatable value proposition that could be deployed beyond the current R&E footprint.
These ideas for the future are far easier to describe than to deploy, and would require careful application to start. However, given the stagnation in the attribute release discussion and the growing prominence of social identities, it’s worth a try. I definitely would welcome the conversation!