Trust in identity management

Today we’ll take a look at some of the key concepts introduced in the Open Group’s white paper “Identity Management” (link below), which I introduced in the last issue.

A number of people felt that the term “identity” was both adequate and sufficient even though I’d written it off because of the possibility of confusion with the entire realm of identity management. I thought it would be like using a term to define itself. The opening paragraph of the white paper’s introduction proves my point: “…people can have different identities when working with different systems, or can have more than one identity when working with a single system, perhaps when working in different roles.” Keep sending your suggestions in, by the way, I’m still tabulating.

The paper identifies the key concepts as trust, authentication, provisioning, authorization and directories. We’ll look at each in turn, beginning today with “trust.”

One of the best features of the section on trust is the listing of what trust is not. That is, in common usage people may believe these qualities are part of a “trust relationship,” but in a formal system (such as identity management) they should play no part. According to the author, trust is:

* Not transitive (cannot be passed from person to person).
* Not distributive (cannot be shared).
* Not associative (cannot be linked to another trust or added together).
* Not symmetric (I trust you does not equal you trust me).
* Not self-declared (trust me – why?).

Trust is hard to quantify, but “risk” could be quantified to a certain extent. An entire industry has grown up around the concept of quantifiable risk and risk management. Trust, then, is balanced against risk in a zero-sum fashion so that as risk is decreased, trust is increased.
While we can decide to trust a process (such as certificates of authority), this is really a way to attempt to minimize risk rather than an increase in actual trust.

In terms of identity management, then, it’s not so much that we trust the credentials someone is using to identify themselves, but that we have minimized the risk that the credentials are false. Often we do this by putting our trust in a third party who can vouch for the authenticity of the credentials. This authority, in turn, may have been vouched for by another party. Ultimately we are basing our decision on an explicit trust in some person or an implicit trust in some institution in which the chance of risk has been reduced almost to zero. After all, even your mother didn’t always tell you the truth (remember the pet hamster that “escaped” while you were at school?).

Next time, we’ll look at authentication.
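The vouching chain described above, sketched as an added example that is not part of the original column or the Open Group paper: a relying party accepts an identity only when directed vouching statements lead back to an anchor it trusts explicitly. All identity names, the `max_hops` risk limit and the sample statements are constructed assumptions.

```python
from collections import deque

# Explicit trust: the only identities the relying party trusts directly.
ANCHORS = {"root-authority"}

# Constructed sample data: directed (voucher, subject) statements.
VOUCHES = [
    ("root-authority", "regional-authority"),
    ("regional-authority", "alice"),
    ("alice", "dave"),
    ("eve", "root-authority"),   # eve vouching for the anchor earns eve nothing
    ("mallory", "mallory"),      # self-declared
    ("bob", "carol"),
    ("carol", "bob"),            # mutual vouching that never reaches an anchor
]


def vouching_path(subject, max_hops=2):
    """Return the chain [anchor, ..., subject], or None if none is acceptable.

    max_hops is a hypothetical risk limit: every extra intermediary is one
    more party that could be wrong, so long chains are refused.
    """
    vouchers = {}
    for voucher, vouched in VOUCHES:
        if voucher != vouched:  # a self-declared statement carries no weight
            vouchers.setdefault(vouched, set()).add(voucher)

    queue = deque([[subject]])
    seen = {subject}  # guards against vouching cycles
    while queue:
        path = queue.popleft()
        head = path[0]
        if head in ANCHORS:
            return path
        if len(path) - 1 >= max_hops:
            continue  # chain already as long as the risk limit allows
        for voucher in sorted(vouchers.get(head, ())):
            if voucher not in seen:
                seen.add(voucher)
                queue.append([voucher] + path)
    return None


if __name__ == "__main__":
    for name in ("alice", "dave", "eve", "mallory", "bob"):
        print(name, "->", vouching_path(name))
```

Raising `max_hops` to 3 accepts `dave`, which shows that the decision is a risk tolerance set by the relying party rather than a property of the credential.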