Identity: Turtles All the Way Down

My thinking catalyzed by the great dialog among national healthcare identity experts at the ONC/CARIN Identity Summit in Washington DC June 4th, a notion I’ve been worrying for some time finally precipitated out: identity is turtles all the way down. There is not a digital identity separate and distinct from one’s legal identity. There is only one thing, an Informational Identity.

There are two conceptual shifts we need to take to see the turtles.

The first is understanding that credentials have dual utility.   Their primary, commonly-understood value is in their use by agents as virtual keys unlocking gated access to resources in an identity domain. 

But they have another value.   Their very existence demonstrates the agent holding them, being them, or knowing them met the identity proofing bar for the identity domain authority that issued them.

The second conceptual shift is understanding that the identity evidence required in proofing, as described in the NIST standards, for example, consists of those self-same credentials.

Putting these two together, it becomes clear that the review of identity evidence in proofing is actually the authentication of credentials for their secondary value, as evidence of that upstream proofing.

What can we see from this new perch?

For an individual, their overall identity is a directed graph of proofed identity nodes connected by authentication edges.   This graph overlays their timeline, their personal journey through time and space. Each proofing happens at a point in time, in a real or a real-and-virtual location.

The quality of proofing of a given node is a function of the number of ‘upstream’ identity nodes it is connected to and, for each of those connections, the quality of the type of credential and its authentication as represented by the edge, and the quality of proofing of the upstream node itself, which is in turn a function of the quality of proofing of nodes even farther upstream, and the qualities of their edges, and so on. Turtles all the way down.

An individual’s ‘Informational Identity’ (their legal + transactional + digital identity) is the entire graph.   Their ‘legal’ identity per se is the subgraph – the component – whose nodes’ domain authorities are government agencies.   Their ‘digital’ identity is the component consisting of nodes in digital identity domains.

Credentials as used in their primary role are supported by the ‘weight’ of the graph upstream of the proofing node with which they are associated.

When a credential expires, the quality of proofing of all downstream nodes already in existence at the time of expiration is unaffected.   But any further growth of the graph from the proofing node of the expired credential is stopped.
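The graph model described above, sketched as an added example (not code from the original post). The noisy-OR scoring rule, the `root_quality` value for nodes with no upstream credentials, and every number in the sample data are assumptions made for illustration; the post does not specify a formula.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    """One proofing event by an identity domain authority."""
    authority: str
    government: bool                # True -> node belongs to the 'legal' component
    proofed_at: int                 # year of proofing (constructed sample data)
    expires: float = float("inf")   # year the issued credential expires
    root_quality: float = 0.0       # used only when there is no upstream credential
    edges: list = field(default_factory=list)  # (upstream, cred_strength, auth_quality)

class IdentityGraph:
    def __init__(self):
        self.nodes = {}

    def proof(self, name, node, evidence=()):
        """Add a node by authenticating upstream credentials as identity evidence."""
        for upstream, strength, auth in evidence:
            up = self.nodes[upstream]
            # An expired credential cannot seed new proofing events.
            if up.expires < node.proofed_at:
                raise ValueError(f"{upstream} credential expired in {up.expires}")
            node.edges.append((upstream, strength, auth))
        self.nodes[name] = node

    def quality(self, name):
        """Assumed rule: noisy-OR over edges, recursing into upstream nodes."""
        node = self.nodes[name]
        if not node.edges:
            return node.root_quality
        return 1 - prod(1 - s * a * self.quality(u) for u, s, a in node.edges)

    def legal_component(self):
        """Subgraph whose domain authorities are government agencies."""
        return {n for n, v in self.nodes.items() if v.government}

def build_sample():
    # Constructed sample graph; strengths and qualities are illustrative only.
    g = IdentityGraph()
    g.proof("birth_cert", Node("Oregon vital records", True, 1980, root_quality=0.5))
    g.proof("passport", Node("US State Dept", True, 2005, expires=2015),
            [("birth_cert", 0.9, 0.9)])
    g.proof("utility", Node("Electric utility", False, 2009, root_quality=0.3))
    g.proof("license", Node("Oregon DMV", True, 2010, expires=2018),
            [("passport", 0.9, 0.8), ("utility", 0.4, 0.5)])
    return g
```

In this sample the license node scores below the passport it was proofed from, because every edge attenuates the upstream quality. Proofing a new node in 2016 from the passport is refused, while the existing license score is unchanged.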

Key to this perspective is the idea that proofing is the authentication of credentials for their secondary utility.   Here is an example to illustrate.

I am an identity domain authority.   I proof you by authenticating your Oregon driver’s license, a credential issued by the state which authorizes you to drive on public roads in that state.  To get that driver’s license from Oregon, you had to provide a proof of ‘legal presence/identity’ and a proof of your current residence address.

‘Proof of legal presence/identity’ is a passport, birth certificate, certificate of citizenship, or one of a list of similar documents. Those are all credentials issued by some other upstream identity domain authority.  A passport authorizes you to travel to other countries and return.  A birth or citizenship certificate authorizes you to vote when you are 18 or older, become President of the United States when you are 35 or older, and other useful things. 

The quality of the ‘edge’ connecting us to that upstream proofing event is a combination of the nature of the credential – biometrics are stronger than passwords, etc. – and how well I authenticate it.   My authentication of that driver’s license may be more or less sophisticated – I check that the photo is you, see if it is current, examine the license for tampering, look for the watermark, maybe shine an ultraviolet light on it (not sure what that reveals, but TSA does it). I may image it and submit that to a service that does additional authentication. I may contact the state and validate their stored picture matches the one on the license.

Proof of current residence is a ‘softer’ credential – pretty much any official kind of thing that has your name and an Oregon address on it – the same document you used for proof of legal presence, if it has the address, or a utility bill, or an insurance policy, or a loan agreement, or W-2, etc.

Again, these are all kinds of credentials which bind the individual to an identity domain: customers of Pacific Gas and Electric, who are authorized to use electricity, people who have checking accounts with Washington Federal, who are authorized to deposit money to the account, write checks, take withdrawals, and so on.  When the individual entered each of those agreements, there was some level of identity proofing required.

So it looks like turtles all the way down…till what?

In our Oregon driver’s license example, if we look at the DMV’s list of acceptable ‘proof of address’ documents and treat it like a ‘which of these is not like the others’ question on an IQ test, this jumps out:  “[a] verbal statement from any person living at the same residence address you listed on your application.”

It seems that identity proofing consists of two classes of proofing.  

The first is the validation of credentials for their secondary utility as described above.   That gets us to our Informational Identity Graph. 

The second is attestation of your identity by some other individual.

How does that impact our picture?

Consider this – you may have to squint just a little.  A person who vouches for another’s identity is serving as a kind of ‘human credential’.   The applicant – the person being proofed – is in some relationship with the voucher.    We can extend our list of types of credentials to something you have, something you are, and something or someone you know.

In some cases, a ‘someone you know’ credential can be used for its primary utility – you can be authorized to use the country club for the day if a person who is a member vouches for you.

But it can also be used for its secondary utility, in proofing.  

Like any credential, the quality of authentication varies. In the Oregon example, the person vouching for your address has to provide a proof of address credential they have for the same physical address. In the NIST 800-63A standard, these vouching persons are called ‘trusted referees.’ The referee has to be proofed to the same standard to which you are trying to proof the candidate. And CSPs “SHALL determine the evidence required to bind the relationship between the trusted referee and the applicant”.

We can incorporate referees into our model as types of credential.

So where do the turtles end?  When there are no more credentials upstream.

The very first credential usually issued to an individual is their birth certificate (sometimes a ‘Consular Report of Birth Abroad’).

Historically births were recorded, when recorded, primarily in churches, but that moved to government agencies in the late 19th and early 20th centuries in support of tax and conscription rolls.

The birth certificate is a credential that authorizes you to vote when you are of age, to hold government office when you meet the age requirements, to enlist in the military when you are of age.    It is the cornerstone of our Informational Identity.

In a birth certificate, your parents – and frequently the doctor or midwife – attest to your birth, and bind your name, birth date, biometrics – frequently cute little footprints – place of birth, and so on together in a legal document.  

In Oregon the official instructions for filling out the ‘Oregon Report of Live Birth’ don’t require any review of the parents’, doctors’ or midwives’ identity credentials, or any proof of their relationship to the newborn.  (They do require the parents’ Social Security numbers to comply with the Family Support Act of 1988.)

So under the turtles? Clay, not bedrock.   The cornerstone of our Informational Identity is weakly proofed (I have not reviewed the quality of authentication required in all states, but expect they are much like Oregon.)

We obviously have the technology to do this better. We can capture better biometrics at birth, starting with DNA. A test recently developed by Eurofins Scientific can even distinguish the DNA of identical twins. We can bind this to other biometrics in a durable electronic ledger. Then a generation after its adoption, by having all those present attesting to the birth present their own such biometric credentials, we could have much more strongly rooted Informational Identity Graphs.

In today’s political climate, that is, of course, a pipedream. In the US in particular, widely held beliefs of personal freedom, drawn on a cultural historical canvas associating explicit identification with Fascism, make it unlikely to be realized any time soon.

Until we do, what will have to serve is the existing weight of the Informational Identity Graph that sits behind every use of a credential.

We need to be able to quantify that weight.  Widespread adoption of standards around the quality of authentication in proofing such as those coming out of NIST combined with explicit knowledge of an individual’s graph will enable us to calculate the overall level of trust at each point of authentication.

But until all of the authentication is automated, human variability will make the graph strength uncertain.

And until we have durable biometric-based identities, we will be backing our way up a long ramp toward a consistent, high level of trust.

It seems obvious in hindsight. Whether your identity is recorded with a quill pen on parchment, or recorded on a server in the cloud, or existing only as information in a trusted referee’s memory, it’s still the same kind of thing.

From an IT architecture perspective, seeing identity from a graph perspective opens the door to the possible application of graph-theoretic solutions to particular problems – a powerful pattern when it appears.   (Next post about Informational Identity here.)

Stay tuned.
