Identity 3.0

Identity 3.0 is a term used to define the next generation of digital identity, which moves beyond basic Digital Identity and Identity 2.0. The key principles were defined in 2014 by the Global Identity Foundation, a not-for-profit organisation working to define the components of a global digital identity ecosystem, following on from work by the Jericho Forum started in 2009 and culminating in 2011 with the publication of their Identity, Entitlement & Access Management Commandments.[1] The need to move beyond Identity 2.0 to Identity 3.0 was first identified by Phillip Hallam-Baker in his book The dotCrime Manifesto: How to Stop Internet Crime[2] and echoed in a March 2008 opinion piece by Tim Mather titled "Get ready for Identity 3.0".

Principles of Identity 3.0

The principles[3] behind the assertion that digital identity needs a paradigm shift are outlined in a white paper[4] from the Global Identity Foundation, and in a presentation given by Paul Simmonds at the Identity Management Conference in London in June 2014.

Risk

  1. Decisions around identity are taken by the entity that is assuming the risk; with full visibility of the identity and attributes of all the entities in the transaction chain.
  2. Attributes of an Identity will be signed by the authoritative source for those attributes.
  3. Identity will work off-line as well as on-line; with a lack of on-line verification simply another factor in the risk equation.

Privacy

  1. Every entity shall need only one identity which is unique and private unto the entity; there will be no body issuing or recording identities.
  2. The Identity ecosystem will be privacy enhancing; attributes will be minimised, asserting only such information that is relevant to the transaction.
  3. Entities will only maintain attributes for which they are the authoritative source.
  4. The identity of one entity to another will be cryptographically unique; negating the need for user-names or passwords and minimising attribute aggregation.
  5. The biometrics (or other authentication method) of an entity will remain within the sole control of the entity; biometric information will not be used, exchanged or stored outside of the entity's sole control.

Functionality

  1. The digital representation and function of an entity type will be indistinguishable from another entity type, and will be interchangeable in operation.
  2. The Identity ecosystem will operate without the need for identity brokers, CA of last resort or other centralised infrastructure.
  3. Identity will be simply expandable to encompass the security of data; e-mail (for example) can be encrypted simply by having an entity's e-mail attributes shared with them.
  4. Identity shall be (as much as possible) invisible to the end user; identity and attribute verification and exchange should be a background operation until such time that increased levels of user verification are required.
  5. Everyone plays their part – no more!
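The signed-attribute, off-line verification and pairwise-identity principles above (Risk 2 and 3, Privacy 4), illustrated as an added example in Go using only the standard library; this is not code from the Global Identity Foundation, and the issuer label, relying-party names and entity secret are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// SignedAttribute is one attribute assertion signed by the source authoritative for it.
type SignedAttribute struct {
	Subject string // pairwise identifier of the entity as seen by this relying party
	Name    string
	Value   string
	Issuer  string // hypothetical label of the authoritative source
	Sig     []byte
}

// PairwiseID derives a per-relationship identifier from the entity's own secret, so the
// same entity shows a different identifier to each relying party and cannot be joined.
func PairwiseID(entitySecret []byte, relyingParty string) string {
	mac := hmac.New(sha256.New, entitySecret)
	mac.Write([]byte(relyingParty))
	return fmt.Sprintf("%x", mac.Sum(nil))
}

// payload length-prefixes each field so the bytes cannot be re-split into another tuple.
func payload(a SignedAttribute) []byte {
	return []byte(fmt.Sprintf("%d:%s%d:%s%d:%s%d:%s", len(a.Subject), a.Subject,
		len(a.Name), a.Name, len(a.Value), a.Value, len(a.Issuer), a.Issuer))
}

// Sign is run by the authoritative source for the attribute.
func Sign(priv ed25519.PrivateKey, issuer, subject, name, value string) SignedAttribute {
	a := SignedAttribute{Subject: subject, Name: name, Value: value, Issuer: issuer}
	a.Sig = ed25519.Sign(priv, payload(a))
	return a
}

// Verify runs at the relying party with only the issuer key it already holds (no on-line lookup).
func Verify(pub ed25519.PublicKey, a SignedAttribute) bool {
	return ed25519.Verify(pub, payload(a), a.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	subject := PairwiseID([]byte("constructed-entity-secret"), "shop.example")
	a := Sign(priv, "registrar.example", subject, "age_over_18", "true")
	fmt.Println("verifies off-line:", Verify(pub, a))
}
```

The relying party decides on its own risk (Risk 1) from the verified attributes and the issuer label; the pairwise identifier keeps that decision from being correlated with the same entity's dealings elsewhere.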

Entity Types

The principles are based on a digital identity working identically and interchangeably for all five entity types: People, Devices, Organizations, Code and Agents; as defined by the Jericho Forum in their Identity, Entitlement & Access Management Commandments.[5]

Entitlement

The work on Identity from the Global Identity Foundation, the Jericho Forum and the Cloud Security Alliance uses the term "entitlement" to refer to a risk-based set of rules to define access. Entitlement, in the context of identity, is defined[6] as:

Other Related Work

The implementation of an Entitlement-based Identity 3.0 ecosystem is outlined in the Cloud Security Alliance's document "Security Guidance for Critical Areas of Focus in Cloud Computing v3.0".

References