OIX paper identifies the DNA of Digital ID trust frameworks
The Open Identity Exchange (OIX) today launched its latest paper, Digital ID DNA Interoperability Across Trust Frameworks, which outlines the organization’s vision of a shared digital ID that can be used in a trusted way across the globe. The launch presentation summarized findings on common characteristics and values across frameworks, compared identity assurance policies, and touched on gaps in standards, roaming wallets and other topics covered in the forthcoming paper, a product of eighteen months’ work by OIX analysts.
Their analysis covered general policy areas, characteristics and values for eight different trust frameworks: the UK Digital Identity and Attributes Framework (DIATF), the EU eIDAS2, the U.S. NIST Version 4 draft, Canada’s DIACC Pan Canadian Trust Framework, Bank ID Sweden, Thailand’s ETDA Trust Framework, Singapore’s Singpass, and the Modular Open Source Identity Platform (MOSIP). Selected frameworks were intended to be a mix of mature ones implemented at scale and evolving frameworks that are moving to embrace wallets, and to cover government-issued and non-government-issued digital identity.
For example, within the policy area of verification, the characteristic (the "what") of "verification method combination" might have an attached acceptable value (the "how") of "biometric selfie verification".
OIX conducted its own analysis of UK, EU and U.S. trust frameworks, searching for common policy characteristics and values, and ratified its questions and observations with the respective standards organizations. For the other five frameworks, a questionnaire was created based on the initial round of analysis and sent out for completion. The results that came back were mapped against the common characteristics and values identified across the first three.
For complex identity assurance analysis, OIX directly analyzed the policies of the five frameworks that have them.
From this overall process, OIX has teased out what it calls Digital ID DNA – according to Nick Mothershaw, the Chief Identity Strategist at OIX, “all of these frameworks categorize things in the same way, they have the same characteristics, and within those a range of values.” Just like genetic DNA, digital ID DNA provides the building blocks for vital digital ID systems. The paper identifies 15 general policy areas that all the frameworks address, containing 75 policy characteristics with 289 possible values. It also finds similarities in methodology for identity assurance policies covering credentials, fraud checks and so on.
Interoperability, therefore, should be achievable.
However, Mothershaw drops something of a bombshell in saying OIX is “not thinking, now, that the frameworks will ever normalize to have the same characteristics and values. The characteristics may normalize but the values will remain different – because they’re different for a reason. These frameworks are driven by different legal, ethical, political and technical backgrounds, they meet local policy needs and different attitudes and approaches to privacy… so, we don’t see that changing to any kind of global norm anytime soon. We need to respect those differences.”
As a potential solution, OIX is developing a tool to try and smooth over the differences that are not going away. The Open Criteria Exchange Tool (OCET) is an open tool that each party can use to publish policy criteria in a way other trusted parties can read, using OCET characteristic and value combinations and key-value pairs.
Paper identifies five “golden credentials” and recommends improved standards
As far as identity assurance frameworks go, the goal is to allow digital IDs to work with the frameworks of varying territories, and to have agreement on frameworks of assurance. OIX names five “golden credentials” referenced in many frameworks – national ID cards, passports, bank accounts, driver’s licenses and telco accounts – and recommends implementing and solidifying global standards for these.
“If our hypothesis is correct,” says Mothershaw, “and the key to interoperability is these golden credentials being standardized in wallets, so I can formulate levels of assurance wherever I go, we’re going to need standards” for verification and validation, which will in turn enable what OIX calls roaming wallets.
The digital DNA paper is available here.