From the Jericho Forum Identity Commandments to the New Identity 3.0 Principles
The following came to my attention this week (May 22, 2015) as a welcome update. The Jericho Forum's work is being carried forward. Please review the following principles and update and consider how these contributions can fit with business, legal and technical rules governing user-centered identity federations and personal data sharing trust networks.
http://www.globalidentityfoundation.org/downloads/Identity_3.0_Principles_v1.1.pdf
© Global Identity Foundation 2014 Version 1.1 – June 2014
- Decisions around identity are taken by the entity[1] that is assuming the risk; with full visibility of the identity and attributes of all the entities in the transaction chain[2].
- Attributes of an Identity will be signed by the authoritative source for those attributes.
- Identity will work off-line as well as on-line; with a lack of on-line verification simply another factor in the risk equation.
- Every entity shall need only one identity which is unique and private unto the entity; there will be no body issuing or recording identities.
- The Identity eco-system will be privacy enhancing; attributes will be minimised, asserting only such information that is relevant to the transaction.
- Entities will only maintain attributes for which they are the authoritative source.
- The identity of one entity to another will be cryptographically unique; negating the need for usernames or passwords and minimising attribute aggregation.
- The biometrics (or other authentication method) of an entity will remain within the sole control of the entity; biometric information will not be used, exchanged or stored outside of the entity's sole control.
- The digital representation and function of an entity type will be indistinguishable from another entity type, and will be interchangeable in operation.
- The Identity ecosystem will operate without the need for identity brokers, CA of last resort or other centralised infrastructure.
- Identity will be simply expandable to encompass the security of data; E-mail (for example) can be encrypted simply by having an entity's e-mail attributes shared with them.
- Identity shall be (as much as possible) invisible to the end user; identity and attribute verification and exchange should be a background operation until such time that increased levels of user verification is required.
- Everyone plays their part – no more!

[1] The five entity types are: People, Devices, Organizations, Code and Agents. (definition source: the Jericho Forum)
[2] Remembering that risk will probably be bi-directional and both entities in a transaction will share the risk, though usually disproportionally.
---------- Forwarded message ----------
From: Paul Simmonds [email protected]
Date: Wed, May 20, 2015 at 10:13 AM
Subject: Beyond the Jericho Identity (Entitlement & Access Management) Commandments
To: xxx
To the old JF Board, and those involved with the JF IdEA Commandments,
It seems a long time ago that we completed the Identity Commandments, and despite talking about the ideas, and plugging the videos, the industry still "does not get" the need for a radical overhaul in how we do Identity.
We created the Global Identity Foundation website with the aim of it being a platform for people to take the JF ideas further, and up to a point that has been a success. However, we have now reached a time where we need to do something fundamentally different; why?
The bad guys are exploiting identity better than we are fixing it, the gap is getting wider! The industry still has no good solution to the identity crisis, and is continuing to kludge fixes to a broken and flawed ecosystem.
The rapid explosion of IoT and BYoD and the need to easily encrypt everything we do is just not viable with existing solutions.
So, our feeling was that the Global Identity Foundation needs to take a more formal footing, and so it is now a properly constituted Global Not-for-Profit Foundation, VAT registered etc.
The press releases went out today, ahead of InfoSec Europe in just over a week's time. http://www.sourcewire.com/news/87297/global-identity-foundation-launches-quest-to-develop-global-digital-identity#.VVxaLEGHo-U
So what can you do?
We would like you involved! And there are a number of ways you can be: Tweet, write, blog, re-send etc. both the announcement and hopefully the masses of press coverage we will be getting over the next few days and weeks - we need to create a buzz.
Get involved at whatever level you can; we want to appoint a more robust Management Board and also a Technical Advisory Board, but just your involvement in generating and/or critiquing the Foundation's output would be great as well.
Sponsor us; we can accept formal sponsorship of events, as well as charitable donations. Or simply hold an event for us utilising your facilities.
Point us / introduce us to sources of funding. To take the next step we need to fund it!
Finally, tell all your friends and colleagues about the importance of what we are trying to do, and tell them to get involved - not only financially, but also the identity experts and the technologists charged with how they could better exploit a proper global identity ecosystem, if one existed. Please drop me a line, if nothing else to keep in touch, but we would love your help and support in whatever way you can contribute to this initiative - after all, you are the people who developed this originally!
And I'm sure I've missed someone off the list (memory & old age) so please forward this to anyone who was involved and I've omitted!
Best Regards
Paul