Identity
Author:
Mark Dixon
Wednesday, June 15, 2011
4:56 pm
I had an interesting Twitter conversation recently with @steve_lockstep and @NishantK about Identity Assurance.  It began with Steve’s comment about how Facebook identities were of little worth, unfit to use with valuable transactions.  Nishant suggested that most Relying Parties (RP’s) are content with “soft” identities that have to with personal likes and interests, while significantly fewer RP’s rely on “hard” identities.
Nishant’s observation about “hard” and “soft” identities made me think of the Mohs Mineral Hardness Scale, which assigns an “absolute” hardness value to different minerals. Â Wikipedia’s article uses the following table to illustrate this concept:
Perhaps we could suggest a corresponding mineral and hardness value to each of NIST’s standard four Levels of Assurance (LOA) shown in the following table.
Steve stated on Twitter that “I’m preoccupied with hard identity: doctors, lawyers, bank accts, patients”: scenarios where Facebook just doesn’t work. We could say that Steve is dealing in diamonds (level 4), but Facebook only offers talc (level 1).  Having a tangible example helps illustrate the somewhat ethereal LOA concept.  And over time, perhaps we can come up with a more definitive way to measure just how hard a particular Identity Assurance process really is.
As a parting thought: I have suggested minerals match NIST Assurance Levels 1 and 4. Â What would you suggest for the other two?