All your identity are belong to us…

“Integration will drive service providers back to centralised identity.”

I was reading a post on the IDnext site (about platform wars in online education) when I came upon a deeply troubling passage (1).

It’s the pot-of-gold at the end of the efficiency rainbow that bothers me the most:

…the Holy Grail is to have a persistent digital student identity.


In no particular order this makes me wonder the following…

My domain is bigger than your domain…

Digital identity is inexorably bound up with the problem of cohorts.

As far as digital identity is concerned identification is simply unique selection from a group. (Including the more nuanced case where the group itself also needs to be identified).

The terrible, broken thing about digital identity, is that most identity producing and consuming organisations use groups to classify and define identities and entitlements. After which endless process of slicing, dicing, and recombining rumbles on until there are thousands and thousands of different cohorts that no one really understands.

The ‘painful’ issues Dias d’Ullois all flow from yet another cohort design problem. In this case it is a mismatch between the service and identity domains. To create a ‘persistent student identity’ in this case means to redefine the identity domain so that an identifier can select from a broader cohort.

It also means the rule that establishes the group changes from having a relationship to the same school, to being a student (in any school).

The persistent student identity appears to be a bet on identity classification – by which I mean ‘student’ is a type of identity, not a role or relationship that an identity can be in at one time and not at another.(2)

The corollary of this is that the persistent student identity is likely also a bet on extended centralisation over federation. (User-centric is nowhere is sight.)

Federalists are not centralists…

In the world of technology, especially in the sub-disciplines of network engineering and security, access control is the ‘holy grail’ of identity management. Access is the paradigmatic use case for digital identity services, and all problems tend to be viewed from that perspective.

Dias d’Ullois’ ‘holy grail’ brings to the for the ‘other’ use-case for digital identity services: Integration.

Business integration (Dias d’Ullois’ focus), service integration, data integration – it doesn’t really matter. Identifying data is more often than not an essential requirement of functional integration.

Which leads us to the unfinished business of identity federation. To date it has been pretty effective at overcoming the domain problem for access use-cases.

It has proved particularly weak for integration use-cases.

What we see from the integration camp is a continual push back to centralised architecture. And this usually means staking an ontological claim on an identity class, backed up with a new more global identifier.(3)

Identity = Identifier = Credentials = Account = Roles = Groups = Entitlements…. Not!

Another thing that bedevils and complicates digital identity management is that things that are actually different have overlapping functionality. And as a result many of these mechanisms are often thought of as roughly synonymous.

To me calls to reclassify identities and create ever more exclusive domains are both and effect and a cause of these confusions.

Boy, Boy, Crazy Boy….

There is an unacknowledged gang-war going on between the Access-Sharks and the Integration-Jets.

Identity is being innovated into two directions at once.

Personally I think the closest thing I have seen to rapprochement (though it comes out of the access camp) is the work the Open Group’s Jericho project undertook.

Mainly because it set off after a technically viable distinction between the identity domain and the service domain, without trying too hard to shore up an evermore complex set of federation technologies.

The end-game is domainless identity.

Which I hope entails no longer dealing with cohorts by creating more and more identity domains, as if they were…




(1) The article is by Martin Dias d’Ullois. The section I am responding to here reads as follows (the italicised underlines are my emphasis),

The issues around digital identity remain painful. When a school changes its electronic learning platform, all users get new digital identities. As a result, all the history and profiles that have been gathered are lost. This is a nuisance, especially in the domain of digital licensing; students purchase a licence, switch schools and get new digital identities. Once given new identities, they lose their access to their previous licence. How hard can it be to address this issue? Ever since schools have been in “business”, they have identified, registered and administered students and teachers, haven’t they?

This issue is being debated even within the circles of government that are designing the new national digital identity for all Dutch citizens. The people who are designing this new digital identity claim that schools do not identify and register students well enough to deserve high levels of confidence in the associated digital accounts. To me, this sounds contradictory. After all, the government spends billions of euros on issuing diplomas based on the administration done by these very same schools.

Since there is no persistence as yet, many efforts in the digital educational domain are devoted to tackling the resulting problems. A lot of personal information is shared in the form of attributes, frustrating many people as the exchange of such vast personal datasets entails a vast number of legal implications and paperwork. The pending European privacy laws are making matters even worse for the market players, as they have to take huge responsibility and potentially face heavy penalties issued by the watchdogs.

Holy Grail

At the moment, the Holy Grail is to have a persistent digital student identity. In 2013, a project was started to address this issue. Hopefully, this project will generate much interest among the parties involved, as the timeline is already showing. One of the most challenging issues in this project appears to be teamwork, while good governance would help to speed things up. Unfortunately, our legislators do not have a deep understanding of the importance of these issues, so they are not designing any policies, thereby fuelling the struggle. However, I am convinced that somewhere in the near future, persistence will be implemented.

(2) It is important to note in passing, that a characteristic of defining cohorts by identity types is that it is exclusive. Once defined as a student, other types of relationships that might exist – even between that same school and student, are excluded from the ‘student’ identity domain. To integrate other relationships now requires another layer- be it federated authorisation, identity ‘brokering’, or yet another meta-identifier.

(3) Under rigorous legal protection to limit it to a verification function, this is entirely appropriate for the civil identity domain, and well implemented is very useful. New Zealand’s RealMe is an interesting example.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s