Identity Management was the topic of Eurim’s latest gathering of gurus. The bad news is that three points came clear:
- The UK has a lacks coordination of both policy and strategy. Each Government department and agency has its own vision and way of moving forward.
- The advance of standards and software will have to be provided by the private sector – and they need a business model that will eventually show a profit. They will need a secure revenue stream for providing identity management services.
- The world is moving forward quite happily without UK input. The UK’s position of leadership will change to that of followership at great cost to the economy. Global trade needs trusted identities with supporting agreements on liability and indemnity. The UK Government is not fully engaged in EU or international deliberations. On opportunity may be missed to become the headquarters of an identity governance industry.
There was only one organisation at the table with an eye on the commercial opportunity. Their national network could extend their services to provide identity registration for the public. 90% of the population are within 10 miles of their facilities. Good for all of us.
Unfortunately, we were left with (at least) three unresolved questions:
- Which third party credentials will be accepted by Central and Local Government agencies?
- Who is responsible for governance of all UK identity schemes? The National Archives as keeper of public records was suggested, but they may not be in the radar of five Cabinet Office working parties.
- Is a ‘root identity’ necessary? There were two strongly voiced divergent opinions on ‘breeder documents’. The Chatham House Rule prevents naming the parties. But Quarkside promotes the management of multiple identities (personae), which do not require a ‘root identity’ or ‘unique identifier’.
The good news is that everybody seemed to agree on a definition of identity assurance levels for electronic IDs that will make sense to our MPs. This is all they have to remember:
- Level 0: Anonymous – no personal data registered.
- Level 1: Self-asserted – likely to be the same person returning.
- Level 2: On the balance of probability – good enough for civil action.
- Level 3: Beyond a reasonable doubt – good enough for a criminal conviction.
This may have the technical experts reeling – but it is more important to get our politicians moving in the right direction than giving lessons on the differences between the five As: Assertion, Assurance, Authentication, Authorisation and Accreditation.