The Jericho Forum, an IT security association dedicated to advancing secure business in a global open-network environment, recently handed down their "Identity Commandments" for the planning of an identity eco-system.
In a Jericho Forum press release, Lord Erroll commented that “Jericho Forum builds on the work of NSTIC by providing an effective direction going forward. The creation of a large centralized database containing key identifiers and information is far too dangerous. The private sector must avoid the Big Brother approach proposed in the now abandoned UK national ID card scheme. In the Jericho Forum Identity Commandments, ownership of essential personal data stays with the individual and cannot be compromised or exploited by any powerful player.”
The new Commandments "encompass all the “entities” – both human and digital – and promotes a comprehensive and complete view of identity entitlement and access management." They are:
1. All core identities must be protected to ensure their secrecy and integrity.
2. Identifiers must be able to be trusted.
3. The authoritative source of identity will be the unique identifier or credentials offered by the persona representing that entity.
4. An Entity can have multiple, separate Persona (Identities) and related unique identifiers.
5. Persona must, in specific use cases, be able to be seen as the same.
6. The attribute owner is responsible for the protection and appropriate disclosure of the attribute.
7. Connecting attributes to persona must be simple and verifiable.
8. The source of the attribute should be as close to the authoritative source as possible.
9. A resource owner must define Entitlement (Resource Access Rules).
10. Access decisions must be relevant, valid and bi-directional.
11. Users of an entity’s attributes are accountable for protecting the attributes.
12. Principals can delegate authority to another to act on behalf of a persona.
13. Authorised Principals may acquire access to (seize) another entity’s persona.
14. A persona may represent, or be represented by, more than one entity.
The report concludes that a new identity eco-system holds the triple promise of "lower cost, higher security/trust, and increased flexibility" and will positively impact how the world innovates and trades. However, the Jericho Forum believes that a major infrastructure investment is required to create the identity eco-system.
See the bottom of the Commandments for a glossary/defined terms; the definitions can be a bit tricky.