Portability means “the ability to be easily carried or moved”, so when we talk of digital identity and portability, what do we mean? Here in the UK, the Digital Identity Attributes and Trust Framework investigates the need for digital identity portability, and I think we can all agree that is needed. But again, what do we mean here? What is this government-based paper trying to say we need to be able to do?
To look at this, we have to re-address how “digital identities” were issued, and, in some regards, remind ourselves what digital identity really is.
A domain of identities
My identity is not defined by one thing. For example, my UK Passport provides a very limited view. It is the same with my driving license: again, a very limited view. However, put the two together and a more detailed view starts to emerge. Digital identity shouldn’t be seen as a singular identity; rather, it’s a group of identity-based credentials (or in old terms, documents). Identity should therefore be seen as a domain of credentials that can be used to identify me. Now, keep this in mind when we think of portability…
Issuing a digital identity
Now, if a digital identity is a domain of identities, then what we are really saying here is that issuing a digital identity means issuing an identity credential – think of it like an identity document. The issuer of my passport has a limited view of the claims that identity credential will make about me, but that’s fine, it serves a purpose. When my driving license is issued, it holds different information and makes different claims. The digital world is no different.
So, we have multiple issuers of identity-based credentials, each one issuing different information about me and each one, no doubt, used various information and processes when issuing me my identity credential in the first place. From a technology viewpoint, that credential is also cryptographically signed by the issuer, so anyone who reviews that identity credential will know who issued it in the first place.
Can we therefore imagine a world where I ask the DVLA to move my identity credential information over to the passport office? Why would I do that? Even if I wanted to, or could, the passport office wouldn’t be able to support the fundamental claims that make up that credential. How can they stand by the claims made in the credential? They are not the authority to do so, they have never had access to the underlying data, nor do they store that data. To put it bluntly, it’s not their credential to maintain because it doesn’t fit their business or use case.
Portability is therefore all about the ability for me, the holder/owner of the issued credential, to move it and store it how I want. Just like my passport: if I want to hold it in my wallet, I can; if I want it in my drawer at home, I can; if I want it in a safe, I can. The digital world should be no different. Whether you want to hold your identity credentials in wallet app A or move them to your ID Crypt Global mobile vault, it is your choice. You want to effectively port your credentials to another “holder”. That is the crucial issue, that’s the heart of portability in digital identity: the ability for me to choose how I hold and store my identity credentials, the ability for me to share them with whom I choose, the ability to be, effectively, in control of my identity.
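To make the two points above concrete (the issuer's signature, and the holder moving a credential between wallets), here is an added example; it is not code from the Trust Framework or from any wallet product. It assumes a JSON credential layout and a verifier-side registry of issuer keys, both hypothetical, and uses Lamport one-time signatures as a hash-only stand-in for whichever signature scheme a real issuer uses.

```python
import hashlib, json, secrets

# Lamport one-time signature: stand-in scheme (assumption), one key signs one credential.
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk

def _bits(payload: bytes):
    digest = hashlib.sha256(payload).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def _body(issuer, claims) -> bytes:
    # Canonical bytes that are signed: the issuer name plus the claims it stands behind.
    doc = {"issuer": issuer, "claims": claims}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def issue(issuer: str, sk, claims: dict) -> dict:
    sig = [sk[i][b].hex() for i, b in enumerate(_bits(_body(issuer, claims)))]
    return {"issuer": issuer, "claims": claims, "signature": sig}

def verify(cred: dict, trusted_keys: dict) -> bool:
    pk, sig = trusted_keys.get(cred.get("issuer")), cred.get("signature")
    if pk is None or not isinstance(sig, list) or len(sig) != 256:
        return False
    bits = _bits(_body(cred["issuer"], cred.get("claims")))
    try:
        return all(hashlib.sha256(bytes.fromhex(s)).digest() == pk[i][b]
                   for i, (b, s) in enumerate(zip(bits, sig)))
    except (TypeError, ValueError):
        return False

def port(cred: dict) -> dict:
    # Holder exports from wallet A and imports into wallet B: serialise, then parse.
    return json.loads(json.dumps(cred))

def demo():
    dvla_sk, dvla_pk = keygen()
    _, passport_pk = keygen()
    trusted = {"DVLA": dvla_pk, "Passport Office": passport_pk}  # verifier's registry
    # Constructed sample claims, not real data.
    licence = issue("DVLA", dvla_sk, {"name": "Constructed Holder", "entitlement": "B"})
    in_wallet_b = port(licence)
    relabelled = {**in_wallet_b, "issuer": "Passport Office"}
    altered = {**in_wallet_b, "claims": {**in_wallet_b["claims"], "entitlement": "C"}}
    return verify(in_wallet_b, trusted), verify(relabelled, trusted), verify(altered, trusted)

if __name__ == "__main__":
    print(demo())
```

The ported credential still verifies because the signature covers the content, not the wallet holding it; relabelling it to another issuer or altering a claim fails verification.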
Too much conversation on portability focusses on areas where there is no use case, no need and certainly no business driver. Whenever we address digital identity challenges, we must always remain focussed on the real issue in hand. In the case of portability, it’s exactly as it is in the dictionary: the ability for me to move my credentials from point A (or app A) to point B (app B). Simple…