Identity and Authentication

Today is a normal working day in Slovakia, but it just fits between weekend and a state holiday, that will be tomorrow. This kind of days is usally peaceful, no ringing phones to call for help, no urgent e-mails. It's good to go through blog entries and articles that I've marked as interesting but did not have time to go through. And here is what that I've encountered:

Both Stefan Brands and Kim Cameron pointend out an editorial by Niels J Bjergstrom that deals with the results and consequences of UK government's Identity Project. I can agree with most parts of the editorial, especially those that the technology is not prepared yet. But I have some remarks:

An identity can only be substantiated through authentication.

The first question is: What is an identity?

Is "identity" the physical person itself? Is "identity" the data record that describes the person? Or what identity really is? Nobody really seems to know.

Because of this darkness in the identity definition I usually try not to use the word "identity" at all. But as others use it, I will think about "identity" as a link between a physical person and a data set that describes him or her. That's the most reasonable definition as we can get in IT, I think.

While "indentity" and authentication are closely connected, they cannot be seen as one. First of all, the "identity" can be established without authentication. That's what police and secret services frequently do. They analyse the activities of an individual or group with a goal to infer the unknown information about them. They are trying to uncover the link between an indivual (e.g. an unknown criminal) and a data record that describes him (e.g. citizen registry entry). That's "establishing identity".

Authentication aims to prove that we have the correct physical person on the other end of the wire. Or that it was the correct device that made specific digital signature (physical persons cannot do digital signatures, only devices can). The authentication allways depends on a data record (persona) already existing in the database. No matter if it is a persona of entity being authenticated entity or some other entiry (e.g. credential authority), you will allways need to have some data before you can do authentication.

But how was that data record (persona) created? How was the record about me in the birth registrar created? How it is maintained (modified, deleted)? Doesn't that record form a part of my "identity"? These questions can get very complicated in some enviromnents.

I think that it is a mistake to think of autentication and "identity" as a single technology. They may both manage the link between the physical person and the data record (that I will call "persona"), but they differ in a way how they do it.