NSTIC Identity Ecosystem Marketplace Roles and Concepts


This post is a follow-up to our April 15, 2011 whitepaper and accompanying presentation.

NSTIC envisions a secure “Identity Ecosystem Framework,” or “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements and accountability mechanisms that structure the Identity Ecosystem.” While the Identity Ecosystem will provide value to any participant which needs to verify a User’s identity, the Ecosystem will provide tremendous opportunities to streamline the further commoditization of human identity. Without regulation, the NSTIC Identity Ecosystem will create new markets for businesses which thrive on the commoditization of human identity. I identify this resulting market as the “Identity Ecosystem Marketplace.” An Identity Marketplace already exists, and has been admirably illustrated by Luma Partners, LLC and Improve Digital.

The Identity Ecosystem Marketplace includes at least six major roles, as illustrated here. A single organization may fill multiple roles in any given Identity Ecosystem transaction. Some of the definitions here may differ or even conflict with official NSTIC definitions, usually because the official definitions lack clarity within the context of this analysis.


Major Identity Ecosystem Roles and Concepts

Major Identity Ecosystem Roles and Concepts

  • A Subject or User is an individual or Non-Person Entity (NPE) which must assert its identity to a Relying Party in order to receive a benefit such as access to a trusted network, bank account access, or access to premium content online.
  • An Attribute Provider (AP) creates, stores and allows others (such as the Identity Provider and Relying Party) to access or analyze User Attributes, usually under conditions. An Attribute Provider is also usually a Third Party. In the Identity Ecosystem, an Attribute Provider must be trusted as an authoritative source of information. Typical examples of attribute providers might be a government title registry, national credit bureau, or commercial marketing database.
  • An Attribute is a fact related to a User. Attributes may include traditional PII, information about authority, roles, rights, privileges, or any other fact asserted by a User, Attribute Provider, or Third Party. NSTIC defines “Attribute” as “a named quality or characteristic inherent in or ascribed to someone or something.”
  • An Identity Provider (IdP) is an organization certified as trustworthy through an accreditation authority. An IdP issues a credential, which corresponds to a piece of information known to the User (such as a password), a biometric attribute, or information stored on an Identity Medium (not represented herein). An IdP is responsible for verifying the credential when used as evidence of a User’s identity. An IdP may collect attributes about the User from Attribute Providers, store those attributes, and compare them against assertions made by the User to a Relying Party. Identity Providers do not guarantee the correctness of attributes obtained from Attribute Providers, but may instead confirm that a Claim made by a User matches information from Attribute Providers. Identity Providers may share User attributes, personal information, and Transaction Information with Relying Parties, Third Parties, Parent Companies and Attribute Providers, in accordance with the Data Usage Policy.
  • A Data Usage Policy is a contract between a User and Identity Provider, governing the use and disclosure of User information held by the Identity Provider.
  • Transaction Information is a record of the benefit provided to the User from the Relying Party, and is analogous to a receipt. Transaction Information may include the name of a product purchased, a log of network access and User activity, or services provided.
  • Identity Medium refers to the physical device that stores an NSTIC-compatible identity credential. Examples of Identity Mediums include cell phone apps, smart cards, or USB computer dongles. Identity Media are not visually represented, and are not required for a transaction.
  • A Relying Party (RP) is a person or NPE that requires some degree of identity assurance and possibly User Attributes before it will provide a benefit to the User.
  • A Parent Company is a company which owns or is affiliated with the Identity Provider and/or the Relying Party in such a way that by action of law, ownership or contract, the Parent Company has right to access and use the Identity Provider or Relying Party’s data assets, unless expressly prohibited by law or regulation.
  • A Third Party is any person, organization, system, or device which has no direct affiliation with the User or the transaction in question. A familiar example of a Third Party is an online advertiser.
  • For purposes of my discussions, I define a Claim as an assertion that an Attribute is truthful or correct. A Claim may be made by any party. Examples of User Claims are, “I am over 18 years old,” “I am a constituent or citizen,” or “I am authorized to enter your network.” Claims are not visually represented here. In technical circles, a “claim” is an assertion that may be derived by comparing or analyzing one or more Attributes.
  • According to NSTIC, the Identity Ecosystem Framework is “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.”
  • The Identity Ecosystem Marketplace is the Identity Marketplace created by the Identity Ecosystem, where Identity Ecosystem Participants may commoditize and trade User identities and Attributes in exchange for benefits. Not all Identity Ecosystem transactions necessarily commoditize human identity. The exchange of identity information in many e-commerce transactions is ancillary to the transaction, and the User pays directly for the benefit of the transaction (e.g. a money transfer, music or movie download). Notwithstanding, the Identity Ecosystem Marketplace enables Participants to more easily commoditize identity as an additional source of revenue. NSTIC recognizes that Participants should not be allowed to buy and sell identity information within the Ecosystem, but does not yet identify a credible mechanism to enforce this requirement.
  • Fair Information Practice Principles (FIPPs) are Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing. NSTIC identifies FIPPs as core requirements in the Identity Ecosystem, but stops short of mandating FIPPs.

The NSTIC guiding principles are:

  • Identity solutions will be privacy-enhancing and voluntary.
  • Identity solutions will be secure and resilient.
  • Identity solutions will be interoperable.
  • Identity solutions will be cost-effective and easy to use.

Through these guding principles NSTIC aims to accomplish its primary goals of:

  • Privacy
  • Convenience
  • Efficiency
  • Ease-of-use
  • Security
  • Confidence
  • Innovation, and
  • Choice.

Future posts will explore the interaction of these roles in the Identity Ecosystem Marketplace, and under what conditions NSTIC will be able to meet its goals.

  1. No comments yet.
(will not be published)