Identity Terminology Part 3: Corroboration
As exemplified at the end of the previous part of this article series, credentials are devised to attest to a variety of affairs. Some are to attest to competence. Some are to attest to qualifications. Some are to attest to entitlements. However, here we concern ourselves with only those that serve to attest to identity.
Identities are akin to possessions. Each has its rightful owner. By claiming that their attributes are of such and such values, an entity claims to own the identity those attributes constitute. Such an identity claim must be corroborated adequately, so that the verifier to whom it is presented knows without doubt, or within a tolerable level of doubt, that the identity genuinely belongs to the entity. The process of backing up identity claims is referred to as identity corroboration. Credentials play a major role in this process.
An issuer who provides credentials for identity corroboration is also referred to as an identity provider, commonly abbreviated as IdP. To be pedantic, such an issuer does not provide an entity with an identity; it provides a credential that substantiates the entity’s ownership of an identity, within an applicable context. The verifier in that context, who relies on identity corroboration before conducting any business with the entity, is referred to as a relying party, or RP for short.
There are two ways in which identity corroboration is proven, depending on where the identity in question resides. To talk about the first, it is helpful to be reminded that it is possible for an identity to be a representation of a fictitious entity. When you encounter an entity along with their identity claim for the very first time, you must make sure that such fabrication is not the case. The process of proving that an identity whose ownership is being claimed corresponds to a real-world entity, and indeed to the claimant, is called identity proofing. The identity in question is external or unknown to you at the time of the identity claim.
If, however, the identity in question is internal or already known to you, identity corroboration is proven by comparing identity information presented by the claimant against existing records at your disposal. The process of proving that an identity corresponds to one previously established within the context is called authentication.
This might sound like a convoluted way of defining authentication, which is commonly understood as just what happens when one successfully logs into some computer system with a valid pair of username and password. In fact, authentication is broader than that. A less obvious example is when you check in at your regular dentist’s; when the receptionist asks for your patient card, you are being authenticated. Another familiar example is when you unlock your smartphone with your fingerprint; that act of unlocking is authentication.
A pair of username and password is an example of an authentication factor. It is of the type usually referred to as “something you know”. A patient card is also an authentication factor, of the type called “something you have”. Another type is “something you are”, of which a fingerprint is an example.
At this point, you may ask how an external identity becomes internal. When you encounter a claimant and their identity claim for the first time, you perform identity proofing. Once that gives a positive result, you onboard them into the domain of known entities. An unknown identity becomes known, associated with existing attributes that you may record (such as the fingerprints), and new attributes that you may assign (such as an identifier of some kind, or a pair of username and password) for various purposes, such as internal reference and subsequent authentication.
Authentication factors are therefore inherent or assigned attributes whereby known identities are anchored to real-world entities.
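The onboarding and authentication steps described above, as an added example that is not part of the original article: after identity proofing succeeds, the relying party records the identity with an assigned identifier and a hashed password (“something you know”) plus a recorded card number (“something you have”); a later authentication compares what the claimant presents against that record. The `Directory` class, the attribute names, the PBKDF2 cost and all sample values are constructed assumptions for illustration.

```python
"""Onboarding a proofed identity, then authenticating it against the record.

Added example, not code from the original article. The directory structure,
attribute names and the sample values below are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumption: PBKDF2-HMAC-SHA256 iteration count chosen for this illustration.
PBKDF2_ITERATIONS = 210_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a verifier from the 'something you know' factor; the clear
    password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class KnownIdentity:
    identifier: str      # assigned at onboarding for internal reference
    salt: bytes
    password_hash: bytes # 'something you know', stored as a salted hash
    card_number: str     # 'something you have', recorded at onboarding


class Directory:
    """Records of identities already known within this context."""

    def __init__(self) -> None:
        self._records: dict[str, KnownIdentity] = {}

    def onboard(self, proofing_passed: bool, username: str,
                password: str, card_number: str) -> str:
        """Turn an external identity into a known one. Only reached after
        identity proofing gave a positive result."""
        if not proofing_passed:
            raise ValueError("identity proofing failed; nothing to onboard")
        if username in self._records:
            raise ValueError("username already assigned")
        identifier = secrets.token_hex(8)
        salt = os.urandom(16)
        self._records[username] = KnownIdentity(
            identifier, salt, _hash_password(password, salt), card_number)
        return identifier

    def authenticate(self, username: str, password: str, card_number: str) -> bool:
        """Compare presented factors against the existing record."""
        record = self._records.get(username)
        if record is None:
            # Do the same amount of work for unknown usernames so that response
            # time does not reveal which usernames exist.
            _hash_password(password, b"\x00" * 16)
            return False
        know_ok = hmac.compare_digest(
            _hash_password(password, record.salt), record.password_hash)
        have_ok = hmac.compare_digest(
            card_number.encode(), record.card_number.encode())
        return know_ok and have_ok


def demo() -> dict:
    """Constructed walk-through: onboard one identity, then try four claims."""
    directory = Directory()
    # Constructed sample values for the illustration.
    ident = directory.onboard(True, "jdoe", "correct horse battery", "CARD-0001")
    return {
        "identifier_len": len(ident),
        "both_factors": directory.authenticate("jdoe", "correct horse battery", "CARD-0001"),
        "wrong_password": directory.authenticate("jdoe", "wrong", "CARD-0001"),
        "wrong_card": directory.authenticate("jdoe", "correct horse battery", "CARD-9999"),
        "unknown_user": directory.authenticate("nobody", "anything", "CARD-0001"),
    }


if __name__ == "__main__":
    print(demo())
```

Both factors have to match before the claim is accepted, and `hmac.compare_digest` is used for the comparisons so that a mismatch is not reported faster or slower depending on how many leading bytes agree.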
Identity corroboration in the digital age leverages digital credentials. As they are basically electronic documents, their IdPs have to lay out their data in some structure that prospective RPs are able to parse, and the holders have to be able to store them in repositories of some kind on electronic devices. The context must provide some infrastructure that dictates, for example, appropriate communication protocols between the parties.
Variation in the specifics of how that is implemented gives rise to a vast landscape of digital identity systems. We shall find out more about them in Part 4.
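As an added example (not code from the article or from any particular identity system) of the structure an IdP might lay out and an RP must be able to parse: the IdP serialises the subject’s attributes together with issuer, audience and validity period as JSON, signs it, and hands the result to the holder; the RP later parses it, checks the signature, the issuer and audience, and the validity window. The field names, the HMAC-based signature (a shared IdP/RP key is assumed here to keep the example to the standard library; deployed systems typically use asymmetric signatures so the RP only needs the IdP’s public key) and all sample values are constructed assumptions.

```python
"""A minimal signed digital credential: IdP issues, holder stores, RP parses
and verifies. Added example, not from the original article; the format,
field names and sample values are constructed for illustration."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(idp_key: bytes, issuer: str, subject: str, audience: str,
                     attributes: dict, lifetime_s: int, now: Optional[int] = None) -> str:
    """IdP side: lay the data out in a parseable structure and sign it."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": issuer,              # which IdP vouches for this identity
        "sub": subject,             # identifier of the holder within the context
        "aud": audience,            # the RP this credential is meant for
        "iat": now,
        "exp": now + lifetime_s,
        "attrs": attributes,        # the identity attributes being attested
    }
    # Canonical serialisation so that signer and verifier hash identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(idp_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_credential(idp_key: bytes, credential: str, expected_issuer: str,
                      expected_audience: str, now: Optional[int] = None) -> Optional[dict]:
    """RP side: parse, check the signature, then check issuer, audience and
    validity window. Returns the attested payload, or None if any check fails."""
    try:
        body_b64, tag_b64 = credential.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    # Signature first: nothing in the body is trusted until it is authenticated.
    expected_tag = hmac.new(idp_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if payload.get("iss") != expected_issuer or payload.get("aud") != expected_audience:
        return None
    now = int(time.time()) if now is None else now
    if not (isinstance(payload.get("iat"), int) and isinstance(payload.get("exp"), int)):
        return None
    if not (payload["iat"] <= now < payload["exp"]):
        return None
    return payload


def demo() -> dict:
    """Constructed exchange: one issuance, then several RP-side checks."""
    key = b"constructed-shared-key-for-illustration"  # assumption
    t0 = 1_700_000_000  # fixed constructed clock value
    cred = issue_credential(key, "idp.example", "user-42", "rp.example",
                            {"name": "J. Doe", "role": "patient"}, 3600, now=t0)
    # Tamper with one character of the body to show the signature check failing.
    body, tag = cred.split(".")
    tampered = body[:-1] + ("A" if body[-1] != "A" else "B") + "." + tag
    return {
        "valid": verify_credential(key, cred, "idp.example", "rp.example", now=t0 + 10),
        "tampered": verify_credential(key, tampered, "idp.example", "rp.example", now=t0 + 10),
        "wrong_audience": verify_credential(key, cred, "idp.example", "other.example", now=t0 + 10),
        "expired": verify_credential(key, cred, "idp.example", "rp.example", now=t0 + 7200),
        "wrong_key": verify_credential(b"other-key", cred, "idp.example", "rp.example", now=t0 + 10),
    }


if __name__ == "__main__":
    print(demo())
```

The RP verifies the signature before interpreting any field, so an altered body, a credential minted for a different RP, or one presented outside its validity window is rejected without any of its attributes being relied upon.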