Identity Terms Provide Value along the Supply Chain: How We Know When to Buy the Farm
Identity plays a critical role in supply chains. Stakeholders place value on unambiguous identifiers for governments, organizations, people, devices, and assets. As supply chains grow more complex, we mitigate risks by codifying the relationships between these stakeholders and the actions they have taken over time into identifiers using shared terms to assess value.
We will explore the relationship between identity terms and supply chain using the purchase of organic strawberries as an example.
Introduction to Identity: A Strawberry Story
Identity in daily practice is shorthand for every action we take.
Bob buys fruit at the grocery store.
Each element in that sentence combines identifiers, claims, knowledge, logic, and likely several credentials to provide key stakeholders with the confidence they need to ensure a stable and trustworthy supply chain. Using organic strawberries as an example, a crop that grossed almost US $321 million in sales in 2019, how those terms are defined and applied demonstrate the tangible value of identity in the supply chain.
Identifiers
What is the difference between an identity and an identifier?
Identifiers are labels for identities, or a way to recognize and establish identity.
In the context of supply chains, prudent stakeholders establish identifiers to avoid harm that might come from confusion over identity and protect value that is derived from certainty regarding identity and provenance. In practice, we mostly use identifiers as a way to describe separate entities and their interactions.
When we write policy, we mean for it to apply to identities, but when we convert that policy to software, it can end up applying only to identifiers. Following the 2022 Russian invasion of Ukraine, the US government placed stringent export controls on Russia. That policy is written using the English language identifier for Russia, but it is meant to enforce all language identifiers for Russia, including Россия. Software designed to implement the policy effectively should account for all identifiers associated with the restricted identity.
In the sentence about Bob’s shopping trip, there are multiple identifiers that can be added or altered that change nothing for the subjects of the sentence.
Robert buys strawberries at S-Mart.
In this way, identity is an abstraction used to communicate sameness, a way to say that two or more things are in fact the same thing.
Person = Robert, Bob
Goods = fruit, strawberries
Vendor = grocery store, S-Mart
Zooko’s Triangle and Identity
Names as identifiers highlights one of the most challenging aspects of applying identifiers to supply chains, or any network protocol, often referred to as Zooko’s triangle, an identity trilemma that maintains no single name can achieve more than two of: human-meaningful, secure, and decentralized.
In supply chain use cases, this triangle has often been addressed by trading decentralization for human readability, typically through the use of registries managed by trusted entities, for example:
GS1 EPCIS — Relies on a standards process for describing supply chain activity.
Sigstore — Relies on email addresses and a centralized database.
Identifier registries solve for global uniqueness and discoverability by sacrificing privacy and decentralization, but there are many use cases where this trade off makes a lot of sense, for example:
Claims Help Us Choose
Identifiers and claims are meaningless without each other.
Knowing who said something is just as important as what they said, or about whom they said it.
Most often, we encounter two kinds of claims:
Self Attested
Self attested claims are when an identity claims something about itself or something it controls. When you “agree to terms of service”, you are claiming to have read and understood the terms of service. The consequences of self attested claims are generally individualized, and the more valuable claims in the supply chain are made by reputable third parties.
Third Party Attested
Third Party Attestations are claims about a subject (identity) made by a different identity. In some US states to acquire a driver’s license, you need to present a physician’s signature to approve your medical authorization to drive because the state does not trust you to make these claims by yourself. Third party attestations are a common building block for establishing trust, and removing conflicts of interest.
One of the most common types of claims is a claim about the relationship between identifiers. Email verification to complete actions like signing up for a newsletter or establishing a new social media account helps the newsletter service links two of your personal identifiers together around your identity.
Third party attestations solve for Zooko’s triangle where we must associate a secure globally unique identifier with a human readable identifier. Leveraging a third party attestation for this allows us to get the benefits of multiple identifier formats at the cost of trusting the identity provider to make claims of equivalence.
Supply chain stakeholders can request third party attestations like an independent audit of a manufacturing or food producing facility; a third party security review of a cryptography library; or an independent review of a company’s financials before it can be bought or sold.
Bob buys organic strawberries at S-Mart
In this example, the claim is that the strawberries are organic. All strawberries carry the same identifier, but Bob prefers the strawberries that claim to be organic.
Logic Applied to Identifiers and Claims
“Logic is a particular way of thinking, especially one that is reasonable and based on good judgment.”
Claims that leverage identifiers and logic, are better than claims that don’t. Not every identifier-claim pairing can be taken at face value because they don’t all map to logical assumptions.
- If there is a conflict of interest to misreport a value, it’s not logical to accept self attested claims regarding that value.
- If the identifier for a subject might not be unique enough, how will we know which identity is making the claim.
By taking care to design claims that leverage identifiers and their critical properties as noted by Zooko, we can remove ambiguity, reduce the chances of human errors that arise from confusion and poor communication, and increase the ability to process claims using automated systems that can exploit logic.
Bob buys organic strawberries at S-Mart.
Because claims can quickly become too complex to verify, it can be helpful to use logic to navigate a claim’s construction. If we apply logic to the claim that the strawberries are organic, we can immediately identify questions that verify or increase our confidence in the claim, such as:
- Where do the strawberries come from?
- Is the organic claim made by the producer (labeled on the packaging) or S-Mart (unlabeled)?
- Does S-Mart have a history of selling organic produce?
- Does the product carry the USDA certified organic label?
Knowledge as Context
Knowledge comprises all the information about an identity, including identifiers, claims, and the results of applied logic.
It’s important to agree to common representations for knowledge so that claims can be understood with context. Shared vocabularies and ontologies can help remove ambiguity and reduce the possible complexity of claims, which in turn can unlock more efficient knowledge processing.
In the context of supply chains, we require knowledge about the details of each transaction in order to proceed safely and profitably:
- A container with a weight of 667 with no units can’t be safely loaded onto a ship.
- An outstanding invoice of 100.50 with no currency can’t help us answer questions about how much in USD we owe.
Instead of processing all invoices and containers in all possible currencies and physical units, supply chain stakeholders share knowledge by agreeing to a subset defined in a specific document. By rejecting data that does not meet those agreed-upon knowledge requirements, they can improve the quality of the data that is processed, and save on expensive and possibly dangerous normalization computations.
Not every supply chain system can use knowledge management to limit claims. For example, when processing real world data in many languages, you cannot just ignore claims in other languages. If you are dealing with historical data, there could be documents which you must process which may have complied with regulations at the time, but which are not compliant with current regulations.
Just as claims can change over time, so too can knowledge management systems.
Bob’s knowledge about his organic strawberry purchase could be augmented by S-Mart claims to source their strawberries from a local farm; a comparison between the cost of conventional versus organic strawberries at S-Mart; or an outbreak of hepatitis caused by strawberries.
Credentials for Efficiency and Protection
When a claim is made by an identifier (issuer), in such a way that it can be attributed to the issuer’s identity, and is protected from being tampered with, some call it a credential, certificate or license.
Credentials about products are only meaningful when you trust the identity making the claim. If you are importing or exporting products that might have a national security, environmental or social impact, you probably need a special credential from a government to engage in that activity. When the stakes are that high, the most valuable credential comes from a reputable, mutually agreed upon third party.
If you learn you are interacting with an identity which has lost their license several times in the past few years, you search for a new vendor or evaluate if the price of the goods or service is worth the risk to your business.
Supply chain credentialing in the form of bills of lading, certificates of origin, or letters of credit is used to protect honest parties and their merchandise from being confused with dishonest parties or entities that are engaged in unethical practices, such as environmental destruction, or forced labor.
The best credential Bob can look for in the United States is the USDA organic sticker on his strawberries. But it’s not just a helpful credential for Bob. Producers who violate the USDA’s organic terms face up to $11,000 per violation and a revocation of the producer’s organic certificate.
To incentivize the credentialing process for producers, obtaining USDA certification opens doors to participating in an organic trade agreement where Canada, the EU, Japan, and Taiwan also recognize the USDA’s organic certification. The US producer that controls 60 percent of the organic strawberry market — Driscoll’s — made US $473 million in 2018.
The value producers, consumers, and trade partners place on credentialed identifiers for this single commodity demonstrates the necessity for defining and securing identity terms across the entire supply chain.
Written by Jessica Tacka, Product Marketing Manager Transmute
