GF.Identity Validation

From OIAr
Jump to navigation Jump to search


This is a Generic Function document GF Identity Validation Version: 0.2 OIAr logo
Document type: Generic Function Owner:

J.A.H. Schoonderbeek



Description

This Generic Function belongs to Working Area Middleware. The Identity Validation function offers the ability to validate a digital identity. In essence, it can answer the question "how do I know I can trust this entity?". The facility can be offered an identity (in the form of a set of digital identity attributes) and one or more corresponding credentials; the facility then validates that the credentials match the offered identity.
An example of an identity attribute and matching credential would be a login name and a password; the Identity Validation facility must respond with a message, either confirming that the identity is valid, or not.

Identity Validation is an important part of Authentication and Authorization. Beware, however, that Identity Validation is NOT synonymous to Authentication. Authentication roughly looks like this:

  • A priori, for a particular authentication process, a security officer determines what identity will be proffered (e.g. someone shows up in person), and what type of credentials will be required (e.g. passport)
  • The credentials of the correct type are distributed to the entities that are entitled to them (e.g. the issue of passports to people)
  • Where the authentication is required, a process is put in place that can test the credentials (e.g. airport passport check)

When the above process for credential checking is automated (e.g. a passport scanning machine at an airport gate), then the facility deciding on the validity of the offered credential is performing Identity Validation functionality. Note that the functionality is NOT delivered by the scanning machine per se, but rather by the combination of that scanning machine and the backend against which the scanned passport is checked. The scanning machine offers the passport data scanned (which contains both the data on the identity and the credentials), and the Identity Validation facility signals back that the identity in the passport is (or isn't) valid. That is not to say that the passenger presenting the passport truly IS who the passport claims it is, only that we have a certain degree of certainty about it; a degree of certainty that (we believe) is very high when the credential is a passport - certainly higher than when we'd used a library card as credential.

Note that Authentication means that someone (himself authorized to do so) makes a decision on the trustworthiness of credentials; thus the process of authentication always involves a security officer. Identity validation is only an automated means for part of that process, the correct deployment of which must itself be checked by a security officer.

To validate a digital identity, the Identity Validation facility often needs access to an Identity Store. Note that the identity repository in itself is not part of the Identity Validation facility.

Icon

The image "Icon GF Identity Validation.png" (shown below) can be used to represent this infrastructure function in graphical Pattern representations that it might be part of:

Icon for this function
Icon for this function

Generic Patterns using this Generic Function

The following Generic Patterns use this function:

Semantic query
Semantic query
Applied PatternOwnerMaturity
Authentication & AuthorizationJ.A.H. Schoonderbeek3

Applied versions of this Generic Function

The following variants of this function have been defined:

Semantic query
Semantic query

No Applied Pattern based on this Generic Pattern (yet)