BT.Identity Validation

From OIAr Archive 2013
Revision as of 00:22, 12 November 2012 by Jan Schoonderbeek (talk | contribs) (start)
Page maturity
This page has maturity level 3 (usable)

This is a Building Block document

BT Identity Validation
Version: 0.1
Document type: Building Block Type
Owner: J.A.H. Schoonderbeek


Description

This Building Block Type belongs to Working Area Middleware (MW). An Identity Validation facility offers the ability to validate a digital identity. In essence, it can answer both questions "who is this entity?" and "how do I know I can trust that entity's answer?". The facility can be offered an identity (a set of identity attributes) and one or more corresponding credentials; the facility then validates that the credentials match the offered identity.
An example of an identity attribute and matching credential would be a login name and a password; the identity validation facility must respond with a message either confirming or denying that the offered identity is valid.

Identity Validation is an important part of Authentication and Authorization. Beware, however, that Identity Validation is NOT synonymous with Authentication. Authentication roughly looks like this:

  • For a particular authentication, a security officer decides on a type of credentials (e.g. passport)
  • The credentials of that type are provided to the entities that are entitled to them (e.g. the issue of passports to people)
  • Where the authentication is required, a process is put in place that can test the credentials (e.g. airport passport check)

When the above process for credential checking is automated (e.g. a passport scanning machine at an airport gate), then the facility deciding on the validity of the offered credential is an Identity Validation facility. Note that this facility is NOT the scanning machine itself, but rather the system that the scanning machine communicates with to check the scanned passport. The scanning machine offers the scanned passport data plus the identity offered (presumably from a scanned air ticket), and the Identity Validation facility signals back that the passenger is (or isn't) who the ticket claims they are. That is not to say that the passenger truly IS who the ticket claims they are, only that we have a certain degree of certainty about it; a degree of certainty that (we believe) is very high when the credential is a passport, and certainly higher than when a library card is used as the credential.

Note that Authentication means that someone (himself authorized to do so) makes a decision on the trustworthiness of credentials; thus the process of authentication always involves a security officer. Identity validation is only an automated means for part of that process, the correct deployment of which must itself be checked by a security officer.

To validate a digital identity, the Identity Validation facility often needs access to an identity repository. Note that the identity repository in itself is not part of the Identity Validation facility.
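The facility described above, as an added example that is not part of the OIAr archive: a minimal identity validation facility that is offered an identity (a login name) and one or more credentials, checks them against a separate, constructed identity repository, and reports the degree of certainty a security officer has attached to the credential type. The login name, password, salt and assurance values are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample identity repository, kept outside the validation facility as the
# page describes. Login name "alice" with a salted PBKDF2 hash of the password
# "correct horse battery staple"; the fixed salt is for reproducibility only.
_SALT = b"constructed-demo-salt"

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

IDENTITY_REPOSITORY = {
    "alice": {"salt": _SALT, "password_hash": _hash_password("correct horse battery staple", _SALT)},
}

# Degree of certainty a security officer attaches to each credential type (constructed values).
CREDENTIAL_ASSURANCE = {"password": 1}

@dataclass(frozen=True)
class ValidationResult:
    valid: bool
    assurance: int  # degree of certainty of the strongest matching credential type; 0 if invalid
    reason: str

def validate_identity(identity: dict, credentials: list, repository=None) -> ValidationResult:
    """Answer whether every offered credential matches the offered identity attributes."""
    repository = IDENTITY_REPOSITORY if repository is None else repository
    record = repository.get(identity.get("login_name"))
    # Unknown identities are checked against a dummy record so that response time
    # does not reveal which login names exist in the repository.
    target = record if record is not None else {"salt": _SALT, "password_hash": bytes(32)}
    if not credentials:
        return ValidationResult(False, 0, "no credentials offered")
    all_match, assurance = True, 0
    for cred in credentials:
        ctype = cred.get("type")
        if ctype == "password":
            offered = _hash_password(cred.get("value", ""), target["salt"])
            match = hmac.compare_digest(offered, target["password_hash"])
        else:
            match = False  # credential type the facility cannot check: reject
        all_match = all_match and match
        assurance = max(assurance, CREDENTIAL_ASSURANCE.get(ctype, 0))
    if record is None or not all_match:
        return ValidationResult(False, 0, "credentials do not match offered identity")
    return ValidationResult(True, assurance, "credentials match offered identity")
```

The result only states that the credentials match the stored identity with the configured degree of certainty; deciding whether that certainty is sufficient remains the security officer's authentication decision.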

Icon

The icon below can be used to represent this infrastructure function in graphical Pattern representations that it might be part of:

Icon for this function


Variants of this Building Block Type

The following variants of this function have been defined:


No Pattern Variants based on this Pattern Type (yet)


Pattern Types using this Building Block Type

The following Pattern Types use this function:

Pattern Variant                    Brief Description               Owner                 Maturity
PAT.Authentication+Authorization   Authentication & Authorization  J.A.H. Schoonderbeek  3