Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

TIIME2017 Session 23: What if a "credential" is simply a container of identifiers?

(Andrew Hughes)

The way how identity changes are evolving is getting very interesting.

We are trying to notice what is exactly changing over the time.

In the future 5-10 years from now the way that everyone gets access to service providers is that they have a large number of identifiers or attributes and the service provider says give me 5 out of 100 from the sources I trust.

What if you have an infinite number of authorities you can choose from?

They can't trust every possible authority that is out there.

What if you can say as a service provider show me Q,R,S from any 2 of AA

For example finger prints, time of day, possession of stuff (devices, etc.)

For example Netflix, you don't need to prove that you have a Netflix account you just need to prove that you are coming from the right geological position.

In most cases this is being proven by just logging in (from a single event of occurrence) which is not good enough for today's standards.

What do we need to do to get there?

  1. Service provider asks you for some kind of prove like position, fingerprint, etc.
  2. You go to the registration process where you prove your identity,
  3. Information records to the attribute authorities,
  4. Here is your Receipt / Identifier (your account),
  5. Some key is generated which provides an identifier which proves that you are in the possession of the key,How does this differentiate from others?

It does not the only different thing is that there are unlimited number of authorities which you can chose from.

Similar to ABC Trust.

For example time of day is just an observable attribute.

This is basically an extension of the existing technology, it is based in today's world but what if we have thousands of observable attributes, what if we have thousands of authorities?Identity oracle.

User managed access.

User submitted terms (it means that I can negotiate these kind of things)

Vendor Relationship ManagementIf you can have people looking at it with just specific attributes you cannot have user data (Vendor Relationship Management).

It is a risk based view of things.

It is a post federal world.

If this ever comes to be there is no more federal management access (you don't need to have the federal agreement).

You don't have to federate authentication anymore.

Extension of DNS lookups.

The LOA was contextual based.

Levels of assurance.

What are the milestones needed to reach this?

Risk based access control - this exists as today.

Attribute based access control (where we don't need to have a federal agreement) - that's the missing part.


  • OIDC Federation - standard
  • UMA/OAUTH - standard
  • Code of Practice - Socially / market acceptable - standards in very limited area as today
  • Code of Conduct - Socially / market acceptable - standards in very limited area as today
  • JNNCThe problem is that it needs to become user negotiable.

2005 Identity Oracle

2004 User Managed Access

Federation is going away in this plan.

This means when we today click ok on a website nobody thinks of it as a contract but it is a contract. In this scenario the contract and ok will be replaced with the User Submitted terms / Vendor Relationship Management.