Monday, September 2, 2013

mHealth Identities using trusted intermediary

I introduced the concept of separation of Identity Proofing from Authentication using a formal Binding mechanism in getting to mHealth solutions - real People. I didn't know it was being formally defined in NSTIC. The idea that I introduced leverages the concept of separating Identity Proofing from Authentication, which is exactly the concept outlined in an NSTIC blog: NSTIC Pilot Common Considerations 5: An Identity Ecosystem Functional Model for the Modern Market.

There are five different scenarios depicted using this simple concept. The differences are in the methods of combining these functions, some using an Intermediary, some just organizational arrangements. Each has a strength and an overhead. This is very encouraging work. Corporate identities can combine these functions because they are done at almost the same time, when you are hired and when you are let go. Internet-based identities really need to consider separation of these functional concepts.

The various models are being adopted by Internet providers and governments. 
  • The U.S. government’s upcoming Federal Cloud Credential Exchange (FCCX). Architectures using such intermediary layers can also be used to render the operations between participants blind – in such a case, the CSPs and the RPs don’t know who is performing an authentication or transaction, respectively.
  • The Canadian Cyber Authentication Renewal Project, in conformance with the Canadian federal Privacy Act. This is the scenario where an intermediary is used to provide an abstraction over a number of different authentication means, but each relying party still performs its own identity proofing.
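A minimal sketch of the blinding intermediary described in the first bullet, added here as an illustration and not taken from FCCX, the Canadian project, or the NSTIC model. The `BlindBroker` class, the identifiers `csp-a`, `rp-clinic`, `rp-pharmacy`, the `LOA2` label and the HMAC-based pairwise pseudonym are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class BlindBroker:
    """Hypothetical intermediary between credential service providers (CSPs)
    and relying parties (RPs). Neither side learns the other's identity."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # broker-only secret for pseudonyms
        self._pending = {}                   # opaque handle -> RP that asked

    def request_for_csp(self, rp_id):
        """RP asks for an authentication; the CSP sees only an opaque handle."""
        handle = secrets.token_urlsafe(16)
        self._pending[handle] = rp_id
        return {"handle": handle}            # no RP identity is forwarded

    def assertion_for_rp(self, handle, csp_id, csp_subject, assurance):
        """CSP answers; the RP gets a pairwise pseudonym and no CSP identity."""
        rp_id = self._pending.pop(handle)    # KeyError on unknown or replayed handle
        msg = "\x1f".join((csp_id, csp_subject, rp_id)).encode()
        pseudonym = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        # The RP still does its own identity proofing and binds it to "sub".
        return rp_id, {"sub": pseudonym, "assurance": assurance}


def demo():
    """Constructed sample flow: one CSP account used at two RPs."""
    broker = BlindBroker()
    results = []
    for rp in ("rp-clinic", "rp-pharmacy", "rp-clinic"):
        req = broker.request_for_csp(rp)
        rp_id, assertion = broker.assertion_for_rp(
            req["handle"], "csp-a", "alice", "LOA2")
        results.append((req, rp_id, assertion))
    return results


if __name__ == "__main__":
    for req, rp_id, assertion in demo():
        print(rp_id, assertion["sub"][:16], "CSP saw:", list(req))
```

The identifier is stable per RP and different across RPs, so two RPs cannot correlate the same person by comparing it. The broker itself sees both sides of every transaction, so its key and logs carry the privacy risk that the CSPs and RPs no longer do.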

For references see: My Topics page

User Identity and Authentication