Credential and Attribute Providers in the NSTIC
This is part of an ongoing series on the National Strategy for Trusted Identities in Cyberspace. The introduction to this series can be found here.
The National Strategy for Trusted Identities in Cyberspace (NSTIC) describes two types of intermediaries between subjects (users) and relying parties: identity providers and attribute providers. This is a separation not frequently found in identity systems. In order to emphasize this distinction, I often use the term “credential provider” or “authentication provider” rather than identity provider to refer to a service that provides authentication services and makes assertions resulting from authentication but does not directly provide attributes about the subject.
A credential provider can be thought of as a key cabinet. The subject authenticates to the credential provider in order to “unlock” the cabinet of credentials. As with a physical key cabinet where different keys inside are used for different things, the credential provider serves different credentials to different services. Ideally, the identifiers used for each of these services would be different; a good identifier is also opaque, meaning that the identifier itself provides no additional information about the subject. Provided that the choice of credential provider itself does not reveal significant information about the subject, a subject can be generally pseudonymous with respect to the relying party until the subject authorizes the release of identifying attributes.
Attribute providers are sources of information about a subject (user). In many cases, an attribute provider would be the source of some trustable or authoritative information about the user. This trust or authority may be very domain-specific: a credit bureau might be authoritative as to the credit worthiness of a subject, but one would look to a healthcare provider to determine the subject’s blood type. The methods of obtaining this trust are themselves complex, and worthy of a separate discussion.
There are benefits to being able to separate the roles of credential provider and attribute provider. This allows a single user to have multiple attribute providers, probably organized (and accredited) for specific types of information. In other words, a relying party could depend on an assertion from a credit bureau to determine credit worthiness, and on an employer’s assertion of employment status.
The separation between these roles could also broaden the choices the user has for credential provider(s). Having a lot of choices is good, and reducing the amount a relying party has to trust the credential provider helps accomplish that. Having an arm’s-length relationship between credential and attribute providers may also benefit user privacy. On the other hand, the separation of credential and attribute providers is a functional distinction; there is nothing to prevent a given entity from operating both a credential provider and a provider for some attributes. Users may find this arrangement convenient since they can enroll with a single provider for both services.
NSTIC provides considerable flexibility on how users organize their own “identity portfolio.” This wide range of choices for both credential and attribute providers allows users to create a portfolio that meets their needs best.