We hardly ever need to know "who people are" online (or in real life for that matter); we just need to know certain specifics about them. So let’s get over identity, and devote our energies to critical infostructure to supply the reliable data and metadata so urgently needed for an orderly digital economy.
It's not about identity, it's about data.
Identity is metaphorical shorthand for being in a particular relationship, defined by the RP (for it is the RP that carries most of the risk if an identification is faulty). Identity is not the sort of good or service that can be provided; it is a state that is defined and conferred by RPs. The metaphor of identity provision is all wrong; canonical Digital Identity is a false idol.
subjects carry risks if the RP is spoofed. mutual auth should be default, regardless of channel
The truth is that Identity Providers, as imagined, can’t deliver. Identity is in the eye of the Relying Party. The state of being identified is determined by a Relying Party (RP) once it is satisfied that enough is known about a data subject to manage the risk of transacting with them.
The problems of auth will always be centered around the RP. data that is not used to verify is not useful.
Yet it doesn’t have to be so. Here’s what really matters: What do you need to know about someone or something in order to deal with them? Where will you get that knowledge? How will you know it’s true?
Key questions for service providers to ask themselves when preparing for onboarding