We are happy to announce that the ID4me Association has established the ID4me Operational Trust Specification. Together with the ID4me Verified Identities specification already released in September 2019, this work facilitates the provision of ID4me verified identities, confirmed by a trustworthy party, through the ID4me framework. The operational trust mechanism allows any participant to discover the degree of trust that can be associated with any other participant using the ID4me protocol, and to use this as a factor in deciding whether the personal information included in the identity can be trusted.
The ID4me protocol was designed to allow the federated login and distribution of personal information across the Internet, without necessarily ensuring that the information provided is “true”. However, for many use cases, it is necessary that the ID4me platform provides some degree of certainty on whether the personal information provided through the login process corresponds to real people in the offline world. To this purpose, an architecture for ID4me verified identities has been designed.
The objective of the standardized procedures and protocol extensions is thus to give the online services that support login with ID4me identities an understanding of the credibility of the personal information they will receive as part of ID4me verified identities.
Website owners are then free to use that information in any way they like: they could decide to accept only identities from operators with a certain minimum level of operational trust, to accept only identities from specific operators that they pre-vetted on their own, or to skip this check and accept any identity and operator. The same applies to ID4me operators: some of them might decide to provide services only to relying parties that meet a minimum level of trust or certain legal requirements, or to refuse to work with other operators that have not been vetted by a trusted third party. This is a decision that each party can take according to its specific use case and the degree of certainty it requires about the value of the claims.
Thanks to these extensions, ID4me can be used for purposes that require higher levels of certainty about the actual identity of the person logging in, such as managing utility contracts or accessing health information. They also allow the establishment of identity federations that, while using normal ID4me identities, are open only to selected participants and/or operators, for example all employees of a company, or all residents of a city. ID4me is highly flexible in this respect; it can support trust levels ranging from self-hosted, unverified, pseudonymous identities to State-verified identities that can be used for official transactions.
Although the first version of the specifications has been released, we welcome feedback from the entire ID4me community on this topic and look forward to suggestions and inquiries of all kinds.
Here you can find the detailed “ID4me Operational Trust Specification” and “ID4me Verified Identities” documents.