Identity Standards: ISO 24760-1

Link: http://dougnewdick.wordpress.com/2013/02/10/identity-standards-iso-24760-1/

I’m currently looking at international identity standards and thought that I might post some thoughts about them as I work through them. The first one I have looked at is ISO/IEC FDIS 24760-1:2011(E), “A framework for identity management – Part 1: Terminology and concepts”. This standard is supposed to define the key terms of identity management and specify the core concepts of identity and identity management. My view is that it should be avoided. The reasons are many: it is confused, it is unclear, and it does not use terms in the way they are standardly used in the identity industry.

The definitions are mostly unclear and imprecise:

  • In many cases a definition relies on terms that are just as unclear as the one being defined (e.g. a “domain” is defined as an “environment”, which is itself undefined; you might as well tell me a domain is a domain).
  • Clearly incorrect synonyms are given (e.g. “unique identity” is listed as a synonym for “identifier”, but an identifier is an attribute, not an identity).
  • Different concepts are sometimes confused (“verification” is confused with “validation”, for instance).
  • Terms commonly used in the industry are redefined (authentication is redefined to mean a form of verification).
  • The definitions are inconsistent in their use of other terms defined in the same standard.

The section on concepts is, if anything, even more problematic.

  • It is entirely ICT-focused (though elsewhere it claims otherwise), which is unhelpful in a framework that is meant to cover identity in general.
  • The discussion of concepts is very specific: it favours particular implementations and approaches to identity rather than staying entirely general.
  • The concepts slip from being descriptive (this is what the concept means) to being normative (this is how a system should behave).
  • The discussion is somewhat idiosyncratic and not in line with other treatments I have seen of the same topic.

These were among the reasons that a number of key countries voted against this standard. Unfortunately it was adopted anyway. In short, avoid this standard. There are others out there that do a better job of describing the key concepts of identity and identity management, and I’ll be describing some of those in other posts.