Trust is a one way affair

Cleaning up my blog and I found this snippet of text, waiting for further investigation. Feel free to join the discussion:


Any digital identity can only be trusted, as much as the identity provider (who provided the digital identity) can be trusted. If you don't trust an identity provider, you shouldn't trust it's identities. Seems logical. And even if you do trust the identity provider, you don't have to trust the digital identities from that provider. And you may trust the identity provider, but that is no guarantee that you can trust the digital identities. Or better... there is still no guarantee that there is a real individual behind the digital identity. It all depends on the identity management processes of the provider. But how can you tell which digital identities belong to real individuals?

What's the problem: if someone creates an account on my site, is that identity more reliable than an identity from a third party identity provider, that I may or may not trust?


If the identity is used only for identifying a website user for personalization purposes, then why not allow the use of any identity, trusted or not. If you allow extra permissions for that identity user, then that's up to you.

Allowing permissions for whatever task, should be based on a risk assessment, thereby taking into account classification of information and processes. Then you decide what level of trust is required. And it's up to you to decide what kind of identity is sufficient. It could imply that a gmail or twitter identity is enough for users to log into your site.


Perhaps that's why I don't like current trust models. They are too complex for most purposes. If people trust you to service them, that in itself is no need for you to trust them as well. Why should you? Only if you want them to service you, or get stuff from you and then pay you for it, then you should trust them. Until then, trust is a one way affair.