Think of an identity provider as someone who has done some checking and provides an assertion that this person is over 21.
Whereas the ONLY authoritative source in my case is the UK government who issued my birth certificate.
Every other source of my age is secondary, or worse.
So an IDP who uses my Driving Licence as its source is already two levels removed from authoritative. Same for passports.
Use a source for identity with a less than stellar reputation for identity verification (say a Ugandan* passport) and then how much do you trust that assertion?
The problem comes when an IDP checks my DoB using a dodgy foreign driving licence and yours via a (new strong) US driving licence.
I then use that IDP to verify RUover21 and you get back a binary YES. I'd argue that it's of little use to you and you can't differentiate the quality of the original checking.
This is the reason that most banks want to do KYC themselves, so they know the level of trust they can place in the "evidence" presented.
It's also the reason that we as global citizens actually need to be able to assert "I am over 21" signed by the AUTHORITATIVE source.
*used as example as both US & UK governments require a visa so they can do independent validation on the person applying.
------------------------------
Paul Simmonds
CSA UK Chapter & Global Editor for Guidance Section 12 (at version 3)
------------------------------
Original Message:
Sent: Jun 15, 2021 11:49:24 AM
From: Jenna Morrison
Subject: IAM: Identity provider vs authoritative source?
Hi,
In Module 5 Unit 6 of the CCSK training, they talk about IAM. I was wondering, what is the difference between the identity provider and the authoritative source?
Would someone be able to help clarify this for me and perhaps give a real-world example?
Thanks :)
------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
------------------------------
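The reply's point about a binary YES, sketched as an added example that is not part of the original thread or of the CCSK material: a relying party can only apply its own trust policy if the assertion says what evidence was checked and how far that evidence is from the authoritative source. The issuer names, claim fields and keys are hypothetical, and HMAC with a shared demo key stands in for the issuer's real digital signature.

```python
import hashlib
import hmac
import json

# Constructed demo keys. A real issuer would sign with a private key;
# HMAC is used here only so the example runs on the standard library.
KEYS = {"uk-gov": b"demo-key-uk-gov", "idp-x": b"demo-key-idp-x"}

def _tag(issuer, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(KEYS[issuer], body, hashlib.sha256).hexdigest()

def sign(issuer, claims):
    """Issue an assertion: the claims plus a tag binding them to the issuer."""
    return {"issuer": issuer, "claims": claims, "sig": _tag(issuer, claims)}

def verify(assertion):
    """True only if the issuer is known and the claims are unmodified."""
    if assertion.get("issuer") not in KEYS:
        return False
    expected = _tag(assertion["issuer"], assertion["claims"])
    return hmac.compare_digest(expected, assertion.get("sig", ""))

def accept_over_21(assertion, max_hops):
    """Relying-party policy: valid signature, claim is true, and the evidence
    is at most max_hops levels removed from the authoritative source."""
    if not verify(assertion):
        return False
    claims = assertion["claims"]
    if claims.get("over_21") is not True:
        return False
    hops = claims.get("hops_from_authoritative")
    # A bare YES carries no provenance, so its quality cannot be judged.
    return hops is not None and hops <= max_hops

# Constructed sample assertions.
BARE_YES = sign("idp-x", {"over_21": True})
VIA_LICENCE = sign("idp-x", {"over_21": True, "evidence": "driving licence",
                             "hops_from_authoritative": 2})
AUTHORITATIVE = sign("uk-gov", {"over_21": True, "evidence": "birth record",
                                "hops_from_authoritative": 0})

if __name__ == "__main__":
    for name, a in [("bare", BARE_YES), ("licence", VIA_LICENCE),
                    ("authoritative", AUTHORITATIVE)]:
        print(name, "strict:", accept_over_21(a, 0),
              "lenient:", accept_over_21(a, 2))
```

A strict relying party (`max_hops=0`) accepts only the assertion signed by the authoritative source, while a lenient one also accepts the licence-backed assertion; neither can do anything useful with the bare YES.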