Distributed Identity Assurance
Full Title or Meme
Identity Proofing has often been viewed as a centralized function of a Credential Service Provider (CSP), but it can be more efficiently be realized using existing Identity Proofing in many real-world locations.
Context
This concept of Distributed Identity Proofing is described here as a use case for attaining IAL2 identifier assurance in a Trustworthy Healthcare Ecosystem.
Goal
To allow online patient's of one provider to leverage existing Identity Proofing with other providers.
Actors
- Actor: Patient of one healthcare provider seeking services at another (refereed) provider.
- Actor: Patient's Phone as Health Care Credential
- Actor: Verifier of claim with Identifier.
- Actor: Existing provider of health care services.
- Actor: Referred provider of health care services.
Note that it is possible that the patient's guardian (parent) is acting on the patient's behalf in this use case, but that should have no appreciable impact on the flow described here.
Preconditions
- The Patient has acquired a mobile phone for any major provider.
- The Patient has registered at a [primary] healthcare provider (PHP).
- The Patient has been (or will be) referred to another healthcare provider.
Scenarios
Primary Scenario:
- Patient visits their PHP for an ordinary visit and receives a paper at the end of the visit with instructions for establishing a strong authentication credential on their mobile phone.
- Patient uses their phone to acquire the native app specific to their device. (Today this would be the Apple or Android app store.)
- Patient starts the app and picks a friendly name for a new medical identifier that will be assigned by the appropriate process.
- Patient asks the app to "bind" the new identifier to the Identity Proofing claim that is also on the paper received from the PHP.
- Typically the patient will use the phone's camera to "enter" the claim into the phone (keying in the claim is possible, but not enjoyable.)
- Typically the CSP will download a certificate into the users phone
A different path using biometrics:
Failed Paths:
- Patient has no tolerance for technology and ignores the instructions.
Results
Accepted Risks:
- The patient loses the paper allowing some other person to attempt to steal their identity - mitigated by sign up process as described.
Post Condition:
- If validation accepted by the CSP, the patient has a phone that can be used for sign in to any participating healthcare provider.
Examples:
Dependencies::
- Web Sites must be trusted before any user information is released.
- Trust federations can be used to help users make informed decisions.
- User consent and trust must begin with no user information transferred.
- Standards exist to collect needed attributes where-ever they may be.
Workflow
When patient goes to their phone there are several messages that need to be created.
The Format of the Distributed Identity Proofing
The DIP will contain (typically on a single page of white paper):
- The means to access the appropriate phone apps, including instructions.
- The patient's semi-public record locator in DOI form (this MUST not be the patient's subject identifier internal to the practice).
- The date that the DIP was issued in Linux Epoch form (seconds since 1970-01-01:00:00:00) as a unique identifier with the DOI
- The page that contains this information in QR format MUST not have any other patient information than the DOI and date.
- The page may have have the PHP identifiers but not even the primary care physician name or number.
For example: doi:com.regence.iosd79JyyHB98;iat:150938403 or if any weirdness exists in the record locator doi:"com.regence.iosd79JyyHB98-o.dd";iat:150938403 where the doi: and iat: are optional for programmer's convenience during development.
Acquisition of the mobile App
The only interesting limitation on the mobile app is that it be certified as HIPAA compliant by a competent authority. The following features seem appropriate:
- contains more than one identifier that can be used by the patient/guardian
- accepts the validating information - something the patient knows - for example a birth date, other TBD
- maintains one or more notification address as selected by the patient to receive alerts - for example email address or SMS capable phone number
- supports the interchange standards as appropriate
Registering with the CSP
- The use enters the QR code and supporting information to the app and clicks "Create Binding".
- The app creates the following JSON object and sends to the CSP
{ doi: -- from PCP iat: -- from PCP sub: -- subject id to use for our interactions (at least 128 bits of entropy) bdate: -- part of patient proof of possession - may need more here - tbd ssa: -- software statement from phone app jwks: -- patient public key signature using patient private key ( specification/negotiation of key type tbd ) }
Certificate returned by the CSP
{ sub: purpose: aal2 identity: from pcp tbd iat: -- issue date for this cert exp: -- expiry csp: -- csp name as url or doi - must allow anyone to get public key of csp somehow signature of csp }
Sign in process at another provider
This is described in other documentation.
References
- The Identity Proofing Use Case describes the existing, centralized Identity Proofing with a Registration Authority and Credential Service Provider.