Dave Nikolesjsin is the CIO for the Prov. of British Columbia. No less an authority on identity than Dick Hardt has told me that I really had to see what they were doing in identity. So, when I saw that Dave as speaking at DIDW, I knew that was one session I had to attend. Serendipitously, I sat with Dave at breakfast and got a chance to get acquainted.
The title of Dave's talk is "Citizen-Centric Identity." He shows a picture with a citizen, in this case a little girl from a dysfunctional family, at the center surrounded by ministries, agencies, and private sector assets that might provide service in this scenario. If this girl shows up in the emergency room, how do you know its her, reliably and securely deliver relevant information from government networks to the private-sector physician, and so on?
Right now there are no easy answers. The silo'd data sources and applications have little interoperability. Where are the online equivalents of the driver's license, birth certificate, professional credentials, and so on that can be used to provide trust in the online environment.
Dave turns the time over to Ian Bailey, an Identity Management Architect for the BC Government. He's talking about an identity program called BCeID. BCeID is a shared digital identity credential that can be used for personal and business users. BCeID is about authentication, not authorization. Corporate identity is actually easier since the government is the authority who decides who is and who isn't a corporation.
When a person wants to access an eGovernment service, they apply for a BCeID account and then go to an government office (I presume almost any one will work) to prove they are who they say they are by presenting two forms of ID. There's even handy "nearest office" functions with maps to show you where o go.
There's a complementary application that the government agent uses to verify the identity and ensure the data submitted by the citizen was correct (matches the data on the physical credentials). Once completed the identity is part of the citizen directory and is available for eGovernment applications.
There is a basic BCeID that doesn't require validated. This can later be converted to a verified BCeID so that the transaction history isn't lost.
Knowing what kind of user ID is necessary for a particular eGovernment service can be difficult so BC has built a online directory of services that clearly indicates what kind of ID is required.
A business has only one BCeID. You can find out if your business is already registered to that you don't waste time registering only to find you don't need to.
Having only one ID per business seems problematic to me. When an employee leaves, I don't want them to be able to impersonate the business. I'd rather like for each person to have their own BCeID and give the business the ability to delegate authority, and revoke it, to individuals. Ah, later Ian shows how a business can create more than one BCeID for their business for individual users. During the question and answer sessions, they acknowledge that using federation with large organizations makes sense.
Because of the registration data that BC has for each corporation, they have a body of shared secrets that they can use to verify the person creating the BCeID for the business is really associated with the business. Businesses have the ability to list data about their business in a directory of BC businesses.
The BC government has 75 services that are using the BCeID authentication. There are 20,000 business who have registered, which is about one in five. There are 75,000 individuals registered. There are 4.3 million residents, so they've got a ways to go there. BCeID is voluntary right now (services that want to use it can) but soon, it will be required and be the only authentication service for BC goverment services.
Dick was right--this is very cool stuff. As Dave says, there are lots of people who talk about identity proofing being a good thing, but these guys are really doing it.