Identity Basics

‘Identity’ is composite, defined by multiple attributes/claims. For example, an individual’s identity is composed of a name, home address, birth date, maybe a government-issued citizen/passport number, family structure etc.

In an identification context, each of these attributes will have an associated level of assurance, or confidence, in the accuracy of the attribute – essentially an attribute “strength”. Identity frameworks in use today define the processes behind these levels of assurance and verification in order to standardise how “trust” is asserted for each of the claims presented.

The advancement of decentralised ‘platforms’ brings up discussion around zero trust, concepts of self-sovereign identity (SSI), and mechanisms for implementation such as W3C Decentralised Identifiers (DID). However, underpinning all of this are the same attributes (attestations in DID speak) that require a level of trust in the party verifying the claim.

Due to their role as society’s trusted third parties, banks, governments, and certain industries are at the heart of defining the raw components and attributes of what our society considers a usable commercial or citizen identity (both in real life and online). Ecosystems and technologies have been established to envelop, enhance, and communicate such identities and their attributes. This enables secure, efficient, and trusted business, helps eliminate identity fraud, and provides modern, cost-effective online citizen services.

Let’s look at two industries in particular, Certificate Authorities and Legal Entity Identifier issuers, and how they have created (somewhat connected) solutions that use a concept known as trust anchors at the heart of identity assertions:

Trust Anchors in the Certificate Authority (CA) ecosystem

In the Public Key Infrastructure (PKI) cryptographic architecture used by CAs, a root certificate is the trust anchor from which the whole chain of trust is derived. The trusted root certificate is distributed via browsers and operating systems. The CA must demonstrate very specific and standardised legal and operational controls to maintain the trusted status for the root certificate.

The CA, as the authoritative trusted party, uses the root certificate to manage a PKI hierarchy that issues end-entity digital certificates to servers (websites), devices, and individuals. An end-entity certificate is verified by following its chain of issuers back to the root certificate; only a chain that terminates at a trusted root establishes trust. This concept is well developed and understood, with billions of digital certificates having been issued and utilised in many different use-cases.
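To make the chain-of-trust mechanism concrete, here is an added example (not code from the original post, nor from any CA or from Ubisecure) that builds a three-tier hierarchy in memory and then verifies the end-entity certificate the way a browser or operating system would: the verifier trusts only the root it has been handed, bridges to the leaf through the intermediate, and checks the hostname. The root, intermediate and leaf names, keys and serial numbers are all generated in-process and are constructed placeholders; the `BuildChain` and `VerifyLeaf` functions are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier hierarchy: the self-signed root is the
// trust anchor, the intermediate is the issuing CA, the leaf is an end-entity
// (server) certificate. Everything here is generated in-process and is
// hypothetical; nothing is a real CA.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate for template, signed by the holder of signerKey
// whose own certificate is parent (parent == template for a self-signed root).
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caTemplate builds a CA certificate template; pathLen bounds how many
// further CA tiers may sit below it (0 = may only issue end-entity certs).
func caTemplate(serial int64, cn string, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Constructed Example CA"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
	}
}

// BuildChain generates root -> intermediate -> leaf, each signed by the tier above.
func BuildChain() *Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()

	rootTpl := caTemplate(1, "Constructed Root CA", 1)
	root := sign(rootTpl, rootTpl, &rootKey.PublicKey, rootKey) // self-signed trust anchor

	inter := sign(caTemplate(2, "Constructed Issuing CA", 0), root, &interKey.PublicKey, rootKey)

	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"}, // constructed hostname
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTpl, inter, &leafKey.PublicKey, interKey)

	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyLeaf mirrors a relying party: it trusts only the root it is given,
// uses the supplied intermediate to bridge to the leaf, and checks the
// hostname. It returns nil only if a valid chain ends at that trusted anchor.
func VerifyLeaf(leaf, intermediate, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	c := BuildChain()
	fmt.Println("trusted root :", VerifyLeaf(c.Leaf, c.Intermediate, c.Root, "www.example.com"))
	fmt.Println("wrong host   :", VerifyLeaf(c.Leaf, c.Intermediate, c.Root, "other.example.net"))
	other := BuildChain() // an unrelated hierarchy with the same shape but a different anchor
	fmt.Println("other anchor :", VerifyLeaf(c.Leaf, c.Intermediate, other.Root, "www.example.com"))
}
```

The third call is the point of the exercise: the second hierarchy is structurally identical and correctly signed, yet the leaf is rejected because the relying party's trust store does not contain its root. Trust flows from the anchor the verifier chose to install, not from the certificate's own claims.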

The CA industry has very clear definitions of attribute sets and verification levels and has standardised products based on such verification levels. For example, the verification levels used in TLS/SSL certificates span from basic domain validation (DV) to organisation validation (OV) to extended validation (EV) and incrementally offer a deeper assurance of the entity behind the certificate subscriber.

The Legal Entity Identifier (LEI)

Legal Entity Identifiers (LEI) are G20-endorsed, globally unique organisation identifiers that can be freely queried and referenced by counterparties in transactions, KYC, onboarding, etc. LEIs are issued by a select number of accredited Legal Operating Units (LOU).

In the world of LEI issuance, the role of the LOU closely parallels that of the CA. Only accredited LOUs can publish LEIs to the globally accessible live database of LEIs.

The validation checks required for the issuance of an LEI are very similar to those required for OV certificates. CAs are audited under the WebTrust framework yearly, and LOUs are audited by the Global LEI Foundation (GLEIF) yearly. In both cases, the audits ensure that operations are truly governed by the requirements of the appropriate identity framework.

The LOU is responsible for verifying the various attributes of the presented organisation, for example via business registry data, but must also verify that the person applying for the LEI for the given organisation has a right to request that the LEI is issued (as an authorised representative of that organisation).

Introducing LEI-based trust anchors

The very act of issuing an LEI requires the validation of a “Right to Request”, i.e. establishing that the applicant has the appropriate level of asserted legal authority to make the application for the LEI. This is determined either through delegated rights, for example a letter of authority from a verifiably authoritative representative to another individual, or through direct rights granted through being an executive of the company, verified through independent sources.

This check creates a link between the highly assured organisation data and the user requesting the LEI – it creates a new, LEI-based, trust anchor.

If the user requesting the LEI is not a company director, they will only have a “Right to Request”. However, if they are a director then they have a “Right to Represent”, which represents a valuable and well-governed trust anchor when realised through technology. Through modern IAM techniques (such as those developed by Ubisecure) it is possible for an employee to invite an Executive Director to the platform, run a second round of executive checks and then assign a Right to Represent marker to the director, thereby enabling a Right to Represent for the organisation.

The value of “Right to Represent”

Having the ability for an individual to represent an organisation through an online (digital) assertion brings efficiency, security, governance and compliance benefits which translate to business value. For example, LEI-based Right to Represent will lower the high costs usually endured for organisation KYC, onboarding and AML processes for banks, financial and legal services, and B2B supply chains.

Further, having the ability to delegate some or all of those representation rights, potentially with authorisation limits, brings an exponential increase in value.

This capability effectively moves corporate governance processes from administrative to technical. Permissions, rights and limits can be digitally conveyed and assured in online transactions.
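The passage above describes a director's verified Right to Represent acting as the anchor, and rights being delegated onward with authorisation limits. The following is an added example, not code from the original post and not a description of how Ubisecure, RapidLEI or any LOU implements this: it models that delegation chain as data and evaluates a transaction request by walking from the actor back to the anchored director, refusing any chain in which a limit widened, a non-delegable right was passed on, or the chain never reaches a verified anchor. The `Grant`/`Registry` types, the placeholder LEI string and all names and amounts are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Grant records one representation right for an organisation. An Anchored
// grant stands for the director's Right to Represent as verified by the LOU;
// every other grant must chain back to one through its Grantor. This model is
// hypothetical, built only for this illustration.
type Grant struct {
	Org       string  // organisation, keyed here by a placeholder LEI string
	Holder    string  // person holding the right
	Grantor   string  // who delegated it; empty for the anchored right
	Anchored  bool    // true only for the verified Right to Represent
	Limit     float64 // highest transaction value the holder may authorise
	Delegable bool    // whether the holder may pass (part of) the right on
}

// Registry maps an organisation to the grants recorded for it.
type Registry map[string][]Grant

var (
	ErrNoGrant      = errors.New("no representation right for holder in organisation")
	ErrLimit        = errors.New("amount exceeds authorised limit")
	ErrNotDelegable = errors.New("grantor had no right to delegate")
	ErrEscalation   = errors.New("delegated limit exceeds grantor's limit")
	ErrUnanchored   = errors.New("chain does not end at a verified Right to Represent")
)

func (r Registry) find(org, holder string) (Grant, bool) {
	for _, g := range r[org] {
		if g.Holder == holder {
			return g, true
		}
	}
	return Grant{}, false
}

// Authorise decides whether actor may commit org to a transaction of amount.
// It walks the delegation chain from actor back to the anchored director,
// checking at every hop that rights only ever narrowed and that each grantor
// was permitted to delegate. On success it returns the holders from actor to anchor.
func (r Registry) Authorise(org, actor string, amount float64) ([]string, error) {
	g, ok := r.find(org, actor)
	if !ok {
		return nil, ErrNoGrant // e.g. someone with only a "Right to Request"
	}
	if amount > g.Limit {
		return nil, ErrLimit
	}
	chain := []string{actor}
	seen := map[string]bool{actor: true}
	for !g.Anchored {
		parent, ok := r.find(org, g.Grantor)
		if !ok || seen[parent.Holder] { // dangling or cyclic delegation
			return nil, ErrUnanchored
		}
		if !parent.Delegable {
			return nil, ErrNotDelegable
		}
		if g.Limit > parent.Limit {
			return nil, ErrEscalation
		}
		seen[parent.Holder] = true
		chain = append(chain, parent.Holder)
		g = parent
	}
	return chain, nil
}

// SampleOrg is a constructed placeholder, not a real LEI.
const SampleOrg = "LEI-PLACEHOLDER-0001"

// SampleRegistry holds constructed grants, including several defective ones.
func SampleRegistry() Registry {
	return Registry{SampleOrg: {
		{Org: SampleOrg, Holder: "director", Anchored: true, Limit: 1_000_000, Delegable: true},
		{Org: SampleOrg, Holder: "cfo", Grantor: "director", Limit: 250_000, Delegable: true},
		{Org: SampleOrg, Holder: "clerk", Grantor: "cfo", Limit: 5_000, Delegable: false},
		{Org: SampleOrg, Holder: "overreach", Grantor: "clerk", Limit: 5_000},     // clerk may not delegate
		{Org: SampleOrg, Holder: "escalated", Grantor: "cfo", Limit: 900_000},     // wider than cfo's limit
		{Org: SampleOrg, Holder: "orphan", Grantor: "ex-director", Limit: 100},    // grantor no longer recorded
	}}
}

func main() {
	r := SampleRegistry()
	for _, actor := range []string{"clerk", "overreach", "escalated", "orphan", "requester"} {
		chain, err := r.Authorise(SampleOrg, actor, 4_000)
		fmt.Printf("%-10s chain=%v err=%v\n", actor, chain, err)
	}
}
```

Two design points carry over to a real deployment: the check is made at transaction time against the recorded chain rather than against a copied-out flag, so revoking the director's anchor or the CFO's delegation immediately invalidates everything beneath it, and limits can only narrow as they pass down the chain, which is what keeps a delegated right from quietly becoming broader than the governance that granted it.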

A well-established case where the business value of Right to Represent is already realised is through the Katso platform, deployed in Finland. The trust anchors used in the Katso platform parallel the LEI-based trust anchor, but use local definitions for organisations rather than the globally applicable identity provided via the LEI. The system records an organisation’s legally authorised representative, and gives that representative the ability to both assert their Right to Represent and delegate their Right to Represent.

The Katso platform contains 500K registered individuals and 420K registered organisations, and is used by government organisations and departments. The government publishes a significant amount of data regarding its public operations and from this public data it can be seen that the tax office usage of the platform has resulted in a 99% decrease in transaction costs, underpinned by a 20% year on year staff reduction. The data also shows an average saving of six to ten euros per transaction. Download Ubisecure’s Katso case study for further information.

Establishing trust anchors in the Right to Represent scenario has significant (already proven) cost saving opportunity for those organisations that employ them, and significant revenue opportunity for those organisations that provide trusted representation assertions.

To discuss leveraging or offering Right to Represent services, get in touch with Ubisecure & RapidLEI.