To quote from an upcoming Open Identity for Business Interop - this sentence got me really going
"Some services can be accessed anonymously, others require higher levels of authentication."
This sentence lays bare the implicit assumption that services that are accessed or used anonymously require a lower assurance level than services that use identity. For some services, you might not care about the relative truthfulness of identity, or identity at all, but it is a mistake to equate this with anonymity or with a lower level of assurance.
There are many examples where anonymity requires a high assurance. Identity authentication may not be required, but for users to trust the site, there still is a requirement for a high assurance of anonymity.
The most current and famous example is wikileaks.org. WikiLeaks is a website whose purpose is to "protect whistleblowers, journalists and activists who have sensitive materials to communicate to the public". For contributors to trust this site, they don't want to be identified. Period. Instead, they want a high assurance that they won't be identified. This is almost the reverse of authentication, but for contributors to trust the site, a high assurance (of anonymity) is required nonetheless.
According to WikiLeaks, "WikiLeaks combines the protection and anonymity of cutting-edge cryptographic technologies" - in other words, it provides a high assurance of anonymity to individuals who wish to remain anonymous when they disclose (or leak) sensitive documents to the public.
WikiLeaks attempts to provide a high assurance of anonymity by distributing itself over several jurisdictions and by not keeping logs. There are other measures, but they are not willing to disclose them. WikiLeaks recommends a combination of "postal (i.e. snail mail) and electronic techniques" as the strongest way to preserve anonymity. It should be noted that these measures are the total opposite of providing a high assurance identity authentication, but the high assurance (of anonymity) is required nonetheless.
While WikiLeaks may be a sensational example where high assurance anonymity is required, there are many examples in our daily and work lives. One is responding to an online employee or public opinion survey, where an assurance is given that your anonymity will be preserved so that you can provide your true opinion without sanction.
Another very traditional example is voting in an election. When you show up at the polling booth, the electoral authorities need to know who you are (i.e. identify you), but by the time you cast your vote, all identity is stripped from the ballot before it goes into the ballot box. High assurance of anonymity of the cast ballot is the fundamental underpinning of democracy.
To conclude - just as many services require a high assurance of identity (such as access to electronic health records), there are other services that require a high assurance of anonymity. Break away from the assumption that anonymity is a lesser thing than identity. It's a separate thing and just as important.
The real lesson in this example is to separate the assurance concept from identity. Just as assurance applies to the veracity of identity, it applies equally well to the preservation of anonymity.
Many current identity assurance models assume a tight linkage between assurance and identity, with anonymity sitting on the lower rungs. That assumption is simply not correct.
Just as we need a high level of identity assurance, we also need a high level of anonymity assurance. If you doubt this requirement, just ask whistleblowers, people under witness protection, or anyone who votes in an election.
To solve this problem conceptually, it is necessary to decouple assurance levels from identity and associate them with something more fundamental: trust. Assurance is related to how deeply you trust a site, service or organization, whether you are identified or not.
Of course, identity assurance is still a critical component, but there is a more fundamental association when you are dealing with partners in a federation or other organizations or jurisdictions. This more fundamental association is also at play when your organization is dealing with individuals or the public-at-large. This is trust, and identity is only a small (but important) part of this trust equation.
There is a simple model that ties this all together with trust - this will come in another blog entry.
