In the digital world, identity is a cornerstone of trust, security, and authenticity. Public Key
Infrastructure (PKI) plays a vital role in establishing and maintaining this trust by providing a
framework for secure communications and transactions. Within the realm of PKI-based digital
identity, there are two primary concepts to consider: assumed identity and assigned identity.
Understanding the distinction between these two is crucial for appreciating how digital identities
are managed, verified, and utilized in various online interactions.
What is PKI?
Before diving into the nuances of assumed and assigned identity, it’s essential to have a basic
understanding of PKI. PKI is a set of roles, policies, hardware, software, and procedures needed
to create, manage, distribute, use, store, and revoke digital certificates. These certificates are
used to verify that a particular public key belongs to a specific entity, ensuring secure data
exchanges over networks.
Assumed Identity
Assumed identity refers to the identity an individual or entity claims or adopts in a digital context.
This identity is typically self-asserted and not verified by a trusted third party. In simpler terms,
when you assume an identity, you are essentially declaring who you are without any external
validation.
Examples of Assumed Identity
1. Usernames and Passwords: When you create an account on a website using a username and
password, you are assuming an identity. The website might not verify your real-world identity,
allowing you to assume any name you choose.
2. Social Media Profiles: On platforms like Twitter or Instagram, users often assume identities by
choosing usernames and profile pictures. These identities can be pseudonymous or entirely
fictitious.
Limitations of Assumed Identity
While assumed identities offer flexibility and privacy, they also come with significant drawbacks:
– Lack of Verification: Since there is no third-party verification, assumed identities can easily be
fabricated or misrepresented.
– Trust Issues: In the absence of verification, it is challenging to establish trust, making assumed
identities less suitable for high-security transactions or communications.
Assigned Identity
Assigned identity, on the other hand, is an identity that is verified and authenticated by a trusted
third party. In the context of PKI, this involves the issuance of digital certificates by a Certificate
Authority (CA). The CA verifies the identity of the individual or entity before issuing a digital
certificate, which serves as a digital credential.
Examples of Assigned Identity
1. Digital Certificates: When a CA issues a digital certificate, it assigns an identity to the certificate
holder after verifying their credentials. This certificate can be used for secure communications,
such as SSL/TLS for websites.
2. Government-Issued Digital IDs: Some governments issue digital identities that can be used for
online authentication and transactions. These are typically assigned after thorough verification of
the individual’s identity.
Benefits of Assigned Identity
Assigned identities offer several advantages over assumed identities:
– Verification and Trust: The involvement of a trusted third party in verifying and assigning the
identity ensures a higher level of trust and security.
– Compliance and Accountability: Assigned identities are often used in contexts where regulatory
compliance and accountability are crucial, such as in financial services or healthcare.
PKI and Digital Identity Management
PKI is fundamental in managing digital identities, especially when it comes to assigned identities.
The process involves several key steps:
1. Identity Verification: The CA verifies the identity of the applicant using various methods, such as
document verification or biometric checks.
2. Certificate Issuance: Upon successful verification, the CA issues a digital certificate that binds
the verified identity to a public key.
3. Usage and Authentication: The certificate holder uses their digital certificate to authenticate
their identity in online transactions, ensuring secure and trusted communications.
4. Certificate Revocation: If the certificate is compromised or no longer valid, the CA can revoke it
to prevent misuse.
Conclusion
In the context of PKI-based digital identity, the distinction between assumed and assigned
identity is crucial. While assumed identities offer flexibility and anonymity, they lack the verification
and trust that assigned identities provide. PKI, with its framework of digital certificates and trusted
third parties, plays an essential role in establishing and maintaining secure and reliable digital
identities. As our world becomes increasingly digital, understanding these concepts and their
implications is vital for navigating the complexities of online identity management and security.