PromethenoBlogContact ↗

The identity gap

Identity-proofing is a different verification regime. Prometheno consumes it; it doesn't try to redefine it.

Ziyuan (Chester) Guan
Ziyuan (Chester) Guan
7 min read
thesishavenprotocolidentitygap

Now let's think together. In The four primitives I said identity sits outside the protocol's scope. This post says what "outside" means.

The cryptographic primitives from post 3 can prove a signature came from a specific key. They can't prove the key belongs to a specific human. That second question is older than crypto, and the field that answers it has been working at it for forty years. Building a patient- sovereign protocol that tries to redo that work is a category error.

A regime, not a function#

Every claim in a healthcare system gets verified inside some regime. Signatures get checked with math. Audit chains get checked with hash replay. Both live in the cryptographic regime — the truth-conditions are mathematical, the evidence is computable, any honest party with the artifacts reaches the same answer.

"Alice Chen holds this key" isn't that kind of claim. It's a claim about the world. The evidence is a passport, a biometric, a notary's seal. You can audit the procedure. You can't compute it.

Not harder math. A different question.

A four-layer stack labeled Outcome verification, Clinical truth, Identity proofing, and Cryptographic verification. The Identity proofing layer is highlighted.
Four regimes the protocol rides on. Crypto sits at the bottom. Identity proofing is the next layer up, and the subject of this post.

The protocol can use a regime's output — an identity assertion, a quality grade, an outcome label. It can't manufacture that output from below.

What a signature doesn't say#

A signature confirms whoever holds the key signed the message. It says nothing about who holds the key. Three ways that gap bites:

Stolen keys. A signature from Alice's key, after the key has been exfiltrated to Bob, is indistinguishable from a genuine Alice signature. The math doesn't care who's typing.

Shared keys. Alice gives her key to her daughter to manage Alice's records. Every consent grant looks like Alice. The daughter could grant access Alice would refuse, and the protocol has no way to know.

Sybil accounts. One person creates ten patient identities, each with a different key. Signatures all verify. Contributions all look distinct. Cryptography is structurally blind to this1.

Identity proofing is what makes those expensive. Crypto is a coordination primitive — it lets parties who don't trust each other agree on what was signed. It deliberately doesn't try to settle who the parties are. That settlement happens upstream.

What proofing actually means#

NIST 800-63-42 is the U.S. federal standard for identity proofing, last revised in 2024. It defines three Identity Assurance Levels — IAL1, IAL2, IAL3 — each naming what evidence binds a credential to a real human. It predates healthcare-specific concerns by years. The federal government, the financial sector, and most regulated industries already use it.

Three steps ascending from IAL1 (self-asserted, no proofing) to IAL2 (remote or in-person proofing with strong evidence) to IAL3 (in-person plus supervised biometric capture).
NIST 800-63-4 Identity Assurance Levels. The protocol's assurance is bounded by the IAL the implementing system delivers.

IAL1 is self-asserted. You type your name; the system believes you. Fine for newsletter signups. Not fine for an asset binding that gates clinical data.

IAL2 is the working floor for healthcare. Government-issued ID plus a live biometric, remote or in-person. The Cures Act patient-access rule3 effectively assumes IAL2. ONC certified-health-IT requirements align4.

IAL3 adds a supervised in-person step. An authorized agent inspects the evidence and the person presenting it. Federal benefits, defense clearances, some clinical research.

A protocol that demands IAL3 everywhere prices itself out of population scale. A protocol that accepts IAL1 and pretends otherwise prices itself out of credibility. HAVEN doesn't pick — the implementing system picks, and the consent grant inherits whatever assurance the system can deliver.

What Prometheno consumes#

A Consent Attestation names a grantor and a grantee. The protocol doesn't say how either gets resolved to a human. The implementing system mounts an existing substrate.

OpenID Connect5 — federated identity over OAuth 2.0. The standard for "log in with your hospital portal." Token in, identity out, at whatever IAL the provider supports.

Decentralized Identifiers6 — W3C standard for self-sovereign identities backed by verifiable credentials. Useful when patients carry identity across institutions. Doesn't itself produce IAL; relies on the credential issuer.

EHR-issued identity — the provider already proofed the patient at intake. SMART on FHIR7 surfaces that identity to apps via the Patient resource. Most US silent-pilot work starts here, because the proofing already happened in-clinic.

eIDAS in the EU8 — national-level electronic identity with Assurance Levels (Low / Substantial / High) that map cleanly onto IAL1/2/3. Relevant when EU patient pools come into scope.

The whitepaper §9 is explicit: "How you verify patients are who they say they are is up to you."9 That's not a punt. It's the same scoping move SMTP made for institutional directories, OAuth made for existing accounts, OIDC made for OAuth. Building identity proofing into HAVEN would be like asking HTTP to run a passport office.

What HAVEN inherits#

Every weakness in the substrate propagates into the protocol.

If the substrate is IAL1, every signed consent is IAL1 consent. The chain is unbroken; the signatures verify; the audit log holds. And "the patient" is whoever clicked through. Crypto can make the fiction tamper-evident. It can't make it true.

If credential recovery is a security question, an attacker who guesses the answer takes over the credential and signs whatever they like. The protocol records it as a legitimate session. The fix isn't more crypto. The fix is in the identity layer.

If the substrate is high-assurance for the patient but low-assurance for the grantee — the researcher, the AI vendor, the lab — the asymmetry hides. A chain is only as strong as its identity links.

The honest posture: document what the protocol assumes (IAL on grantor, IAL on grantee), make those assumptions explicit in the consent record, reject grants where the substrate can't deliver them.

Why this is a separate post#

Build identity proofing into consent. Pick an IAL. Mandate biometric capture. Ship. That path ends two ways: rejected by every system that already has an identity substrate, or drifting into a quasi-identity provider that competes with the substrates it was supposed to consume.

So the boundary stays where it is. Prometheno consumes whatever the implementing system mounts. The cost is real — the protocol's sovereignty claim is contingent on identity-proofing upstream — but it's the same cost SMTP pays for not running mail servers and OAuth pays for not running user databases.

What comes next#

The second gap is harder, because it lives in a different epistemology. Crypto can prove a value hasn't been altered. Identity proofing can prove a key belongs to a person. Neither can prove the value reflects clinical reality. That sits in medical empiricism. The next post takes it up.

References

  1. Douceur, J.R. "The Sybil Attack." International Workshop on Peer-to-Peer Systems (IPTPS), 2002. Sybil resistance requires an out-of-band binding to a costly real-world artifact.

  2. NIST Special Publication 800-63-4: Digital Identity Guidelines. National Institute of Standards and Technology, 2024. Defines IAL (Identity Assurance Level), AAL (Authenticator Assurance Level), FAL (Federation Assurance Level) as orthogonal axes. This post discusses IAL only.

  3. 21st Century Cures Act, Public Law 114-255 (2016); ONC interoperability rules 85 FR 25642 (May 2020), 89 FR 1437 (January 2024). Patient-access APIs operate under identity proofing equivalent to NIST IAL2.

  4. ONC Health IT Certification Program §170.315(d) — identity-proofing requirements for credentialed access to certified health IT.

  5. Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C. OpenID Connect Core 1.0, OpenID Foundation, incorporating errata set 2 (2014–present). Federated authentication on top of OAuth 2.0 (RFC 6749).

  6. W3C Decentralized Identifiers (DIDs) v1.0, W3C Recommendation, July 2022.

  7. SMART App Launch Framework v2.0. Mandel, J.C., et al. SMART on FHIR: A standards-based, interoperable apps platform for electronic health records. JAMIA 23(5):899-908, 2016.

  8. eIDAS Regulation EU 910/2014, effective 2016; eIDAS 2.0 (Regulation EU 2024/1183) extending the framework with the European Digital Identity Wallet. Assurance Levels (Low / Substantial / High) align with NIST IAL1/2/3.

  9. HAVEN whitepaper v2.0, §9, "What We're Not Trying to Do." DOI: 10.5281/zenodo.18701303.

Get new notes by email

No tracking, no upsells. One email per post. Unsubscribe instantly.