Here is a piece Jon Callas (CTO and CSO of the PGP Corporation) sent to the “idworkshop” list recently. I am often asked to speak about “identity management”, but the truth is, I don't actually know what people want me to discuss when they make such a request. My working hypothesis has become that there are different aspects of identity management, rather than different definitions of it, and that people tend to concentrate on some aspect central to their current concerns. Having a formal definition of these aspects, along the lines suggested by Jon, would help a lot. This would be especially true if they had names we could agree on, numeric identifiers probably not being adequate in the long run…
When I first started hearing the term “identity management” show up at security conferences, I made a habit of going up to anyone offering products or services that they called “identity management” and asking them what identity management is. I found that there were two different things called identity management. I also started ending up at various fora where “identity management” was discussed. I pointed out that identity management was not one thing, but two. Then I found a third. Then a fourth.
At Financial Cryptography 2006, I was on a panel on identity management. I opened up the discussion with level-setting. Part of that level-setting was to describe these different types of identity management that are often related, but are still distinct.
At the last IIW, I found that the vagueness was all over there. At Monday's first session, E.E. Kim told us first that identity management is what I call IM(4), but then Paul Trevithick talked explicitly about what I call IM(2) and IM(1). My notes say that he was most emphatic that IM *is* IM(1). At various times in the workshop I heard people unknowingly talking about IM(i) and IM(j) at each other. Others would start with one and slide into another in a paragraph.
This week, I was at another security conference and one of the keynotes was by Ken Watson of Cisco and he spoke at length about the need for good identity management, but he was talking mostly about IM(3), with IM(2) being secondary and IM(1) being implied. We're not using the same language, even though we're all talking about more or less the same thing.
I think it's important to know that there are at least four things that are identity management, and maybe more. Here are my four, taken from my March slides at FC2006, with some added commentary:
* Identity Management (1)
  – Traditional security notions of identification, authentication, authorization, reputation, etc. Oftentimes a “PKI.” Often times
The very first IM systems I played my little Socratic game with were PKIs and AAA systems re-labeled as “IM.” There was, in fact, no change in what the product was from the previous year. It was merely marketing spin.
* Identity Management (2)
  – Mechanisms to reduce the annoyance factor of the above. Oftentimes a “Single Sign-On” system or password
I consider these distinct, because at the same time I started seeing PKIs relabeled as IM, there were SSO systems relabeling themselves as IM. While the *concepts* are related, as I note, the *systems* were distinct. Also, when I interviewed people, some people would say, “Oh, IM is really PKI” and others would say, “Oh, IM is really SSO.”
Furthermore, the systems they were building were distinct.
* Identity Management (3)
  – Database management systems to facilitate accurate, speedy updates. Oftentimes, a human-resources system that keeps track of phone numbers, titles, building access, parking places, conference room reservation, “metadirectories” etc.
This is the most recent addition to my taxonomy, but I number it 3 here, because it is taxonomically related. I know of a couple of places in which a security company that did not call its PKI or AAA system IM acquired or built the entity management systems and started calling that addition “identity management.”
* Identity Management (4)
  – Marketing systems that keep track of preferences, buying habits, loyalty programs, and so on so as to effectively send people ads that won't annoy them. Much.
  – Note that this is the most different of the types, but still
  – Also note that in this form, Alice does not own her
  – Important because it is closest to the colloquial definition of
  – It is the outside world's perception of who you are.
This is the type of IM that first got me to make a taxonomy. I had noted that IM1 and IM2 are not the same thing, but because the companies that do each are across the aisle at the RSA or CSI trade show, I just rolled my eyes at the sloppy language use.
When I was at an early spam-fighting conference in 2002, I detected groups of us not communicating. That turned out to be because there were the security people all talking about IM1, and the direct marketing people talking about IM4. We had to have a reset when I finally realized that when they talked about solving spam through IM, they did not mean what we meant. They wanted to make sure you never got an unwanted advertisement, and thus there would be no spam. Argue if you want, but not with me, please.
The very definitions of “identity” were different. If I take the definitions Paul Trevithick gave us on Monday, my group, the security group, was talking about what he talked about as “identity” (claims about oneself) and the marketing people were talking about “reputation” (claims others make about you). This doesn't exactly follow, because they wanted you to make claims about yourself that they will then tune. Nonetheless, it's important to understand both the imprecise language and that the terms have somewhat separated out, but are not exact.
However, I believe that it's important for us to be able to make these distinctions. We're not going to get anywhere without recognizing that IM1 != IM2 != IM3 != IM4, despite them forming a smear. I numbered them the way I did because fortunately, IM3 is related to IM2 and IM4, but not much to IM1. IM4 is somewhat close to IM3 but not much at all to IM1 and IM2. They do, thank heavens, form a spectrum.