What is a digital identity?

Geek CEO Glenn Reid, who not only created iMovie and iPhoto while at Apple, but later canonized Marc Canter as shown at right, has pointed out how weird it is that someone would do the laws of identity without ever stopping to define what identity was for – or what it was. I certainly understand how this could be maddening – though I hope he returns to visit because, having given up on us, his intuitive musings have already led him into some pretty frightening simplifications – for example, that identity is “a single, global, unique credential”. He credits RSA with having given him this idea, which is something for all of us to ponder, especially RSA.

Colleagues involved in identity issues allowed me to avoid such basic duties. Why? Probably for the same reason I initially shied away from them: we knew from previous experience that it was important to establish a practical context before getting caught up in long-winded discussions of what identity was.

With the laws behind us, we can hardly continue to argue lack of context… We need a working definition of digital identity for the unifying metasystem we have described.

What I would like to do here is again separate the technological aspects of digital identity from the philosophical and legal aspects of identity – even as it relates to the digital world. I'll try to show that if we get the technological definition right, we end up being able to express whatever social (and ontological) relations we want to. This is the opposite of the way the problem has normally been approached.

For example, in their important 1998 paper, Digital Identity in Cyberspace, a group of students of Hal Abelson and Lawrence Lessig argued and then proceeded to demonstrate that “it is difficult to craft a formal definition of identity.” Not only, according to them, was the formal definition hard, but to the extent they achieved one, it did not translate into anything crisp at the practical level:

“In practice there is a degree of fuzziness to the definition of an entity's identity…”

The paper should be read again in 2005; it is brilliant for posing many crucial questions even if, in my view, it was not able to answer many of them. My thinking on these issues doesn't matter much… I leave those who would have us pursue a less pragmatic approach to take up where the Digital Identity in Cyberspace paper leaves off, and see if they don't end up meeting us at our technological destination.

Hold the trumpets…

In the meantime, hold the trumpets. Here is a simple working proposal (which I don't claim is novel) that I think allows a great many problems to be solved:

A digital identity is a set of claims made by one digital subject about itself or another digital subject.

It is clearly impossible for me to compare and contrast this definition with all those which have been given – perhaps readers familiar with good definitions can help me out in this regard – we could compile a cross-reference. But I can try to cover a few. For example, let's take a walk through a few of the top definitions that come up on google. The winner is… Digital ID World and its What is Digital Identity page:

“A Digital Identity is the representation of a human identity that is used in a distributed network interaction with other machines or people.”

Well, let me start by congratulating Digital ID World for “reaching out” to readers with its definition – they do such good work. But it can be seen that our definition, while perhaps not suited to the newcomer, works well as a scaffolding for the identity metasystem, and can encompass DIDW's definition as well as many others without being vapid or imprecise.

How do you “represent” a human identity in a “distributed network interaction”? Clearly you need a way for one entity to be able to “say” something about another. This is what we mean by a “set of claims”. DIDW talks about a human identity – we broaden this to a digital subject which may or may not be human. We must do this because the human subject “speaks through” channels which exist in entities about which other claims can be made. DIDW talks about a distributed network interaction. But like most other aspects of reality, there is a fractal continuum between the macroscopic and the microscopic, so that all the problems of the network actually exist, for example, within a single machine, where process and thread separation might also be best described through sets of claims. None of this is a criticism of DIDW's definition – I'm just explaining why we need a definition which allows us to solve as many aspects of the problem as possible.

Another top google hit is Unisys World's Self-service identity management: What, why and how? Here we read:

A digital identity is a combination of credentials that manages a computer user's authentication, authorization and access rights.

Here we see a lot of specified usages of digital identity mixed into a very narrow definition… But once again the metasystem definition works well and embraces it: a set of claims can certainly include a combination of credentials. Credentials is another word which I think needs definition… but that is for another day.

A little further down we come to SwissSign Certificate Services. Their definition is as follows:

A digital identity is the combination of the cryptographic keys and the certificate. A digital identity is a file, stored on a hard disk or some other external device (ex: Smartcard, USB-Token).
The cryptographic keys, is what it is all about. You could consider the certificate as the packaging for the keys which allow for verifying the validity and, to a certain extend, the correctness of the information.

This definition “combines” the mechanism for “proving” the set of claims and the claims themselves (here contained in a certificate) and additionally manages to complicate things further by introducing the issue of trust. I prefer to tease these apart, on the basis that there are two quite different questions to consider: What are the claims; and Do I believe them? So the fact that someone has a given public key represents one of the simplest possible claims, and the proof of this needs to done through cryptography – perhaps a signature on the claim. Our definition supports this hyper implementation-specific definition, but also allows the claim and the proof to be based on totally different mechanisms. The “A digital identity is a file…’ thing doesn't quite work with our definition, and I think this is a good thing, since it seems pretty strange. But of course, the claims could be put in a file…

Next I come to PC magazine, quoting James Kobelius:

‘Digital identity refers to the set of digital information—including user IDs, passwords, access control lists, public-key certificates, and voiceprint patterns—that is associated with a particular individual.”

I'm not sure access control lists really belong in this sentence – or that James was quoted correctly – but even if they did (and he was), it would fit with the claims-based defintion given above.

Next in the google list is Johannes Ernst's Digital Identity Terminology Mess page. Talking about identity, rather than digital identity, he says:

Any person has identity. It allows us to say “it was him who was hit by the truck, thus it is him who is dead and not somebody else”.

This reminds me of a live report I watched on TV in which a man with a gun had been shot dead by police at the Los Angeles airport. I remember a detective standing beside the body and saying, “Nothing is known of the man's identity.” It was quite clear that he was dead, and not someone else, but this did not in any way help the investigator. Incredibly, the claims about the man seemed to be even more important than his body.

Johannes goes on to say that digitial identity is the same as any other identity except it “occurs in cyberspace’. So again, I think that our claims-based defintion of identity is inclusive of that given by Johannes.

Published by

Kim Cameron

Work on identity.