Carl Ellison Blogging

Carl Ellison, who is a really interesting person from security space, has started to blog. I&#39ve already done some identity interviews with him, and I&#39ll be posting those when I get to the laws to which they pertain. For years Carl worked at Intel. Amongst many other contributions, he was one of the inventors of SPKI (Simple Public Key Infrastructure) – a technology we&#39ll be looking at going forward. Carl now works at Microsoft.

Carl&#39s first comment on the Laws was that the First Law is really a law of privacy, not identity. I disagree – here&#39s why.

To think about identity, you have to think about a system of identity. There really can be no identity outside of the system through which it is defined. The Laws of Identity are – in my view – the laws that make a sustainable system possible. And the Law of Control defines the most fundamental of those requirements. It is true that the effect of the Law of Control is to allow the parties to an identity relationship to achieve privacy. But it is a law of identity just the same.

In a recent post Carl attempts a rigorous definition of identity that is in line with the thinking of SPKI:

I define the identity of person P as being a function not I(P) but rather I(P,O,t) – the identity of P from the point of view of observer O at time t.

This relies on one of the definitions of identity: “The quality or condition of being the same as something else.”

In particular, in this case, the two things that are to be established as the same are:

1. characteristics C about P that O observes at time t


2. O&#39s memories M at time t of P (built over a period of time)

These two sets of information are not matched exactly. O may remember P at an earlier time before P&#39s hair turned white and that characteristic is not to be observed again.

Rather, those two sets of information are compared to find matches and non-matches. As long as the matches constitute enough entropy to rule out all other P’ in the world, then O can conclude that s/he knows the identity of P — assuming the non-matches do not rule out P.

So, if set-intersect(C,M) has enough entropy to specify P uniquely over the entire universe and set-intersect(C,anti(M)) is empty (or can be discounted), then identity has been established. [I&#39m not completely comfortable with the handling of anti(M) and welcome refinements, while I keep thinking about how to fix this formulation.]

This is great thinking. I really like his understanding of the role of memory, the use of a notation for viewpoint and the concept of an intersection set. But there is a flaw – which I hope is just terminology. I(P,O,t) is not the Identity of P, but rather O&#39s view of the identity of P. P emits an identity (and is capable of releasing more than one), and O views it, evaluates it, remembers it We need to separate the perception of something from the thing itself. The finger pointing at the moon is not the moon.

Carl has spent a long time trying to show people what to him is obvious: that O&#39s view of P is what matters to O (as opposed to the assertions of traditional PKI). But let&#39s not dismiss the role of the subject in selecting her identity and choosing what to reveal – which is equally important to the system as a whole. You cannot deal with half of this question. Oh yeah: I call the set-intersect (C,M) “recognition”.

Published by

Kim Cameron

Work on identity.