Introduction

This blog is about building a multi-centered system of digital identity that its users control.  All kinds of things pass themselves off as “digital identity”, so I want to start by pruning enough trees that we can see a forest.

Basic ideas

In these pages, I'll make it clear that digital identity can't be confused with “a unique identifier” like an SSN or a biometric like DNA.  In fact, digital identity can often just convey that you are a member of some group, or possess some characteristic (for example, your profession, employer, citizenship, role or age).  Similarly, it can indicate that you are the same person who visited a site previously – without conveying any personally identifying information.

In other words, digital identity has a complex relationship with flesh-and-blood identity, which I'll call natural identity.  Sometimes we want digital identity to correspond to natural identity, and sometimes we want the two to be isolated, or the knowledge of the connection to be highly controlled.  This has become necessary because the digital world has its own “physics” that is quite different from that of the natural world.  Here space becomes more or less irrelavent and isolation very difficult to achieve, while “now” extends through great slices of time.  The result is not only that our friends and loved ones are closer:  so is every actor, good and bad, and every monitoring device in the world.

This leads us to conclude that digital identity must embrace both being public and being private.  It must provide both anonymity and pseudonymity.  It must embrace being public and being private.  It always exists in a context, and we expect the context to have the same degree of separation we are used to in the natural world, even though space and time no longer serve as insulation.

I'm interested in history and philosophy, and realize philosophers have had much to say about identity, but don't discuss these issues on this blog.  I stick to matters of technology, with the express goal of creating a digital world in which none of the richness of our natural world is lost, so that everything that can be expressed there can be expressed digitally.

A matter of urgency

The Internet was built without a way to know who and what you are connecting to. This limits what we can do with it and exposes us to growing dangers. If we do nothing, we will face rapidly proliferating episodes of theft and deception that will cumulatively erode public trust in the Internet.

As a result, I have undertaken a project to develop a formal understanding of the dynamics causing digital identity systems to succeed or fail in various contexts, expressed as the Laws of Identity. Taken together, these laws define a unifying identity metasystem that can offer the Internet the identity layer it so obviously requires.  They also provide a way for people new to the identity discussion to understand its central issues.  This lets them actively join in, rather than everyone having to restart the whole discussion from scratch.

Those of us who work on or with identity systems need to obey the Laws of Identity.  Otherwise, we create a wake of reinforcing side-effects that eventually undermine all resulting technology.  The result is similar to what would happen if civil engineers were to flaunt the law of gravity. By following them we can build a unifying identity metasystem that is widely accepted and enduring.

Reading these Laws will give you the introduction you need to understand the rest of this site.  They are available in five formats:

Browser versionPrintable PDF.  WordDIDW powerpoint

If you can't read the paper, you can look at  the laws in point form – as long as you promise to remember that you won't understand what I'm saying without returning to the paper when you have time.

Published by

Kim Cameron

Work on identity.

3 thoughts on “Introduction”

  1. Got here because I attended the 2008 Microsoft Technical Summit in Seattle last month. Looking at CARDSPACE or OPENID for several projects I am working on. Actually logging into this blog using a CARD on my LAPTOP.

  2. Kim, wondering about the enterprise context here. Policy Decision Points and Policy Enforcements points are getting a lot of interest from large enterprise customers. My sense is that they are on the path to the nirvana of an identity metasystem, but I would be very interested in your thoughts as to their utility in the near to medium term. Cisco's Securent seems to be getting a lot of attention lately.

  3. Kim – best wishes for the future. Cyber identity needs your vision and insight more now than ever, so hope you remain engaged – can't imagine that you would retire completely.
    Kind Regards,
    Patrick

Comments are closed.