Month: December 2004

The Law of Directed Identity

A universal identity system MUST support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

Technical identity is always asserted with respect to some other identity or set of identities. To make an analogy with the physical world, we can say identity is a vector, not a scalar. One special “set of identities” is that of all other identities. Other important sets exist (for example, the identies in an enterprise, some arbitrary domain, or in a peer group).

Entities that are public can have identitifiers that are invariant and well-known. These identifiers can be thought of as beacons, emitting identity to anyone who shows up – and thus being in essence “omnidirectional” (they are willing to reveal their existence to the set of all other identities).

A corporate web site with a well-known URL and public key certificate is a good example of such a public entity. There is no advantage – and in fact a great disadvantage – in changing such a public URL. It is fine for any visitor to the site to examine the public key certificate. It is similarly acceptable that everyone knows the site is there: its existence is public.

A second example of such a public entity is the “polycomm” which looms large in the scenario we chose as a backdrop to the present discussion. The polycomm sits in a conference room in an enterprise. Visitors to the conference room can see the polycomm and it offers digital services by advertising itself to those who come near it. In the thinking outlined here, it has an omni-directional identity.

On the other hand, a consumer visiting a corporate web site is able to use the identity beacon of that site to decide whether she wants to establish a relationship with it. Her system can then set up a “unidirectional” identity relation with the site by selecting a key for use with that site and no other. A unidirectional identity relation with a different site would involve fabricating a completely unrelated key. Because of this there is no handle emitted by conformant identity system technology that can be shared between sites to track or profile her activities and preferences.

Similarly, when entering a conference room furnished with a polycomm, the omnidirectional identity beacon of that polycomm can be used by the owner of a cell phone to decide whether she wants to interact with it. If she does, a short-lived “unidirectional” identity relation can be created between the cell phone and the polycomm – and used to disclose a single music preference without associating that preference with any long-lived identity whatsoever.

It is immediately evident that Bluetooth and other wireless technologies have not so far been conformant with the fourth law. This explains the privacy issues innovators in these areas are currently wrestling with. And it will be obvious to some that public key certificates have been extremely successful to the extent they were used in conformance with the fourth law (public applications). By the same token, they were dismal failures in areas where they were not conformant. We will return to these issues in more detail.

Eric talks about SXIP as Passport redux. I think Dick Hardt, the CEO of SXIP Networks, would have something to say about that. Seems to me the SXIP folks have learned a lot more from Passport than Eric lets on. I don&#39t believe they hold identity information or do authentication directly. They are a registry combined with a browser redirection technology, pointing to a user&#39s identity provider and thus adroitly avoiding the very pitfall articulated in the Third Law. They call themselves the first “distributed public identity network”.

While checking out the link to Dick Hardt above, I saw his interesting posting on the Second Law (somehow I had missed this) and the statement that he was intuitively aware of this law when developing SXIP. I&#39m sure he was also “intuitively aware” of the third law. I think his comment on the various meanings of discrimination is a propos:

This got me thinking that the basis of identity is to enable discrimination. I then realized that the negative, emotional response to universal IDs is a fear of unjustified or undesired discrimination through data correlation. Racism and sexism being the more evocative “isms”. We can “blame” the movie (or book for older people )* 1984 for surfacing this as a fear of the future.

Of course we all want positive discrimination per the Clue Train Manifesto and as Doc Searls promotes he wants in his relationships as a customer.

I want to understand SXIP more deeply. Maybe Dick will help me set it up on my blog for those who are SXIP enabled… That would certainly help me understand it better.

Eric Norin of Ping Identity admits he thinks that Passport was a damn fine idea, but people wouldn&#39t accept it because of the microsoft stigma.

I&#39m at a loss as to how to move the conversation forward here. There are somewhere near 200 million active Passport accounts (unused accounts are swept out, so these numbers represent actual usage). People clearly accept Passport… for dealing with MSN in conformance with the Third Law. “Microsoft stigma” doesn&#39t seem to play much of a role here…

Eric thinks Passport&#39s problems can be explained by bad marketing. I can&#39t even think about the marketing issues, because I think there is something much deeper going on: Passport was very successful when in accordance with the Third Law, and unsuccessful when it was not.

I&#39d like to take a moment to look at what I&#39m trying to achieve with this exploration of the Laws of Identity.

I&#39ve pointed out already that our discussion here is not about the “philosophy of identity” – which is a compelling but entirely orthogonal pursuit.

Instead, I am trying to reveal the set of “objective” dynamics that will constrain the definition of an identity system capable of being widely enough accepted that it can enable distributed computing on a universal scale. I do not propose my laws as “moral imperatives”, but rather as explanations of dynamics which must be mastered to craft such a universal system.

For example, when we articulate the Law of Control, we do so because a system which does not put users in firm control of their own identity will – on day one or over time – be rejected by enough users that it cannot become a universal. The accordance of this law with my own sense of values is essentially irrelevant. Instead, the law represents a boundary defining what the universal identity system must look like – and must not look like – given the many social formations and cultures in which it must be able to operate.

I also say these laws are objective because they pre-exist our consciousness of them. For example, the Law of Fewest Parties predicted what aspects of several real life systems would succeed in spite of the fact that those building the systems were unaware of the law.

The Laws of Identity, taken together, establish many constraints on what a universal identity system can be. The emergent system must conform to all of the laws. Understanding this can help us eliminate a lot of doomed proposals before we waste too much time on them. The first big breakthrough is to understand these laws exist. The second breakthrough comes from daring to wrestle with what they are. In doing this we need to invent a vocabulary allowing us to communicate precisely about them.

I&#39ve been asked why I do not see the Law of Fewest Parties as a simple corollary of the Law of Control. I hope this ontological detour helps explain why. It is true that systems conforming to the Law of Control would reveal to their users that identity information is being shared with some irrelevant party. But the set of parties with whom sharing occurs represents its own boundary on the definition of what a successful system can be. In this sense it has its own content as a determining dynamic, and is a law, not a corollary.

Responding to the Third Law, Dave Kearns asks Is it time for personal directory? He is clearly a long-time champion of this, as am I.

I&#39ve been spending quite a bit of time looking into Dave&#39s long history of serious pieces at NetworkWorldFusion. In terms of personal directory, he did a great series on SMBMeta (proposed by Dan Bricklin of VisiCalc and the seminal Dan Bricklin&#39s Demo Program).

I need to finish off the Laws of Identity but want to come back to this discussion. Dave has made some pretty Kearnesque comments on my investigation of the identity aspects of Bluetooth. Bad news: I&#39m going to come back to them – and not just Bluetooth, but all of wireless networking. But I hope I will get Dave interested too, because I think we can actually get these things fixed and brought into line with the Laws of Identity.

 

OK – my position must seem supercilious – for Craig says:

I didn&#39t miss the point. I nailed it. Passport was never–at least not until now–billed as an experiment. Passport was positioned as the future of Identity infrastructure. This so frightened the industry that a hasty alternative was financed and brought to life–behold–the Liberty Alliance.

Gee – Was I just rewriting history? Airbrush and all? Let me be more specific. I&#39m not talking about ‘billing’.

It was clear to me from day one that Passport was not going to become a universal identity system. But though I expressed my opinions inside Microsoft, I was not directly involved in the Passport or Hailstorm initiatives. In an innovative environment, you often have to go with the flow and let passionate people test their ideas. The testing includes – as you know only too well – positioning. Sometimes passionate people will be right, and sometimes they&#39ll be wrong.

So, I saw Passport as an experiment.

What is incredible is that others in the industry looked at all of this and – being as ignorant of the Third Law as were the very proponents of Passport – they had no understanding that objective factors would stem the tide of Passport for generalized identity purposes.

It is said that this is what gave rise to Liberty. I cede to your analysis here – though I know some of the good people involved and that there were some positive reasons for people to come together as well as negative ones.

Governor James says, “Strange -your feed hasn&#39t been updating in bloglines? I had no idea you had been so busy.” I moved my blog from RadioLand to www.identityblog.com. Does anyone know if there is something wrong with the way I did the transition?

Meanwhile Craig Burton, who can&#39t resist a good line, writes:

You gotta love it when Kim goes off on passport and states a law that makes it obsolete for its supposed original purpose. Of course Kim is so diplomatic that you almost forget that what he is saying is that Passport failed. Further Passport will not be the basis of Microsoft&#39s Identity infrastructure.

I like the drama, but I fear Craig has missed on my main point. Which makes me think I mustn&#39t have been quite clear enough. So let me try again.

Microsoft put a lot of effort into an important identity experiment early in the Internet cycle. As is the case with many projects we undertake when creating new technology, Passport was successful at some things and unsuccessful at others. I try to show it was very successful when in line with the Third Law, and unsuccessful when not in line with it.

But my main point is that there has been an important “learning” here. And it will apply to everyone who wants to get involved with identity. This is full of implications for any party who tries to develop a business plan based on intervention in identity processes

Craig goes on to say:

Think of the implications of this new law. If Microsoft is going to participate in providing infrastructure that meets the criteria of the three laws, it will have to be willing to allow infrastructure that can operate sans Windows. Hmmmm. It could happen.

No. Not it could happen. It really really should happen.

As I promised Marc Canter, I want to see the big bang that will occur in software innovation shortly after we as an industry put in place a new distributed identity fabric open to all and fundamentally respectful of the people using it.

That is what I think the Web Services stack allows us to do – if we can rise to the occasion. Let&#39s do it.

I would like to hear more of Scott Lemon&#39s ideas about how philosophical thinkers can help us figure out ways we can write software that intuits – this is my word and perhaps it is too rhetorical – our identity decisions for us…

I&#39ve heard a number of people talk about intelligent policy engines capable of doing this type of thing, but so far, I haven&#39t seen one I would choose for my own personal use.

I certainly think you can have simplistic policy – configuration, really – that decides things like whether, having once decided to interact with an identity, you want to do so automatcially in the future.

And I can understand policies along the lines of, “Trust the identifying assertions of people recommended to me by Scott for access to my discussion papers”.

And I&#39ll even go along with, “Place items containing the words Viagra or Investment in the Spam folder”.

But in general I have become very suspicious of systems that purport to create policy that affects me without asking me for approval. One of the worst outcomes of such technology is that the user ends up living in a “magical system” – where decisions she doesn&#39t understand are constraining her experience. Our systems need to be translucent – we should be able to see into them and understand what is going on.

But I&#39m probably ranting. I&#39m sure Scott meant that an engine would put forward policy proposals and the user would be asked to approve or reject them.