This call is being recorded for recalibration purposes

I have long been fascinated by the way information technology is distorted by the economics governing its dissemination and commoditization. For example, I think our concepts of digital identity are profoundly affected by the fact that the mainframe era, in which organizations could afford computers while individuals couldn't, preceded the era of personal computers. The result was that the initial paradigms of digital identity (which permeated the thinking both of organizations and of individuals) emanated from the point of view of the organization, not the individual. It will take… a while… to reach a “recalibration” – in which there is a more balanced relationship between individual and organizational identity.

William Heath reports a fascinating example of potential recalibration of technology relations between customer and commercial entities:

Tom S points out a new service which might further help restore the balance of power between Winston Smith and the forces of darkness… it's called Registered Call. The founder, David Hume, says

Six months ago I launched Registered Call Ltd, a call recording service and an online Consumer Complaints Resolution Mechanisms (CCRM) developed primarily to assist consumers experiencing redress difficulties: Users dial an access number and then, when prompted, the number they want to call. A message notifies the called party the call is being recorded. Users can later access their recording from the website and unite with others who dial the same number.

I feel this service could be offered as an open source middleware technology to all intermediaries within the consumer feedback/complaints industry…

Sounds pretty cool. Could Registered Call bridge the “digital divide” issue which UKFeedback will inevitably face? Is it appropriate to use direct recordings of calls to prove service quality points in a constructive way that leads to change?

Quite probably.

Is unambiguous communication possible?

Eric Norlin‘s post about the sixth law asks an interesting question. For those with more than one thing to think about in life, let me restate the law for you:

The Law of Human Integration

The universal identity system MUST define the human user to be a component of the distributed system, integrated through unambiguous human-machine communications mechanisms offering protection against identity attacks.

Eric says:

Of course, being “unambiguous” in that context would be a little tough. Which leads me to my question: i guess i'm hesitating at “unambiguous” – kim how are we supposed to get “unambiguous” about the ceremony of human-machine interaction? Isn't it the ambiguity that has always led to the creativity of unexpected consequences? (the internet, podcasting, nascar, napster, etc) By mapping out ambiguity, aren't we also putting rigidity into a relationship that -by its very history and nature – should be a little ambiguous?

or am i missing something?

I should have made it clear that I'm not commenting about machine-human interfaces in general. I am talking specifically about human-machine communication with respect to the identity system. I totally agree that ambiguity has sometimes led to creativity and unexpected consequences. But we don't need unexpected consequences when figuring out who we are talking to or when revealing personal identification information.

So now the question becomes one of whether we can achieve very high levels of reliability in the communication between the system and its human users.

Last night, flying to the Open Group conference on Identity Management, United Airlines gave me a set of headphones, and I stumbled onto channel 9 – which carried the conversation between the cockpit and air traffic control. Now the conversation on this channel is very important. And technical. And focussed. Participants don't talk about their love affairs or political beliefs – all parties know precisely what to expect from the tower and the airplane – and as a result, even though there is a lot of radio noise and static, it is easy for the pilot and controller to pick out the exact content of the communication. And when things go wrong, the broken predictability of the channel marks the urgency of the situation and draws upon every human faculty to understand and respond to the danger. The limited semiotics of the channel mean there is very high reliability in communications.

And that is exactly what must happen in the human-machine identity interface. We'll come back to this.

Laws of Identity in Korean

ChangHee Lee has written to say he has translated the Laws of Identity so Korean bloggers can participate in this discussion. I think the idea of making the Laws available in as many languages as possible is a great idea.

To build a universal identity system our conversation has to cross all cultural boundaries. So ChangHee's contribution in this regard is really great news.

Motherhood principle

By the way, I forgot to say that I thought Jamie Lewis’ idea of a “motherhood test” for architectural principles was amazingly sensible. By this he means something cannot be an architectural principle if a reasonable person cannot suggest and defend a contrary position. Imagine how many bits will be saved by removing principles that fail this test from slide presentations and planning documents on a world-wide basis! Go forward, my ecological hero!

Parenthetically, this is a wonderful example of something which is unambiguously a principle, rather than a law. It doesn't represent a real-world dynamic bounding a system design. It is more a statement of fundamental intellectual hygiene – like Einstein's principle that things should be made as simple as possible but no simpler.

Starship Lewis hovers over Laws of Identity

Jamie Lewis is getting ready to venture forth on the Laws of Identity:

I’ve been keeping my powder dry, watching and listening to the conversation about Kim’s proposals, but it’s time to jump in.

In large part, I agree with both the intent and content of the laws. Kim is doing a valuable thing, sparking a conversation that needs to occur. As is the case with all things identity-related, however, there are many devils in the myriad details. And I’ve been struggling with how to compartmentalize my thoughts enough to keep any posts about Kim’s ideas from being ridiculously long (as opposed to just long). Since I’m a bit of a stickler about words and semantics, I’ll start there.

On one hand, terms don’t matter as much as solving the problem. On the other hand, terms (and connotation) are crucial. Loaded terms make it harder to understand and communicate how any complex system will evolve because they bring lots of baggage to the party. And communicating is a core requirement to solving the problem.

Jamie's right about this.

Regardless of what you call them, for example, Kim’s proposals cover some important issues that deserve consideration and further discussion. But several folks have reacted to the (minor) conceit that Kim’s proposals are already “laws” (especially when someone at Microsoft is handing them down). The fact that Kim has called his proposals “laws,” though, has been an effective catalyst in getting people to get involved in the discussion. Still, I see what Kim calls “laws” as a set of proposed architecture principles.

Hmmm. This is thoughtful. It is true that what is most important about our discussion – in a practical sense – is the resulting set of architectural principles. And I care deeply about this architecture.

But what makes architecture right? I think it has to do with seizing the inevitable dynamics of the objective world. I think it is useful for me to conceive of, propose and continuously test these dynamics as laws. Of course, that doesn't mean Jamie shouldn't take them as principles.

Principles are important in any architectural discussion. In our own Reference Architecture (which is focused on technical architecture for the enterprise), we establish principles as the foundation for any technical architecture. The principles incorporate the values, organizational culture, and business goals of the enterprise. Therefore, each suggested principle must pass the “motherhood” test, meaning that a reasonable person must be able to suggest and defend a contrary position. (“Security is important,” is not a principle, for example; whereas “we’re willing to use bleeding edge technology” is a controversial principle architects must agree on before they make big decisions.) Once an enterprise sets those principles, it can then drive the technical positions (where you make technology decisions) and templates (which map those decisions into diagrams that illustrate system functions and how they relate).

It seems to me, then, that Kim’s proposing architecture principles for an identity system for the Internet at large. He’s sparking a discussion about the values, culture, and goals that should drive the creation of an Internet identity system, which we obviously need.

That it’s a Microsoft employee doing all of this makes it even more interesting (and gleefully perverse). In subsequent posts, then, I’ll be commenting on Kim’s proposed laws from that perspective, looking at them as a set of architecture principles for an Internet identity system. That perspective may also help others understand the scope of the issues we need to solve.

I really look forward to this.

The Sixth Law

Recently we've been talking about attacks (and potential attacks) on identity information and identity stores. It's important to put these issues in a much broader context.

Over the last months we've heard more than one expert say that phishing and the associated identity attack technology sector is growing an order of magnitude faster than the rest of high technology. If you want to depress yourself, think about it as an expanding market sector. Today everyone knows about phishing. Within the last year it has merited an industry organization with over a thousand members – including all the best banks – and an online site that maintains the latest in information. This is a tipping-point phenomenon.

Everything points to the fact that things are going to get worse before they get better. As all aspects of commercial distribution migrate to the cloud, the opportunity to benefit criminally from digital identity attacks will become continuously greater. At the same time, the international character of the internet offers the technically sophisticated criminal expanding opportunities. And a surfeit of highly gifted and trained individuals in societies with few conventional technology opportunities provides pools of talent in which international crime cartels can invest.

The identity system we have been discussing in this conversation is clearly one of the fundamental technologies needed to counter these threats. But for the same reasons, we must base our thinking on the premise that the identity system itself will be the most attacked component of distributed computing.

Being comfortable with a bull's-eye on your back

I'm totally certain that everyone who braves these pages knows how rife with implications this statement is for all of us who are concerned with identity. But the computer industry as a whole still has a long way to go in understanding how profound these problems are. Here is a not atypical quote from a casual commentator:

2004 was the year the hackers went “phishing” to con us into handing over our online banking details and despite belonging to the species allegedly at top of the food chain, an astonishing number of people obliged.

It's true that some of the ploys have been a little pathetic. But if the effect of those is to convince you that you can easily tell what's real from what isn't, you've been duped already. As an unenthusiastic inspector of identity attacks, I can guarantee that no matter how smart and attentive you are, there are ruses more than capable of torpedoing your self-esteem.

To take a very simple example, suppose you have a browser with an address bar showing you the DNS name of the site you are visiting. And suppose there is a “lock icon” which appears when a “secure connection” is in place. What is to prevent a piece of code running on your machine from overwriting the DNS name and throwing up a fake lock icon – so you are convinced you are visiting one secure site when you are actually visiting another insecure one? And so on.

Of course our usual immediate reaction to this type of problem is to find the most expedient single thing we can do to fix it. In the example just given, the response might be to write a new “safe address bar”. And who am I to criticise this, except that in the end, the proliferation of address bars makes things worse. By inventing one, we have unintentionally made possible the new exploit of getting people to install an address bar with evil intent built right into it. Further, who now can tell which address bar is evil and which one is not?

Beyond compensation and mere tactics

The point I am trying to make is that the new distributed identity system needs to be something other than an “expedient compensation”, something beyond a tactical riposte in the fight for security. And since the identity system has to work on all platforms, it must be safe on all platforms. The properties that lead to its safety can't be obscurantist or derive from the fact that the underlying platform or software still has a small adoption.

Returning to the discussion we've just had about the problems with today's browsers, I would summarize my thinking by saying we have done a pretty good job of cryptographically securing the channel between web servers and browsers – a channel that might extend for thousands of miles. But we haven't done a very good job at all of setting up the two or three foot channel between the browser and the human who uses it. And this is the channel that is attacked by phishers.

No wonder. What identities is the user dealing with as she navigates the web? How well is identity information conveyed to her? Do our systems interface with users in a manner that studies have proven to work? Identity information currently takes the form of certificates. Do studies show that certificates are meaningful to users? What exactly are we doing?

Whatever it is, a real identity system needs us to do a lot better. In particular, the identity system must extend to and integrate the human user.

The Law of Human Integration

The universal identity system MUST define the human user to be a component of the distributed system, integrated through unambiguous human-machine communications mechanisms offering protection against identity attacks.

One of the people who has thought long and hard about these issues is Carl Ellison. He has coined the term Ceremony for interactions that span a mixed network of human and cybernetic system components. Carl worked on this idea when he was at Intel and I interview him about his work here.

Out of the blue

In the last few days, an amazing number of people have written asking me to comment on LID. So the first thing I'll say is that I find it exciting to see a new identity technology proposal arriving – apparently – out of the blue.

I also need to make it clear that although I am working on the Laws of Identity, it is definitely not in the cards for me to play the role of “conformance czar” – issuing compliance stickers to the appropriate technologies. The Laws need to stand on their own.

This said, I will take up some of the ideas put forward by Johannes Ernst, as he has asked me to do, once I've finished the seven Laws. I'll have two goals. The first will be to fully understand all aspects of LID (I will do the same for SXIP, I-Names, Shibboleth, and so on). My second goal will be ongoing clarification of the laws – without favoring one identity technology over any other.

I see my role being to help all identity providers and relying parties align with the laws, and help in the emergence of the “mega meta momma backplane” – what I call the metasystem.

I guess for me the unexpected arrival of LID on the scene serves mostly as an omen of how important it is to build identity on the Law of Pluralism. Which brings me to… the Sixth Law.

A little tiny baby information calamity

I was also glad to see Jamie Lewis blogging about the security breach at George Mason University… The full story is on News.com. Basically,

George Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders.

The attackers broke into a server that held details used on campus identity cards, the university said. Joy Hughes, the school's vice president for information technology, said in an internal e-mail sent over the weekend and seen by CNET News.com that “the server contained the names, photos, Social Security numbers and (campus ID) numbers of all members of the Mason community who have identification cards.”

Jamie had told me recently how much he liked the piece in which I worried that the British Identity Card – as proposed in its initial draft – is an information-disaster-waiting-to-happen. His reaction to the George Mason affair is:

As identity systems aggregate information, they also aggregate risk. And the custodians of those stores must take the proper precautions, including risk and threat assessments and the implementation of a reasonable protection posture.

I love the formulation that as identity systems aggregate information, they aggregate risk. I want to put that into the second law since it is really key to what I was trying to express.

However, as much as I love to see Jamie exuding unbridled optimism – I would be surprised if the custodians had not done risk and threat assessments, or somehow failed to act responsibly to protect the information. So this part rings hollow.

We need to base our approach to these scenarios on the idea that one day, the store will be penetrated. We need then to reduce information in the store to the minimum required. We need to distribute information so breaking into one system gives away as little as possible. And more than anything, we need unidirectional identifiers such that only access to a metasystem allows assembly of cross-aspect information.

For example, there was no need for George Mason's ID system to contain social security numbers. Nor, bizarrely, is there probably any reason for it to contain student identification numbers. It could – I know this sounds primitive – just contain single-purpose identity card numbers. A metadirectory – which itself contained no substantive information – could provide glue to other identification contexts for those who merit it – and on a case by case rather than carte blanche basis. This allows many more controls and balances to be built into the system. (All of this is Law 4)
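As an added illustration (not code from the original post, and not George Mason's system), here is a toy model of the arrangement just described: each store keeps only a single-purpose identifier and the attributes it actually needs, while a metadirectory holding nothing but opaque glue resolves identifiers across contexts case by case. The class names, the HMAC-based derivation and the sample records are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class Metadirectory:
    """Glue only: a secret key, an index of opaque tokens and an audit
    log. It holds no names, photos, SSNs or other substantive attributes."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self._index: Dict[Tuple[str, str], bytes] = {}  # (context, id) -> root
        self.audit: List[Tuple[str, str, str, bool]] = []

    def enroll(self) -> bytes:
        # Opaque root token per person; it carries no attribute at all.
        return secrets.token_bytes(16)

    def identifier_for(self, root: bytes, context: str) -> str:
        """Unidirectional identifier: HMAC(key, root || context). Without the
        key, a card number cannot be turned into a payroll number, and two
        contexts' identifiers cannot be matched against each other."""
        mac = hmac.new(self._key, root + b"|" + context.encode(), hashlib.sha256)
        ctx_id = mac.hexdigest()[:16]
        self._index[(context, ctx_id)] = root
        return ctx_id

    def link(self, from_ctx: str, ctx_id: str, to_ctx: str,
             authorized: bool) -> Optional[str]:
        """Case-by-case cross-context resolution. Every request is logged,
        refused ones included, so 'dribbling' shows up in the audit trail."""
        self.audit.append((from_ctx, ctx_id, to_ctx, authorized))
        root = self._index.get((from_ctx, ctx_id))
        if root is None or not authorized:
            return None
        return self.identifier_for(root, to_ctx)


class ContextStore:
    """One single-purpose store (e.g. the ID-card server). It keeps only the
    attributes this context needs, keyed by this context's own identifier."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.records: Dict[str, Dict[str, str]] = {}

    def add(self, ctx_id: str, **attrs: str) -> None:
        self.records[ctx_id] = attrs

    def dump(self) -> Dict[str, Dict[str, str]]:
        """What an intruder who penetrates this one server walks away with."""
        return dict(self.records)


def demo() -> dict:
    """Constructed scenario: one person enrolled in two separate stores."""
    meta, cards, payroll = Metadirectory(), ContextStore("id-card"), ContextStore("payroll")
    root = meta.enroll()
    card_no = meta.identifier_for(root, "id-card")
    pay_no = meta.identifier_for(root, "payroll")
    cards.add(card_no, name="A. Student", photo="<constructed jpeg>")  # no SSN here
    payroll.add(pay_no, bank_account="constructed-0001")
    loot = cards.dump()  # the card server is breached
    # Nothing in the loot links to payroll: the two identifier sets are disjoint.
    overlap = set(loot) & set(payroll.dump())
    return {"meta": meta, "card_no": card_no, "pay_no": pay_no,
            "loot": loot, "overlap": overlap}
```

The breached card store yields names and photos but no SSN and no identifier usable elsewhere; only an authorized, logged request to the metadirectory can turn a card number into a payroll number.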

George Mason had been moving in the right direction.

Last year, George Mason said it would cease to print Social Security numbers on campus ID cards and would instead generate unique “G numbers” for each student and each member of faculty and staff.

So the SSNs were now redundant (ouch! Law 2). But as if to underline my point,

“We felt that the information there was secure,” George Mason spokesman Daniel Walsch said on Monday.

And now, fasten your seat belts for the obvious:

George Mason is not alone among universities in suffering a security breach. Two years ago, online intruders broke into a server containing the credit card numbers of some 57,000 patrons of a Georgia Institute of Technology arts and theater program, while others lifted more than 55,000 Social Security numbers from computers at the University of Texas at Austin. Last year, more than 1 million California residents had their personal information leaked thanks to a pair of incidents at UCLA and the University of California at Berkeley.

Put these all together, go up to the national scale, make the system available on-line, add every piece of identifying information – physical, biometric, educational, employer-related. Then you have a really nice target – I mean TARGET – don't you? Inside job or outside?

And you can probably just “dribble” a lot of information out of the system before anyone is any the wiser if you have the right background and access.

Interesting times

Last week I mentioned that I had some great links to tell you about. Guess what? That rotten Jamie Lewis has scooped me and with some great postings.

First, there is LID. As Jamie puts it:

The Lightweight IDentity (LID) spec joins SxIP and XRI/XDI in attempting to create systems that empower individuals to manage their digital identity. It uses URLs to point to identity information. It's an update of sorts of the vCard concept and allows users to publish (self-assert) identity info.

According to the LID site, LID is built on:

He also points out that:

Johannes Ernst has a blog where he talks about how LID conforms to Kim Cameron's laws of identity (more later – Kim).

Jamie then goes into considerably more depth here. He also points to an article by Shelley Powers which has to be the first concrete description of using the emerging identity systems – she concentrates on LID and SXIP, with some mentions of I-names and Liberty. I love stuff like this – and hope there will be a lot more of it. Shelley has a lot of energy going here. So I want to forgive her if there is a certain “biff! boom! bah!” in her punch – like when she lands one on me.

She's a ‘bit rough’ on Liberty, which after all has done pioneering work which all of us would like to see expressed in the emerging “mega meta momma backplane”. But I have to admit I was also taken aback when I first read the scenario doc she describes:

Case in point, from the specification there is a possible user scenario, with Joe Self logging on to an airline, who is part of a circle of trust. Once authenticated, in the scenario, Joe is then asked:

Note: You may federate your Airlines, Inc. identity with any other identities you may have with members of our affinity group.

Do you consent to such introductions?

Laughable. I chortled until tears ran down my face. It then continued on from there, with Joe Self being asked to ‘federate his identity’ at various sites within the ‘affinity group’ as he progressed along, just trying to reserve an airline ticket and rent a car – something that can be done in one move, with one click of the button in today’s travel systems.

I think we all know the authors must have meant this as a placeholder – meaning “more research to be done on user metaphor”. But I was wincing when I first read it too – only because I know how difficult these issues are. Anyway, I'll be getting to the issues at play here when I present my 6th law.

Finally there is Shelley's comment on my work on this blog:

I never touch ‘Laws’ as defined by a person or persons with vested interest, regardless of how good they sound.

Fair enough. But I can't imagine anyone who doesn't have some vested interest in what they do. Unconscious motivations are the worst – because you can't take them into account or compensate for them.

I do believe the laws we are discussing here operate equally in everyone's interest. They lead us all toward the identity big bang – a new era of software which is identity-aware. Sure, Microsoft will benefit from that big-time. But so will every thinker, inventor, developer and citizen on the planet, and all the companies, universities and governments with whom they are associated.