What is a claim?

In the interests of completeness, now that we have defined “digital subject”, let's define “claim”. At the same time I will explain why I have used the word “claim” where others might have said “security assertion” or just “assertion”.

Again, according to the OED, an assertion is a “confident and forceful statement of fact or belief”. On the other hand, a claim is “an assertion of the truth of something, typically one which is disputed or in doubt”.

It is interesting that systems deriving from the X.500 and X.509 standards – including LDAP – have employed the term “attribute value assertion” (abbreviated AVA) to describe the mechanism by which the attributes of an object are presented. Those systems were thought out from the vantage point of the “administrative domain” making the assertions; Active Directory's LDAP engine was built along this model. So indeed, information is stored in the directory, which later “confidently and forcefully” presents it to the digital subjects of the domain, either through queries or through associated protocols like Kerberos.

When all subjects subscribe to the same administrative authority, and the trust boundaries are extremely clear and well defined, it makes sense to employ a metaphor based on confidence and force. But in evolving from a closed domain model to an open, federated model, the situation is transformed into one where the party making an assertion and the party evaluating it may have a complex and even ambivalent relationship. In this context, assertions must always be subject to doubt – not only doubt that they have been transmitted from the sender to the recipient intact, but also doubt that they are actually true. We need to incorporate the insights of SPKI. We must always favor the vantage point of the relying party.

The word “claim” – taken as “an assertion of the truth of something which is … in doubt” – grasps the subtleties of the federated world by adding the right dose of doubt to any assertion being made, and effectively reminding us to surface this doubt in our implementation.

What is a digital subject?

In discussing my definition of a digital identity, Stefan Brands has asked, “What is a digital subject – and why not an entity in general?” A great question.

Let me quote from the Oxford English Dictionary. A “subject” is “a person or thing that is being discussed, described or dealt with.” “Digital” means “relating to or using signals or information represented by discrete values of a physical quantity.” So I interpret “digital subject” as a “person or thing represented or existing in the digital realm which is being described or dealt with”. “Dealt with” is a great concept, and pertains to much of what we do in computing.

I think it is essential – not optional – to make it clear that the digital world includes many things which need to be “dealt with” other than humans. First and foremost are the devices which allow us to penetrate the digital realm, and the digital resources which attract us to it. Beyond that are policies and relationships with other digital subjects (e.g. between humans and devices or documents or services). These policies and relationships are then themselves things that must be dealt with.

The OED goes on to define subject, in a philosophical sense, as the “central substance or core of a thing as opposed to its attributes”. I take “attributes” precisely as characteristics which are expressed in claims, so from this point of view, also, “subject” is the perfect word.

As for “entity”, the OED defines it as “a thing with distinct and independent existence”. The independent existence of the thing is a moot point here – it may well be an aspect of something else. Instead, what is most important about the entity is that it is being dealt with by some relying party and thus claims are made about it. So “subject” is a better word than “entity”.

Catching up on the British Identity debate…

Britain's The Register reports that the current British Identity Card proposal is likely to “bite the dust” because of the impending election and resistance by opponents in the House of Lords. The Scottish Parliament has also apparently lined up against the ID scheme. Meanwhile, the Tory party seems set to withdraw support, with one group of Tories attacking the scheme as a “con trick”. Another headline reads, “UK gov ready to u-turn on passport-ID card link?”.

This is all more writing on the wall. Governmental authorities should come together with privacy advocates and those in the software industry who understand advanced identity technology alternatives. Together, we should propose systems which can be shown to protect the privacy of citizens and reduce the risk of identity theft – while serving the needs of government, individual citizens, business and community organizations for a safer and more capable Internet.

On the Identity Trail

[Image: fade_90.gif]

Thanks to Stefan Brands for pointing us to On the Identity Trail – a really interesting blog on “Understanding the importance and impact of anonymity and authentication in a networked society”. It sports the “animated fingerprint” shown here (Warning! Don't look at it for too long!) and in addition to Stefan, the group includes luminaries ranging from Steve Mann to Ann Cavoukian, the Information and Privacy Commissioner for the Province of Ontario.

Researcher Alex Cameron blogs beautifully about the recent conference held by the group in Ottawa, Canada. I really wish I'd been there.

As great as Alex's coverage is, I hope they'll post a podcast. Maybe Steve Mann has a complete three dimensional recording back at his central base.

While I'm at it, thanks to Stefan for emailing me to correct my impression that the Digital Identity paper referred to here was written by Abelson and Lessig themselves, rather than by their students. As he says, it doesn't make the paper any less interesting – but I'm actually relieved to discover that Lawrence Lessig was not an author.

Stefan has been doing some excellent postings and I am trying to find some time to give them the attention they definitely deserve. I guess I'll have to start with his interesting comments on the definition of digital identity I put forward in my last post.

What is a digital identity?

Geek CEO Glenn Reid, who not only created iMovie and iPhoto while at Apple, but later canonized Marc Canter as shown at right, has pointed out how weird it is that someone would do the laws of identity without ever stopping to define what identity was for – or what it was. I certainly understand how this could be maddening – though I hope he returns to visit because, having given up on us, his intuitive musings have already led him into some pretty frightening simplifications – for example, that identity is “a single, global, unique credential”. He credits RSA with having given him this idea, which is something for all of us to ponder, especially RSA.

Colleagues involved in identity issues allowed me to avoid such basic duties. Why? Probably for the same reason I initially shied away from them: we knew from previous experience that it was important to establish a practical context before getting caught up in long-winded discussions of what identity was.

With the laws behind us, we can hardly continue to argue lack of context… We need a working definition of digital identity for the unifying metasystem we have described.

What I would like to do here is again separate the technological aspects of digital identity from the philosophical and legal aspects of identity – even as it relates to the digital world. I'll try to show that if we get the technological definition right, we end up being able to express whatever social (and ontological) relations we want to. This is the opposite of the way the problem has normally been approached.

For example, in their important 1998 paper, Digital Identity in Cyberspace, a group of students of Hal Abelson and Lawrence Lessig argued and then proceeded to demonstrate that “it is difficult to craft a formal definition of identity.” Not only, according to them, was the formal definition hard, but to the extent they achieved one, it did not translate into anything crisp at the practical level:

“In practice there is a degree of fuzziness to the definition of an entity's identity…”

The paper should be read again in 2005; it is brilliant for posing many crucial questions even if, in my view, it was not able to answer many of them. My thinking on these issues doesn't matter much… I leave those who would have us pursue a less pragmatic approach to take up where the Digital Identity in Cyberspace paper leaves off, and see if they don't end up meeting us at our technological destination.

Hold the trumpets…

In the meantime, hold the trumpets. Here is a simple working proposal (which I don't claim is novel) that I think allows a great many problems to be solved:

A digital identity is a set of claims made by one digital subject about itself or another digital subject.

It is clearly impossible for me to compare and contrast this definition with all those which have been given – perhaps readers familiar with good definitions can help me out in this regard – we could compile a cross-reference. But I can try to cover a few. For example, let's take a walk through a few of the top definitions that come up on Google. The winner is… Digital ID World and its What is Digital Identity page:

“A Digital Identity is the representation of a human identity that is used in a distributed network interaction with other machines or people.”

Well, let me start by congratulating Digital ID World for “reaching out” to readers with its definition – they do such good work. But it can be seen that our definition, while perhaps not suited to the newcomer, works well as a scaffolding for the identity metasystem, and can encompass DIDW's definition as well as many others without being vapid or imprecise.

How do you “represent” a human identity in a “distributed network interaction”? Clearly you need a way for one entity to be able to “say” something about another. This is what we mean by a “set of claims”. DIDW talks about a human identity – we broaden this to a digital subject which may or may not be human. We must do this because the human subject “speaks through” channels which exist in entities about which other claims can be made. DIDW talks about a distributed network interaction. But like most other aspects of reality, there is a fractal continuum between the macroscopic and the microscopic, so that all the problems of the network actually exist, for example, within a single machine, where process and thread separation might also be best described through sets of claims. None of this is a criticism of DIDW's definition – I'm just explaining why we need a definition which allows us to solve as many aspects of the problem as possible.

Another top Google hit is Unisys World's Self-service identity management: What, why and how? Here we read:

A digital identity is a combination of credentials that manages a computer user's authentication, authorization and access rights.

Here we see a lot of specified usages of digital identity mixed into a very narrow definition… But once again the metasystem definition works well and embraces it: a set of claims can certainly include a combination of credentials. Credentials is another word which I think needs definition… but that is for another day.

A little further down we come to SwissSign Certificate Services. Their definition is as follows:

A digital identity is the combination of the cryptographic keys and the certificate. A digital identity is a file, stored on a hard disk or some other external device (ex: Smartcard, USB-Token).
The cryptographic keys are what it is all about. You could consider the certificate as the packaging for the keys which allow for verifying the validity and, to a certain extent, the correctness of the information.

This definition “combines” the mechanism for “proving” the set of claims and the claims themselves (here contained in a certificate) and additionally manages to complicate things further by introducing the issue of trust. I prefer to tease these apart, on the basis that there are two quite different questions to consider: What are the claims; and Do I believe them? So the fact that someone has a given public key represents one of the simplest possible claims, and the proof of this needs to be done through cryptography – perhaps a signature on the claim. Our definition supports this hyper implementation-specific definition, but also allows the claim and the proof to be based on totally different mechanisms. The “A digital identity is a file…” thing doesn't quite work with our definition, and I think this is a good thing, since it seems pretty strange. But of course, the claims could be put in a file…
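To make the two questions concrete, here is an added Go sketch (mine, not code from the post or from any of the vendors quoted) that keeps the proof separate from the claims: an issuing subject signs a claim set, Intact answers only “did this issuer make exactly these claims?”, and a relying-party TrustPolicy answers “do I believe them?”, which is the relying-party vantage point argued for in the “What is a claim?” section. The structures, names and the choice of Ed25519 are my assumptions; nothing on the page specifies them.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Claim is one statement an issuing subject makes about a digital subject.
type Claim struct{ Subject, Attribute, Value string }
// ClaimSet is a digital identity in the post's sense: claims plus the subject
// making them (Issuer = hex Ed25519 public key). Signature is the proof,
// carried alongside but excluded (json:"-") from the bytes that are signed.
type ClaimSet struct {
	Issuer    string
	Claims    []Claim
	Signature []byte `json:"-"`
}

// TrustPolicy: issuer id -> attributes the relying party believes from it.
type TrustPolicy map[string]map[string]bool
// Sign has the issuer assert a set of claims and attach its proof; the signed
// bytes come from encoding/json, which emits fields in declaration order.
func Sign(priv ed25519.PrivateKey, claims []Claim) ClaimSet {
	pub := priv.Public().(ed25519.PublicKey)
	cs := ClaimSet{Issuer: hex.EncodeToString(pub), Claims: claims}
	msg, _ := json.Marshal(cs)
	cs.Signature = ed25519.Sign(priv, msg)
	return cs
}
// Intact answers only "did this issuer make exactly these claims?";
// a valid signature does not make a claim true.
func Intact(cs ClaimSet) bool {
	pub, err := hex.DecodeString(cs.Issuer)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	msg, _ := json.Marshal(cs)
	return ed25519.Verify(ed25519.PublicKey(pub), msg, cs.Signature)
}
// Accept answers "do I believe them?": only intact claims whose issuer the
// relying party trusts for that attribute are kept.
func Accept(p TrustPolicy, cs ClaimSet) []Claim {
	if !Intact(cs) {
		return nil // unverifiable claims are not even considered
	}
	var out []Claim
	for _, c := range cs.Claims {
		if p[cs.Issuer][c.Attribute] {
			out = append(out, c)
		}
	}
	return out
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	cs := Sign(priv, []Claim{{"alice", "age-over-18", "true"}, {"alice", "nickname", "al"}})
	policy := TrustPolicy{hex.EncodeToString(pub): {"age-over-18": true}}
	fmt.Println(Intact(cs), Accept(policy, cs)) // true [{alice age-over-18 true}]
}
```

The “nickname” claim is dropped not because its signature fails but because the relying party has chosen not to believe this issuer about that attribute, which is exactly the doubt the post wants surfaced.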

Next I come to PC magazine, quoting James Kobelius:

“Digital identity refers to the set of digital information—including user IDs, passwords, access control lists, public-key certificates, and voiceprint patterns—that is associated with a particular individual.”

I'm not sure access control lists really belong in this sentence – or that James was quoted correctly – but even if they did (and he was), it would fit with the claims-based definition given above.

Next in the Google list is Johannes Ernst's Digital Identity Terminology Mess page. Talking about identity, rather than digital identity, he says:

Any person has identity. It allows us to say “it was him who was hit by the truck, thus it is him who is dead and not somebody else”.

This reminds me of a live report I watched on TV in which a man with a gun had been shot dead by police at the Los Angeles airport. I remember a detective standing beside the body and saying, “Nothing is known of the man's identity.” It was quite clear that he was dead, and not someone else, but this did not in any way help the investigator. Incredibly, the claims about the man seemed to be even more important than his body.

Johannes goes on to say that digital identity is the same as any other identity except it “occurs in cyberspace”. So again, I think that our claims-based definition of identity is inclusive of that given by Johannes.

Lawmakers Target Consumer-Data Privacy

Here is an interesting article in eWeek. To me it is one more report on how “bad process” leads to “social reaction” with deep technological implications for the topology of identity systems:

Lawmakers’ renewed urgency is being fueled largely by the recent security blunder at data warehouse vendor ChoicePoint Inc.

The incident, which illustrates the kind of damage many privacy-law advocates have long feared, is spurring legislators to take a new look at data privacy initiatives that died in the last session of Congress.

ChoicePoint, based in Atlanta, disclosed earlier this month that scammers accessed information on more than 145,000 consumers, including Social Security numbers and credit histories.

In a separate incident, thieves stole some of Science Applications International Corp.’s computers, which contained lists of SAIC shareholders, including their addresses, phone numbers, stock holdings and Social Security numbers.

Following requests from minority leadership last week, Sen. Arlen Specter, R-Pa., chairman of the Senate Judiciary Committee, said he would hold a hearing on the ChoicePoint incident.

Two of the Senate's leading champions of privacy rights, Patrick Leahy, D-Vt., and Dianne Feinstein, D-Calif., called for an investigation.


Anti Phishing embraces Anti Pharming with a Great Report

[Image: phish-dec04.jpg]

The Anti Phishing Working Group now includes Pharming on its web site. However, so far it has not changed its name to the “Anti Phishing and Pharming Working Group” – which is definitely a good thing. Anyway, the site says “Pharming uses the same kind of spoofed sites, but uses malware/spyware to redirect users from real websites to the fraudulent sites (typically DNS hijacking). By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince recipients to respond to them.” I think it would be wise to add attacks on DNS itself to this definition.

The Group has posted its report for December 2004, and I give it FIVE STARS. It goes way beyond counting incidents and into analysing trends. Email phishing had a 24% month to month growth rate since August (how's that for a CAGR?). The number of brands attacked grew as well (expanding into new markets, too).

“The number of reported hijacked brands grew again to 55, including nine brands first reported this month, eight of them financial institutions. This brings the total number of brands that have reportedly been hijacked to 131 since the APWG began examining phishing trends and reporting findings in November of 2003.”

[Chart: countries.JPG]

There is an analysis of hijacked brands by industry sector, as well as a sobering chart pointing to the international dimensions of the problem.

The report includes an examination of a sample malware attack – a significant contribution in helping people understand the attacks to which an identity system will be subjected.

One of the main goals of a unifying identity system for the Internet is to mitigate these attacks. But let's be clear. If it succeeds at this it will become the new prime target of Internet crime. It must be designed from the start to withstand such attacks, using technology flexible enough to evolve faster than that of the attackers.

Put another way, it can be neither an “expedient hack” nor an unchangeable monolith. I've just begun to understand how the metasystem characteristics we have been discussing relate to achieving the flexibility needed by a component which is under continuous and escalating attack. This, in turn, testifies to the wide applicability of the fifth and sixth laws of identity.

School Test Busted for Breaking Laws

Guess what? The Sutter School RFID trial has been brought to a halt. This outcome was predictable given that this particular deployment broke two laws of identity.
Thanks to Greg Lucas at SFGate.com for bringing us the latest on this story. His article begins as follows:

This display of the radio-frequency identification badge ...

Sutter, Sutter County — Bowing to objections from some angry parents, the Brittan School District's board has decided to temporarily halt its practice of making students wear identification badges with tiny transmitters that tell teachers when pupils are in class.

InCom, a company in Sutter, had been testing a system designed to ease teachers’ attendance-taking by using radio signals beamed from identification badges worn by seventh- and eighth-graders.

The company said Tuesday at a school board meeting that it was ending the test, though the system had been turned off since a board meeting on Feb. 8 at which several parents, backed by the American Civil Liberties Union, said the badges violated their children's privacy rights.

“I'm disappointed we didn't have an opportunity to go through with this test,” said board member Russ Takata. “Anything to make a classroom or teacher more efficient needs to be looked at.”

InCom said it deleted the data collected from its testing, which began in January. (Read more here.)

I'm not convinced InCom really looks at markets as conversations… yet. For example, RFID Journal reports Jim Alhers, InCom's VP of Operations, as saying:

“InCom is being flooded with e-mail messages and calls from schools administrators across the country that are interested in testing the product, but InCom has no new trials scheduled at this time.”

“Most of the schools that are contacting us with requests for pilots have already issued picture IDs to students, so that part of the program won't be a problem… InCom will recommend to any school it works with in the future that parents be made aware of the use of RFID before the pilot begins.”

“Making people aware” is better than just putting the tags around the kids’ necks. But it would be better to fully understand the Law of Control. And it would be really great if they turned their attention to the opportunities that would open up by embracing unidirectional identifiers for an application like this one, where public identities are not suitable (fourth law).