Category: Identity

Bill Barnes suggested it might be possible to simplify the 7th law to this:

The unifying identity metasystem must make it easy for humans to make fully informed identity choices in the course of interacting with relying parties.

I see this as an important practical corollary of the law. But the law implies more.

• First, we need a system in which different identities (and kinds of identities) are reified (represented as “things”) in a consistent way, so the user can easily conceptualize and enumerate different identities, and select the right one for a given context. So from the point of view of the user the identities need to represent a harmonious set.
• Second, the relying party should be able to switch between different kinds of identities as needed with no technical or programming overhead, even if the identities are based on completely different technical systems and tokens – so from the point of view of the relying party, the identities again constitute a harmonious set

Thus we say:

The unifying identity metasystem MUST facilitate negotiation between a relying party and user of a specific identity – presenting a harmonious human and technical interface while permitting the autonomy of identity in different contexts.

Today's RFID tags include a fixed (read-only) omnidirectional identifier plus some rewritable memory. As explained in our discussion of the fourth law, the omnidirectional identifier means any party can obtain the identifier and collaborate with other parties about it. This means it is suitable for identifying public entities. Industry spokesmen have said the range of the tags is a maximum of 15 feet.

Tags are smaller than a nickel (basically the size of a drop of crazy-glue) and cost less too. They are already being added to packaging by retailers to keep track of inventory. But recently FutureSalon sent me to a piece by news.com's Robert Lemos about a security expert demonstrating how easily the tags “could be abused by hackers and tech-savvy shoplifters”. The expert, Lukas Grunwald, also said:

“While the technology mostly threatens consumer privacy, it could allow thieves to fool merchants by changing the identity of goods… This is a huge risk for companies, It opens a whole new area for shoplifting as well as chaos attacks...”

When RFID technology was evolving, expensive RFID reader hardware and hard-to-use software hindered security research. But in July, Mr. Grunwald announced a software tool called RFDump that can be used to read and reprogram radio tags. The software is available here.

Writer Robert Lemos pointed out:

“When such tools become widely available, hackers and those with less pure motives could use a handheld device and the software to mark expensive goods as cheaper items and walk out through self checkout. Underage hackers could attempt to bypass age restrictions on alcoholic drinks and adult movies, and pranksters could create confusion by randomly swapping tags, requiring that a store do manual inventory.”

It seems to me that users of RFID can get around some of these problems just by signing the writable data – implying the need to store a little extra data on the chip. This isn't hard since the signatures don't need to be calculated or understood by the tags or readers – only by the application software using the information. Further, the size penalty in bytes depends on how hard you want to make it to crack the signature. You don't need a scheme that costs a billion dollars to crack when protecting the RFID tag on a one dollar razor blade. You just need a scheme that costs at least a dollar per crack. And that isn't very many extra bytes.

Even the chaos attacks can be countered by storing data about the objects in a database where RFID fixed identifiers serve as lookup keys, rather than in writable memory on the tag. And finally, one summer's day when Moore's law has had more time to beautify the planet, RFIDs will be able to support unidirectional identifiers – they will just become invisible to the unauthorized.

Meanwhile, I was looking for the reader supported by RFDump and came across another related product. Guess what? Kiss the 15 foot range concept goodbye:

“Scanpak's RFID Kit contains a new wave of readers and tags developed using active technology. The readers, with a reading range of up to 200 meters, are the most advanced of their kind in the market today. The tags are available with an additional sensor output (light, pressure, temperature, weight). For more info, click here.”

Gee, does that mean a hacker can reprogram an entire shopping center from her seat in the Food Court? How will even the strongest of us ward off the temptation to “bring about” a 100% reduction in outfits by Comme des Garcons?

How do RFIDs relate to the laws?

Clearly the owner of an item has the right to deem it to be “public” – and to track it with an omnidirectional identifier. The question people are asking is, “What happens when it is sold?”. Everyone agrees that the new owner acquires the right to control the identifier. The point in public debate is whether it is incumbant on a retail seller to disable such identifiers at check-out time.

Applying our laws, when an RF tag comes into the possession of an individual user, it becomes an identifier for that user, and thus must not be released without the user's explicit consent (the first law of identity). That means it needs to be disabled unless the user explicitly approves its continued use. Further, the fourth law implies the user must be made aware this kind of identitifier can be detected by any interested party within… 200 meters.

A Global RFID Identity Infrastructure

For those, like me, who only check in on RFID from time to time, some relatively new documents are available at EBC Global Inc., which has now replaced Auto-ID Center. EBC Global is responsible for the Global Data Synchronization Network and the EBC Global Network. The former is a kind of UDDI for classes of things that get RFIDs slapped onto them. The latter is a world-wide object tracking network of practically unlimited scale:

The EPCglobal Network is the method for using RFID technology in the global supply chain by using inexpensive RFID tags and readers to pass EPCs, and then leveraging the Internet to access large amounts of associated information that can be shared among authorized users. To capture data, EPC tags carrying unique EPCs are affixed to containers, pallets, cases and/or individual units. Then, strategically placed EPC readers at gateways throughout the supply chain will read each tag as it passes and communicate the EPC and the time, date and location of the read to the network. EPC Middleware will control and integrate the EPC tags, readers and local infrastructure at the individual site.

Once the information is captured as described above, the EPCglobal Network then utilizes Internet technology to create a network for sharing that information among authorized trading partners in the global supply chain. Similar to Internet technology, the Object Naming Service (ONS) within the Discovery Services serves as White Pages that convert the EPC to a URL, which is then used to point local computers to where information associated with that EPC can be found. From there, actual access to data in the EPCglobal Network is managed at the local level by the EPC Information Services (EPC IS) where the company itself designates which trading partners have access to its information. The result will be a network of information that provides a history of individual product movement in real time.

*NOTE: Most EPC tags will pass only the EPC number to the reader. However, the potential value of more complicated tags with additional functionality justifies their increased cost in certain industries. For example, the food industry may want to add temperature tracking by adding a temperature sensor on tags. If a temperature sensor was added, the current temperature could also be passed to the reader when the tag was read.

In other words, we are looking at an identity system for objects which itself requires an identity system for domains which have owned, or now own the objects. This latter system (and probably the former) should integrate with the unifying identity system being discussed in this blog.

Gee. Do we still have some work to do or what?

I'm happy to go with Craig and P.T. about the name of the seventh law. After all, who can argue with this posting from Craig Burton:

Kim put forth the seventh — and final — law of identity Sunday:

The Law of Harmonious Contextual Autonomy

Kim, my man, the length and complexity of this name is too much. I want to be able to remember the laws easily and to use them as needed. The name you chose makes this objective impossible. I know you are dealing with complicated issues here, but please consider taking another cut at it. How about just “The Law of Contexts”? Something shorter and easier to remember, please.

Why was I trying to cram so much into the title? I don't know. I was running out of laws. It was a terrible feeling. What could I do?

Anyway, I squeezed too hard. And now I will make amends. I'm so glad we have a blog here and we can do all of this in real time. It is a great way to work.

So let's go with your much simpler and superior title for the Seventh Law:

The Law of Contexts:

The unifying identity metasystem MUST facilitate negotiation between a relying party and user of a specific identity – presenting a harmonious human and technical interface while permitting the autonomy of identity in different contexts.

I think it's a take.

Bill Barnes, who is the UI guru in new ways to “reify” identity here in the Identity and Access group at Microsoft, sent me this sobering thought about Craig‘s “sunspot-hot” comment:

I thought sunspots were actually cool spots on the sun

But of course, everything is relative:

One quick first reaction to Kim Cameron‘s recently posted Seventh “Law” of Identity — it's too long.

7. Harmonious Contextual Autonomy: The unifying identity metasystem MUST facilitate negotiation between relying party and user of the specific identity and its associated encoding such that the unifying system presents a harmonious technical and human interface while permitting the autonomy of identity in different contexts.

Kim: You need to cut the number of words in half. It's a 41 word sentence!

This might seem a frivolous reaction, but it is my experience that fundamental stuff can be expressed simply. If it is difficult to express simply, then it is probably not fundamental … and thus, shouldn't be a “law” or a principle. It should be broken down to it's component ideas.

I read #7 several times, and I still am having problems trying to understand it. I suspect the problem is not with the language but with the complexity of the idea.

In presenting the Sixth Law I talked about new emerging identity attacks that are like phishing but don't require the user to respond to an email. Now eWeek tells us that Scott Chasin, CTO at MX Logic, has started calling these attacks “pharming.” Great word.

Chasin expects this first-generation phishing to move toward pharming, which involves Trojans, worms, or other technology that attack the browser address bar. Thus, when users type in a “valid” URL they are redirected to the criminals’ Web sites.

Another way to accomplish the same thing is to attack the DNS system rather than individual machines. Do this and conceivably everyone who enters what seems like a valid URL—the one that worked properly moments before—will instead be taken to the scammer's site.

Scott sent writer David Coursey a list of pharming-like attacks that have already taken place.

These include an incident last November, when Google and Amazon users were sent to “Med Network,” an online pharmacy. The Troj Banker A/j worm, seen last November and December, watched for users to visit specific banking sites and then grabbed the personal information entered there for use by the criminal pharmers.

Depending on how you look at it, a less-criminal incident involved the March 2003 hijacking of the Al-Jazeera site by the “Freedom Cyber Force Militia” using DNS poisoning. The message viewers received: “God bless our troops.”

In talking about the inevitability of this type of attack, I have said:

Of course our usual immediate reaction to this type of problem is to find the most expedient single thing we can do to fix it. In the example just given, the response might be to write a new “safe address bar”. And who am I to criticise this, except that in the end, the proliferation of address bars makes things worse. By inventing one, we have unintentionally made possible the new exploit of getting people to install an address bar with evil intent built right into it. Further, who now can tell which address bar is evil and which one is not?

So we shouldn't be surprised that David's article concludes:

There are remedies for the pharming problem. A simple solution that works in some cases is a browser plug-in from Netcraft that displays information about the site being visited, such as its geographic location. If you notice that your mortgage company's site is being served from somewhere in the former Soviet Union, you can safely assume the worst.

But for those following the conversation here, who are attempting to understand how identity can work predictably across the entire internet, it is clear that threats like pharming and phishing must fundamentally shape the contours of the system, as expressed in the sixth and seventh laws of identity.

Cool Don Box has called the Laws a Gestalt: a structure, arrangement, or pattern of physical, biological, or psychological phenomena so integrated as to constitute a functional unit with properties not derivable by summation of its parts. An interesting observation as usual.

Many participants in this discussion have talked about how “identity is contextual”. The extreme argument is made by Scott C. Lemon, who posits in his second axiom that “identity does not exist outside the context of a community”. And Jamie Lewis has said “Context is Everything” when rapping on the Fourth Law (er Principle) of Identity. He gives some good examples, too:

I’m an audio/video enthusiast (my wife would say freak), so I’m a member of the Audio Visual Sciences Forum. I self-asserted my identity when I signed up, and that’s fine for the AVSForum. As long as I play by the forum’s rules, the folks that run the forum are fine with me being around using whatever identity I’ve established for myself. The reputation system inherent in the AVSForum takes care of many governance problems. The forum’s moderators and administrators step in with full authority when they have to.

But will self-assertion alone work for my bank? Hopefully not (or I need to change banks). Yes, the AVS Forum could rely on the identity my bank issues, but I might not want to use such an unambiguous (and valuable) identity in that social context. And why should AVSForum do that anyway? The cost could well outweigh any benefits it may gain. Once you get past registration, you get to the differences in policies (credential type and strength), attributes, and the management systems necessary to propagate and use identity in each of these very different contexts. In large part, these things must be need-driven, and one size will not fit all…

In other words, identity is the most contextual element you can possibly imagine; in fact, all social interaction is highly contextual, especially online. Who we choose to be, what of ourselves we choose to share, what faces we choose to show, depend entirely on the context in which we’re operating.

It stands to reason, then, that domains of activity will emerge, and they will have their own identity mechanisms, probably their own identifier, which will be unique and appropriate within the context of that given domain.

Several of the Laws of Identity capture the objective constraints implied by these observations. The Third Law talks about limiting the disclosure of identifying information to “parties having a necessary and justifiable place in a given identity relationship.” That relationship is clearly a context. The Fourth Law explains why a metasystem should be able to support “unidirectional identitifiers” for use in private relationships, which again are specific contexts. And the Fifth Law states the need for a pluralistic metasystem in which different technical systems run by different parties must coexist, again for use in appropriate contexts.

But now let's get a bit more concrete. Let's project ourselves into a future where we have a bunch of contextual identities. I'll carry on where Jamie left off and pick an arbitrary set of identities that seems pretty convenient:

• browsing: a self-asserted identity for exploring the web (giving away no real data)
• personal: a self-asserted identity for sites with which I want an ongoing but private relationship (including my name and a long-term email address)
• community: a public identity for collaborating with others and bloggling (includes my community name and its long-term email address)
• professional: a public identity for collaborating issued by my employer
• credit card: an identity issued by my bank
• citizen: an identity issued by my government

Things might be pretty simple if everyone chose the same set of identities that I use. But of course they don't. Jamie doesn't use a self-asserted personal identity. My brother's employer doesn't issue professional identities. Marc hasn't applied for a citizen identity, and doesn't plan to. So we have a mishmash of possibilities for identifying ourselves.

Now, you are not going to believe this, but this mishmash is good. It is in accordance with our diversity. We don't need to freak out about it. We need to accept it.

How do you deal with diversity?

Let's begin by assuming that diversity does not present a technical problem. I know this will be a stretch at first, but bear with me until “tomorrow”: let's look at the other issues.

The answer to which types of identity are acceptable then lies in the hands of each “relying party”. In other words, each given web site decides what kind of identities it will accept. Again, some examples will help, so I'll ofer some.

Let's start with “Kim Cameron's Identity Weblog”. What kind of identities will Kim's weblog accept? You name it – I'll accept it. Anything that works for you is fine with me – I want to get a discussion going.

On the other hand, let's say you go to a site like eBay. It may allow you to use any identity (or no identity) to window shop. But it will likely expect to see a credit card identity when you make a purchase. And if you want to post things for sale, the site may well expect you to present a community identity, something to which a reputation is attached.

We could give the example of using a citizen identity to access information about your social security contributions. Or of using a professional identity to get into a professional conference.

So two things become clear.

1. A single relying party will often want to accept more than one kind of identity; and
2. A user will want to understand his or her options and select the best identity for the context

Now it is necessary to consider the Sixth Law – the Law of Human Integration. This means that the request, the selection and the proffering of identity information must be done such that the channel between the relying party (e.g. the web site) and the user who is releasing information (in accordance with the First and Second Laws) is safe – and that the options are consistent and clear. Taking all of these constraints into account simultaneously (the head almost explodes) we are faced with the Seventh Law:

The Law of Harmonious Contextual Autonomy

The unifying identity metasystem MUST facilitate negotiation between relying party and user of the specific identity and its associated encoding such that the unifying system presents a harmonious technical and human interface while permitting the autonomy of identity in different contexts.

Does this sound too hard? It's hard, but I think, as you will see in upcoming postings, that our industry has the tools we need to do this. Meanwhile the cost of not having a unifying identity metasystem will continue to grow exponentially.

It was probably eight years ago now that Doc Searls took a deep look at my work on metadirectory, which I was having trouble explaining (you can see that little changes), and said:

“Kim. It's simple. We have multiple identities on multiple systems but there's no way for us to integrate them. If this were happening in the physical world, we'd have multiple personality disorder. The internet is still psychotic.”

A thought like this never leaves you. Certainly I am convinced that as users, we need to see our various identities as part of an integrated world which none the less respects our need for independent contexts.

Not long ago, Jamie Lewis suggested a course correction regarding our use of the word “universal”:

When anyone talks about a “universal identity system,” my first instinct is to put my money in my shoe.

Jamie went on to point out that when I have used the term “universal identity system,” I have meant:

“… universal” in the sense of a widely accepted, highly scalable approach, applicable and usable across the diverse and wide-ranging Internet. He’s talking about enabling a truly distributed system that can bind many different applications, use cases, and identity systems into a more meaningful (but logical) whole…

Because it is so crucial, I’m concerned that some folks will interpret “universal” to mean “uber,” as in one single identity system operating on a single standard, in spite of Kim’s intention. That’s precisely what X.500, X.509, and other attempts to solve this problem are and were about. And there are some folks who just seem genetically pre-disposed to approach the problem from a top-down, if-we-can-all-just-agree-on-one-single-identifier perspective.

And sure enough, as Jamie predicted, some good people have already been thrown off by the ‘U‘ word.

Here's a comment I received from Martin Taylor. Martin is a knowledgeable thinker who says:

I am curious… as to why there is nothing in the laws that really considers the motivation (or de-motivation) to an individual or to an organisation to make use of an identity system – to the collective point where the system could reasonably be said to be universal.

The need for identity mechanisms is clear. The need for a universal identity system is not.

The point at which a given identity system is able to grow sufficiently for it to be deemed universal has to show some benefit somewhere. If participation is expected to be voluntary (i.e. assuming that there will not be a single government able to mandate identity upon enough individuals for it to be deemed universal) then, the individuals involved must perceive a net benefit to themselves.

Where: net benefit = total benefit perceived – perceived disbenefit (from difficulty of use, perceived trust in providers, etc.)

This net benefit then is a limiting factor to the size/growth of the system.

I like the simplicity of Martin's “net benefit” equation. Yet the sentence beginning “If participation is expected…”, makes me fear he is taking the word ‘universal’ in precisely the way Jamie predicted would happen… And this unfortunately and unnecessarily complicates what is otherwise an interesting discussion.

Let's try substituting the word “unifying” and see if things get any better. Martin would then be saying:

The need for identity mechanisms is clear. The need for a unifying identity system is not.

That might not lead him to the same worries about bullying national or supernational governments…

Martin's equation is a proposition which applies to almost any computer system. But it certainly provides the framework for judging the success of systems designed according to the laws of identity.

Now let's look at how a unifying identity system would provide net benefit… Which takes us to the Seventh Law.

What an image from Craig Burton. Sun-spot-hot. Let's get this meta mojo moma backplane together so everyone can get on board and chill. Craig doesn't hesitate:

On the 30th of January, Scott Lemon posted some comments about Kim Cameron's Fifth Law of Identity:

Kim Cameron posted his Fifth Law of Identity, and I was surprised that more people didn't just jump in and agree. I was really surprised that Craig Burton didn't jump for joy as the entire law parallels some of the work that Craig led at Novell years ago.

My response to the Fifth Law was a jump for joy:

A cross platfrom identity metasystem is sun-spot hot and–with the other laws being discussed here–changes everything.

Jamie Lewis went into a big explanation on his thoughts about the fourth and fifth laws. I also noted that he goes back an forth between using term “laws” and “principles.” I will just stick with the use of “laws.”

Scott, I know this parallels work I have done before. It is in line with what I have been working on for 20 years. I don't know how I can be more vocal than I have been. To be honest, one of my first reactions was just to keep quiet. But then I realized, in another post it would take a “act-of-Gates” to stop this thing.

Go Kim.