The Laws of Identity

Thanks to Eric Norman, Craig Burton and others for helping work towards a “short version” of the Laws of Identity. So here is a refinement:

People using computers should be in control of giving out information about themselves, just as they are in the physical world.

The minimum information needed for the purpose at hand should be released, and only to those who need it. Details should be retained no longer than necesary.

It should NOT be possible to automatically link up everything we do in all aspects of how we use the Internet. A single identifier that stitches everything up would have many unintended consequences.

We need choice in terms of who provides our identity information in different contexts.

The system must be built so we can understand how it works, make rational decisions and protect ourselves.

Devices through which we employ identity should offer people the same kinds of identity controls – just as car makers offer similar controls so we can all drive safely.

Published by

Kim Cameron

Work on identity.

3 thoughts on “The Laws of Identity”

  1. I think the car maker metaphore works, but it isn't just about safety. After all, we don't have a moving cardspace. I think it is about consistency and familiarity. I will use something more often if I know how it works.

    Ubiquity cannot ensue without comfort and consistency. It needs to be like breathing. Driving a car is like breathing. I know where all of the tools are without thinking.

  2. An additional aspect that is never mentioned anywhere: No site should ever insist that some claim is invalid when it is, in actuality, valid.

    I mean here the exclusion of ‘+’ from the set of valid characters in the username part of an email address, on this site. The site has a regular expression which validates all valid email addresses according to RFC822.

    Since your site had to email me to validate my address, the preprocessing of the email address to fit some ill-conceived preconception of what an email address should look like (the rule violation screen stated ‘username’@’’, where the domain part contained at least one period — no mention at all that the plus was deemed an invalid character in the username) did nothing but make me put a specific spamtrap-sequence of dots in the username I embedded into my card.

    I use the ability to generate email addresses on-the-fly (by appending a ‘+string’ to my username) quite often, so that I can identify when my email address is being misused (which leads to another Law: ‘trust the other parties involved with information, but verify that the trust is not abused’). Unfortunately, CardSpace and all alternative implementations (including DigitalMe, which is the only way I was able to log on from my Mac) fail to take this into account, and the user interface is now so solidly entrenched that this facet of my identity management system is now impossible to bring to bear.

    (As well, I either have to install in my Applications folder, my Utilities folder, or leave it cluttering up my desktop. If I did not have administrator rights on my machine, I'd be stuck with it on my desktop with no recourse.)

    Also: YOUR SITE CERTIFICATE IS EXPIRED. I had to set my clock back just to be able to sign in to provide feedback on this issue.

Comments are closed.