Anyone who knows LDAP has probably heard of Mark Wahl. And they will likely enjoy this amazing page which defines Mark – are you ready? – as an OSI OID. For those who don't know about this type of thing, oidy is way beyond nerdy (in the positive sense). But those were the days when we were young and flush with the first blush of LDAP. There was a “whole lot of LDAP goin’ on”!
Mark was co-author and editor of the LDAP V3 specification. He built great directory at Innosoft, which was acquired by Critical Angle, which was acquired by SUN, and he contributed many ideas and refinements to the standardization of directory protocols. These days he has left SUN and has a startup called Informed Control.
While the First and Second laws didn't seem to wrankle him, he sent me extensive comments on the Third Law. I have posted them here.
Remember the Third Law? (If you need more context, check out the RECAP link on the identityblog home page.)
The Law of Fewest Parties
Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. (Starts here…)
While Mark admits I gave some good examples of the usefulness of this law, he asks – and several other commentators have done the same – “Justifiable to whom? And who or what does the justifying?” He argues, “there may not even be agreement among the parties that one or more parties belong in the relationship”.
He then presents a number of examples in which identifying information is routinely forwarded to parties the consumer did not consider to be involved: a clearing house in an electronic funds transfer, a debt collector in the case where a consumer doesn't pay a debt, a government agency during a criminal investigation. “Today when a consumer signs up to a service provided by a bank or credit card issuer, they implicitly agree to share their identity information to a large and unbounded set of parties.”
What does the justifying? And justifiable to whom?
The First Law of Identity requires that disclosure of identity or private information be under the control of the party who is disclosing it. Doing so must make sense to her. So the justification requirements of the third law apply to the subject who is disclosing.
The identity system must make its user aware of the party or parties with whom she is interacting while sharing information.
Further, the system must be “translucent”. The user needs to understand the system, as we will see in an upcoming law. In the physical world we are able to judge the situation we are in and decide what we want to disclose about ourselves at any particular time. And we must be granted the same level of control in the cyber world.
Having disclosed an identity to another party, that party may have reason to pass information along to third parties. So it should provide the disclosing party with a policy statement about information use. This policy should govern what happens to disclosed information – I save this discussion for another day. But I'll suggest in passing that one can view this policy as defining “delegated rights” issued by the disclosing party.
No limits should be placed on how the party to whom I disclose information organizes itself, as long as it responsibly applies the policy under which I shared information.
Clearly such a policy would allow all parties to respond in the case of criminal investigations – but this does not mean the state is a therefore party to the identity relationship! Of course, this should be made explicit in the polcy under which information is shared.
The cases presented by Mark all dissolve as exceptions in light of this thinking.