Third Law of Identity

The Fewest Parties Law of Identity

Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

My own understanding of this law is one of the happy by-products of what I think of as my “Passport Aha”.

On the one hand, Passport has always been a system for authenticating to Microsoft's “Internet properties”, and was immediately successful in this role.

On the other, it was positioned as an early identity service. Given my long-term interest in identity, I was personally skeptical about this broader use of Passport. Its proponents argued that a centralized Internet service could act as an identity broker mediating between consumers and relying parties. They thought that life would be a lot easier (and more secure) if:

  1. consumers had a strong identity relationship with Passport; and
  2. web sites started to use Passport identities to recognize their customers.

There were only two problems with the concept. The first was that web sites didn't really want Passport mediating between them and their customers. And the second was that consumers didn't see what Passport was doing there either.

Put in terms of the Third Law of Identity, beyond the perimeter of Microsoft's own sites, few saw Passport's presence in an identity relationship as being necessary or justifiable.

Some observers who are less than enraptured by Microsoft have explained this rejection of Passport by citing a widespread distrust of Microsoft. But I don't subscribe to that explanation. There are, after all, a couple of hundred million active Passport accounts on any given day – the scale is amazing. But consumers use the accounts to access Hotmail and other properties owned by Microsoft – again, in accordance with the Third Law, where Microsoft's participation in the identity relationship is necessary and justifiable.

I argue that all of us involved with identity should “listen up” to this experience and come to understand the Third Law.

For example, it is natural for governments to operate identity services. And it is natural for people to use government-issued identities when doing business with the government. But in my view, it will not be seen as “necessary and justifiable” to insert a government intermediary between family members seeking to verify identity or between a consumer and his hobby or vice. Thus the success of government-run identity systems will be determined by governments’ understanding of the Third Law.

The same is true of other identity providers. For now, I leave it as an exercise for the reader to explore the applicability of this law to various potential candidates for provision of identity.

Denver Post on Ping

Everyone should check out the Denver Post's article on Andre Durand and Eric Norlin. It captures a lot about the whole experience of building Ping. And it contains the unforgettable line, which I hope I have made more flattering:

Norlin, known around Ping's offices for his… humor, joked that cashing out is like a teenager's view of sex. “You wish it would happen but you try not to think about it.”

Responses to the first law…

Eric Norlin of Ping has responded to my First Law of Identity with “My running commentary on Kim's exposition”. As he says,

Kim's posting about the “laws of identity” — using a scenario I sent him to tease them out. So, in true redactive fashion, I thought it only right for me to post a running commentary on his laws (since I provided the original text ;-).

Other interesting people have contributed comments as well. So although I've only made it through to the first law, I can already see that doing this kind of thing using Weblogs is going to be really different than banging out an article in “the private space” of my office. And I think this is “way cool”…

Here is the First Law of Identity I put forward…

The “Owner Decides” Law of identity

Technical identity systems MUST only reveal information identifying a user with the user's consent.

On the content of the first law, Eric “absolutely agrees — kinda”:

An employer (like Kim's) maintains data about the user that they use to log the user onto various corporate applications that they run (I'd bet that Kim did this today) — in that case, the employee has given implicit consent by collecting a paycheck and the employer is NOT encumbered with giving the user consent privileges. Bottom line: getting paid is consent.

But whoa there Eric… you go too fast, man.

Is it my employer who “logs me in” to various corporate applications? Not really. Instead, it is me who logs myself in to my employer's corporate network.

I also chose to give my employer my name, my address, my social security number and my educational background. In other words, there are a whole series of explicit actions here.

Every day, I choose to use my corporate identity through the admittedly incantational act of pressing control-alt-delete and entering a password. This is explicit consent, not implicit. The consent is in the logging in and the filling out of forms – not the getting paid.

I see more and more attention to explicit consent by my employer (which is Microsoft, for those just tuning in). Recently, when I registered for a new service offered through the corporate portal, I was asked to explicitly approve the collection of tracking information necessary to monitor and improve the level of service I received. So even though I had already logged in to its network, Microsoft explicitly asked me for further approval to collect additional information. I assume this was done because, as Eric would put it, my paycheck does not represent implicit consent for Microsoft to do whatever it wants with regard to my identity information.

I've actually had personal experience with the incorrect version of the first law that Eric has proposed. Back in the mid 1990’s, during my ZOOMIT days, we put a web “protocol head” on our VIA metadirectory. This created a personal web page for each user. Like many other technology companies, we believed in “eating our own dog food”, so we had a VIA microdirectory of our employees. Since I was a naturally public person, I thought (or perhaps “didn't think” is a better way of putting it) that everyone would just love to have a web page, and asked one of our writers to interview all our employees so we could set up an initial page for everyone. The idea was that they could then alter things as they saw fit, and we would be off to the races. In addition, we asked everyone for a photograph.

Talk about surprises… Within hours, a number of people let me know in a fairly assertive way that as much as they loved me, not to mention ZOOMIT and their paycheck, this was really going too far (especially the photo bit). And of course it was! So you can see I have a true nerd pedigree on this matter. And I've come a long way, baby! I haven't forgotten the lesson. It doesn't cost anybody anything to ask employees if they want their information to cross organizational boundaries – and be explicit about it – at least once.

In general I can't agree with Eric's contention that the first law of identity applies, as a fundamental principle, only to “consumer-facing scenarios”. I'm more accepting of what he says about control versus ownership:

Properly speaking, identity info is about control. The end user should be given *control* over their information — because there is a ton of identity information about me that I simply cannot, in any practical sense, *own*.

I was thinking of “owning” in the sense of “possessing” – in other words, in the philosophical sense (I guess I'm allowed to say that, since Eric can say “redactive”). The trouble with the word “owning” is that it tends to be associated with our current economic superstructure. I don't mean that we *own* our identities in the same way we *own* a house in the suburbs… However we do possess an identity. But it's really hard to talk about a “possessor” without sounding like a David Cronenberg movie…

Anyway, I can go with the “Law of Control”. So let's call it that. I hope Eric will drop support for his proposed amendment. I think that as soon as we put in place an infrastructure embodying the Law of Control, it will trump inferior ad hoc practices which arose historically in corporate environments. And I think this foreshadows the emerging approaches to compliance that are arising here and around the world.

I find it encouraging that a number of people are jumping ahead of my exposition and coming up with solutions that do in fact respect the laws of identity (see, for example, various comments by eminently sane people). But I hope you will stick with me a bit longer as I slog forward trying to tease these laws out of the current example.

I'm not trying to pedantically beat a dead horse – I'm hoping to provide some axioms we can refer to in our future discussions… But for now I need to get some “work” done in my day-job.

I also learned that I can't just drag pictures into my magical radioland window – which explains why the pathetic pictograph I prepared for yesterday's discussion can't be seen by anyone. I'm trying to get the “enable pictures” thing to work, but they don't seem to arrive at the RadioLand cloud site – still waiting for “help to arrive”. When I do post this pictograph I'm sure you will all hear the guffaws!

Getting behind the myths

I just saw Craig Burton's “A thousand tornadoes deep”. Craig has been around. We've had a hundred conversations over the years, and I truly admire his ability to see underlying taxonomies.

Craig was the one who, a number of years ago, taught me not to prejudge Microsoft – and explained his “ten tornado” theory (he has since – I think rightly – adjusted it by two orders of magnitude).

So his vote of confidence means a lot to me:

“There are good people with vision and integrity at Microsoft. Kim Cameron is one of those people. You can't go wrong working with Kim.”

I like the wit and wicked incision in his comment that:

Each tornado (or hailstorm if you like) has its own path, thinking and objective. They seldom cross paths and are too busy dealing with the issues at hand to even talk to each other.

That, in fact, says a lot about the real Microsoft – and is much more realistic than those who talk about plots. I wish we, as a company, allowed more visibility into our nature, which is close to the one Craig describes.

Then he concludes:

Microsoft bashing aside, when two people like Marc and Kim get together and collaborate, expect good things to happen that go beyond the history of giants — even the giant of all time — Microsoft.

I look forward to seeing what they can do.

And, I have to say, I do too.

In order that this conversation on identity can go forward, I have so far edited out (or is it just that I have “not mentioned”) Craig's “one further” comment that:

“Microsoft is an unabashed bully. The leaders of Microsoft – Bill Gates and Steve Ballmer — lead the bully behaviour.”

It's so weird. As though I had caught myself sleeping through the first half of some dream (or in fact wasn't there for it), and now that I'm in the second half, I can't quite follow the plot. In fact, maybe that's what has happened.

Although I don't know Steve and can't comment on what he's like from first hand experience, I have spent a fair amount of time with Bill. He is a remarkable and uniquely generous person, witty – a real engineer of great breadth and depth, as well as a deeply disruptive thinker. I just can't recognize him in his demonized form. (Don't get the idea we go fishing together – we don't.)

Anyway, to make a long story short, many many moons ago, Craig and Bill didn't seem to, er, really hit it off together. But I still like them both a lot.

Check out Scott Mace's interviews from Digital ID World

I just met Scott for the first time at Digital ID World in Denver. He was doing an incredible podblogging thing – sort of like an “ethnomusicologist of identity” (is that a mixed metaphor or what?) I really want to hear what he came away with ’cause he talked to a lot of interesting folks… He certainly got me singing like a canary – I hope I don't end up sounding too much like I've got everything figured out… I was trying to put an initial stake in the ground about what I'm committing to do.

What is it about Scott? He doesn't even use the podblogging word! There's something slightly psychoanalytic about his approach. He's so open. Open is strange and calming these days. Imagine! Someone who asks just the right questions to put your thoughts in order. I need to see him daily.

Jamie Lewis moves back into his blogopad

I have to thank Jamie, who is as gracious as he is devilish, for welcoming me to the blogosphere:

Kim Cameron Has Started a Blog

Kim, formerly of Zoomit and now of Microsoft, has been thinking about identity-based security for a long time. So the blog he just started should prove interesting, as long as Microsoft lets him keep it going (green accent is mine – Kim).

Maybe he'll motivate me to get off my duff and get back to posting my own self.

Yes it's true, there was this, er, small hiatus in Jamie's blogging – but he came back today with a piece that makes me real happy to see him rapping. Gosh – does Jamie know absolutely everything about what everyone is doing, or does it just seem that way sometimes?

Dave Kearns is also helping me get oriented. It will be great to have him dropping in – he should keep the conversation honest and keep everyone from getting too ideological – he's seen it all. And thanks to Radovan Janecek from Systinet for the kind introduction to his friends – what a smart guy and profound innovator in the UDDI space (amongst others). Thanks to him for turning me on to the applicability of aspect oriented programming to various of my ideas.

How many pages does it take to make an LDAP spec?

In order to get a handle on how big “big” is, I thought it could be good to figure out how many pages were involved in the LDAP specs.

Of course, my memory is that there were an awful lot. In fact, I don't think you could really do an LDAP implementation without reading the X.500 spec first – and this means reading the X.200 series and probably getting your head around X.400. But let's take things at face value and assume you could ignore those documents and just use the documents that were filed as RFCs.

Given the fact that I'm opinionated, I thought it would be better to use someone else's list of the standards. A quick google and I came across an independently compiled list of LDAP documents. The site is run by Jeff Hodges – who seems to be a protocol architect himself at a very eminent software company.

And what do we find? Here is the resulting table of specs and pages…

RFC   Status  Pages  Title / authors (as listed; truncated titles are as in the source)
1255  I          25  T. Directory Forum, “A Naming Scheme for c=US”, 09/05/1991.
1276  PS         17  S. Kille, “Replication and Distributed Operations extensions to
1275  I          17  S. Kille, “Replication Requirements to provide an Internet
1274  PS         60  P. Barker, S. Kille, “The COSINE and Internet X.500 Schema”,
1275  I          17  S. Kille, “Replication Requirements to provide an Internet
1276  PS         17  S. Kille, “Replication and Distributed Operations extensions to
1277  PS         10  S. Kille, “Encoding Network Addresses to Support Operation Ov
1278  I           5  S. Hardcastle-Kille, “A String Encoding of Presentation Address”,
1279             13  S. Kille, “X.500 and Domains”, 11/27/1991.
1295  I           2  NADF, “User Bill of Rights for entries and listings in the Public
1308  I           4  J. Reynolds, C. Weider, “Executive Introduction to Directory
1309  I          16  S. Heker, J. Reynolds, C. Weider, “Technical Overview of Director
1330  I          87  ESCC X.500/X.400 Task Force, “Recommendations for the Phase
1355  I           4  J. Curran, A. Marine, “Privacy and Accuracy Issues in Network
1384  I          12  P. Barker, S. Hardcastle-Kille, “Naming Guidelines for Directory
1430  I          20  S. Kille, E. Huizer, V. Cerf, R. Hobby, S. Kent, “A Strategic Plan
1431             19  DUA Metrics (OSI-DS 33 (v2))
1487  PS         21  W. Yeong, T. Howes, S. Hardcastle-Kille, “X.500 Lightweight
1488             11  The X.500 String Representation of Standard Attribute Syntax
1558              3  A String Representation of LDAP Search Filters.
1588             35  White Pages Meeting Report. J. Postel & C. Anderson. Febru
1617  I          28  P. Barker, S. Kille, T. Lenggenhager, “Naming and Structuring
1684  I          10  P. Jurg, “Introduction to White Pages services based on X.500”,
1727  I          11  C. Weider, P. Deutsch, “A Vision of an Integrated Internet
1758  I           4  T. American Directory Forum, “NADF Standing Documents: A Bri
1777  DS         22  W. Yeong, T. Howes, S. Kille, “Lightweight Directory Access
1781  PS         12  S. Kille, “Using the OSI Directory to Achieve User Friendly
1798  PS          9  A. Young, “Connection-less Lightweight Directory Access Proto
1803  I           8  R. Wright, A. Getchell, T. Howes, S. Sataluri, P. Yee, W. Yeong,
1804  E          10  G. Mansfield, P. Rajeev, S. Raghavan, T. Howes, “Schema Publi
1823             22  T. Howes & M. Smith, “The LDAP Application Program Interface”, Au
Total           551

Status codes: I = Informational, PS = Proposed Standard, DS = Draft Standard, E = Experimental. Note that RFCs 1275 and 1276 appear twice in the list and are counted twice in the total.
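As an added check (not part of the original post), the Python script below parses rows in the two formats the list above uses, totals the page column, breaks the pages down by status code, and reports any RFC number that appears more than once. The embedded rows are a constructed sample copied from the list, so the totals it returns are for that sample only.

```python
import re
from collections import Counter

# Constructed sample: rows copied in the two formats the list above uses
# ("NNNN STATUS authors, title pages" rows and "rfcNNNN.txt" rows joined
# to their title by a dash). Titles are truncated as in the source.
SAMPLE_ROWS = '''\
1255 I T. Directory Forum, "A Naming Scheme for c=US", 09/05/1991. 25
1276 PS S. Kille, "Replication and Distributed Operations extensions to 17
1275 I S. Kille, "Replication Requirements to provide an Internet 17
1274 PS P. Barker, S. Kille, "The COSINE and Internet X.500 Schema", 60
1275 I S. Kille, "Replication Requirements to provide an Internet 17
1276 PS S. Kille, "Replication and Distributed Operations extensions to 17
1279 S. Kille, "X.500 and Domains", 11/27/1991. (Pages=13) 13
rfc1431.txt—DUA Metrics (OSI-DS 33 (v2)) 19
rfc1558.txt—A String Representation of LDAP Search Filters. 3
1777 DS W. Yeong, T. Howes, S. Kille, "Lightweight Directory Access 22
1804 E G. Mansfield, P. Rajeev, S. Raghavan, T. Howes, "Schema Publi 10
'''

# RFC number (with or without the rfc/.txt wrapper), optional status code, free text, trailing page count.
ROW_RE = re.compile(r"^(?:rfc)?(\d{4})(?:\.txt)?[\s—-]*(?:(I|PS|DS|E)\s+)?(.*?)\s+(\d+)$")


def parse_row(line):
    """Return (rfc, status, text, pages) for one list row, or None if it is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    rfc, status, text, pages = m.groups()
    return int(rfc), status, text, int(pages)


def summarize(raw):
    """Total the page counts and flag RFC numbers listed more than once."""
    rows = [r for r in map(parse_row, raw.splitlines()) if r]
    counts = Counter(rfc for rfc, _, _, _ in rows)
    by_status = Counter()
    for _, status, _, pages in rows:
        by_status[status or "none"] += pages
    first_seen = {}
    for rfc, _, _, pages in rows:
        first_seen.setdefault(rfc, pages)  # keep one copy of each RFC
    return {
        "rows": len(rows),
        "total": sum(pages for *_, pages in rows),
        "deduplicated_total": sum(first_seen.values()),
        "duplicates": sorted(rfc for rfc, n in counts.items() if n > 1),
        "by_status": dict(by_status),
    }
```

Running `summarize` over the full list gives the author's 551 as `total`; `deduplicated_total` shows what the count would be with each RFC counted once.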