Starship Lewis hovers over Laws of Identity

Jamie Lewis is getting ready to venture forth on the Laws of Identity:

I’ve been keeping my powder dry, watching and listening to the conversation about Kim’s proposals, but it’s time to jump in.

In large part, I agree with both the intent and content of the laws. Kim is doing a valuable thing, sparking a conversation that needs to occur. As is the case with all things identity-related, however, there are many devils in the myriad details. And I’ve been struggling with how to compartmentalize my thoughts enough to keep any posts about Kim’s ideas from being ridiculously long (as opposed to just long). Since I’m a bit of a stickler about words and semantics, I’ll start there.

On one hand, terms don’t matter as much as solving the problem. On the other hand, terms (and connotation) are crucial. Loaded terms make it harder to understand and communicate how any complex system will evolve because they bring lots of baggage to the party. And communicating is a core requirement to solving the problem.

Jamie's right about this.

Regardless of what you call them, for example, Kim’s proposals cover some important issues that deserve consideration and further discussion. But several folks have reacted to the (minor) conceit that Kim’s proposals are already “laws” (especially when someone at Microsoft is handing them down). The fact that Kim has called his proposals “laws,” though, has been an effective catalyst in getting people to get involved in the discussion. Still, I see what Kim calls “laws” as a set of proposed architecture principles.

Hmmm. This is thoughtful. It is true that what is most important about our discussion – in a practical sense – is the resulting set of architectural principals. And I care deeply about this architecture.

But what makes architecture right? I think it has to do with seizing the inevitable dynamics of the objective world. I think it is useful for me to conceive of, propose and continuously test these dynamics as laws. Of course, that doesn't mean Jamie shouldn't take them as principles.

Principles are important in any architectural discussion. In our own Reference Architecture (which is focused on technical architecture for the enterprise), we establish principles as the foundation for any technical architecture. The principles incorporate the values, organizational culture, and business goals of the enterprise. Therefore, each suggested principle must pass the “motherhood” test, meaning that a reasonable person must be able to suggest and defend a contrary position. (“Security is important,” is not a principle, for example; where as “we’re willing to use bleeding edge technology” is controversial principle architects must agree on before they make big decisions.) Once an enterprise sets those principles, it can then drive the technical positions (where you make technology decisions) and templates (which map those decisions into diagrams that illustrate system functions and how they relate).

It seems to me, then, that Kim’s proposing architecture principles for an identity system for the Internet at large. He’s sparking a discussion about the values, culture, and goals that should drive the creation of an Internet identity system, which we obviously need.

That it’s a Microsoft employee doing all of this makes it even more interesting (and gleefully perverse). In subsequent posts, then, I’ll be commenting on Kim’s proposed laws from that perspective, looking at them as a set of architecture principles for an Internet identity system. That perspective may also help others understand both the scope of the issues we need to solve.

I really look forward to this.

The Sixth Law

Recently we've been talking about attacks (and potential attacks) on identity information and identity stores. It's important to put these issues in a much broader context.

Over the last months we've heard more than one expert say that phishing and the associated identity attack technology sector is growing an order of magnitude faster than the rest of high technology. If you want to depress yourself, think about it as an expanding market sector. Today everyone knows about phishing. Within the last year it has merited an industry organization with over a thousand members – including all the best banks – and an online site that maintains the latest in information. This is a tipping-point phenomenon.

Everything points to the fact that things are going to get worse before they get better. As all aspects of commercial distribution migrate to the cloud, the opportunity to benefit criminally from digital identity attacks will become continuously greater. At the same time, the international character of the internet offers the technically sophisticated criminal expanding opportunities. And a surfeit of highly gifted and trained individuals in societies with few conventional technology opportunities provides pools of talent in which international crime cartels can invest.

The identity system we have been discussing in this conversation is clearly one of the fundamental technologies needed to counter these threats. But for the same reasons, we must base our thinking on the premise that the identity system itself will be the most attacked component of distributed computing.

Being comfortable with a bull's-eye on your back

I'm totally certain that everyone who braves these pages knows how rife with implications this statement is for all of us who are concerned with identity. But the computer industry as a whole still has a long way to go in understanding how profound these problems are. Here is a not atypical quote from a casual commentator:

2004 was the year the hackers went “phishing” to con us into handing over our online banking details and despite belonging to the species allegedly at top of the food chain, an astonishing number of people obliged.

It's true that some of the ploys have been a little pathetic. But if the effect of those is to convince you that you can easily tell what's real from what isn't, you've been duped already. As an unenthusiastic inspector of identity attacks, I can guarantee that no matter how smart and attentive you are, there are ruses more than capable of torpedoing your self-esteem.

To take a very simple example, suppose you have a browser with an address bar showing you the DNS name of the site you are visiting. And suppose there is a “lock icon” which appears when a “secure connection” is in place. What is to prevent a piece of code running on your machine from overwriting the DNS name and throwing up a fake lock icon – so you are convinced you are visiting one secure site when you are actually visiting another insecure one? And so on.

Of course our usual immediate reaction to this type of problem is to find the most expedient single thing we can do to fix it. In the example just given, the response might be to write a new “safe address bar”. And who am I to criticise this, except that in the end, the proliferation of address bars makes things worse. By inventing one, we have unintentionally made possible the new exploit of getting people to install an address bar with evil intent built right into it. Further, who now can tell which address bar is evil and which one is not?

Beyond compensation and mere tactics

The point I am trying to make is that the new distributed identity system needs to be something other than an “expedient compensation”, something beyond a tactical riposte in the fight for security. And since the identity system has to work on all platforms, it must be safe on all platforms. The properties that lead to its safety can't be obscurantist or derive from the fact that the underlying platform or software still has a small adoption.

Returning to the discussion we've just had about the problems with today's browsers, I would summarize my thinking by saying we have done a pretty good job of cryptographically securing the channel between web servers and browsers – a channel that might extend for thousands of miles. But we haven't done a very good job at all of setting up the two or three foot channel between the browser and the human who uses it. And this is the channel that is attacked by phishers.

No wonder. What identities is the user dealing with as she navigates the web? How well is identity information conveyed to her? Do our systems interface with users in a manner that studies have proven to work? Identity information currently takes the form of certificates. Do studies show that certificates are meaningful to users? What exactly are we doing?

Whatever it is, a real identity system needs us to do a lot better. In particular, the identity system must extend to and integrate the human user.

The Law of Human Integration

The universal identity system MUST define the human user to be a component of the distributed system, integrated through unambiguous human-machine communications mechanisms offering protection against identity attacks.

One of the people who has thought long and hard about these issues is Carl Ellison. He has coined the term Ceremony for interactions that span a mixed network of human and cybernetic system components. Carl worked on this idea when he was at Intel and I interview him about his work here.

Out of the blue

In the last few days, an amazing number of people have written asking me to comment on LID. So the first thing I'll say is that I find it exciting to see a new identity technology proposal arriving – apparently – out of the blue.

I also need to make it clear that although I am working on the Laws of Identity, it is definitely not in the cards for me to play the role of “conformace czar” – issuing compliance stickers to the appropriate technologies. The Laws need to stand on their own.

This said, I will take up some of the ideas put forward by Johnannes Ernst, as he has asked me to do, once I've finished the seven Laws. I'll have two goals. The first will be to fully understand all aspects of LID (I will do the same for SXIP, I-Names, Shibboleth, and so on). My second goal will be ongoing clarification of the laws – without favoring one identity technology over any other.

I see my role being to help all identity providers and relying parties align with the laws, and help in the emergence of the “mega meta momma backplane” – what I call the metasystem.

I guess for me the unexpected arrival of LID on the scene serves mostly as an omen of how important it is to build identity on the Law of Pluralism. Which brings me to… the Sixth Law.

A little tiny baby information calamity

I was also glad to see Jamie Lewis blogging about the security breach at George Mason University… The full story is on Basically,

George Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders.

The attackers broke into a server that held details used on campus identity cards, the university said. Joy Hughes, the school's vice president for information technology, said in an internal e-mail sent over the weekend and seen by CNET that “the server contained the names, photos, Social Security numbers and (campus ID) numbers of all members of the Mason community who have identification cards.”

Jamie had told me recently how much he liked the piece in which I worried that the British Identity Card – as proposed in its initial draft – is an information-disaster-waiting-to-happen. His reaction to the George Mason affair is:

As identity systems aggregate information, they also aggregate risk. And the custodians of those stores must take the proper precautions, including risk and threat assessments and the implementation of a reasonable protection posture.

I love the formulation that as identity systems aggregate information, they aggregate risk. I want to put that into the second law since it is really key to what I was trying to express.

However, as much as I love to see Jamie exhuding unbridled optimism – I would be surprised if the custodians had not done risk and threat assessments, or somehow failed to act responsibly to protect the information. So this part rings hollow.

We need to base our approach to these scenarios on the idea that one day, the store will be penetrated. We need then to reduce information in the store to the minimum required. We need to distribute information so breaking into one system gives away as little as possible. And more than anything, we need unidirectional identifiers such that only access to a metasystem allows assembly of cross-aspect information.

For example, there was no need for George Mason's ID system to contain social security numbers. Nor, bizarrely, is there probably any reason for it to contain student identification numbers. It could – I know this sounds primitive – just contain single-purpose identity card numbers. A metadirectory – which itself contained no substantive information – could provide glue to other identification contexts for those who merit it – and on a case by case rather than carte blanche basis. This allows many more controls and balances to be built into the system. (All of this is Law 4)

George Mason had been moving in the right direction.

Last year, George Mason said it would cease to print Social Security numbers on campus ID cards and would instead generate unique “G numbers” for each student and each member of faculty and staff.

So the SSNs were now redundant (ouch! Law 2). But as if to underline my point,

“We felt that the information there was secure,” George Mason spokesman Daniel Walsch said on Monday.

And now, fasten your seat belts for the obvious:

George Mason is not alone among universities in suffering a security breach. Two years ago, online intruders broke into a server containing the credit card numbers of some 57,000 patrons of a Georgia Institute of Technology arts and theater program, while others lifted more than 55,000 Social Security numbers from computers at the University of Texas at Austin. Last year, more than 1 million California residents had their personal information leaked thanks to a pair of incidents at UCLA and the University of California at Berkeley.

Put these all together, go up to the national scale, make the system available on-line, add every piece of identifying information – physical, biometric, educational, employer-related. Then you have a really nice target – I mean TARGET – don't you? Inside job or outside?

And you can probably just “dribble” a lot of information out of the system before anyone is any the wiser if you have the right background and access.

Interesting times

Last week I mentioned that I had some great links to tell you about. Guess what? That rotten Jamie Lewis has scooped me and with some great postings.

First, there is LID. As Jamie puts it:

The Lightweight IDentity (LID) spec joins SxIP and XRI/XDI in attempting to create systems that empower individuals to manage their digital identity. It uses URLs to point to identity information. It's an update of sorts of the vCard concept and allows users to publish (self-assert) identity info.

According to the LID site, LID is built on:

He also points out that:

Johnannes Ernst has a blog where he talks about how LID conforms to Kim Cameron's laws of identity (more later – Kim).

Jamie then goes into considerably more depth here. He also points to an article by Shelley Powers which has to be the first concrete description of using the emerging identity systems – she concentrates on LID and SXIP, with some mentions of I-names and Liberty. I love stuff like this – and hope there will be a lot more of it. Shelley has a lot of energy going here. So I want to forgive her if there is a certain “biff! boom! bah!” in her punch – like when she lands one on me.

She's a ‘bit rough’ on Liberty, which after all has done pioneering work which all of us would like to see expressed in the emerging “mega meta momma backplane”. But I have to admit I was also taken aback when I first read the scenario doc she describes:

Case in point, from the specification there is a possible user scenario, with Joe Self logging on to an airline, who is part of a circle of trust. Once authenticated, in the scenario, Joe is then asked:

Note: You may federate your Airlines, Inc. identity with any other identities you may have with members of our affinity group.

Do you consent to such introductions?

Laughable. I chortled until tears ran down my face. It then continued on from there, with Joe Self being asked to ‘federate his identity’ at various sites within the ‘afinity group’ as he progressed along, just trying to reserve an airline ticket and rent a car – something that can be done in one move, with one click of the button in today’s travel systems.

I think we all know the authors must have meant this as a placeholder – meaning “more research to be done on user metaphor”. But I was wincing when I first read it too – only because I know how difficult these issues are. Anyway, I'll be getting to the issues at play here when I present my 6th law.

Finally there is Shelley's comment on my work on this blog:

I never touch ‘Laws’ as defined by a person or persons with vested interest, regardless of how good they sound.

Fair enough. But I can't imagine anyone who doesn't have some vested interest in what they do. Unconscious motivations are the worst – because you can't take them into account or compensate for them.

I do believe the laws we are discussing here operate equally in everyone's interest. They lead us all toward the identity big bang – a new era of software which is identity-aware. Sure, Microsoft will benefit from that big-time. But so will every thinker, inventor, developer and citizen on the planet, and all the companies, universities and governments with whom they are associated.

So far behind already

Over the last few days I have received a lot of interesting links and emails that I want to share with those of you involved in this conversation. There's a snow storm coming so maybe I can just hybernate over the weekend and do just that. Anyway, I had a good laugh at Myren's spirited comment (he's from the interesting in response to those spurring me on to faster delivery:

pardon me, but f that on demand non-sense. tell people to back off their rss readers 2880 minutes or so. take all the time you want. law number one about writing immutable laws is that you have to get them right. its been a month plus some change, this pace has been amazing. keep up the good work. no need to rush.

Hey, cool yo Myren. I appreciate that. Though I'm not sure what my excuse will be once we've finished the laws…

DIDW's top ten predictions

A picture named phil_becker.jpgPhil Becker of Digital ID World has put together his top-ten identity predictions for 2005.

And hey gang, the Laws made number six. I sure hope we can, as an industry, live up to the opportunity we all have in front of us.

6. Kim Cameron's “Laws of Identity” conversation will begin affecting products.
This conversation, started at the October Digital ID World conference, may be the most important thing going on in identity right now. It has re-engaged a number of serious identity thinkers, and clarified things for many observers. In a few short months, it has already shaken up thinking in several arenas. Kim is Chief Identity Architect at Microsoft, and Microsoft's identity strategy is gaining clarity again, but the products that this conversation affects in 2005 won't be just Microsoft's.

Lawrence Lee Averts Identity Catastrophe

Had a wierd problem trying to move Radio Userland from one machine to another last night. Although I was trying to restore from the cloud, my newly installed copy clobbered the cloud backup. Which reminds me – how many times has a backup really worked anyway? Remember those old tape machines that could write flawlessly but could never read the tapes?

Seemed for an hour or two I had lost everything despite the backups.

Except that Userland's Lawrence Lee came riding to the rescue as he has always done before. Thanks Lawrence. You are a great support guy. Now somehow I need to understand how this restore thing works. Maybe we can practice this again on the weekend.