Non-human identities

Johannes Ernst of Netmesh LID posted a comment supportive of our claims-based definition of digital identity, and went on to suggest:

“Another exercise that might be worthwhile is to look at the use of the term “(digital) identity” with subjects other than people. If such subjects (a shipment, a car part, a bank transaction, a bank note, a company, …) had digital identities (and some of them do, I would think), can the same definition be used?”

That is really one of the key reasons the definition talks about digital subjects rather than simply “persons”.

To follow Johannes’ proposed route of inquiry, let me start with a familiar example – a web site representing a company. We then need to ask if it makes sense to think of the digital identity of the web site being expressed as:

“… a set of claims made by one digital subject about… another digital subject.”

This is a case with which we have had a lot of experience: it describes SSL certificates, where web sites (public subjects with omnidirectional identifiers) have a set of claims made about them by a digital subject which is a company (a certificate authority such as Verisign – again a public subject with an omnidirectional identifier).

Really what happens here is that a certificate authority claims (shucks – asserts) that it does ongoing due diligence to establish that a web site with a given key is operated by a company (or other organization) with a given organization name, location, and other identifying information.

The set of claims represents a digital identity (good or bad), and the relation of this set of claims to reality is a potentially complex evaluation. As an observer I decide whether or not and to what extent I am willing to place confidence in the claims or use them in some way.

The digital identity of a shipment is not so very different. The shipment has an omnidirectional identifier, and it likely also has both a manifest and a destination. We could model this from an identity point of view in several ways. We could say the identifier, the manifest and the relationship to the destination digital identity represent the digital identity of the shipment. This is a set of claims. Again, the relationship to the actual contents of the shipment is “in doubt”. Typically, the shipment may be inspected as it crosses borders or when it arrives at its destination to determine whether the claims are in fact true. Thus the digital identity may or may not represent the actual real-world object. The extent to which it does depends on the competence and honesty of the subject creating the digital identity by making the claims, and the extent to which the shipment (and the claims themselves) have arrived at the inspection point intact.

In terms of modeling, the manifest could also be modeled as a separate entity, with a different digital identity, so the digital identity of the shipment would consist of only two claims – the digital identity of the manifest and the digital identity of the destinee. The extent to which things are decomposed this way doesn't change anything for those who believe in the miracles of recursion.

We could go on like this, but I leave most of the exercise to the reader. I'll jump directly to the example of the bank note.

I can imagine a set of claims corresponding to a bank note (denomination and serial number) and made by the mint or treasury. I suppose they could be used in tracing cash transactions. But what is interesting is that bank notes are just a symbol for wealth, the symbol being easily exchanged for other symbols (e.g. a check, a bank transfer, bills of a different denomination or a credit transaction, to name just a few). And thus there is no need for bank notes in the digital realm – new symbols and new ways of using symbols work just fine.

Here’s a story by John Fontana on efforts to extend identity to the world of things, in which Drummond Reed of XRI fame and Marty Schleiff, a long-time identity architect at Boeing, talk about their work on identifiers. Identifiers are the simplest claim, but I know from discussions that both would agree that the reason identifiers are important is that they open the door to relationships between identities based on richer claim sets.

What is a claim?

In the interests of completeness, now that we have defined “digital subject”, let's define “claim”. At the same time I will explain why I have used the word “claim” where others might have said “security assertion” or just “assertion”.

Again, according to the OED, an assertion is a “confident and forceful statement of fact or belief”. On the other hand, a claim is “an assertion of the truth of something, typically one which is disputed or in doubt”.

It is interesting that systems deriving from the X.500 and X.509 standards – including LDAP – have employed the term “attribute value assertion” (abbreviated AVA) to describe the mechanism by which the attributes of an object are presented. Those systems were thought out from the vantage point of the “administrative domain” making the assertions; Active Directory's LDAP engine was built along this model. So indeed, information is stored in the directory, which later “confidently and forcefully” presents it to the digital subjects of the domain, either through queries or associated protocols like Kerberos.

When all subjects subscribe to the same administrative authority, and the trust boundaries are extremely clear and well defined, it makes sense to employ a metaphor based on confidence and force. But in evolving from a closed domain model to an open, federated model, the situation is transformed into one where the party making an assertion and the party evaluating it may have a complex and even ambivalent relationship. In this context, assertions need always be subject to doubt – not only doubt that they have been transmitted from the sender to the recipient intact, but also doubt that they are actually true. We need to incorporate the insights of SPKI. We must always favor the vantage point of the relying party.

The word “claim” – taken as “an assertion of the truth of something which is … in doubt” – grasps the subtleties of the federated world by adding the right dose of doubt to any assertion being made, and effectively reminding us to surface this doubt in our implementation.

What is a digital subject?

In discussing my definition of a digital identity, Stefan Brands has asked, “What is a digital subject – and why not an entity in general?” A great question.

Let me quote from the Oxford English Dictionary. A “subject” is “a person or thing that is being discussed, described or dealt with.” “Digital” means “relating to or using signals or information represented by discrete values of a physical quantity.” So I interpret “digital subject” as a “person or thing represented or existing in the digital realm which is being described or dealt with”. “Dealt with” is a great concept, and pertains to much of what we do in computing.

I think it is essential – not optional – to make it clear that the digital world includes many things which need to be “dealt with” other than humans. First and foremost are the devices which allow us to penetrate the digital realm, and the digital resources which attract us to it. Beyond that are policies and relationships with other digital subjects (e.g. between humans and devices or documents or services). These policies and relationships are then themselves things that must be dealt with.

The OED goes on to define subject, in a philosophical sense, as the “central substance or core of a thing as opposed to its attributes”. I take “attributes” precisely as characteristics which are expressed in claims, so from this point of view, also, “subject” is the perfect word.

As for “entity”, the OED defines it as “a thing with distinct and independent existence”. The independent existence of the thing is a moot point here – it may well be an aspect of something else. Instead, what is most important about the entity is that it is being dealt with by some relying party and thus claims are made about it. So “subject” is a better word than “entity”.

Catching up on the British Identity debate…

Britain's The Register reports that the current British Identity Card proposal is likely to “bite the dust” because of the impending election and resistance by opponents in the House of Lords. The Scottish Parliament has also apparently lined up against the ID scheme. Meanwhile, the Tory party seems set to withdraw support, with one group of Tories attacking the scheme as a “con trick”. Another headline reads, “UK gov ready to u-turn on passport-ID card link?”.

This is all more writing on the wall. Governmental authorities should come together with privacy advocates and those in the software industry who understand advanced identity technology alternatives. Together, we should propose systems which can be shown to protect the privacy of citizens and reduce the risk of identity theft – while serving the needs of government, individual citizens, business and community organizations for a safer and more capable Internet.

On the Identity Trail

Thanks to Stefan Brands for pointing us to On the Identity Trail – a really interesting blog on “Understanding the importance and impact of anonymity and authentication in a networked society”. It sports the “animated fingerprint” shown here (Warning! Don't look at it for too long!) and in addition to Stefan, the group includes luminaries ranging from Steve Mann to Ann Cavoukian, the Information and Privacy Commissioner for the Province of Ontario.

Researcher Alex Cameron blogs beautifully about the recent conference held by the group in Ottawa, Canada. I really wish I'd been there.

As great as Alex's coverage is, I hope they'll post a podcast. Maybe Steve Mann has a complete three dimensional recording back at his central base.

While I'm at it, thanks to Stefan for emailing me to correct my impression that the Digital Identity paper referred to here was written by Abelson and Lessig themselves, rather than by their students. As he says, it doesn't make the paper any less interesting – but I'm actually relieved to discover that Lawrence Lessig was not an author.

Stefan has been doing some excellent postings and I am trying to find some time to give them the attention they definitely deserve. I guess I'll have to start with his interesting comments on the definition of digital identity I put forward in my last post.

What is a digital identity?

Geek CEO Glenn Reid, who not only created iMovie and iPhoto while at Apple, but later canonized Marc Canter as shown at right, has pointed out how weird it is that someone would do the laws of identity without ever stopping to define what identity was for – or what it was. I certainly understand how this could be maddening – though I hope he returns to visit because, having given up on us, his intuitive musings have already led him into some pretty frightening simplifications – for example, that identity is “a single, global, unique credential”. He credits RSA with having given him this idea, which is something for all of us to ponder, especially RSA.

Colleagues involved in identity issues allowed me to avoid such basic duties. Why? Probably for the same reason I initially shied away from them: we knew from previous experience that it was important to establish a practical context before getting caught up in long-winded discussions of what identity was.

With the laws behind us, we can hardly continue to argue lack of context… We need a working definition of digital identity for the unifying metasystem we have described.

What I would like to do here is again separate the technological aspects of digital identity from the philosophical and legal aspects of identity – even as it relates to the digital world. I'll try to show that if we get the technological definition right, we end up being able to express whatever social (and ontological) relations we want to. This is the opposite of the way the problem has normally been approached.

For example, in their important 1998 paper, Digital Identity in Cyberspace, a group of students of Hal Abelson and Lawrence Lessig argued and then proceeded to demonstrate that “it is difficult to craft a formal definition of identity.” Not only, according to them, was the formal definition hard, but to the extent they achieved one, it did not translate into anything crisp at the practical level:

“In practice there is a degree of fuzziness to the definition of an entity's identity…”

The paper should be read again in 2005; it is brilliant for posing many crucial questions even if, in my view, it was not able to answer many of them. My thinking on these issues doesn't matter much… I leave those who would have us pursue a less pragmatic approach to take up where the Digital Identity in Cyberspace paper leaves off, and see if they don't end up meeting us at our technological destination.

Hold the trumpets…

In the meantime, hold the trumpets. Here is a simple working proposal (which I don't claim is novel) that I think allows a great many problems to be solved:

A digital identity is a set of claims made by one digital subject about itself or another digital subject.

It is clearly impossible for me to compare and contrast this definition with all those which have been given – perhaps readers familiar with good definitions can help me out in this regard – we could compile a cross-reference. But I can try to cover a few. For example, let's take a walk through a few of the top definitions that come up on Google. The winner is… Digital ID World and its What is Digital Identity page:

“A Digital Identity is the representation of a human identity that is used in a distributed network interaction with other machines or people.”

Well, let me start by congratulating Digital ID World for “reaching out” to readers with its definition – they do such good work. But it can be seen that our definition, while perhaps not suited to the newcomer, works well as a scaffolding for the identity metasystem, and can encompass DIDW's definition as well as many others without being vapid or imprecise.

How do you “represent” a human identity in a “distributed network interaction”? Clearly you need a way for one entity to be able to “say” something about another. This is what we mean by a “set of claims”. DIDW talks about a human identity – we broaden this to a digital subject which may or may not be human. We must do this because the human subject “speaks through” channels which exist in entities about which other claims can be made. DIDW talks about a distributed network interaction. But like most other aspects of reality, there is a fractal continuum between the macroscopic and the microscopic, so that all the problems of the network actually exist, for example, within a single machine, where process and thread separation might also be best described through sets of claims. None of this is a criticism of DIDW's definition – I'm just explaining why we need a definition which allows us to solve as many aspects of the problem as possible.

Another top Google hit is Unisys World's Self-service identity management: What, why and how? Here we read:

A digital identity is a combination of credentials that manages a computer user's authentication, authorization and access rights.

Here we see a lot of specified usages of digital identity mixed into a very narrow definition… But once again the metasystem definition works well and embraces it: a set of claims can certainly include a combination of credentials. Credentials is another word which I think needs definition… but that is for another day.

A little further down we come to SwissSign Certificate Services. Their definition is as follows:

A digital identity is the combination of the cryptographic keys and the certificate. A digital identity is a file, stored on a hard disk or some other external device (ex: Smartcard, USB-Token).
The cryptographic keys, is what it is all about. You could consider the certificate as the packaging for the keys which allow for verifying the validity and, to a certain extend, the correctness of the information.

This definition “combines” the mechanism for “proving” the set of claims and the claims themselves (here contained in a certificate) and additionally manages to complicate things further by introducing the issue of trust. I prefer to tease these apart, on the basis that there are two quite different questions to consider: What are the claims; and Do I believe them? So the fact that someone has a given public key represents one of the simplest possible claims, and the proof of this needs to be done through cryptography – perhaps a signature on the claim. Our definition supports this hyper implementation-specific definition, but also allows the claim and the proof to be based on totally different mechanisms. The “A digital identity is a file…” thing doesn't quite work with our definition, and I think this is a good thing, since it seems pretty strange. But of course, the claims could be put in a file…
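The separation argued for here, and in the earlier discussion of why a relying party must doubt both that a claim arrived intact and that it is true, can be sketched in code. This is an added example, not code from the original post: the `ClaimSet` and `RelyingParty` names, the sample shipper and key are all constructed for illustration, and an HMAC stands in for a signature so the sketch runs with the standard library alone.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ClaimSet:
    issuer: str         # digital subject making the claims
    subject: str        # digital subject the claims are about
    claims: tuple       # sorted (name, value) pairs
    proof: bytes = b""  # evidence, kept apart from the claims themselves

    def payload(self) -> bytes:
        body = {"issuer": self.issuer, "subject": self.subject,
                "claims": dict(self.claims)}
        return json.dumps(body, sort_keys=True).encode()


def issue(issuer, subject, claims, key):
    """Build a claim set and attach a proof (HMAC stands in for a signature)."""
    cs = ClaimSet(issuer, subject, tuple(sorted(claims.items())))
    return replace(cs, proof=hmac.new(key, cs.payload(), hashlib.sha256).digest())


class RelyingParty:
    def __init__(self, issuer_keys, believes):
        self.issuer_keys = issuer_keys  # issuer -> key used to check proofs
        self.believes = believes        # issuer -> claim names this party accepts

    def evaluate(self, cs):
        """Answer two separate questions: is it intact, and what do I believe?"""
        key = self.issuer_keys.get(cs.issuer)
        if key is None:
            return False, {}
        expected = hmac.new(key, cs.payload(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cs.proof):
            return False, {}  # altered in transit or not from this issuer
        accepted = self.believes.get(cs.issuer, set())
        return True, {n: v for n, v in cs.claims if n in accepted}


# Constructed sample: a shipper's claims about a shipment, seen by an inspector.
KEY = b"constructed-demo-key"
shipment = issue("shipper.example", "shipment-0001",
                 {"manifest": "40 crates of machine parts",
                  "destination": "warehouse.example"}, KEY)
inspector = RelyingParty({"shipper.example": KEY},
                         {"shipper.example": {"destination"}})
tampered = replace(shipment, claims=(("destination", "elsewhere.example"),
                                     ("manifest", "40 crates of machine parts")))

if __name__ == "__main__":
    print(inspector.evaluate(shipment))  # intact; manifest still awaits inspection
    print(inspector.evaluate(tampered))  # proof no longer matches the claims
```

A valid proof only settles the first question; the inspector still declines to believe the manifest claim until it has looked inside the shipment.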

Next I come to PC Magazine, quoting James Kobielus:

“Digital identity refers to the set of digital information—including user IDs, passwords, access control lists, public-key certificates, and voiceprint patterns—that is associated with a particular individual.”

I'm not sure access control lists really belong in this sentence – or that James was quoted correctly – but even if they did (and he was), it would fit with the claims-based definition given above.

Next in the Google list is Johannes Ernst's Digital Identity Terminology Mess page. Talking about identity, rather than digital identity, he says:

Any person has identity. It allows us to say “it was him who was hit by the truck, thus it is him who is dead and not somebody else”.

This reminds me of a live report I watched on TV in which a man with a gun had been shot dead by police at the Los Angeles airport. I remember a detective standing beside the body and saying, “Nothing is known of the man's identity.” It was quite clear that he was dead, and not someone else, but this did not in any way help the investigator. Incredibly, the claims about the man seemed to be even more important than his body.

Johannes goes on to say that digital identity is the same as any other identity except it “occurs in cyberspace”. So again, I think that our claims-based definition of identity is inclusive of that given by Johannes.