{"id":314,"date":"2004-11-30T23:39:50","date_gmt":"2004-11-30T23:39:50","guid":{"rendered":"\/?p=314"},"modified":"2012-11-01T14:10:04","modified_gmt":"2012-11-01T14:10:04","slug":"third-law-of-identity","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=314","title":{"rendered":"Third Law of Identity"},"content":{"rendered":"<h5><\/h5>\n<blockquote style=\"margin-right: 0px;\" dir=\"ltr\"><p><strong>The Fewest Parties Law of Identity<\/strong><\/p>\n<p><em>Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.<\/em><\/p><\/blockquote>\n<p dir=\"ltr\">My own understanding of this law is one of the happy by-products of what I think of as my &#8220;Passport Aha&#8221;.<\/p>\n<p dir=\"ltr\">On the one hand, Passport has always been a system for authenticating to Microsoft&#8217;s &#8220;Internet properties&#8221;, and was immediately successful in this role.<\/p>\n<p dir=\"ltr\">On the other, it was positioned as an early identity service. Given my long-term interest in identity, I was personally skeptical about this broader use of Passport. Its proponents argued that a centralized Internet service could act as an identity broker mediating between consumers and relying parties. They thought that life would be a lot easier (and more secure) if:<\/p>\n<ol dir=\"ltr\">\n<li>\n<div>consumers had a strong identity relationship with Passport; and<\/div>\n<\/li>\n<li>\n<div>web sites started to use Passport identities to recognize their customers.<\/div>\n<\/li>\n<\/ol>\n<p dir=\"ltr\">There were only two problems with the concept. The first was that web sites didn&#8217;t really want Passport mediating between them and their customers. 
And the second was that consumers didn&#8217;t see what Passport was doing there either.<\/p>\n<p dir=\"ltr\">Put in terms of the Third Law of Identity, beyond the perimeter of Microsoft&#8217;s own sites, few saw Passport&#8217;s presence in an identity relationship as being necessary or justifiable.<\/p>\n<p dir=\"ltr\">Some observers who are less than enraptured by Microsoft have explained this rejection of Passport by citing a widespread distrust of Microsoft. But I don&#8217;t subscribe to that explanation. There are, after all, a couple of hundred million active Passport accounts on any given day &#8211; the scale is amazing. But consumers use the accounts to access Hotmail and other properties owned by Microsoft &#8211; again, in accordance with the Third Law, where Microsoft&#8217;s participation in the identity relationship is necessary and justifiable.<\/p>\n<p dir=\"ltr\">I argue that all of us involved with identity should &#8220;listen up&#8221; to this experience and come to understand the Third Law.<\/p>\n<p dir=\"ltr\">For example, it is natural for governments to operate identity services. And it is natural for people to use government-issued identities when doing business with the government. But in my view, it will not be seen as &#8220;necessary and justifiable&#8221; to insert a government intermediary between family members seeking to verify identity or between a consumer and his hobby or vice. Thus the success of government-run identity systems will be determined by governments&#8217; understanding of the Third Law.<\/p>\n<p dir=\"ltr\">The same is true of other identity providers. 
For now, I leave it as an exercise for the reader to explore the applicability of this law to various potential candidates for provision of identity.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Fewest Parties Law of Identity Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. My own understanding of this law is one of the happy by-products of what I think of as my &#8220;Passport Aha&#8221;. On &hellip; <a href=\"https:\/\/www.identityblog.com\/?p=314\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Third Law of Identity<\/span><\/a><\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,2,1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/314"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=314"}],"version-history":[{"count":1,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/314\/revisions"}],"predecessor-version":[{"id":1273,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/314\/revisions\/1273"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=314"},{"taxonomy":"post_tag","embeddable":
true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=314"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}