The Seven Laws of Identity
pHatidic writes "Something strange is a brewin' at Microsoft these days. Check out this video interview with Kim Cameron, Microsoft's Architect of Identity, about Kim's Laws of Identity." From the post: "We have undertaken a project to develop a formal understanding of the dynamics causing digital identity systems to succeed or fail in various contexts, expressed as the Laws of Identity. Taken together, these laws define a unifying identity metasystem that can offer the Internet the identity layer it so obviously requires. They also provide a way for people new to the identity discussion to understand its central issues. This lets them actively join in, rather than everyone having to restart the whole discussion from scratch."
As a card-carrying member of the tinfoil hat brigade, I prefer anonymity
Here are the seven principles, in abbreviated form [if anyone could make voodoo dolls of the creators of the PDF format, and stick pins in their - ah - whatevers, I'd be most grateful]:
I'm with you: Any WWW/Internet-ish global identity management system is gonna need a principle zero: With the understanding that the subsequent rules 1-7 apply only to those users who chose to forgo their principle zero rights.

For those having a hard time getting to the PDF, here are the 7 Rules of Identity according to Kim. I've removed the text for brevity.

1. User Control and Consent: Technical identity systems must only reveal information identifying a user with the user's consent.
2. Minimal Disclosure for a Constrained Use: The solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution.
3. Justifiable Parties: Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
4. Directed Identity: A universal identity system must support both "omni-directional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
5. Pluralism of Operators and Technologies: A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
6. Human Integration: The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
7. Consistent Experience Across Contexts: The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

--------

I'm really shocked that someone who works at Microsoft came up with this. This is a constructive, interesting set of ideas.

The PDF link is: http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf
If you want to hide your identity online, just use Tor
In posting your comment, you had to assert an identity, Dachannien (617929). We all assert identity all the time when we present a username/password pair. We all have a large number of accounts to manage, which is just one set of identity assertions.
The username/password pair is an identity, usable with one web site or system. There is no way you can share that pair between sites with any degree of security. An identity system, properly executed, would allow you to make assertions between systems, without compromising that pair.
It's going to require a lot of work, there will be bugs, but it's a necessity, looking around for an invention to mother. When it does happen, it's going to seem obvious in retrospect, as it seemingly happens overnight.
While the average user might not realize it yet, we need a standard for federated identity, and we need it yesterday.
--Mike--
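
The idea in the comment above (making assertions between systems without sharing the username/password pair), combined with Laws 1, 2 and 4 from the list, as an added example that is not from the thread, the paper or Microsoft's metasystem. It assumes a per-relying-party HMAC key in place of a public-key signature; every name, key and attribute value is constructed.

```python
import hashlib, hmac, json, time

# All names, keys and attribute values below are constructed for illustration.
IDP_SECRET = b"idp-only-secret"                       # never leaves the identity provider
RP_KEYS = {"shop.example": b"key-shop", "forum.example": b"key-forum"}  # assumed per-RP keys

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def pairwise_id(user, rp):
    """Law 4: a unidirectional identifier, stable for one RP, unlinkable across RPs."""
    return _mac(IDP_SECRET, f"{rp}|{user}".encode())[:32]

def issue_assertion(user, rp, attributes, requested, consented, now=None):
    """IdP side. The user authenticated to the IdP; the password is never an input here."""
    now = int(time.time()) if now is None else now
    # Laws 1 and 2: release only what the RP asked for AND the user agreed to.
    claims = {k: attributes[k] for k in requested if k in consented and k in attributes}
    body = {"sub": pairwise_id(user, rp), "aud": rp, "exp": now + 300, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    return payload, _mac(RP_KEYS[rp], payload)

def verify_assertion(rp, payload, tag, now=None):
    """RP side: returns the asserted body, or None if forged, misdirected or expired."""
    now = int(time.time()) if now is None else now
    if not hmac.compare_digest(_mac(RP_KEYS[rp], payload), tag):
        return None
    body = json.loads(payload)
    if body["aud"] != rp or body["exp"] < now:
        return None
    return body

if __name__ == "__main__":
    attrs = {"email": "alice@idp.example", "age_over_18": True, "street": "1 Main St"}
    payload, tag = issue_assertion("alice", "shop.example", attrs,
                                   requested=["age_over_18", "street"], consented={"age_over_18"})
    print(verify_assertion("shop.example", payload, tag))
    print(verify_assertion("forum.example", payload, tag))   # replay at another RP
    print(pairwise_id("alice", "shop.example") != pairwise_id("alice", "forum.example"))
```

The relying party learns one consented attribute and an identifier that is useless as a correlation handle at any other site, and an assertion replayed at a different relying party fails verification.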