Identify This!


Dizzy is frustrated about complex identity technologies like Liberty, SAML, and the various WS-* protocols. I agree. In the spirit of John Sowa's law of standards, we need technologies that undergo iterative development and improvement in the context of small research projects, not unwieldy specifications designed by large committees. In the spirit of Adam Bosworth's recent keynote at the MySQL Users Conference, we need simple, even sloppy standards that scale (sloppy in the sense that you don't need to be a syntax guru to use them).

Will we achieve such technologies in the identity space? The signs right now don't look hopeful. Everyone is chattering about Liberty and SAML and WS-*, but ignoring the subject of all this identification: the individual. Individuals want, deserve, and must have control: over who has access to their identifying information. Wouldn't it be great if I could be the one who says that Vendor X can know my email address, that Person Y can comment at or trackback to my blog, that Lender Z can see my FICA score? Unfortunately, giving that power to the individual would require the kind of decentralized architecture that would cut some kinds of power brokers out of the action (those who would love to be the center of the identity universe).

What would such a decentralized approach look like? One metaphor is that of the digital wallet (a patented idea, thanks to the USPTO) or identity portfolio. No matter what you call it, I have under my control certain credentials issued by various corporate and governmental entities -- banks, credit card companies, insurance companies, government agencies, and the like. There is no central identity broker -- I can show my driver's license to a bartender or CAcert assurer or whomever without asking the issuer's permission or forcing those who would check my credentials to have any kind of relationship with the Department of Motor Vehicles. And not only are my credentials under my control, but I can disclose the minimal information needed for any given interaction. That seems to me like a reasonable model for electronic identity, except that we can do better than driver's licenses and social security cards because the magic of electronic information and digital signatures means that issuers can generate and sign short-lived credentials whenever I ask for them, rather than long-lived paper documents that are relatively easy to forge.

There are three parties to a minimal identity interaction: the individual, the issuer, and the accepter. (I'm not sure what to call the party to whom I present my credentials: "accepter" seems rather neutral, but other possible terms are recipient, reader, checker, verifier, validator, viewer, presentee.) Some identity interactions might engage additional parties, such as a broker, but at a minimum the fewest parties you need are those three and only those three.

Kim Cameron goes on to define four more laws of identity beyond individual control, minimal disclosure, and fewest parties, but I think those are key. Yes, the resulting system or network must also allow public information while protecting private information (directed identity), enable multiple and diverse players into the marketplace (pluralism), be user-friendly and integrate with human ways of knowing and acting (human integration), and make it possible for the individual and accepter to negotiate what identity information is needed in a particular context and for the individual to gather the appropriate credentials from one or more issuers and then present the resulting aggregation of credentials in a unified way (harmonious contextual autonomy), but those are more advanced characteristics of a workable identity technology -- system designers need to keep those in mind, but they are not directly important to the individual, I think.

Cameron's laws or principles of identity define a tough set of requirements, but I think those requirements can be met with open technologies and simple, smart standards that emerge from the bottom up through experimentation and iterative development. But a small team needs to take the first step along that road and then present their findings to the world with working prototypes and well-defined protocols. Thankfully, I happen to know of such a team, but they're working in stealth mode right now while they hammer out rough consensus and running code. Stay tuned... ;-)

Peter Saint-Andre > Journal