Identity Rule Set
Is Kim Cameron working on Identity "Laws" or Identity "Principles"? That is a topic that is recently getting some play across a couple of blogs (e.g Craig Burton, Jamie Lewis, Shelley Powers). I categorize Kim's 7 thingys as an Identity Rule Set. This is primarily because I have been following the work of Thomas P.M. Barnett. Thomas Barnett is a strategist who has developed a widely respected interpretation for the underlying dynamics of globalization and the way globalization causes and resolves conflict around the world. <sarcasm> Granted, his problem space is significantly less complex than digital identity</sarcasm>, but that won't stop me from borrowing a distinction or two.
One of the key pieces of language Barnett uses is "Rule Set". In his view, conflicts and breakdowns occur when activity races ahead of the Rule Sets that govern that activity. This is a pattern that can be seen in the current situation with digital identity on the Internet. Many systems and practices for dealing with identity have developed organically and tactically and the resulting breakdowns include mass inefficiencies, risk to privacy, barriers to developing new systems, etc.
What Kim is developing is a language for discussing a Rule Set that can govern the ways Identity is handled on the Internet - this is an incredibly generous and ambitious endeavor. That said, I can understand the built in suspicious reaction to his use of the term Laws.
I think Rule Set works for me - and we do need Rule Sets in this area, so in my little world...Identity Rule Set it is.
Side note: Learning and borrowing (OK, stealing) from voices like Thomas Barnett is one of the reasons I call my blog Arbitrage. He is working in a foreign market to mine, yet his methods, processes, and language can be applied in my market and add value. Blogs really facilitate this form of arbitrage – idea arbitrage.
Rule Set is ok. It's just not as powerful as "Laws." I think we should stick with laws.
Posted by: Craig Burton | January 20, 2005 at 09:29 PM
My observation on the use of the term "laws" is to the possibility
of confusion when discussing them, between "laws" that are an
inherent property of the system (maximum speed of light)
independent of the frame of reference and "laws" from a
lawmaking body (maximum speed of vehicle traffic) that are
dependent on the frame of reference.
If they are the former, then I would assume that they evolve
and change based on observed evidence and refinements from
peer review; in this category Kim's suggestions are quite
useful, though perhaps at their version 1.1/1.2 they will
reach the point where there is broad consensus that there are
no valid identity systems that could be postulated as operating
outside of those laws, as they incorporate the comments which
Kim's received this far and implementation experience (few
identity systems today meet even Kim's requirements for
a technical identity sytem (1-3), let alone a universal
technical identity system (1-6)).
If the laws are in the latter category, then should one hope
to see laws of identity from other bodies, e.g. Sony, the
Federal Reserve, Linux Standard Base, that are based on
different assumptions, and see how they will compete and
over time merge or interoperate.
Eventually I think everyone would hope to see laws that
are inherent properties, although this would require that a
great deal of control be given up in terms of mandating
implementation if the goal of interoperability based solely
on the laws is maintained. If Microsoft's product W
follows these laws, and products X and Y also do and
interoperate between themselves, then one should expect
that W and X, as well as W and Y, also interoperate.
However what tends to happen in pratice is that profiling
occurs for different deployment scenarios based on a set
of common requirements, and interoperabilty is only attempted
within that profile space. The profiles are almost always
"laws" in the latter category, e.g. OSI profiling in GOSIP
or EU interoperability testing, WS-I profiling of web service
protocols.
For example, suppose an identity system is developed by a
collection of financial institutions that are paranoid
about phishing attacks. They decide that the customer (human)
should just not be given their account number as there is
too much risk that the customer will reveal the account
number to a third party in a phishing attack. Thus, the
financial institutions wrap the account number into a
microprogram which basically states 'only reveal the account
number to authorized affiliates of the issuing institution'.
The microprogram could be written in one or more of the many
possible competing implementation approaches; J2ME, EPAL, XrML,
..., and could be implemented in software (after verifying that
the customer's system has appropriate policy management software,
and eventually a Trusted Computing Base), or on hardware as a
smartcard or USB device. In any case, it will support the
correct handling of the account number microprogram in accordance
with the bank's intent, and attempts to circumvent the protection
to find out the account number will be difficult/illegal.
One could argue that the above system does define the human user
to be a component, albeit an untrusted component, offers unambigous
human-machine communication (e.g. "swipe card now" messages), and
offers protections against identity attacks, thus meeting the 6th
law. It is also possible to work out this scenario further such that
it meets the requirements of laws 1-3 for technical identity systems.
The interesting question will be how a universal identity
system intends to enable the interworking of this system
with others, e.g. those which treat a username as a 'string' or
'email address'. Will it be "ships in the night", e.g. a ISO
standard for credit card physical form factors allow wallet
manufacturers to make wallets that hold multiple credit cards,
or something more...
Mark Wahl
Informed Control Inc.
Posted by: Mark Wahl | January 21, 2005 at 10:02 AM