
January 20, 2005


Craig Burton

Rule Set is ok. It's just not as powerful as "Laws." I think we should stick with laws.

Mark Wahl

My observation on the use of the term "laws" is to the possibility
of confusion when discussing them, between "laws" that are an
inherent property of the system (maximum speed of light)
independent of the frame of reference and "laws" from a
lawmaking body (maximum speed of vehicle traffic) that are
dependent on the frame of reference.

If they are the former, then I would assume that they evolve
and change based on observed evidence and refinements from
peer review; in this category Kim's suggestions are quite
useful, though perhaps at their version 1.1/1.2 they will
reach the point where there is broad consensus that there are
no valid identity systems that could be postulated as operating
outside of those laws, as they incorporate the comments which
Kim's received this far and implementation experience (few
identity systems today meet even Kim's requirements for
a technical identity system (1-3), let alone a universal
technical identity system (1-6)).

If the laws are in the latter category, then should one hope
to see laws of identity from other bodies, e.g. Sony, the
Federal Reserve, Linux Standard Base, that are based on
different assumptions, and see how they will compete and
over time merge or interoperate?

Eventually I think everyone would hope to see laws that
are inherent properties, although this would require that a
great deal of control be given up in terms of mandating
implementation if the goal of interoperability based solely
on the laws is maintained. If Microsoft's product W
follows these laws, and products X and Y also do and
interoperate between themselves, then one should expect
that W and X, as well as W and Y, also interoperate.

However, what tends to happen in practice is that profiling
occurs for different deployment scenarios based on a set
of common requirements, and interoperability is only attempted
within that profile space. The profiles are almost always
"laws" in the latter category, e.g. OSI profiling in GOSIP
or EU interoperability testing, WS-I profiling of web service

For example, suppose an identity system is developed by a
collection of financial institutions that are paranoid
about phishing attacks. They decide that the customer (human)
should just not be given their account number as there is
too much risk that the customer will reveal the account
number to a third party in a phishing attack. Thus, the
financial institutions wrap the account number into a
microprogram which basically states 'only reveal the account
number to authorized affiliates of the issuing institution'.
The microprogram could be written in one or more of the many
possible competing implementation approaches; J2ME, EPAL, XrML,
..., and could be implemented in software (after verifying that
the customer's system has appropriate policy management software,
and eventually a Trusted Computing Base), or on hardware as a
smartcard or USB device. In any case, it will support the
correct handling of the account number microprogram in accordance
with the bank's intent, and attempts to circumvent the protection
to find out the account number will be difficult/illegal.

One could argue that the above system does define the human user
to be a component, albeit an untrusted component, offers unambiguous
human-machine communication (e.g. "swipe card now" messages), and
offers protections against identity attacks, thus meeting the 6th
law. It is also possible to work out this scenario further such that
it meets the requirements of laws 1-3 for technical identity systems.

The interesting question will be how a universal identity
system intends to enable the interworking of this system
with others, e.g. those which treat a username as a 'string' or
'email address'. Will it be "ships in the night", e.g. an ISO
standard for credit card physical form factors allows wallet
manufacturers to make wallets that hold multiple credit cards,
or something more...

Mark Wahl
Informed Control Inc.


The comments to this entry are closed.
