The Laws of Identity …as of 2/20/2010
Kim Cameron, Architect of Identity, Microsoft Corporation

The Internet was built without a way to know who and what you are connecting to. This limits what we can do with it and exposes us to growing dangers. If we do nothing, we will face rapidly proliferating episodes of theft and deception which will cumulatively erode public trust in the Internet.

This paper is about how we can prevent that loss of trust and go forward to give Internet users a deep sense of safety, privacy and certainty about who they are relating to in cyberspace. Nothing could be more essential if new Web-based services and applications are to continue to move beyond "cyber publication" and encompass all kinds of interaction and services. Our approach has been to develop a formal understanding of the dynamics causing digital identity systems to succeed or fail in various contexts, expressed as the Laws of Identity. Taken together, these laws define a unifying identity metasystem that can offer the Internet the identity layer it so obviously requires.

The ideas presented here were extensively refined through the Blogosphere in a wide-ranging conversation documented at that crossed many of the conventional fault-lines of the computer industry, and in various private communications. In particular I would like to thank Arun Nanda, Andre Durand, Bill Barnes, Carl Ellison, Caspar Bowden, Craig Burton, Dan Blum, Dave Kearns, Dave Winer, Dick Hardt, Doc Searls, Drummond Reed, Ellen McDermott, Eric Norlin, Esther Dyson, Fen Labalme, Identity Woman Kaliya, JC Cannon, James Kobielus, James Governor, Jamie Lewis, John Shewchuk, Luke Razzell, Marc Canter, Mark Wahl, Martin Taylor, Mike Jones, Phil Becker, Radovan Janocek, Ravi Pandya, Robert Scoble, Scott C. Lemon, Simon Davies, Stefan Brands, Stuart Kwan and William Heath.

Problem Statement

The Internet was built without a way to know who and what you are connecting to.

A patchwork of identity one-offs

Since this essential capability is missing, everyone offering an Internet service has had to come up with a workaround. It is fair to say that today's Internet, absent a native identity layer, is based on a patchwork of identity one-offs.

As people's use of the web broadens, so does their exposure to these workarounds. Though no one is to blame, the result is pernicious. Hundreds of millions of people have been trained to accept anything any site wants to throw at them as being the "normal way" to conduct business online. They have been taught to type their names, secret passwords and personal identifying information into almost any input form that appears on their screen.

There is no consistent and comprehensible framework allowing them to evaluate the authenticity of the sites they visit, and they don't have a reliable way of knowing when they are disclosing private information to illegitimate parties. At the same time they lack a framework for controlling or even remembering the many different aspects of their digital existence.

Criminalization of the Internet

People have begun to use the Internet to manage and exchange things of progressively greater real-world value. This has not gone unnoticed by a criminal fringe which understands the ad hoc and vulnerable nature of the identity patchwork – and how to subvert it. These criminal forces have increasingly professionalized and organized themselves internationally.

Individual consumers are tricked into releasing banking and other information through "Phishing" schemes which take advantage of their inability to tell who they are dealing with. They are also induced to inadvertently
install "spyware" which resides on their computers and harvests information in long term "Pharming" attacks. Other schemes successfully target corporate, government and educational databases with vast identity holdings, and succeed in stealing hundreds of thousands of identities in a single blow. Criminal organizations exist to acquire these identities and resell them to a new breed of innovators expert in using them to steal as much as possible in the shortest possible time. The international character of these networks makes them increasingly difficult to penetrate and dismantle.

Phishing and Pharming are now thought to be one of the fastest growing segments of the computer industry, with an annual compound growth rate (CAGR) of 1000%. Without a significant change in how we do things, this trend will continue.

It is essential to look beyond the current situation, and understand that if the current dynamics continue unchecked, we are headed toward a deep crisis: the ad hoc nature of Internet identity cannot withstand the growing assault of professionalized attackers.

A deepening public crisis of this sort would mean the Internet would begin to lose credibility and acceptance for economic transactions when it should be gaining that acceptance. But in addition to the danger of slipping backwards, we need to understand the costs of not going forward. The absence of an identity layer is one of the key factors limiting the further settlement of cyberspace.

Further, the absence of a unifying and rational identity fabric will prevent us from reaping the benefits of web services. Web services have been designed to let us build robust, flexible, distributed systems that can deliver important new capabilities, and evolve in response to their environment. Such living services need to be loosely coupled and organic, breaking from the paradigm of rigid premeditation and hard-wiring. But as long as digital identity remains a patchwork of ad hoc one-offs which must still be hard-wired, all the negotiation and composability we have achieved in other aspects of web services will enable nothing new. Knowing who is connecting with what is a must for the next generation of cyber services to break out of the starting gate.

It's hard to add an identity layer

There have been attempts to add more standardized digital identity services to the Internet. And there have been partial successes in specific domains – like the use of SSL to protect connections to public sites; or of Kerberos within enterprises.

But these successes have done little to transform the identity patchwork into a rational fabric extending across the Internet.

Why is it so hard to create an identity layer for the Internet? Mainly because there is little agreement on what it should be and how it should be run. This lack of agreement arises because digital identity is related to context, and the Internet, while being a single technical framework, is experienced through a thousand kinds of content in at least as many different contexts – all of which flourish on top of that underlying framework. The players involved in any one of these contexts want to control digital identity as it impacts them, in many cases wanting to prevent spillover from their context to any other.

Enterprises, for example, see their relationships with customers and employees as key assets, and are fiercely protective of them. It is unreasonable to expect them to restrict their own choices or give up control over how they create and represent their relationships digitally. Nor has any single approach arisen which might serve as an obvious motivation to do so. The differing contexts of discrete enterprises lead to a requirement that they be free to adopt different kinds of solutions. Even ad hoc identity one-offs are better than an identity framework which would be out of their control.

Governments too have found they have needs that distinguish them from other kinds of organization. And specific industry clusters – "verticals" like the financial industry – have come to see they have unique difficulties and aspirations when it comes to maintaining digital relationships with their customers.

As important as these institutions are, the individual – as consumer – gets the final say about any proposed cyber identity system. Anything they don't like and won't – or can't – use will inevitably fail. Someone else will come along with an alternative.

Consumer fears about the safety of the Internet prevent many from using credit cards to make on-line purchases. Increasingly, malware and identity theft have made privacy issues of paramount concern to every Internet user. This has resulted in increased awareness and readiness to respond to larger privacy issues.

As the virtual world has evolved, privacy specialists have developed nuanced and well-reasoned analyses of identity from the point of view of the consumer and citizen. In response to their intervention, legal thinkers, government policy makers, and elected representatives have become increasingly aware of the many difficult privacy issues facing society as we settle cyberspace. This has already led to vendor sensitivity and government intervention, and more is to be expected.

In summary, as grave as the dangers of the current situation may be, the emergence of a single simplistic digital identity solution as a universal panacea is not realistic.

Even if some miracle occurred and the various players could work out some kind of broad cross-sector agreement about what constitutes perfection in one country, the probability of extending that universally across international borders would be zero.

An identity metasystem

In the case of digital identity, the diverse needs of many players demand that we weave a single identity fabric out of multiple constituent technologies. Although this might initially seem daunting, similar things have been done many times before as computing has evolved.

For instance, in the early days of personal computing, application builders had to be aware of what type of video display was in use, and of the specific characteristics of the storage devices that were installed. Over time, a layer of software emerged that was able to provide a set of services abstracted from the specificities of any given hardware. The technology of "device drivers" enabled interchangeable hardware to be plugged in as required. Hardware became "loosely coupled" to the computer – allowing it to evolve quickly since applications did not need to be rewritten to take advantage of new features.

The same can be said about the evolution of networking. At one time applications had to be aware of the specific network devices in use. Eventually the unifying technologies of sockets and TCP/IP emerged, able to work with many specific underlying systems (Token Ring, Ethernet, X.25 and Frame Relay) – and even with systems, like wireless, that were not yet invented.

Digital identity requires a similar approach. We need a unifying identity metasystem that can protect applications from the internal complexities of specific implementations and allow digital identity to become loosely coupled. This metasystem is in effect a system of systems that exposes a unified interface much like a device driver or network socket does. That allows one-offs to evolve towards standardized technologies that work within a metasystem framework without requiring the whole world to agree a priori.

Understanding the obstacles

To restate our initial problem, the role of an identity metasystem is to provide a reliable way to establish who is connecting with what – anywhere on the Internet.

We have observed that various types of systems have successfully provided identification in specific contexts. Yet despite their success they have failed to attract usage in other scenarios. What factors explain these

successes and failures? Moreover, what would be the characteristics of a solution that would work at internet scale? In answering these questions, there is much to be learnt from the successes and failures of various approaches since the 1970s.

This investigation has led to a set of ideas called the "Laws of Identity". We chose the word "laws" in the scientific sense of hypotheses about the world – resulting from observation – which can be tested and are thus disprovable. The reader should bear in mind that we specifically did not want to denote legal or moral precepts, nor embark on a discussion of the "philosophy of identity".

These laws enumerate the set of objective dynamics defining a digital identity metasystem capable of being widely enough accepted that it can serve as a backplane for distributed computing on an Internet scale. As such, each law ends up giving rise to an architectural principle guiding the construction of such a system.

Our goals are pragmatic. When we postulate the Law of User Control and Consent, for example, it is because experience tells us: a system that does not put users in control will – immediately or over time – be rejected by enough of them that it cannot become and remain a unifying technology. How this law meshes with values is not the relevant issue.

Like the other laws, this one represents a contour limiting what an identity metasystem must look like – and must not look like – given the many social formations and cultures in which it must be able to operate. Understanding the laws can help eliminate a lot of doomed proposals before we waste too much time on them.

The laws are testable. They allow us to predict outcomes – and we have done so consistently since proposing them. They are also objective, i.e. they existed and operated before they were formulated. That is how the Law of Justifiable Parties, for example, can account for the successes and failures of Microsoft's Passport identity system.

The Laws of Identity, taken together, define the architecture of the Internet's missing identity layer.

Words that allow dialogue

Many people have thought about identity, digital identities, personas and representations. In proposing the laws we do not expect to close this discussion. However, in keeping with the pragmatic goals of this exercise we define a vocabulary that will allow the laws themselves to be understood.

What is a digital identity?

We will begin by defining a digital identity as a set of claims made by one digital subject about itself or another digital subject. We ask the reader to let us define what we mean by a digital subject and a set of claims before examining this further.

What is a digital subject?

The Oxford English Dictionary (OED) defines a subject this way:

    "…a person or thing that is being discussed, described or dealt with."

So we define a digital subject as:

    "…a person or thing represented or existing in the digital realm which is being described or dealt with".

Much of the decision-making involved in distributed computing is the result of "dealing with" an initiator or requester. And it is worth pointing out that the digital world includes many subjects which need to be "dealt with" other than humans, including:

- devices and computers (which allow us to penetrate the digital realm in the first place)
- digital resources (which attract us to it)
- policies and relationships between other digital subjects (e.g. between

  humans and devices or documents or services).

The OED goes on to define subject, in a philosophical sense, as the "central substance or core of a thing as opposed to its attributes". As we shall see, "attributes" are the things expressed in claims, and the subject is the central substance thereby described.

What is a claim?

A claim is:

    "…an assertion of the truth of something, typically one which is disputed or in doubt".

Some examples of claims in the digital realm will likely help:

- A claim could just convey an identifier – for example, that the subject's student number is 490-525, or that the subject's Windows name is REDMOND\kcameron. This is the way many existing identity systems work.
- Another claim might assert that a subject knows a given key – and should be able to demonstrate this.
- A set of claims might convey personally identifying information – name, address, date of birth and citizenship, for example.
- A claim might simply propose that a subject is part of a certain group – for example, that she has an age less than 16.
- And a claim might state that a subject has a certain capability – for example to place orders up to a certain limit, or modify a given file.

The concept of "being in doubt" grasps the subtleties of a distributed world like the Internet. Claims need to be subject to evaluation by the party depending on them. The more our networks are federated and open to participation by many different subjects, the more obvious this becomes.

The use of the word claim is therefore more appropriate in a distributed and federated environment than alternate words such as "assertion", which means "a confident and forceful statement of fact or belief". In evolving from a closed domain model to an open, federated model, the situation is transformed into one where the party making an assertion and the party evaluating it may have a complex and even ambivalent relationship. In this context, assertions need always be subject to doubt – not only doubt that they have been transmitted from the sender to the recipient intact, but also doubt that they are true, and doubt that they are even of relevance to the recipient.

Advantages of a claims-based definition

The definition of digital identity employed here encompasses all the known digital identity systems and therefore allows us to begin to unify the rational elements of our patchwork conceptually. It allows us to define digital identity for a metasystem embracing multiple implementations and ways of doing things.

In proffering this definition, we recognize it does not jive with some widely held beliefs – for example that within a given context, identities have to be unique. Many early systems were built with this assumption, and it is a critically useful assumption in many contexts. The only error is in thinking it is mandatory for all contexts.

By way of example, consider the relationship between a company like Microsoft and an analyst service that we will call Contoso Analytics. Let's suppose Microsoft contracts with Contoso Analytics so anyone from Microsoft can read its reports on industry trends. Let's suppose also that Microsoft doesn't want Contoso Analytics to know exactly who at Microsoft has what interests or reads what reports.

In this scenario we actually do not want to employ unique individual identifiers as digital
identities. Contoso Analytics still needs a way to ensure that only valid customers get to its reports. But in this example, digital identity would best be expressed by a very limited claim – the claim that the digital subject currently accessing the site is some Microsoft employee. Our claims-based approach succeeds in this regard. It permits one digital subject (Microsoft Corporation) to assert things about another digital subject without using any unique identifier.

This definition of digital identity calls upon us to separate cleanly the presentation of claims from the provability of the link to a real world object.

Our definition leaves the evaluation of the usefulness (or the truthfulness or the trustworthiness) of the claim to the relying party. The truth and possible linkage is not in the claim, but results from the evaluation. If the evaluating party decides it should accept the claim being made, then this decision just represents a further claim about the subject, this time made by the evaluating party (it may or may not be conveyed further).

Evaluation of a digital identity thus results in a simple transform of what it starts with – again producing a set of claims made by one digital subject about another. Matters of trust, attribution and usefulness can then be factored out and addressed at a higher layer in the system than the mechanism for expressing digital identity itself.

The Laws of Identity

We can now look at the seven essential laws that explain the successes and failures of digital identity systems.

User Control and Consent

    Technical identity systems must only reveal information identifying a user with the user's consent.

No one is as pivotal to the success of the identity metasystem as the individual who uses it. The system must first of all appeal by means of convenience and simplicity. But to endure, it must earn the user's trust above all.

Earning this trust requires a holistic commitment. The system must be designed to put the user in control – of what digital identities are used, and what information is released.

The system must also protect the user against deception, verifying the identity of any parties who ask for information. Should the user decide to supply identity information, there must be no doubt that it goes to the right place. And the system needs mechanisms to make the user aware of the purposes for which any information is being collected.

The system must inform the user when he or she has selected an identity provider able to track internet behavior.

Further, it must reinforce the sense that the user is in control regardless of context, rather than arbitrarily altering its contract with the user. This means being able to support user consent in enterprise as well as consumer environments. It is essential to retain the paradigm of consent even when refusal might break a company's conditions of employment. This serves both to inform the employee and indemnify the employer.

The Law of User Control and Consent allows for the use of mechanisms whereby the metasystem remembers user decisions, and users may opt to have them applied automatically on subsequent occasions.

Minimal Disclosure for a Constrained Use

    The solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution.

We should build systems that employ identifying information on the basis that a breach is always possible. Such a breach

represents a risk. To mitigate risk, it is best to acquire information only on a "need to know" basis, and to retain it only on a "need to retain" basis. By following these practices, we can ensure the least possible damage in the event of a breach.

At the same time, the value of identifying information decreases as the amount decreases. A system built with the principles of information minimalism is therefore a less attractive target for identity theft, reducing risk even further.

By limiting use to an explicit scenario (in conjunction with the use policy described in the law of control), the effectiveness of the "need to know" principle in reducing risk is further magnified. There is no longer the possibility of collecting and keeping information "just in case" it might one day be required.

The concept of "least identifying information" should be taken as meaning not only the fewest number of claims, but the information least likely to identify a given individual across multiple contexts. For example, if a scenario requires proof of being a certain age, then it is better to acquire and store the age category rather than the birth date. Date of birth is more likely, in association with other claims, to uniquely identify a subject, and so represents "more identifying information" which should be avoided if it is not needed.

In the same way, unique identifiers that can be reused in other contexts (for example drivers' license numbers, social security

Justifiable Parties

    Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

The identity system must make its user aware of the party or parties with whom she is interacting while sharing information.

The justification requirements apply both to the subject who is disclosing information and the relying party who depends on it.

Our experience with Microsoft's Passport is instructive in this regard. Internet users saw Passport as a convenient way to gain access to MSN sites, and those sites were happy using Passport – to the tune of over a billion interactions per day. However, it did not make sense to most non-MSN sites for Microsoft to be involved in their customer relationships. Nor were users clamoring for a single Microsoft identity service to be aware of all their Internet activities. As a result, Passport failed in its mission of being an identity system for the Internet.

We will see many more examples of this law going forward. Today some governments are thinking of operating digital identity services. It makes sense (and is clearly justifiable) for people to use government-issued identities when doing business with the government. But it will be a cultural matter whether, for example, citizens agree it is "necessary and justifiable" for government
numbers and the like) represent “more iden-          identities to be used in controlling access to
tifying information” than unique special-            a family wiki – or connecting a consumer to
purpose identifiers that do not cross context.       her hobby or vice.
In this sense, acquiring and storing a social
security number represents a much greater            The same issues will confront intermediaries
risk than assigning a randomly generated             building a trust fabric. The law is not in-
student or employee number.                          tended to suggest limitations of what is
                                                     possible, but rather to outline the dynamics
Numerous identity catastrophes have oc-              of which we must be aware.
curred where this law has been broken.
                                                     We know from the law of control and con-
We can also express the Law of Minimal               sent that the system must be predictable
Disclosure this way: aggregation of identify-        and "translucent" in order to earn trust. But
ing information also aggregates risk. To             the user needs to understand who she is
minimize risk, minimize aggregation.
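The law of minimal disclosure above makes two concrete recommendations: derive the least identifying form of a claim (an age category rather than a birth date) and key records on a random special-purpose number rather than a reusable identifier such as a social security number. The following Python is an added illustration of both, not code from the paper or from any Microsoft product; the claim names, the category boundaries, the "emp-" prefix and the sample subject are assumptions constructed for this example.

```python
"""Least identifying information: an added example, not from the paper.
Claim names, category boundaries and the "emp-" prefix are assumptions."""
from datetime import date
import secrets

# Identifiers that are reused across contexts (the paper's drivers' licence
# and social security numbers) and so must not be acquired or retained here.
REUSABLE_IDENTIFIERS = {"social_security_number", "drivers_license_number"}


def age_category(birth_date: str, today: str) -> str:
    """Coarse category derived from an ISO birth date; the birth date itself
    is neither returned nor stored (constructed boundaries)."""
    born = date.fromisoformat(birth_date)
    now = date.fromisoformat(today)
    years = now.year - born.year
    # One year less if this year's birthday has not happened yet.
    if (now.month, now.day) < (born.month, born.day):
        years -= 1
    if years < 18:
        return "under-18"
    if years < 65:
        return "18-64"
    return "65-plus"


def minimise_claims(requested: set, available: dict, today: str) -> dict:
    """Release only the claims the scenario asks for, in their least
    identifying form, and never a cross-context identifier ("need to know")."""
    released = {}
    for name in sorted(requested):
        if name in REUSABLE_IDENTIFIERS:
            continue  # refuse the reusable identifier even though it was requested
        if name == "age_category":
            if "birth_date" in available:
                released[name] = age_category(available["birth_date"], today)
        elif name in available:
            released[name] = available[name]
    return released


def new_special_purpose_id(prefix: str) -> str:
    """Random identifier meaningful only inside one context, so it cannot
    be matched against identifiers used anywhere else."""
    return f"{prefix}-{secrets.token_hex(8)}"


def enrol(record: dict) -> dict:
    """Retain a record keyed by a fresh local number ("need to retain"),
    dropping cross-context identifiers that were offered but are not needed."""
    kept = {k: v for k, v in record.items() if k not in REUSABLE_IDENTIFIERS}
    kept["local_id"] = new_special_purpose_id("emp")
    return kept


if __name__ == "__main__":
    # Constructed sample subject: asked for age proof, an e-mail address and
    # (unnecessarily) a social security number.
    subject = {"birth_date": "1990-03-01",
               "email": "alice@example.org",              # constructed
               "social_security_number": "000-00-0000"}  # constructed
    print(minimise_claims({"age_category", "email", "social_security_number"},
                          subject, "2010-02-20"))
    print(enrol({"name": "Alice", "social_security_number": "000-00-0000"}))
```

Note that the refusal in `minimise_claims` is deliberate: a relying party that asks for a social security number when an age category would do is asking for "more identifying information", and the breach risk of holding it falls on whoever stores it.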


dealing with for other reasons, as we will see in law six (human integration). In the physical world we are able to judge a situation and decide what we want to disclose about ourselves. This has its analogy in digital justifiable parties.

Every party to disclosure must provide the disclosing party with a policy statement about information use. This policy should govern what happens to disclosed information. One can view this policy as defining "delegated rights" issued by the disclosing party.

Any use policy would allow all parties to cooperate with authorities in the case of criminal investigations. But this does not mean the state is party to the identity relationship. Of course, this should be made explicit in the policy under which information is shared.

Directed Identity

A universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles. (Starts here...)

Technical identity is always asserted with respect to some other identity or set of identities. To make an analogy with the physical world, we can say identity has direction, not just magnitude. One special "set of identities" is that of all other identities (the public). Other important sets exist (for example, the identities in an enterprise, some arbitrary domain, or in a peer group).

Entities that are public can have identifiers that are invariant and well-known. These public identifiers can be thought of as beacons – emitting identity to anyone who shows up. And beacons are "omni-directional" (they are willing to reveal their existence to the set of all other identities).

A corporate web site with a well-known URL and public key certificate is a good example of such a public entity. There is no advantage - in fact there is a great disadvantage - in changing a public URL. It is fine for every visitor to the site to examine the public key certificate. It is equally acceptable for everyone to know the site is there: its existence is public.

A second example of such a public entity is a publicly visible device like a video projector. The device sits in a conference room in an enterprise. Visitors to the conference room can see the projector and it offers digital services by advertising itself to those who come near it. In the thinking outlined here, it has an omni-directional identity.

On the other hand, a consumer visiting a corporate web site is able to use the identity beacon of that site to decide whether she wants to establish a relationship with it. Her system can then set up a "unidirectional" identity relation with the site by selecting an identifier for use with that site and no other. A unidirectional identity relation with a different site would involve fabricating a completely unrelated identifier. Because of this, there is no correlation handle emitted that can be shared between sites to assemble profile activities and preferences into super-dossiers.

When a computer user enters a conference room equipped with the projector described above, its omni-directional identity beacon could be utilized to decide (as per the law of control) whether she wants to interact with it. If she does, a short-lived unidirectional identity relation could be established between the computer and the projector - providing a secure connection while divulging the least possible identifying information in accordance with the law of minimal disclosure.

Bluetooth and other wireless technologies have not so far conformed to the fourth law. They use public beacons for private entities. This explains the consumer backlash innovators in these areas are currently wrestling with.

Public key certificates have the same problem when used to identify individuals in contexts where privacy is an issue. It may be
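The distinction the fourth law draws, an invariant omni-directional beacon for a public entity against a fabricated, unrelated identifier per relationship for a private one, can be made concrete in code. The Python below is an added illustration written for this page, not code from the paper; deriving the pairwise identifier with an HMAC over the relying party's beacon is one design choice among several, and the class and site names are constructed for the example. It goes one step beyond the text by also showing what two colluding sites can do with the identifiers they hold (compare them) and why that yields nothing.

```python
"""Directed identity: an added example, not code from the paper. The
HMAC-based derivation and all entity names are assumptions of this example."""
import hashlib
import hmac
import secrets


class PublicEntity:
    """A corporate web site or a conference-room projector: its name and
    certificate are meant to be seen by everyone and do not change."""

    def __init__(self, name: str, certificate: bytes):
        self.name = name
        self.certificate = certificate

    def beacon(self) -> dict:
        # Omni-directional: the same identifier is emitted to anyone who shows up.
        return {"name": self.name,
                "cert_fingerprint": hashlib.sha256(self.certificate).hexdigest()}


class PrivateEntity:
    """A consumer's user agent. It emits no beacon; an identifier is created
    only toward a party the user has decided (law of control) to deal with."""

    def __init__(self, master_secret: bytes):
        self._secret = master_secret  # never leaves the user's device

    def unidirectional_id(self, beacon: dict) -> str:
        # Pairwise identifier keyed on the relying party's public beacon: the
        # same value on every return visit to that party, but without the
        # master secret it cannot be linked to the identifier used anywhere else.
        handle = beacon["name"] + "|" + beacon["cert_fingerprint"]
        return hmac.new(self._secret, handle.encode(), hashlib.sha256).hexdigest()[:32]

    def ephemeral_id(self) -> str:
        # Short-lived identifier for one session with a nearby device such as
        # the projector: discarded afterwards, never reused, so nothing to track.
        return secrets.token_hex(16)


def can_correlate(id_at_site_a: str, id_at_site_b: str) -> bool:
    """All two colluding sites can do with the identifiers they hold is compare
    them; only equal values would be a correlation handle."""
    return id_at_site_a == id_at_site_b


if __name__ == "__main__":
    # Constructed sites and a constructed master secret.
    shop = PublicEntity("shop.example", b"constructed shop certificate")
    bank = PublicEntity("bank.example", b"constructed bank certificate")
    alice = PrivateEntity(b"constructed-master-secret")
    at_shop = alice.unidirectional_id(shop.beacon())
    at_bank = alice.unidirectional_id(bank.beacon())
    print("same user at shop on a return visit:",
          at_shop == alice.unidirectional_id(shop.beacon()))
    print("shop and bank can correlate her:", can_correlate(at_shop, at_bank))
    print("projector session id:", alice.ephemeral_id())
```

The beacon, by contrast, is the public entity's fixed name plus a certificate fingerprint: precisely the thing the text says every visitor may examine and everyone may know exists.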


more than coincidental that certificates have so far been widely used when in conformance with this law (i.e. in identifying public web sites) and generally ignored when it comes to identifying private individuals.

Another example involves the proposed usage of RFID technology in passports and student tracking applications. RFID devices currently emit an omni-directional public beacon. This is not appropriate for use by private individuals.

Passport readers are public devices and therefore should employ an omni-directional beacon. But passports should only respond to trusted readers. They should not be emitting signals to any eavesdropper which identify their bearers and peg them as nationals of a given country. Examples have been given of unmanned devices which could be detonated by these beacons. In California we are already seeing the first legislative measures being taken to correct abuse of identity directionality. It shows a failure of vision among technologists that legislators understand these issues before we do.

Pluralism of Operators and Technologies

A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers. (Starts here...)

It would be nice if there were one way to express identity. But the numerous contexts in which identity is required won't allow it.

One reason there will never be a single, centralized monolithic system (the opposite of a metasystem) is because the characteristics that would make any system ideal in one context will disqualify it in another.

It makes sense to employ a government issued digital identity when interacting with government services (a single overall identity neither implies nor prevents correlation of identifiers between individual government

But in many cultures, employers and employees would not feel comfortable using government identifiers to log in at work. A government identifier might be used to convey taxation information; it might even be required when a person is first offered employment. But the context of employment is sufficiently autonomous that it warrants its own identity, free from daily observation via a government-run technology.

Customers and individuals browsing the web meanwhile will in many cases want higher levels of privacy than is likely to be provided by any employer.

So when it comes to digital identity, it is not only a matter of having identity providers run by different parties (including individuals themselves), but of having identity systems that offer different (and potentially contradictory) features.

A universal system must embrace differentiation, while recognizing that each of us is simultaneously - in different contexts - a citizen, an employee, a customer, a virtual per-

This demonstrates, from yet another angle, that different identity systems must exist in a metasystem. It implies we need a simple encapsulating protocol (a way of agreeing on and transporting things). We also need a way to surface information through a unified user experience that allows individuals and organizations to select appropriate identity providers and features as they go about their daily activities.

The universal identity metasystem must not be another monolith. It must be polycentric (federation implies this) and also polymorphic (existing in different forms). This will allow the identity ecology to emerge, evolve and self-organize.

Systems like RSS and HTML are powerful because they vehicle any content. We need to see that identity itself will have several - perhaps many - contents, and yet can be expressed in a metasystem.
identifiers between individual government


Human Integration

The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks. (Starts here...)

We have done a pretty good job of securing the channel between web servers and browsers through the use of cryptography – a channel that might extend for thousands of miles. But we have failed to adequately protect the two or three foot channel between the browser's display and the brain of the human who uses it. This immeasurably shorter channel is the one under attack from phishers and pharmers.

No wonder. What identities is the user dealing with as she navigates the web? How understandably is identity information conveyed to her? Do our digital identity systems interface with users in ways that objective studies have shown to work? Identity information currently takes the form of certificates. Do studies show certificates are meaningful to users?

What exactly are we doing? Whatever it is, we've got to do it better: the identity system must extend to and integrate the human user.

Carl Ellison and his colleagues have coined the term 'ceremony' to describe interactions that span a mixed network of human and cybernetic system components – the full channel from web server to human brain. A ceremony goes beyond cyber protocols to ensure the integrity of communication with the user.

This concept calls for profoundly changing the user's experience so it becomes predictable and unambiguous enough to allow for informed decisions.

Since the identity system has to work on all platforms, it must be safe on all platforms. The properties that lead to its safety can't be based on obscurity or the fact that the underlying platform or software is unknown or has a small adoption.

One example is United Airlines' Channel 9. It carries a live conversation between the cockpit of one's plane and air traffic control. The conversation on this channel is very important, technical and focused. Participants don't “chat” - all parties know precisely what to expect from the tower and the airplane. As a result, even though there is a lot of radio noise and static, it is easy for the pilot and controller to pick out the exact content of the communication. When things go wrong, the broken predictability of the channel marks the urgency of the situation and draws upon every human faculty to understand and respond to the danger. The limited semiotics of the channel mean there is very high reliability in communications.

We require the same kind of bounded and highly predictable ceremony for the exchange of identity information. A ceremony is not a “whatever feels good” sort of thing. It is predetermined.

But isn't this limitation of possibilities at odds with our ideas about computing? Haven't many advances in computing come about through ambiguity and unintended consequences which would be ruled out in the austere light of ceremony?

These are valid questions. But we definitely don't want unintended consequences when figuring out who we are talking to or what personal identification information to reveal.

The question is how to achieve very high levels of reliability in the communication between the system and its human users. In large part, this can be measured objectively through user testing.

Consistent Experience Across Contexts

The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

Let's project ourselves into a future where we have a number of contextual identity choices. For example:

- browsing: a self-asserted identity for exploring the web (giving away no real data)
- personal: a self-asserted identity for sites with which I want an ongoing but private relationship (including my name and a long-term email address)
- community: a public identity for collaborating with others
- professional: a public identity for collaborating issued by my employer
- credit card: an identity issued by my financial institution
- citizen: an identity issued by my

We can expect that different individuals will have different combinations of these digital identities, as well as others.

To make this possible, we must “thingify” [7] digital identities – make them into “things” the user can see on the desktop, add and delete, select and share. How usable would today's computers be had we not invented icons and lists that consistently represent folders and documents? We must do the same with digital identities.

What type of digital identity is acceptable in a given context? The properties of potential candidates will be specified by the web service from which a user wants to obtain a service. Matching thingified digital identities can then be displayed to the user, who can select between them and use them to understand what information is being requested. This allows the user to control what is released.

Different relying parties will require different kinds of digital identities. And two things are clear:

- A single relying party will often want to accept more than one kind of identity; and
- A user will want to understand his or her options and select the best identity for the context

Putting all the laws together, we can see that the request, selection, and proffering of identity information must be done such that the channel between the parties is safe. The user experience must also prevent ambiguity in the user's consent, and understanding of the parties involved and their proposed uses. These options need to be consistent and clear. Consistency across contexts is required for this to be done in a way that communicates unambiguously with the human system components.

As users, we need to see our various identities as part of an integrated world which none the less respects our need for independent contexts.

Conclusion

Those of us who work on or with identity systems need to obey the Laws of Identity. Otherwise, we create a wake of reinforcing side-effects that eventually undermine all resulting technology. The result is similar to what would happen if civil engineers were to flout the law of gravity. By following them we can build a unifying identity metasystem that is universally accepted and enduring.

1 For example, the Anti-Phishing Working Group “Phishing Activity Trends Report” of February 2005 cites an annual monthly growth rate in phishing sites between July through February of 26% per month, which represents a compound annual growth rate of 1600%.

2 And recently, we have seen successful examples of federation in business to business identity sharing.
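The selection step described above (the relying party states the properties it needs, the matching "thingified" identities are shown, the user picks one and only the requested information is released) can be sketched as a small matching routine. The Python below is an added example for this page, not code from the paper or from any identity selector product; the wallet follows the six contextual identities listed above, while the claim names, issuer names and relying-party policies are constructed for the example.

```python
"""Matching thingified identities to a relying party's requirements: an added
example, not code from the paper. Claim names, issuer names and the policies
are constructed for the illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DigitalIdentity:
    label: str            # the "thing" the user sees, e.g. "personal"
    issuer: str           # "self" for a self-asserted identity
    claims: frozenset     # claim types this identity can supply


@dataclass(frozen=True)
class RelyingPartyPolicy:
    required_claims: frozenset
    accepted_issuers: frozenset = frozenset()   # empty means any issuer is acceptable


# Constructed wallet following the paper's six examples (claim sets assumed).
WALLET = (
    DigitalIdentity("browsing", "self", frozenset()),
    DigitalIdentity("personal", "self", frozenset({"name", "email"})),
    DigitalIdentity("community", "self", frozenset({"display_name"})),
    DigitalIdentity("professional", "employer", frozenset({"name", "email", "employee_id"})),
    DigitalIdentity("credit card", "bank", frozenset({"name", "card_number"})),
    DigitalIdentity("citizen", "government", frozenset({"name", "citizen_id", "birth_date"})),
)


def matching_identities(wallet, policy: RelyingPartyPolicy) -> list:
    """Identities that can satisfy the policy, in wallet order, so the selector
    presents the same candidates in the same form in every context."""
    return [identity for identity in wallet
            if policy.required_claims <= identity.claims
            and (not policy.accepted_issuers or identity.issuer in policy.accepted_issuers)]


def candidate_labels(wallet, policy: RelyingPartyPolicy) -> list:
    """What the user would see on screen: just the labels of the candidates."""
    return [identity.label for identity in matching_identities(wallet, policy)]


def select(wallet, policy: RelyingPartyPolicy, chosen_label: str) -> dict:
    """Honour the user's choice only among the matching candidates, and release
    only the requested claim types, never the identity's whole claim set."""
    for identity in matching_identities(wallet, policy):
        if identity.label == chosen_label:
            return {"identity": identity.label,
                    "issuer": identity.issuer,
                    "released_claims": sorted(policy.required_claims)}
    raise ValueError(f"{chosen_label!r} cannot satisfy this relying party")


if __name__ == "__main__":
    # Constructed relying parties: a shop, a card payment, a government service.
    shop = RelyingPartyPolicy(frozenset({"name", "email"}))
    payment = RelyingPartyPolicy(frozenset({"card_number"}))
    tax_office = RelyingPartyPolicy(frozenset({"name"}), frozenset({"government"}))
    print("shop accepts:", candidate_labels(WALLET, shop))
    print("payment accepts:", candidate_labels(WALLET, payment))
    print("tax office accepts:", candidate_labels(WALLET, tax_office))
    print("user picks personal at the shop:", select(WALLET, shop, "personal"))
```

The two observations the text calls "clear" both show up in the output: the shop accepts more than one kind of identity (personal or professional), and the user still has a choice to make between them, with the released claim list telling her exactly what that choice discloses.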


We consciously avoided the words “proposition”, meaning something proven through logic rather than experiment, and “axiom”, meaning something self-evident.

All three areas are of compelling interest, but it is necessary to tightly focus the current discussion on matters which are directly testable and applicable to solving the imminent crisis of the identity infrastructure.

We have selected the word subject in preference to alternatives such as "entity", which means "a thing with distinct and independent existence". The independent existence of a thing is a moot point here - it may well be an aspect of something else. What is important is that the thing is being dealt with by some relying party and that claims are being made about it.

7 We have chosen to “localize” the more venerable word “reify”.
