Tuesday, May 10, 2005

DIDW 2005: Kim Cameron's 7 laws of identity

Raw notes from Digital Identity World 2005:

(Notes are "raw" so they are subject to revision for accuracy. These are a combination of direct quotes and paraphrasing, and I take full responsibility for any errors, omissions or accidental misinterpretations - Scott Mace)

Kim Cameron – The Laws of Identity

Kim Cameron: I've been preoccupied by the fact that whenever we have an identity conversation, we have to go back and have the conversation again. There isn't a wordset that meshes, there are so many ways to approach the problem. A group of us started a conversation in the blogosphere. It's theatrical to call them laws, but it was to get people involved in the discussion. To avoid going back to square one, the empty page. The work here is a result of that conversation.

The Internet was built without a way to know who or what you're connecting to. Everyone's had to figure out some way of compensating for that. In other areas of CS we'd call that a kludge. That's what they are, compensating mechanisms. We end up with a patchwork of compensations, rather than what I'd call a fabric of identity. Because of some of the limitations of our technology, what lives at the desktop end I'll say, we've gravitated toward the simplest options: form based where you enter your passwords. We've taught the entire world to indiscriminately put their credentials or PII into almost any form that appears on the screen. And then we make fun of it for being subject to phishing. There's no consistent way to do things or way for anyone to learn what's right or what's wrong. Leads to this very weak system in my view. The saddest aspect of it, I get so sad, because this is the only area of computing which has no synergy. Look at the blogosphere, at RSS. Because of this patchwork nature we have no synergy in identity.

At the same time, we have this progressive criminalization happening. I have to say that people have to think 4 or 5 years ahead and imagine what it means for the current trends to continue. Go back 5 years and think about how you looked at these issues 5 years ago. Now imagine 5 years into the future: an Internet seriously weakened by serious proliferation of identity “losses” and breaches and theft and all of those issues. I see the possibility of the unwinding of the acceptance of the Internet and its degeneration back into a system of publication – only stuff that's completely public. We need to intervene so Web services can be used for a large aspect of our lives rather than just for publication purposes. The ad hoc nature of the Internet identity patchwork cannot withstand the assault of the professionalized attackers. They're professionals just like us. It has a compound annual growth rate of 1000%, is one of the most prosperous parts of the industry.

We've had partial successes in various domains. I don't mean to put down anyone's good work: SSL, Kerberos in the enterprise, SAML, Liberty, a lot of early adopter projects. The truth is there's little agreement on what the identity layer is and how it should be run. Many people involved in these contexts jealously guard the identities that exist in them. Applies to governments, enterprises. I've talked to a lot of people. They prefer a one-off to a system outside their control. What's required is a system that leaves them in control but joining across contexts in such a way that people can maintain control of the situation out there.

The individual has a veto in this thing. Without convenience, coolness, privacy, safety, the system will not be used. This very interesting group of privacy advocates are really thinking deeply and should be on our side. What we need is a system in which all the parties to identity are served. No simplistic solution is realistic. When you add cross-cultural and international problems, it becomes daunting. Does it mean you have a simple solution? I think we can without it being simplistic.

An identity metasystem: Diverse needs of players mean integrating multiple constituent technologies. Analogy to displays. Over time things evolved to an abstraction of a graphic surface we programmed to. Device drivers sat between this abstract display and the actual hardware devices. The hardware devices became loosely coupled to the abstraction layers. Made it easier to write to them and to create new hardware devices. Hey, plug in, it works, but it's clearer, or has some advantages.

TCP/IP didn't make Ethernet, TR, FR, X25 disappear. They continued to exist. That and sockets. All of a sudden you can develop applications without knowing if they had TR or Ethernet. Even wireless was able to come in and use the abstractions that were defined.

We require the same kind of metasystem at the level of identity to provide this missing layer of the Internet. Protect the applications from the complexity of systems, and have identity be loosely coupled.

We see new concepts coming out of the university environment. We're not at the end. Part of my work is to make contact with the innovators. Ways and systems that can have very nice properties for privacy, reliability, accountability.

We can allow solutions to come out of an ecology. The role of the laws was to be able to structure our understanding of digital identity. It's a deep conversation. I call myself the hair on the end of the long tail. This is not widespread conversation. Going to be held amongst maybe a growing number of people, we need to involve policy thinkers, legal thinkers. The solution involves more than simply technology. Not a microscopic conversation, but not gone with the wind. When we do start, do we always have to go back to this tabula rasa? That's what the laws are all about. I have these people coming to me with all these ideas.

We paid hard for our understanding of identity. It's a matter of I've watch people's careers almost go down the drain for doing this. We need to seize these things we've learned over time. We need to develop hypotheses, and they have to be testable. We need goals that are pragmatic, that have a specific aim. I want to come back to this idea of the blogosphere. I couldn't have done this except through the blogosphere. There is an actual tempering. There is a hardening and an all-sidedness that emerges through this discussion that I would be able to achieve as an individual thinker. And it's not over.

Here's some words that allow dialogue.

Digital identity is a set of claims made by one digital subject about itself or another subject.

Digital subject is a person or thing represented in the digital realm which is being described or dealt with.

Claim: An assertion of the truth of something, typically one which is disputed or in doubt. Could include knowledge of a secret, PII (personally identified information), even a capability can be a claim. These embrace Kerberos, X.509, SAML. They take this problem of the evaluation of the usefulness of a thing up to a higher level. Separated the layer of where stuff is communicated from the layer where evaluations are done.

Now the laws. Unfortunately there are too many of them. I really tried for three. I love Newton. Three would be good. If we can get to these seven, we can put a metasystem in place.

Audience Q: I'm wondering why identity is being expressed as a set of claims.

It can't be expressed any other way. But it's not precepts you must follow.

Q: I sense Aristotle vs. Plato. Red state vs. blue state. Realism vs. idealism.

That's so cool. If you read the definition, it specifies the subject is what is implied by the attributes of it. Is the essence rather than the attributes themselves. We will never agree on all these things, but maybe we can agree on how to layer these things. Navigating from the claims to the unifying essence.

Let's look at identity systems and things that didn't think they were identity systems. (i.e. Intel CPU ID)

  1. Digital identity systems must only reveal information identifying a user with the user's consent. Because of the pivotal role of the user. Even in prison the user can make the system really ineffective, but in the Internet the user has control. We can appeal through means of convenience and simplicity. Otherwise enough people reject the system that it doesn't become unifying. It's a system integrity issue, making sure the system isn't fundamentally divisive. This requires a holistic commitment. We need to put the user in control of what identities are used and what information is released. We need to protect against deception, both of info going to the wrong destination, and of not understanding its intended use. We have to retain the paradigm of consent across all contexts. I think when people sign into a network, they are giving their consent. That isn't always clear.

  2. Minimal disclosure for limited use. The solution that discloses the least identifying information and best limits its use is the most stable long term solution. Don't ask for a SSN if all you need is a music preference. If you do, you're increasing your risk. If you did that in other aspects of business, you'd be fired. Be creative about achieving this minimalism. The date allows triangulation of personal identity; to get into a bar, age is all that's necessary. If you don't do this, you do become this target, and you do become the University of California. Why did they have this information? [Q: Do they need to keep the birthdate? A: Anything they can forget they should forget. Studies show this. Let's not have everything everywhere, any more than we have to. I'm asking people to consider the reduction of risk. The systems that conform to that aren't going to be the Choicepoints of tomorrow.]

  3. Justifiable parties. Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship. Users should become aware of the party. Then there is this process of justification. Some argue Passport was a complete and dismal failure, like my buddy Craig. But in its role as an MSN identity provider, Microsoft's passport was very successful. Used by 250m people/day, does 1b authentications/day. Was a failure in providing authentication for the Internet. People want a relationship with MS compressed into a particular context that makes sense to them: their relationship to Microsoft. It's not fine in their relationship with Amazon or eBay. Which parties offering Web services want a Microsoft between them and their customers? Not hard to figure out why they don't want to. Whatever I'm proposing is not the son of Passport. It's a call to study our experiences and see it in a two-sided way. [Q: Single identity, or multiple? A: Multiple.] The Shibboleth people have thought about this a lot. Nothing here makes criminal investigations impossible. The state functions the way the state functions.

  4. Directed identity. A universal identity metasystem must support both “omni-directional” identifiers for public entities and “unidirectional” identifiers for private entities. This was a shocker for me. The Web site should have an identity beacon. Public devices. This microphone is a public thing. Private entities like people need the option not to be turned into a beacon. This Bluetooth phone makes me into a beacon. Anyone interested in getting back at me can tune into my beacon. There are things that need to be public, and things that need not to be public. Unidirectional and voluntary overlap but are not the same. Maria Cantwell wants to be able to purchase books and not have that be a beacon. Not only is Bluetooth designed wrong, RFID uses beacons, you can imagine remote detonation devices triggered by your very passport identification technology. It's not suitable to be impregnated in our children. You need systems that only respond to legitimate beacons that it can trust. It has to be more than just a unidirectional identifier. The shocking thing is we have designed all this wonderful technology in a very naïve way.

  5. Pluralism of operators and technologies. A unifying identity metasystem must channel and enable the inter-working of multiple identity technologies run by multiple...

  6. Human integration. A unifying identity metasystem must define the human user to be a component integrated through protected and unambiguous human-machine communications. I had an SSL connection to whatever it was. I'm a collector of disturbing identity dialogs. We can get together and share photographs. The channel between the display and the brain is under attack. We need to move from a dialog about protocols to a dialog about ceremonies. Channel 9 on United, you'll see it's a very limited semiotic field. You don't hear people talking about their vacation in Barbados. We need that kind of a channel between when we're releasing identifying information and ... we've developed a channel [that's confusing]

  7. Consistent experience across contexts. A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies. Need to “thingify” identities – make them “things” on the desktop so users can see them, inspect details, add, delete. Story of 401(k) backlash, employer can see my other investments. It's their identity. This brings us to the fact that if we had a system where the user had a choice of identities, they could gravitate to the one that made them feel safe.

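Laws 2 and 4 above are design rules, and it helps to see what they look like in code. The following is an added example, not code from Kim Cameron's talk or from Scott Mace's notes: a toy identity provider that releases only an "over 21" predicate to the bar (Law 2, minimal disclosure, instead of the birth date) and hands every relying party a different, unlinkable pairwise identifier (Law 4, a unidirectional identifier rather than a beacon). The key, the policy table, the relying-party names and the user record are all constructed for the demo.

```python
"""Added example (not from Kim Cameron's talk or Scott Mace's notes): a toy
identity provider that applies Law 2 (minimal disclosure) and Law 4 (directed
identity). The key, policy table and user record are constructed for this demo."""
import hashlib
import hmac
from datetime import date

# Constructed IdP secret. In a real deployment this lives in a KMS/HSM.
IDP_PAIRWISE_KEY = b"constructed-demo-key-do-not-use"

# Constructed user record held by the identity provider.
USER_RECORD = {
    "user_id": "u-1234",
    "email": "alice@example.com",
    "birth_date": "1980-05-10",
    "music_preference": "jazz",
}

# Constructed policy table: the claims each relying party may receive.
# The bar gets only an age predicate; the music site only a preference.
RP_POLICY = {
    "https://bar.example": {"over_21"},
    "https://music.example": {"music_preference"},
}


def pairwise_identifier(user_id, relying_party):
    """Law 4: a unidirectional identifier. The same user gets a different,
    unlinkable identifier at each relying party (keyed hash over the RP and the
    internal user id), so two sites cannot join their records on it the way
    they could on a beacon such as a CPU ID or an email address."""
    msg = f"{relying_party}|{user_id}".encode()
    return hmac.new(IDP_PAIRWISE_KEY, msg, hashlib.sha256).hexdigest()[:32]


def is_over_21(birth_date_iso, today_iso):
    """Derive the one bit the bar needs instead of releasing the birth date."""
    born = date.fromisoformat(birth_date_iso)
    today = date.fromisoformat(today_iso)
    years = today.year - born.year
    if (today.month, today.day) < (born.month, born.day):
        years -= 1  # birthday not yet reached this year
    return years >= 21


def issue_claims(record, relying_party, today_iso):
    """Law 2: emit the smallest claim set the relying party's policy allows.
    Raw attributes (birth date, email) never leave the IdP; an unknown party
    gets nothing but its pairwise identifier."""
    permitted = RP_POLICY.get(relying_party, set())
    claims = {"sub": pairwise_identifier(record["user_id"], relying_party)}
    if "over_21" in permitted:
        claims["over_21"] = is_over_21(record["birth_date"], today_iso)
    if "music_preference" in permitted:
        claims["music_preference"] = record["music_preference"]
    return claims


if __name__ == "__main__":
    for rp in RP_POLICY:
        print(rp, issue_claims(USER_RECORD, rp, "2005-05-10"))
```

The point of the keyed hash is that the identifier is stable for one relying party (so it can keep an account) but useless for correlation across parties: without the IdP's key, nobody can compute it or link the bar's `sub` to the music site's. The age check is the same idea applied to attributes: the bar learns a boolean, and a breach of the bar's database yields no birth dates.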
Contributors to the discussion [listed on screen]. I will be posting them on my blog.

Those of us working on and with identity systems need to obey the laws of identity. Ignoring them results in unintended consequences.

This is just what we think is right at this point in time. There is no identity outside of a cross-industry collaboration. It's one of the first times we've codified the thinking. It's very significant Microsoft is throwing its weight behind these laws.

Q: How to enforce?

A: The laws enforce themselves through the users. God has put these laws into effect already.

Q: Legislative efforts.

A: How do we explain that negative security features are the weakest.

Q: These are rights, not laws. They're still in danger.

A: I'm less pessimistic than you. This is a natural system at work.

Jamie Lewis: It's on my blog [shield]?

A: Let's not make it a matter of ideology. Let's make it a safe technology.

A: Certificates break Law 4 – private individuals.

Q: iName and Law 4?

A: I want you to be able to contact me, and I think it's cool. I can have a conversation with you without ever releasing my email address. Does it break Law 4? It would break it if in cases outside my control, or if I wanted communication to be private. People don't know how to contact you at the email level. It's a case where you release something but keep other things private. It's an interesting way to keep public personas, even semi-public personas.

Q: Trusted Computing violates some of these laws? The voluntary aspect.

A: Just buy a machine without that capability. Even if we're doing it wrong, I still hold to the laws. If we're doing something wrong, I think we should fix it. NGSCB used to protect our identity is a valuable thing. It can be used for various things. Will people be able to decide what it's used for? The consumer will decide.

Q: How do the laws fit in the context of those who want to do criminal activities?

A: If you have an identity system that people accept, then we can actually imagine a new era of identity-based applications, because people aren't alienated from them. My [ISP] could be identifying me for certain purposes if I choose to do that to get other things back in a social contract. Right now, I get so frustrated that I always have a machine that almost has everything turned off, because that's the only way I can get things to work, then monitor IP packets so I'm not a spam center. But that's no good. Once you can give access to just who you want, a lot of those fraud problems go away. Reduces the opportunity for phishers, and malware. On Thursday John Shuchuk would see us putting into Windows.

READ: Soloff's Digital Person book. Superdossiers will lead to a backlash. (breakout from Law #4)

2 Comments:

Blogger Chris Quirke said...

In a sense, the Internet is not a network, even if it is made out of networking technology (a table is not a tree, even if it's made of wood).

A network is limited to known identities, and so identity is meaningful - because there's a template of expectations that the identity can be checked against, and thus levels of risk can be judged.

The Internet is where strangers interact. Proof of identity doesn't make you less of a stranger - so you really are Fred Smith, so what? It doesn't mean I can trust scripts hidden in your web page to run on my PC. "If a bad guy can run code..." - then why do we let every web page potentially "...own the system"?

Once you log into a particular web site, *then* you may be in the network that you hoped you'd logged into. Then again, if something's spoofed the URL to a lookalike site on a different IP, you aren't.


LANs used to be defined by where the cables go, and WiFi undermines this.

I expect to see a new and nasty type of crime, that combines virtual world info intercept/spoofing with real world location awareness. Our current Internet-facing strategies will not address these risks.


Privacy is based on security; you can't promise to keep info private if you are not the only player.

Security is based on safety; you can't build it out of unsafe code that acts beyond design intention, such as a JPEG handler that runs "pictures" as raw code.


Another aspect is that security not only must be done, but must be seen to be done. You talk of making a tangible symbol, but symbols are just pixels - a key icon doesn't mean a secure site, etc... so even if you have a truly secure identity verification system, as users we would still be asked to trust this, because you tell us it's trustworthy.


What we need on the Internet is less identity-based "safety", and more safety in terms of matching expected risk with maximum actual risk. As it is, there's no such thing as safe "data"; every HTML allows misleading fake-URL link text, embedded scripts, ActiveX, etc.

What we need is:

- software that does not take risks ahead of user intent

- user to be presented with the level of risk that an action would take, in a way the user can understand ("view" vs. "run", and no more meaningless "open")

- software is bound by the level of risk displayed; no more running raw .EXE code within .PIF, or Word Macros within .RTF, etc.

This is "risk WYSIWYG", and malware thrives on failure here.

Limiting user rights for the duration of an OS session isn't the answer either. Every user has the right to edit their data, so every malware running within those rights can overwrite and destroy that data.

5:31 PM  
Blogger Sonny L. said...

Hey - Cool blog, nice layout! Checkout my people search blog if you can.

2:47 PM  
