Laws of Identity: A Computer Theology Perspective

Preface

One of the more widely recognized names in the Identity domain is that of Kim Cameron, Chief Architect of Identity in the Connected Systems Division at Microsoft. Through his Identity Weblog (www.identityblog.com), Kim has promulgated a wide ranging discussion about the concepts, manifestations and mechanisms of identity. In the course of these discussions, he has arrived at a statement of The Laws of Identity; seven guiding principles to the construction of an identity meta-system through which can be realized digital identity.

A profound observation derived by The Laws of Identity is the extensive dependence of identity concepts on the encompassing concept of context. However, while the laws pay homage to this extended concept, they leave quite ambiguous its detailed specification. Consequently, the laws as stated provide less than might be desired in the way of guidance toward building an effective meta-system. A more detailed consideration of the concept of context might offer an interesting perspective from which to survey the laws and the resulting meta-system.

Our book, Computer Theology: Intelligent Design of the World Wide Web posits a model for human social systems, suggesting they are direct manifestations of the physiologically derived needs hierarchy that guide interaction stimuli of the species. This model considers the environment formed by a social ecosystem, i.e. an extension to the physical ecosystem in which the human species emerged through evolutionary processes. From consideration of the characteristics of various grouping mechanisms, social ecosystems subsume the individual members of the species as well as their collective tools and tool systems.  The book then builds upon the view that computers and their resulting networks, including the Internet and the derivative World Wide Web, comprise the most complex of man’s myriad tools and hence would be expected to be subsumed by the social ecosystems in which individual people function as members of larger collectives.

As the physical ecosystem forms the constraining environment for all interactions effected through the basic forces, social ecosystems constrain interactions resulting from policy manifestations effected within social orders. At its most basic, the model suggests that all human social systems are founded through the establishment of a trust infrastructure that serves to provide a gating mechanism for interactions that occur within the social system. In this guise, trust is a probability of specific interaction outcome. In a high trust situation, one should be able to better predict the outcome of an interaction than would be the case in a low trust situation. Within a trust infrastructure, policy (e.g. rules, interaction mechanisms and consideration of consequences) can be effected with some anticipation of its application and effectiveness. This leads us down the path of considering how one establishes and conveys trust in the face of specific interactions. It also allows us to consider the necessary levels of trust to be established before an interaction proceeds. So, looking at the situation from that perspective, let’s consider the laws as noted on www.identityblog.com .

Kim Cameron’s Laws of Identity [1]
… as of 5/12/2005

1.      User Control and Consent
Technical identity systems must only reveal information identifying a user with the user’s consent.

2.      Minimal Disclosure for a Constrained Use
The solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution.

3.      Justifiable Parties
Digital identify systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

4.      Directed Identity
A universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

5.      Pluralism of Operators and Technologies
A universal identity system must channel and enable the inter-working of mulitiple identity technologies run by multiple identity providers.

6.      Human Integration
The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.

7.      Consistent Experience Across Contexts
The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

The Problem

The white paper The Laws of Identity suggests that the root problem to be solved by an identity meta-system is that “The Internet was built without a way to know who and what you are connecting to.” This, it would seem, is an excellent illustration of the importance of context in communication (as opposed to simple information transfer). In fact, the Internet is replete with the means for specifying connectivity and for conveying identity information through those connections. The end-point mechanisms provided by Internet addresses (IP) and by Web addresses (URI / URL) allow any entity to be connected to any other entity. The signaling mechanisms of the Web allow for the conveyance of information of many forms and communication protocols allow for confirming the relative integrity of the information so conveyed. Moreover, names of all kinds can be attached to addresses providing ample capability for “John Smith” to interact with “Sally Brown; ” for example, through electronic mail. Indeed, a defining characteristic of the Internet is establishing and maintaining connectivity in the face of a highly dynamic foundation of point-to-point circuits. In essence, given only the addresses of the end points, various connection pathways can be established. Thus “John Smith” and “Sally Brown” have a rather robust means of interacting through the Internet. So, it would seem that we have lots of ways to express who or what we want to connect to, and lots of ways to confirm and use that connection. What then evokes the claim that there is not “…a way to know who and what you are connecting to?” The answer would seem to be found in the context of the claim. How does “John Smith” know that he’s interacting with THE “Sally Brown” that he wants to interact with? Conversely, how does “Sally Brown” know that she’s talking to THE “John Smith? ” We use the upper-case “THE” to distinguish a unique, biophysical person. How do two unique biophysical persons know they’re talking to each other?

The central facet of the problem is that essentially anyone or anything can use an address and through that address establish a connection with someone or something else while claiming to be yet a different someone or something. As the now classic New Yorker cartoon notes, “On the Internet, nobody knows you’re a dog.” We can recognize this facet when we more closely examine the details of the context of the original claim. Unfortunately, the basic Internet does not offer a THE-service, which would seem a reasonable response to this facet of the problem. Stated more generally, the Internet does not provide a mechanism through which the validity of information about or related to the connected entities can be assured or even merely assessed. We might paraphrase “The Problem” to be that the network lacks a well defined means to establish trust in the information that is foundational to any subsequent interactions and to convey that trust across the connections of the network. This is because the model of the Internet is that of a highway devoid of driving rules. As such, it is simply an improved pathway, or collection of pathways, within the physical ecosystem. Information can move along the pathways, and by way of that information, interactions can be effected between or among connected entities. However, lacking any comprehensive trust infrastructure, this information flow supports interactions governed primarily by the “laws” of the physical ecosystem; somewhat crudely stated as “the law of the jungle. ” This suggests references to the Internet as a modern incarnation of “the old West. ” Whatever “rule of law” exists is inconsistently and often ineffectively applied, largely due to the lack of a common basis of trust in the definition, application and enforcement of the “laws.” So, we might restate the problem a bit more abstractly as, the Internet as now realized does not provide a comprehensive trust infrastructure on which can be based an effective policy infrastructure.

The Solution

Adopting as the problem statement the last sentence from the previous section, we can now examine The Laws of Identity through the revised context that this problem statement suggests. First, the observation from Kim Cameron’s white paper that “…today’s Internet, absent a native identity layer, is based on a patchwork of identity one-off's.” resonates as a quite reasonable assessment. As the human species evolved, successively larger and more comprehensive grouping mechanisms emerged. At a relatively early stage, groups such as families and clans formed as effective ways to exert some level of beneficial control over the physical ecosystem. Today’s identity one-off’s have emerged on the Internet in much the same way and for many of the same reasons.

Each of the identity one-off’s essentially forms a trust infrastructure where trust conveys from the network administrator to the network access (login) facility. This is a rather classic illustration of what is referred to in Computer Theology as trust through causality: we implicitly trust the appearance of login from the existence of trusted administrators. The login operation itself then forms an illustration of trust through process: a well defined sequence of operations imbues the trust that there is control involved. Once a user is successfully logged in, she therefore becomes immersed in a trusted environment; exactly “how” trusted may yet be something of a question.   However, in general the purveyors of goods and services within that environment gain some further level of trust in the user and the user gains some further level of trust in the purveyors of goods and services through more causal and process events. This would seem to be the starting point of the current white paper as it projects the evolution of the Internet going forward; individual identity one-off’s coalesce through an identity meta-system. However, the context of the problem as we’ve restated it suggests a different progression and a somewhat different perspective on The Laws of Identity. We can still expect to arrive at an overarching identity meta-system, and we can still expect for something like the identity one-off’s to constitute subordinate elements of this identity meta-system. However, the effective principles extracted from The Laws of Identity as guidance for designing the identity meta-system may be somewhat different.

Extending the Social Order

We assume that The Laws of Identity are listed in a sequence meant to establish an ordered progression of principles. Retaining that intent and based on our re-statement of the problem to be solved, we suggest that a more appropriate starting principle is that listed in Law #6:

6.      Human Integration
The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.

As written, the law addresses the principle of including the human user as a component of the distributed system, but it does so from the perspective of the distributed system as an organizing entity. If we interpret this distributed system as being a tool system aimed at serving the human user, this perspective seems akin to writing a specification for a hammer and asserting that a human should be assumed as an extension of the handle. A different perspective would suggest that the guiding principle should be that the distributed system comprises an extension of the existing human social order. The distributed system could be construed as extending the individual human’s as well as the group’s sensori-motor and cognitive facilities into the digital world of the Internet. Optimally, the identity meta-system would extend the dynamics of the family or a small, cohesive group across the full extent of the Internet and its vastly larger population. In the highly constrained environment, identity authentication and the establishment of trust based on it are foundational manifestations of the group. The identity meta-system should provide a tool system to extend these identity facilities throughout the populace of the digital realm. A wheel extends the human sensori-motor system, allowing the traveler to more easily access the full extent of the world traversed by the highway. Likewise a Web browser extends a portion of the sensori-motor system of the Internet user across the full extent of the network. This is actually something of a telling metaphor in that it gives some insight into how we arrived at the current state. That is, how did we end up with an Internet that isn’t based on an inherent, comprehensive trust infrastructure?

If we look at the formative prototype environment of the Arpanet, the network incarnation that gave rise to the Internet, we get some clues. The Arpanet was an experiment contrived from whole cloth. It included the study of basic network architectures (the physics of the network), of protocol definitions (addressing, procedures, channel switching and message transport) and of content to be provided and consumed. The prototype network was developed within a rather cloistered domain of the existing social order. That is, it was constructed within a collection of government agencies, universities and select companies. Each of these organizing entities existed within defined trust and policy infrastructures; actually, recursively interconnected trust and policy infrastructures. The recursion was based on an overarching trust infrastructure ultimately grounded in the Constitution of the United States. The projection of the network onto the physical ecosystem was similarly cloistered. Communication channels either existed within relatively secure (trusted) physical installations or on circuits that terminated within relatively secure physical installations, e.g. telephone central offices and company offices.

As a result, the human users of the prototype network fit within a highly structured and trusted social order and the network was relatively secure from external attack or intrusion. Consequently, a significant level of trust was imbued to any user allowed access to the network. The opportunities for and the incentives toward fraudulent uses of the network, while not to be ignored, were certainly minimal relative to today’s Internet. Therefore, the network itself became imbued with an elevated level of trust. This offers some rationale for the white paper’s speaking of the increasing “criminalization of the Internet. ” Considering the Internet simply as an extension of the physical ecosystem, one might rather facetiously view this a bit like speaking of the “criminalization of the Serengeti” when lions kill a zebra for dinner. The white paper presents an image of the inherent trustworthiness of the network diminishing. In fact, the problem arose as the influx of users from outside the initial “cloistered domain” affirmed that the highway had now been extended beyond the boundaries of the original social order. Established identity one-off’s essentially form the fortified walls of cyber-cities situated amidst the pervasive jungle. If someone journeys beyond the walls, they must provide a password to the sentinels at the gate before they’re allowed to re-enter the city. The goal then becomes one of recasting this feudal system of disjoint fiefdoms into an encompassing union.

As an important corollary, we should note that when we re-cast the law of Human Integration to one of Social Order Integration, we must remember that the integration works both ways. We want to extend social order into the Internet, but in viewing the Internet as a new, improved tool system, we want to extend its facilities and utility back into the social order. There are many elements of human tool systems that are digital in substance and yet separate from the Internet. Moreover, there are many interaction environments which rely purely on the human sensori-motor system, without benefit of enhancement through tool systems; digital or otherwise. An identity meta-system that enhances trust in interactions distributed across distance and time through the Internet may have great utility in enhancing non-Internet based interactions faced with the same issues of distance and time, or simply face-to-face for that matter. Rather obviously, we will expect both the social order and the Internet to be impacted as a result. All that said; let’s consider in just a bit more detail what is involved in “social order integration. ”

The model of social ecosystems presented by Computer Theology [Computer Theology, Chapter 5, Page 151: Model of Social Ecosystems] suggests that a trust infrastructure is the defining boundary of a social order. Trust is defined as a probability of interaction outcome and is traced back to a state of the mind termed an altered state of consciousness. A recurring companion of this altered state, particularly within groups, is the practice of rituals. This matches quite will with the observation in the white paper of the importance of ceremony to describe “…interactions that span a mixed network of human and cybernetic system components – the full channel from web server to human brain.” In fact, this is a prescient observation regarding groups (networks) of computers, groups of humans or groups of both intertwined.  Indeed, a subsequent comment suggests that “This concept calls for profoundly changing the user’s experience so it becomes predictable and unambiguous enough to allow for informed decisions.” [The Laws of Identity, Kim Cameron, Page 10] This matches quite well with the function of an ecstatic state in re-calibrating a personal trust infrastructure or that of the members of a religious group. [Computer Theology, Chapter 5, Page 164: Religion]

The white paper suggests that an identity system must work “…on all platforms.” We would suggest that while such a system might be made to work on many, or all platforms, trust from an identity system is only established when it is conveyed from one trusted platform to another trusted platform. Trusted platforms are, in turn, a product of causality; they can not be achieved through process alone.

As something of an aside, since it is not fundamental to the discussion, we would also note that the white paper makes a poor choice in using the air traffic control radio channel as an illustration of a highly reliable (trusted?) channel. The suggestion is that “The limited semiotics of the channel mean there is very high reliability in communications.” The 1977 collision of two Boeing 747 aircraft on the runway at Tenerife in the Canary Islands, in which over 500 people were killed, was enabled in part by a heterodyne (caused by both pilots simultaneously keying their transmitters) on the air traffic control channel. In this case, the error in the communication channel could not be corrected by responses outside the bounds of the channel that might have compensated in other situations. The planes collided a few tens of seconds after the communication channel error. This situation illustrates the pitfalls of asymmetries in threat assessment and amelioration.[Computer Theology, Chapter 11, Page 388: Freedom]

So, perhaps we can summarize the constraints on the identity meta-system required for social order extension:

·        Extend the primary social order policy infrastructure into the digital domain

·        Extend the primary social order interaction framework into the digital domain

·        Extend the full capabilities of the human sensori-motor and cognitive system into the digital domain (This capability is clearly limited by available technology. On the other hand, the facilities of the identity meta-system should be anticipating future development that yields new, applicable technology.)

Social Interoperability

The identity one-off’s that have emerged within the physical ecosystem extension that is the current Internet have developed largely as grouping domains distinct from other such domains. In his book, Systematics and the Origin of Species, Ernst Mayr suggests that speciation begins as distinct communities become isolated in some fashion from the main body of the species’ population. From this position of relative isolation, the separated community can evolve distinct characteristics that cause it to continue to diverge from the main body of the species until a new species is formed. While Mayr wrote of purely organic species, similar evolutionary progression can be noted in social systems as well. Since a social order relies on a common basis of trust for entities contained within, the segregated development of identity one-off’s can result in starkly incompatible trust infrastructures which can give rise to starkly incompatible policy infrastructures. From this position of separation, it is difficult to integrate the respective trust and policy infrastructures through an identity meta-system. In that case, we essentially revert to the trust infrastructure of the physical ecosystem; the law of the jungle. Consequently, we would view the second most important guiding principle to be derived from The Laws of Identity to be Law #7:

7.      Consistent Experience across Contexts
The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

The concept of a “…simple, consistent experience…” suggests the need for a common basis of metaphorical understanding across the distinct identity one-off’s. Indeed, most of these domains have developed from a similar metaphorical basis that we characterized earlier as residents of, or visitors to, a walled city. By enrolling with the administrator of the city, a visitor is given a name coupled to a privileged password that will allow them entry into the city. Within the city, both residents and visitors interact under the watchful eye (trust infrastructure) of the administrator and her rules. This is a rudimentary illustration of the concept of an identification system as a facility of the trust infrastructure of a social ecosystem. In each domain, personal information about the user is used to establish some level of trustworthiness on the part of the user. On the basis of this perceived trustworthiness, the user is allowed access to the goods and services of the city. Unfortunately, a common theme of such domains is that often information about a person is used to authenticate the identity of a person. Hence, the concept of identity theft has entered the vocabulary; a person in possession of information about another person can often then impersonate that other person. This strikes at the heart of human physical as well as social interaction mechanics.

The Identity Experience

The previous section suggests that a defining principle of the identity meta-system is the concept of social interoperability. To gain technical utility, popular acceptance and quantifiable trust, common concepts should be applied across the full breadth of the meta-system. Distinct identity one-off’s may have some latitude in implementation and operational approaches, but if a user is to truly establish trust in interactions that cross the boundaries of multiple identity one-off’s then common concepts must be understood in all of the domains in question. While the white paper says that it seeks to avoid “… a discussion of the ‘philosophy of identity’,” in fact the discussion of a “claims-based definition” relative to the concept of “digital identity” seems to be very much just such a discussion of the philosophy of identity. This philosophy is given the vestiges of physical form through Law #4:

Therefore, we would suggest a somewhat different philosophy of identity that we believe leads to a more rigorous specification of the interaction environment, and in turn a better understanding of an identification system as an illustration of a basic social order. Exploring the concepts of identity through first principles of interactions should lead to a significantly more comprehensive specification of the interaction environment through which identity is used. A more complete presentation of the concepts is to be found in the book [Computer Theology, Chapter 9, Page 304: Identity] so we will simply introduce them here.

·        Experiential-identity: that characteristic of an element of a set that confirms the outcome of an interaction in which that element engaged; an information concept.

Characteristics of a good marker (explicitly stated for people):

1.      Completely unique to one entities relative to all other entities within the target set; e.g. for people, to be able to distinguish one individual person as unique within a population of 10 to the 11^th power (100,000,000,000 people)

2.      Does not change over the lifetime of the entity.

3.      Impossible to counterfeit, given a controlled (trusted) measurement environment

4.      Is non-invasive to determine (capture).

5.      Requires at most, inexpensive equipment for capture.

6.      Provides a very high quality comparison test to authenticate when compared to a collection of samples; that is, very low rates of either false-positive or false-negative indications. A feasible test of adequate sensitivity to establish identification to the level indicated in point 1 above must be available.

7.      Provides an efficient comparison test to verify a differential-identity by comparing a sample to a known template.

8.      Conveys no information about the individual other than the differential-identity of that entity, and

9.      Offers no forensic evidence for identification and indication of location after the fact; i.e. leaves no forensic wake

Experiential-identity is information that can be, under privacy-controlled circumstances, rigorously associated with a differential-identity. In general, experiential-identity will be comprised of a set of credentials, each issued by a trusted third party that attests to some interaction outcome related to a differential-identity. Some examples of experiential-identity “experiences: ”

1.      Name or Persona

2.      Birth Certificate.

3.      Address

4.      Social Security Number

5.      Driver License Number

6.      High School Diploma

7.      College Diploma

8.      Advanced Degree Diploma

9.      Honorable Discharge from Military Service

10.  Security Clearance

11.  Bank Account Number

12.  etc.

Affirming experiential-identity is accomplished through a validation protocol that confirms the trustworthiness of the credential and of the trusted third party that issued it. Privacy is granted through control of information release by the individual involved. In a digital domain, a credential is generally presented as a digital certificate and the validation protocol confirms the integrity of the certificate and the differential-identity of the trusted third party.

Using this approach, authentication of differential-identity is the means by which trusted entity involvement in an interaction is achieved. This can be accomplished within any of the identity one-off’s. Authentication is essentially a state which can now be projected throughout the identity meta-system among all trusted identity one-of’s. Experiential-identity is never used for authentication purposes. Rather, it is used either to establish trust through reputation or to establish authority (granted, just another variant of trust).

Law #4 explicitly addresses the manner in which an entity seeks to engage in an interaction. As discussed in the book [Computer Theology, Chapter 5, Page 170: Architectures of Computer Interaction] , the initiation of an interaction (overture) involves a delicate blending of actions requiring balance between aggressive and defensive behavior; in other words, a complex consideration of privacy as we discussed above.

Law #4 can be construed to explicitly refer to the establishment of physical connectivity among potential parties to an interaction. Certain physical communication channels are inherently poor at providing privacy to the interacting parties. As noted in the white paper, Blue Tooth physical protocols provide for pair wise connections to be established and for small, local networks to be dynamically established. Through this mechanism, a de facto identification of participating parties has already been accomplished before higher protocols can be brought into play through which privacy choices can be arbitraged. Smart card tokens, both contact and contactless have similar deficiencies. For these tokens, the problem arises from the master-slave relationship between the token and the host platform that it communicates with. Perhaps the more interesting manifestation of Law #4 arises if higher order interactions are considered. In this case, several useful identity constructs emerge under the guise of persona. [Computer Theology, Chapter 9, Page 309: Identity]

A persona, like a name, is a metaphorical reference to a person. Given that either a persona or a name is malleable, as a derivative of privacy, it should not be viewed as a marker, but rather as an element of experiential identity. Four distinct types of persona are considered in the book, and they provide an interesting reponse to Law #4:

·        Anchored Persona – a persona that is closely associated with a (biometry based) differential identity; an anchored persona can be recursively associated with a differential identity over the lifetime of a person throughout the primary social order.

·        Floating Persona – a persona that may be selectively, closely associated with a differential identity in a subordinate social order; a floating persona allows a person the means to create domains of experiential identity for purposes of enhanced privacy.

·        Situational Personal – a persona that is not associated with a biometry based differential identity; the “what happens in Vegas stays in Vegas” persona.

·        Anonymous – a persona that is not associated with a biometry based differential identity and that leaves no forensic wake following interactions.

Through the two facets of identity that we discussed above and using the various forms of persona, the objectives of Law #4 are addressed at a higher “logical” level as well as at the more basic physical level; again, with respect to the OSI Reference Model.

Recursion of Social Orders

As they grow to larger scale, social orders get more deeply recursive in construction. The human needs hierarchy is ultimately the source of interaction stimuli and provides impetus for people to become a part of discrete trust and policy domains. In today’s world, at the highest level, people tend to function as members of governance structures such as the nation, state and local constructs. However, they often are also members of religious congregations. In addition, they often work for companies, they’re members of social clubs and other ancillary social structures. Each of these constructs have rules and reasons why their members adhere to the rules. It is very much the “order” of things. Similarly, we have recursion [Computer Theology, Chapter 10, Page 378: Recursion] among identity systems in the digital domain as each social ecosystem chooses its own means of establishing identity and the trust established through those mechanisms. The constructs that we discussed above must be represented within such mechanisms, or new constructs must be added to the metaphorical mix. This is the only way social interoperability can be maintained.

Mechanics of Interaction

The remaining laws form a basis for specification of the interaction environment to be provided by the identity meta-system. As Barbossa observed regarding the pirate’s code (in The Pirates of the Caribbean: The Curse of the Black Pearl), “…the code is more what you'd call ‘guidelines’ than actual rules." While the stated “laws” certainly suggest relevant constraints to be placed on the interaction environment provided by the identity meta-system, they each involve a subjective evaluation process for an interaction environment that is not yet well defined. Indeed, perhaps these are better viewed as guidelines than as immutable laws.

1.      User Control and Consent
Technical identity systems must only reveal information identifying a user with the user’s consent.

The various persona that we discussed earlier provide a consistent basis for negotiation among potential parties to an interaction. It is through such negotiation [Computer Theology, Chapter 10, Page 364: Drawing the Party Line] that user control and consent can be effected, but within the constraints of the social ecosystem in which the interaction can occur. It should be remembered that social ecosystems can be recursively defined and that policy specifications applicable to an interaction can be found in the full hierarchy of such recursively connected domains. Thus, it seems reasonable that a “user” have access to the specification of the interaction environment through negotiation, but in most instances it will not be the user (supplicant) choice alone. Moreover, while the term “consent” might imply “take it or leave it” (fight or flee), in fact the choices available through negotiation might well encompass more complex decision options.

This guideline is directly applicable to the establishment of privacy relative to an interaction. However, for any particular interaction, what constitutes “minimal” yet still meets the constraints of the recursive social orders and all other participants is dependent on the interaction.

Epilogue

The Laws of Identity provide a very useful illustration of an intriguing problem. Please note that the interpretations we’ve made are ours alone. If we have misconstrued or misinterpreted any aspects of the laws, we will be pleased to adjust our discussion accordingly.