The foundation of social computing: Identity Management

Submitted by Norm Roulet on Sun, 01/02/2005 - 03:31.

The future of the Internet and social networking is being build upon a foundation of a "meta identity standard" - and our identity and lifestyle aggregation guru Marc Canter points out, on his great blog, "creating a meta-identity standard will be 2% technology and 98% politics". He goes on to propose "to nominate Dick Hardt and his Sxip Networks technology
to lead this effort forward. Sxip can be a 'mini-backplane' of sorts -
that can then plug into Kim's mega meta momma backplane he's talking
about. I really think it's possible that 2005 can be the year that this
all comes together." For REALNEO, we are integrating the SXIP backplane into our identity management system, as is so well supported by our CMS Drupal and our Bryght development partners' efforts, making us world-class compliant to follow the "Laws of Identity" developed by the Kim Cameron referenced above, which are included below. Thus, REALNEO users' social computing future is secure.

The Laws of Identity

People who work on or with identity systems need to obey the Laws of Identity. When we don't, we leave behind us a wake of reinforcing side-effects that eventually undermine all resulting technology. The result is similar to what would happen if civil engineers were to flaunt the law of gravity.

The Laws of Identity are not about the "philosophy of identity" - which is a compelling but entirely orthogonal pursuit.

Instead, they define the set of "objective"
dynamics that constrain the definition of an identity system capable
of being widely enough accepted that it can enable distributed
computing on a universal scale. It is essential that we change
the identity conversation enough that its laws are no longer argued as
"moral imperatives", but rather as explanations of dynamics which must
be mastered to craft such a universal system.

For example, when we articulate the Law of Control
(stated below), we do so because a system which does not put users in
control of their own identity will - on day one or over time - be
rejected by enough users that it cannot become and remain a universal. The accordance of this law with my own sense of values is essentially irrelevant.
Instead, the law represents a contour limiting what the universal
identity system must look like - and must not look like - given the
many social formations and cultures in which it must be able to
operate. And so on for the other laws.

These laws are objective because they pre-exist our
consciousness of them. For example, the Law of Fewest
Parties explains the successes and failures of widely promoted real
life systems in spite of the fact that those who built the systems were
totally unaware of them.

The Laws of Identity, taken together, establish significant constraints on what a universal identity system can be. The emergent system must conform to all of the laws. Understanding this can help us eliminate a lot of doomed proposals before we waste too much time on them.

The first big breakthrough is to understand
that "some set" of laws exist. The second breakthrough comes from
wrestling with what they are. In doing this we need to invent a
vocabulary allowing us to communicate precisely about them.

Some day - when we've come to the end of the Seventh
Law - I will work on a presentation of the laws that integrates all the
thinking we have done together since this discussion began. But for
now, it's best (and often amusing) to follow the actual blog
conversation, which has really been helpful to me in clarifying these
ideas.

1. The Law of Control: 

Technical identity systems MUST only reveal information identifying a user with the user's consent. (Starts here...)

2. The Law of Minimal Disclosure

The solution which discloses the least identifying information is the most stable, long-term solution. (Starts here...)

3. The Law of Fewest Parties

Technical
identity systems MUST be designed so the disclosure of identifying
information is limited to parties having a necessary and justifiable
place in a given identity relationship. (Starts here...)

4. The Law of Directed Identity

A universal
identity system MUST support both "omnidirectional" identifiers for use
by public entities and "unidirectional" identifiers for use by private
entities, thus facilitating discovery while preventing unnecessary
release of correlation handles. (Starts here...)

5. The Law of Pluralism: 

A
universal identity system MUST channel and enable the interworking of
multiple identity technologies run by multiple identity providers. (Starts here...)

The Polycomm Scenario...

To help ground our exploration of the Laws of Identity in the concrete, we decided to run with this scenario from Eric Norlin:

you walk
into a conference room; dial into a con call on the polycomm; the
polycomm senses your bluetooth phone and (using a discovery service)
looks at your personal attribute known as "music preferences"; thus
your current favorite music (by how often you listen to it) is
downloaded from your "federated" mp3 player -- and the hold music while
you wait for your fellow con-callers is *your* favorite music.

sound a bit advanced? actually, you could (technically) do this right now with the Liberty Alliance specifications...

To facilitate discussion, I
scratched out a pictorial representation of the components (to keep
incredulous comments at bay, I won't say it is a "diagram"). One day I'll figure out how to post it.

The little thing beside stick
person is a phone, and interaction (1) uses Bluetooth to determine
stick person's identity by retrieving an identifier from the phone. The polycomm then interacts with a discovery service (2) to find out where stick person's "federated mp3" server is located. Then
it pulls down some music (3) conforming to stick person's sense of
what's hip and appropriate. Note that the components are functional
pieces only. At this point we are making no assumptions about how they
are implemented or where they are located. (Starts here...)