Let’s start with a good old-fashioned Problem Statement:
- The problem of –
  - being required to share multiple items of personal information as a pre-condition to being granted access to resources on a website
- Affects –
  - my ability to manage and maintain control over my personal information;
- The impact of which is –
  - that I no longer know who has my information, what they are doing with it and how securely it is being maintained.
- An ideal solution would be …
  - A system whereby my personal information is securely stored and decoupled from their application. This would enable me to take back control of my personal information by managing when and how third parties are able to view and use my personal information.
Now that I’ve got that off my chest, let’s have a look at an important piece of background material on the subject.
In 2005 Kim Cameron, Architect of Identity at Microsoft, wrote ‘The Laws of Identity’, a blog in which he produced a problem statement far more succinct than mine: “The Internet was built without a way to know who and what you are connecting to.”
Cameron argues that it’s hard to introduce an identity layer into the Internet because there is no agreement on what digital identity should be or how it should be run. This comes about because digital identity is related to context and each one of the billions of Internet users has many hundreds of reasons, or contexts, for using the Internet.
According to Cameron, the emergence of a single simplistic digital identity solution as a universal panacea is not realistic; what is needed is a unifying identity metasystem that can protect applications from the internal complexities of specific implementations and allow digital identity to become loosely coupled.
Cameron proposes 7 laws of identity:
- User Control & Consent – technical identity systems must only reveal information identifying a user with the user’s consent.
- Minimal disclosure for a constrained use – the solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution.
- Justifiable parties – digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
- Directed identity – a universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
- Pluralism of Operators & Technologies – a universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
- Human integration – the universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
- Consistent experience across contexts – the unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
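
To make the consent, minimal disclosure and directed identity laws concrete, here is an added sketch (not code from Cameron's paper or from any product) of an identity provider that releases only consented attributes under a per-relying-party identifier. The `IdentityProvider` class, the example hostnames, the sample attributes and the HMAC-based derivation are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Hypothetical identity provider; every name here is constructed for illustration."""

    def __init__(self, public_id):
        self.public_id = public_id   # omni-directional: the same for every party
        self._users = {}             # user -> (per-user secret, attributes)
        self._consent = {}           # (user, relying party) -> consented attribute names

    def enroll(self, user, attributes):
        self._users[user] = (secrets.token_bytes(32), dict(attributes))

    def grant(self, user, relying_party, names):
        # User control and consent: nothing is released without a recorded grant.
        self._consent[(user, relying_party)] = set(names)

    def pairwise_id(self, user, relying_party):
        # Unidirectional identifier: stable for one relying party, different for
        # each other one, so two parties cannot join their records on it.
        # HMAC-SHA256 is this example's choice of derivation (an assumption).
        secret, _ = self._users[user]
        return hmac.new(secret, relying_party.encode(), hashlib.sha256).hexdigest()

    def release(self, user, relying_party, requested):
        allowed = self._consent.get((user, relying_party))
        if allowed is None:
            raise PermissionError("no consent recorded for this relying party")
        _, attrs = self._users[user]
        # Minimal disclosure: only attributes both requested and consented to.
        claims = {k: attrs[k] for k in requested if k in allowed and k in attrs}
        return {"issuer": self.public_id,
                "subject": self.pairwise_id(user, relying_party),
                "claims": claims}


if __name__ == "__main__":
    idp = IdentityProvider("https://idp.example")
    idp.enroll("alice", {"email": "alice@example.org", "over_18": True,
                         "address": "1 Constructed St"})  # constructed sample data
    idp.grant("alice", "shop.example", {"over_18"})
    print(idp.release("alice", "shop.example", ["email", "over_18", "address"]))
```

The shop asks for three attributes but receives only `over_18`, and the `subject` it sees cannot be matched against the one any other relying party receives for the same user.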