Directory technologies and Identity Management

I saw that Mark Wahl and Kim Cameron have been talking
a while back, and I like to see that. With Mark’s background in
LDAP directory technologies, I know that he has been thinking about
this space for a long time.

When working on digitalMe at Novell, I really wanted to see directory
technologies extended to become a primary platform for Identity.
I say “extended” because we found a lot of issues when attempting to
store identity in a directory.

There are numerous reasons that a directory is a logical place to store identity:

  • fully extensible schema for objects and attributes
  • authentication for verifying the user
  • access control down to the attribute level
  • flexible multi-protocol access

An extensible schema gave us
the ability to quickly create a core identity representation: a
“user” object with a list of attributes. What was powerful here
was when a user interacted with a new entity and was prompted for some
previously “unknown” attribute. This would be some attribute that
might be common, but had not been pre-defined in our list of user
attributes. With a directory we were able to ask the user for the
value of that attribute, extend the schema, and populate the
value. In a later iteration, we also looked for a way to allow
the user to “alias” the new attribute to simply point at an existing
attribute. This is the case where some attribute is called
different things by different communities.

With directory authentication, we are able to verify who is talking to the directory and then enforce access control on that connection.

Access control, down to the
attribute level, was one of the most powerful features that a directory
provides. With this, we were able to determine the “visibility”
of any particular identity attribute to any requestor. With most
directories there is even the concept of a “public” or “anonymous” user
making requests, and so we were able to expose those attributes that
are considered “public.” This is also what allows me to expose
more information to people that I want to. These access controls
could also determine who was able to modify any attribute of any
object. So, for example, I might have an object that represents you in my directory, and I might choose to allow you to update and maintain some of your own attributes. It is important to see that I might choose to
… because I also might choose not to allow you to update your
object. After all … it’s my directory. However if I trust
you, why not allow you to keep me up to date on your identity if you
want to?

Lastly, it is multi-protocol
access that offered the ability to integrate with a wide range of
identity solutions. At Novell we had internal proprietary
protocols, LDAP, and even some HTTP/HTML/XML methods of access. I
worked on a protocol that I called XDAP just before we announced
digitalMe. It is almost a LID/FOAF parallel. What I did was to have XML data returned – in DSML format – when a request was received in the IETF RFC 2255
format. Even after leaving Novell I had a lot of fun
experimenting with this further and using CSS and XSL to then directly
render identity information as “documents” in the browser that looked
just like the “real” documents in the paper world.
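The directory ideas above, attribute-level access control and an XDAP-style request (LDAP URL in, DSML out), as an added example in Python. This is not code from the post, from digitalMe or from Novell; the entry, the DN, the ACL, the requester names and the host are all constructed, and the DSML shape is a simplified stand-in rather than the full DSML schema.

```python
# Added example (not code from the post, digitalMe or Novell): an in-memory
# "personal directory" that answers an RFC 2255-style LDAP URL and returns
# DSML-style XML, applying attribute-level access control first so that an
# anonymous requester only ever sees attributes marked public.  The entry,
# the DN, the ACL and the requester names are all constructed.
from urllib.parse import urlsplit, unquote
from xml.etree import ElementTree as ET

ANONYMOUS = "anonymous"   # sentinel for an unauthenticated connection

# Constructed directory contents, keyed by distinguished name.
DIRECTORY = {
    "cn=scott,o=personal": {
        "cn": ["scott"],
        "mail": ["scott@example.com"],
        "telephoneNumber": ["+1-555-0100"],
        "homePostalAddress": ["1 Constructed Lane"],
    },
}

# Attribute-level ACL: the set of requesters allowed to read each attribute.
# "*" means anyone, including the anonymous/public user; a DN means that
# authenticated user.  Attributes absent from the ACL are readable by nobody.
ACL = {
    "cn=scott,o=personal": {
        "cn": {"*"},
        "mail": {"*"},
        "telephoneNumber": {"cn=friend,o=personal"},
        "homePostalAddress": {"cn=friend,o=personal"},
    },
}


def parse_ldap_url(url):
    """Split ldap://host/dn?attrs?scope?filter into its parts (RFC 2255 layout)."""
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError("not an ldap URL")
    dn = unquote(parts.path.lstrip("/"))
    fields = parts.query.split("?") if parts.query else []
    attrs = [a for a in fields[0].split(",") if a] if fields else []
    scope = fields[1] if len(fields) > 1 and fields[1] else "base"
    filt = unquote(fields[2]) if len(fields) > 2 and fields[2] else "(objectClass=*)"
    return {"host": parts.hostname, "dn": dn, "attrs": attrs,
            "scope": scope, "filter": filt}


def visible_attributes(dn, requester):
    """Attributes of dn that this requester is allowed to read."""
    rules = ACL.get(dn, {})
    return {a for a, who in rules.items() if "*" in who or requester in who}


def search(url, requester=ANONYMOUS):
    """Look up the entry named in the URL and return only the attributes the
    requester may read.  Returns None when the entry does not exist."""
    req = parse_ldap_url(url)
    entry = DIRECTORY.get(req["dn"])
    if entry is None:
        return None
    allowed = visible_attributes(req["dn"], requester)
    wanted = req["attrs"] or list(entry)
    # Asking for an attribute you cannot read silently yields nothing: the
    # response never confirms that a hidden attribute exists.
    return {a: entry[a] for a in wanted if a in entry and a in allowed}


def to_dsml(dn, attrs):
    """Render one entry as DSML-style XML (the 'XML data returned' idea of XDAP)."""
    root = ET.Element("dsml")
    ent = ET.SubElement(root, "entry", dn=dn)
    for name, values in attrs.items():
        node = ET.SubElement(ent, "attr", name=name)
        for v in values:
            ET.SubElement(node, "value").text = v
    return ET.tostring(root, encoding="unicode")


def xdap(url, requester=ANONYMOUS):
    """The XDAP-style round trip: LDAP URL in, access-controlled DSML out."""
    result = search(url, requester)
    if result is None:
        return None
    return to_dsml(parse_ldap_url(url)["dn"], result)


if __name__ == "__main__":
    url = "ldap://localhost/cn=scott,o=personal?mail,telephoneNumber?base"
    print(xdap(url))                           # anonymous: mail only
    print(xdap(url, "cn=friend,o=personal"))   # trusted friend: both attributes
```

The point to notice is the order of operations: the ACL is applied to whatever the entry holds before the requested attribute list is honoured, so an anonymous request for `telephoneNumber` returns the same document as a request that never asked for it.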

Overall … I believe that directories could be one of the possible
stores for identity information. There are, however, some
limitations in their implementations that don’t allow for many of the
common identity request patterns … like versioning and timestamping
of attributes. Directories are not very well designed to account
for how our identities evolve and change over time. I believe
this is necessary to have effective identity management.

Representation of observable identity

[Image: image002.gif]
I really like this post by Kim about Carl’s notions of identity.
I really agree with this, and like the overall direction, however I
believe that there is a big thing missing.

In my opinion, there has to be a larger circle that encompasses this
entire diagram that represents the community that all three of these
entities belong to!

What community? Well … there has to be some community that
exists since there is some common language, or form of representation,
that each of these entities is using to refer to the
observations. In fact, I do not believe that there is a way that
distinctions of identity attributes can exist outside of the context
of some language. Words to describe the uniqueness of the
attribute … to measure and quantify it.

I was reminded of this tonight while talking with my two and half year
old son, Sam. He has long known the meme “ball” which started with
watching the kids playing basketball outside. He then assumed
that all balls are a “b-ball” … what he would call them. One
evening while driving home, he saw the moon in the sky and yelled
“Daddy … ball!” pointing at the bright disc. I told him “moon”
and he replied “moon ball.” The birth of a new distinction.
Tonight he saw someone on TV playing with a globe that they took off of
its stand. He said “Ball!” and I replied “globe” … he then
replied “globe ball.”

As we are both making these observations and distinctions, we are only
able to refer to the identity of these objects through a common
language … and common community. This entire ability is an
accumulated experience that we all seem to forget … it is a product
of the community that we grow up and live within.

There ought to be a big circle behind the entire image … and it will
represent the community through which the three of these entities have
come into contact … and the one that gives them the ability to express
their observations.

Is there such a thing as ‘public’ and ‘private’?

I want to start off by saying that I am in agreement with Kim’s Fourth Law of Identity … however it did get me thinking about ‘public’ and ‘private’ … ‘omnidirectional’ and ‘unidirectional’ …

The Fourth Law of Identity

The Law of Directed Identity

A universal identity system MUST support both “omnidirectional”
identifiers for use by public entities and “unidirectional” identifiers
for use by private entities, thus facilitating discovery while
preventing unnecessary release of correlation handles.

First, when I think about identity, I now believe that a ‘public’
identity is really just a ‘default’ identity. This is what we are
willing to expose to anyone, anyplace, and at any time. If I look
at the ‘real world’, we have certain characteristics and behaviors that
we are willing to expose when we go out in public. We then might
meet up with someone else, and choose to exchange other information
‘privately’, however we actually reveal something about ourselves even
when we perform a ‘private’ exchange of information. Kim stated:

Entities that are public can have identifiers that are
invariant and well-known. These identifiers can be thought of as
beacons, emitting identity to anyone who shows up – and thus being in
essence “omnidirectional” (they are willing to reveal their existence
to the set of all other identities).

I agree with this … for any provider of good or services to be
known, they must expose some sort of information to be
discovered. It could be that the entity might choose to ‘emit
this beacon’ all of the time … or maybe to sit quietly waiting for
the detection of another entity. In either case, once the
‘omnidirectional beacon’ has been emitted, there is a way to reference
the source entity.

What I like is the second example:

A second example of such a public entity is the “polycomm”
which looms large in the scenario we chose as a backdrop to the present
discussion. The polycomm sits in a conference room in an enterprise.
Visitors to the conference room can see the polycomm and it offers
digital services by advertising itself to those who come near it. In
the thinking outlined here, it has an omni-directional identity.

This is not really a big deal … it makes common sense … however:

Similarly, when entering a conference room furnished with
a polycomm, the omnidirectional identity beacon of that polycomm can be
used by the owner of a cell phone to decide whether she wants to
interact with it. If she does, a short-lived “unidirectional” identity
relation can be created between the cell phone and the polycomm – and
used to disclose a single music preference without associating that
preference with any long-lived identity whatsoever.

I’m not so sure that this is truly ‘unidirectional’ since
there are other artifacts of the ‘short-lived unidirectional identity
relation’ that could be observed. I might not be able to
determine the exact details of what is transferred, however I could
easily – with the assistance of some others in the room – triangulate
on the source of the signal and locate the owner of the cell
phone. I could then couple this with other visible or audible
information to begin the process of compiling a profile of that
person. So is this ‘private’?

Of course the owner of the cell phone could also
collaborate with others in the room to all initiate communications with
the polycomm at the same time, and the polycomm could be configured to
add random timings to assist with masking the true source of the music
preference, however this then still potentially identifies the ‘crowd’
or ‘community’ that is the source of the communications.

When I was working on digitalMe, I followed the work of the AT&T “Crowds” project … and also the Lucent Personal Web Assistant project.
Both of these convinced me that there might not really be a way to be
truly “private” … and that the best we can hope for is to hide in a
crowd.

It’s not just Bluetooth …

I have been reviewing Kim’s posts about the issues with Bluetooth and privacy/private identity. I have been meaning to comment about the fact “It’s not just Bluetooth!”

My deep networking experience from my time at Novell taught me a lot
about the inner workings of networking hardware and protocols.
Anyone familiar with how networks work knows that the first ‘key’ to
communications on Ethernet (actually any of the IEEE 802 standard
networks) is the MAC address. MAC addresses are assigned to every
networking adapter … and they are globally unique by default.
Each vendor who is manufacturing networking hardware is assigned a 3-octet IEEE-assigned Organizationally Unique Identifier (OUI).
This OUI is then used by that vendor as the first 6 hex digits of every
networking adapter that they create. During manufacturing, most
vendors then simply tack on 3 more octets (6 more hex digits) and
increment the value for each board or device they manufacture.
What you end up with is a 12 hex digit number that is globally unique –
the first 6 identify the manufacturer, and the second 6 identify the
unique adapter.

You can actually go and search the OUI database here. A sample of this would be to search for ‘00022d’
– the first 6 digits from my Orinoco wireless card. The point is
… these MAC addresses are globally unique and can identify your
specific machine.

Now, one of my other occupations is being the founder of a wireless
Internet company. We operate a series of Internet Cafes, and also
offer some residential wireless. Using MAC addresses, we are able
to determine how many repeat customers we have. This MAC address
is what is used at the lowest levels of networking to obtain an IP
address. When you use DHCP, you are assigned an IP address that
is then associated with your MAC address. All DHCP servers
remember your MAC address to renew your DHCP lease.

Wireless is really where this becomes an issue with identity.
When you turn on your 802.11a/b/g wireless, you are now exposing
yourself to be tracked via the MAC address of your wireless card.
Now for those of you paying attention, you would realize that this goes
for wired Ethernet as well … when you plug into any Ethernet network,
you are leaving traces of your visit. In our wireless network, we
could easily have a script that would notify us of any particular MAC
address when it was detected at any of our Internet access
locations. In the case of 802.11 wireless, you don’t even have to
be assigned an IP address or use DHCP … if your card simply
‘associates’ to our access point we know you are there. This is
equivalent to the ‘Bluetooth bomb’ that was talked about.

Now there are some ways around this. With more modern Ethernet
and wireless adapters, you are able to ‘override’ the default MAC
address that is provided by the vendor, but I have found very few
software packages or operating systems that take advantage of
this. I saw a “security tool” for Windows a few weeks ago that
picks a random MAC address each time you boot, and assigns it to your
networking card … but this is not a standard feature.
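The MAC-address exposure described above, seen from the operator's side, as an added example in Python. This is not code from the post or from the author's wireless company: it normalises MAC addresses, splits off the OUI, flags addresses whose locally-administered bit is set (what a standards-conforming “override” of the vendor MAC looks like), and summarises repeat visits across access points from association log lines. The log format, the log lines, the access-point names and the tiny OUI table are all constructed; `00022D` is the prefix the post quotes for the author's Orinoco card, `D4AB12` is made up.

```python
# Added example, not code from the post or from the author's wireless company:
# the MAC-address exposure described above, seen from the operator's side.
# The log format, the log lines, the AP names and the OUI table are constructed.
import re
from collections import defaultdict

# Constructed stand-in for the IEEE OUI registry.  00022D is the prefix the
# post quotes for the author's Orinoco card; D4AB12 is made up.
OUI_TABLE = {
    "00022D": "Orinoco wireless card vendor (prefix quoted in the post)",
    "D4AB12": "Constructed Vendor B",
}

# Constructed association log: "<date> <time> ap=<name> assoc <mac>".
SAMPLE_LOG = """\
2005-01-10 08:12:03 ap=cafe-main assoc 00:02:2d:11:22:33
2005-01-10 09:40:51 ap=cafe-main assoc 00-02-2D-11-22-33
2005-01-11 19:02:17 ap=cafe-east assoc 00:02:2d:11:22:33
2005-01-11 19:05:40 ap=cafe-east assoc 02:ab:cd:ef:01:23
2005-01-12 07:55:09 ap=cafe-main assoc d4ab.1200.1122
"""

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) ap=(?P<ap>\S+) assoc (?P<mac>\S+)$")


def normalize_mac(text):
    """Accept 00:02:2d:…, 00-02-2D-… or d4ab.1200.1122 and return 12 upper-case hex digits."""
    digits = re.sub(r"[:\-.]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def split_mac(mac):
    """Return (OUI, device part): the vendor's 3 octets and the 3 the vendor assigned."""
    mac = normalize_mac(mac)
    return mac[:6], mac[6:]


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, i.e. the address
    claims not to be a vendor burned-in one.  A randomising tool that ignores
    this bit is not caught here, which is why it cannot be the only signal."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def vendor_of(mac):
    """Look the OUI up in the (constructed) registry."""
    oui, _ = split_mac(mac)
    return OUI_TABLE.get(oui, "unknown OUI")


def summarize_visits(log_text):
    """Per MAC: how many associations, at which access points, and what the
    address itself reveals.  This is the 'script' the post says an operator
    could easily run; it needs no IP address or DHCP lease, only association."""
    seen = defaultdict(lambda: {"visits": 0, "locations": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip anything that is not an association record
        mac = normalize_mac(m["mac"])
        seen[mac]["visits"] += 1
        seen[mac]["locations"].add(m["ap"])
    return {
        mac: {
            "visits": info["visits"],
            "locations": sorted(info["locations"]),
            "vendor": vendor_of(mac),
            "locally_administered": is_locally_administered(mac),
        }
        for mac, info in seen.items()
    }


def repeat_visitors(summary):
    """MACs seen more than once: the 'repeat customers' the post describes."""
    return sorted(mac for mac, info in summary.items() if info["visits"] > 1)


if __name__ == "__main__":
    summary = summarize_visits(SAMPLE_LOG)
    for mac, info in summary.items():
        print(mac, info)
    print("repeat:", repeat_visitors(summary))
```

Two things the output makes concrete: the same card shows up at both locations however the address was written in the log, and only the one address with the U/L bit set is distinguishable as an override, so a per-boot random MAC that does not set that bit would simply look like an unknown vendor.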

There are several identity issues that arise with wireless devices and
identity. This first one is a big issue since it is a globally
unique ID that the average person is not aware of. There are
others that can also be trouble … I’ll write more in another post …

The Third Axiom of Identity

I’ve written and rewritten this post too many times … all the way
through Christmas and the New Year. It’s time to post it and get
on to the next … 😉

It is very cool to see all of the people that are joining this
conversation about Identity. And I do like the “lead” that Kim is
taking in driving towards an actual software solution … actual
implementations. I have a few comments on his Fourth Law of
Identity, however I wanted to throw out this Axiom to address his
request:

I would like to hear more of Scott Lemon’s ideas about how philosophical thinkers can help us figure out ways we can write software that intuits – this is my word and perhaps it is too rhetorical – our identity decisions for us… [Kim Cameron’s Identity Weblog]

I’ll throw out my next Axiom … and then some scenarios on how things might occur:

I posit that identity is exchanged in transactions that occur within a context of trust and authentication.

So what does this mean? It means that we are constantly
exchanging identity information throughout each and every day. Most of
these exchanges are so transparent to us … completely implicit and
automatic. The world around us is filled with “providers” and
“consumers”. We ourselves are both … at the same time. We
have, over the years, also developed a keen sense of “awareness” of the
providers of services that we want … or how to find them. We
have also developed a long list of “trusted sources” of services. This
sets up the basic foundation for an identity transaction, and its
context.

I move to a new town, and I
want to rent an apartment. I find some apartments that
meet my requirements, and then visit the apartment complex. They
hand me a rental application, and I fill out all of the
information. I give it back to them … a day later they call me
and indicate that I have been accepted as a tenant. I then visit
the apartments again, sign more papers and get the keys.

In this scenario, what exactly is going on with respect to
identity? This is really no different from the Polycomm and Cell
Phone scenario that Kim has been using.

The rental agreement is actually the interesting transaction to
me. It touches on most of the core aspects of identity
transactions. First, a rental agreement is actually a request for
identity information. More importantly, it is a request for pieces of
my identity along with the
references, or communities, that can be used to “authenticate” that
identity
information. They want to know how much money I make, and also
where I am working. They want to know the last three places that I
lived or rented. They can choose to trust the information I
provide, or more likely they will “verify the authenticity” of that
information with my references.

I have the option of locating
trusted sources and gathering background information on the apartment
complex. The apartment complex gives me a rental application to
gather my background identity information and verifying my
“trustworthiness.” In most cases, I simply “trust” the apartment
complex, and do little to look at their reputation. The apartment
complex uses a process to authenticate the identity information that I
have provided with their own trusted sources.

Some of my information is provided with “implicit” references to the
“definitive authorities” of that information. My Social Security
number, or drivers license state and number. Both of these are
understood to represent information that may be authenticated with
government agencies. Likewise, there are attributes that allow the
apartment complex to do a credit check with various credit
agencies. My job however has to be authenticated with
my employer. So when you truly
look at what any paper job application, loan application, etc.
represents, it’s actually a request for identity information along with
the information necessary to provide a context … to authenticate the
information … if so desired.

It would be great to apply for
the apartment on-line, and have the information automatically filled in
– if it is known and recognized – by identity software running on my
PC. If the identity software recognized field names, it would
fill in the appropriate information from my personal identity store
(Personal Directory?), and if it didn’t recognize the names, then it
would allow me to create global or site-specific aliases for the
fields. In addition, I would be able to review the information
being sent, and even temporarily or permanently change what is being
sent.

This is where I see a lot of value for digital identity software to
solve a real-world problem. Yes, single sign-on is one place, but
the world of paper ‘applications’ that request all sorts of redundant
and mundane information is very inefficient and tedious. On top
of that, most of these paper forms are asking us for the same
information, and a lot of past historical information that we are
expected to memorize! What are your last three addresses?
What are your last three jobs? When was your last tetanus
shot? Who is your insurance company?

If I answer the question once, it seems that my own little personal
identity agent could record my answer … so that the next time I am
asked for that information it would be “pre-populated” in the
form. This is exactly what the browser ‘form filling’ solutions
do … so why not expand this extensively?

Once I have completed the
apartment rental application, I probably would not want to always keep
them up to date with this information forever. However, there are
many cases where I *DO* want to keep someone up to date. When
someone asks for my business card, I ought to be able to send it to
them, and tell my personal identity agent to prompt me if I ever
change that information. The prompt would be something simple
like “Scott, you just changed your home address … you asked me to
always notify this one group of people (so I already did!), and you
also asked me to prompt you about this group of people … can you
choose the ones that you want it sent to?”

This is really where we wanted to move with digitalMe … and it is far
from the software doing things automatically without instruction.
It is more that during the various identity transactions that we
experience, the identity software would be accumulating a set of
‘rules’ that we design to determine how future transactions might occur.

So this is almost like taking the simple form filling that we have
today, putting a real identity store behind it, and coupling it with a
‘learning’ rules engine similar to the learning firewalls that are
available today. If we then add support for the various identity
protocols that are growing in momentum we have a very flexible tool
that automates much of the work that we do today in these identity
transactions.

Kim’s Third Law of Identity

I agree completely with Kim’s Third Law.

The Fewest Parties Law of Identity

Technical identity systems MUST be designed so the disclosure of
identifying information is limited to parties having a necessary and
justifiable place in a given identity relationship.

This is, IMHO, the same thing that caused the failure of
Novell’s digitalMe project … after it was taken over by others in the
company. It’s funny how some people at Novell really thought that
Novell was somehow going to become the de facto source of identity
information in the world.

I kept hearing these funny internal pitches about “billion
user directories” … and silly me I just kept thinking “I would rather
sell hundreds of millions of personal directories, than a couple
of ‘billion user’ directories!” How many “billion user”
communities are there on earth?

I think of a different theory on why these grand schemes
fail. Kim touches on this also. If you try to build the
“one big thing in the sky”, and there is a second group of people that
don’t like you or trust you, then they’ll build their own
version. Which means there will be two. If there are two,
then there will be three or more … and then things start to go in all
directions. It’s funny to see this even occurring in the Open
Source world. People have disagreements and fork a project …
and then it gets forked again. I’m not saying this is bad at all
… it’s the natural progression. So build to embrace this!

The original digitalMe team was after building community
platforms, and then providing methods to federate … however much of
what we were pursuing was “client-side federation” … allowing the
user to be the federation point, since they exist at the intersection
of all of the communities that they belong to. We figured that we would allow anyone
to create a community … and allow people to choose the communities
that they wanted to belong to, and which ones they would trust.

Part of the reason that I strongly believe in the Third
Law is that this is how the “philosophical” views fall also. When
I participate in an identity transaction, I can choose to limit the
parties involved if I trust the other party or if the information being
exchanged is not too valuable. On the other hand, I might have to
bring in a third or fourth party if we both want to feel secure about
who the other party is, or I want to authenticate the identity
information being exchanged.

In the end … I like Kim’s thoughts …

Granularity of Identity

I agree completely with the line of thought from Dick.  There is
the concept of passing groupings of identity values, passing individual
identity values, and then passing the results of comparisons.  All
of this is greatly enhanced in the digital world.

Identifiers Enable Discrimination.
Kim Cameron posted his Second Law of Identity, The Minimal Disclosure
Law of Identity: “The solution which discloses the least identifying
information is the most stable, long-term solution.” The thesis here is
that the more identifying information is released, the more a solution
invites abuse by rogue (and ultimately criminal) elements. We will
return to a more rigorous discussion of these dynamics… [Dick Hardt – Blame Canada]

Dave’s DNA

I really like Dave Kearns and his “no nonsense” attitude. As I
worked at Novell, he often saw right through the crap going on
internally, and asked the tough questions. I’m glad to see him
following this conversation … he was one of the few that understood
the value of a “personal directory” …

He recently commented on my Axioms of Identity
and I have to admit … he brought up a very interesting
perspective. However, as he stated, “I can see we’re going to
disagree.” 😉

He indicated that DNA is an interesting form of identity and that:

Your DNA is you. You are your
DNA. It is not assigned to you nor can you change it. It is your identity. Everything else is simply a “handle”, a shortcut or nickname for the identity that is you. [The Virtual Quill]

Hmmm … I have been thinking about this for a while. There are two issues that I see where this falls down …

1. DNA is not 100% unique. What? How can that be? Well … identical twins’ DNA.
I have to admit that one of the coolest things that I heard at a recent
conference was the answer to the question “Do identical twins have
identical finger prints?” The answer is no … even though they
do have identical DNA. So we have a situation where DNA can not
be my identity … or at least is not unique to me … if I am an
identical twin.

2. There is a more important issue here … and that is that the entire
model and concept of DNA is again “given to me.” Yes, I do have
an interesting trait that some communities measure and discuss as
“DNA”, however there are a large number of places on earth, where there
is no such concept. DNA is something that a certain community of
people on earth say that I
have. However outside of these circles, it means nothing.
If I met up with some people in the jungles of New Zealand who had no
worldly contact, they might listen to my stories about double-helix strings of sugar-phosphates, however it probably would be meaningless to them.

This is again proof of my Second Axiom
… it only exists within the context of a community that gave me that
identity. When I leave that context … it doesn’t exist.
Just like the DNA example … I have a height and weight also … but
only as concepts that a community of people agree on. I am told
that I am as tall as something, and weigh the same as something … and
that I have DNA that is similar to something.

I am flattered by Dave’s comments and the conversation … I look
forward to more of this. I also look forward to discussing more
the concept of a personal directory to store all of this information
… as long as the directory supports enough of the required
functionality.

All in good fun

I had a friend ask me if I was really serious about these “Axioms of Identity” today …

Uh … no.  I mean, yes … I love the conversation and have spent
a lot of time thinking about this problem space.  But no … I’m
not really such a serious person.  I enjoy life too much.

Even the word “posit” I picked up with a friend Bruce Grant at the Accelerating Change Conference
in California last year.  During the first day, person after
person would get up to the microphone and start off by saying “I posit
…” … we both loved it.  We started using it at work all the
time … for the fun of it.

So … yes … I love to think deeply … and at the same time, I’m having fun!

Getting philosophical?

I think I am getting the idea of where Kim is going with the Second
Law, and I agree completely. The solution that is
going to dominate is the one the consumer perceives as providing the
most control over, and awareness of, their identity information.
Ok … I added the “awareness of”
part. It’s to address one of the questions that Kim had in a
later post. I’ll get to it. I wanted to explore a new angle of this part of Kim’s post:

A solution in which the polycomm has to query my mobile phone for a social security number would be much less stable than one which required the polycomm to query only for the address of an mp3 service.

This makes me think about a lot of questions … and I want to
explore this in an orthogonal direction. I’m more thinking about
the “identity transactions” that are taking place. This actually
leads into my Third Axiom in which all identity is exchanged within
“verified” or “unverified” contexts. Of course it could also be
an “asymmetric” context in which only one party verifies the identity of
the other.

In this scenario, there are two digital devices that are wirelessly
communicating and exchanging information. In many scenarios like
this … the two devices might just trust each other’s “unverified
identities” and offer services or consume services. We live our lives
using and accepting a lot of “unverified identity” information, however
there are
many scenarios in our lives where “verified identity” is required.

When I walk into a bar, for example, the bartender is no longer as
likely to “take my word for it”. He or she instead wants me to
provide some credentials from a mutually acceptable community that we
both belong to. I could provide a drivers license, a passport, a
military ID, or maybe even my little digital device, that refers the
bartender’s little digital device to contact some webservice that exists
at a commonly known namespace.

Of course, it could be that my little digital device contacts the web
service first, indicating that the bartender is going to be requesting
to verify my identity information in a moment. I get a “ticket”
back from the web service that I give to the bartender that allows the
bartender to only make that verification request … and only within a
certain amount of time. The request might be to verify my age, in years …
or better yet that I am simply “older than the legal drinking
age”. (This is something that I thought of when reading Dick Hardt’s post
the other day.) These are all details that the bartender and I have to
agree upon …
or have cool little digital devices that store our identity and
preferences and accelerate the negotiation. (No Kim … not
completely automated … unless I’m comfortable with that … 😉)
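The bartender exchange above, as an added example in Python. This is not code from the post: the subject's device asks the identity web service for a short-lived “ticket” scoped to one verifier and one yes/no question (“older than the legal drinking age”); the bartender's device redeems it and receives the answer, never the birth date. That is the “result of a comparison” level of disclosure from the Granularity of Identity post above, as opposed to passing the value itself. The service secret, the record, the legal age, the subject and verifier names and all timestamps are constructed, and the HMAC-over-JSON ticket format is this example's own choice, not anything the post specifies.

```python
# Added example, not code from the post: a short-lived, single-purpose ticket
# that lets one verifier ask one yes/no question of an identity web service.
# Secret, record, legal age, names and all times are constructed.
import base64
import hashlib
import hmac
import json
import time
from datetime import date

SERVICE_SECRET = b"constructed-demo-secret"        # held only by the web service
RECORDS = {"scott": {"birth_date": "1970-06-15"}}  # constructed identity store
LEGAL_DRINKING_AGE = 21                             # assumed for the example


def _sign(body: str) -> str:
    return hmac.new(SERVICE_SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_ticket(subject, predicate, verifier, ttl_seconds, now=None):
    """Step 1: the subject's device asks the service for a ticket that lets
    exactly one verifier ask exactly one question, for a limited time."""
    now = int(time.time() if now is None else now)
    claims = {"sub": subject, "pred": predicate, "aud": verifier,
              "iat": now, "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + _sign(body)


def _age_on(birth_iso, on):
    born = date.fromisoformat(birth_iso)
    return on.year - born.year - ((on.month, on.day) < (born.month, born.day))


# The only questions the service will answer.  Each returns a bool, never a value.
PREDICATES = {
    "over_drinking_age": lambda rec, today: _age_on(rec["birth_date"], today) >= LEGAL_DRINKING_AGE,
}


def verify(ticket, predicate, verifier, now=None, today=None):
    """Step 2: the verifier redeems the ticket.  Returns (accepted, answer);
    a rejected ticket yields (False, None) so nothing leaks about the subject."""
    now = time.time() if now is None else now
    today = date.fromtimestamp(now) if today is None else today
    try:
        body, sig = ticket.split(".")
    except ValueError:
        return (False, None)                        # malformed
    if not hmac.compare_digest(sig, _sign(body)):
        return (False, None)                        # forged or tampered
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now > claims["exp"]:
        return (False, None)                        # outside the agreed time window
    if claims["pred"] != predicate or claims["aud"] != verifier:
        return (False, None)                        # wrong question or wrong bartender
    record = RECORDS.get(claims["sub"])
    check = PREDICATES.get(predicate)
    if record is None or check is None:
        return (False, None)
    return (True, check(record, today))


if __name__ == "__main__":
    t = issue_ticket("scott", "over_drinking_age", "bar-42", ttl_seconds=60)
    print(verify(t, "over_drinking_age", "bar-42"))     # (True, True)
    print(verify(t, "over_drinking_age", "other-bar"))  # (False, None)
```

Note that the verifier learns only the boolean; the subject's record never leaves the service, and a ticket presented by a different verifier, for a different question, after expiry, or with a modified byte is refused without an answer.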

All of these transactions support the idea that identity comes from
communities. The more important or valuable the transaction, the
more it will require verification … from an authoritative source.
That source will be the community that gave that identity to us,
or one that has a trusted relationship with the community that did.

Casual interactions between cell phones and polycomms … can use
unverified identity. And every now and then you might hear some
very disturbing sounds or music coming from a polycomm! 😉