Thursday, January 27, 2005

imho The laws of identity governance


Identities must have their sovereignty safeguarded within a conducive governance structure. Per one of my previous blog postings, the core identity-governance normative/prescriptive principles are:

• Each person is the only legitimate owner of their identity, all manifestations of that identity, and all associated identity attributes.
• Each person must be able to exert full control over all instances, attributes, disclosure, and management of their own identity.
• Identity environments must be architected to enable each person to exert that control, while facilitating identity-based security functions (authentication, access control, etc.), ensuring permission-based identity-attribute sharing, and safeguarding personal privacy.
• Where each person’s identity information is concerned, any other party in the identity environments is either a registrar, steward, or consumer (not an owner) of such information.
• Other parties in the identity chain must ensure that their policies, procedures, activities, and operations don’t violate or compromise people’s control over their own identity information.

Extending the thoughts from my previous “imho” posting, I would boil down all of Cameron's proposed identity “laws” into three prescriptive rules that might be referred to collectively as the “laws of identity governance” (and which support the core identity-governance principles just outlined):

• Law of identity federation: Domains must be able to establish trust relationships under which they can choose to accept each other’s identity assertions and honor each other’s identity decisions--or reject them--subject to local policies.
• Law of identity assurance: Entities must be able to unambiguously ascertain, resolve, and verify each other’s identities, and reserve the right to refrain from or repudiate interactions in which such assurance is lacking.
• Law of identity self-empowerment: Humans must be able to self-assert their identities, and reveal or conceal as much or little of their identity as they wish, at any time, for any reason, from any other party, for any duration, and also to unilaterally defederate from any domain that deliberately or inadvertently compromises or violates these rights.

Implemented within a common governance structure, these laws would safeguard privacy while ensuring interoperability and trust in an environment forever fragmented into diverse identity domains. The right to an autonomous personal domain—each one in charge of his or her core identity—must be guaranteed to all humans, and the right to federate that idio-domain—or not federate it—must never be infringed.

Notice how I'm not calling for a "universal identity system" (which could be misconstrued as a Passport-emerges-from-its-crypt identity-aggregation scheme). I'm also not calling for, and the laws don't imply, a universal identifier. Or universal credential. Or universal SSO. I'm not actually calling for anything universal here. I'm just calling for trust, interoperability, and privacy protection mechanisms to be built into any multi-domain identity environment, no matter how narrow the domain structure (two domains interoperating, or millions of domains interoperating). These "laws of identity governance" should be basic ground rules for any distributed identity environment, simple or complex.

Essentially, I've mapped the "laws of identity" down to these minimal three (I based this on my prior formulations, on Cameron's formulations, and on everybody's blog discussions around this topic). Applying William of Ockham’s Razor always reduces unwieldy lists down to a tidy trinity.