Wednesday, December 22, 2004

re Kobielus response to Cameron response


Apparently, people are reading this blog. Weird how word gets around.

In a recent blog entry, Kim Cameron, identity visionary at Microsoft, has responded to my challenge to his "four laws of identity" (in the form of Kobielus' "four principles of identity," which I proposed in an earlier blog entry). Kim puts forth the following principal arguments:

First, he asserts that his "laws" are "explanations of why previous identity systems have failed where they failed and succeeded where they succeeded." If that's so, can he be more specific? Which previous identity systems? How is he defining the success or failure of such systems? How have privacy concerns--the primary focus of his "laws"--stymied acceptance of these identity systems? How can his "laws"--or, more to the point, normative imperatives to be implemented in identity management systems--make a difference?

Second, he construes me as arguing that "[people's] identit[ies] are owned and controlled by the [big, impersonal, third-party] authorities who make assertions about [us]." That's often true, but he's overlooking a critical point that I make: in various (actual or ideal) identity regimes, each of us may be an "authority" (hence owner and controller, to a greater or lesser degree) over our own identity information (though often, the predominant identity authorities are large, impersonal institutions that exercise the balance of ownership and control over our identities and what we can do with them). Hence, in such "self-authority" identity regimes, privacy protection and permission-based attribute sharing are critical features. Consequently, my principles absorb and encompass his more limited precepts, which only focus on "self-authority" identity regimes, in which the designated (i.e., identified, named) entity is the only owner/controller. Per my second and fourth principles:

--"Identity is issued, owned, asserted, vouched, interchanged, controlled, disclosed, and administered by one or more recognized authorities, which may be the designated entity itself (i.e., self-declaration) and/or various third parties with responsibility over various roles, transactions, or scenarios in which that entity participates (and who may provision or deprovision some aspect of the entity’s identity at their pleasure, will, or whim, depending on their power over him/her/it in various spheres)."

--"Identity is control over the entity that it designates, and that control may reside to varying degrees in the designated entity, various recognized identity authorities, and/or various relying parties."

Finally, he construes me as "dismiss[ing] how the user is treated while we build the identity system." Once again, Kim needs to read my full blog entry. I specifically state the following:

--"Privacy protection is important. Personal control over one’s own identity information is important. But they aren’t the only requirements that must be addressed in a full-blown identity service bus. They don’t address cases where there’s a legitimate need for anonymity, or for full disclosure (over a designated entity’s objections) of identity. Should illegitimate political regimes be able to penetrate the veil of anonymity in which freedom fighters cloak their righteous activities? By the same token, should suspected terrorists own those identity attributes pertaining to themselves that, disclosed to the proper, legitimate authorities in the nick of time, would prevent massive death and destruction?"

I wouldn't construe any of this as arguing that it's unimportant how the user fares in an identity regime. Control over our lives depends critically on how we architect our identity service bus.

Kim, please read my post more closely. You'll find that I was doing you a service: generalizing, extending, and elaborating on your initial proposal. Yours was a good start, but you didn't model the problem space as deeply as you should have.