The 7 laws of identity
In 2005, Kim Cameron laid out The 7 laws of identity describing the properties that an ideal identity system should have (video interview). I encourage you to read directly from the source, but here is a short summary:
- User Control and Consent: identity systems must only reveal information identifying a user with the user’s consent.
- Minimal Disclosure for a Constrained Use: the solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution.
- Justifiable Parties: digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship
- Directed Identity: a universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles
- Pluralism of Operators and Technologies: A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
- Human Integration: The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
- Consistent Experience Accross Contexts: The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies
Many of these considerations we discussed independently as we had early discussions on WebID. It is great to find an analogous analysis because in addition to giving us validation of the problem statements it gives a great opportunity to reuse existing terminology. For example:
- IDPs still hand back global identifiers (e.g. email addresses, user ids) breaking (4), again the RP tracking problem.
- IDPs still hand back first/last names and profile pictures even when it isn’t arguably needed to create an account, breaking the principle of “least identifying information” in (2), which we called the RP tracking problem.
- RPs connect with IDPs at every sign-up and sign-in, breaking (3), which we called the IDP tracking problem.
Notably, however, there are a few considerations that I think we overlooked:
- IDPs have the ability to mint idtokens and impersonate users, breaking (1).
- IDPs don’t interoperate between each other, locking users into one or the other, breaking (5).
- IDPs aren’t interoperable, so they create different experiences for work profiles and social profiles, breaking (7).
I think the 7 laws of identity will serve as a great northstar to compare and constrast alternatives and architectures as we go along.