Elastigirl’s Seven Powers

Kim Cameron has posted seven very sensible Laws of Identity. Numbers 2 and 3 add up to more or less Need to Know:

2. Limited Disclosure for Limited Use

    The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution.

3. The Law of Fewest Parties

    Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.

Kim Cameron’s Laws of Identity

But user identities have aspects that go beyond traditional spook security.

A spy doesn’t normally ask the spied upon for permission to use the obtained information, but the first Law of Identity is:

1. User Control and Consent:

Digital identity systems must only reveal information identifying a user with the user’s consent. (Starts here…)

Rather than a basically third-party system (we spied something about so-and-so), these Laws also include first-person (see 1. above and this one):

6. Human Integration:

    A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications.

and second person:

4. Directed Identity

    A universal identity metasystem must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

and even first person plural cultural experience (see 6. above and this one):

7. Consistent Experience Across Contexts:

    A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies.

My favorite, though, I think is this one:

5. Pluralism of Operators and Technologies:

    A universal identity metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers.

Why? Because Kim Cameron works for Microsoft, and she’s explicitly disrecommending monopoly. What she is recommending is highly reminiscent of the IETF’s requirement of multiple heterogeneous interoperating implementations for network protocols.

Here’s her rationale for the problems she was trying to solve, and why these laws in particular. I don’t know if her laws are the final word on this subject, but they’re sure worth reading and discussing.

-jsq
