Speaking of identity

The Identity movement is in crisis. Or at least, it should be.

Recent weeks have seen Microsoft shelve Cardspace and more or less pull out of the digital identity space. OpenID is being abandoned by important players. I would have expected quick and forceful semi-official responses from Kantara and the OIX Foundation but they seem mute. OpenID and Cardspace are the only two technologies explicitly mentioned in the (technology neutral) OIX Framework; they are the conceptual forebears of the National Strategy for Trusted Identities in Cyberspace. How can their struggles not signal deep deep troubles ahead for NSTIC and federated identity in general?

I see a paradox. In normal life, we are totally at ease with the concept of identity, its complexity and shades. We understand the different flavours of personal identity, national identity and corporate identity. We talk naturally, nay instinctively, about “identifying with” friends, communities, sporting teams, suburbs, cities, countries, causes, and companies. In multiculturalism we know about co-existing identities. Multiple personality syndrome makes sense to lay people. Identity is not absolute. It seems clear to me that we switch identities unconsciously, when for example we wear a uniform to work, or our team’s colours to a footy game. Most of us know how it feels at a school re-union to no longer identify with the way we once were.

But when it comes to digital identity — that is, knowing and showing who we are online — we make a total mess of it. The conceptual framework inherited mainly from computer science has led to arbitrary formulations around identity that are reasonable to technicians but don’t actually jive with the human condition. For example, “authentication” and “authorization” are not cleanly separable; further, to enforce an academic separation leads to tough problems. IT ideas like Single Sign On under one identity have no parallel in the real world.

Words are vitally important. If we can adopt plain language for describing identity online then we might see better progress and reach more stable positions.

So I offer here some fragments of simpler ways of talking about digital identity.

Let’s begin not with a formal definition but a form of words. What is identity? My identity is how I am known in a circle I move in.

I move in various circles: of colleagues, customers, users, members, professionals, friends and so on.

An identifier is a proxy for my identity in a given circle. An identifier represents me in a circle.

Identity is context dependent. An identifier is usually meaningless outside its circle. For example, if I tell you my “account number” is 56236741, it’s probably meaningless without giving the BSB as well (and that’s assuming it’s a bank account).

Identity usually goes with a set of rules. In any given circle, my identity confers certain rights and privileges. It is understood by everyone in the circle that there are rules governing belonging to that circle and having an identity within it.

People join different circles in different ways. Some circles have strict admission rules, some are also regulated (e.g. banks, chartered professional bodies). For the circles of most interest in the digital economy, there is usually an application process and an agreement to abide by the rules of the circle.

People obviously belong to many circles at once. Identities within circles do not usually “interoperate”. Quite often, circles are entirely separate, and it’s essential for practical privacy that I control to a great extent how any of my circles overlap.

An important aspect of identity management that often gets mangled is the difference between (a) authenticating yourself in real time, when accessing a secure service, and (b) authenticating a transaction or document in your name, so that your involvement is evident to third parties at a later time. These are different use case scenarios, and may demand different technologies.

Some linguistic formality might help. Digital identity can be described in …

First Person Present Tense “I am Acme employee 99” i.e. Access Control
Second Person Present Tense “You are www.anz.com.au i.e. “Mutual Authentication”
Third Person Present Tense “He is bob.pip.verisignlabs.com” e.g. Web SSO by OpenID
Third Person Past Tense “She was Dr Smith Prov. 123456” e.g. Digital Signature.