Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Laws of Identity Kim Cameron

Published byJuan Carlos Rey López Modified over 5 years ago

Similar presentations

Presentation on theme: "The Laws of Identity Kim Cameron"— Presentation transcript:

1 The Laws of Identity http://www.identityblog.com Kim Cameron
Architect of Identity and Access Microsoft Corporation The following notes on the presentation were taken by Scott Mace and published at Kim Cameron: I've been preoccupied by the fact whenever we have an identity conversion, we have to go back and have the conversation again. There isn't a wordset that meshes, there are so many ways to approach the problem. A group of us started a conversation in the blogosphere. In some ways it was theatrical to call hypotheses laws, but our goal is to get people involved in the discussion. To avoid going back to square one, the empty page. The work here is a result of that conversation.

2 Problem Statement The Internet was built without a way to know who and what you are connecting to Everyone offering an internet service has had to come up with a workaround Patchwork of identity one-offs We have inadvertently taught people to be phished and pharmed No fair blaming the user – no framework, no cues, no control We are “Missing the identity layer” Digital identity currently exists in a world without synergy because of identity silos The Internet was built without a way to know who or what you're connecting to. Everyone's had to figure out some way of compensating for that. In other areas of CS we'd call that a kludge. That's what they are, compensating mechanisms. We end up with a patchwork of compensations, rather than what I'd call a fabric of identity. Because of some of the limitations of our technology, what lives at the desktop end I'll say, we've gravitated toward the simplest options: form based where you enter your passwords. We've taught the entire world to indiscriminately put their credentials or PII into almost any form that appears on the screen. And then we make fun of people for being subject to phishing. There's no consistent way to do things or way for anyone to learn what's right or what's wrong. Leads to this very weak system in my view. The saddest aspect of it, I get so sad, because this is the only area of computing which has no synergy. Look at the blogosphere, at RSS – that is synergy. But because of this patchwork nature we have no synergy in identity.

3 Criminalization of the Internet
Greater use and greater value attract professionalized international criminal fringe Understand ad hoc nature of identity patchwork Phishing and Pharming (Phraud) at 1000% CAGR Combine with “stash attacks” reported as “identity loses”… Unwinding of acceptance where we should be seeing progress. Opportunity of moving beyond “public-ation” Need to intervene so web services can get out of the starting gate The ad hoc nature of internet identity cannot withstand the growing assault of professionalized attackers We can predict a deepening public crisis At the same time, we have this progressive criminalization happening. I have to say that people need to think 4 or 5 years ahead and imagine what it means for the current trends to continue. Go back 5 years and think about how you looked at these issues 5 years ago. Now imagine 5 years into the future: an Internet seriously weakened by continuing proliferation of identity “losses” and breaches and theft and all of those issues. I see the possibility of the unwinding of the acceptance of the Internet and its degeneration back into a system of publication – only stuff that's completely public. We need to intervene so Web services can be used for a large aspect of our lives rather than just for publication purposes. The ad hoc nature of the Internet identity patchwork cannot withstand the assault of the professionalized attackers. They're professionals just like us. It has a compound annual growth rate of 1000%, is one of the most prosperous part of the industry.

4 From Patchwork to Identity Fabric
The evolution to an identity fabric is hard Partial successes in specific domains – SSL; Kerberos But little agreement on what identity layer is or how it should be run Digital identity related to contexts Many contexts - each jealously guarded Enterprises, governments, verticals prefer one-offs to loss of control Individual is also a player – the key player – and has a veto Role of convenience, coolness, privacy, safety Nuanced and cogent privacy advocates in a world of pathetic “identity loss” No simplistic solution is realistic Cross cultural and international problems are the final straw We've had partial successes in various domains. I don't mean to put down anyone's good work: SSL, Kerberos in the enterprise, SAML, Liberty, a lot of early adopter projects. The truth is there's little agreement on what the identity layer is and how it should be run. Many people involved in these contexts jealously guard the identities that exist in them. This observation applies to governments, enterprises, web sites, everyone. I've talked to a lot of people. They prefer a one-off to a system outside their control. What's required is a system that leaves them in control but is capable of joining across contexts in such a way that people can maintain control of the situation out there. The individual has a veto in this thing. Without convenience, coolness, privacy, safety, the system will not be used. This very interesting group of privacy advocates are really thinking deeply and should be on our side. What we need is a system in which all the parties to identity are served. No simplistic solution is realistic. When you add cross-cultural and international problems, it becomes daunting. Is it possible to have a simple solution? I think we can have a simple solution without it being simplistic.

5 An Identity Metasystem
Diverse needs of players mean integrating multiple constituent technologies Not the first time we’ve seen this in computing Think back to things as basic as abstract display services made possible through device drivers Or the emergence of sockets and TCP/IP Unified Ethernet, Token Ring, Frame Relay, X.25 and even the uninvented wireless protocols We need a “unifying identity metasystem” Protect applications from complexities of systems Allow digital identity to be loosely coupled Avoid need to agree on dominant technologies a priori – they will emerge from the ecosystem An identity metasystem: Diverse needs of players mean integrating multiple constituent technologies. Analogy to displays. Over time things evolved to an abstraction of a graphic surface we programmed to. Device drivers sat between this abstract display and the actual hardware devices. The hardware devices became loosely coupled to the abstraction layers. Made it easier to write to them and to create new hardware devices. Hey, plug in, it works, but it's clearer, or has some advantages. TCP/IP didn't make Ethernet, TR, FR, X25 disappear. They continued to exist. That and sockets. All of a sudden you can develop applications without knowing if they had TR or Ethernet. Even wireless was able to come in and use the abstractions that were defined. We require the same kind of metasystem at the level of identity to provide this missing layer of the Internet. Protect the applications from the complexity of systems, and have identity be loosely coupled. We see new concepts coming out of the university environment. We're not at the end. Part of my work is to make contact with the innovators. Ways and systems that can have very nice properties for privacy, reliability, accountability. We need to allow solutions to come out of an ecology.

6 The role of “The Laws”… We must be able to structure our understanding of digital identity We need a way to avoid returning to the Empty Page every time we talk about digital identity We need to inform peoples’ thinking by teasing apart the factors and dynamics explaining the successes and failures of identity systems since the 1970s We need to develop hypotheses – resulting from observation – that are testable and can be disproved Our goals must be pragmatic, bounding our inquiry, with the aim of defining the characteristics of an unifying identity metasystem The Laws of Identity offer a “good way” to express this thought Beyond mere conversation, the Blogosphere offers us a crucible. The concept has been to employ this crucible to harden and deepen the laws. The role of the laws was to be able to structure our understanding of digital identity. It's a deep conversation. I call myself the hair on the end of the long tail. This is not widespread conversation. I hope it is going to be held amongst a growing number of people, since we need to involve policy thinkers, legal thinkers. The solution involves more than simply technology. Not a microscopic conversation, but not a “Gone with the wind” blockbuster. When we do start discussing identity, do we always have to come back to a tabula rasa? Preventing this is what the laws are all about. We paid hard for our understanding of identity. It's a matter of watching peoples’ careers almost go down the drain for doing identity. We need to seize the things we've learned over time. We need to develop hypotheses, and they have to be testable. We need goals that are pragmatic, that have a specific aim. I want to come back to this idea of the blogosphere. I couldn't have done this except through the blogosphere. There is an actual tempering. There is a hardening and an all-sidedness that emerges through this discussion that I would not be able to achieve as an individual thinker. And it's not over – the discussion continues…

7 Words to allow dialogue
Digital Identity: A set of claims made by one digital subject about itself or another digital subject Digital Subject: A person or thing represented in the digital realm which is being described or dealt with Devices, computers, resources, policies, relationships Claim: An assertion of the truth of something, typically one which is disputed or in doubt An identifier Knowledge of a secret Personally identifying information Membership in a given group (e.g. people under 16) Even a capability These definitions embrace Kerberos, X.509, SAML, and newly emerging technologies Here's some words that allow dialogue. Digital identity is a set of claims made by one digital subject about itself or another subject. Digital subject is a person or thing represented in the digital realm which is being described or dealt with. Claim: An assertion of the truth of something, typically one which is disputed or in doubt. Could include knowledge of a secret, PII (personally identifying information), even a capability can be a claim. These definitions embrace Kerberos, X.509, SAML. They take this problem of the evaluation of the usefulness of a digital identity up to a higher level in the systems sense of multiple layers. These definitions separate the layer of where stuff is communicated from the layer where evaluations are done – a very important step forward.

8 1. User Control and Consent
Digital identity systems must only reveal information identifying a user with the user’s consent Appeal by means of convenience and simplicity Endure by earning the user’s trust Requires a holistic commitment Put the user in control of what identities are used and what information is released Protect against deception (destination and misuse) Inform user of auditing implications Retain paradigm of consent across all contexts Digital identity systems must only reveal information identifying a user with the user's consent. Because of the pivotal role of the user. Even in prison the user can make the system really ineffective, but in the Internet the user has control. We can appeal through means of convenience and simplicity. Otherwise enough people reject the system that it doesn't become unifying. It's a system integrity issue, making sure the system isn't fundamentally divisive. This requires a holistic commitment. We need to put the user in control of what identities are used and what information is released. We need to protect against deception, both of info going to the wrong destination, and not understanding its intended use. We have to retain the paradigm of consent across all contexts. I think even when people sign into a corporate network, they are giving their consent. That isn't always clear however.

9 2. Minimal Disclosure for Limited Use
The solution that discloses the least identifying information and best limits its use is the most stable long term solution Consider Information breaches to be inevitable To mitigate risk, acquire and store information on a “need to know” and “need to retain” basis Less information implies less value implies less attraction implies less risk “Least identifying information” includes: Reduction of cross-context information (universal identifiers) Use of claim transformation to reduce individuation (example of over an age threshold as compared to specific birth date Limiting information hoarding for unspecified futures Relation of this law to information catastrophes 2. Minimal disclosure for limited use. The solution that discloses the least identifying information and best limits its use is the most stable long term solution. Don't ask for a SSN if all you need is a music preference. If you do, you're increasing your risk. If you did that in other aspects of business, you'd be fired. Be creative about achieving this minimalism. The date allows triangulation of personal identity; to get into a bar, age is all that's necessary. If you don't do this, you do become a target, as happened for example at the University of California. Why did they have information like SSN? [Q: Do they need to keep the birthdate? A: Anything they can forget they should forget. Studies show this. Let's not have everything everywhere, any more than we have to. I'm asking people to consider the reduction of risk. The systems that conform to that aren't going to be the Choicepoints of tomorrow.]

10 3. Justifiable Parties Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship The user must be aware of the party with whom information is being shared Justification requirements apply both to the subject and to the relying party Example of Microsoft’s experience with Passport In what contexts will use of government identities succeed and fail? Same issues face “intermediaries” (but don’t preclude them) Parties to a disclosure must provide a statement about information use Criminal investigation does not make the state a party to disclosure in the normal sense 3. Justifiable parties. Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship. Justifiable from the point of view of ALL those participating in the relationship. Users should be aware of who all these parties are. Some argue Passport was a complete and dismal failure. But in its role as an MSN identity provider, Microsoft's passport was very successful. Used by 250m people/day, does 1b authentications/day. Yet it was a failure in providing a generalized authentication service for the Internet. People want a relationship with MS segregated within a particular context that makes sense to them: their relationship to Microsoft. It's not appropriate in their relationship with Amazon or eBay. And which parties offering Web services want a Microsoft between them and their customers? Not hard to figure out why they don't want to. Whatever I'm proposing is not the son of Passport. It's a call to study our experiences and see them in an all-sided way.

11 4. Directed Identity A unifying identity metasystem must support both “omni-directional” identifiers for public entities and “unidirectional” identifiers for private entities Digital identity is always asserted with respect to some other identity or set of identities Public entities require well-known “beacons” Examples: web sites or public devices Private entities (people) require the option to not be a beacon Unidirectional identifiers used in combination with a single beacon: no correlation handles Example of Bluetooth and RFID – growing pushback Wireless was also misdesigned in light of this law 4. Directed identity. A universal identity metasystem must support both “omni-directional” identifiers for public entities and “unidirectional” identifiers for private entities. This was a shocker for me because our current systems need a lot of fixing in this regard. Public entities like Web sites should have an identity beacon. Same for public devices. This microphone is a public thing – everyone can see it. It can have a public identifier. Private entities like people need the option not to be turned into a beacon. This Bluetooth phone makes me into a beacon. Anyone interested in getting back at me can tune into my beacon. There are things that need to be public, and things that need not to be public. Unidirectional and voluntary overlap but are not the same. Even public figures want to be able to purchase books and not have that be a beacon. Not only is Bluetooth designed wrong from this point of view, but RFID uses beacons too. You can imagine remote detonation devices triggered by your very passport identification technology. Such technologies are not suitable to be impregnated in our children. Private individuals need systems that only respond to legitimate beacons that they can trust. It has to be more than just a unidirectional identifier. The shocking thing is we have designed all this wonderful technology in a very naïve way.

12 5. Pluralism of Operators and Technologies
A unifying identity metasystem must channel and enable the inter-working of multiple identity technologies run by multiple identity providers Characteristics that make a system ideal in one context disqualify it in another Example of government versus employer versus individual as consumer and human being Craving for “segregation” of contexts Important new technologies currently emerging – must not glue in a single technology or require “fork-lift” upgrade Convergence can occur, but only when there is a platform (identity ecology) for that to happen in 5 Pluralism of operators and technologies. A unifying indentity metasystem must channel and enable the inter-working of multiple identity technologies run by mulitple...

13 6. Human Integration A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications We’ve done a good job of securing the first 5,000 miles but allowed penetration of the last 2 feet The channel between the display and the brain is under attack Need to move from thinking about a protocol to thinking about a ceremony Example of Channel 9 on United Airlines How to achieve highest levels of reliability in communication between user and rest of system 6. Human integration. A unifying identity metasystem must define the human user to be a component integrated through protected and unambiguous human-machine communications. You can have an SSL connection that is completely secure for 5000 miles – but which connects to the wrong party. And most people will be unable to tell. That is because the last 2 feet of the connection – between the computer display and the human brain – can be intercepted in such a way that the user doesn’t understand who he is connecting with. The channel between the display and the brain is under attack. We need to move from thinking in terms of protocols to thinking about cermonies. For example if you listen to a conversation between a pilot and air traffic control - Channel 9 on United - you'll see an example of how very important communication can be done very reliably. It uses a very limited semiotic field – meaning only a limited number of words are allowed. No one can talk about their vacation in Barbados. It’s highly controlled and predictable. That limitation produces clarity and reliability. We need that kind of a clear and defined channel between us and the rest of the system when we're releasing identifying information.

14 7. Consistent Experience Across Contexts
A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies Need to “thingify” identities – make them “things” on the desktop so users can see them, inspect details, add and delete What type of digital identity is acceptable in any context? Properties of potential candidates specified by the relying party Matching thingified identities presented to user, allow her to select one and understand information associated with it. Single relying party may accept more than one type of identity User can select best identity for the context Example of 401(k) portal in a large enterprise See this as the synergetic expression of all the laws 7. Consistent experience across contexts. A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies. Need to “thingify” identities – make them “things” on the desktop so users can see them, inspect details, add, delete. Example of a company where a new system was put in place allowing employees to access their 401(k) information using their employee identity. Much to the surprise of those working on the project, many employees were upset that this theoretically allowed the employer to see their private investments, including the state of their investments with other companies. Everything leads us back to the idea of putting the user in control. If we had a system where the user had a choice of identities, each user could gravitate to the one that made them feel safe in a given context. The 401(k) provider could then respect the user’s wishes. Again, this means we need to have a consistent experience across identifiers so people can select the identity they want in a given context.

15 Contributors to the discussion
Arun Nanda, Andre Durand, Bill Barnes, Carl Ellison, Caspar Bowden, Craig Burton, Dan Blum, Dave Kearn, Dave Winer, Dick Hardt, Doc Searls, Drummond Reed, Ellen McDermott, Eric Norlin, Ester Dyson, Fen Labalme, Identity Woman Kaliya, JC Cannon. James Kobielus, James Governor… Jamie Lewis, John Shewchuk, Luke Razzell, Marc Canter, Mark Wahl, Martin Taylor, Mike Jones, Phil Becker, Radovan Janocek, Ravi Pandya, Robert Scoble, Scott C. Lemon, Simon Davies, Stefan Brandt, Stuart Kwan and William Heath And others…

16 Conclusion Those of us working on and with identity systems need to obey the laws of identity Ignoring them results in unintended consequences. Similar to what would happen if civil engineers ignored the laws of gravity By following the Laws of Identity we can build an identity metasystem that can be very widely accepted and enduring

Download ppt "The Laws of Identity Kim Cameron"

Similar presentations

Building Secure Mashups D. K. Smetters PARC Usable.

Building Secure Mashups D. K. Smetters PARC Usable.
The Laws of Identity Kim Cameron Architect of Identity and Access Microsoft Corporation.

The Laws of Identity Kim Cameron Architect of Identity and Access Microsoft Corporation.
InfoCard and the Identity Metasystem Kim Cameron, Chief Architect of Identity Microsoft.

InfoCard and the Identity Metasystem Kim Cameron, Chief Architect of Identity Microsoft.
ECEU300 Ethics in the Workplace Why talk about Ethics? Everyone is ethical, everyone knows how to behave at work. Everyone gets it about not stealing stuff.

ECEU300 Ethics in the Workplace Why talk about Ethics? Everyone is ethical, everyone knows how to behave at work. Everyone gets it about not stealing stuff.
Gallup Q12 Definitions Notes to Managers

Gallup Q12 Definitions Notes to Managers
EID Summer Summit 28 June 2005 EAP’s Sponsored and in Partnership with 7 Laws of Identity Kim Cameron Chief Architect of Identity and Access MS Corp, Redmond.

EID Summer Summit 28 June 2005 EAP’s Sponsored and in Partnership with 7 Laws of Identity Kim Cameron Chief Architect of Identity and Access MS Corp, Redmond.
Windows CardSpace and the Identity Metasystem Glen Gordon Developer Evangelist, Microsoft

Windows CardSpace and the Identity Metasystem Glen Gordon Developer Evangelist, Microsoft
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
Web Security A how to guide on Keeping your Website Safe. By: Robert Black.

Web Security A how to guide on Keeping your Website Safe. By: Robert Black.
The Laws of Identity and Cardspace Charles Young Solidsoft.

The Laws of Identity and Cardspace Charles Young Solidsoft.
The Identity Metasystem Caspar Bowden, Chief Privacy Advisor EMEA EMEA Technology Office on behalf of: Kim Cameron, Architect of Identity and Access Microsoft.

The Identity Metasystem Caspar Bowden, Chief Privacy Advisor EMEA EMEA Technology Office on behalf of: Kim Cameron, Architect of Identity and Access Microsoft.
Design Choices Underlying the Identity Metasystem Proposal Kim Cameron and Mike Jones Microsoft.

Design Choices Underlying the Identity Metasystem Proposal Kim Cameron and Mike Jones Microsoft.
Employee Engagement Survey

Employee Engagement Survey
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.

SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
Security Vulnerabilities Linda Cornwall, GridPP15, RAL, 11 th January 2006

Security Vulnerabilities Linda Cornwall, GridPP15, RAL, 11 th January 2006
Princess Royal Trust for Carers National Conference at Birmingham 25 th November 2010 Alan Worthington Carer, NMHDP Acute Programme. ‘Do your local MH.

Princess Royal Trust for Carers National Conference at Birmingham 25 th November 2010 Alan Worthington Carer, NMHDP Acute Programme. ‘Do your local MH.
Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.

Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.
Assurance service/engagement

Assurance service/engagement

Similar presentations

Ads by Google