From P2P Foundation
Revision as of 08:35, 11 February 2007

Laws of Identity

Seven Laws of Identity - Kim Cameron

Shortened version of an excellent introductory overview by Kim Cameron at http://www.identityblog.com/stories/2004/12/09/thelaws.html


1. User Control and Consent

Technical identity systems must only reveal information identifying a user with the user’s consent.


2. Minimal Disclosure for a Constrained Use

The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution.

The concept of “least identifying information” should be taken as meaning not only the fewest number of claims, but the information least likely to identify a given individual across multiple contexts.

We can also express the Law of Minimal Disclosure this way: aggregation of identifying information also aggregates risk. To minimize risk, minimize aggregation.


3. Justifiable Parties

Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

The identity system must make its user aware of the party or parties with whom she is interacting while sharing information.


4. Directed Identity

A universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
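Laws 2 and 4 in working form, as an added example that is not from Cameron's post or this wiki entry: a hypothetical identity provider derives a different unidirectional (pairwise) identifier for every relying party, so two private parties cannot use the identifier as a correlation handle, and it releases only the claims that were requested, preferring a derived claim such as age_over_18 over the raw birthdate. The class and method names, the HMAC construction and the sample user record are assumptions made for the example.

```python
import hmac
import hashlib
from datetime import date

# Constructed sample directory held by the identity provider (not real people).
USERS = {
    "user-0001": {"name": "Alice Example", "birthdate": "1990-05-17",
                  "email": "alice@example.invalid"},
}


def age_on(birthdate_iso: str, today_iso: str) -> int:
    """Whole years between an ISO birthdate and an ISO reference date."""
    born, today = date.fromisoformat(birthdate_iso), date.fromisoformat(today_iso)
    had_birthday = (today.month, today.day) >= (born.month, born.day)
    return today.year - born.year - (0 if had_birthday else 1)


class IdentityProvider:
    """Hypothetical provider illustrating Laws 2 and 4; not a real protocol."""

    # Claims the provider can derive so the raw attribute never leaves it (Law 2).
    DERIVED = {
        "age_over_18": lambda rec, today: age_on(rec["birthdate"], today) >= 18,
    }

    def __init__(self, pairwise_secret: bytes):
        self._secret = pairwise_secret  # constructed secret; rotate in a real system

    def pairwise_id(self, uid: str, relying_party: str) -> str:
        # Law 4: the identifier is an HMAC over (user, relying party), so each
        # relying party sees a different handle and none can link them together.
        msg = f"{uid}|{relying_party}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_claims(self, uid: str, relying_party: str, requested, today_iso: str):
        # Law 2: release exactly the requested claims and nothing else, using the
        # derived form where one exists instead of the underlying raw attribute.
        record = USERS[uid]
        claims = {"sub": self.pairwise_id(uid, relying_party)}
        for name in requested:
            if name in self.DERIVED:
                claims[name] = self.DERIVED[name](record, today_iso)
            elif name in record:
                claims[name] = record[name]
            else:
                raise ValueError(f"unknown claim requested: {name}")
        return claims
```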


5. Pluralism of Operators and Technologies

A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.

The universal identity metasystem must not be another monolith. It must be polycentric (federation implies this) and also polymorphic (existing in different forms). This will allow the identity ecology to emerge, evolve, and self-organize.


6. Human Integration

The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.


7. Consistent Experience Across Contexts

The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

As users, we need to see our various identities as part of an integrated world that nonetheless respects our need for independent contexts. (http://www.identityblog.com/stories/2004/12/09/thelaws.html)


Fen Labalme's additions

From the entry, 'Four More Laws of Identity', at http://blog.fen.net/archives/000042.html


8. Freedom

The entity (often a person) using an online digital identity system must be in total control of their information. This implies that not only the data but also the access protocols and authorization mechanisms must not be encumbered by someone else's (IP) rights, unless such restrictions were previously - and explicitly - agreed to.


9. Decentralization

An identity system should be decentralized.


10. Portability

Bridges must exist - or be straightforward to create - between identity systems so that users are not locked into a single provider.


11. Transparency

There should be a clear and (if desired) visible cause and effect relationship in all identity related transactions. (http://blog.fen.net/archives/000042.html)


Drummond Reed's Corollaries

Drummond Reed has published corollaries to the above principles, which are listed at http://www.identitygang.org/Reference


More Information

See the related entries on Reputation, Trust, Privacy, and Anonymity.

Identity Standards are listed here at http://www.identitygang.org/Reference

Identity discussion at http://www.identityblog.com/