From the BBC:
Challenges facing Humanity:
Make solar energy affordable
Provide energy from fusion
Develop carbon sequestration
Manage the nitrogen cycle
Provide access to clean water
Reverse engineer the brain
Prevent nuclear terror
*Secure cyberspace*
Enhance virtual reality
Improve urban infrastructure
Advance health informatics
Engineer better medicines
Advance personalised learning
Explore natural frontiers
David Allen, of GTD fame, teaches us that we need to define "next actions" for each item on the to-do list, so the next action for realizing secure cyberspace is best expressed here in the Laws of Identity.
The Internet was built without a way to know who and what you are connecting to. This limits what we can do with it and exposes us to growing dangers. If we do nothing, we will face rapidly proliferating episodes of theft and deception that will cumulatively erode public trust in the Internet. We have undertaken a project to develop a formal understanding of the dynamics causing digital identity systems to succeed or fail in various contexts, expressed as the Laws of Identity. Taken together, these laws define a unifying identity metasystem that can offer the Internet the identity layer it so obviously requires. They also provide a way for people new to the identity discussion to understand its central issues. This lets them actively join in, rather than everyone having to restart the whole discussion from scratch.
Those of us who work on or with identity systems need to obey the Laws of Identity. Otherwise, we create a wake of reinforcing side-effects that eventually undermine all resulting technology. The result is similar to what would happen if civil engineers were to flaunt the law of gravity. By following them we can build a unifying identity metasystem that is widely accepted and enduring.
Putting Identity in generally reduces security. It can in the short term improve security for broken or low-value systems, much like both bandaids and battlefield dressings stop bleeding. They are both bandaids, although we might disagree on the size and lifetime of them.
The problem with the so-called Laws of Identity is that they are somewhat meaningless if the Identity Assumption is not accepted within the scope of a well-designed security system.
Posted by: Iang | February 21, 2008 at 08:52 AM
I am not implying we spray sensitive attributes all over the place, but if we define identity as
"a set of claims made by one digital subject about itself or another digital subject."
then I would see identity (claims) implicit in any transaction. What those claims are, how strong they are, how they are protected and so on is subjective.
Posted by: Gunnar | February 21, 2008 at 09:10 AM
Thought question: If the set of claims can include anything that doesn't relate to itself or a subject then ... can it be an Identity? E.g., if I can prove to you that I am 18++, is that an "Identity claim"?
I think there is some merit in re-inventing the language so as to appease those who are stuck in the other ways ... but the danger is that those who are stuck will then add a few restrictions of their own. E.g., you can use this claims stuff but only if you put Identities in there.
To some extent this is what happened with PKI. The supporters point out that we don't need an Identity in there. But nobody will accept an identity-free set of claims, so in effect, PKI is identity-driven.
The need to sell to business trapped the technology into being something like what was sold, got it hung up on its own marketing, which didn't work in the end. To some extent you can see Credentica doing this, as well as Microsoft's CardSpace/infocard. One view might be that this is what the so-called Laws of Identity are: a way to sell Identity-free Identity. The danger is that such trickery may drag in too much baggage and break the model.
Posted by: Iang | February 21, 2008 at 04:33 PM