Bookkeeping details

July 25, 2006

As I grok more about the distinction between personal identity and corporate identity it seems wise to say: 

This is my personal blog.  It does not reflect the views of my employer, and I am not speaking as my employer’s representative.  If you quote me, please respect my right to contribute opinions without connection to my employer.

 Mike


User-centric Identity Contexts

July 7, 2006

A recent discussion on the ID Workshop group has been about user-centric identity and the corporation.  As a part of that discussion Phil Becker pointed out we use the term “user-centric” in multiple contexts and it really means different things in different contexts.  Below is my first pass at a potential list of contexts for the term “user-centric”. 

I think the list Phil proposed is: 

User-centric architecture – is this about the user in the protocol?  I don’t think it is intended to be about where the data resides.  I am still unclear about how this fleshes out given there seems to be agreement it does not mean the user makes a decision, nor sees every exchange of identity data. 

User-centric experience – So is this just CardSpace and OSIS? 

User-centric control – I suppose this would be about the user having some say in what attributes of their identity in what context are shared.  This could be a user in the middle each time, or include delegation via the likes of an i-broker. 

User-centric management – Managers are vague, management is vague (sorry).  How is this different from user-centric control, if at all?  Is control about flow and management about the maintenance of identity attributes (CRUD)? 

User-centric data – Don’t know if Phil proposed this as a category, but I have some trouble with this one.  Notice what is not on the list is user-centric identity *ownership*.  Is that what we mean here?  I am stuck on the idea that I have no ownership of any meaningful identity data.  See my previous posts.  We might have control, but the only identity attributes anyone else would care about are owned by someone else, at least asserted by others.  What you own that is not issued/asserted by others is fantasy. 

Mike


Stirring the pot

July 6, 2006

So here is a thought.

What is user-centric identity?  It is not a thing, it is a process.  In the digital world, user-owned identity is simply self-asserted and of inconsequential value.  For an identity to have value, its characteristics (attributes) must be attested to by third parties.  These third parties must have credibility either from their legal founding (such as credit card companies, my employer) or from the sheer number of consistent independent attestations (reputation systems).  The fact that I own any aspect of my digital identity is a myth.  User-centric identity is about controlling the distribution of that information.

Digital identities that I *truly* own are simple avatars that have no value beyond fantasy.

Mike


“MY” Identity and the Identity Tiers

July 6, 2006

I have been mulling Doc Searls’ discussion of Independent Identity (http://www.itgarage.com/node/768#comment), including Andre Durand’s 3-tiers of identity.

Let’s start with Andre’s 3-tiers:

  • “T1 identities are both timeless & unconditional. They are your true personal digital identity and are owned and controlled entirely by you, for your sole benefit.”

I read this and ask – what is my “true personal” identity?  Is it who I really am as opposed to some avatar?  I don’t think who I REALLY am has a digital manifestation.  Is it attributes that I own?  Or attributes that I have asserted?

What attributes about me do I actually own?  My name? – Not really, I can assert my name but it has no real significance unless attested to by some authoritative 3rd party.  I cannot even change my name without a court filing.  So what of my name do I own?  Are there aspects of my digital identity that I do own?  I am leaning toward nothing of any significance.  I own, can assert, can prove, and can change of my own volition only things like hair color, weight, dress, behavior, etc.  Some things I own but cannot change (at least easily) are my many biometrics.  But who cares?  What can I do with these?  To do anything connected back to the real world requires some kind of T2 identity.  Any legitimate T1 identity you have seems to be a simple collection of “authenticator” attributes.  They provide identification, but not identity (a Phil Becker concept).

  • “Tier 2 is Assigned (Corporate): one given to you by some silo. Every card in our wallets, other than our business cards, are these.”

Tier 2 identity is where the action is.  These are the identities that actually have meaning to connect the digital world to the real world (i.e. – doing business).  These identities might not have been given to you by the corporation, but they are in some way controlled by a legal institution, not you.  As I pointed out above this even includes your name.  It certainly includes those things in our wallet that Andre pointed out.  Why do we carry a wallet – to do business like buy things, drive a car, get on an airplane.  I would even claim that our business cards (excluding the self-employed) are not ours to own and control. 

I think what distinguishes the meaningful T1 from T2 is a potentially vague temporal difference in the tie to a 3rd party.  Also I would claim T1 identity that many would say is “MINE” only has real value when attested to by an authoritative 3rd party.  Again, what my name is without the driver’s license to back it up does not carry much weight.  If I classify T1 identity as authenticator attributes then T2 are the “authorizer” attributes.

  • “Tier 3 is Abstracted (Marketing) and applies to those conditions where some company knows, say, your name and address, but nothing besides that, which doesn’t stop them from spamming you with junk mail.”

I don’t think I am interested in this space, possibly other than to wish it went away. 

I think there is another view of this.  T1 identity only has meaning when connected to reputation.  There are no other attributes that I would care about because I have no assurance they are true.  However if I can authenticate an identity is associated with a known reputation I can make business/commerce decisions.  This is the path that I think the social discussions are following.  However, I am thinking that in the personal world T1 identity without reputation has little if any value.  In the business world T1 identity even with reputation has little value, it is all about T2. 

So now what does Doc mean when he says MY identity?  I have previously said I believe identity is simply a collection of attributes about a subject in a context.  That seems to be contrary to Doc’s definition of MY identity.  Given that Doc’s a smart guy (that reputation thing), does he mean MY identity is about me having control, management, distribution rights, to the various collections of identity and associated attributes where I am the subject in any context?  I would presume this is independent of who owns, asserts, or is authoritative for any given attribute.  Because, in the pure sense I have no digital identity that is MY identity – even reputation is bestowed by others.

Mike


Identification and Identity

July 4, 2006

I have recently been following a discussion among Phil Becker, Eric Norman, and Luke Razzell.  The discussion was primarily around identification vs. identity with a little trust thrown in.  I just contributed my $.02 to the pot and post it here for posterity. 

Identification – As Phil says the act of identifying a subject, but not the same as identity.  I believe identification and authentication are synonymous.  The identification/authentication act is the act of establishing the subject with some level of confidence that can range from zero to high.  Involved in this identification act can be things like “I remember your face”, “I see your driver’s license”, “You have provided a secret that likely others would not know” (yea, yea we could write books here).  To me this is important, but not particularly useful without identity. 

Assurance – I mention this next because it is directly related to identification.  I think it is the degree of confidence that the identification event does in fact establish the subject.  “Because I say so” is low assurance.  Facial recognition (not the computer kind, but the “I know you, I see you every day” kind) is reasonably high assurance.  There are any number of assurance variations that might increase my confidence that you are who you say you are including passwords, biometrics, tokens, etc. 

Identity – I struggle to find complexity in this one.  I claim it is a collection of attributes about a subject in a context. As a corporate employee I have a set of attributes.  In this case these attributes are most likely asserted by the corporation, provided in a way the corporation can, with an acceptable degree of assurance, connect them to my identification.  As a human being I may have several other “identities” that represent me (or a collection of people/things) in different contexts.  This is an area I am regularly challenged in – many perceive identity is “who I am”.  For any number of reasons, both legitimate or otherwise, I have avatars.  Even within the corporate world I have legitimate business reasons for multiple “personae/avatars”.  Bottom line, I don’t see identity as a complicated thing to understand. 

Relationship – This is a popular word in these discussions.  I understand what relationships are in the social world, but I don’t yet have a clear understanding of the instantiation in the digital world. 

Trust – Ah, now if you want complication here you go.  I think there are 2 kinds of trust.  There is the one I live with every day in the corporate world and there is the more social-based trust.  I agree the more interesting is the social-based trust that gets into reputation and the like.  However I think the corporate world is still struggling with the more mundane “legal” trust.  While at the recent Identity Mashup in Boston Christine Varney shared a definition of trust that resonated with me (again from a corporate perspective).  That is:  security, privacy, authenticity and reliability, recourse and liability.  I felt this covered the landscape well – I am sure the attorneys will quickly latch on to this in the next couple of years.  Trust at a corporate level is a challenge and we are still working through this with the vision of moving to the next plateau of “federation”.

When considering trust from the social perspective, I think the references to Bob Blakley’s talk at Catalyst 2006 hit the mark.  This is where reputation comes into the picture.  As individuals we are not caught up in the legal aspects, we are interested at a much more primal level. Can we interact, can I trust you, will we have a win-win.  In the end I think this is the much harder “trust” to develop and in the Internet age it is really all about reputation.

Mike