Author’s note: this is not a white paper. This is an opinion-piece, possibly a polemic. In it I expound what I believe rather than making an argument for you to believe it too; however if through it you arrive at a technical question or desire clarification, then please leave a comment using the tool provided. Also, there are footnotes annotated in square brackets. They are worth reading as you go along. Once I have had more coffee I’ll get round to making them into hyperlinks. Sorry.
This posting began as a standalone article to describe my tussle with “Identity” in all its various forms, however it has evolved into a companion piece to Adriana’s musings on identity – not only because upon reading her posting I found us using like words and like metaphors to much the same conclusion, but also doubtless because it was she who singlehandedly provided me an alternative to a world without (or with much-reduced) “Big I” Identity.
However I wish to spell out my beliefs rather more bluntly, so here we go:
I believe that Identity is bunk.
I believe that the technologies of Identity are founded upon and perpetuate an outdated model of a passive user who lacks both the critical authority and the ability to participate in an authentication transaction, and further I submit that Identity’s commitment to this model inhibits its further evolution in the modern era.
…but before continuing I want to address a few potential misconstructions to aid later clarity – so for contrast I shall begin by listing a selection of identity-related topics which are emphatically not bunk:
- identity theft
- I have written about Identity Theft at length elsewhere, and although I still maintain the viewpoint that identity theft is straightforward fraud more than anything novel, I cannot deny that it occurs or that it is a serious matter.
- identity management
- I have a former BOFH sysadmin’s view of Identity Management, which means that of course I am going to welcome any set of tools which (a) permit me to unify my users’ authentication mechanisms into a homogeneous solution and (b) allow me to effect bans, lockouts or password changes on 30,000 machines at the same time. To deny the utility of this would be insane.
- the act of establishing rights or privileges to access resources is one of the most fundamental (and common) actions to occur within a computer network.
- strong authentication
- one-time passwords, authentication tokens, javacards, sunray cards, stuff to authenticate more strongly (ie: definitely) to my network? Sure, “bring it on”.
- single sign-on
- see the section on “strong authentication”, in fact see all of what I have written above. Within a security domain it’s a wonderful thing to not have to keep typing-in your password to authenticate separately to Mail, Calendar, Web and database. It’s a neat trick if you can do it.
I consider all of the above to be perfectly decent, supposedly identity-related matters; where I diverge is in the field that I refer to as “Big I” Identity.
So What Is “Big I” Identity?
“Big I” Identity – let’s just call it “Identity” from now on, so that I don’t go mad spelling it out each time – is the umbrella term I use to describe processes and identity enabling technologies such as:
- Digital Identity
- Cross-domain Federated Identity
- Identity 2.0
- Identity Metasystems
- …and an entire dumpster-load of other projects, toys, tools, XML standards, etc, all borne of the mindset which led to the above
Identity exponents paint a future in which your identity is a digital puppet – or possibly a hive-mind of several – living in a studio flat in cyberspace, buying goods, paying taxes and dealing with the other bureaucracies of life on your behalf, able to transact within cyberspace because your puppet has been certified into existence by some higher authority – most likely after payment of some real-world money.
In some ways the model is very like “Second Life”:
- You pay for your Identity avatar to continue to exist, so it may transact for you, and it will continue to exist only for as long as you pay for it.
- You imbue it with some of your personal qualities.
- You manage it awkwardly via remote control.
- And you likely wish it was somehow also portable into “World of Warcraft” and “Everquest”, or vice versa – a process of federation.
A moment’s consideration of the above will reveal a fundamental concern of mine: your Second Life avatar only exists with the permission of Linden Labs, and its future is bound to theirs.
Similarly: if your identity exists at the whim of another organisation, then it is not under your control and could cease to exist without your approval.
That would be a bad thing.
But before going further with that matter, I want to rhetorically ask:
Why Pursue Identity At All?
Our culture – our biology – seems geared for use of certificates to gain access to resources: having the “right” scent to enter the anthill, dressing an orphaned lamb in the skin of a dead one so that the latter’s mother will feed it… these demonstrate that nature has some grasp of authentication for a service, even if sometimes it implements weak authentication – e.g. a cuckoo’s egg in a reed-warbler’s nest.
What happens next is (I believe) unique to humans: we conflate “authentication” with an abstract concept of “identity”, and thence indirect from that to “authorisation” – so that somehow your state of mind, your beliefs, learnings, and capabilities can be captured, documented and carried-about as a certificate.
To be technical for a moment, traditionally speaking:
- authentication is the act of proving your “identity”
- a certificate documents an authorisation in an authoritative manner
- the process of authorisation provably binds an “identity” to the permission or ability to use or access a privileged resource
…or as otherwise experienced with a Norwegian police officer:
- “Yes Officer, my name’s Alec Muffett. Here’s my Passport.” (authentication)
- “Yes I am permitted to drive a motorcycle, here’s my license.” (certificate)
- “Feel free to check the license, it’s got the hologram, etc.” (authorisation)
- “The freeway speed limit is 50 km/h? You have got to be joking…” (negotiation)
…so when demanded by one authority (Norwegian Police) I am required to show two verifiable / hard to forge certificates: one linking the abstract concept of “Alec Muffett” to the actual human-being in front of him, and the other linking the abstract concept of “Alec Muffett” with the privilege of riding a motorcycle in the United Kingdom.
In passing, note that Norway’s recognition of the UK’s motorbike test is some manner of cross-domain federation.
The abstract concept known as “Alec Muffett” is my identity.
The UK Government understands “Alec Muffett” as the identity of a person who in 2001 passed the UK motorbike test thereby granting “Alec Muffett” the privilege of riding a motorbike on the UK’s roads – but although congruent, the identity of “Alec Muffett” is not equal to the six-foot-four hominid commonly associated with the name and who is typing this posting; instead it’s more a cloud of “claims” (either explicit or implicit) which are associated with the latter.
Claims are, for instance:
- Explicit: Alec Muffett is male
- Explicit: Alec Muffett passed a UK Motorcycle Riding test in 2001
- Explicit: Alec Muffett was born in 1968
- Implicit: Alec Muffett is old enough to buy alcohol in the state of California
(since he was born in 1968 and thus is older than 21)
It would be really bad if we had to go around carrying certificates to authorise us for each and every one of the claims which dominate our lives. The cloud of explicit claims about Alec Muffett is large; the cloud of implicit ones is much larger, because an implicit claim derives from the context of someone seeking to verify the claim (eg: a Californian bartender) – and there are a near infinite number of potential contexts in the universe.
However, in the real world, carrying physical certificates seems to be what biology has predisposed us towards.
What happens when we move our identities “online”? What happens is that folk try to replicate the authorise-via-trusted-certificate model of access control; and then they fret about the management issues regarding having done so.
Why do they do this, and why do they fret?
To move back to the Norwegian police analogy above: rather than resorting to credentials and identity to prove my ability to ride a motorcycle to a police officer, why not appeal to the officer’s ability to observe that:
- I am demonstrably riding a motorcycle now.
- He has observed me riding it for a few miles.
- I would be perfectly happy to undertake a small test, there and then.
In short: why could the police officer not observe me, develop a relationship with me, and from that satisfy himself of my capabilities?
If instead of being observed for a couple of miles once-off by a police officer, what if he knew me from the local motorcycling club? Wouldn’t having that relationship shortcut questions about my authorisation to ride a motorcycle – and shortcut invocation of a whole heap of paperwork and certificates, unless I was actually being booked?
The answer is obviously “it doesn’t work like that in the real world – relationships don’t scale in the real world”.
Yes, of course, but why should it not work like that in cyberspace? Because relationships do scale in cyberspace.
So What Am I Saying About Authorisation?
I am saying that authorisation need not be linked to an identity when it can be linked to a relationship with an entity, instead.
Anyone who has heard me speak at length about security in the past ten years or so, will have heard me utter something like:
Amazon really don’t care who you are in respect of your drivers license. They likely don’t care what your passport number is either, or who the government say you are. What they really care about is that the person placing an order today is the same person who placed an order last month, and the month before, and that each time before the person paid.
I submit that the frippery of Identity – that whole circus of indirection from me to a identity, from that identity to some authorisations, contains a potentially unnecessary step, one that can sometimes (perhaps frequently) be circumvented by maintaining a relationship with the entity to which you might otherwise have to authenticate.
The next step is simple: create a tool that maintains a person’s relationships with third parties, but puts them under his or her own control.
A Different Way To Approach Authentication
To recap the above: traditionally there are three tines of authentication – three things you assert to prove your right to access a resource:
- something you have
- something you know
- something you are
eg: you have a key to a door, you know the password, you are the General in uniform or the appropriately-coloured cuckoo’s egg in a reed-warbler’s nest.
(Author’s note: at this point, if you’ve not read it already, please go read footnote  – you’ll need the background in a moment)
All of the above are predicated on the notion of need for repeated authentication – you use your door-key daily, your password likewise, you check your eggs each time you return to the nest.
But here’s a new spin on “something you are” – what if instead of checking the shape and colour of the eggs each time we return to the nest, instead what if we just watched the eggs, ever vigilant and unblinking, all the way from laying to hatching?
What if the reed-warbler was able to stretch its attentions beyond all conceivable bounds and move from weak authentication of the form:
You ARE an egg of the correct shape and colour
…to a more radical strong authentication of:
You ARE the specific egg that was laid, and I can guarantee that fact because I have never ceased to watch you since the time you were laid
In short, what if you had a relationship with your eggs, and could stretch that initial relationship (egg laying) through to conclusion (hatching) without any interruption?
If you were capable of doing that, you would have invented a new style of authentication – “relationship based authentication” – that requires no external parties or authorities to function.
And, interestingly, it would be a form of “single sign-on”.
The Third Form Of Single Sign-On
Eve Maler and Drummond Reed recently published The Venn Of Identity in IEEE Security and Privacy magazine, and it serves as an excellent introduction to a lot of the thinking, terminology, concerns, and perhaps some of the fads of the Identity community.
For me, the critical section is headed “Overview: Federated Identity Model” on page 17, in which it defines terms like “user”, “user-agent”, “identity provider” (IdP) and “service provider” (SP), and goes on to describe how “Single Sign-On” comes in two flavours:
- SP-initiated Single Sign-On
- Alice wants to buy something online; the vendor (SP) authenticates Alice by contacting a higher authority (her IdP; compare with Norwegian validation of a UK driving license, above)
- IdP-initiated Single Sign-On
- Alice wants to buy something online; she connects to her IdP which provides pre-authenticated channels to other vendors from whom she can buy.
My question is: Where is the third party in all this? Why has the user no authority or involvement?
Where is “User-initiated Single Sign-On”?
Where is my ability to talk to a vendor and for them to have surety that I am me (and for me to be sure that they are themselves) by virtue of the fact that I am the same person who has been dealing with them for several years?
This also brings me back to my fundamental issue with “Big I” Identity, viz: that the Identity universe is currently predicated upon ignoring the most important person in an authentication transaction: the user.
In Identity-land, the user is considered passive and non-authoritative – the papers and protocols all pay lipservice to the need for “self-asserted claims” – letting a person describe themselves authoritatively – but answers to heavy-hitting questions like:
- Is this person old enough to buy booze?
- Is this person permitted to ride a motorcycle?
…are all still dealt with using cyberspace metaphors of the old driving-license-certified-by-authority model.
However, as I’ve outlined above, that is not the only way.
On the web we have an additional way to authenticate – via ongoing relationship; technologies that can implement this are already well-used and well-understood; any network engineer can explain how to use TCP to establish a reliable connection between two nodes albeit layered atop an unreliable datagram connection. All we need in order to establish a reliable relationship is to stretch the communications mechanism out over time rather than distance – like a warbler watching its eggs rather than riskily re-authenticating them time and again.
You sign-on with a vendor, once. A single time. You can bootstrap that into authenticating all future communications.
This provides “User-initiated single sign-on”.
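The sign-on-once-then-bootstrap idea above, as an added example (not code from this post): a user and a vendor share one secret at first sign-on and thereafter authenticate every message by continuity, ratcheting the key forward on both sides, so that a replayed message or a forked chain is noticed rather than silently accepted. It assumes the initial secret reaches both parties over some channel they already trust, and the names `Party`, `sign_on` and `demo` are my own.

```python
"""Relationship-based authentication: sign on once, then authenticate
every later message by continuity rather than by an external authority.

Added illustration, not code from the original post. Assumption: the
first sign-on delivers a random secret over an initial channel the two
parties trust (left abstract here); both sides then ratchet the key
forward with a one-way function after each authenticated message.
"""
import hashlib
import hmac
import secrets


def ratchet(key: bytes) -> bytes:
    """One-way step to the next relationship key. An old key cannot be
    recovered from the new one, so a later compromise does not expose
    earlier traffic."""
    return hmac.new(key, b"ratchet", hashlib.sha256).digest()


def mac(key: bytes, step: int, payload: bytes) -> bytes:
    """The tag binds the payload to the step number, so a message is only
    valid at one position in the chain."""
    return hmac.new(key, step.to_bytes(8, "big") + payload, hashlib.sha256).digest()


class Party:
    def __init__(self, name: str) -> None:
        self.name = name
        self.key = b""
        self.step = 0
        self.broken = False  # set once continuity has been lost

    def send(self, payload: bytes) -> tuple:
        """Authenticate a message under the current key, then move on."""
        msg = (self.step, payload, mac(self.key, self.step, payload))
        self.key, self.step = ratchet(self.key), self.step + 1
        return msg

    def receive(self, msg: tuple) -> bool:
        """Accept only a message at exactly the expected step, tagged with
        the key that only a peer who never left the chain could hold."""
        step, payload, tag = msg
        ok = (step == self.step
              and hmac.compare_digest(tag, mac(self.key, step, payload)))
        if not ok:
            self.broken = True  # a gap or fork in the relationship
            return False
        self.key, self.step = ratchet(self.key), self.step + 1
        return True


def sign_on(user: Party, vendor: Party) -> None:
    """The single sign-on: one shared secret, established once."""
    secret = secrets.token_bytes(32)  # assumed delivered safely, once
    for p in (user, vendor):
        p.key, p.step, p.broken = secret, 0, False


def demo() -> dict:
    """Three scenarios; returns the outcomes so they can be checked."""
    out = {}

    # 1. Ordinary history: monthly orders, each authenticated by continuity.
    alice, shop = Party("alice"), Party("shop")
    sign_on(alice, shop)
    out["orders"] = [shop.receive(alice.send(b"order %d" % i)) for i in range(3)]

    # 2. Replay: a captured earlier message no longer fits the chain.
    captured = alice.send(b"order 3")
    shop.receive(captured)
    out["replay"] = shop.receive(captured)
    out["replay_flagged"] = shop.broken

    # 3. Key theft: someone who copied alice's key at one moment and sent a
    #    message in her name forks the chain; alice's next genuine message
    #    is then rejected, so the break becomes visible instead of silent.
    alice, shop = Party("alice"), Party("shop")
    sign_on(alice, shop)
    thief = Party("thief")
    thief.key, thief.step = alice.key, alice.step  # copied state
    out["thief_accepted"] = shop.receive(thief.send(b"order 0"))
    out["genuine_after_theft"] = shop.receive(alice.send(b"order 0"))
    out["theft_detected"] = shop.broken
    return out
```

The third scenario is the honest limit of the scheme: a copied current key is indistinguishable at the moment it is used, and what the relationship buys you is that the divergence surfaces on the very next genuine contact.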
Identity: Your Part In Somebody Else’s Goldmine
Way back in 2001 some chap at Microsoft came up with a really brilliant idea – everyone in the world could have a free Hotmail account, and could use that e-mail address as an identifier to log into all of the e-commerce sites in the world, the latter being able to query Microsoft (now an Identity Provider, IdP) to prove whom it was that was trying to buy stuff.
PressPass: How widely does Microsoft expect this federation to be adopted?
Payne: We strongly believe that a universal authentication model is extremely valuable to virtually every business. Over time we expect that this interoperability will become as important and ubiquitous as interoperability of e-mail is today. So, I guess you could say we expect adoption to be very strong. Large business and corporations are especially interested in ways in which they can unite their divergent worlds of authentication within their own company’s networks. They also want to [be] enabling users [to] navigate inside the company’s firewall with just one authentication and a single sign-in. Or when they need to visit the site or services of a trusted, third-party vendor, supplier or customer. For instance, imagine how easy an employee will find it to have just one password and ID that they can use securely when visiting their company’s HR benefits page, then leave the internal site to visit their company’s travel-services site — even though that site is run by an external vendor.
The rest of the world threw rocks at the idea: your Hotmail account would become the “mark of the beast”, you would not be able to transact without it, Microsoft would hold a treasure trove of information about you, what if Microsoft crashed, the world would not be able to transact… and thus was the Liberty Alliance born, an organisation to challenge the threat from Passport and provide an alternative:
The Liberty Alliance was formed in 2001 by approximately 30 organizations to establish open standards, guidelines and best practices for federated identity management. The Liberty Alliance met this goal with the release of Liberty Federation in 2002, the industry standard for successfully addressing the many authentication, privacy and security challenges surrounding online identity management. Deployed by organizations around the world, Liberty Federation allows consumers and users of Internet-based services and e-commerce applications to authenticate and sign-on to a network or domain once from any device and then visit or take part in services from multiple Web sites. This federated approach does not require the user to reauthenticate and can support privacy controls established by the user.
Now here’s the funny thing: the Identity model back in 2001 was very authority-centric, and with some validity (at the time) assumed that the user – beyond use of passwords, etc – was incapable of participating in an authentication process, incapable of making authoritative statements about themselves, and incapable of transacting on the web on their own terms.
The model has not evolved since that time; but the world has moved immensely.
As I write in 2008 some one million, perhaps nearly two million people carry BSD/Unix servers in their pockets – they are called iPhones – and the world’s populace are gradually moving online 24×7; those who don’t yet have Apache running on their phones have hosted servers, blogs, wikis, e-mail accounts…
So the key realisation missing from Identity today is that there is the potential for three equal parties to participate in a transaction – the User, the Service Provider (e.g. vendor) and the Identity Provider.
Or even, as described above, we can drop the IdP out of the loop for some purposes; and the User will take back physical possession of their own data, and perforce will become authoritative regarding their own data, and will be able to project control over their own data.
“Big I” Identity In The Large
Summing up what has been discussed so far:
1) Identity is predicated on an old model of the disempowered user – dating from the Microsoft Passport era of 2001, if not before – and little if any thought seems to be given to the potential for active, even leading participation of a User and his or her iPhone in the authentication process.
2) Following from the above, where the old world of Identity focused upon the importance of third-parties making authoritative statements about someone, a new zeitgeist could concentrate upon people taking charge of their own data, and becoming the definitive source of claims about themselves in the process.
3) And from that, the role of Authority in Identity will fade somewhat.
Adriana describes it most clearly:
In the offline world identity is really third-party driven, to put it crudely, we are what our papers say we are. Your birth certificate attests to your date of birth, your utility bills to your residence, your diploma to your education etc etc. It has been so because our identity management has had several fundamental features – it is centralised, system-centric and it is read-only. We are used to deriving our authority and credibility from a system that grants and confirms it. It is important that we can do that as the only way we can transact in a hierarchical environment is via authorisation from the level above us. (a definition of hierarchy is that in order to interact with somebody on the same level I have to go via a superior level).
Whatever the web turns out to be, it is not a hierarchy. It is a network, i.e. a heterarchy, a network of elements in which each element shares the same “horizontal” position of power and authority, each playing a theoretically equal role. This has impact on how my identity is defined and who defines it. From blogs to social network profiles, people are learning how to define their thoughts and ideas, record their lives in multimedia formats, share their experiences, swarm around causes and defy companies, institutions and authorities. From linky love to P2P, they are bypassing traditional media and distribution channels, learning the ways of direct connections.
People online build and destroy reputations, create and squander careers, establish themselves as experts or celebrities. That’s the bird’s-eye view. The closer look reveals emergence of self-defined (and self-driven) identities. By writing I learn to articulate my thoughts better, by sharing I learn to differentiate from, as well as identify with, others. I become aware of myself and my preferences in ways that in the times before the web were available to a select few – writers, artists, politicians and the more articulate celebrities. We have ways of connecting with others who become validators and authenticators of our self-defined and persistent identities. The challenge is to understand and find how to evolve and use those for other than communication and information transactions.
When attending Identity conferences I encounter startup after startup whose concept of “enabling user-centric Identity” is to reinvent Microsoft Passport in the small; they all promise that you can give them your personal data – and maybe some money – and they will manage your data (your “identity”) securely on your behalf, somehow giving you added value in the process.
There’s even a software project out there now, again predicated on the Identity notion that you are neither fit nor capable to look after your own data, nor are you capable of being an authoritative and accessible resource for the same – but you may be permitted a pretty interface to manage your own data, when held on someone else’s website.
So that’s what Identity’s definition of “user-centric identity” is all about; for a second time (and in a separate posting) Adriana hits the nail on the head:
User-centric says – “we are going to build a system, put the user in the centre instead of the system”. So far, so good, but this sits uncomfortably with me as a user especially as one that is used to the online tools that have changed many an old way. The tools – blogs, wikis, feeds and feed readers, BitTorrent, Flickr, Dopplr, Twitter etc – are revolutionary not just because of their functionality, bits of code or their interface, but their design for usefulness, their modularity and constant evolution. There is an element of open-endedness in their design, either accidental or deliberate, recognising that the designers cannot foresee all the uses to which people will put the tools. The simplicity is the key, the complexity coming from usage rather than the design. In other words, they are user-driven.
And that’s where I think we’re going, and I don’t think there is any way of stopping it, even if I wanted to. The web is creating this enormous mass of user-capability, and the sheer gravity will drag us all sideways into a world of user-driven identity.
So what happens to “Big I” Identity?
It won’t die, but identity will have to adapt to the user’s definition.
ps: I am not here going to investigate ideas like transitive-trust as applied to User-initiated Single Sign-On – e.g. that the fact I have a relationship with one party could be used to help me establish a separate relationship with another party; to discuss this would be re-opening notions of federation which I am trying to get away from.
The new user-defined-identity space will be based upon having multiple independent relationships – not some form of corporate-enabled polyamory.
pps: (UPDATE) I am also here not going to get into the weirdness of Identity wherein the goal is to centralise your personal information to make management of it convenient, and then expend phenomenal amounts of brainpower implementing limited-disclosure mechanisms and other mathematica, in order to re-constrain the amount of information that is shared; e.g. “prove you are old enough to buy booze without disclosing how old you are”. Why consolidate the information in the first place, if it’s gonna be more work to keep it secret henceforth? It’s enough to drive you round the twist, but it’ll have to wait for a separate rant.
 There is no footnote #1.
For starters, there are at least as many contexts as there are pubs.
 Oddly enough, it works exactly like this for drink-driving – in a drink-driving scenario it is assumed that although you may have passed a test at some point in the past, the issue at hand is whether you are capable of driving a vehicle at this precise moment in time. Hence all the “can you walk in a straight line, are your reactions impaired” stuff.
Over (several) drinks recently, Ben Laurie amusingly cited to me someone who described these rather more accurately as “Something you had, Something you forgot, Something you were” – but alas I forgot which wit came up with that.
 The Cuckoo lays eggs parasitically; it finds the nest of one of the host species (typically containing 3..4 eggs) and removes a single egg laying one of its own as a replacement. The surrogate parents do not spot the impostor because the total egg-count is the same, and Cuckoo eggs may be somewhat larger than but have similar colouration to the original eggs. The surrogates brood all the eggs, however the Cuckoo chick hatches early and pushes all other eggs/chicks out of the nest so that there is no competition for resources. The surrogates feed the solitary cuckoo chick, until it fledges. This is clearly a case of identity theft, fraud, and security failure due to weak authentication.
 I have heard too many times, statements such as “Governments won’t accept self-asserted claims – for information like my home address – without some third party’s certificate that attests to the accuracy of that data”; somehow the people who tell me this ignore that every time I use a pen to fill-in my address on a tax return, let alone on a DVLA web-form, I am making a self-asserted claim with which the tax office seem perfectly content…
I have nothing against federation within a security domain, eg: if one company merges with another, then it’s nice to have tools which permit hybridisation of the two user-bases without pain; see the BOFH/sysadmin comment in the introduction. However I draw a mental line between that, versus using my DVLA driver identification number to authenticate my purchase of beer from Amazon, or whatever…