URL-based Identity and the Fourth Law of Identity
It's a fairly long piece and they cover a good amount of ground. Have a listen if you're into digital identity. In the roundtable, several points or assertions were made that bear further discussion.
The first issue is unidirectional versus omni-directional identity. Kim and Microsoft published a whitepaper a while back laying out the “Seven Laws of Identity”. Law #4 is the Law of Directed Identity, and asserts that an identity system should be able to provide a different identifier to each relying party, so as to foil attempts at correlation. That means that to website A I'm known as “X”, and to website B I'm known as “Y”. If they should happen to compare notes, they won't have a basis for determining that X=Y.
In contrast, omni-directional identity uses the same identifier to everyone. The example Kim gave in the podcast was the URL for a blog. That URL is omni-directional – all parties see the same identifier, and know the blog by the same name.
So far so good. Kim went on to suggest, however, that URL-based identifiers were inherently omni-directional, and that this was a design flaw with URL-based identity systems, as they violated the Fourth Law of Identity.
URLs are well suited to unidirectional identity. There's no problem at all in deploying an identity server that issues a different URL for the user to be known by for each different relying party. For example, if I enroll at an identity server “exampleid.com”, it can provide me with an omni-directional ID URL:
http://michaelgraves.exampleid.com
I can delegate another website like my blog to that address if I want, so that:
http://michaelgravesblog.blogspot.com
delegates its identity services to http://michaelgraves.exampleid.com
That's straightforward. URLs have been used as omni-directional identifiers as long as there have been URLs. But exampleid.com can generate any number of URL IDs for me as I need them. For example:
| Relying Party | URL I'm known by |
|---|---|
| amazon.com | |
| bn.com | |
| united.com | |
| scripting.com | |
My identity server knows each of these is me, but no one else does. Each of these can have its own policy and rules about what information and claims it will exchange with the relying party.
At the heart of this is what I believe to be the mistaken idea that URL-based identities are singular, or somehow tied to a blog or a particular web page. That isn't the case. With URL-based identity, I can have as many omni-directional identifiers as I want and as many directed identifiers as I want.
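To make the argument concrete, here is an added worked example (not code from the post or from any real identity server) of an identity server that hands out one omni-directional URL per user plus a distinct directed URL per relying party. The server name `exampleid.com`, the user name, the relying parties and the server secret are all constructed for the example; the per-RP identifier is derived with a keyed hash (HMAC) so that it is stable for a given relying party, but no relying party can compute or compare it with another party's identifier. The `rp_correlation` function plays the part of two relying parties comparing notes.

```python
import hmac
import hashlib


class DirectedIdentityServer:
    """Hypothetical identity server that issues omni-directional and directed URL IDs."""

    def __init__(self, domain, secret):
        self.domain = domain
        self.secret = secret              # constructed: server-side key, never shared with RPs
        self._directed_map = {}           # directed URL -> (username, relying party)
        self._policy = {}                 # directed URL -> set of claims the user allows

    def omni_directional_id(self, username):
        # One identifier that everybody sees, like a blog URL.
        return f"http://{username}.{self.domain}/"

    def directed_id(self, username, relying_party, allowed_claims=()):
        # Deterministic: the same RP always gets the same identifier for this user.
        # Keyed: without the server secret nobody can link it to the user or to other RPs.
        msg = f"{username}\x00{relying_party}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]
        url = f"http://{self.domain}/id/{tag}"
        self._directed_map[url] = (username, relying_party)
        # Each directed identifier carries its own policy about which claims to release.
        self._policy[url] = set(allowed_claims)
        return url

    def resolve(self, url):
        # Only the identity server holds this table, so only it knows the IDs are one person.
        return self._directed_map.get(url)

    def claims_for(self, url, requested_claims):
        # Release only the intersection of what the RP asks for and what the policy allows.
        return sorted(self._policy.get(url, set()) & set(requested_claims))


def rp_correlation(ids_seen_by_rp_a, ids_seen_by_rp_b):
    """What two relying parties get from comparing their identifier lists: the overlap."""
    return set(ids_seen_by_rp_a) & set(ids_seen_by_rp_b)


def demo():
    srv = DirectedIdentityServer("exampleid.com", b"constructed-server-secret")
    user = "michaelgraves"
    omni = srv.omni_directional_id(user)
    # Constructed relying parties, following the table in the post.
    for_amazon = srv.directed_id(user, "amazon.com", allowed_claims={"email", "shipping"})
    for_bn = srv.directed_id(user, "bn.com", allowed_claims={"email"})
    # Two RPs comparing notes find no common identifier.
    overlap = rp_correlation([for_amazon], [for_bn])
    return {
        "omni": omni,
        "amazon": for_amazon,
        "bn": for_bn,
        "overlap": overlap,
        "amazon_claims": srv.claims_for(for_amazon, ["email", "shipping", "phone"]),
        "bn_claims": srv.claims_for(for_bn, ["email", "shipping", "phone"]),
        "resolved": srv.resolve(for_amazon),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The omni-directional URL is the blog-style identifier Kim described; the directed URLs are what the table above lists per relying party. Because the mapping lives only on the identity server, `resolve` works there and nowhere else, while `rp_correlation` returns nothing when two relying parties pool what they have seen.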
Comments
You do need to take some care about how you generate your unidirectional URLs, though. If the R.P.s correlate by identity server, and you're running your own identity server, they're probably going to notice. You would need to be one of many users on a large identity server to be able to hide.
Or is there some way, perhaps through some Tor-like mechanism, to grab anonymous bits of URL space?
Posted by: Kevin Turner | February 6, 2006 01:39 PM
Another point I've seen raised over this is that it increases the need for identity management tools. How do I remember that I always use URL azy990fb with Alice and zx8y17t with Bob? You have to build a tool that keeps track of this somewhere, either client-side (which means you need to carry it with you between terminals and hope you don't lose it) or server-side (which I can't figure out how to do with OpenID or YADIS).
Posted by: Kevin Turner | February 6, 2006 01:51 PM
>
Posted by: m | March 2, 2006 06:52 PM
nice ideas
Posted by: yt | March 2, 2006 06:57 PM