Monday, May 29, 2006

Notes on Laws of Identity (Part 3)

It's been a while, but I'm going to work on finishing unfinished business...

  • The definition laid out thus far is flexible enough to cover all the known digital identity systems, allowing for the emergence of a metasystem embracing multiple implementations/ways of doing things.
  • The usefulness of a claim is not inherent in the claim itself, but lies in its evaluation/decision by the relying party.

The Laws (finally...):

1. User Control and Consent: Technical identity systems must only reveal information identifying a user with the user's consent. The system should also protect the user against deception, verifying the identity of any parties who ask for information, ensuring submitted information goes to the right place, and informing the user of the reason for which the information is requested.

2. Minimal Disclosure for a Constrained Use: To mitigate risk, the solution should release the least amount of identifying information possible. This ensures that there is less chance of identifying a person across multiple contexts.

3. Justifiable Parties: Information is only disclosed to those parties that have a "justifiable" place in the identity transaction. Although what exactly qualifies as "justifiable" is open to interpretation, this law does provide for a transparent transaction.
