I'm Bob Artner for TechRepublic, and as we all know, there is a lot of conversation going online right now about authentication, security and the whole question of digital rights and digital access. And Kim Cameron, who is the Identity Architect at Microsoft, has proposed something he calls "The Laws of Identity" as a way for us to think about digital identity, digital identification and authentication, and I'm going to take these seven laws and really compress them but try to give you a sense for what he's talking about. What's his first law?
Basically, it's about consent. He says any digital right scheme or protocol or technology has to have the user's consent at the heart, first and foremost. The user has to consent to that authentication.
Second, it has to be as minimal as possible. In other words, you need to give as little information as possible for that particular transaction that you're doing. If I'm sending an e-mail address to someone, you need to be able to verify that is in fact your e-mail address. But you don't need to give that person your street address, your social security number, your credit cards, your bank information. Some of that information might be required if you're doing e-commerce, but the principle for this law is, provide as little information as is possible under the circumstances.
And the next law is about justifiable access. In other words, if a person is going to be party to this conversation, this authentication, they need to have the need to have it. In other words, if you and I are talking, that's one thing. We couldn't authenticate with each other but do we have to authenticate with some big agency, a big clearinghouse, if the conversation is just between us and this all the time he says no. It's only people who have a real justified need to be involved.
Four, directed identity - this is a little more confusing but what Cameron means here is there's a distinction between uni-directional or public authentication. If I have a website, for example, that's a URL and that URL is public and everyone has access to it and everyone should be able to know who owns that URL and what it's about. On the other hand, my e-mail address is by its nature more private and any conversation that happens between me as an individual to another individual is private and any authentication scheme needs to recognize the difference between those two kinds of things.
Fifth law. You know what, I'm going to put this in red because I think it's really important: pluralism. By this, Cameron means that there isn't going to be a central scheme or central technology or a central clearinghouse. That a real law of identity means that there needs to be multiple ways to do this, multiple partners, multiple technologies that need to work together to reduce the possible power and corrupting influence of a single overriding authentication clearinghouse.
Six, human integration. By this what Cameron means is the fact that our digital authentication involves a person sitting at a computer or in front of a terminal or in front of a mobile phone and we need to understand that there is a relationship between the device and an authentic human. So authentication schemes and technologies have to look at things like phishing and other types of scams and recognize that there's a human/machine interface here that we have to be cognizant of.
What's the last one? I think this one is really important too so I'm going to put this in red also: consistent experience. For doing authentication, for doing digital rights management in many different contexts, the consistent application has to be the same. In other words, if I'm providing information in one context, it needs to look similar, so that I have confidence that, "Oh, yes, this is the authentication part of what's happening now," and it doesn't vary from place to place or from application to application.
So you can see, these are seven laws that are really principles and what Cameron is trying to do is get a framework for how we can talk about this. And I'm not suggesting that he's right in every detail, but I am suggesting he's starting a conversation that I think is really important and all of us should be thinking about.


















