URL-based Identity and the Fourth Law of Identity
It's a fairly long piece and they cover a good amount of ground. Have a listen if you're into digital identity. In the roundtable, several points or assertions were made that bear further discussion.
The first issue is unidirectional and omni-directional identity. Kim and Microsoft published a whitepaper a while back laying out the “Seven Laws of Identity”. Law #4 is the Law of Directed Identity, and asserts that an identity system should be able to provide a different identifier to each relying party, so as to foil attempts at correlation. That means that to website A, I'm known as “X”, and to website B, I'm known as “Y”. If they should happen to compare notes, they won't have a basis for determining that X=Y.
In contrast, omni-directional identity uses the same identifier to everyone. The example Kim gave in the podcast was the URL for a blog. That URL is omni-directional – all parties see the same identifier, and know the blog by the same name.
So far so good. Kim went on to suggest, however, that URL-based identifiers were inherently omni-directional, and that this was a design flaw with URL-based identity systems, as they violated the Fourth Law of Identity.
URLs are well suited to unidirectional identity. There's no problem at all in deploying an identity server that issues a different URL for the user to be known by for each different relying party. For example, if I enroll at an identity server “exampleid.com”, it can provide me with an omni-directional ID URL:
http://michaelgraves.exampleid.com
I can delegate another website, like my blog, to that address if I want, so that:
http://michaelgravesblog.blogspot.com
delegates its identity services to http://michaelgraves.exampleid.com
That's straightforward. URLs have been used as omni-directional identifiers as long as there have been URLs. But exampleid.com can generate any number of URL IDs for me as I need them. For example:
Relying Party | URL I'm known by
------------- | ----------------
amazon.com    |
bn.com        |
united.com    |
scripting.com |
My identity server knows each of these is me, but no one else does. Each of these can have its own policy and rules about what information and claims it will exchange with the relying party.
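The following is an added example, not code from the original post or from any real identity server, showing how a server such as the hypothetical exampleid.com can mint a distinct directed URL per relying party while remaining the only party able to map those URLs back to one user. The user name, relying-party domains, claim values and the derivation scheme (an HMAC over the user/relying-party pair under a server-side secret) are all assumptions made for the example; the per-URL claims policy illustrates the point that each directed identifier can carry its own release rules.

```python
import hashlib
import hmac
import secrets


class DirectedIdentityServer:
    """Toy identity server modelled on the hypothetical 'exampleid.com'.

    It issues one omni-directional URL per user and, on request, a distinct
    directed URL for each relying party. Only the server can map a directed
    URL back to the user, so two relying parties comparing notes hold
    unrelated identifiers.
    """

    def __init__(self, domain="exampleid.com", secret=None):
        self.domain = domain
        # Server-side secret used to derive directed identifiers. A random
        # key per server means nobody outside can recompute the mapping.
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.users = {}      # username -> claims the user enrolled with
        self.directed = {}   # directed URL -> (username, relying party)
        self.policies = {}   # directed URL -> claims this URL may release

    def enroll(self, username, claims):
        """Register a user and return their omni-directional URL."""
        self.users[username] = dict(claims)
        return self.omni_url(username)

    def omni_url(self, username):
        """The single public identifier, e.g. http://michaelgraves.exampleid.com"""
        return f"http://{username}.{self.domain}"

    def directed_url(self, username, relying_party, release=()):
        """Issue (or re-issue) the identifier this user shows to one relying party."""
        if username not in self.users:
            raise KeyError(f"unknown user {username!r}")
        # HMAC over (user, relying party): stable for the same pair, but the
        # value issued for amazon.com reveals nothing about the one for bn.com.
        msg = f"{username}\x00{relying_party}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:24]
        url = f"http://{tag}.{self.domain}"
        self.directed[url] = (username, relying_party)
        self.policies[url] = set(release)
        return url

    def resolve(self, url):
        """Only the identity server can answer 'who is this?'."""
        return self.directed.get(url)

    def claims_for(self, url):
        """Claims the server will hand to the relying party behind this URL."""
        entry = self.directed.get(url)
        if entry is None:
            return {}
        username, _ = entry
        allowed = self.policies[url]
        return {k: v for k, v in self.users[username].items() if k in allowed}


if __name__ == "__main__":
    # Constructed sample data for demonstration only.
    server = DirectedIdentityServer()
    omni = server.enroll("michaelgraves",
                         {"name": "Michael Graves", "email": "mg@example.invalid"})
    amazon = server.directed_url("michaelgraves", "amazon.com", release=("name",))
    bn = server.directed_url("michaelgraves", "bn.com", release=("email",))
    print("omni-directional:", omni)
    print("amazon.com sees: ", amazon, server.claims_for(amazon))
    print("bn.com sees:     ", bn, server.claims_for(bn))
    print("can they correlate?", amazon == bn)
```

The two relying parties receive different host names under exampleid.com and different claim sets; comparing their records yields no basis for concluding the two URLs name the same person, while the server's own table still links both to the enrolled user.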
At the heart of this is what I believe is the mistaken idea that URL-based identities are singular, or somehow tied to a blog or particular web page. That isn't the case. With URL-based identity, I can have as many omni-directional identifiers as I want and as many directed identifiers as I want.
