Microsoft have just published an excellent paper by Kim Cameron discussing the characteristics of an “identity metasystem” which must evolve if we are to have proper trust in the Internet and interactions which take place through it.
The paper is also available from the Identity Blog.
The paper’s thrust is that we need to develop a unifying set of identity-related technologies, but that these must observe certain key “laws”, and must accommodate varying technologies and requirements, much as unifying APIs provide access to a variety of hardware technologies.
I started thinking about the most common form of digital identity at the moment, the email address. It can be used in accordance with many of the laws. I can (usually) control when I release it. I can have different identities in different contexts, and choose which one to disclose. The identity is verifiable (to a limited extent) – someone can send me mail to check my address is valid. A variety of service providers and technologies are supported.
The big problem with email, of course, is that I can’t usually verify that an email is from the claimed sender. For example, my spam whitelist admits email apparently from microsoft.com, but some of these emails are offers of dodgy mortgages and promises of increased manhood, obviously not from the claimed source!
As a result, I wonder whether there is a missing “law of identity”. I need to be able to verify a claimed identity by methods I trust. I’d express the law something like “A party must be able to validate any identity claim, particularly its ownership, by reference (directly or indirectly) to resources he or she trusts.” This is implied in the current laws, but might be important enough to promote to a law in its own right.
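To make the proposed law concrete, here is an added example (not from this post or from Kim Cameron’s paper) contrasting the whitelist described above, which trusts whatever domain the From header claims, with a policy that validates the claim against a resource the recipient trusts. The “trusted resource” is a hypothetical directory of per-domain verification keys; the message data, addresses and keys are all constructed. HMAC is used purely so the example runs on the Python standard library and stands in for the asymmetric signature a real scheme would use (one where the domain owner publishes only a public key).

```python
import hmac
import hashlib

# Constructed sample data: none of these addresses, keys or messages are real.
TRUSTED_DOMAINS = {"microsoft.com"}

# Hypothetical "trusted resource": a directory mapping a sender domain to the
# verification key its owner has published. A real deployment would publish an
# asymmetric public key somewhere the recipient trusts; HMAC is used here only
# so the example runs on the standard library, which means the verifier also
# holds the signing key (a simplification, not a recommended design).
KEY_DIRECTORY = {
    "microsoft.com": b"constructed-example-key-for-microsoft.com",
}


def claimed_domain(msg: dict) -> str:
    """Domain the message *claims* to come from (the part after '@' in From)."""
    return msg["from"].rsplit("@", 1)[-1].lower()


def canonical_bytes(msg: dict) -> bytes:
    """The fields the signature covers: From, Subject and body."""
    return "\n".join([msg["from"], msg["subject"], msg["body"]]).encode("utf-8")


def sign_message(msg: dict, key: bytes) -> dict:
    """Return a copy of msg carrying a signature made with `key`."""
    tag = hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()
    return {**msg, "signature": tag}


def naive_whitelist_accepts(msg: dict) -> bool:
    """The whitelist from the post: trusts the claimed From domain as-is."""
    return claimed_domain(msg) in TRUSTED_DOMAINS


def verified_whitelist_accepts(msg: dict) -> bool:
    """Accept only when the From claim is backed by a signature that checks out
    against the key the trusted directory holds for that domain."""
    domain = claimed_domain(msg)
    if domain not in TRUSTED_DOMAINS:
        return False
    key = KEY_DIRECTORY.get(domain)
    sig = msg.get("signature")
    if key is None or not sig:
        return False  # the claim cannot be validated, so treat it as unverified
    expected = hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


# A message that really originates from the domain and is signed with its key.
GENUINE = sign_message(
    {"from": "updates@microsoft.com", "subject": "Security bulletin",
     "body": "A new patch is available."},
    KEY_DIRECTORY["microsoft.com"],
)

# A message that merely claims the domain in From and carries no signature.
SPOOFED_UNSIGNED = {"from": "offers@microsoft.com",
                    "subject": "Great mortgage rates", "body": "Act now!"}

# A message that claims the domain but is signed with a key the directory
# does not hold for it.
SPOOFED_WRONG_KEY = sign_message(
    {"from": "offers@microsoft.com", "subject": "Great mortgage rates",
     "body": "Act now!"},
    b"constructed-key-nobody-published",
)

# The genuine message with its body altered after signing.
TAMPERED = {**GENUINE, "body": "Please send your password."}


def triage(messages: dict) -> dict:
    """Run both policies over a name -> message mapping and report the verdicts."""
    return {name: {"naive": naive_whitelist_accepts(m),
                   "verified": verified_whitelist_accepts(m)}
            for name, m in messages.items()}


if __name__ == "__main__":
    samples = {"genuine": GENUINE, "spoofed_unsigned": SPOOFED_UNSIGNED,
               "spoofed_wrong_key": SPOOFED_WRONG_KEY, "tampered": TAMPERED}
    for name, verdict in triage(samples).items():
        print(f"{name:18} naive={verdict['naive']!s:5} verified={verdict['verified']}")
```

Run as a script, the naive policy admits all four constructed messages because each claims a trusted domain, while the verifying policy admits only the genuine one: the unsigned and wrongly-keyed messages fail because their claim cannot be tied back to anything in the directory, and the tampered one fails because the signature no longer matches the content. That is the gap between “the identity is claimed” and “the claim is validated by reference to a resource I trust” that the proposed law is about.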