LID and Kim Cameron’s Laws of Identity

I was asked how exactly LID™ relates to Kim Cameron‘s Laws of Identity that have been getting a lot of buzz recently. Here are my thoughts:

The Law of Control

Technical identity systems MUST only reveal information identifying a user with the user’s consent.

LID only reveals information that has been specifically declared, by the LID URL owner, to be either public, or available to a particular client (who may be an other person or a website).

Further, LID gives the user the ability to track which information has been retrieved when by a given site or user, and of course the ability to return different information to different users even if they ask for the same (e.g. cell phone number for a limited set of users, work voice mail for everybody else).

Ergo: LID fully supports this.

The Law of Minimal Disclosure

The solution which discloses the least identifying information is the most stable, long-term solution.

First of all, many LID use cases only require the exchange of a LID URL (which may be a LID pseudonym that cannot be correlated to any other LID URL).

If a scenario requires additional information about the user (Kim’s/Eric’s music preferences example), the site can make a fine-grained query using the LID xpath= expression. The information behind that expression can be secured on a data element-level, leading to the exchange of the smallest amount of information that makes the scenario work.

Ergo: LID fully supports this.

The Law of Fewest Parties

Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

LID does not introduce or require any middlemen of any sort; identity owners interact directly with others (people, sites, …) that require the identifying information.

Ergo: LID fully supports this.

The Law of Directed Identity

A universal identity system MUST support both "omnidirectional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

[I’m not sure the last word has been spoken on the way this particular law is phrased. What the law intends to convey, however, is of course correct.]

LID supports pseudonyms that cannot be correlated to other LID URLs owned by the same owner. The word "cannot" here really means "cannot" as the identity owner may operate entirely different LID URLs through different sites and/or service providers that have no knowledge of each other. Even where multiple LID URLs of the same owner are operated by the same service provider, it would very difficult and require a security breach to correlate those LIDD URLs.

Ergo: LID fully supports this.

The Law of Pluralism

A universal identity system MUST channel and enable the interworking of multiple identity technologies run by multiple identity providers.

It’s difficult to judge whether any identity system, LID included, meets this requirement. Kim gives RSS as an example that could easily be supported by many different systems.

If so, LID very clearly can be supported by many different identity system implementations as it only requires agreement on a very small set of simple HTTP requests. Most certainly, LID can be implemented in many different ways, and we ourselves have two entirely different implementations.

So I feel comfortable to say that LID supports this law.

 

Interestingly enough, LID was designed quite some time before Kim published his laws, and we have not done any adjustments in our implementation to conform to the principles he sets out. I think that makes the Laws a good validation point for LID, and LID a good validation point for the Laws … it also proves that not only the Laws are desirable, but that they indeed can be implemented, which I’m not sure has been proven before.


Posted

in

by

Tags: