Kim’s Third Law is the one he used to explain the failure of MS Passport:
Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
Passport violated this law by putting a third party – the Microsoft Passport authentication database – between every website and the users who wanted to authenticate themselves to that website. As Kim explains, this was as certain to lead to failure as a bridge designer ignoring the Law of Gravity when designing a bridge.
So here’s the corollary for identifiers:
3a. The Corollary of Fewest Identifiers
Technical identifier systems MUST be designed so the disclosure of identifying information (including other identifiers) is limited to parties having a necessary and justifiable place in a given identity relationship.
Note that the only difference between the Third Law and the Third Corollary is the reference to “identifiers” instead of “identity”. More than anything, what this highlights is the critical role of identifiers in any type of digital identity infrastructure. There are two fundamental reasons:
- Every identifier inherently reveals a relationship between the resource it identifies (such as a person or organization) and the authority responsible for assigning the identifier. Thus for certain types of identification relationships, the very existence of the identifier can potentially reveal sensitive information.
- Every identifier is a “lightning rod for data”. Simply put, an identifier is a path to the data it represents – even if the identifier is not itself directly resolvable.
On the latter point, Fen Labalme likes to tell the story of the data aggregator that (privately) says they need just two items of data about a person, such as their age and zip code, to identify them with about 98% certainty. This goes to show that in the age of Google, any identifier, even a traditionally public, non-resolvable identifier such as a person’s real-world name, is suddenly “resolvable” in an entirely new way. It is this capacity – the ability to look up information about a person knowing only their name and perhaps their company, industry, or school – that has led to popular adoption of the term “Googling someone”.
So, in the age of Google, how are digital identity systems supposed to conform to the Third Corollary? How can they use identifiers that limit disclosure of identifying information to necessary and justifiable parties? The answer jumps us forward to the Fourth Corollary (coming later this week), but to preview:
- Use unidirectional identifiers whenever possible (private identifiers or “pseudonyms” that only resolve in the context of a specific identification relationship).
- When using public, omnidirectional identifiers, make them abstract so they can maintain the privacy of the real-world authority they represent.
(Speaking of omnidirectional identifiers, if you don’t have my email address, please send any comments through my i-name contact page at =Drummond.)
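The unidirectional identifiers previewed above can be sketched as follows. This is an added example, not code from the original post: the `IdentifierAuthority` class, its methods and the `*.example` names are hypothetical, and deriving pseudonyms with HMAC-SHA-256 is an assumed construction the post does not specify.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample data: omnidirectional identifiers (email addresses).
USERS = ["alice@example.com", "bob@example.com"]


class IdentifierAuthority:
    """Hypothetical issuer that gives each relying party its own pseudonym per user."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # never leaves the authority
        self._reverse = {}  # (relying_party, pseudonym) -> user_id

    def pairwise_id(self, user_id, relying_party):
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        msg = b"".join(
            len(p).to_bytes(4, "big") + p
            for p in (relying_party.encode(), user_id.encode())
        )
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        pseudonym = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
        self._reverse[(relying_party, pseudonym)] = user_id
        return pseudonym

    def resolve(self, relying_party, pseudonym):
        # Resolution only succeeds inside the relationship the pseudonym was issued for.
        return self._reverse.get((relying_party, pseudonym))


def shared_identifiers(ids_a, ids_b):
    """Identifiers two parties could join on if they pooled their records."""
    return set(ids_a) & set(ids_b)


def demo():
    authority = IdentifierAuthority()
    shop = [authority.pairwise_id(u, "shop.example") for u in USERS]
    clinic = [authority.pairwise_id(u, "clinic.example") for u in USERS]
    return {
        "omnidirectional_overlap": shared_identifiers(USERS, USERS),
        "pairwise_overlap": shared_identifiers(shop, clinic),
    }


if __name__ == "__main__":
    print(demo())
```

Each relying party sees a stable identifier for a returning user, but pooling the two parties' records yields no common key, whereas the email addresses join trivially.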