The Laws "Live"

I intended to make this my first live blogging entry from Digital Identity World this week, starting with Kim Cameron’s talk on the Laws of Identity. As expected, it was packed (in fact it needed a larger room — at least 30 folks were standing.)

But as it ended I was engulfed in followup conversations. Then Dick Hardt did a very cool presentation about Identity 2.0 and what it really means for it to be user-centric. (I’ve never seen a presentation in the style of Larry Lessig, to whom Dick attributed the format, but I’ll never think about PowerPoint the same way again.) After that I got into a deep discussion with Paul Trevithick and Andy Dale about XDI architecture, which led to a highly enlightening conversation with Jamie Lewis in which he explained to me how he thinks the marriage between SAML and WS-Trust will really work.

Here’s the simple way to put it: if WS-Trust is “tubes for tokens” (Kim’s great phrase that for me immediately conjures up the byzantine pneumatic plumbing system in the movie “Brazil”), then SAML 2.0 is the “default token”. According to Jamie, WS-Trust provides a really good token tube, one that has smart “transformers” at each junction that can transform from one token format into another (what Kim calls “claims transformation”). But WS-Trust doesn’t know anything about the tokens. SAML, on the other hand, defines a very good token format, but not as strong a “token tube”.

So, put the two together by shipping primarily SAML tokens over a WS-Trust tube, then transforming them when necessary into other token formats like Kerberos or X.509, and you have a pretty good solution for interoperable identity assertions.

We’ll see how closely this matches to Jamie’s presentation tomorrow morning (always one of the highlights of the show), but it sure helped my understanding.


DIDW "Bottoms Up" Identity Meeting

As Kim notes, there will be an open meeting on “Bottoms Up” identity at the Pacific room of the San Francisco Hyatt Embarcadero at 1pm Pacific on Monday May 9. I’ll be there as well as at DIDW all week and would be happy to discuss the Corollaries, XRI, or XDI – just look me up or send me a note via my i-name contact page at =Drummond.


The Fifth Corollary of Identifiers

[This is the fifth of seven proposed “Corollaries of Identifiers” to Kim Cameron’s Laws of Identity.]

Kim’s Fifth Law is the one that most directly explains his use of the term “metasystem”:

5. The Law of Pluralism

A universal identity system MUST channel and enable the internetworking of multiple identity technologies run by multiple identity providers.

Again, the corollary from an identifier standpoint falls out nicely:

5a. The Corollary of Identifier Plurality

A universal identifier system MUST channel and enable the internetworking of multiple identifier schemes run by multiple identifier authorities.

This corollary highlights the architectural parallels between TCP/IP as an internetworking protocol and a universal identity metasystem as an “interidentity protocol”. TCP/IP solved the problem of interoperable network packet exchange by providing a way to map local LAN protocols to a common internetworking protocol. The LAN protocols themselves did not need to change; only mappings to the internetworking protocol needed to be added.

The Fifth Corollary postulates that the same solution will be required for the identifiers in a universal identity metasystem. In other words, identifiers designed for local “islands” of identity can’t be expected to provide cross-domain interoperability any more than a LAN protocol could be expected to produce the Internet. Instead, we need a universal identifier metasystem — a “TCP/IP of identifiers”.

A first temptation might be to say: “We already have it – URIs.” It’s hard to argue with the most successful identifiers in history, and URIs have been as integral to the success of the Web as IP addresses were to the Internet. However, the Fifth Corollary adds an interesting new requirement when it comes to a universal identity metasystem: the need to “channel and enable the internetworking of multiple identifier schemes run by multiple identifier authorities”.

While this might sound like what URIs do today, in fact interoperability is limited to a handful of broadly supported URI schemes (chiefly HTTP/HTTPS, but also mailto, ftp, and a few others). In addition, generic URI syntax uses a “single hierarchy” structure, i.e., a URI always represents a single identifier authority. There is no standard way in generic URI syntax to express “cross hierarchy” relationships, a directory concept known as polyarchy. Yet those of us working on the OASIS XRI TC have found polyarchy (which we call cross-references) to be as essential to the “internetworking of multiple identifier schemes” as TCP/IP packet exchange is to the internetworking of multiple LAN protocols.

For example, the following URIs might represent me as a personal authority and my employer, Cordance Corporation, as an organizational authority, respectively:

http://www.equalsdrummond.name/
http://www.cordance.net/

With URI syntax, each of these authorities may be the root of its own infinite hierarchy of local resources, e.g.:

http://www.equalsdrummond.name/blog/identifier-corollaries-5.html
http://www.cordance.net/directory/employees/hourly.xls

But there is no standard HTTP URI syntax for referring across these hierarchies, i.e., for referencing “the resource known by the URI ‘http://www.equalsdrummond.name’ in the context of the resource known as ‘http://www.cordance.net’.”

With XRIs, this is easy:

xri://(http://www.cordance.net)/(http://www.equalsdrummond.name)

XRIs that use global context symbols (and therefore make the “xri://” prefix optional) can make cross-references even more compact:

@Cordance.Corporation/(=Drummond.Reed)

While there are other features that (in my humble opinion as XRI TC chair) qualify XRI as the “TCP/IP of identifiers”, cross-referencing is the feature that speaks most directly to interoperability. To my knowledge, the XRI scheme is the first URI-compatible identifier scheme that permits the use of all valid URIs (and all valid XRIs) within the context of a single resolvable identifier.

If you don’t already have my email address, please send comments via my i-name contact page at =Drummond.


Fen adds Four More Laws

Fen Labalme has published Four More Laws of Identity that add some key additional perspectives on Kim Cameron’s original seven. Specifically, Fen covers:

  • Freedom
  • Decentralization
  • Portability
  • Transparency

Well worth reading as we head into the conversations at Digital Identity World next week.


The Fourth Corollary of Identifiers

[This is the fourth of seven proposed “Corollaries of Identifiers” to Kim Cameron’s Laws of Identity.]

Kim’s Fourth Law is the only one that deals directly with digital identifiers:

4. The Law of Directed Identity

A universal identity system MUST support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

Of all seven of Kim’s Laws, this one has the most obvious corollary:

4a. The Corollary of Directed Identifiers

A universal identifier system MUST support both “omnidirectional” identifiers and “unidirectional” identifiers and MUST make it practical for the identified party to control which type of identifier is used in any particular identification relationship.

In short, the Third Law requires an identifier infrastructure capable of fulfilling its requirements as well as those of the First Law (user control of information disclosure).

As is often the case, “public is easy and private is hard”. In other words, it’s not difficult to meet the need for public, omnidirectional identifiers. Wired/wireless phone numbers, domain names, email addresses, or instant messaging addresses all fulfill this requirement to a greater or lesser extent. (In fact, though they are much less user-friendly, so do public keys.)

The challenge lies in the second half of the equation: unidirectional identifiers. None of the identifier systems named above were designed to meet the requirement of easily producing and managing private unidirectional identifiers that are not public and do not provide the “correlation handles” Kim refers to.

For example, I’ve always thought it amusing that phone companies charge you extra for NOT publishing your phone number. After all, aren’t they saving work and paper? In fact not – phone numbers were designed to be omnidirectional identifiers, and any attempt to constrain that omnidirectionality requires extra work on the part of the phone company (and many other parties).

The same goes for publicly available DNS infrastructure. When registering the domain name “equalsdrummond.name” I was astounded that it cost me MORE to keep my registration information private (using a proxy registration service for the Whois listing) than I paid for the name itself!

As Mark Baker pointed out in his feedback on the Second Corollary, the situation is slightly better with email – services like Hushmail exist to help you register anonymous, privacy-protected email addresses. Unfortunately, by themselves these don’t fulfill the requirements for “unidirectional” identifiers. If you reuse an email address — or any other identifier — across websites, it becomes as much of a correlation handle as a real-world name, phone number, or URI.

This means unidirectional identifiers must be generated on a per-relationship basis – a requirement that is anything but trivial. Bell Labs developed an entire email technology, Target-Revocable Email Addresses, to do this. The Liberty Alliance Project bent over backwards to bake pseudonymity into its architecture. So does WS-Trust.
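As an added illustration of the per-relationship requirement (my own constructed example, not code from this post, Bell Labs, Liberty, or WS-Trust), the following derives a separate identifier for each website from a user-held secret with HMAC-SHA256 and then plays the role of a data aggregator that joins two sites' user tables: with a reused email address every account links up, with per-relationship identifiers nothing does. The site names, user secrets, and email addresses are constructed sample values, and HMAC is my choice of derivation, not a scheme the post describes.

```python
"""Constructed demonstration: unidirectional identifiers minted per
relationship versus one omnidirectional identifier reused everywhere.
Assumption: the identifier is HMAC-SHA256 of a user-held secret over the
site's name; this stands in for the mechanisms the post mentions."""
import hashlib
import hmac
from typing import Dict, List, Set, Tuple

# Constructed sample data: (display name, user-held secret, public email).
# A real deployment would give each user a random high-entropy secret.
USERS: List[Tuple[str, bytes, str]] = [
    ("Alice", b"constructed-secret-for-alice-0001", "alice@example.com"),
    ("Bob",   b"constructed-secret-for-bob-0002",   "bob@example.com"),
]
SITES = ["shop.example", "forum.example"]   # constructed websites


def pairwise_id(user_secret: bytes, site: str) -> str:
    """Unidirectional identifier for one (user, site) relationship.
    Stable across repeat logins at the same site, so it still authenticates;
    unrelated across sites, and a site cannot recover the secret or
    predict the identifiers the same user presents elsewhere."""
    mac = hmac.new(user_secret, site.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def register_everywhere(omnidirectional: bool) -> Dict[str, Dict[str, str]]:
    """Each site's user table after every user signs up:
    {site: {identifier presented: display name}}.
    omnidirectional=True reuses the email address at every site."""
    ledgers: Dict[str, Dict[str, str]] = {site: {} for site in SITES}
    for name, secret, email in USERS:
        for site in SITES:
            handle = email if omnidirectional else pairwise_id(secret, site)
            ledgers[site][handle] = name
    return ledgers


def correlate(ledgers: Dict[str, Dict[str, str]]) -> Set[str]:
    """An aggregator holding two sites' tables joins them on the identifier
    column; every shared value is a correlation handle linking two accounts."""
    tables = [set(ledgers[site]) for site in SITES[:2]]
    return tables[0] & tables[1]


if __name__ == "__main__":
    for omni, label in [(True, "reused email"), (False, "per-relationship")]:
        ledgers = register_everywhere(omni)
        for site, table in ledgers.items():
            print("%-16s %-14s %s" % (label, site, sorted(table)))
        print("%-16s linkable accounts: %s" % (label, correlate(ledgers)))
```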

[Warning: stepping on my XRI soapbox now.]

So here’s a simple way to look at the XRI 2.0 specifications from OASIS: they are the first identifier specifications that provide equal support for both omnidirectional and unidirectional identifiers. In other words, they provide a uniform syntax and resolution protocol for both human-friendly, reassignable i-names and machine-friendly, persistent i-numbers. The former are designed explicitly for public, reusable, omnidirectional identifiers, while the latter are ideal for private, one-time, machine-generated unidirectional identifiers (though not all i-numbers will be unidirectional – some will serve as synonyms for omnidirectional i-names.)

XRIs also go one step further in supporting the Fourth Corollary: because XRIs are abstract, the XRI resolution protocol enables XRI authorities to control access to the attributes of an omnidirectional XRI like an i-name. In some cases this may lessen the need for unidirectional identifiers, but in all cases it helps fulfill the First Law requirement that every authority should have control over the release of its information.

(A case-in-point is my own i-name contact page at =Drummond. If you don’t already have my email address, please send me any comments there.)


The Third Corollary of Identifiers

[This is the third of seven proposed “Corollaries of Identifiers” to Kim Cameron’s Laws of Identity.]

Kim’s Third Law is the one he used to explain the failure of MS Passport:

3. The Law of Fewest Parties

Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

Passport violated this law by putting a third party – the Microsoft Passport authentication database – between every website and the users who wanted to authenticate themselves to that website. As Kim explains, this was as certain to lead to failure as a bridge designer ignoring the Law of Gravity when designing a bridge.

So here’s the corollary for identifiers:

3a. The Corollary of Fewest Identifiers

Technical identifier systems MUST be designed so the disclosure of identifying information (including other identifiers) is limited to parties having a necessary and justifiable place in a given identity relationship.

Note that the only difference between the Third Law and the Third Corollary is the reference to “identifiers” instead of “identity”. More than anything what this highlights is the critical role of identifiers in any type of digital identity infrastructure. There are two fundamental reasons:

  1. Every identifier inherently reveals a relationship between the resource it identifies (such as a person or organization) and the authority responsible for assigning the identifier. Thus for certain types of identification relationships, the very existence of the identifier can potentially reveal sensitive information.
  2. Every identifier is a “lightning rod for data”. Simply put, an identifier is a path to the data it represents – even if the identifier is not itself directly resolvable.

On the latter point, Fen Labalme likes to tell the story of the data aggregator that (privately) says they need just two items of data about a person, such as their age and zip code, to identify them with about 98% certainty. This goes to show that in the age of Google, any identifier, even a traditionally public, non-resolvable identifier such as a person’s real-world name, is suddenly “resolvable” in an entirely new way. It is this capacity – the ability to look up information about a person knowing only their name and perhaps their company, industry, or school – that has led to popular adoption of the term “Googling someone”.

So, in the age of Google, how are digital identity systems supposed to conform to the Third Corollary? How can they use identifiers that limit disclosure of identifying information to necessary and justifiable parties? The answer jumps us forward to the Fourth Corollary (coming later this week), but to preview:

  • Use unidirectional identifiers whenever possible (private identifiers or “pseudonyms” that only resolve in the context of a specific identification relationship).
  • When using public, omnidirectional identifiers, make them abstract so they can maintain the privacy of the real-world authority they represent.

(Speaking of omnidirectional identifiers, if you don’t have my email address, please send any comments through my i-name contact page at =Drummond.)


Mike Phillips on Digital Citizenship

Mike Phillips, Chairman of Frank Russell Company and one of the most progressive thinkers I know about the convergence of digital identity and the real world of commerce and government, had this to say about the Laws and the Corollaries:

Kim Cameron is wonderfully refreshing and it is outlandish that he works for Microsoft in such a senior role. If his thoughts can prevail there maybe they are in for a whole new iteration of growth.

I think there is a relevance of digital identity to outsourcing. Outsourcing of jobs is not new, manufacturing jobs have been leaving the US for decades. The difference now is that people are physically located in one place (say, India) but essentially working in the US. This causes problems. Nations cannot tax, regulate or sanction these people. We clearly need to differentiate between someone’s physical identity, and their digital identity when it comes to the business process. We can regulate and have sanctions over people’s physical identity but it is tough right now to do this with their digital identity even in a self governing way.

Is it not likely that in the long term the issue of persistent identity becomes an issue of citizenship? We cannot regulate fungibility enabled by the digital world by attempting to control the atomic identities of people. We can only do it by regulating their digital identities. Once we can do that, it actually becomes easier than regulating atomic identity. In fact you can operate outside the realm of regulation and control of the atomic world. Transients, criminals, mountain men, etc. all do this. Given that one’s digital identity HAS to exist in a machine friendly environment, regulations, sanctions, rules actually are easier because one cannot exist in an alternative digital environment.

So maybe we will develop a dual citizenship structure over the next few decades; a physical identity or citizenship, and a digital one. Nation states are physical entities and the political process governing them will find it hard to cope with digital citizenship. Governments will find this very challenging, but there won’t be that much they can do about it. When things stabilize, digital citizenship will require some form of supra-national supervision and rule enforcement which goes well beyond the current policing structures of the Internet. Kim Cameron’s rules seem to be a great place to begin this process. An essential feature of this would seem to be self-empowerment and self-regulation.

This may be the human race’s only real hope of World government in the foreseeable future. As you listen to Drummond and Kim, the refreshing thing is that it has a chance of being global self government. As digital interaction between humans becomes more core to the economic life of the planet, the evolution of persistent digital identity into true citizenship is an exciting prospect. [The Laws and the Corollaries] hold the keys to the next steps. I am eagerly watching developments!

I’ve been telling Mike that he needs to start blogging. I’d be his first subscriber. I couldn’t agree more that the intersection of digital identity, commerce, and citizenship may be the loudest noise in the Big Bang of a universal identity metasystem.


Andy Dale on the Second Corollary

Andy Dale sent me this comment about the Second Corollary:

Drummond, you say:

“[Concrete identifiers such as an email address] reveal a direct method of interacting with me (as would a phone number, fax number, IM address, postal address, etc.)”

This is an argument you also made in the First Corollary. I want to point out that my i-name [XRI] is also a direct method of interacting with me. BUT, I maintain control of the channels of communication so I don’t have to be protective of it.

I give out my home address (fairly) freely because I trust the security (my dog) to help me manage and maintain control of ingress and egress, much as I trust my authentication service and related communications service providers.

Andy is correct — I keep referring to XRIs as abstract identifiers that do not reveal a direct method of interaction with the resource they represent, particularly when the resource is a person who wishes to keep those methods of interaction private. Andy’s point is that XRI resolution CAN provide such a direct interaction method (such as i-name contact pages), but that due to the additional level of indirection, the XRI authority can control the use of this method of interaction.

Net net: XRIs for people can provide the best of both worlds – direct interaction and privacy protection.


The Second Corollary of Identifiers

[Note: This is the second of seven proposed “Corollaries of Identifiers” for Kim Cameron’s Laws of Identity. See the First Corollary for more background info.]

Kim’s Second Law follows closely from his First Law:

2. The Law of Minimal Disclosure

The solution which discloses the least identifying information is the most stable, long-term solution.

2a. The Corollary of Minimal Disclosure for Identifiers

The identifier which discloses the least identifying information is the most stable, long-term identifier.

At first reading, this corollary seems tantamount to a prescription for URNs (Uniform Resource Names). It has long been a maxim that if you want a long-term, persistent, stable identifier for a resource, the identifier itself must contain little or no semantics, because semantics are always subject to change. By this maxim, either of the following two identifiers (a conventional UUID expressed as a URN, and a persistent XRI) is ideal from the standpoint of minimal disclosure:

urn:uuid:f0502a17-4503-4463-8516-f1225b330e4d
=!(!762A!C40D!28E7!BB9C)

By contrast, the following globally-unique identifiers (XRIs) contain real-world semantics that may change over time:

=Drummond
@Cordance*Drummond
@Cordance*(=Drummond)

However, all of the XRIs above contain less identifying information than the following globally-unique identifiers (DNS names and email addresses):

equalsdrummond.name
drummond@example.com

Why? The first is a registered DNS name, and registering it required real-world contact data which, even though it was filed through a proxy registration service (that cost me as much as the name itself!), is still available should someone have an important enough reason to identify me as the real-world owner of this domain name (were I not publicly blogging about it).

The second, an email address, reveals a direct method of interacting with me (as would a phone number, fax number, IM address, postal address, etc.)

So a first observation about the Second Corollary is that it is best served by abstract identifiers – identifiers that by themselves do not reveal a direct interaction method with a resource, but must first be resolved into one or more concrete interaction addresses.

A second observation is that abstract identifiers themselves fall into two classes: those that contain the very least identifying information (and thus can serve as the most persistent, as with the first set of examples above), and those that contain some degree of real-world semantic information and therefore may be less persistent — but much easier for ordinary mortals to use (like the second set of examples).

[Caution: XRI soapbox follows. Full disclosure that I am co-chair of the OASIS XRI TC.]

XRIs are, to my knowledge, the only abstract identifiers that natively support both of these classes: persistent XRIs (called i-numbers) and reassignable XRIs (called i-names) — or any combination of the two within a single XRI. A more detailed discussion of how XRI syntax does this is in section 3.1 of the Introduction to XRIs document published by the OASIS XRI TC as part of the current OASIS public review.

As we’ll see in future Corollaries, a unified syntax for both i-names and i-numbers allows XRIs to support any point in the continuum of perpetually persistent to rapidly reassignable, while at the same time supporting any point in the continuum of zero disclosure (disclosing no real-world identifying information) to full disclosure (such as disclosing one’s full legal name).
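To make the syntax concrete for both the cross-references in the Fifth Corollary post above and the i-name/i-number distinction here, the following added example (my own code, not the XRI TC’s) parses the XRIs quoted on this page with a deliberately simplified grammar: an optional xri:// prefix, a leading global context symbol, ‘/’-separated segments, ‘*’ (reassignable) and ‘!’ (persistent) subsegment delimiters, and parenthesised cross-references that may themselves contain ‘/’ or ‘:’. It assumes only the forms shown on this page; the full OASIS XRI 2.0 grammar is not implemented.

```python
"""Simplified parser for the XRI forms quoted in these posts.
Assumption: only the syntax seen on this page is modelled; the full
OASIS XRI 2.0 grammar is not implemented."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

GCS_CHARS = "=@+$"     # global context symbols used in the examples
SUBSEG_DELIMS = "*!"   # '*' = reassignable subsegment, '!' = persistent one


@dataclass
class Subsegment:
    delimiter: str          # "", "*" or "!"
    literal: Optional[str]  # plain text, or None when this is a cross-reference
    xref: Optional[str]     # identifier nested inside "(...)", else None

    @property
    def persistent(self) -> bool:
        return self.delimiter == "!"


@dataclass
class XRI:
    gcs: Optional[str]            # "=" for a personal i-name, "@" for an organisation
    authority: List[Subsegment]   # first segment: the identifier authority
    path: List[List[Subsegment]]  # remaining '/'-separated segments


def split_outside_parens(text: str, delims: str) -> List[Tuple[str, str]]:
    """Split on delimiter characters that are not nested inside parentheses.
    Returns (delimiter, piece) pairs; the first piece has an empty delimiter.
    This is what lets '/' and ':' inside a cross-referenced URI survive."""
    pieces: List[Tuple[str, str]] = []
    depth, delim, current = 0, "", ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in %r" % text)
        if depth == 0 and ch in delims:
            pieces.append((delim, current))
            delim, current = ch, ""
        else:
            current += ch
    if depth != 0:
        raise ValueError("unbalanced '(' in %r" % text)
    pieces.append((delim, current))
    return pieces


def parse_segment(segment: str) -> List[Subsegment]:
    """Break one segment into subsegments, unwrapping "(...)" cross-references."""
    subsegments: List[Subsegment] = []
    for delim, piece in split_outside_parens(segment, SUBSEG_DELIMS):
        if piece == "" and delim == "":
            continue  # nothing precedes the first '!' in a form like "=!(...)"
        if piece.startswith("(") and piece.endswith(")"):
            subsegments.append(Subsegment(delim, None, piece[1:-1]))
        else:
            subsegments.append(Subsegment(delim, piece, None))
    return subsegments


def parse_xri(text: str) -> XRI:
    """Parse an XRI; the xri:// prefix is optional when a GCS leads."""
    if text.startswith("xri://"):
        text = text[len("xri://"):]
    gcs = None
    if text and text[0] in GCS_CHARS:
        gcs, text = text[0], text[1:]
    segments = split_outside_parens(text, "/")
    authority = parse_segment(segments[0][1])
    path = [parse_segment(piece) for _, piece in segments[1:]]
    return XRI(gcs, authority, path)


def cross_references(xri: XRI) -> List[str]:
    """Every identifier nested in a cross-reference, authority first, then path."""
    found: List[str] = []
    for segment in [xri.authority] + xri.path:
        found.extend(s.xref for s in segment if s.xref is not None)
    return found


def is_persistent(xri: XRI) -> bool:
    """True for an i-number (every authority subsegment is '!'-delimited),
    False for an i-name, which has at least one reassignable subsegment."""
    return bool(xri.authority) and all(s.persistent for s in xri.authority)


if __name__ == "__main__":
    # The identifiers below are the ones quoted in the posts on this page.
    for sample in ["xri://(http://www.cordance.net)/(http://www.equalsdrummond.name)",
                   "@Cordance.Corporation/(=Drummond.Reed)", "=!(!762A!C40D!28E7!BB9C)",
                   "=Drummond", "@Cordance*Drummond", "@Cordance*(=Drummond)"]:
        parsed = parse_xri(sample)
        print("%-66s gcs=%s persistent=%s xrefs=%s" % (
            sample, parsed.gcs, is_persistent(parsed), cross_references(parsed)))
```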

(Since I’m on the minimal disclosure side myself, unless you already have my email address, please send any comments through my i-name contact page at =Drummond.)


Mark Baker on the First Corollary

Mark Baker, one of the “gods of REST” whose work I have referenced many times in my work on the XDI protocol at OASIS, makes some excellent points in his commentary on the First Corollary. To my contention that many domain names break the First Corollary because they require public Whois data about a registrant, he says:

DNS does certainly require a small amount of information be made available, and though I’m hardly a historian, the little I do know of the history of this data suggests that it represents the minimum amount that a mature industry – which has had to balance the needs of domain owners (anonymity) with those of the public at large (accountability) over many years – has reached consensus on requiring. So I doubt that any competing centralized solution would be able to reach widespread deployment without, in the steady state, providing a similar amount of info about registrants.

Also, who says that there’s a direct correspondence between a DNS name and the person who uses the email address? I don’t own gmail.com, nor yahoo.com, yet have email addresses at both of those domains. Google and Yahoo, in offering an email service, provide a degree of anonymity via proxy; if you want to learn more about me there, you have to go through them, and I’m not required to publish any info about myself there.
Hushmail’s probably the extreme case here, as they seem to exist to provide as-anonymous-as-possible email services.

Mark is right that the generalizations I made about privacy and DNS in the First Corollary were too strong. I agree with him that DNS has evolved a balance between anonymity and accountability (the balancing factors of which I think are brilliantly discussed in The Accountable Net paper, originally inspired by Esther Dyson.)

I don’t agree with his contention, however, that any other federated identifier infrastructure must end up “providing a similar amount of info about registrants”. While accountability ultimately requires identifiability at some level, as The Accountable Net points out there are other (and arguably more effective) ways to provide it than direct public disclosure of identifying information. The XDI.ORG solution for global i-name/i-number accountability is only one example.

On Mark’s second point, about the privacy of email addresses, I completely agree with him that they can protect the real-world identity of the owner. I was trying to make a slightly different point, which is that an email address inherently discloses a method of interaction with its owner — less-than-ideal from the standpoint of the First Corollary. For example, giving a website a Hushmail address when registering may not reveal any personally identifying information about me, yet it still gives the website a way to send me email (unless I never use the account, which has its own drawbacks).

So having a way of being able to identify and authenticate oneself online without providing an email address, which is an advantage of LID, SXIP, and other digital identifier systems in addition to XRI i-names and i-numbers, gives users greater control under the First Corollary. Which leads us nicely to the Second Corollary…


The inimitable PeterD

In keeping with my pledge to introduce new links on my blogroll, herewith the inimitable Peter Davis and his Identity4All blog. Peter is part of the powerhouse tech team assembled by CTO Mark Foster at NeuStar to create the world’s most innovative registry and network interconnection services. No wonder NeuStar is poised to be the first XRI global registry services provider – as abstract identifiers, XRIs are perfect to bridge the multiple networks and communications protocols that NeuStar serves, from wired to wireless to Internet to [insert next new new internetworking thing here].


First Corollary of Identifiers

Kim Cameron published his Laws of Identity for one central reason:

“People who work on or with identity systems need to obey the Laws of Identity. When we don’t, we leave behind us a wake of reinforcing side-effects that eventually undermine all resulting technology. The result is similar to what would happen if civil engineers were to flaunt the law of gravity.

“The Laws of Identity are not about the ‘philosophy of identity’ – which is a compelling but entirely orthogonal pursuit.

“Instead, they define the set of ‘objective’ dynamics that constrain the definition of an identity system capable of being widely enough accepted that can serve as a backplane for distributed computing on a universal scale. Our goal is to change the identity conversation enough that its laws are no longer argued as ‘moral imperatives’, but rather as explanations of dynamics which must be mastered to craft such a universal system.”

I am a strong proponent of Kim’s laws because I believe his rationale is so sound: by extracting and distilling the natural laws of identity systems, we can avoid designs for a universal identity metasystem that don’t conform, just as a mechanical engineer can eliminate bridge designs that don’t conform to the law of gravity.

When Kim published his Fourth Law (the Law of Directed Identity), it was the first (and only) law that touched directly on identifiers. I knew his Laws had gained quite a following when I quickly received several email messages asking if XRIs (Extensible Resource Identifiers), the new OASIS specifications for abstract identifiers, conformed to the 4th Law.

In discussing this with other members of the XRI TC, as well as with Kim, we realized that each of his “Laws of Identity” has a “Corollary For Identifiers”. In particular, these corollaries would apply to any universal identifier metasystem that aspired to be the addressing scheme for the “mega momma backplane” (as Kim, Marc Canter, and Craig Burton put it.)

That, of course, is precisely the goal of the OASIS XRI effort dating back to 2003 (and previously to the XNS work dating back to 1999.) Given that the XRI 2.0 specifications are currently in public review in advance of a full OASIS vote, now seems like a good time to follow Kim’s lead and publish “The Seven Corollaries of Identifiers”.

1. The Law of Control

Technical identity systems MUST only reveal information identifying a user with the user’s consent.

1a. The Corollary of Identifier Control

The identifiers in a universal identifier metasystem MUST only reveal information identifying a user with the user’s consent.

Funny how intuitive it seems when you put it this way. A user’s online identifier should not force the user to reveal any more information than they wish. And yet one of the online identifiers most frequently requested from users squarely violates this principle: an email address. Websites that require an email address to register – and many have no choice because it is often the only easy, universal way to perform basic user authentication – force individuals into revealing information that in many cases they would rather not.

So half the Web breaks this corollary before we’re even out of the starting gate. But it gets worse. Look at one of the current bulwarks of online identification: DNS. A standard requirement for most DNS name registries is accurate, current contact data for the registrant that is published publicly as “Whois” data. Although many registrars now offer proxy registration services to preserve registrant privacy and prevent spam, there’s no escaping that a major component of our current Internet identifier infrastructure breaks the First Corollary squarely in two.

So can XRIs fix this problem? Yes. The first principle of XRI architecture is that XRIs are abstract – the association between an XRI and the real-world resource it represents is entirely under the control of its XRI authority (the person or organization registering the XRI, at any level of delegation). So nothing in an XRI need reveal anything about the authority’s identity or messaging address.

So how can the identifier be authenticated, i.e., what’s the XRI equivalent of the simple email address verification test that websites use every day? The ISSO (I-Name Single Sign-On) protocol, which combines XRI 2.0 resolution with SAML 2.0 authentication assertion exchange. It’s easier, faster, and much more secure than email authentication – and still does not require revealing any other information identifying the user.

So that fixes the first problem. What about the second – the DNS “Whois” problem? What registrant data is required when registering an XRI? Here I can only speak for the XRI global registry services to be offered by XDI.ORG. Based on its Global Services Specifications (GSS) that have been in public review since December, the answer is: none. Following XDI.ORG’s Minimum Information Policy, a cornerstone of its Data Protection Policies, the XDI.ORG global registries will store only registered XRIs, resolution values, and authentication credentials. There is no public (or private) “Whois” service. (There is a Public Trustee Service that provides an alternate means of authenticating a registrant to XDI.ORG if they lose their registration credential, but that data is entirely private.)

So what provides accountability for global registrations? Dispute Notification Service. Every global XRI registrar is required to provide a means of forwarding authenticated dispute notifications to a registrant. This accomplishes the same goal as DNS Whois service but without revealing registrant identifying data or exposing registrants to spam.

Enough already. We’ve got six more Corollaries to go. But even the First Corollary alone suggests that Kim’s universal identity metasystem might have a good partner in XRIs as a universal identifier metasystem.

Speaking of protecting privacy, please send any comments to =Drummond, my i-name contact page.

Posted in General, XRI

The Personal XDI Server

Andy Dale posted another head-banger on his Tao of XDI blog about personal XDI servers. It sounds like science fiction, but no one knows better than Andy and ooTao how real it is becoming with their alpha XDI code.

I could spend all day sharing the thoughts that Andy’s post sets off like fireworks, but I have to blog one Piccolo Pete he set off on the phone with me just now: the XDI watch. “Why on earth would I want a personal XDI server on my watch?” I asked him. “To tell you what you really want to know when you look at it,” he replied. “Not what time it is, but what you need to do next, and when.”

As a dues-paying member of the Clan of the Perpetually Tardy, I gasped. What better place to have all my schedules in all my contexts (family, work, sports, social) sync’d up than on my watch?

With one protocol to share and sync this data between every person and community on the Social Web, suddenly I can see this science-fiction scenario coming to a Best Buy near you within the next 5 years.

Or less. After all, how much would you pay for a watch that could do that? (Seiko, are you listening?)

Posted in General, Social Web, XDI

Comments turned off, i-name turned on

I think it’s pretty ironic that it took Kim Cameron adding his i-name to his blog (see the right-hand frame below “Recap of the Laws of Identity”) to show me how to turn off comment spam. I don’t know about others, but I started receiving it almost the day I started my blog. Drives me nuts because the email that should be the MOST relevant — comments directly on your blog posts — is actually the most irritating.

It took only about a minute to add a Comments link to my i-name contact page (see the upper right-hand corner). Now any comment can be authenticated by my i-broker, 2idi, automatically. Not quite as handy as a direct trackback, but it eliminates comment spam completely, and I like to hear directly from anyone who’s interested enough to comment.

Other good ideas about using i-names in the blogosphere? Let me know via my i-name contact page at =Drummond. (Now you know where the name of the blog came from.)

Posted in Blogging, General, XRI

The Tao of XDI

Andy Dale, CEO of ooTao, has started a blog called The Tao of XDI that gets my vote for “best themed blog of 2005”. Of course, I’m only slightly biased.

Seriously, Andy is the Chuck Yeager of XDI. He and his team at ooTao are pushing the XDI envelope as fast as it can expand. The OASIS XDI TC has taken the position from the start that it would like proposed XDI specifications proven out in implementations before anything is brought to a vote, and Andy is demonstrating this wisdom by starting to exercise the XDI universal schema and REST protocol model in very practical ways.

Use his i-name contact page to ask him about his XDI viewer that uses SVG to display XDI documents as visual XDI graphs, including showing how link contracts and rights paths automatically select the permissioned portion of an XDI document.

The Tao of XDI promises to be the focal point for many an XDI design discussion or revelation. Go Andy!

Posted in Blogging, General, XDI

Kim's the real thing

Eric Norlin posted a great piece about Kim Cameron as the news started to come out about InfoCards (an MS codename) this week. Kim himself explains how the story started coming out without anyone ever checking with him.

I just want to go on record that Kim is 100% the real thing. I’ve never met anyone like him. The Laws didn’t come from any preconceived agenda or marketing spin; they came straight from the heart of Kim’s lifetime of messaging and metadirectory experience and his passion for creating a true Internet-wide identity infrastructure that will finally usher in what he calls “the big bang” — the explosion of new applications that will be possible with authenticated online trust relationships (also known as the Social Web.)

As he began to talk to the open standard/open source/open trust community about the basic principles and architecture underlying InfoCards — and the fact that it must be an open, platform-independent solution that we all agree to, not unlike TCP/IP itself — he ran into a steady stream of gaping jaws. Could this be the same Microsoft that had only three years ago proposed Passport and Hailstorm to the world?

Well, it’s not the same Microsoft. It’s the Kim Cameron-inspired Microsoft. Call me a starry-eyed optimist, but to put a twist on my favorite quote from Margaret Mead: “Never doubt that a small group of thoughtful, committed citizens can change Microsoft. Indeed, it’s the only thing that ever has.”

Kim needs our support to pull this off. He’s got mine.

Posted in Blogging, General, Social Web

The calm before the storm

Why so quiet of late? First because the OASIS XRI TC was completely heads-down finishing the XRI 2.0 specifications. They were unanimously approved as a Committee Draft on March 14, and now have entered a 30-day public review period (required before any Committee Draft goes to a full OASIS vote.) I strongly encourage review and feedback by anyone who cares about abstract identifiers and Internet infrastructure. You can access all the specs as well as the Comments link directly off the XRI TC home page.

Then there was completion of the XDI.ORG Global Services Specifications (GSS). These are the specs that will govern global XRI registration and resolution services from XDI.ORG. They have been in public review since late December but have been awaiting completion of XRI 2.0 before approval by the XDI.ORG trustees. Now we are rolling in a handful of changes (mostly based on the more powerful features of XRI 2.0 resolution) before they go into production. Again, public review and feedback of the GSS specs is strongly encouraged by anyone who cares about Internet infrastructure for persistent identity and trusted data sharing.

On top of this there’s the ongoing “Identity Gang” conversation with Doc Searls, Craig Burton, Kim Cameron, Marc Canter, Dick Hardt, Owen Davis, Kaliya Hamlin, Jan Hauser, and others. We just met again last Sunday in Phoenix on the opening day of Esther Dyson’s PC Forum conference. It was a great conversation that is starting to become very focused on how Internet identity infrastructure can unify around a single harmonious “metasystem” (to use Kim’s and Craig’s term) that fully encompasses both personal and commercial identity. Just keeping up with this conversation while trying to build one piece of this metasystem leaves zeeeeeeero time left over.

Anyway, once these various specs are done I hope I’ll come up for air, although any way you look at it, it’s going to be a wild spring as we work through the XRI 2.0 vote, prepare for the OASIS Symposium, head into Digital ID World, and prepare for the XDI.ORG registry launch.

I’m going to need a loooooooong summer vacation this year.

Posted in General, Identity Commons, XRI

Extending Identity Mgmt's Realm

John Fontana of Network World just published a nice article in CIO Today called Extending Identity Management’s Realm that points out the central role identifiers play in identity management infrastructure, especially when it is extended beyond people to “all things”.

This is exactly the job XRIs were designed for, as I’ll discuss more once the Introduction to XRIs publication from the OASIS XRI TC is ready next week (the XRI 2.0 vote is now scheduled for Monday the 14th).

Posted in General, Identity Commons, XRI

XRIs vs. URLs (Preview)

As the OASIS XRI Technical Committee heads into the final stages of completing the XRI 2.0 specifications (currently scheduled for a Committee Draft vote on March 11), I’m spending a bunch of time on the XRI Primer, the first general-audience document that addresses the question, “Why would I want to use XRIs? What problems do they help me solve?”

An early preview of the type of content that will be available is the answer I just posted to a question on the Identity Commons i-broker mailing list. It addresses the topic of the advantages of XRIs vs. URLs when it comes to two key areas: persistent identity and semantic integration. (If you have any burning questions about XRIs that you’ve been dying to see answered in the XRI Primer, please let me know via my i-name contact page at =Drummond.Reed.)

Once the XRI Primer is published, I’m working with other XRI TC members on what we hope will be a fascinating series of blog entries that will help shed light on where XRIs fit into the emerging “Identity 2.0” picture, and specifically into Kim Cameron’s enormously powerful Laws of Identity.

Posted in General, Identity Commons, XRI

Chris Allen & Life with Alacrity

I met Chris Allen two years ago at PlaNetwork and for the first time got the full story on how TLS (the successor to SSL) came into being. Chris is the man responsible, and after that modest accomplishment, he’s now carefully discerning the most significant developments in social software. His blog, Life With Alacrity, is highly recommended to anyone interested in the development of the Social Web.

Posted in Blogging, General, Social Web