What Is Identity?


Someone's identity includes his or her physical appearance, beliefs, interests, likes and dislikes, reputation, and history. It can cover everything vaguely interesting about the person.

At the risk of boring you stupid, I'll take myself as an example. I am thus the subject and my identity can be (partially) expressed using the following statements:

  • I am English.

  • I am married.

  • I am over 21.

  • I live in Seattle.

  • I am employed by Microsoft.

  • I have an excellent reputation as a buyer on eBay.

  • I am a member of Netflix.

  • I read the Guardian newspaper.

  • I have a blog at http://blogs.msdn.com/nigelwa.

  • I have Frequence Plus Carte Rouge.

If we express this information digitally, I become the digital subject:

A digital subject is a person or thing represented in the digital realm which is being described.

Humans are not the only possible digital subjects. We might equally deal with groups, devices, policies, resources, or relationships (such as between a user and a device).

With a sprinkling of XML, each of the claims above can help form my digital identity:

A digital identity is a set of claims made by one digital subject about itself or another digital subject.

Claims can take many forms: a simple identifier such as REDMOND\nigelwa, personal information (my name and address), membership of a group (Netflix), a capability (my credit limit is $5,000) or knowledge of a key.

Do you believe all of them? Why? Why not? Would showing you my passport or my driver's license increase your level of belief in my proposed age? What if the Human Resources department at Microsoft were asserting that I was an employee?

By using the word claim in the definition of digital identity, we make a subtle but deliberate choice. In a closed directory-based domain (for example, a Windows Server 2003 domain), we typically deal in security assertions, meaning "confident and forceful statements of fact or belief." This confidence is well-merited: It is a closed, administered system. However, if we want to have an open and broad-reaching identity system (we do), it helps to reflect the element of doubt inherent in dealing with parties on the Internet. How confident you are in the veracity of these claims depends on who the identity provider is, their reputation, and your relationship with them. Oh, and whether the claims have reached you intact and without being tampered with! In this case, I am the identity provider (and my security token is a Sams book). Perhaps you might have greater confidence in my age if shown my passport or my certificat de mariage, or digital versions of those documents signed by a government authority. You might have less faith if you saw them in an English tabloid newspaper.

This claim model is extremely flexible: we can express a subject's identity in pretty much any way we choose to. It has another very valuable property: It enables us to tackle the concerns of the general public around privacy and anonymity. On the Internet, even more than elsewhere, our natural desire is to remain anonymous until the moment we choose to reveal our identity, and even then we want to disclose the minimum amount of information possible (for example, revealing that I am over 21 without revealing my age). But how can an identity system preserve anonymity? Surely "anonymous identity" is an oxymoron?!

Well, anonymity is as much a part of identity as recognition. Anonymity is the null set of identity, and is very much a part of what we're trying to achieve. Many existing identity systems rely on unique identifiers. This is a critically useful constraint (to say the least) but not necessarily one we always want to apply. This is a flaw in URL-based systems: by their very definition, they resolve to a location.

The key idea is that identifying a subject needn't have anything to do with knowing who that subject is "in the real world." We can use a pseudo-identity to represent a user, not a real identity, and associate that with zero or more claims. The fact that a certain user has a consistent pseudo-identity over time allows us to gauge the quality of that user without having any idea of who he really is.

Summarizing, we are going to represent a subject's digital identity using a set of claims supplied in a secure and verifiable way by an identity provider. The claims are packaged in a security token that can travel over process and machine boundaries to wherever they are required.
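To make the summary above concrete, here is an added example (not code from the book, and not WCF, CardSpace or SAML code) of the whole cycle in miniature: an identity provider packages a set of claims about a subject, binds them so a relying party can tell whether they arrived intact, discloses only the predicate "over 21" rather than the age, and identifies the subject by a pairwise pseudonym that is stable at one relying party but unlinkable across others. The issuer names, keys, claim names and ages are invented for the example; an HMAC over a shared key stands in for the signature a real token would carry.

```python
"""Minimal claims-based security token, as a stand-alone illustration.

Constructed example, not WCF, CardSpace or SAML code: an identity provider
(IdP) packages a set of claims about a subject into a token, protects it with
an HMAC so the relying party (RP) can detect tampering, and identifies the
subject by a pairwise pseudonym so the RP learns nothing about who the
subject is "in the real world". Names, keys and claim values are invented.
"""
import hashlib
import hmac
import json

# Assumed key material. PSEUDONYM_KEY never leaves the IdP; TOKEN_KEY is a
# secret shared between this IdP and this RP (a real deployment would use a
# digital signature instead, so the RP need not hold any secret).
PSEUDONYM_KEY = b"idp-private-pseudonym-key-example"
TOKEN_KEY = b"idp-rp-shared-token-key-example"


def canonical(claims: dict) -> bytes:
    """Canonical JSON so issuer and verifier MAC identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def pairwise_pseudonym(real_subject: str, relying_party: str) -> str:
    """Stable pseudo-identity for one (subject, relying party) pair.

    The same subject presents the same identifier to the same RP each time,
    so reputation can accrue, but a different one at every other RP, and
    nobody without PSEUDONYM_KEY can map it back to real_subject.
    """
    msg = relying_party.encode() + b"\x00" + real_subject.encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue_token(issuer: str, audience: str, real_subject: str,
                age: int, groups: list, now: int) -> str:
    """IdP side: assert claims about the subject, bind them with a MAC and
    return the token as the string that will cross process/machine boundaries."""
    claims = {
        "iss": issuer,              # who is making the claims
        "aud": audience,            # which RP they are meant for
        "sub": pairwise_pseudonym(real_subject, audience),
        "iat": now,
        "exp": now + 300,           # short lifetime limits replay
        "over21": age >= 21,        # minimal disclosure: the predicate, not the age
        "groups": sorted(groups),   # group membership as a claim
    }
    mac = hmac.new(TOKEN_KEY, canonical(claims), hashlib.sha256).hexdigest()
    return json.dumps({"claims": claims, "mac": mac})


def verify_token(wire: str, expected_issuer: str, me: str, now: int):
    """RP side: accept the claims only if they are intact, from the expected
    issuer, addressed to us and currently valid. Returns (True, claims) or
    (False, reason)."""
    try:
        token = json.loads(wire)
        claims, mac = token["claims"], token["mac"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed token"
    expected = hmac.new(TOKEN_KEY, canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False, "claims altered in transit or not from a trusted IdP"
    if claims.get("iss") != expected_issuer:
        return False, "unexpected issuer"
    if claims.get("aud") != me:
        return False, "token issued for a different relying party"
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return False, "token expired or not yet valid"
    return True, claims


def demo():
    """Issue a good token, then show a tampered one being rejected."""
    now = 1_700_000_000
    wire = issue_token("idp.example", "shop.example", "REDMOND\\nigelwa",
                       42, ["netflix", "ebay-buyers"], now)
    ok, claims = verify_token(wire, "idp.example", "shop.example", now)
    # A minor tries to promote the "over21" claim after issuance.
    forged = json.loads(issue_token("idp.example", "shop.example",
                                    "someone-else", 17, [], now))
    forged["claims"]["over21"] = True
    bad, reason = verify_token(json.dumps(forged), "idp.example", "shop.example", now)
    return ok, claims, bad, reason


if __name__ == "__main__":
    print(demo())
```

Two points to notice when reading it: the relying party never sees the age or the real account name, only the claims the identity provider chose to make, and any change to those claims in transit is caught by the MAC check before any other check runs, which is the "reached you intact" concern from the earlier paragraph.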




Microsoft Windows Communication Foundation: Hands-on
ISBN: 0672328771
Year: 2006
Pages: 132
