Security/identity · 2006-12-02

Identity planets, moons, and comets

A little while ago I talked about a universe of identifiers. At Johannes’s prompting, I’ll try to get a little more specific here. (No, I’m not talking about the Planet Identity site, but if you happen to be just joining the identity story at this point, following Planet Identity is a great idea in general!)

I’d like to respond on two points. One has to do with the utility of having an “anonymous” presence on the web, and the other has to do with “alternate representations” of myself on the web.

So, anonymity first: Many people have written at length about the value of keeping your identity secret, even while going about your (necessarily public) business of living. It’s one of the reasons that people have been nervous about any kind of Single Identity Provider in the Sky that “knows” all of us. It’s why Sun has a Chief Privacy Officer (hi, Michelle!) who serves as a steward of information about Sun’s employees, customers, and partners — in many cases to ensure legal compliance. It’s why Phil Zimmermann invented PGP. It’s even been discussed as a use case on an OpenID list. Since I can already tell this post is gonna be long (and I’m just getting warmed up!), I’ll just assume we can agree there are sometimes good reasons to protect one’s identity from being exposed.

The Liberty Alliance work has as one of its major design goals privacy and confidentiality enablement (for example, you can use a web app without its knowing who you are uniquely, if that info is none of its business), and this requirement has sort of seeped into my bones. One of the major premises of URL-based identity as expressed in OpenID is that you can identify yourself in the same way websites do. Are these actually in conflict? I don’t think so, since SAML and Liberty only enable privacy; they don’t mandate it, and there are deployments that don’t hide the user’s “real identifier”, whatever form it might take. In this area, the use cases are a superset. (OpenID has Internet-scale use cases that SAML didn’t optimize for, so it’s obviously not a strict superset…)

To summarize, I’d say that I’m not at all opposed to users choosing to share their identifier in order to allow websites to authenticate them, personalize application behavior, allow other people to learn more about the user, and so on; I’m sold on this value of URL-based identity. But because “high-value” transactions (where even one’s life might be at stake — think whistleblowing or political dissidence) can take place on the web, sometimes the identifier you dereference shouldn’t give a hint about someone’s true identity. I think a comprehensive solution for Internet identity needs to allow for this.

Now, on to the notion of alternate representations of oneself: I worked up a visual taxonomy to illustrate what I was suggesting earlier regarding pseudonyms vs. persona URLs (click to enlarge):

Identifier taxonomy

The orange thingies are individual people. Each person might choose to have (or be assigned without any choice in the matter) several digital identities, the bright yellow thingies. For OpenID this would be a unique URL (or XRI) that I’m calling “primary”. Each digital identity has the potential to be managed by an entirely separate authentication authority (identity provider — the bright green thingies), and thus no one else, unless the human goes and tells them, is able to correlate those several identities.

This is where I think I got too confusing before, such that Johannes misunderstood my intent; he says “She goes on to describe that one actual identity (of me) can be managed by several, independent identity providers (which may not be sure they all talk about me), each of which can expose several different subsets of the information about me to relying parties.” Rather, I meant that each identity is managed by one IdP (though we can talk about IdP proxies and strong auth some other time!), but I, the human, may deal with several IdPs because I have several independent digital identities.

Continuing along: The notion of human-selected persona URLs that was emerging in OpenID discussions seemed to correspond to what I show here as a “digital persona (secondary URL for same identity)” in pale yellow. I’m imagining that you would go to your IdP and set up some policies (in pale green) to go with a persona URL, e.g. “Only share my nickname and favorite color with any RP to whom I give this URL”.

To summarize so far, there’s a one-to-many relationship between digital subjects and digital identities, across which only the subject has certain correlation knowledge in the general case (though there are various — e.g., enterprise — scenarios where the user doesn’t own their identity, or where multiple identities are managed under the same IdP, in which case others know too). There’s also a one-to-many relationship between digital identities and digital personae, across which only that identity provider (and the subject above) has certain correlation knowledge — though if I were to use primary and secondary URLs that started with…, others could start getting a pretty good idea merely by guessing.

Now, here’s where I’ve added some SAML- and Liberty-related notions to the picture. First look at the blue thingie, a pseudonym. Today in SAML, in the process of doing SSO you can pass between applications an opaque handle that represents “the same user” over a short or long period as far as they’re concerned, without having to tell each other the user’s “real identity” (e.g., a primary or secondary URL). This allows for a fair amount of personalization and access control even in the absence of full knowledge if attributes can be exchanged, and this is precisely the formal mechanism in SAML that humans and their IdPs can use to “go and tell” someone to correlate activities among their multiple digital identities. I was suggesting earlier that this pseudonym need not be a URL because it’s shared privately among that user/IdP/RP triple, and in fact it’s better if it’s not dereferenceable on the open Internet. The URL that the user might have shared with Application Foo originally might have been merely the IdP URL of Application Bar (the “directed identity” feature of OpenID 2.0), which has custody of the digital identity they were intending to “federate” with their use of App Foo.

Another pedagogical addition: The Liberty People Service is something that’s attracted a lot of notice among folks interested in social networking. It allows you to set up your own ACLs, if you will, for your resources and apps on the web — even if your friends, family, and colleagues don’t use the same identity provider that you do. In today’s world of Flickr (federated proprietarily with Yahoo), Google, MSN, etc. silos, it’s a useful notion. And in an OpenID world, everyone potentially has their own personal IdP, so it’s still useful! This picture shows a People Service “group” as an association that a digital identity sets up with arbitrary sets of other people’s digital identities (“my soccer team”), and a “role” as a category that a digital identity can apply to someone else’s digital identity (“contact this person in case of emergency”). These groups and roles are pale green, the same color as the persona policies, because they can all be seen as things you’d want to twiddle as configuration settings when managing their profile at an IdP interface.

Whew. I believe that, in this picture, digital identities are planets in an IdP solar system, personae are moons, and pseudonyms are comets. And I suppose People Service groups and roles are like SETI. (Stop me before I analogize again!) The answer to the question “Is there life out there?” — do I have digital identities other than a “one true OpenID”? — is pretty clearly yes for most people. I have approximately 380 unique web app identities and counting, and I doubt they’re all going to collapse (into a black hole, ha!) anytime soon — nor do I necessarily want them all to. I do want a universe in which I have the option to reveal only as much about myself as is warranted and also to loosely connect identities, including those of the other humans in my life, as appropriate and permitted.