Re: "Identity" - is a modal notion and the matrix

From: David Chadwick <D.W.Chadwick@kent.ac.uk>
Date: Fri, 2 Jun 2017 17:13:50 +0100
To: Henry Story <henry.story@bblfish.net>
Cc: public-credentials@w3.org
Message-ID: <690bdd08-f1ad-d451-0ef9-b31f900967b6@kent.ac.uk>


On 02/06/2017 15:57, Henry Story wrote:
> 
>> On 2 Jun 2017, at 14:37, David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:
>>
>> My take on identity (or more properly the process of identifying an
>> entity) is that it is needed by everyone and everything for the
>> functional purpose of authorisation, which is the most generic of all
>> functions. It encapsulates all possible actions, including tracking
>> (from Joe's narrower definition). All actions need to be
>> authorised/controlled, thus they need to identify the actors.
>>
>> I identify you to decide whether I want to have or continue a
>> relationship with you (and not with someone else).
>>
>> Governments identify us to decide if we are allowed to be citizens, drive
>> cars, have health care etc.
>>
>> Web services identify us to provide us with a service.
>>
>> I am hard pushed to find any use of 'identity' that does not have
>> authorisation as the base requirement.
>>
>> Examples that you might think are not related to authorisation, are
>> identifying celebrities, identifying inanimate objects, identifying
>> criminals from mug shots. Looking at each one of these in more detail:
>>
>> I identify celebrities to decide whether I want to follow them, read
>> about them, or ignore them etc. Each of my actions requires
>> authorisation, (by my brain) and thus I need to identify who is the
>> person in the magazine to decide whether to read further about them or
>> turn the page and ignore them.
>>
>> I identify inanimate objects to decide whether to ignore them, pick them
>> up, switch them on etc. If I cannot identify one object from another
>> then I cannot decide what to do with it (i.e. an access control decision).
>>
>> I see a picture of a criminal on a police wanted poster. I identify him
>> to decide whether to phone the police or not when I see a stranger
>> walking down the street who may or may not match the mugshot.
>>
>> So I strongly believe that we identify entities in order to authorise
>> actions by them or on them (depending upon whether they are the subject
>> or object of the action).
>>
>> I would be pleased to hear from anyone who can specify a purpose of
>> identity/identification that does not involve authorisation.
> 
> 
> I can't quite tell if this is the result of a professional deformation
> from someone who has
> worked for years in this area or if it is brilliant :-)


Well actually I have Ron Rivest to thank for this brilliance, because he
showed me the light back in the 1990s, when he said 'I do not care who
you are, I only care what you can do'. i.e. authorisation is the
important factor, not authentication. And that is when I switched from
PKI to PMI (and built PERMIS).


> 
> The idea seems a bit stretched for mathematical objects. What would
> access control to
> mathematical objects be?
> 
> There is certainly something very important to natural selection for
> animals of all types 
> to be able to discriminate if something is of a type or not. Is this a
> poisonous mushroom or
> a tasty one? Is this object stable or is it going to fall over if I lean
> on it? Is that person coming
> to me a friend or a foe? (asked in a war like situation)
> 
> Just to take the last one: we have some x identified of largish agent
> call it x is moving over in 
> that direction with respect to us. We are in a war situation. Is it an
> animal (pig, fox, deer, ?)  or 
> is it a human?  We look and we  start to get enough information to be
> able to discriminate 
> more carefully. Soon we  can see that it is a human. So our alert level
> rises, since we don't yet know 
> if it is a friend or an enemy.  After looking more carefully we
> recognize some element of the uniform, 
> which indicates that it is an enemy soldier. So that would tend to
> indicate very strongly that it is a foe. 
> I don't in this situation actually need to identify x any further to
> act. I don't need to know its name,
> phone number, email address, mother name, etc... Depending on the
> gravity time I am allowed to 
> think before being myself in danger I may have to act now just on that. 

Thank you for confirming my assertion that identification is ultimately
about authorisation. You have now performed sufficient identification to
be authorised to fire your gun. However, your humanity may determine
that you do not want to kill someone on such sparse identity
information, and you may choose to wait until you have more identity
information. But that is your choice and it does not ultimately affect
my thesis.


> 
> I may have a bit more time and relay this information to someone else
> who has a different angle on the situation
> and they can calculate where the person is given the directions I gave
> with respect to me. From 
> their angle they can (dis)confirm the relation of x to the type of
> our:EnemyCombatant. Of course 
> x is very likely moving and so changing its relation to other things as
> we are trying to diagnose the situation.
> We need to figure out very fast if we need to act or if we can escape
> its attention unharmed 
> and follow x to see what it is doing, i.e. to put it in relation to
> other enemy combatants, to work
> out what its plan is, and so what their plan is, .... We may be able to
> send a mosquito sized drone
> all the way to it, to spy on all its information exchanges with its
> headquarters, and so gather its e-mail
> address, home page, telephone number, mother and father's name etc... We
> will then have identified the 
> individual much more precisely. Perhaps we will then know enough that we
> can convince it to switch sides.
> 
> But perhaps we don't get all that information and it is only years after
> the war that having gotten hold
> of the enemy logs that we can work out that information and get that
> deeper identity which will allow us
> to let x's family know what happened that day.
> 
> Still in order to do that we have also identified a number of objects in
> the background as trees, roads,
> lakes, bushes, all in some relation to us and the background mountains.
> Each of these objects we can
> categorize in some way or other, and this can be used to guide our
> action with respect to them. But
> perhaps that is just because information, action and strategies are very
> strongly linked. 
> 
> Types are often thought of as ways of discriminating objects. And to act
> successfully we need to discriminate 
> correctly.

Correct. And types are the fundamental objects in RBAC and ABAC. And
guess how types are categorised? By their attributes.

> 
> It is certainly true that as far as credentials go, the main use of them
> will be access control (I think). 
> That could certainly help narrow the focus somewhat of our investigation.
> 
> I think we can go further and then define the type of action an access
> control decision is. An act of
> access control is, I think, an action that a Guard does that follows
> the following pattern:
> Is the thing x in front of me, at the other end of the connection,
> etc... allowed to act on object y 
> that I control? What types of objects are allowed to do that action? Can
> that x prove to me that it is of that type?
> And we are interested for proofs of that type to be done via a
> credential of some form, where the x
> can prove that it is the object that is spoken of in the credential
> shown to us - the x can work out
> somehow which credential is the most appropriate to show. 
> 
> This seems to be getting closer to something useful. 

Great. Because ultimately if we build a technically beautiful construct
that has all the latest state of the art, but is not useful, then it
will not be used and it will become shelf-ware. I believe that VCs are
incredibly useful. I use the physical equivalent everyday and I cannot
live without them. They are of course plastic cards.

regards

David



> 
> Henry
> 
>>
>> regards
>>
>> David
>>
>> On 02/06/2017 11:07, Henry Story wrote:
>>> If you favor a functional answer then you are not far from also coming
>>> to see
>>> the relevance of a logical one, and also of a pragmatic one. 
>>>
>>> The relations between functions and types is made clear in the "new" 
>>> foundational maths called Homotopy Type Theory. (The key book is online
>>> here https://homotopytypetheory.org/ and even compilable from github
>>> if you want the latest version with all the corrections. The first two
>>> chapters
>>> are very readable for someone with computing experience.)
>>>
>>> This is built on type theory, which takes functions as the basic
>>> entity relating types. 
>>> But where other maths assume identity problems to be relatively easy,
>>> HoTT 
>>> develops this into the core of the theory. To specify a type of an
>>> object is to specify
>>> ways of finding when two objects of that type are identical. 
>>>
>>> This is constructive mathematics so in their examples they mostly use
>>> mathematical 
>>> objects. I think one can move to thinking about physical objects if one
>>> starts
>>> with the space of all possibilities and things of various types in that
>>> space.
>>>
>>> The intuition one should take back from HoTT is that types require a
>>> specification
>>> of the identity of an object, so that one can specify when two things
>>> are equal.
>>> Eg, two sets are equal if they contain the same elements.
>>>
>>> When is a ship the same from one moment to the next, is by the way not
>>> a problem without pragmatic consequences. If identity of a person were 
>>> a material one then eating a burger would be a way to get out of a murder
>>> charge. To understand people as processes that keep their identity
>>> through
>>> change is important for contracts to work, to also be able to pardon
>>> people 
>>> ("he is now a changed man"), etc... I think it is this thought of
>>> identity in change
>>> that gets people hung up, as they keep thinking what is it that
>>> remains the
>>> same from instant to instant - they think of the essence of something as
>>> another 
>>> thing that is always there, and so they start looking for the soul as a
>>> physical entity.
>>> In constructive mathematics one can name a type by showing how to
>>> construct elements
>>> of it. With objects in physical space other criteria may be needed which
>>> are more
>>> likely to latch on for natural kinds, how the things themselves
>>> function, how they
>>> evolved, how they survived, etc...
>>>
>>> So yes, we can be functional. If a human person is a process then for
>>> example it is a 
>>> certain type of process, a biological one, that starts at a certain time
>>> and goes
>>> through a huge number of transformations. As I pointed out one can choose
>>> other 
>>> types to identify a person: a citizen perhaps would allow aliens from 
>>> other planets to be citizens and so could not be reduced to humans. One
>>> can then have a 
>>> partial map from citizens to  humans. Good modeling here would
>>> require that 
>>> one notice that a person can be the citizen of more than one nation and 
>>> indeed even change citizenship.
>>>
>>> As a human being is a process that interacts with other processes
>>> there will
>>> be an infinite number of ways of identifying it indirectly, through
>>> causal relations
>>> it has with any other number of things, from being the person who
>>> created a
>>> document at a time to being the person who helped save someone's life.
>>>
>>> In description logic (and hence in OWL and RDF) one can describe types
>>> by their relations to other types, and individual by relations
>>> between them
>>> and other things. So we slowly end up at the semantic web if we want to 
>>> think about this in relation to the global information system that the
>>> web is.
>>>
>>> As for your comments on identity being completely in the head, that
>>> is the private language fallacy that Wittgenstein spent a lot of time
>>> analyzing and dismantling in his "Philosophical Investigations". Language
>>> is by nature not private, or else all communication would be impossible.
>>> Language is also by nature one that requires that those playing the
>>> game of talking and listening abide by the logical consequences of
>>> what they
>>> say (see "Between Saying and Doing - Towards an Analytic Pragmatism"
>>> by Robert B. Brandom
>>> https://global.oup.com/academic/product/between-saying-and-doing-9780199542871
>>> )
>>>
>>> This means of course being able to bring different propositions
>>> together, combining
>>> them and being able to arrive at conclusions. Ie. merging propositions
>>> and reasoning 
>>> is the nature of a linguistic system.  If one needs to limit who can
>>> read some information there
>>> are other ways to do that: such as access control or legal requirements
>>> on usage 
>>> of information.
>>>
>>> Now to come back to the Lana Wachowski, director of The Matrix, talk on 
>>> Identity, Privacy  and Anonymity here https://youtu.be/crHHycz7T_c?t=317
>>>
>>> What Lana Wachowski is against is subdivision of Humans into two
>>> exclusive 
>>> types, and the assignation of strict roles to those types. That is
>>> clearly a modelling
>>> error, a simplification that is easy to do, but that does not capture
>>> reality correctly
>>> and so leaves people deaf to the problem of those who don't fit the
>>> categories.
>>>
>>> But that is not an argument against types, just one against a particular
>>> set of
>>> types, and a particular set of distinctions. She does make the point
>>> well that
>>> anonymity is then very useful - though what she means is not
>>> anonymity but
>>> pseudonymity, as her hairdresser for example has no difficulty
>>> identifying her,
>>> and knew a lot about her, except that she was the director of the
>>> Matrix. She was
>>> able to live a life where people did not know the relation between one
>>> aspect of
>>> her life and the other. Of course there is no way she could completely
>>> control
>>> the leakage of information (as we know from how much has been leaked
>>> through
>>> Wikileaks).
>>>
>>> So my conclusions:
>>> • language is for communication (but that does not mean one has to
>>> shout everything off the rooftop)
>>> • types come with identity criterion (when are two things in that type
>>> the same thing? With abstract
>>>  objects from Maths this may  be part of the structure of the thing,
>>> with physical objects it may 
>>>  actually be discovered later)
>>> • the open world assumption that is part of the web allows the same
>>> object to have an indefinite 
>>>   number of names, and also to be described using anonymous nodes. It
>>> is the relation between
>>>   things that count.
>>>
>>> I could also argue that anonymity is not the only good in the system.
>>> Pure anonymity makes
>>> discussion impossible. If I can't tell that I am speaking with the same
>>> person between sentences
>>> then I cannot even have a reasoned discussion. Pseudonymity allows one
>>> to re-identify someone
>>> over time which allows for a conversation to take place. Information by
>>> its nature is about relations.
>>> Think about functions as a specific type of relation.
>>>
>>> Henry
>>>
>>>
>>>
>>>> On 2 Jun 2017, at 09:54, Joe Andrieu <joe@joeandrieu.com> wrote:
>>>>
>>>> For what it's worth, I fear I've triggered the tar pit that many of 
>>>> us were trying to avoid.
>>>>
>>>> My initial request was simply to avoid demonizing identity and instead
>>>> be rigorous when we use the term. That begs the question of what such
>>>> rigor would mean, which, inevitably, triggers the impassioned arguments.
>>>>
>>>> I did not provide a definition. Instead I laid a framework for
>>>> distinguishing
>>>> between two different, valid ways for engineers to approach identity:
>>>> (a) compositionally--identity as the collection of attributes related
>>>> to an
>>>>       entity
>>>> (b) functionally--identity based on how it works and how we use it
>>>>
>>>> I will shortly provide a definition, but I want to ground the thread
>>>> in my
>>>> belief that, as engineers, these are the two productive ways to view
>>>> identity when the goal is to design and build identity systems.
>>>> (Or, in our case, to design systems that impact identity.)
>>>>
>>>> There are other ways to view identity: political, cultural,
>>>> psychological, even meta-physical perspectives. These are the root
>>>> of many of the impassioned arguments. They are important. Not just
>>>> valid. IMPORTANT. However, while they may drive important trade-offs
>>>> in design decisions--in the WHY of any given system choice--they do not
>>>> help one communicate or understand HOW an identity system works.
>>>>
>>>> Historically, we--meaning engineers--have treated identity
>>>> compositionally,
>>>> as if it were a thing that we could represent in attributes.
>>>> Attributes that
>>>> could be stored, shared, protected, regulated. This is defined
>>>> explicitly
>>>> in the ISO standard.
>>>>
>>>> My assertion is that treating identity this way is the root of many
>>>> problems 
>>>> in today's identity systems, and that thinking about how identity
>>>> functions
>>>> may be a more fruitful path forward.
>>>>
>>>> The definition I'm going to present may not be the best one, but it is
>>>> one 
>>>> based on its function. I'd love to hear other suggested functional
>>>> definitions.
>>>> I am sure there is room for improvement.
>>>>
>>>> But I also know, not only from my own experience, but from the empirical
>>>> and academic record that designing systems based on how they should 
>>>> function--rather than simply modeling the data the system contains--is 
>>>> a legitimate and productive way to approach complex system design.
>>>>
>>>> I think it provides a better approach than limiting the definition to 
>>>> the static notion of attributes. You can disagree with me on that and
>>>> still
>>>> work with me to define a common framework for thinking about
>>>> identity functionally. If there were a viable identity system, *both*
>>>> definitions
>>>> should hold merit. I argue the compositional model is incomplete. I ask
>>>> you to indulge me and help define a functional model, then we can
>>>> compare which teaches us more about how such systems can be and
>>>> eventually should be built.
>>>>
>>>> FWIW, I don't expect to do this work *within* the VCWG or even the
>>>> community group. I'll be writing and publishing elsewhere. I'll share 
>>>> that work as it occurs in case it might prove helpful.
>>>>
>>>> Here's my definition of Identity:
>>>>
>>>> Identity is how we keep track of people and things and, in turn, how they
>>>> keep track of us.
>>>>
>>>> That’s it. We learn people’s names, we observe them and hear gossip
>>>> and consume media. We then apply that sense of who they are to our
>>>> dealings with them. Others do the same in return.
>>>>
>>>> In ICT systems, we assign identifiers, we accumulate observations, we
>>>> correlate those observations with entities, we make conclusions based
>>>> on those observations and we apply those conclusions in interactions
>>>> with those same entities.
>>>>
>>>> In other contexts, we give people name tags, we share business cards,
>>>> and we wear bracelets. All to facilitate keeping track of each other.
>>>>
>>>> This simple definition is surprisingly provocative. It triggers
>>>> associations
>>>> with Big Brother and the surveillance state. It brings up ideas about
>>>> embedded chips and tattooed serial numbers. It conjures fears of
>>>> government or corporations constantly tracking what we do.
>>>>
>>>> Which is ok, because, in fact, those are the most feared abuses of
>>>> identity. It’s important to realize when we talk about identity that
>>>> we are
>>>> always talking about how we keep track of people. It is important to
>>>> understand how identity systems limit or avoid (a) tracking
>>>> EVERYTHING about (b) everyone and sharing that with (c) anyone.
>>>>
>>>> What functional identity doesn't do is attempt to define what identity 
>>>> *is*; it focuses on what it does for us and how we use it.
>>>>
>>>> Organizations and people are going to use identity to keep track of
>>>> people and things no matter what we do. Fixating on sets of attributes
>>>> ignores the ways that we use identity information, whereas focusing on
>>>> the function of identity affords significant visibility into both
>>>> potential
>>>> harms and techniques for enhancing or limiting that functionality.
>>>>
>>>> In contrast, attributes themselves aren't harmful (they are inert
>>>> data) and
>>>> not only have we shown they are almost impossible to contain, we
>>>> know that the correlation of identities across contexts can occur based
>>>> on so many different observations that even if we could contain a
>>>> specific
>>>> set of attributes, we still could not prevent re-identification even in
>>>> "anonymized" data sets. In short: even the most rigorous attribute
>>>> management system cannot prevent undesired identification. Conclusion:
>>>> identity *must* be more than just the attributes in an ICT system
>>>> related
>>>> to an entity. 
>>>>
>>>> This is at the core of my motivation to move beyond attributes. Clearly
>>>> our identities can be compromised even with the most thorough
>>>> attention paid to protecting attributes. Attributes simply are not
>>>> enough
>>>> to capture the scope of identity.
>>>>
>>>> As I described in the subjective notion of identity, not only can we not
>>>> adequately record the subjective sense of, for example, "Joe Andrieu"
>>>> in the minds of everyone who knows me, there is no way to control
>>>> those subjective notions nor a way to prevent people from using those
>>>> notions in their considerations of how to deal with me. So even if
>>>> we could magically conceptualize the platonic form of forms that 
>>>> collectively represents "Joe Andrieu" we still would be lacking any 
>>>> understanding about how that notion functions: how it is used by actual
>>>> people. And it is in that use that harms occur.
>>>>
>>>> To respond to a few anchoring bits amidst the thread without
>>>> slight to the other thoughtful comments:
>>>>
>>>> On Thu, Jun 1, 2017, at 11:59 AM, Henry Story wrote:
>>>>> Yes, it looks like Joe's definition is one of what makes a thing the
>>>>> thing it is.
>>>>>
>>>>>> On 1 Jun 2017, at 20:08, Steven Rowat <steven_rowat@sunshine.net> wrote:
>>>>>>
>>>>>> On 2017-06-01 9:06 AM, Joe Andrieu wrote:
>>>>>>> Identity is innately
>>>>>>> trans-system. Any given "digital identity" may not be, but our real
>>>>>>> world "identity" absolutely is. By its very nature. We have an
>>>>>>> identity
>>>>>>> completely independent of any system or authority.
>>>>>
>>>>> This I suppose is behind Heraclitus' statement that 
>>>>> "You could not step twice into the same river."
>>>>>
>>>>> It is also the old question of how much change one can make to
>>>>> something and it still 
>>>>> be the same thing, as the old paradox of Theseus' Ship makes clear 
>>>>> https://www.wikiwand.com/en/Ship_of_Theseus
>>>>
>>>> Actually, I think the functional definition makes the question of
>>>> Theseus's
>>>> ship moot. That question is grounded in the compositional notion that
>>>> the identity of "Theseus's ship" is initially based on the components
>>>> of his initial ship. A functional definition would ask whether or not
>>>> the ship
>>>> in question was recognized as the same ship throughout its tenure.
>>>> If the 
>>>> current ship is recognized as the same ship, then, functionally, it
>>>> has the
>>>> identity of "Theseus's ship". Whether or not it *is* the same ship is
>>>> philosophical and not relevant to engineering an identity system.
>>>>
>>>> From what I understand, the basis for Steven Rowat's argument about
>>>> "essences" follows that same compositional notion. The functional model
>>>> doesn't care. If a person is recognized as an individual, then as
>>>> long as
>>>> the recognition holds, they have that identity. Whether or not they
>>>> *are*
>>>> in fact that person is a meta-physical, psychological, or philosophical
>>>> question, which I'm intentionally taking off the table so we engineers
>>>> can
>>>> figure out what we are trying to build together.
>>>>
>>>>>> On 1 Jun 2017, at 11:08 AM, Steven Rowat <steven_rowat@sunshine.net> wrote:
>>>>>>
>>>>>> I believe Joe and Henry are talking past each other in a fundamental
>>>>>> way that might be a good example of the tar-pit that Manu likes to
>>>>>> talk of.
>>>>
>>>> Yes. And I apologize for the distraction. Hopefully we can get this
>>>> out of
>>>> our systems and let the list get back to technical discussions in
>>>> short order.
>>>>
>>>>>> Joe's position (in my words, using Henry's terminology)
>>>>>> I believe Joe is most concerned with the fact that a given thing
>>>>>> (person) is unique in the world. And that any collection of labels
>>>>>> that relate to that person is part of an assumed superset relating to
>>>>>> them, and "Identity" is the whole superset. How much of the superset
>>>>>> we see at one time varies, but it exists because the person exists.
>>>>
>>>> I'm not sure I care about uniqueness. I don't think that's actually
>>>> relevant for a
>>>> functional model of identity. Certainly, identities can become
>>>> confused. Such
>>>> is the fodder for much comedy throughout literature and media. I
>>>> wouldn't say
>>>> that such confusion--or ambiguity if the identity is simply limited in
>>>> its specificity--
>>>> means we aren't dealing with identity.
>>>>
>>>> I will also say that while the superset could conceptually be
>>>> constructed in an
>>>> all-knowing thought experiment, any essential identity ultimately
>>>> resides in
>>>> the minds' eyes of the beholders who recognize a thing. What's in my
>>>> head is 
>>>> inevitably different than what is in someone else's, even if we both
>>>> are aware of
>>>> all the attributes ever recorded in any ICT system.
>>>>
>>>> Hence, while we could discuss the uber-set of all such mental notions,
>>>> it is not
>>>> clear that would ever be a superset of which some of us share
>>>> subsets, as
>>>> much as a collection of distinct notions. To get philosophical, we
>>>> can't even
>>>> know if your sense of "red" is the same as mine; it would seem
>>>> unlikely that
>>>> we could ever know if your sense of me is the same as anyone else's.
>>>>
>>>>
>>>> On Thu, Jun 1, 2017, at 12:16 PM, David Chadwick wrote:
>>>>> On 01/06/2017 17:06, Joe Andrieu wrote:
>>>>>
>>>>>    On Thu, Jun 1, 2017, at 12:44 AM, David Chadwick wrote:
>>>>>
>>>>>        On 01/06/2017 07:48, Joe Andrieu wrote:
>>>>>
>>>>>    If we mean "digital identity", then say it. Don't confuse it with
>>>>>    "identity".
>>>>>
>>>>>    The objections to "identity" are often because of conflation of
>>>>>    the two.
>>>>>    We discuss A when we mean B. We discuss "identity" when what we
>>>>>    really
>>>>>    mean is "the isolated domain-specific digital identity that only
>>>>>    applies
>>>>>    to this particular ICT system".
>>>>>
>>>>>
>>>>> Ok, but I prefer to use the term identity information when referring to
>>>>> the information held about a person in an information system. If the IS
>>>>> is physical and paper based, then the identity information will be held
>>>>> in paper files. If the IS is an ICT system, then it will indeed be
>>>>> digital identity information that is stored there.
>>>>
>>>> I like the term "identity information". That's much clearer than
>>>> referring
>>>> to a collection of attributes as someone's identity.
>>>>
>>>>> But I have never moved this discussion in the direction of talking
>>>>> about
>>>>> a single isolated ICT system, so I am not sure where you got that idea
>>>>> from. I said 'any and every ICT system'.
>>>>
>>>> The ISO standard does:
>>>>
>>>>    An identity is the information used to represent an entity in an
>>>>    ICT system.
>>>>
>>>>
>>>> It certainly does not say that identity is cross-system.
>>>>
>>>> That would, IMO, be much more rigorous to say either:
>>>> "A digital identity is the information used to represent an entity in
>>>> an ICT system."
>>>>
>>>> Or "Identity information is used to represent an entity in an ICT
>>>> system."
>>>>
>>>> However, our "real" identities are fundamentally external to any ICT
>>>> system.  
>>>> I am "Joe Andrieu" whether it is in an ICT system or not.
>>>>
>>>>>
>>>>>    The problem is that these digital identities don't stay isolated.
>>>>>
>>>>>
>>>>> Of course they don't. Who said they did? Federated identity management
>>>>> has always been about sharing digital identity information.
>>>>
>>>> And yet, the ISO definition of "identity" is anchored in "an ICT
>>>> system". The
>>>> whole point of federation is to match the identity information in one
>>>> system 
>>>> with the identity information in another. The nature of the problem is
>>>> that
>>>> these are *distinct* sets of identity information, distinct digital
>>>> identities, for
>>>> which some sense of equivalence is sought. That equivalence becomes
>>>> a shared sense of identity--and it almost never includes a
>>>> transference of all
>>>> related attributes. Even the ISO "identity" of a system isn't
>>>> transferred during
>>>> federation. Some subset of identifying information is. And yet, that
>>>> shared
>>>> sense of identity will still never match the entirety of any given
>>>> individual's
>>>> identity. The ISO definition conflates the shared sense of identity,
>>>> the ineffable subjective collective sense of identity, and the
>>>> identity information
>>>> in an ICT system when it refers to this last item as "identity". This
>>>> is the problem.
>>>>
>>>>>
>>>>>    Similarly, rights and privileges tied to our real identities are
>>>>>    often
>>>>>    ignored
>>>>>    or dismantled because *in a given system* it didn't seem relevant
>>>>>    to the engineers who designed and built it. Identity is innately
>>>>>    trans-system. Any given "digital identity" may not be, but our real
>>>>>    world "identity" absolutely is. By its very nature. We have an
>>>>>    identity
>>>>>    completely independent of any system or authority.
>>>>>
>>>>>
>>>>> Your last sentence conflicts with your other sentences in 'Identity
>>>>> Crisis' in which you state 'identity is an emergent phenomenon that
>>>>> does
>>>>> not have an existence independent of the observer'
>>>>>
>>>>> So which is it? Is identity completely independent or rather does not
>>>>> have an existence independently?
>>>>
>>>> I can see how that is confusing. However, both are accurate.
>>>>
>>>> Identity exists in the minds of observers, which is independent of
>>>> any authority. No single observer has the authority to decide their
>>>> version of my identity is authoritative, except to themselves, which
>>>> really is just a matter of the sovereignty of our own minds. Even *I*
>>>> don't have that authority. This was actually one of my rants against
>>>> many early testimonies about the awesome power of self-sovereign
>>>> identities. Nobody controls anyone else's  subjective state. We can
>>>> influence, but that state is innately independent of outside authority.
>>>>
>>>>> I don't think I know anyone who regards identity information as being
>>>>> specific to a single ICT system. Certainly everyone in the FIM world
>>>>> knows that identity information is meant for sharing. And people in the
>>>>> privacy world know that PII is allowed to be shared providing it stays
>>>>> within the rules. The GDPR is there to ensure the rules are obeyed,
>>>>> otherwise unscrupulous data controllers would share it in ways it was
>>>>> never intended for. Even the VC work does not believe in the full and
>>>>> free sharing of PII, rather it should be under the control of the
>>>>> holder. So there is no conflict between ISO, GDPR and VC work as far as
>>>>> I can see.
>>>>
>>>> On the contrary, identity information need not EVER be shared. It is
>>>> not *meant* to be shared. It is meant to provide a given system with
>>>> the information it needs to customize services in relation to a given
>>>> entity. Not even ISO presumes that identity information is designed to
>>>> be shared. That's a privacy nightmare.
>>>>
>>>> In a federated system, yes, fundamentally, identity information is being
>>>> shared, but that is what makes federation federation, NOT what makes
>>>> identity information identity information. And when an individual's
>>>> identity is treated as if it is entirely defined by the attributes in
>>>> the system, we have fundamentally compromised human dignity by
>>>> subjugating individuals to the tyranny of the data. Believe me, I've
>>>> spent six months in Amazonian purgatory because the database was in
>>>> error about my identity. No matter what Amazon thought, my *identity*
>>>> was fundamentally *not* what was captured by their set of attributes.
>>>>
>>>> There is a growing awareness that PII is an insufficiently defined
>>>> set to rigorously regulate anything. Even the GSA says "it requires a
>>>> case-by-case assessment of the specific risk that an individual can be
>>>> identified." [1] There isn't even agreement as to what the acronym
>>>> stands for. [2]
>>>>
>>>> Unfortunately GDPR is too young to discern its true strengths and
>>>> weaknesses. However, there are known flaws of the OECD privacy
>>>> principles which helped inform EU privacy law and I expect are still
>>>> lingering in GDPR. Namely, a complete lack of awareness that a data
>>>> controller or data processor may also be the data subject. We ran into
>>>> this in VRM conversations about personal data stores. The dominant
>>>> paradigm assumes that, in essence, corporations have and control data
>>>> about people and that people have certain rights in that situation. The
>>>> world view remains firmly in the lens of our corporate overlords and how
>>>> we protect the proletariat from their evils. In this world, like in ISO,
>>>> "Identity" is something given to you, not something innately existing in
>>>> the relationships that form social bonds.
>>>>
>>>> In short, *none* of these approaches to identity should be considered
>>>> resolved or adequate. The primary drivers in the modern era have been
>>>> corporations focused on securing their ability to profit from
>>>> information. More recently, in the EU, the state has picked up its
>>>> original charge in defining identity, acting as a force in the other
>>>> direction, figuring out how to realize the EU constitutional right to
>>>> privacy in the face of corporate data systems.
>>>>
>>>> [1] https://www.gsa.gov/portal/content/104256
>>>> [2] https://en.wikipedia.org/wiki/Personally_identifiable_information
>>>>
>>>>
>>>>>
>>>>>    aligned with the W3C mental
>>>>>    model of security by domain isolation as a response to things like
>>>>>    cross-site scripting hacks.
>>>>>
>>>>>
>>>>> I think you are confusing two separate issues, security vulnerabilities
>>>>> and data sharing. The Same Origin Policy is there to stop hackers
>>>>> linking systems that should not be linked, whereas FIM and token
>>>>> binding etc. are there to ensure that data can be shared safely and
>>>>> securely.
>>>>
>>>> Yes. Linking systems that should not be linked is how privacy is
>>>> violated. It feels comfortable to consider contextual integrity as a
>>>> security problem. Thinking of it in this manner leads to whitewashing
>>>> information sharing through consent ceremonies that users can't
>>>> understand for uses that are unexpected. There is a consistent
>>>> perspective that within a given domain, privacy and identity are the
>>>> purview of the domain controller. This is baked into the mental model
>>>> of isolated systems sharing specific bits of "identity" under
>>>> controlled terms--with near complete disregard for both the downstream
>>>> sharing and the systemic effects on privacy and identity. The framing
>>>> is that "if we solve privacy and identity within our isolated
>>>> contexts, we'll have done the right thing."  But fundamentally,
>>>> privacy and identity are greater than any isolated context. This is the
>>>> disconnect that, IMO, is the core architectural flaw in how most
>>>> contemporary systems deal with privacy and identity.
>>>>
>>>>>
>>>>>    If we want to make sure we don't undermine beneficial--or
>>>>>    unwittingly enable undesired--aspects of real-world identity, we
>>>>>    need to acknowledge that identity is inevitably more than the
>>>>>    digital identity in any given system.
>>>>>
>>>>>
>>>>> I think we all realise that. No one has been arguing for the opposite.
>>>>
>>>> The ISO standard itself defines identity as merely the attributes
>>>> related to an entity in an ICT system. So arguing for the ISO standard
>>>> argues for that opposite.
>>>>
>>>> --
>>>>
>>>> That's all for now. I think I've said more than enough. I've appreciated
>>>> the thoughtful responses and hope I've stretched some mental models.
>>>> It'd be great if the idea of treating identity functionally rather than
>>>> compositionally resonates enough to help us avoid the delicious yet
>>>> distracting rabbit holes of philosophical, cultural, and political
>>>> identity.
>>>>
>>>> As Manu suggested, I'll bring my perspective to comments and suggestions
>>>> in actual specification text. That's where I think we can most
>>>> concretely see if anything I'm suggesting has merit.
>>>>
>>>> -j
>>>>
>>>> --
>>>> Joe Andrieu, PMP
>>>> joe@joeandrieu.com
>>>> +1(805)705-8651
>>>> http://blog.joeandrieu.com
> 
Received on Friday, 2 June 2017 16:14:24 UTC
