To prepare for the panel discussion at the Cloud Identity Summit 2012, I was looking back at my old blog posts and found this article, “Requirements to Digital Identity”, which I wrote back in 2004 in Japanese.
Here is a translation of it (paraphrased a little to use more modern terminology):
12 High Level Requirements
Entities and their attributes shall be referenced by identifiers, and both the data and the metadata shall be accessible in REST style.
Access to them shall be controlled.
In some cases, access control shall be achieved through legally binding contracts (so that it can span borders).
Rule-based automatic contracting shall be possible, with fallback to human intervention when the automatic process fails.
The terms shall be simple and easy for individuals to understand.
The contract shall be applicable to groups of entities (multi-party contracts).
Minimal information disclosure through anonymous and pseudonymous identifiers shall be supported.
Persistent pseudonymous identifiers shall be available for the use cases that require them.
Attributes shall be version controlled so that past values can be accessed if necessary.
To mitigate information asymmetry, third-party certification of the accuracy of the claims made by entities shall be available.
To supply more up-to-date information on the accuracy of claims, reputation services shall be available.
5 Technical Requirements
As the number of identities will be extremely large, the system has to be implemented as a distributed system.
Use of a persistent identifier can create privacy risk, so it is best avoided. Therefore, we should consider mechanisms that establish the existence, trustworthiness, etc. of an identity while using anonymous identifiers (e.g., group signature based systems).
Identifiers shall be internationalized.
Use URLs as identifiers.
Attributes should be provided as a pair of an abstract identifier and a value.
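The following Python sketch is an added illustration for this page; it is not from the 2004 article, nor is it code from OpenID Connect or any other specification. It shows how several of the requirements above fit together in practice: an identity provider that keeps an internal identifier per user but only ever releases a persistent pseudonym derived per relying party (the host of the relying party's URL acts as the "sector", in the spirit of what OpenID Connect later called pairwise subject identifiers), identifiers that are themselves URLs, attributes stored as (abstract identifier, value) pairs with their full version history, and a release step that discloses only what was asked for. The hostname idp.example, the attribute identifier scheme, the HMAC-SHA256 derivation and the sample user data are all assumptions made for this example.

```python
"""Added example (not from the original post): persistent per-relying-party
pseudonyms plus versioned (identifier, value) attributes with minimal disclosure.

Assumed for this demo: the idp.example hostname, the HMAC-based derivation
and all sample user data are constructed here and come from no real system.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Attribute:
    """A pair of an abstract identifier (here a URL) and a value.
    Every past value is retained so that an earlier version can be retrieved."""
    identifier: str
    history: list = field(default_factory=list)  # [(version, value), ...]

    def set(self, value) -> int:
        version = len(self.history) + 1
        self.history.append((version, value))
        return version

    def current(self):
        return self.history[-1][1] if self.history else None

    def at_version(self, version: int):
        for v, value in self.history:
            if v == version:
                return value
        raise KeyError(f"{self.identifier} has no version {version}")


class IdentityProvider:
    """Keeps one internal identifier per user that is never released.
    Each relying party sees a different pseudonym derived from its own sector
    (host), so two relying parties cannot join their records on the identifier,
    while the same relying party sees the same pseudonym on every visit."""

    def __init__(self, pairwise_key: Optional[bytes] = None):
        # Must stay secret and stable: rotating it would rotate every pseudonym.
        self._pairwise_key = pairwise_key or secrets.token_bytes(32)
        self._users = {}  # internal id -> {attribute identifier -> Attribute}

    def add_user(self, internal_id: str) -> None:
        self._users[internal_id] = {}

    def set_attribute(self, internal_id: str, attr_id: str, value) -> int:
        attrs = self._users[internal_id]
        if attr_id not in attrs:
            attrs[attr_id] = Attribute(attr_id)
        return attrs[attr_id].set(value)

    def get_attribute(self, internal_id: str, attr_id: str) -> Attribute:
        return self._users[internal_id][attr_id]

    @staticmethod
    def sector_of(rp_url: str) -> str:
        # The host of the relying party's URL; one host gets one pseudonym per user.
        return (urlparse(rp_url).hostname or rp_url).lower()

    def pairwise_id(self, internal_id: str, rp_url: str) -> str:
        sector = self.sector_of(rp_url)
        # NUL separator keeps sector and user id from being ambiguously concatenated.
        msg = f"{sector}\x00{internal_id}".encode()
        tag = hmac.new(self._pairwise_key, msg, hashlib.sha256).hexdigest()
        return f"https://idp.example/sub/{tag}"  # the identifier is itself a URL

    def release(self, internal_id: str, rp_url: str, requested: list) -> dict:
        """Minimal disclosure: the pseudonym plus only the attributes asked for."""
        attrs = self._users[internal_id]
        return {
            "sub": self.pairwise_id(internal_id, rp_url),
            "attributes": {a: attrs[a].current() for a in requested if a in attrs},
        }


if __name__ == "__main__":
    idp = IdentityProvider()
    idp.add_user("alice")  # constructed sample user
    email = "https://schema.example/attr/email"
    idp.set_attribute("alice", email, "alice@old.example")
    idp.set_attribute("alice", email, "alice@new.example")
    print(idp.release("alice", "https://shop.example/cb", [email]))
    print(idp.release("alice", "https://bank.example/cb", [email]))
    print(idp.get_attribute("alice", email).at_version(1))
```

Running it prints two different "sub" values for the same user at the two relying parties, and the same value again on any later call for the same host. Note what this does not give you: the identity provider itself still holds the global identifier and can correlate everything, which is exactly the gap the group signature approach in the technical requirements is meant to close.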
The private copy of it actually dates back to 2003.
It is kind of surprising that after 8 to 9 years we have not achieved much of this, though we are moving in that direction. At the time, I thought it would take only a few years to achieve, but I was awfully wrong. Was it because of a lack of suitable technology? I do not think so. SAML was under active development, ID-WSF was more or less done by 2005, and group signatures had been available for some time by then.
Then what was the cause for not achieving them?
I suppose it is the “status quo”. There is so much inertia in reality that even when it is obvious that we should change course, we often fail to do so.
In the Middle Ages, B.Y.O.S. (bring your own sword) changed everything.
Working on Digital Identity since 2000.
Co-author of various identity-related specifications such as OpenID Connect and JSON Web Token.
Chair of the OpenID Foundation (2011-).
Vice Chair of the OpenID Foundation (2010).
Founder of OpenID Foundation Japan (2008-).
Trustee of Kantara Initiative (2009-).