The Law of Identity in SSI Era by Kim Cameron

This has been long overdue. I should start blogging about what was discussed at SSI Day 2020 Miyazaki 1. The first of these posts is about the “Law of Identity in SSI Era” by Kim Cameron.

Many of you must have heard of his “The Laws of Identity” (2005). It was collaboratively written in 2004 in order to 1) show that privacy cannot be ignored and 2) prevent the emergence of invasive practices. The document subsequently became very influential in the identity community.

A couple of years ago he talked about it at the European Identity Conference, and at the Miyazaki meeting he explained it a bit further to the participants. This is a note from that session; it should serve its purpose until Kim blogs about the topic, at which time I will replace this entry with a link to his blog.

1. User Control and Consent

  • Helps secure the longevity of the identity system, since systems die if users do not like them
  • Based on the assumption that users will eventually come to understand the problems in the system

2. Minimal disclosure for a constrained use

  • Exchange only what is required for a specific purpose

3. Justifiable parties

  • To enable disintermediation: nobody should be involved in an identity transaction if there is no need for them to be present
  • Based on Microsoft’s early experience that enterprises did not want Microsoft in the middle of their relationships with other entities – a concern now largely shared towards other enterprises such as Amazon and Google

4. Directed identity

  • Supports both kinds of identifier: “omni-directional” identifiers for public entities such as, and “unidirectional” identifiers for private entities, such as Kim Cameron as a father
  • Prevents correlation – tracking across identifiers – through the use of pairwise identifiers
    • Privacy and security are tightly connected
  • The concept has been incorporated in the EU – in the European digital economy blueprint – and is a foundation of GDPR, but awareness of it is still needed in other countries
  • Key concept for SSI
    • A person is not a public entity for which you can put a single public identifier on a blockchain
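As an added illustration of the pairwise-identifier point (example code written for this note, not from Kim’s talk or any project), the derivation below keys a MAC with a holder-side secret so that each relying party receives a different identifier for the same person; the relying-party names and the secret are constructed assumptions:

```python
import hmac
import hashlib

# Constructed secret for this example only; a real holder (identity hub or IdP)
# generates one at random and never discloses it. Assumption, not from the post.
HOLDER_SECRET = b"constructed-demo-secret-do-not-reuse"


def pairwise_identifier(local_id: str, relying_party: str,
                        secret: bytes = HOLDER_SECRET) -> str:
    """Derive a unidirectional identifier for one (user, relying party) pair.

    HMAC-SHA256 keyed with the holder's secret over the pair. The value is
    stable for repeat visits to the same party, but two parties cannot link
    their identifiers for the same user without the secret.
    """
    # A zero byte separates the fields so ("ab","c") and ("a","bc") never collide.
    msg = local_id.encode("utf-8") + b"\x00" + relying_party.encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def linkable_users(ids_at_rp_a, ids_at_rp_b) -> int:
    """How many users two relying parties could correlate by matching
    identifier values alone (the tracking the law is meant to prevent)."""
    return len(set(ids_at_rp_a) & set(ids_at_rp_b))


def demo():
    """Compare an omni-directional identifier with directed (pairwise) ones."""
    users = ["alice", "bob", "carol"]
    # Omni-directional: the same identifier is handed to every party.
    omni_shop = list(users)
    omni_clinic = list(users)
    # Directed: each party sees an identifier derived for it alone.
    directed_shop = [pairwise_identifier(u, "shop.example") for u in users]
    directed_clinic = [pairwise_identifier(u, "clinic.example") for u in users]
    return (linkable_users(omni_shop, omni_clinic),
            linkable_users(directed_shop, directed_clinic))


if __name__ == "__main__":
    print(demo())  # (3, 0): every user linkable vs. none linkable
```

The holder can still recognise its own identifiers by recomputing the MAC, so the separation across contexts costs nothing on the user side.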

5. Standardized identity hub

  • Users can represent themselves and use their identity in a consistent manner across providers, while their identity remains separated across contexts at the same time
  • The same thing as an Identity Agent, in that it is ‘technology for the self’

6. Standardized DID for long-term identity stability

  • Needs to survive the bankruptcy of identity operators and retain relationships with services
    • Store personal data in a way that does not depend on the operators
    • Standardization at the data layer, key formats, etc.
  • Public blockchains may serve the purpose because they are not controlled by a single entity
    • Do not put identifiers on the blockchain
    • Use the blockchain as storage that organizes the pieces of software holding personal information

7. Human integration

  • Technologists need to be aware that users are a part of the system, and the system must be designed according to user needs, not tech needs
    • E.g. no more long, complicated passwords


  1. 2020-01-27 at Sheraton Miyazaki
