It’s just hitting home, how important and fundamental to our way of life that these Laws exist and are adhered to by all. As a Software Developer, I have followed many of the Laws of Identity when implementing products without consciously knowing them or thinking about why I do.
Here’s my thoughts on the Laws
- User Control and Consent
The first law states that a User must have Control of which Identity is used when communicating with a system and must give consent to use an Identity. This seems obvious but it becomes apparent that even Windows tends to inadvertently violate this Law with it’s NT authentication (which automatically proffers up the NT Username to any requesting application or network resource without the user knowing). Perhaps Windows Vista is heading towards resolving this issue? I somehow doubt it…
Although there have been implementations where their not bending this law slightly has lead to an impossibly annoying implementation, an example being the security fix to Outlook which requires a user to "Allow access for 1 Minute" to Outlook (anyone who’s used MS Project with Outlook will know what I’m talking about)
- Minimal Disclosure for a Constrained Use
Even I’ve violated this one a couple of times, but not to a major extent, perhaps collecting Mobile Phone numbers in a web site when it wasn’t necessary. Some websites violate this so badly and it leads to fake data being provided. If a web site asks for my birth date I give it a fake one, just because I don’t trust them.
- Justifiable Parties
I was considering going with Passport for one of our applications not too long ago, it now seems that this would have an adverse effect on the perception of security of our application. Despite the obvious usability improvement of a unified identity, I’m not sure that if I was a user that I would understand what MSN was doing in between this application and me, if MSN knows I’m logging in, what else do they know?
- Directed Identity
This states that some identities should be able to be used anywhere, and some are only for a particular system and no other. I wish this law was stated to the people who designed Bluetooth technology. That has to be the most fundamental violation of this Law ever. And everyone from the average Mobile phone user, to the person driving their Bluetooth enabled Car is suffering because of the lack of thinking going into it’s design.
- Pluralism of Operators and Technologies
This is obvious I suppose, every system works differently and therefore has different requirements.
- Human Integration
This Law addresses something I’ve felt quite strongly about for many years, that we can secure the channel from my computer to the server in another country 100 times better than we can secure the channel from the computer to the person sitting in front of it. It reminds me of episode of The Simpson’s where Burn’s accesses a "secure" part of his Nuclear reactor by having to pass through an Eye Scan, Face Scan, Voice Scan, Hand Scan, several solid steel doors only to kick a stray cat out the fly screen back door, swinging open in the breeze. I remember years and years ago in high school having devices that would sniff keyboard strokes and log them so that we could steal the teachers passwords. This doesn’t even address the issue of, the computer not knowing if it’s really me sitting there at the keyboard. Biometric fingerprint readers will help but I think it’s only the tip of the iceberg.
- Consistent Experience Across Contexts
This has to be one of the most difficult problems to solve, but the most beneficial for everyone. Users will find it easier to use an Identity, not having go through their short list of usernames and passwords. Users will trust web sites and feel comfortable providing their private data to the appropriate systems which increases usage of those systems.
One question lingers for me which is even with all of this it doesn’t address the "how do I know I can trust you" issue for users. Regardless of whether I can prove I’m purchasing my book from Amazon.com, how do I know I can trust Amazon.com to keep my information private and secure. A classic example of this issue is the 500,000 credit card numbers that were "lost" by couriers transporting a data backup tape. How do we really know that the system is backed up by proper and secure procedures, and that our data is not being misused?
Unfortunately that one is an even bigger challenge to deal with.