This article on Authentication and Identity Management from 2002 explores some of the policy considerations surrounding online identity that are only today coming to a head with new initiatives like NSTIC. The above illustration is excerpted from the article. This post explores one mechanism for appropriately architecting a system that supports and reflects the identity of individual citizens by creating a protected “Core-ID” that may be used to enable privacy and personalization in a user-controlled and secure manner.
I have recently become acquainted with the ground-breaking work of the Open Group’s Jericho Forum, which has published its Identity Commandments, prominently featuring the best description of principles that could underlie a Core-ID that I’ve yet seen. For more context on the concept of a Core-ID, I commend the Jericho Forum’s work as background.
The primary issues surrounding the notion of a Core-ID are business, legal and public policy oriented. Under what rules and expectations would a Core-ID be hosted, and what rights and obligations would the person who has a Core-ID undertake vis-a-vis those that host, rely upon, link down-stream personae to, or otherwise interact with that Core-ID? Who would be considered the entity that “owns” the Core-ID of a person? How could a person “port” their Core-ID from one hosting provider to another? How could a Core-ID be linked or de-linked from a Persona, and how could a Persona be linked or de-linked from a number of accounts on various external systems (i.e. the clusters of accounts on employee, ecommerce and other systems noted in the illustration above)? These softer legal and policy questions are key to fully understanding what a Core-ID could be, the problems and prospects for its implementation in a broader Identity Ecosystem, and the practical technologies and business models that could enable the concept.
From a technical perspective, what could a “Core ID” be composed of? A single identifier that is globally unique would certainly suffice. However, if one assumes that a “lowest common denominator” identity could be hosted by more than one entity and possibly under more than one set of processes, practices, procedures and domain-specific factors, then it may be useful to assume a small set of identifiers that together create the Core-ID. The distinction between an “identity” and an “attribute” (aka “identity attribute”) is unsettled and different definitions abound today, but for purposes of presenting this concept, the term attribute is used to describe the component identifiers that combine to create a unique identifier serving as a person’s “Core-ID”.
Below is a model for the concept of a Core ID – the irreducible attributes of identity of a single individual human being.
This SLIDE PRESENTATION describes the concept of Core Identity (sometimes called “Root Identity”) and shows some other “Identity Maps” as examples.
This model was offered as part of the January 12, 2012 meetings in DC of the American Bar Association’s Federated Identity Management Legal Task Force.
This poster [click to download: SmartCities-eCitizen-Poster-5] was presented several years ago by my research group at MIT, called “the eCitizen Architecture Program” (ECAP), and describes some aspects of what Core-ID could be and how it could work. When I started ECAP, the acronym stood for the eCommerce Architecture Project, but over the years it became evident that the eCitizen – which I used to mean a human being operating online (e.g. via the Internet or other networks) – is the key element of any digital architecture. The concept of Core-ID was a method to describe how the individual person could be identified and yet maintain their autonomy, privacy and, when needed, anonymity or use of an alias. The general architecture assumes that very public “personae” are the touch points with most websites and other services, but that behind those personae identities resides the Core-ID, held in a protected and user-controlled manner.
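The personae-in-front, Core-ID-behind architecture described above, as an added Python model (this is example code, not ECAP’s or the Jericho Forum’s): the Core-ID is the canonical combination of a few component attributes, each persona and each per-site account identifier is derived from a secret that stays in the protected core, so no external system learns the Core-ID or can correlate two personae, and de-linking a persona is a key rotation that orphans its old accounts. The class name, the attribute set and the derivation labels are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class CoreId:
    """Illustrative model of a Core-ID: a small set of irreducible attributes
    combined into one identifier, kept behind a secret the person controls.
    Assumption of this example, not a specification from the post."""

    def __init__(self, attributes, master_key=None):
        # Canonical, order-independent combination of the component attributes.
        canon = "\n".join(f"{k}={attributes[k]}" for k in sorted(attributes))
        self.core_id = hashlib.sha256(canon.encode()).hexdigest()
        # Secret held only in the protected core; never sent to a persona or site.
        self.master_key = master_key or secrets.token_bytes(32)
        self.epoch = {}  # persona name -> number of times it has been de-linked

    def _persona_key(self, name):
        # Per-persona key derived from the core secret; rotating the epoch de-links it.
        n = self.epoch.get(name, 0)
        return hmac.new(self.master_key, f"persona:{name}:{n}".encode(), "sha256").digest()

    def persona_id(self, name):
        """Public persona identifier; reveals nothing about core_id or other personae."""
        return hmac.new(self._persona_key(name), b"persona-id", "sha256").hexdigest()

    def account_id(self, name, site):
        """Pairwise identifier used at one external system under one persona, so two
        sites cannot match their accounts without the persona key."""
        return hmac.new(self._persona_key(name), f"site:{site}".encode(), "sha256").hexdigest()

    def is_linked(self, name, site, account):
        """Only the holder of the core secret can confirm an account belongs to a persona."""
        return hmac.compare_digest(self.account_id(name, site), account)

    def delink(self, name):
        """De-link a persona: it gets fresh identifiers and its old accounts no longer match."""
        self.epoch[name] = self.epoch.get(name, 0) + 1


# Constructed sample attributes; the values are not real.
SAMPLE = CoreId({"given_name": "Alex", "birth_date": "1980-01-01", "birth_place": "Boston"})

if __name__ == "__main__":
    shop = SAMPLE.account_id("shopping", "store-a")
    print("shopping persona:", SAMPLE.persona_id("shopping"))
    print("work persona:    ", SAMPLE.persona_id("work"))
    print("store-a account linked:", SAMPLE.is_linked("shopping", "store-a", shop))
    SAMPLE.delink("shopping")
    print("still linked after de-link:", SAMPLE.is_linked("shopping", "store-a", shop))
```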
Here is a video segment about Online Identity from a video series I produced from the MIT Media Lab in 2007/2008 – this link goes directly to time mark 2:22, with Bill Mitchell discussing how physical architecture once enabled and protected Core Identity zones and framing a discussion of how cyberspace could use information architecture to ensure a Core Identity can be owned, controlled and managed in the first instance by the person identified. The video is embedded below:
Here is an interesting take by my friend Mark Dixon from 2011 on the relationship between attributes and identity – from a decidedly enterprise perspective. And here is a little video we did exploring some of the dimensions of Core Identity. The video is embedded below:
Update, April 17, 2012: The concept of “Limited Liability Personae” is, generally, very consistent with the approach of using a Core ID and multiple Personae for different purposes. These posts describe the concept more fully:
Bob Blakely (referencing Jim Harper) on: November 17, 2006 “The Limited Liability Persona”
Drummond Reed (referencing Jamie Lewis, who referenced Mike Neuenschwander & Lori Rowland of the Burton Group) on: September 9, 2006, The Limited Liability Persona (LLP)
Kaliya – Identity Woman (discussing the concept of LLC Persona relative to Google+ Prohibition on Use of Pseudonyms): July 31, 2011, Google+ and my “real” name: Yes, I’m Identity Woman
Nat Sakimura (referencing a talk by Mike Neuenschwander at the European Identity and Cloud Conference): April 17, 2012, Trust as a protocol, and limited liability persona