Last month saw the publication of yet another definitive set of rules, laws or whatever you like to call them for this elusive identity meta system or identity eco system we all like to dream about; a lot of us talk and blog about; and only very few of us seem to be actually in the process of building.
I wondered if this latest set of identity commandments from the Jericho Forum added any new insights or critical success factors for ‘would be’ Identity Providers(IdP).
I wondered if similar exercises by governments or supra-national organisations added any value or if they just use legalese terms to preach exactly the same gospel. Are such directives complementary or perhaps incompatible? So here is a list of what I looked at:
- The Laws of Identity , Kim Cameron and others 05/11/2005.
- The EU Commission’s communication about a new comprehensive approach on personal data protection in the European Union, Brussels, 04/11/2010.
- The Fair Information Practice Principles (FIPPs) as highlighted once more
in the US National Strategy for Trusted Identities in Cyberspace (NSTIC), April 2011.
- The JerichoForum Identity, Entitlement & Access Management Commandments (IdEA), May 2011.
Please let me know if I missed a more important set of rules. I would be especially interested in reading similar documents from the non-western world. It seems there are some universal laws most of us can agree on, unless maybe you are one of the few tin pot dictators or communist regimes that are still left after recent ‘spring’ uprisings and like.
The following table tries to highlight the corresponding principles from the above mentioned documents and point towards broad agreement and common language used.
Studying the above table reaffirms my impression that at least the civil servants and private sector staff that have contributed to the above documents seem to have attended the same Identity Management and Privacy conferences and picked up the same buzz words. But the commercial organisations building the actual identity eco system, do they actually pay attention to these lofty data protection and privacy principles, or do they pay a mere lip service to them while in fact often doing the opposite?
The most sinned against identity law and privacy principle is probably that of minimal disclosure of Personally Identifiable Information (PII) for a constrained use. In a previous blog post I cited the case of janrain and the increasing popularity of the NASCAR approach of social network logins. The sucking dry by Relying Party (RP) web sites of the unsuspecting FaceBook users’ profiles at the first opportunity is probably a relic of the past when similarly 80% of the registration attributes required for a new account on any service provider web site seemed to offer no other business justification than collecting as much ‘nice to have’ user marketing information as possible. The cheeky ‘what income bracket are you in’ question will be familiar to most of us and if given a chance we all probably have deliberately ticked the wrong box meaning to say:”none of your business!”
A second observation that I made from studying these lofty ideals side by side is that the Laws of Identity and the Jericho Commandments seem to be much more radical and uncompromising in its proscriptive language of do’s and don’t or must and mustn’t than some of the public sector directives. It seems that in the case of the EU and US government documents for example, the lobbyist working for multi national firms have been very successful in making sure self-regulation gets a chance before onerous laws are passed, whereas the ‘Jericho Commandments’ have been drawn up by ‘dyed in the wool’ Chief Information Security Officers from companies that take security very serious indeed. Just like it is the lobbyists aim to take the bite out of privacy legislation by removing as many teeth as possible, these industry security experts know full well that fuzzily worded security policies are just an opportunity to ignore or circumvent them.
The more I study the new Jericho Commandments, the more I start to appreciate the document as a very useful new blueprint for success and one that perhaps can be put more easily and directly into practice than other more ‘high level’ and loftier missives.
The document is mercifully short (4 pages), but precise and to the point. What is nice is that it starts to make a link between Identity Management and Entitlement Management. These are after all two sides of the same coin.
The Jericho Commandments can easily be represented in a diagram visualising the relationships between the various components of the identity meta system. Below is my own attempt at this. The blue lines represent one way links (or a one way trust) in a relational data base implementation, or if you prefer an LDAP directory, you could represent the same as an inverted tree from the Core root Identity down, a root that must never be disclosed or compromised.
The dotted lines below represent contextual trust; for example linkage to government issued attributes / identifiers which the receiving Relying Party (RP) can validate with a relevant attribute provider using their trust relationship with that provider. The OASIS SAML and WS-* family of web service standards, provide ways by which such trust relationships can be technically implemented using attribute queries.
So in conclusion: What I like about the Jericho Identity Commandments is that they provide potential Identity Providers (IDP) with a real benchmark to test what engineers have actually built in reality from what may have started as a lofty and ideal design.