On Thursday evening I attended an event hosted by Oracle in London – “Information Security and ID Management Strategies” – as part of their architect’s club (the first I’d attended).
Apart from being an excellent networking opportunity (to which I stupidly forgot to take business cards!) there were a couple of excellent speeches from John Madelin (formerly of RSA, but who now works for BT) and Des Powley (of Oracle), before a rigorous Q&A session. Madelin’s presentation was a very “blue skies” look at identity federations and how that will change with the increasing connectedness of our world – one thing that was very significant was the use of the word “fragments” to describe the separate parts of one’s identity. We increasingly find that those fragments are being pieced together to allow others to see a whole that in many cases the owner of an identity themselves cannot view.
The Q&A session introduced Toby Stevens (along with the other speakers) and the questions came forth from a surprisingly willing audience! First and foremost on people’s minds when the word identity is used seems to be that of ID cards, but what I think becomes very clear is that these are merely representational of the process of de-fragmenting identity, but on a large scale, in the current guise. Identity on a national scale should be about enabling, not just access control (which tends to be the focus of corporate identity projects) and there needs to be part of that focusing on privacy aspects – it’s not desirable to have everyone knowing everyone’s business! There were some wonderful examples given of where privacy is paramount, but where individuals require access to services (therefore the system must adhere to Law 2 of Kim Cameron’s Laws of Identity, disclosing the least amount of data required). This is very much at odds with most people’s concept of an ID card – and certainly at odds with what the Government is proposing (the idea of allowing privately owned stores to read data from a card when a purchase is made is ludicrous!).
Right at the very end of the session, the question was raised of how the concept of roles fits into this, but unfortunately the discussion was brought to a close… My own take on this is that identity is best dealt with in classes (or roles) of individuals – a good (my favourite) example of this is the case of a person wishing to buy beer. The thing that the bar tender requires is NOT proof of age, but merely that the person presenting the card is over the age of eighteen, presumably verified by a trusted third party (of course there must be some authentication method present; I’d expect a visual one would be adequate for this!). In this parlance the bar habitué needs to belong to the role of “Over 18s”, but no other data are released during the transaction – using current identification methods data are leaked (a driving licence contains an address, DOB, endorsements etc.). This convergence of roles into the wider identity space is something I think should be explored further.
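As an added illustration (my sketch, not anything presented at the event or taken from the original post), here is how the “Over 18s” role check could work in code. A trusted third party that holds the raw data (DOB, address, endorsements) derives the role membership, then issues a credential containing only salted digests of each claim under one signature. The holder later reveals just the “over_18” claim and its salt; the bar verifies the signature and the digest and learns nothing else. This is the mechanism behind selective-disclosure credentials such as SD-JWT. Assumptions: the issuer name, the claim names and the sample patron are all constructed, and an HMAC key shared between issuer and verifier stands in for the issuer’s public-key signature so the example runs on the Python standard library alone.

```python
"""Minimal-disclosure "Over 18" role claim (added example, not from the post).

ASSUMPTION: HMAC under a key shared by issuer and verifier stands in for a
public-key signature (e.g. Ed25519) so this runs with the standard library.
"""
import hashlib
import hmac
import json
import secrets
from datetime import date

# ASSUMPTION: constructed issuer key and name; a real issuer would hold a key pair.
ISSUER_KEY = secrets.token_bytes(32)
ISSUER_ID = "example-age-attestation-service"


def _canonical(obj) -> bytes:
    """Deterministic JSON so issuer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _claim_digest(salt: str, name: str, value) -> str:
    """Salted commitment to one (name, value) claim; the salt hides low-entropy values."""
    return hashlib.sha256(_canonical([salt, name, value])).hexdigest()


def derive_roles(dob_iso: str, today_iso: str) -> dict:
    """Issuer turns raw data it holds (DOB) into role memberships (the "Over 18s" role)."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return {"over_18": age >= 18}


def issue_credential(issuer_key: bytes, claims: dict):
    """Return (signed credential, private disclosures).

    The credential carries only sorted salted digests, so it reveals neither
    the claim values nor how many claims map to which digest.
    """
    disclosures = {name: {"salt": secrets.token_hex(16), "value": value}
                   for name, value in claims.items()}
    digests = sorted(_claim_digest(d["salt"], n, d["value"]) for n, d in disclosures.items())
    payload = {"iss": ISSUER_ID, "digests": digests}
    sig = hmac.new(issuer_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential: dict, disclosures: dict, reveal) -> dict:
    """Holder builds a presentation that opens only the named claims."""
    return {"credential": credential,
            "disclosed": {name: disclosures[name] for name in reveal}}


def verify_presentation(issuer_key: bytes, presentation: dict, required: dict):
    """Verifier (the bar) checks the issuer signature, then that every opened
    claim really belongs to the signed credential, then the required values.

    Returns (accepted, revealed_claims); revealed_claims is exactly what the
    verifier learned, so it should contain nothing beyond `required`.
    """
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, _canonical(cred["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return False, {}
    digests = set(cred["payload"]["digests"])
    revealed = {}
    for name, d in presentation["disclosed"].items():
        if _claim_digest(d["salt"], name, d["value"]) not in digests:
            return False, {}  # opened claim was not signed by the issuer
        revealed[name] = d["value"]
    for name, want in required.items():
        if revealed.get(name) != want:
            return False, revealed
    return True, revealed


def demo_bar_check():
    """Full walk-through with a constructed patron; returns what the bar learned."""
    today = "2006-11-14"
    raw = {"name": "A. Patron", "dob": "1980-05-01",
           "address": "1 High Street", "endorsements": []}
    claims = {**raw, **derive_roles(raw["dob"], today)}
    cred, disclosures = issue_credential(ISSUER_KEY, claims)
    presentation = present(cred, disclosures, ["over_18"])  # DOB and address stay home
    return verify_presentation(ISSUER_KEY, presentation, {"over_18": True})


if __name__ == "__main__":
    print(demo_bar_check())
```

The point of the digest layout is that the verifier’s view is the single role bit it asked for; a holder who tries to alter an opened value, or to present a disclosure from a different credential, fails the digest check, and a forged credential fails the signature check. The visual authentication the post mentions (is this card really yours?) is a separate binding step that this sketch deliberately leaves out.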
Perhaps the best thing to come out of the event was a realisation by some of my more sceptical colleagues that privacy IS important after all, and that bodes well for persuading the general public.
Addendum (14/11/06 @ 00:28): Paul Toal was also there.