Last week I wrote an introduction to the Jericho Forum Identity Commandments. The last sentence talked about ‘core identity’ and privacy, and we will explore these a little more.
There is a lot of confusion around identity and what it means. As with ‘virtualisation’ and ‘cloud’, identity means something to everyone, but not necessarily the same thing. The first problem, then, is to define terms.
The Jericho Identity Commandments define ‘core identity’ as "a unique physical, biological or digital entity, which has exclusive use of the associated core identifier and understands the linkage to any associated persona." What this really refers to is ‘you’, your ‘id’ or however you want to identify yourself. You can then have various flavours of ‘you’, such as when you are at work, or when you are at home - these are your personas.
When you are at work, you may have a different name from when you are at home, for example using a maiden name for one and a married name for another. Each persona has a set of attributes (characteristics) which creates uniqueness in that context, the core identifier.
Think of your email addresses: they all refer to you but are all used for different purposes. In theory, you know all the email addresses that refer to you, but others may not, and you cannot necessarily deduce one from the other. This is very important and related to the first commandment: "all core identities must be protected to ensure their secrecy and integrity."
Core identifiers must never need to be disclosed and are uniquely and verifiably connected with the related entity.
Core identifiers must have a verifiable level of confidence.
Core identifiers must only be connected to a persona via a one-way linkage (one-way trust).
An Entity has primacy over all the identities and activities of its personae.
Entities must never be compelled to reveal a persona, or that two (or more) persona are linked to the same core identity.
The goal here is to enable and allow individuals to be individuals and to have control over their various personas. So, there is no electronic ‘super-identity’ that all the other identifiers and personas are keyed off; I am not a number... If you want to keep one part of your life private, then you are able to do so.
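One way to realise the one-way linkage between a core identifier and its personas, shown as an added example that is not part of the Jericho Forum text: each persona identifier is derived with HMAC-SHA256 keyed by a secret core identifier. The function names and the "work" and "home" context labels are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def new_core_identifier() -> bytes:
    """Generate a random 256-bit core identifier; it never leaves the entity."""
    return secrets.token_bytes(32)


def persona_identifier(core_id: bytes, context: str) -> str:
    """Derive the identifier for one persona from the core identifier.

    HMAC-SHA256 keyed with the core identifier is one-way: the output
    reveals neither the key nor the output for any other context.
    """
    return hmac.new(core_id, context.encode("utf-8"), hashlib.sha256).hexdigest()


def entity_confirms_linkage(core_id: bytes, context: str, claimed: str) -> bool:
    """Only the holder of the core identifier can recompute the linkage."""
    return hmac.compare_digest(persona_identifier(core_id, context), claimed)


def demo() -> dict:
    core = new_core_identifier()
    work = persona_identifier(core, "work")   # constructed context labels
    home = persona_identifier(core, "home")
    other = new_core_identifier()             # a different entity
    return {
        "work": work,
        "home": home,
        "stable": work == persona_identifier(core, "work"),
        "distinct": work != home,
        "owner_confirms": entity_confirms_linkage(core, "home", home),
        "stranger_confirms": entity_confirms_linkage(other, "home", home),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A relying party that sees only the "work" and "home" values has nothing that ties them together; the entity can choose to confirm a linkage, but nobody else can compute it.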
The core identity can also refer to a ‘thing’, such as a mobile phone with its SIM card and IMEI number. While this is not strictly in line with the first commandment because the IMEI number is known to others (and so could be impersonated), it is pretty good and so is useful in determining the phone really is the phone (i.e. the telephone number is significantly less secure than the IMEI). So, put together you, your phone and some password information, and you have a good way to verify that it’s really you.
OK, so that is happening already, but it will become even more common. Imagine using your phone as the physical access device for work, or as part of the logon process when you are there.
Technology is evolving extremely rapidly, as are ways of working and socialising, and strong, reliable identity is the key to it all.
Guy Bunker, Jericho Forum board member