When would a unique identifier not be required?
Does an identity have to have a unique identifier?
Security: Identity Management Alert
By Dave Kearns, Network World, 06/01/2005
Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
Does an identity have to be unique? I think we'll get little argument if we claim that, within a given context, an identity
(that is, some distinguishable object) must have a unique identifier. Without one, there's no way to refer to the object.
For a human organism, the unique identifier is a DNA sequence plus a fingerprint (the fingerprint is needed to differentiate
between identical twins, who share a DNA sequence). For a user in an LDAP-style directory, a username (the relative distinguished
name) that is unique within its container (the OU, or organizational unit) is a requirement. But even two seemingly identical
drinking glasses sitting on my desk can be given unique identifiers within the context of the desk: one is on the left, one on
the right; one is next to the keyboard, one is nearer the mouse; one is full, one is empty. This may seem a trivial case, but
without an unambiguous identifier (i.e., one unique within the context) it's impossible to talk about the object.
My friend Kim Cameron, Microsoft's identity architect, did pose an example of a context in which a unique identity wasn't
required (http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.doc , page 5):
He writes: "... consider the relationship between a company like Microsoft and an analyst service that we will call Contoso
Analytics. Let's suppose Microsoft contracts with Contoso Analytics so anyone from Microsoft can read its reports on industry
trends. Let's suppose also that Microsoft doesn't want Contoso Analytics to know exactly who at Microsoft has what interests
or reads what reports.
"In this scenario we actually do not want to employ unique individual identifiers as digital identities. Contoso Analytics
still needs a way to ensure that only valid customers get to its reports. But in this example, digital identity would best
be expressed by a very limited claim - the claim that the digital subject currently accessing the site is some Microsoft employee.
Our claims-based approach succeeds in this regard. It permits one digital subject (Microsoft Corporation) to assert things
about another digital subject without using any unique identifier."
But within the context of Contoso Analytics, the object "Microsoft" has a unique identity, and as far as this context is concerned,
the persons posing as (or acting on behalf of, if you prefer) Microsoft have no standing at all: they aren't objectified,
so there's no need for them to be identified. However, in the context of "Microsoft" there is a uniquely identifiable object
for each person, and each of these objects is granted the role of "Contoso client" with the identity of "Microsoft". The unique
identifier hasn't disappeared; it has simply stayed on Microsoft's side of the boundary.
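The arrangement Cameron describes, read the way this column reads it, can be shown in code: the issuer (Microsoft) identifies the person uniquely in its own directory and checks the "Contoso client" role, then emits a token whose only claim is "some Microsoft employee"; the relying party (Contoso) verifies the token and never sees a subject identifier. This is an added example written for this page, not code from the column, from Cameron's paper, or from any Microsoft or Contoso system. The directory table and the shared secret are constructed for illustration, and the token format is a minimal HMAC-signed JSON payload rather than any real token standard; a real deployment would sign with the issuer's private key so the relying party could verify but not mint tokens.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: a secret shared between the issuer (Microsoft) and the relying
# party (Contoso Analytics). HMAC keeps this example dependency-free; an
# asymmetric signature would stop Contoso from forging its own tokens.
SHARED_SECRET = b"example-shared-secret-not-for-production"

# Constructed, hypothetical issuer-side directory. Inside Microsoft every
# person is a uniquely identified object (the username), and some of those
# objects hold the role "Contoso client".
ISSUER_DIRECTORY = {
    "alice": {"employee", "contoso_client"},
    "bob": {"employee"},
    "carol": {"contractor"},
}

ISSUER = "microsoft"
AUDIENCE = "contoso-analytics"
EMPLOYEE_CLAIM = "microsoft-employee"

# Claim names that would tie a token to one individual; a token meant to say
# only "some Microsoft employee" must carry none of them.
IDENTIFYING_KEYS = {"sub", "upn", "email", "employee_id", "name"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_token(username: str, *, secret: bytes = SHARED_SECRET,
                ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Issuer side: the person is uniquely identified here, but the token that
    leaves the building carries only the claim 'some Microsoft employee'."""
    roles = ISSUER_DIRECTORY.get(username)
    if roles is None or "contoso_client" not in roles:
        raise PermissionError(f"{username!r} does not hold the Contoso client role")
    now = int(time.time()) if now is None else now
    claims = {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "claim": EMPLOYEE_CLAIM,
        "iat": now,
        "exp": now + ttl_seconds,
        # Fresh random value per issuance so two tokens for the same person are
        # not linkable by Contoso; deliberately NOT derived from the username.
        "nonce": secrets.token_hex(8),
    }
    payload = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
    tag = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_token(token: str, *, secret: bytes = SHARED_SECRET,
                 now: Optional[int] = None) -> Optional[dict]:
    """Relying-party side: Contoso learns only that the bearer is a Microsoft
    employee; there is no subject identifier to look up or record."""
    try:
        payload, tag = token.split(".", 1)
        expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # bad base64, bad JSON, or no '.' separator
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if claims.get("claim") != EMPLOYEE_CLAIM or claims.get("exp", 0) < now:
        return None
    return claims


def reveals_individual(claims: dict) -> bool:
    """Policy check for the relying party: does this claim set name a person?"""
    return bool(IDENTIFYING_KEYS & set(claims))


if __name__ == "__main__":
    token = issue_token("alice")
    print(verify_token(token))
```

Two properties fall out of the structure. First, "alice" appears nowhere in the token: Contoso can check the signature, audience, and expiry, but has nothing to correlate across visits because each issuance carries a fresh nonce. Second, the price of that anonymity is that the token is a pure bearer credential; if an employee forwards it, Contoso cannot tell, which is why the expiry is short and why the issuer, not Contoso, is the place to audit who requested a token and when.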
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.