The foundation for security and enterprise management
Does an identity have to be unique? I think we'll get little argument if we claim that, within a given context, an identity (that is, some distinguishable object) must have a unique identifier. Without one, there's no way to refer to the object.
For a human organism, the unique identifier is a DNA sequence and a fingerprint (the fingerprint is needed to differentiate between identical twins). For a user in an LDAP-style directory, a username that is unique within its container (the OU, or organizational unit) is a requirement. But even two seemingly identical drinking glasses sitting on my desk can be given unique identifiers within the context of the desk: one is on the left, one on the right; one is next to the keyboard, one is nearer the mouse; one is full, one is empty. This may seem a trivial case, but without an unambiguous identifier (i.e., one unique within the context) it's impossible to talk about the object.
My friend Kim Cameron, Microsoft's identity architect, did pose an example of a context in which a unique identity wasn't required (http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.doc, page 5):
He writes: "... consider the relationship between a company like Microsoft and an analyst service that we will call Contoso Analytics. Let's suppose Microsoft contracts with Contoso Analytics so anyone from Microsoft can read its reports on industry trends. Let's suppose also that Microsoft doesn't want Contoso Analytics to know exactly who at Microsoft has what interests or reads what reports.
"In this scenario we actually do not want to employ unique individual identifiers as digital identities. Contoso Analytics still needs a way to ensure that only valid customers get to its reports. But in this example, digital identity would best be expressed by a very limited claim - the claim that the digital subject currently accessing the site is some Microsoft employee. Our claims-based approach succeeds in this regard. It permits one digital subject (Microsoft Corporation) to assert things about another digital subject without using any unique identifier."
But within the context of Contoso Analytics, the object "Microsoft" has a unique identity, and as far as this context is concerned, the persons posing as (or acting on behalf of, if you prefer) Microsoft have no standing at all - they aren't objectified, so there's no need for them to be identified. However, in the context of "Microsoft" there is an object uniquely identifiable for each person, and each of these objects is granted the role of "Contoso client" with the identity of "Microsoft".
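As an added illustration of the two contexts just described (this sketch is not from the column or from Cameron's paper), the Python below models Microsoft as the issuer and Contoso Analytics as the relying party: inside Microsoft each person has a unique directory name and an audit record, while the claim handed across the boundary says only "some Microsoft employee". The directory entries, the shared HMAC key and the claim names are constructed assumptions; a real deployment would use a proper signature rather than a shared secret.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed: Microsoft's own context, usernames unique within their OU.
MICROSOFT_DIRECTORY = {"ou=analysts,o=microsoft": {"alice", "bob"}}
# Constructed: key shared between issuer (Microsoft) and relying party (Contoso).
CONTOSO_KEY = b"constructed-shared-secret"
# The only fields a token may carry; none of them names an individual.
ALLOWED_CLAIMS = {"iss", "claim", "exp", "nonce"}

def issue_contoso_token(username, ou, now=None):
    """Microsoft side. The person is uniquely identified here (and audited here),
    but the token that leaves this context carries only the group-level claim."""
    if username not in MICROSOFT_DIRECTORY.get(ou, set()):
        raise PermissionError("unknown user in this context")
    now = int(time.time()) if now is None else now
    claims = {"iss": "Microsoft", "claim": "employee",
              "exp": now + 300, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(CONTOSO_KEY, body.encode(), hashlib.sha256).hexdigest()
    audit = {"dn": f"uid={username},{ou}", "issued": now, "nonce": claims["nonce"]}
    return f"{body}.{sig}", audit   # audit record stays inside Microsoft

def contoso_verify(token, now=None):
    """Contoso side. Accepts any unexpired, correctly signed Microsoft employee
    claim; it never learns which employee is asking."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(CONTOSO_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = int(time.time()) if now is None else now
    return (claims.get("iss") == "Microsoft" and claims.get("claim") == "employee"
            and claims.get("exp", 0) > now)

def token_identifies_user(token, usernames):
    """Privacy check: True if the token body carries any unexpected field or
    mentions any of the given usernames."""
    claims = json.loads(base64.urlsafe_b64decode(token.split(".")[0]))
    return bool(set(claims) - ALLOWED_CLAIMS) or any(
        u in json.dumps(claims) for u in usernames)
```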
Context is extremely important to identity; it is a necessary component of identity and it's absolutely essential that we realize the context in which a given identity exists and that the identity has a unique identifier within that contextual system. Ignore this at your own risk.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.