The three laws of identity

* Microsoft directory guru carves out the three laws of identity

If Kim Cameron, Microsoft's architect of directory services, had been a physicist, there might be one or two fewer buildings in Redmond today, and more holes in the ground - or maybe the world would be a lot better off.

Once Cameron starts to poke around in his "lab," the consequences can be fantastic, fabulous or merely infamous. For instance, he freely admits that he thought Microsoft's Passport/Hailstorm initiative was a mistake: "It was clear to me from day one that Passport was not going to become a universal identity system," is how he put it. And Cameron does know a thing or two about identity systems - he's the éminence grise of Microsoft Identity Integration Server (MIIS) - the Identity Information Service, a.k.a. the metadirectory.

A couple of weeks ago, I pointed you towards his new Weblog, although the URL changed almost immediately (it's now What I didn't know at the time was what Cameron hoped to do with the blog.

Turns out, he wants to be the Isaac Asimov of identity.

You'll remember, I trust, that in the book "I, Robot" Asimov proposed the three laws of robotics ( So revered was the author, and so logical the laws, that most subsequent writers of fiction containing robots observe them as if they were handed down on stone tablets. Cameron has now proposed the Three Laws of Identity (Note that Cameron is, um, "organizationally challenged" so following the discussion of the three laws on his Web site is a good exercise in data searching). His three laws are summarized as:

1. Technical identity systems must only reveal information identifying a user with the user's consent.

2. The solution which discloses the least identifying information is the most stable, long-term solution.

3. Technical identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
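To make the three laws concrete, here is an added example (my own illustration, not code from Cameron or from MIIS) of a claims-release filter an identity provider might apply: a registry of parties with a stated purpose stands in for law 3, the purpose's minimum claim set enforces law 2, and a per-party consent record gates law 1. The party names, user record and consent data are constructed.

```python
from datetime import date

# Constructed registry (law 3): parties with a justified place in the relationship,
# and the minimum claim set their stated purpose requires (law 2).
REGISTERED_PARTIES = {
    "shop.example": {"purpose": "age check", "needs": {"over_18"}},
    "bank.example": {"purpose": "account opening", "needs": {"name", "dob"}},
}

# Constructed user record; "over_18" is derived below so a shop never sees the birth date.
USER_CLAIMS = {"name": "A. Person", "dob": date(1980, 5, 1), "email": "a@example.org"}

# Constructed consent record (law 1): claims this user has agreed to release, per party.
CONSENT = {"shop.example": {"over_18"}, "bank.example": {"name"}}


class ReleaseDenied(Exception):
    """Raised when the requesting party has no justified place in the relationship."""


def derive_claims(claims, today=date(2004, 1, 1)):
    """Add minimal derived claims so a yes/no answer can stand in for raw data."""
    out = dict(claims)
    if "dob" in claims:
        dob = claims["dob"]
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        out["over_18"] = age >= 18
    return out


def release_claims(party, requested, claims=USER_CLAIMS, consent=CONSENT,
                   registry=REGISTERED_PARTIES):
    """Return (released, pending): what may be disclosed to `party` now, and which
    needed claims are still waiting on the user's consent."""
    if party not in registry:                               # law 3: unjustified party
        raise ReleaseDenied(f"{party} has no registered purpose")
    minimal = set(requested) & registry[party]["needs"]    # law 2: drop over-asking
    allowed = consent.get(party, set())                    # law 1: consent gates release
    available = derive_claims(claims)
    released = {c: available[c] for c in minimal if c in allowed and c in available}
    pending = sorted(minimal - allowed)
    return released, pending
```

A shop asking for the birth date and e-mail address as well receives only the derived `over_18` answer; the bank receives the name and is told that `dob` still needs consent; an unregistered tracker gets nothing.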

I certainly can't find anything to quibble with here. These seem like simple truths that any application or service which purports to handle identity management should follow. I also think that the path you start on by subscribing to these three laws has only one logical endpoint - the personal directory system (see for more on this).

Read through the information Cameron has posted, and check what others are saying about it, then let me know your thoughts on the three laws.


Copyright © 2004 IDG Communications, Inc.