Commentary by Mark Wahl
Organizing principles for identity systems:
Principle of contractual disclosure (2005/1/8)
While rereading Kim Cameron's answer to my questions on justifying #3, "So it should provide the disclosing party with a policy statement about information use. This policy should govern what happens to disclosed information - I save this discussion for another day. But I'll suggest in passing that one can view this policy as defining "delegated rights" issued by the disclosing party." and comparing it to a risk assessment methodology for IdM that I'm writing up, I'd like to suggest that the discussion of policy statements needs to occur well prior to the disclosure of information.

In particular, I'd suggest that this principle of operation, which is implied in data protection laws and typical security practices, should be a governing principle, as currently it is AFAIK not directly derivable from statements #1-5; in particular, #3 doesn't currently state what information is disclosable, even to a necessary party. Leaving it to just the phrasing of #2, "the least", will IMHO be insufficient to allow a user or auditor to understand a system and compare the system's treatment of user information with governing regulations.

In Kim's response, "No limits should be placed on how the party to whom I disclose information organizes itself, as long as it responsibly applies the policy under which I shared information.", this requirement needs to be placed on other recipients of the information, not just the identity system "core", and so I'd suggest this additional principle, which could be stated as:

An identity system must only reveal identifying information to a recipient if the identity system and that recipient have agreed on how the recipient can handle and use that information.

This is to ensure the identity system does not inadvertently violate its data management policy by revealing information to a recipient that is not going to follow a compatible policy.
Without such an agreement in place, the operators of an identity system have no information about what the recipient will do with that information, and in particular have no recourse if they find a recipient has misused a user's information provided to it, even if that recipient in general has a place in identity relationships, and even if the information is part of the 'least' identifying information for the user. If the recipient has no identified policy for managing a particular kind of identifying information, then the identity system wouldn't be able to fully answer a user's or auditor's question of how it ensures that control of that data is maintained. This principle would IMHO be used primarily with respect to private information, but it is also relevant for public information: most identity providers will want to make certain statements about the information they provide (e.g. the format, interpretation of fields, ownership/copyright, appropriate/acceptable use, etc.), as well as defend against libel, retain the right to later revise or revoke it, etc.
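To make the principle concrete, here is an added example (my own illustration, not part of Kim's text or the original commentary) in Python: the identity system refuses to register a recipient agreement that is looser than its own data-management policy, releases an attribute only when such an agreement covers it, and logs what was withheld so a user's or auditor's question can be answered. The attribute names, policy fields and the recipient "shop.example" are constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class HandlingPolicy:
    purposes: frozenset        # allowed uses of the information
    retention_days: int        # maximum time it may be kept
    onward_transfer: bool      # may it be passed on to third parties?

    def is_compatible_with(self, own):
        # A recipient's policy must be no looser than the identity system's own.
        return (self.purposes <= own.purposes
                and self.retention_days <= own.retention_days
                and (own.onward_transfer or not self.onward_transfer))

@dataclass
class IdentitySystem:
    own_policy: dict                                 # attribute -> HandlingPolicy
    agreements: dict = field(default_factory=dict)   # recipient -> attribute -> policy
    audit_log: list = field(default_factory=list)    # what was released/withheld, to whom

    def register_agreement(self, recipient, attribute, policy):
        """Record an agreement; refuse one the system's own policy could not honour."""
        if not policy.is_compatible_with(self.own_policy[attribute]):
            raise ValueError(f"{recipient}: policy for {attribute} is looser than ours")
        self.agreements.setdefault(recipient, {})[attribute] = policy

    def disclose(self, recipient, requested, user_record):
        """Release only attributes covered by an agreement; log the decision."""
        agreed = self.agreements.get(recipient, {})
        released = {a: user_record[a] for a in requested if a in agreed}
        withheld = [a for a in requested if a not in agreed]
        self.audit_log.append((recipient, sorted(released), withheld))
        return released, withheld

# Constructed sample policies and recipient for the illustration (hypothetical values).
OWN = {"email": HandlingPolicy(frozenset({"login", "notification"}), 365, False),
       "display_name": HandlingPolicy(frozenset({"login", "display"}), 3650, True)}

def demo():
    idp = IdentitySystem(OWN)
    idp.register_agreement("shop.example", "display_name",
                           HandlingPolicy(frozenset({"display"}), 30, False))
    try:   # "marketing" is not a purpose the system's own policy allows
        idp.register_agreement("shop.example", "email",
                               HandlingPolicy(frozenset({"marketing"}), 30, False))
    except ValueError:
        pass
    return idp.disclose("shop.example", ["email", "display_name"],
                        {"email": "user@example.org", "display_name": "A. User"})
```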
Tags: kim-cameron