A comparison of Christopher Allen’s Principles of Identity and Kim Cameron’s Laws of Identity
In 2005 Kim Cameron wrote his Laws of Identity and explored ways to give internet users safety, privacy, and certainty regarding who they were engaging with online. Cameron had observed that people had started using digital identity credentials to manage and exchange items of high real-world value. His 7 Laws of Identity were meant to define the basis on which digital identity systems succeed or fail. Cameron’s Laws gave attention to the needs of relying parties as well as to the subject of identity.
Christopher Allen’s Principal Authority: A New Perspective on Self-Sovereign Identity, written in 2021, explores the need for Self-Sovereign Identity to have a basis under the law. It is based on the U.S. State of Wyoming’s efforts to define personal digital identity and create legislation that governs the ownership, use, and storage of a Self-Sovereign Identity.
In this paper, we will first compare the definitions of digital identity in both papers. We’ll then compare Christopher Allen’s Principles of Self-Sovereign Identity to Kim Cameron’s Laws of Identity. These two papers were written over 15 years apart. The goal here is to establish how the digital identity challenge was perceived 15 years ago, and what has changed since then.
Defining Digital Identity
Christopher Allen starts by admitting that defining digital identity is by no means easy.
Kim Cameron defines digital identity as:
“a set of claims made by one digital subject about itself or another digital subject.”
He further defines a digital subject as:
“A person or thing represented or existing in the digital realm which is being described or dealt with.”
He then defines a claim as:
“An assertion of the truth of something, typically one which is disputed or in doubt.”
Cameron’s definition is geared towards ensuring that his laws of identity are easily understood. He acknowledges that digital identity can be defined in many other ways.
Christopher Allen defines digital identity as:
“A digital representation of an entity, managed by digital tools, over which that entity has personal or delegated control.”
He goes further and defines self-sovereign identity as:
“A decentralized digital identity that does not depend on any centralized authority and whose information is portable.”
Both definitions agree about there being a subject or entity attached to a digital identity. One can argue that a digital subject is the same thing as a digital representation of an entity.
Kim Cameron’s definition talks of “a set of claims” while Christopher Allen’s definition talks of “personal or delegated control.”
The two terms exhibit the different approaches to digital identity by both writers. While one is focused on the trustworthiness of claims made, the other one is focused on control over the set of information that constitutes an identity.
Principal Authority
Christopher Allen delves into what Principal Authority is and how it relates to self-sovereign identity.
He writes:
“When applied to digital identity, Principal Authority says that a Principal has Authority over his identity — which is a clear restatement of self-sovereign principles...
...It asserts that digital identity is always a representation of an actual entity, who predates any digital representation, and who is also the first and foremost beneficiary of that representation.”
The concept of principal authority focuses on the importance of there being a person or entity behind an identity claim. It also stresses the need for that person or entity to have power and control over their digital identity.
In his definition of self-sovereign identity, Christopher Allen points to the digital identity being decentralized and having zero dependencies on any centralized authority. All these aspects are accommodated in today’s decentralized identity systems.
This leaves the question of identity reliability. Since the principal has and exercises all the power and authority over their digital identity, how do relying parties know they can trust the claims or representations made?
Comparing Principles of SSI to Laws of Identity
The main difference between the two papers is their area of focus. Christopher Allen is primarily focused on the legal dynamics behind the ownership, use, and storage of self-sovereign identity.
Kim Cameron, on the other hand, is focused on addressing the broader topic of what a digital identity should be.
That being said, both papers address the challenges of creating trustworthy, secure, and privacy-preserving digital identity systems. They recognize the importance of user control, minimal disclosure, and privacy in identity systems.
On that note, let’s compare Christopher Allen’s Principles of SSI to Kim Cameron’s Laws of Identity.
The Law of User Control and Consent VS The Principles of Control and Consent
Both papers address the issue of user control and consent.
Kim Cameron states, “Technical identity systems must only reveal information identifying a user with the user’s consent.”
Christopher Allen states, “The definition of Principal Authority says that the Principal always retains control of an identity, within specifically defined boundaries, no matter who is holding it at a particular time.”
He adds, “Anything that happens within the defined boundaries of the digital identity is implicitly with the consent of the Principal, who may delegate or revoke Principal Authority at any time.”
Again the differences in focus are clear, but the underlying notion is similar.
Both "Principal Authority" and "The Laws of Identity" emphasize the importance of user control and consent in digital identity systems. "Principal Authority" proposes a protocol that enables users to control the permissions of their principals. The paper argues that this approach gives users greater control over their digital identities and the information that is shared about them.
Similarly, "The Laws of Identity" acknowledge that identity systems cannot reveal information identifying a user without the express consent of the user. Both papers recognize that users should have control over their digital identities and the information that is shared about them.
The Principle of Minimization VS The Law of Minimal Disclosure for a Constrained Use
The principle of minimization states, “An agent must minimize the data collected, stored, transmitted, and shared regarding an identity so that it only includes data that is strictly necessary in the context of a request made by the Principal.”
The Law of Minimal disclosure for a constrained use states, “The solution which discloses the least amount of identifying information and best limits its use is the most stable long-term solution.”
The principle of minimization and the law of minimal disclosure are similar since they both emphasize the need for an identity system to disclose as little information as possible. The law of minimal disclosure recommends that information is acquired on a need-to-know basis and retained on a need-to-retain basis.
"Principal Authority" proposes a protocol where each principal is granted a specific set of permissions based on their role and only has access to the information necessary to perform their tasks. This approach minimizes the amount of information disclosed and ensures that only parties with a legitimate need to know have access to that information.
Similarly, "The Laws of Identity" argues that "the solution to the problem of privacy is not to try to prevent data from being collected, but to prevent the linking of that data to the identity of a particular individual." This is achieved by minimizing the amount of information disclosed and ensuring that only parties with a legitimate need to know have access to that information.
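To make the minimization principle concrete, here is an added illustration (not code from either paper, nor from any project the essay mentions) of selective disclosure: an issuer commits to every claim by a salted digest, the holder releases only the claim a request actually needs, and the relying party can still verify what it receives. The claim values, the issuer key and the use of an HMAC as a stand-in for the issuer's signature are constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key; a real issuer would use a
# public-key signature so that relying parties need no shared secret.
ISSUER_KEY = b"constructed-issuer-key-for-illustration"


def _claim_digest(salt: str, name: str, value) -> str:
    """Salted digest of one claim; the salt stops guessing of low-entropy values."""
    encoded = json.dumps([salt, name, value], sort_keys=True).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


def issue_credential(claims: dict, issuer_key: bytes = ISSUER_KEY):
    """Issuer commits to each claim by digest only; the disclosures stay with the holder."""
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        disclosures[name] = (salt, name, value)
        digests.append(_claim_digest(salt, name, value))
    digests.sort()  # sorted order reveals nothing about which claim is which
    body = json.dumps({"_sd": digests}, sort_keys=True)
    mac = hmac.new(issuer_key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}, disclosures


def present(credential: dict, disclosures: dict, needed: list) -> dict:
    """Holder releases only the claims the relying party's request requires."""
    return {"credential": credential, "disclosures": [disclosures[n] for n in needed]}


def verify_presentation(presentation: dict, issuer_key: bytes = ISSUER_KEY):
    """Relying party checks issuer authentication and that every disclosed claim
    matches a committed digest; returns the revealed claims, or None on failure."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["body"].encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["mac"]):
        return None
    committed = set(json.loads(cred["body"])["_sd"])
    revealed = {}
    for salt, name, value in presentation["disclosures"]:
        if _claim_digest(salt, name, value) not in committed:
            return None  # disclosure was altered or was never issued
        revealed[name] = value
    return revealed


if __name__ == "__main__":
    # Constructed sample claims
    cred, held = issue_credential(
        {"name": "Alice Example", "date_of_birth": "1990-01-01", "over_18": True}
    )
    # An age check needs only one claim; the name and birth date never leave the holder.
    print(verify_presentation(present(cred, held, ["over_18"])))
```

The relying party ends up holding a single boolean plus opaque digests, which is the need-to-know outcome both papers ask for; because the digests are salted and sorted, the undisclosed claims cannot be recovered or even counted by name from the credential body.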
The Law of Justifiable Parties
The law of Justifiable Parties states, “Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.”
This law focuses on who information is shared with while one is interacting online. Identity systems have to ensure that users are aware of the parties they are interacting with while they share information.
This law is comparable to Christopher Allen’s entire concept of Principal Authority. The Principal has the ability to delegate functions that pertain to their digital identity to an Agency. The agency must provide access, and maintain transparency, portability, interoperability, minimization, and protection of the digital identity.
An Agency, as described by Christopher Allen, can be likened to an identity systems provider. In that case, both writers explored the need for users to be in full control of how and where their digital identity and the information related to it are used and stored.
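The control-and-consent passage above and this section both describe the same mechanism: the Principal delegates bounded authority to an agency, stays the root of that authority, and can revoke it at any time. The following added model (my illustration, not code from either paper or from any identity system they describe) shows that rule as an authorization check with an audit trail; the actor names, action names and the agency are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass
class Delegation:
    """Authority an agency holds on the Principal's behalf, inside fixed boundaries."""
    agent: str
    allowed: FrozenSet[str]   # the "specifically defined boundaries"
    revoked: bool = False


class Principal:
    """The entity behind the identity. It remains the source of authority even
    while an agency holds the identity, and every decision is logged so the
    agency stays transparent to the Principal (constructed model)."""

    def __init__(self, name: str):
        self.name = name
        self._delegations: Dict[str, Delegation] = {}
        self.audit: List[Tuple[str, str, bool]] = []  # (actor, action, allowed?)

    def delegate(self, agent: str, actions: Iterable[str]) -> None:
        # Re-delegating replaces the previous boundary for that agent.
        self._delegations[agent] = Delegation(agent, frozenset(actions))

    def revoke(self, agent: str) -> None:
        if agent in self._delegations:
            self._delegations[agent].revoked = True

    def authorize(self, actor: str, action: str) -> bool:
        if actor == self.name:
            decision = True   # the Principal is never outside its own boundary
        else:
            d = self._delegations.get(actor)
            decision = d is not None and not d.revoked and action in d.allowed
        self.audit.append((actor, action, decision))
        return decision


if __name__ == "__main__":
    alice = Principal("alice")
    alice.delegate("wallet-agency", ["present_credential", "store_credential"])
    print(alice.authorize("wallet-agency", "present_credential"))   # inside the boundary
    print(alice.authorize("wallet-agency", "transfer_identity"))    # outside it
    alice.revoke("wallet-agency")
    print(alice.authorize("wallet-agency", "present_credential"))   # revoked
    print(alice.audit)
```

A party that was never delegated anything is treated exactly like a revoked one, which is the justifiable-parties outcome: only actors with a defined place in the relationship get a true decision, and the Principal can read the audit list to see who tried what.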
The Law of Directed Identity
The law of Directed Identity states, “A universal identity system must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.”
"Principal Authority" and "The Laws of Identity" both stress the importance of directed identity. "Principal Authority" proposes a protocol that enables principals to be linked to specific roles or tasks, ensuring that digital identities are used for specific purposes and not as a general identifier.
Similarly, "The Laws of Identity" argues that identity systems must be designed for specific contexts and uses, stating that "identity systems must be directed to enable the user to present claims appropriate to the context."
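The omnidirectional/unidirectional distinction in the Law of Directed Identity is easiest to see in code. The block below is an added illustration (not from either paper or from any project they mention) in which a holder publishes one public identifier for discovery and derives a separate, stable identifier for each relying party from a root secret, so two parties that compare notes cannot link their records. The derivation by HMAC, the `did:example:` identifier and the relying-party names are constructed assumptions for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class DirectedIdentity:
    """One omnidirectional identifier plus a distinct unidirectional identifier
    for every relying party, derived from a root secret that never leaves the holder."""

    def __init__(self, public_id: str, root_secret: Optional[bytes] = None):
        self.public_id = public_id                       # omnidirectional: meant to be found
        self._root = root_secret or secrets.token_bytes(32)

    def pairwise_id(self, relying_party: str) -> str:
        # The same party always receives the same identifier (a stable relationship),
        # but without the root secret two parties cannot derive each other's handle.
        return hmac.new(self._root, relying_party.encode("utf-8"), hashlib.sha256).hexdigest()


def can_correlate(id_seen_by_a: str, id_seen_by_b: str) -> bool:
    """All two colluding relying parties can do is compare the handles they hold."""
    return id_seen_by_a == id_seen_by_b


if __name__ == "__main__":
    me = DirectedIdentity("did:example:alice")           # constructed public identifier
    shop_view = me.pairwise_id("shop.example")
    bank_view = me.pairwise_id("bank.example")
    print(shop_view == me.pairwise_id("shop.example"))   # True: stable for that party
    print(can_correlate(shop_view, bank_view))           # False: no correlation handle
```

The public identifier is what Cameron would expect a website or public entity to use; the pairwise identifiers are what a private individual presents, and since each is keyed to the relying party's name, handing the same identifier to two different parties never happens by accident.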
The Law of Pluralism of Operators and Technologies
The law of Pluralism of Operators and Technologies states, “A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.”
While "Principal Authority" and "The Laws of Identity" differ in their approach to decentralization, both papers emphasize the importance of supporting the pluralism of operators and technologies.
"Principal Authority" proposes a decentralized authentication system based on public key cryptography, while "The Laws of Identity" does not propose a specific technology or protocol but suggests that a diverse ecosystem of identity systems and technologies is necessary to meet the diverse needs and preferences of users.
Both papers recognize that a diverse ecosystem of identity systems and technologies is necessary to support a pluralistic society.
The Law of Human Integration
The law of Human Integration states, “The universal identity meta-system must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.”
Another principle shared by both papers is the need for human integration in digital identity systems. "Principal Authority" acknowledges that decentralized systems can be challenging for users and proposes a user-friendly interface to manage principals and their permissions.
Similarly, "The Laws of Identity" argues that identity systems must be designed for people and not just for machines, stating that "human beings are not just data elements to be managed and controlled by information systems." Both papers recognize that digital identity systems must be designed with human needs and preferences in mind.
The Law of Consistent Experience Across Contexts
Finally, "Principal Authority" and "The Laws of Identity" stress the importance of consistency and interoperability in digital identity systems. "Principal Authority" proposes a protocol that enables principals to be transferred and revoked, ensuring consistency across different applications and services.
Similarly, "The Laws of Identity" argues that identity systems must be interoperable, stating that "identity systems must be designed so that identity information from multiple sources can be integrated."
In summary, "Principal Authority" and "The Laws of Identity" significantly differ in areas of focus. In “Principal Authority” Christopher Allen primarily focuses on legal and legislative frameworks behind self-sovereign identity. In “Laws of Identity” Kim Cameron focuses on setting the groundwork for ensuring internet users can interact with a sense of trust, privacy, and security.
The recommended solutions are not exactly similar, but they are all geared toward achieving trustworthy, secure, and privacy-preserving digital identity systems. That being said, both papers share several concerns, recommendations, and principles.
In hindsight, these are two writers tackling the same problem at different times and circumstances. The digital identity world has made significant leaps since 2005. The late Kim Cameron foresaw most of the challenges that Christopher Allen addresses in his paper. However, Cameron may not have seen the depth of the challenges the same way Christopher Allen saw them 15 years later.
Both Principles of SSI and Laws of Identity are focused on protecting the person identified. I feel that most digital identity meta-systems have not adequately considered the needs of relying parties. Once the person identified is protected, who protects the relying parties? Don’t you want to be able to trust the claims and representations made by the other party just as much as you want privacy and anonymity for yourself?
And aren’t we all relying parties?