[Wg-p3] Open vs Closed? [was: Wg-p3 Digest, Vol 3, Issue 22]
swilson at lockstep.com.au
Tue Sep 22 13:42:38 PDT 2009
I believe that the difference between Open and Closed is arbitrary. If
we're not careful, the pursuit of "open" identity on the presumtpion
that it is intrinsically better than "closed" might lead to a repeat of
some of the mistakes of traditional PKI.
It's all relative. What is "open" to one person can seem "closed" to
another. What matters in all cases is that there is a set of business
rules (and contracts or regulations) that governs conduct within the ID
system, what your identity means, what you do with it, what you're not
allowed to do with it etc. Establishing these arrangements in "open"
systems has proved prohibitively complex in orthodox PKI.
I presented a paper to the NIST IDtrust conference last year that
examined the history of PKI. I drew lessons from the newer ideas of
identity plurality, and urged that the quiet obsession with open PKI be
"One deep implication for PKI of identity plurality is
that it inverts the expectation that closed PKI is a
compromise while open PKI is the proper long term
goal. On the contrary, we should now appreciate that
open PKI would be a special and highly theoretical
instance. It is the closed PKIs – each with its own
arrangements and business rules – that represent the
That is, in my view the most useful ID systems are always closed,
because risk management is then transparent, everyone knows where they
stand, and best of all, we can usually map digital identity rules back
on to 'real world' identity rules which makes for seamlessness. The
notion of an "open" ID system -- where total strangers can make good use
of your ID and "trust" you for ... well ... anything, is too much
trouble to be worth pursuing in practice. You cannot do a Threat & Risk
Assessment on a transaction system when you haven't circumscribed all
The general case should be an identity paradigm which spawns a plurality
of local "closed" communitities, rather that the special case of one
giant all purpose singular digital identity.
Regarding that will-o'the-wisp of "interoperability", if you need to
operate in two communities then in general, there are two ways to go.
Either (1) join the two identities together so that they both use the
same identity, or (2) maintain two separate identities (like having
separate Visa and Amex cards).
Phone +61 (0)414 488 851
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
> Message: 1
> Date: Mon, 21 Sep 2009 11:55:31 +0100
> From: Mark Lizar <info at smartspecies.com>
> Subject: [Wg-p3] A Suggested Policy Demarkation Point: Open Vs. Closed
> Identity Systems
> To: wg-p3 at kantarainitiative.org
> Message-ID: <880B404E-0F39-4EDC-B906-28D70465CFC9 at smartspecies.com>
> Content-Type: text/plain; charset="windows-1252"; Format="flowed";
> Hello All,
> I have been pondering the merits of a more explicit policy paradigm
> between open vs closed id systems, and a discussion about this for the
> working group.
> The issue being that public policy in closed identity systems or
> systems with limited user driven/managed/volunteered access, needs a
> different type of policy than open, user controlled systems. In
> addition, I wonder if this type of conversation may actually provide a
> very useful distinction for Kantara driven activities?
> Behind the distinction of open and closed there is a great deal of
> ideological, philosophical, technical, jurisprudence, and sociological
> thought that can be sorted and contributed to both sides of the open
> and closed identity paradigm. A discussion in this light might reveal
> very different types of applied identity technologies. From what I
> understand a great deal of the work done in Kantara is for open ID
> systems? Does an open identity system need different levels or types
> of assurance for privacy than closed identity systems?
> Eg. Open Id systems, social networking is user controlled, adequate
> tools need to be in place for the user to control the policies and
> these policies need to be enforceable by the user. Even against the
> owner of the social networking site.
> Eg. Closed ID systems, enterprise, healthcare, id cards, drivers
> licenses, phone numbers, direct marketing. A policy explicit example
> for the use of a closed id system may be the need to mandate against
> function creep and designed around very specific to purpose etc. (use
> Uprove technology etc.) With risk management, different types of
> public usable transparency, access, and control is more specific to
> constitutional rights, rather then contract rights.
> Do others think this would be a useful distinction to make and point
> to discuss?
> Overall, it seems current events are pushing the agenda of this
> working group, starting with the Open ID/Inforcard initiative, and the
> letter this group has worked on for ICAM. Now the news of this round
> table, the FTC roundtable can also be used as an ?agenda driver? to
> get things moving, in this sense I think it would be difficult to
> develop policy with any force or meaning, if the policy didnt first
> engage with the wider Kantara community. I propose that we use the
> roundtable as an opportunity to take the FTC questions, develop a
> survey pilot it in our working group, then vote on passing the survey
> around the working groups to start a process of developing a common
> policy platform for this working group.
> My two cents worth,
> - Mark Lizar
More information about the Wg-p3