The identity crisis (2) - What is identity?

December 3, 2009

Many systems for identity management suffer from severe security, privacy and usability issues. Previously I discussed how the difference between membership and ownership contributes to the resulting "Identity Crisis". Today I will argue that another fundamental question - "What is identity (anyway)?" - is not properly addressed by identity management systems yet.

First note that identity is not absolute. An identity describes an entity (a person, a computer, an organisation, etc.) within a specific scope. More formally: The identity of an entity within a scope is the set of all characteristics that have been attributed to this entity within that scope. For example, you may have one identity within the scope of your job, containing information such as your employee number, and another identity within the scope of your family, containing information on the food you like. Identities are therefore only valid in a specific scope. If an identity contains many characteristics, it may uniquely identify a particular entity within a scope. However, with only a few characteristics, many entities are likely to match.

It immediately follows that entities have, in general, multiple identities. These identities may partly overlap, but can also be mutually inconsistent. I have blue eyes in all contexts (ie scopes), but may go by different names, nicknames, in different contexts. In extreme cases, people are known to live parallel lives. Sometimes, hardly anybody knows that particular identities in different scopes belong to the same entity.

To uniquely identify entities, one needs to rely on identifiers, not identities. This distinction between identity and identifier is important, and not always properly understood. The confusion is understandable, because in common parlance identity is almost synonymous with personal name, which in turn is understood to be a unique identifier. Again, identifiers (e.g. a user name) are only valid (and guaranteed to be unique) within a scope.

Identity is not unique. Even within a single scope, people may have several different identities. Within the scope of my family I am not only a father (to my kids) but also a husband (to my wife). Moreover, the identity of an entity is perceived differently by different people, or perceived differently by the same people at different times or in different contexts. Someone may be trusted by one person, but not by another, or only within a certain context.

Virtual identities, in the virtual world, can be connected to entities in the real world, but this connection may be loose. For example, computers behind an IP address may be replaced. Ownership of game characters or avatars may be transferred between people over time. In fact, there is quite a large amount of trade in such virtual identities. Likewise, functional roles within companies may look, to external observers, as entities with a particular identity, but different people may actually be assigned to such a role over time.

Identity is also dynamic. Assertions about someones age change when time passes. Your financial situation changes over time, so do your friendships.

Identities may exist long after an entity ceases to exist. The lifetime of an identity does not correspond to the lifetime of the associated entity. Most of the time identity information is not updated or deleted after it has become inapplicable. Again, this introduces a privacy risk. But sometimes claims about an entity actually need to be kept long after the entity itself disappears. For accountability reasons, service providers store usage information for quite some time, sometimes several years. The situation is reminiscent to the difference in lifetimes between keys and certificates (themselves a possible part of an identity). A Certificate needs to be kept long after the key it certifies has expired, to allow parties to verify the signatures made with that key.

Identity is not only what you want to reveal about yourself, but also what others conclude, believe, find out about yourself. This data may be wrong, become invalid over time, be misrepresented, or be misguiding, etc. In other words, an identity does not necessarily correspond to reality. Moreover, it shows that an identity has many owners: it is not only owned by the identity it describes, but also collected and therefore owned by others. A fine example of this are your health care records that are being collected by GPs, doctors and other health care personnel. This also has important privacy ramifications by the way.


Instead of one single identity containing all characteristics taken from all scopes, it is therefore more natural to view identity as a collection of multiple identities (a set of sets), each with their own scope. Note, by the way, that this nicely aligns with the understanding that privacy ensures that information about a person does not leak from one scope into another.

When scopes merge (e.g. if companies merge) identities may clash. If an entity has an identity in both scopes they may not get merged at all, and as a result the scope perceives two entities where there is only one. For example, a person may have an account with two different SPs, both of which require the user to use an SP-specific IdP. How to determine what an entity's identity is in the new scope when the two SPs merge? Or when the two IdPs merge?

The fact that identities remain to exist long after the entity dies results in a wealth of personal information stored in many places, leading to privacy risks for users. It may also result in IdPs giving out incorrect claims, damaging their reputation of a trusted partner that is always right. Furthermore, claims may continue to exist indefinitely, even after identity information is deleted. When the claim of an old identity still exists and a new identity is created with the same identifier, these two may seem to refer to the same entity, while this is not the case.

Managing identities does not only mean handling new and fixed identities within one scope, but also handling the complex situations of changing identities in changing scopes, and managing the different perceptions of identity within the same scope. This is a challenge for identity management systems, to be solved in a way that is both user-friendly and secure.

In case you spot any errors on this page, please notify me!
Or, leave a comment.
The identity crisis (3) – Trust. « Jaap-Henk Hoepman – on security, privacy and…
, 2010-02-23 21:50:33

[…] 2010 Systems for identity management suffer from severe security, privacy and usability issues. A few of them I have discussed previously. Today I will discuss trust. Trust assumptions in identity […]

Samella Nishida
, 2010-03-11 20:32:31

Just landed on this post via Google research. I love it. This situation switch my perceptual experience and I am obtaining the RSS feeds. Cheers Up.

The Identity Crisis (4) – Security « Jaap-Henk Hoepman – on security, privacy and…
, 2010-04-06 09:58:36

[…] 2010 Systems for identity management suffer from severe security, privacy and usability issues. A few of them I have discussed previously. Security is the topic of today’s […]

Greenhost Weblog - Webwijs in de digitale wereld
, 2010-06-11 17:32:41

[…] met andere partijen en identificatietechnieken (met ieder verschillende consequenties) vragen om verschillende vormen van identiteitsmanagement. Dat is geen makkelijke […]