Ben Laurie blathering

Laws of Identity, Revised

Many moons ago, I wrote my Laws of Identity. Yesterday, my friend Cat Okita pointed out a deficiency, so here’s an update…
I claim that for an identity management system to be both useful and privacy preserving, there are three properties assertions must be able to have. They must be:

  • Verifiable
    There’s often no point in making a statement unless the relying party has some way of checking it is true. Note that this isn’t always a requirement – I don’t have to prove my address is mine to Amazon, because its up to me where my goods get delivered. But I may have to prove I’m over 18 to get the alcohol delivered.
  • Minimal
    This is the privacy preserving bit – I want to tell the relying party the very least he needs to know. I shouldn’t have to reveal my date of birth, just prove I’m over 18 somehow.
  • Unlinkable
    If the relying party or parties, or other actors in the system, can, either on their own or in collusion, link together my various assertions, then I’ve blown the minimality requirement out of the water.

What’s changed? Cat pointed out that collusion isn’t necessary for linkability, people can do it all on their own.


  1. the very nature of the content being asserted to can make possible easy correlation (e.g. shipping address), this correlation completely independent of the link-inhibition capabilities of whatever identity system delivers the assertions. I think you have to distinguish between these two levels of unlinkability.

    Also, many use cases absolutely require that a single RP be able to ‘link’ together sequential assertions for a given user. Its only when this is not a requirement that single-RP correlation becomes a negative .

    Comment by Paul — 2 May 2007 @ 12:43

  2. […] and finally Ben Laurie of Google who understands all this stuff. Splendidly sceptical, I think of his as a classic product of the cussed British non-conformism in which anything we’re ever proud of seems to have been rooted. His blog is here and his current three laws of ID are here. […]

    Pingback by Blindside : Blog Archive » ID questions: some contempory thinkers from the technical community — 28 May 2007 @ 10:26

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress