Seven Laws of Identity

Kim Cameron retired from Microsoft on May 5th of this year. (*1) He leaves behind the "Seven Laws of Identity," which were distilled from discussions with the "Identity Gangs." It is a foundational document that many people in the field refer to, but surprisingly many people in Japan are not familiar with it, so I have reproduced here an abridged translation by Fujiei of CTC.

| # | Principle | Message |
|---|-----------|---------|
| 1 | User Control and Consent | Identity systems should not disclose information that identifies a user without the user's consent. |
| 2 | Limited use and minimal disclosure | The most stable, long-lasting solutions will be those that minimize the amount of identity information revealed and appropriately limit access to that information. |
| 3 | Disclosure of information only to legitimate parties | Identity systems must be designed to disclose identifying information only to those parties who have a legitimate need and ability to obtain it in a particular context. |
| 4 | Directed Identity | Identity systems must support both publicly used "omnidirectional" identifiers and privately used "directional" identifiers, thus preserving public identity while avoiding unnecessary exposure of associations. |
| 5 | Interoperability with multiple identity providers and technologies | Identity systems must preserve interoperability across multiple identity technologies run by multiple identity providers. |
| 6 | Human Integration | The identity system must define the consumer user as a component of a distributed system. It must develop a clear human-machine interface to integrate the user into the distributed system and protect his or her identity. |
| 7 | Simple and consistent user experience | Identity systems must provide a consistent user and technology interface while allowing for the separation of identity context across different situations. |
Summary of "Seven Fundamental Principles of Identity in an Internet World"
The original text with details can be viewed in the PDF document posted on Kim Cameron's blog.

(Source) http://www.atmarkit.co.jp/fwin2k/operation/adfs2sso02/adfs2sso02_02.html

Although the document was written a long time ago, its intent remains current. (*2) Along with this, it is a "principle" worth pondering repeatedly. I happened to have a chance to drink with Kim in Mountain View two days before his retirement, so I will summarize it here as a memorial. (By the way, I also met him in Munich the week after his retirement 🙂)

(*1) Kim Cameron: Former identity architect at Microsoft. He had a huge influence on the thinking of the identity industry and was one of the creators of InfoCard. These seven principles were reflected in the design of InfoCard, but unfortunately InfoCard was not commercially successful and ended up as Feature Complete. However, these ideas have been passed down to OpenID Connect.

(*2) OECD 8 Principles:
#1 The principle of clarity of purpose
The purpose of data collection should be made clear, and data usage should be consistent with the purpose of collection.
#2 Principles of Usage Restrictions
Unless the data subject has given consent, or unless required by law, the information may not be used for any other purpose.
#3 Principle of collection restriction
Information should be collected by lawful and fair means and with the knowledge or consent of the data subject.
#4 Data Content Principles
Data should be relevant to the intended use, accurate, complete and up-to-date.
#5 Safety Principles
Data must be protected by reasonable security measures against loss, destruction, use, modification, disclosure, etc.
#6 Principle of Openness
The data collection policy should be made public and the existence of the data, its purpose of use, and the person in charge of managing it should be clearly stated.
#7 The principle of individual participation
Individuals should be able to verify the location and content of data concerning themselves, and the ability to file objections should be guaranteed.
#8 Principle of Responsibility
The administrator is responsible for implementing the principles.
