Encouraged by the fact that my post "An introduction to the differences between OAuth authentication(?) and OpenID for non-technical users" has exceeded 800 Hatebu bookmarks, I decided to write about identity this time (*0).
(Digital) identity is probably an unfamiliar term to you. "Digital" you can follow, but "identity" leaves you wondering what on earth it means.
However, this word always comes up when talking about "authentication", whether OpenID or OAuth, and it is actually indispensable when considering the "number" system that was dealt with in "A thorough explanation of the common number system to request the best service - Is such a common number system okay? - MIAU Presents Net Compass", recently broadcast on Nico Nico Douga to a total of more than 27,000 viewers.
Even though it is such an important concept, it is difficult to find an easy-to-understand explanation. Even when I asked my beloved Wikipedia, the explanation reads like this, and it is very hard going. Sanseido Word Web is quite easy to understand, explaining things like "the existence of something as it is," but it is a bit vague, and the translation "identity" (同一性) doesn't quite fit. So today, I'd like to answer the question "What is identity?" mainly from the perspective of digital identity.
Entity - Identity - Relationship
First of all, the basic premise.
Let's accept that I, you, and even the MacBook Pro on which I'm writing this article are real entities. In reality, it's pretty unclear whether these things really exist or not, but I won't get into those philosophical issues and will assume that the things we come into contact with on a daily basis do exist. I'll call these "things that exist" "entities."
In other words, I exist as an entity, and this Mac Book also exists as an entity.
Unfortunately, however, an entity cannot be observed as it is. It can only be observed through the consciousness of an observer. So when it comes to yourself, there is the "self-observed" you that you yourself observe, and the "other-observed" you that others observe.
Figure 1 illustrates these relationships in more detail.
Figure 1. Entity-self-image-relationships
In this diagram, the "entity" on the far left is you.(* 1).
You live in society, forming relationships with many different people. In Figure 1, I've written your friends in the upper right corner, and your boss at work in the lower right. Of course, they're not the only people you have relationships with. There are so many people out there. It's just that I couldn't fit them on the diagram.
You have a self-image of how you want each person to think of you or how you want them to see you. This self-image is called identity.
However, this self-image (identity) is abstract and not something your friends can see or feel directly. In reality, they learn about you indirectly, by seeing, hearing, feeling and interacting with you through various "attributes": your appearance, clothes, perfume, speech, behavior, where you live, your partner, the mobile phone you use, and so on. In that sense, your "self-image (identity)" is formed by the "attributes" that you provide to them. (←This part will be important when we talk about privacy later.) This is why the International Organization for Standardization's ISO/IEC 24760 defines identity as a "set of attributes." Yes, a digital identity is a set of attributes that can be handled by a computer.
Note also that "numbers" (technically called identifiers) such as employee numbers and resident registration numbers are merely attributes. People often treat them as if they were something very special, and it is important to be careful not to do so.
Other-view and self-view: Problems in interpersonal relationships
As mentioned earlier, this self-image is not something that can be generated directly. It is created by providing/sharing various "attributes." For example, to present a cheerful and friendly self-image, you would show other people "attributes" such as wearing clothes that are easy to move in, speaking clearly, touching others a lot, joking around a lot, and being called by your nickname without asking for your first name.
Since the impression we get from these attributes varies from person to person, there will inevitably be a discrepancy between the self-image we aim for (self-view) and the self-image others see (other-view). For example, you may be acting to present yourself as "cheerful and friendly," but your partner may interpret you as "frivolous" and say "goodbye." If this were to happen, wouldn't you feel devastated?
This discrepancy between the self-image and the other-image is a major cause of interpersonal problems. The right to control this discrepancy is closely related to the right to privacy.
Your privacy rights
First of all, it seems that there is no definitive interpretation of the right to privacy. With that caveat, I will write about the mainstream view among those studying digital identity, which Japanese legal scholars call the "right to control one's self-image (Munei theory)." (For other views, please take a look at Professor Shinbo's lecture.)
As shown in Figure 13, an individual uses multiple "self-images (identities)." Imagine this as the state in which things are going very well right now. Your friends see you the way you want them to see you, and your boss sees you the way you want them to see you: your self-image and your other-image are quite consistent. Your interpersonal relationships are going well, your dignity is respected, and you derive a great deal of happiness from them. You have the right to maintain that dignity and happiness. This is one of the fundamental human rights, and is stipulated in the first part of Article XNUMX of the Japanese Constitution (individual dignity) and the second part (the right to pursue happiness). In Munei's theory, this is defined as privacy.
"Privacy is the freedom to use a variety of self-images in accordance with the diversity of social relationships that humans can freely form." (The right to control one's self-image, assuming free social relationships) Source: Munei Kaiyuki, A New Construction of Human Rights Theory, Shinzansha (1992), pp. 187-195.
However, what happens if a bad person comes along and provides your friend with information that you did not provide to your friend (but did provide to your boss)? If you are lucky, your self-image in your friend's eyes won't change, but in many cases it will. As a result, your relationship with your friend may deteriorate. This is a "privacy violation." In terms of the model in Figure 1, taking attributes from one self-image (identity) and mixing them into another self-image constitutes a privacy violation. Information leaks are called privacy violations for the same reason: they add attribute information from the leaked identity to the public identity (the identity to which you have provided no attributes at all).
Access control
Now, we know that providing attributes to specific people to help shape our self-image is useful, but we also know that providing attributes that were previously only available to some people to others can lead to privacy violations.
A digital identity is a set of attributes that are provided to a person. In order to avoid violating privacy, attributes must be provided only to the intended person or object. Therefore, access to a digital identity must be controlled by identifying the accessing party.
This "identification of the accessing party", carried out with a certain degree of accuracy (*2), is called "authentication", and "allowing the party identified by authentication to access a set of attributes (= a digital identity)" is called "authorization." Naturally, the one doing the "authorizing" must be someone who has the right to grant access (usually the person himself/herself, though in some cases this is stipulated by contract or law), which means that this person must be authenticated as well. In other words:
1. Authenticate who is accessing your digital identity.
2. Authenticate who can grant access to your digital identity.
3. The party issuing the access permission (2) authorizes access for the party in 1.
4. The party in 1 obtains the digital identity.
In many cases, consideration for 1. is overlooked, so care must be taken.
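To make the four steps above, and the "mixing attributes across self-images" notion of a privacy violation from the earlier section, concrete, here is a small Python model. It is an added illustration written for this page, not code from the original post or from any identity standard: the entity, identity and credential names ("alice", "friend", "boss", their secrets and assurance levels) are constructed sample data, and the `authenticate`, `grant_access`, `read_identity` and `privacy_violation` functions are hypothetical helpers that exist only to show the ordering of the steps.

```python
import hmac
from dataclasses import dataclass, field


class AuthenticationError(Exception):
    """The party could not be identified to the required degree of certainty."""


class AuthorizationError(Exception):
    """No grant from the owner covers this accessor / identity pair."""


@dataclass
class Identity:
    """One self-image: the set of attributes provided in one relationship."""
    name: str
    attributes: dict


@dataclass
class Entity:
    """A real thing (here a person) that uses several identities."""
    name: str
    identities: dict = field(default_factory=dict)
    # (identity name, accessor) pairs the owner has authorized (step 3)
    grants: set = field(default_factory=set)


# Constructed sample credentials: party -> (shared secret, assurance level).
# The level stands in for footnote 2's "certain degree of certainty".
CREDENTIALS = {
    "alice": ("alice-secret", 3),
    "friend": ("friend-pw", 1),
    "boss": ("boss-pw", 2),
}


def authenticate(party, secret):
    """Steps 1 and 2: identify a party; returns the assurance level reached."""
    entry = CREDENTIALS.get(party)
    if entry is None or not hmac.compare_digest(entry[0], secret):
        raise AuthenticationError(party)
    return entry[1]


def grant_access(owner, grantor, grantor_secret, identity_name, accessor, min_level=2):
    """Step 3: only the authenticated owner may authorize an accessor, per identity."""
    level = authenticate(grantor, grantor_secret)          # step 2
    if grantor != owner.name:
        raise AuthorizationError(f"{grantor} may not grant access to {owner.name}'s identities")
    if level < min_level:
        raise AuthorizationError("grantor not authenticated strongly enough to grant")
    if identity_name not in owner.identities:
        raise KeyError(identity_name)
    owner.grants.add((identity_name, accessor))


def read_identity(owner, accessor, accessor_secret, identity_name):
    """Step 4: an authenticated (step 1), authorized accessor obtains the attribute set."""
    authenticate(accessor, accessor_secret)
    if (identity_name, accessor) not in owner.grants:
        raise AuthorizationError(f"{accessor} is not authorized for {identity_name}")
    return dict(owner.identities[identity_name].attributes)


def privacy_violation(owner, identity_name, disclosed):
    """Attribute names in `disclosed` that were never provided in `identity_name`
    but do belong to one of the owner's other identities: mixing them into this
    self-image is the privacy violation the article describes."""
    provided = owner.identities[identity_name].attributes
    elsewhere = set()
    for other_name, other in owner.identities.items():
        if other_name != identity_name:
            elsewhere.update(other.attributes)
    return sorted(k for k in disclosed if k not in provided and k in elsewhere)


def build_alice():
    """Constructed sample entity with a 'friend' identity and a 'work' identity."""
    alice = Entity("alice")
    alice.identities["friend"] = Identity("friend", {"nickname": "Ali", "hobby": "climbing"})
    alice.identities["work"] = Identity("work", {"employee_number": "E-0042", "salary_band": "B"})
    return alice


if __name__ == "__main__":
    alice = build_alice()
    grant_access(alice, "alice", "alice-secret", "friend", "friend")
    print(read_identity(alice, "friend", "friend-pw", "friend"))
    # Someone hands the friend an attribute that was only ever provided at work:
    print(privacy_violation(alice, "friend", {"nickname": "Ali", "employee_number": "E-0042"}))
```

The order matters: the grantor is authenticated before the grant is recorded, and the accessor is authenticated before the grant is even looked up, so a failure at step 1 or 2 never reaches the attribute set. The boss, though authenticated, cannot grant the friend access to the work identity because the boss is not the owner; and a disclosure that carries `employee_number` into the friend relationship is flagged, while one that carries only attributes already provided there is not.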
(*0) Unlike OAuth, this kind of abstract story probably doesn't attract much interest. I wonder if it will even reach a single-digit number of Hatebu?! Incidentally, the article in question has exceeded 800 Hatebu and RTs, and exceeded 1 PV in just a few days. That's an exceptional amount of access for such a niche and nerdy topic!
(*1) In this article, we mainly talk about identity and privacy related to "natural persons", but identity is not the exclusive property of humans. Anything can have an identity. Smart meters and mobile phones are examples that have been talked about a lot recently. That's why the word "entity" is used.
(*2) There is no such thing as "absolute certainty." It is always something to a certain degree of certainty. If we do not acknowledge this and start talking about "absoluteness," we will end up with a society that "will never acknowledge" even when an accident occurs.
