Scott Cadzow was at the first ITU meeting. Like me he is an independent consultant who spent a lot of time in standards land particularly with mobile efforts in Europe. He read my “What is Identity?” post and had this comment (sorry commenting doesn’t really work on my blog I have to get this fixed anybody know a good wordpress wiz?)
I wonder if identity as a social construct and identity as a transferable element are not getting confused? Who I am is too complex to summarise in a few sentences, maybe not even in an autobiography stretching across many volumes. In part this is because my perception of my identity is not what others perceive of my identity and as such any declaration of who I am is always false as the entity I declare it to will have a different end view. However if I give you my email address that allows access to the more complex part of identity. If a thief can gather sufficient pointers to your identity they may be able to masquerade as you, but whilst I could give all of my details to somebody they would fail to masquerade as me to someone who knows me in person (family or employer say).
In the ITU-T world identity has to be decomposed to what is available in their world and simply they cannot hope to maintain knowledge related to the societal you, only the knowledge that allows them to make connections to a possible you (telephone numbers address the telephone and not the person and quite simply I am not a telephone). However it is sufficient in the ITU-T space to say that the form of identity they deal with is sufficient to describe the thing that communicates (people use phones to make connections, the ITU-T makes sure that phones can make connections and they do not offer to make connections for people).
In my field of security, and securing identity as a task with it, there is no way that I can offer to protect your identity in all its societal richness. However I can make sure that you will be able to make decisions on the value of some parts of identity (the identifier) by allowing to verify its authenticity and its authority (if it is an authoritative identity). We certainly don’t need to go back to birth certificates for this proof (apart from anything else these can be forged).
Whilst I will agree that identity needs protection it also needs basic common sense (the power of real names in legend should be updated for the modern age – don’t release more data than essential and get systems to default to minimum release policies).
My point is that it is dangerous to conflate identity with identifiers and then say to the public you are your identifier and that the STATE has all the power to ‘validate’ who you are with those identifiers. This is a police state in the making and billions of people world wide have no ‘valid’ stat papers. It doesn’t mean they should not get on the network.
True and I hope nobody is trying to say identifier is identity in all contexts. What I want to note is that if the context is a phone call the only identity from the protocol view is the phone number, from the person using the phone the phone number does not equate to identity (different context, different identity). Rehash: Identity is relevant in context and not all contexts are the same so the value of identity is as varied as the contexts it is placed in.
Your suggestion that the state validates identifiers is harsh. The authority for an identifier is responsible for the validation and the authority need not be the state (most often isn’t). This is the reason behind my view of identity being authoritative or non-authoritative. In the real world we can only verify some identifiers as authoritative and not identity in the societal case (as we cannot have authoritative context although for forensic examination and recovery reasons we may wish to).