Tuesday, December 07, 2004

Axioms of Identity

I'm inclined to state slightly different identity axioms but along the same lines.

I suspect that each individual has an inherent identity, but that it is irrelevant. Rather, I define the identity of person P as being a function not I(P) but rather I(P,O,t) - the identity of P from the point of view of observer O at time t.

This relies on one of the definitions of identity: "The quality or condition of being the same as something else."

In particular, in this case, the two things that are to be established as the same are:

1. characteristics C about P that O observes at time t

and

2. O's memories M at time t of P (built over a period of time)

These two sets of information are not matched exactly. O may remember P at an earlier time before P's hair turned white and that characteristic is not to be observed again.

Rather, those two sets of information are compared to find matches and non-matches. As long as the matches constitute enough entropy to rule out all other P' in the world, then O can conclude that s/he knows the identity of P -- assuming the non-matches do not rule out P.

So, if set-intersect(C,M) has enough entropy to specify P uniquely over the entire universe and set-intersect(C,anti(M)) is empty (or can be discounted), then identity has been established. [I'm not completely comfortable with the handling of anti(M) and welcome refinements, while I keep thinking about how to fix this formulation.]

So, I would replace the second axiom with one that says identity is a function of two entities - the oberver and the observed - rather than being defined only in a community. I would also claim that I(P,P,t) is an entity's intrinsic identity, but that's of no real use in the world, so I don't really fight the first axiom.

Note that because memories can fade over time and people's characteristics can change over time, the matching algorithm needs to take the passage of time into account and at the least require more elements in the set intersection.


7 Comments:

Blogger cme said...

There's a difference I would like to distinguish between what Tom's describing and what I was.

In both cases, there is some characteristic (or set thereof) about P that O uses to make a security decision. In Tom's case, that charactistic is observed, if I read his post correctly. In my case, it is remembered - and the observed characteristics are used only to link from the observed entity to the observer's memory.

In normal CS terms, I'm using the observed characteristics as an "identity" for later lookup in the mental equivalent of an ACL. I index my mental ACL by that identity and there I find other things - including the characteristic(s) I need in order to make my security decision. In Tom's case, there is no indirection.

I prefer Tom's model, of course. That's why I was pushing authorization certificates from 1996 on. However, we are sometimes stuck with the split model - especially when the "ACL" is literally in a person's head. E.g., if I get a signed e-mail from Tom, I make decisions based on my memory of Tom, not on anything contained in the signature on the message or any attached certificates.

4:20 AM  
Blogger cme said...

There's a clear advantage of what I was calling Tom's model.

If there is some characteristic about P that I need to make a decision and I can directly observe it (or have it presented to me in the form of an authorization certificate), then I can make my decision with confidence.

In the identity+ACL model I was describing in contrast, it is essential that we know that we're getting to the right body of memories - and that's when we care that the intersection of observed and remembered characteristics has enough entropy to single out one person in the universe - not just one person in my subset of the universe. This turns out to be a MUCH harder thing to do - sometimes impossible (e.g., when I have no memory at all of the person in question).

This is the chain of logic that leads me to discard the identity+ACL model as a general solution and to go for the authorization certificate model.

4:30 AM  
Blogger cme said...

Unfortunately, there are times when some of us use the identity+ACL model of authorization, but with the ACL inferred or assumed.

This is another faith-based-security example: security by wishful thinking.

I have in mind the common assumption that if you have a US driver's license, you must be an OK person -- at least it was common until it became known that some of the 9/11 hijackers were carrying valid (but possibly fraudulently obtained) VA driver's licenses. It might still be common. I haven't done a poll.

5:45 AM  
Blogger Bob said...

Nietzsche said "Belief in the identity of different things, or in the identity of the same thing at different times, is a fundamental philosophical error". This is a more complicated way of saying what the Buddhists knew long before - that there are no things. I agree with both views, and hence completely reject Carl's notion that individuals have inherent identities, and agree instead with the original identity axiom cited.

There's another problem with the whole discussion here, namely the assumption of uniformity - in other words, the assumption that past observations are good predictors of future behavior. Violating this assumption is what con men specialize in. For this reason, Identity is fairly unreliable as the basis for access control in situations where there's a lot at stake.

Identity is often more reliable when used for accountability (especially if the identifying information kept on file is useful for "laying hands on" a person who is believed to have committed a fraud or other offense) - but of course this is only helpful if you are trying to deal with offenses which are "benign enough" that you can afford to let them happen and then punish them.

This whole discussion is the central point which concerns me about the focus on identification technologies as a key part of the attempt to prevent future terrorist attacks. We certainly don't want to wait until someone blows up a building and kills 3000 people to deal with the problem of terrorism, so accountability-based solutions are not very comforting.

However, access-control solutions (like denying access to the country based on strongly authenticating passports), are unlikely to be effective - unless you believe that the bad guys are dumb enough to recruit people whose past behavior flags them as likely terrorists.

The problem arises because we are attempting to use IDENTITY to solve a problem which arises not from identity but from INTENT.

We had extensive discussions of the issues surrounding identity in the NAS/CSTB panel on Authentication Technologies and Their Privacy Implications; in our report we offer definitions of terms and an extensive discussion of what "identity" really is or isn't. I recommend chapters 1 and 2.

9:14 AM  
Blogger cme said...

I'm not sure if I buy Bob's conclusion that there are no things, but it's a useful Gedankenexperiment.

What if there is no such thing as identity?

Can we get our work done? Can we build security systems?

I believe the answer is that we can.

4:31 PM  
Blogger cme said...

From: Mark Wahl

Sent: Friday, December 10, 2004 10:20 AM

To: cme@acm.org

Subject: comment on axiom of identity: comparison function



In http://cme-spam.blogspot.com/ you write:

> O may remember P at an earlier time before P's hair turned white and that

> characteristic is not to be observed again. ...

> As long as the matches constitute enough entropy to rule out all

> other P' in the world, then O can conclude that s/he knows the

> identity of P -- assuming the non-matches do not rule out P.

For the comparison to work that would imply that some transformations are expected, e.g.

- people's hair color changes as they age

- DHCP-assigned IP addresses are not the same from one day to the next

The "all other P` in the world" seems a difficult formulation - it is a traditional device in fiction that the impostor has all the expected characteristics of the person being impersonated, and some unlikely characteristic is different. In one case, some minor characteristic that the observer would not typically have used to base a comparison is missing or modified. In another all the characteristics of P are present in the subject being tested, but an additional characteristic that P does not have is present: e.g "demonic possession" - the sweet old lady from next door is now swearing like a sailor, - the laptop has the same MAC address as before but is now sending out viruses

In real life, this might happen to friends and relatives of a person with a degenerative brain disease, or someone who reappears after a long separation (Martin Guerre) and there is often a period of time in which the observer will make only a provisional assertion about identity, and might await further observations in order to determine whether to change their comparison function, change their decision, or both.

--------- reply -----------

Hi Mark.

I added the "all other P'" on purpose. I see a persistent pattern among users and even among computer product designers to think of a small world (e.g., their own friends or their small company) when designing a user interface with the side effect that recognition of some other entity is via a mechanism that has a very high collision rate (e.g., a person's common name). I'm trying to remind designers and users that now that the Internet is global, you need to make sure the entity you recognize is uniquely the one you're thinking of from among all possible entities in the world.

If I were a designer faced with that requirement, the only thing I could imagine using is a public key.

- Carl

11:49 AM  
Blogger Bob said...

I realized that I posted an answer to a question asked here on another thread. Here's what I should have written here:

Regarding there being no things, the Buddhists explain it this way. Take a wagon wheel. It consists of an axle bearing, some spokes, and a rim. There is nothing which is a "wheel" here - there are just parts, and the arrangement of the parts is a temporary phenomenon which will pass away. Similarly the rim itself is just a set of pieces of wood which have been bent in a particular way and laminated together. There is nothing which is a "rim" here - there are just parts, and the arrangement of the parts is a temporary phenomenon which will pass away. By this argument there are no "things" - there are just patterns which form and pass away.

Plato realized this and tried to argue it away with the notion of archetypes. But this didn't really work, because he couldn't make the categories distinct. Is a cube of wood 2 and a half feet high a "table", or a "chair", or both, or neither?

9:07 AM  

Post a Comment

<< Home