Learning Digital Identity
Design, Deploy, and Manage Identity Architectures
Phillip J. Windley
Learning Digital Identity by Phillip J. Windley Copyright © 2023 PJW, L.C. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com. Acquisitions Editor: Jennifer Pollock Development Editor: Sarah Grey Production Editor: Beth Kelly Copyeditor: nSight, Inc. Proofreader: Piper Editorial Consulting, LLC Indexer: Judith McConville Interior Designer: David Futato Cover Designer: Karen Montgomery Illustrator: Kate Dullea January 2023: First Edition Revision History for the First Release 2023-01-10: First Release See http://oreilly.com/catalog/errata.csp?isbn=9781098117696 for release details. The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Learning Digital Identity, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc. The views expressed in this work are those of the author and do not represent the publisher’s views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology
this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights. This work is part of a collaboration between O’Reilly and Ping. See our statement of editorial independence. 978-1-098-14674-0 [LSI]
Foreword

Three weeks ago I was sitting in a ring of concentric circles with over 320 people at the opening of one of the most unusual and fascinating conferences you will ever see: the Internet Identity Workshop (IIW). In the front row was Phil Windley, who—along with Kaliya “IdentityWoman” Young and Doc Searls—founded IIW 18 years ago. If 18 years sounds like a good run for an annual industry conference, it is. But IIW is not an annual conference. It happens twice every year. That’s right—November 2022 was the 35th edition.

What is so urgent and important about the problems of digital identity on the internet that an average of 250 people have flown from all over the world to gather in-person 35 times over 18 years to work on solutions? This book is the answer. Let me explain.

When most people hear the term “digital identity”, they think of two things: the persistent pain of logging in with usernames and passwords and the bane of identity theft. Is digital identity about those things? Absolutely. Is it limited to those things? Absolutely not. In fact, for those experts gathering at IIW every six months, what is at stake is the very future of the internet. Why? The answer can be summarized by this 2021 quote from Thales Group:

Trust is the most important currency in the digital world. Digital identities are how this trust is conveyed and embedded, and therefore their importance to our online society cannot be overstated.

In short, digital identities are the key to how we can solve the fundamental trust issues with today’s internet. I doubt most readers need any convincing about the scale or severity of those problems. Some—like misinformation, ransomware, and Elon Musk’s struggle to verify Twitter accounts—are regular front-page headlines. What most readers will not appreciate, however, is the depth or complexity of these challenges. In fact, Phil needed to devote an entire chapter (Chapter 3) just to explain the eight fundamental problems that need to be solved.

That’s why I’m glad Phil and O’Reilly have put the emphasis on learning digital identity. Like the proverbial iceberg, the parts that are visible to everyday internet users are only the very tip. A full understanding of the subject requires not just diving below the surface, but also going backward in time to appreciate how and why the internet identity landscape has evolved so rapidly in the last 20 years—and why it will continue until we finally have an “identity layer.”

In my talks about this evolutionary progression, I describe it as having three major “eras”: centralized, federated, and decentralized. Phil and I first met at the Digital Identity World conference in 2003, when federated identity was just catching on and everyone was hopeful it would solve username/password hell. The hot topic at that conference was how these new federated systems could be truly “user-centric”, i.e., serve the interests of individuals, not just companies. Doc Searls introduced Phil and me to Kim Cameron, who had recently become Chief Identity Architect at Microsoft (a position he would hold for the next 20 years). The following year, Kim began publishing his Seven Laws of Identity to help establish the “ground rules” for a user-centric internet identity system. These seven laws, widely debated in the blogosphere (when that was still a thing), have stood the test of time so well that Phil devotes an entire chapter to them (Chapter 4).

The following spring, Phil, Kaliya, and Doc hosted the inaugural Internet Identity Workshop. Under the guidance of Kaliya and Heidi Nobantu Saul, IIW used Open Space technology to self-organize sessions about every facet of the relationship life cycle that Phil covers in this book—naming, identifiers, discovery, privacy, integrity, cryptography, authentication, authorization, and access control—as well as every major identity standard of the last two decades, including SAML, OpenID, OAuth, UMA and SCIM.

Most of all, IIW was ground zero for the third era of internet identity—decentralized. The topic of how blockchain technology might be leveraged for user-centric identity first arose at the spring 2015 IIW. By fall there were a half-dozen IIW sessions on the topic. The next spring, “self-sovereign identity” (SSI) was in full force. In subsequent years, almost the entire focus of IIW shifted towards the topics Phil covers in the latter half of this book: decentralized identifiers (DIDs), digital wallets and agents, digital credentials, and decentralized digital trust and governance frameworks.

At long last, there are real signs of traction. In the summer of 2021, the European Union announced the EU Digital Identity Wallets initiative to equip all EU citizens by 2024 with a government certified digital wallet and digital ID credential. The Canadian province of British Columbia issued its own digital wallet app (iOS and Android) based on the Hyperledger Aries open source code (Ontario and Quebec are expected to follow suit). Bhutan (the country best known for measuring Gross National Happiness) is preparing a National Digital Identity Act that will enshrine decentralized digital identity as the law of the land.

All of which makes this book more timely than ever. As I watched Phil make his traditional announcement of the day’s sponsors in the opening circle of IIW three weeks ago, I realized how extraordinary it is for someone who has had that front row seat for two decades to be sharing a comprehensive picture of everything he’s learned over that period. And not just as an observer—over that same period Phil has taught as professor of computer science at BYU, founded a startup in the space, and maintained the most prolific blog on the topic.

Bottom line: if you really want to learn about digital identity, you could not have found a better starting point. Dive in!

Drummond Reed
Director, Trust Services, Gen Digital
Coauthor, Self-Sovereign Identity (Manning 2021)
Coeditor, W3C Decentralized Identifiers (DIDs) 1.0
Steering Committee Member, Trust Over IP (ToIP) Foundation

1 Doc Searls published a wonderful retrospective on these laws after Kim passed away in 2021.
2 Phil Windley’s Technometria; I teased Phil that I’ve run out of space in my browser for all the bookmarks I have to his digital identity articles.
Preface

On December 2, 1942, beneath the viewing stands of the University of Chicago’s Stagg Field, Enrico Fermi and his team initiated the first human-caused, self-sustaining nuclear chain reaction in history. Once humans knew how nuclear chain reactions work and how to initiate them, an atomic bomb was inevitable. Someone would build one. What was not inevitable was when, where, and how nuclear weapons would be used. Geopolitical events of the last half of the 20th century dealt with the when, where, and how of that technology, as do many of the international questions of our day.

A similar, and perhaps just as impactful, discussion is happening now around technologies like artificial intelligence, social media, online surveillance, and digital identity. The choices that developers, architects, product managers, founders, and others make, day to day, change the future. My great hope is that the material in this book will help inform you of the important issues surrounding digital identity, so that you can make better decisions that result in better online experiences for us all.

But this book is also practical. I published my first identity book, Digital Identity, in 2005. Coincidentally, that year marked the beginning of a sea change in the field. Web 2.0 was all the rage, and organizations were looking for new identity tools and protocols to underlie their fledgling platforms and services. That same year, Doc Searls, Kaliya Young, and I started the Internet Identity Workshop (IIW). We, and most of the attendees, were working on projects that needed what we called user-centric identity. We thought that using URL-based identifiers for people was the answer to the internet’s identity problems. We imagined that we’d hold a couple of meetings, come up with a solution, and move on to other problems. Now, 18 years and 35 meetings later, IIW is still going strong, with solutions to new digital identity problems still being proposed, debated, and accepted (or not).

In this book, I will teach you what digital identity is, why it’s hard to get right, what makes a good identity system, what technologies provide its foundation, how it’s done today, and where it’s going. You’ll learn why digital identity is at the heart of every online service and interaction, and why that position makes it one of the most important technologies you can work on.
Who Is This Book For?

The primary audience for this book is product managers, architects, and developers who can use its ideas to lay a firm foundation for their own work, based on the principles of digital identity and an understanding of the architectures and technologies that are available to solve identity problems. This book will give you a good grounding in the base-level technologies and protocols that play important roles in digital identity systems. Learning Digital Identity will give you a fresh perspective on the role identity plays in creating usable and compelling digital products.

A secondary audience for this book is chief information officers (CIOs), chief information security officers (CISOs), chief privacy officers (CPOs), risk managers, security engineers, and privacy professionals, who will read it to understand the terminology, concepts, and architectures. More importantly, I hope they come to see the potential of identity systems to make their business more secure, agile, and appealing.

In this book you will learn the specific identity architectures that are possible and determine how those architectures impact the usability, availability, reliability, security, and privacy of your digital services and products.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width
Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width bold
Shows commands or other text that should be typed literally by the user.

Constant width italic
Shows text that should be replaced with user-supplied values or by values determined by context.

O’Reilly Online Learning

NOTE
For more than 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed. Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit https://oreilly.com.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at https://oreil.ly/learning-digital-identity.

Email bookquestions@oreilly.com to comment or ask technical questions about this book.

For news and information about our books and courses, visit https://oreilly.com.

Find us on LinkedIn: https://linkedin.com/company/oreilly-media
Follow us on Twitter: https://twitter.com/oreillymedia
Watch us on YouTube: https://youtube.com/oreillymedia

Acknowledgments

I’m indebted to hundreds of people who have helped me learn digital identity over the past 25 years. Here are a few who deserve special thanks.

Kelly Flanagan has been my good friend, mentor, and cheerleader for most of my professional career. Steve Fulling is another great friend who was my business partner for many years in several adventures. They have both provided unflagging technical, financial, and emotional support for my identity explorations. Troy Martin and I had many profitable discussions about personal learning systems, which led to my interest in self-sovereign identity.

Kaliya Young and Doc Searls are my cofounders at Internet Identity Workshop. They and the participants at IIW have made working on digital identity fun, informative, and fulfilling. Heidi Saul, IIW’s producer, makes the semiannual Internet Identity Workshop event possible. In addition to being my IIW cofounder, Doc is also a great friend and trusted advisor. Many of the ideas in this book have their roots in discussions with him. I’m grateful for his wisdom.

Drummond Reed and I have never worked for the same company, but we have worked closely together for almost two decades on the problems of identity, personal data, and privacy. I’m grateful for his cheerful optimism and careful guidance.

Kim Cameron and Craig Burton, who both died this past year, were two of the “OGs” of the identity space who nevertheless continued to influence and guide its development over many years. They both had tremendous influence on my thinking and taught me important lessons (about both identity and life). Kim’s ideas on the identity metasystem and Laws of Identity appear in Chapter 4 and provide a framework for analyzing the concepts, protocols, and architectures I discuss later.

I’ve had many technical discussions with people about the topics in this book that taught me important concepts and explained difficult ideas. Here are a few that stand out. Daniel Hardman and I had helpful discussions on zero-knowledge proofs, correlation, the time-value of privacy, and minimal disclosure. Sam Curren helped me understand the nuances of verifiable credential presentations and has been a trusted colleague for 15 years. Sam Smith is a source of insight on many digital identity topics, but I am most grateful for his ideas about privacy, self-certifying identifiers, and reputation. Nathan George is my go-to person for almost any question on details of cryptographic protocols and artifacts based on them. Jason Law’s clear explanations of cryptography, privacy, and credentials were critical to the development of my understanding of self-sovereign identity. Lastly, I am grateful to Joe Andrieu for the best definition of digital identity I’ve ever heard (you’ll have to wait until Chapter 2 for it!).

My wife, Lynne, and my children, Bradford, Alexandra, Jacob, Joseph, and Samantha, have put up with much travel, near-constant writing, and many meetings in my quest to understand and help solve the problems of digital identity. They’ve also all had a hand in running IIW and making it work. Their love and support have been indispensable.

The people at O’Reilly have made writing this book not only possible, but fun. A special shout-out to my editor, Sarah Grey, for making me look good. Her edits greatly increased the understandability of the book, and her advice got me through some of the rough spots.

Credits

Figure 9-11 is adapted with permission from a graphic produced by the DHS Science and Technology Directorate.
Figure 10-5 is from DIF and used with permission.
Table 16-2 is adapted from a table in Chapter 10 of Self-Sovereign Identity by Drummond Reed and Alex Preukschat (Manning).

In Memoriam

In memory of Kim Cameron and Craig Burton, two identity pioneers who taught me much and influenced the world for good through their work, professionalism, and kindness.
Chapter 1. The Nature of Identity

Cogito, ergo sum.
—René Descartes

The Peace of Westphalia, which ended the Thirty Years’ War in 1648, created the concept of Westphalian sovereignty: the principle of international law that “each state has sovereignty over its territory and domestic affairs, to the exclusion of all external powers, on the principle of non-interference in another country’s domestic affairs, and that each state (no matter how large or small) is equal in international law.” The ensuing century saw many of these states begin civil registration for their citizens, in an effort to turn their sovereignty over territory into governance over the people living in those lands. These registrations, from which our modern system of birth certificates springs, became the basis for personal identity and legal identity in a way that conflated these two concepts. Birth certificates are a source of legal identity and a proof of citizenship, and thus the basis for individual identity in most countries.

Civil registration has become the foundation for how states relate to their citizens. As modern nation-states have become more and more influential (and often controlling) in the lives of their citizens, civil registration and its attendant legal identity have come to play a larger and larger role in their lives. People present proof of civil registration for many purposes: to prove who they are and, springing from that, their citizenship.

Even so, Descartes did not say, “I have a birth certificate, therefore I am.” When most people hear the word identity, they think about birth certificates, passports, driver’s licenses, logins, passwords, and other sorts of credentials. But clearly, we are more than our legal identity. For most purposes and interactions, our identity is defined through our relationships. Even more deeply, we each experience these independently as an autonomous being with an individual perspective. This dichotomy reflects identity’s dual nature. While identity is something others assign to us, it is also something deep inside of us, reflecting what Descartes actually said: “I think, therefore I am.”

A Bundle of Sticks?

Another way to think about the dual nature of identity is to ask, “Am I more than a set of attributes?” Property rights are often thought of as a bundle of sticks: each right is separable from the rest and has value independent of the rest. Similarly, identity is often considered a bundle of attributes, each with independent value. This is known in philosophy as bundle theory, originated by David Hume. Bundle theory puts attributes into a collection without worrying about what ties them together. As an example, you might identify a plum as purple, spherical, 5 centimeters in diameter, and juicy. Critics of bundle theory question how these attributes can be known to be related without knowing the underlying substance—the thing itself.

Substance theory, on the other hand, holds that attributes are borne by “an entity which exists in such a way that it needs no other entity to exist,” according to our friend Descartes. Substance theory gives rise to the idea of persistence in the philosophy of personal identity. People, organizations, and things persist through time. In one sense, you are the same person you were when you were 16. But in another, you are not. The thing that makes you the same person over your lifetime is substance. The thing that makes you different is the collection of ever-changing attributes you present to the outside world over time.

I’m no philosopher, but I believe both viewpoints are useful for understanding digital identity. For many practical purposes, viewing people, organizations, and things as bundles of attributes is good enough. This view is the assumption upon which the modern web is built. You log into different services and present a different bundle of attributes to each. There is no substance, at least in the digital sense, since the only thing tying them together is you—a decidedly nondigital entity.

This lack of a digital representation of you, that you alone control, is one of the themes I’ll return to several times in this book. At present, you are not digitally embodied—your digital existence depends on other entities. You have no digital substance to connect the various attributes you present online. I believe that digital identity systems must embody us and give us substance if we are to build a digital future where people can operationalize their online existence and maintain their dignity as autonomous human beings.

Identity Is Bigger Than You Think

At first blush, digital identity seems pretty simple: the service you’re building needs to know who the person at the other end of the connection is. Set up an account, give them a username and password, and let them log in. Collect any necessary attributes into a nice, tidy bundle and store them in the account. Job done.

I’ve seen plenty of examples of this kind of thinking over the 25 years I’ve been working on digital identity. I’ve succumbed to it myself. Years ago, every company offering an online service would start from this premise, build a simple identity system, and move on. Then they’d shake their heads as more and more of their development resources got sucked into solving the new problems that always seemed to crop up when the identity system couldn’t support some new feature.

Today, most companies buy their identity systems. Identity and access management (IAM) barely existed as a market category in 2005 but is now a multibillion-dollar industry. Yet digital identity is still growing, with new concepts, products, and services appearing seemingly daily. The lesson? Identity is bigger and more complicated than you think. Throughout this book you will see examples of identity that go well beyond the traditional notions of login and access control. Privacy, trust, authenticity, confidentiality, federation, authentic data, identity for things, and identity ecosystems are a few of the areas this book discusses.

Identity is the foundation for all but the most trivial online services. Suppose a workflow that you’re building needs a signed attestation that certain work has been performed and includes the details about the work. The result is a secure, digital, machine-readable, auditable record of what’s occurred. The workflow requires that this attestation is authentic. How do you ensure that? The document might be considered authentic if it’s signed by someone or something that’s been authenticated, if the cryptographic processes have the fidelity necessary to inspire confidence in the result, and if there’s some process that establishes the provenance of the document. Authentication, confidence, and provenance are all based on identity.

Beyond services, many documents we use every day have identity-related purposes. A movie ticket (an example I’ll use several times in this book) is an identity document that identifies the holder as someone entitled to a seat in a specific theater at a given time. Furthermore, it’s designed so that the ticket taker recognizes that it’s authentic. What about an invoice? An invoice identifies a payment that’s being requested by a specific party for a specific service. It has an identifier and can be recognized as authentic because of the workflow it’s part of. An invoice identifies a transaction taking place inside a larger relationship. These examples, and millions more, are all part of digital identity—yet they aren’t about logging into an account to retrieve some attributes. As you’ll learn in this book, however, they have much in common.

No Universal Identity Systems

Some people combine the mistaken assumption that identity is simple with the myopic view that identity is just about the process for tying legal identifiers to people. The result is a search for a universal identity solution.

Universal identity systems are attractive because digital identity is hard and inconvenient. The siren song of a universal identity system calls developers and users alike with its promise to simplify online interactions, only to dash them upon the rocks of very real complexity. Over the years, I’ve had many people pitch me that their product is a universal solution for digital identity because it provides the means to concretely tie a body (literally, through biometrics) to a legal identifier. While this can reduce fraud, identity systems that do this are almost always privacy disasters because they must collect lots of personal information to be universal. The result is a honeypot of personal information that hackers find too attractive to ignore. More worrisome, a single universal identifier provides the means for computers to correlate the activities of people across a large variety and type of systems, creating a universal dossier that allows governments and companies to surveil and even control them. Universal identifiers are a 20th-century technology that has no business being used in the digital age.

I hope that the examples from the last section have at least got you thinking about all the places that identity plays a role in your organization and, more importantly, your life. Because identity, in one form or another, is foundational to nearly every transaction, relationship, and interaction, identity systems are polymorphic (they have many forms). Consequently, universal systems, which, by definition, have a single form, always end up solving only some of the problems.

Universal identity systems do not exist. But all is not lost for those hoping for a better online identity experience, reduced fraud, and increased functionality. The internet provides a useful analogy. Think of all the ways messages are exchanged online: email, instant messaging, web pages, and video are just the more familiar ways that the internet facilitates the flow of messages between computers. But the internet is not a universal messaging system. Each of these message types has a different form and purpose. Rather, the internet is a system for building messaging systems on a common infrastructure. Similarly, protocols and standards can provide us with a system for building identity systems.

The Road Ahead

Learning digital identity requires that you understand important concepts and context, so you begin to think about identity holistically. Accordingly, the first part of this book deals with definitions of, problems concerning, and laws governing digital identity. Next you will learn about relationships, trust, privacy, and cryptography—concepts necessary for the discussions that follow.

The second part of this book describes the technologies, methodologies, and protocols necessary for digital identity. These include staples like naming, discovery, authentication, federation, and access control.

The third part of the book presents cryptographic identifiers, verifiable credentials, architectural patterns for digital identity systems, identity wallets and agents, and identity on the Internet of Things. We’ll compare solutions, using concepts we developed early on, and see how different architectures are used to build identity systems that support authentic data and trustworthy online relationships.

Finally, I’ll discuss policies and governance, two crucial concepts for building identity systems—and ecosystems—that work. I’ll conclude with a look at how the concepts, protocols, technologies, and architectures discussed in the book can provide a foundation for digital identity that enables lifelike online interactions in preparation for a digital future we can live with.

1 “Nation-States and Sovereignty”, History Guild, accessed October 5, 2022.
2 Substance theory has many more proponents than Descartes, but his definition is helpful in thinking through identity’s dual nature.
3 Provenance takes into account where the document came from, who wrote it, the source of the data used to generate it, and how it’s been transmitted.
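The signed attestation from “Identity Is Bigger Than You Think” above, worked through as code. This is an added example and not code from the book: the record layout, the `Registry` that binds a performer identifier to an Ed25519 public key (standing in for whatever identity system authenticated that performer), the trusted-source list, and the sample performer and CI source names are all assumptions made here. It shows how the three conditions in the text (an authenticated signer, cryptography with enough fidelity, and a provenance process) become three separate checks, and why a valid signature on its own satisfies only the middle one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attestation is the machine-readable record that some work was performed.
// Performer names the identity the signer must have been authenticated as;
// Source and IssuedAt are the provenance the verifier checks (footnote 3 above).
type Attestation struct {
	Subject   string `json:"subject"`   // what the work was done on, e.g. a build ID
	Work      string `json:"work"`      // what was done
	Performer string `json:"performer"` // identifier of the party claiming the work
	Source    string `json:"source"`    // provenance: the system that produced the record
	IssuedAt  string `json:"issued_at"` // provenance: RFC 3339 time of production
}

// SignedAttestation carries the exact bytes that were signed, so the verifier
// checks the signature over what the signer saw rather than over a re-encoding.
type SignedAttestation struct {
	Payload   []byte
	SignerKey ed25519.PublicKey
	Signature []byte
}

// Registry binds authenticated performer identifiers to public keys. It is an
// assumption of this example, standing in for the identity system that vouches
// for who holds which key.
type Registry map[string]ed25519.PublicKey

var (
	ErrBadSignature  = errors.New("signature does not verify over payload")
	ErrUnknownSigner = errors.New("performer is not a known, authenticated subject")
	ErrKeyMismatch   = errors.New("signing key is not the one bound to the performer")
	ErrProvenance    = errors.New("provenance check failed")
)

// NewKeyPair generates an Ed25519 key pair for a signer.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is unusable
	}
	return pub, priv
}

// Sign serializes the attestation and signs the resulting bytes.
func Sign(att Attestation, priv ed25519.PrivateKey) SignedAttestation {
	payload, err := json.Marshal(att)
	if err != nil {
		panic(err) // the struct holds only strings, so this cannot fail
	}
	return SignedAttestation{
		Payload:   payload,
		SignerKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, payload),
	}
}

// Verify applies the three conditions from the text in order: integrity of the
// signed bytes, authentication of the signer, and provenance of the record.
func Verify(sa SignedAttestation, reg Registry, trustedSources map[string]bool, now time.Time) (Attestation, error) {
	// 1. Integrity: the payload must be exactly what the key holder signed.
	//    (ed25519.Verify panics on a malformed key, so check the length first.)
	if len(sa.SignerKey) != ed25519.PublicKeySize || !ed25519.Verify(sa.SignerKey, sa.Payload, sa.Signature) {
		return Attestation{}, ErrBadSignature
	}
	var att Attestation
	if err := json.Unmarshal(sa.Payload, &att); err != nil {
		return Attestation{}, fmt.Errorf("malformed payload: %w", err)
	}
	// 2. Authentication: a valid signature proves possession of *some* key. The
	//    key must be the one the identity system bound to the named performer,
	//    otherwise anyone with a key pair could claim to be that performer.
	bound, ok := reg[att.Performer]
	if !ok {
		return Attestation{}, ErrUnknownSigner
	}
	if !bound.Equal(sa.SignerKey) {
		return Attestation{}, ErrKeyMismatch
	}
	// 3. Provenance: the record must come from a system we accept records from,
	//    and its timestamp must parse and not lie in the future.
	if !trustedSources[att.Source] {
		return Attestation{}, ErrProvenance
	}
	issued, err := time.Parse(time.RFC3339, att.IssuedAt)
	if err != nil || issued.After(now) {
		return Attestation{}, ErrProvenance
	}
	return att, nil
}

// VerifyNow is Verify against the current wall-clock time.
func VerifyNow(sa SignedAttestation, reg Registry, trustedSources map[string]bool) (Attestation, error) {
	return Verify(sa, reg, trustedSources, time.Now())
}

func main() {
	pub, priv := NewKeyPair()
	reg := Registry{"builder-07": pub}                  // constructed binding for the example
	sources := map[string]bool{"ci.example.internal": true} // constructed source list

	att := Attestation{
		Subject:   "build-4821",
		Work:      "unit tests passed",
		Performer: "builder-07",
		Source:    "ci.example.internal",
		IssuedAt:  time.Now().UTC().Format(time.RFC3339),
	}
	if _, err := VerifyNow(Sign(att, priv), reg, sources); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Println("accepted:", att.Work, "by", att.Performer)
	}

	// A forged record: identical claims, signed with a key nobody bound to builder-07.
	_, rogue := NewKeyPair()
	_, err := VerifyNow(Sign(att, rogue), reg, sources)
	fmt.Println("forged record:", err) // prints the ErrKeyMismatch message
}
```

The order of the checks is deliberate: the signature is verified first because nothing in the payload can be trusted until it is, and the performer lookup happens only after that. The `Registry` is where identity enters; without it, step 2 collapses into “whoever holds a key”, which is exactly the mistake the text warns against.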
Chapter 2. Defining Digital Identity

The family therapist Salvador Minuchin declared, “The human experience of identity has two elements: a sense of belonging and a sense of being separate.” This is as good a description of digital identity as it is of our psychological identity. A digital identity contains data that uniquely describes a person or thing but also contains information about the subject’s relationships to other entities.

To see an example of this, consider the data record that represents your car, stored somewhere in your state or country’s computers. This record, commonly called a title, contains a vehicle identification number (VIN) that uniquely identifies the car. In addition, it contains other attributes of the car such as year, make, model, and color. The title also contains relationships: most notably, the title relates the vehicle to a person who owns it. In many places, the title is also a historical document, because it identifies every owner of the car from the time it was made, as well as whether it’s been in a flood or otherwise salvaged.

While fields as diverse as philosophy, commerce, and technology define identity, most are not helpful in building, managing, and using digital identity systems. Instead, we need to define identity functionally, in a way that provides hooks for us to use in making decisions and thinking about problems that arise in digital identity. Joe Andrieu, principal at Legendary Requirements, writes that “identity is how we recognize, remember, and respond to specific people and things. Identity systems acquire, correlate, apply, reason over, and govern information assets of subjects, identifiers, attributes, raw data, and context.” This definition is my favorite because it has proven useful over the years in thinking through thorny identity issues. I’ll use it throughout the book.

The identity record for a car includes attributes that the system needs to recognize it: in this case, the VIN. The title also includes attributes that are useful to people and organizations who care about (that is, need to respond to) the car, including the owner, the state, and potential buyers. The government runs a system for managing titles that is used to create, manage, transfer, and govern vehicles (or, in Andrieu’s formulation, remember them). The system is designed to achieve its primary goal (to record valuable property that the state has an interest in taxing and regulating) and secondary goals (protecting potential buyers and creating a way to prove ownership).

Digital identity management consists of processes for creating, managing, using, and eventually destroying digital records, like the one that contains your car title. These records might identify a person, a car, a computer, a piece of land, or almost anything else. Sometimes they are created simply for inventory purposes, but the more interesting ones are created with other purposes in mind: allowing or denying access to a building, the creation of a file, the transfer of funds, and so on. These relationships and the authorized actions associated with them make digital identities useful, valuable, and sometimes difficult to manage.
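The vehicle title system just described, as an added example that is not from the book: a small in-memory title registry in Go that puts Andrieu’s three verbs (recognize, remember, respond) into code. The VIN and owner names are constructed sample data, and the rule that only the owner of record may transfer a title is an assumption made for the example; real title systems have more parties and more paperwork. What it shows is that the authorized action (a transfer) is decided by a relationship held in the record rather than by any attribute of the car, and that keeping the prior owner in the history is what turns the record into the provenance trail a later buyer relies on.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Title is the identity record for a vehicle. VIN is the attribute the system
// recognizes the car by; Year, Make, Model, Color and Salvage are further
// attributes; Owner and History are relationships, which is what makes the
// record useful to the state and to buyers.
type Title struct {
	VIN     string
	Year    int
	Make    string
	Model   string
	Color   string
	Salvage bool     // flood or other salvage brand, recorded for later buyers
	Owner   string   // owner of record right now
	History []string // every owner since the record was created, earliest first
}

var (
	ErrUnknownVIN   = errors.New("no title on record for that VIN")
	ErrDuplicateVIN = errors.New("a title already exists for that VIN")
	ErrNotOwner     = errors.New("requester is not the owner of record")
)

// TitleRegistry stands in for the state's title database: one record per VIN.
type TitleRegistry struct {
	titles map[string]*Title
}

func NewTitleRegistry() *TitleRegistry {
	return &TitleRegistry{titles: map[string]*Title{}}
}

// normalizeVIN canonicalizes the identifier before it is used for recognition,
// so " 1hgcm82633a004352 " and "1HGCM82633A004352" name the same record.
func normalizeVIN(vin string) string {
	return strings.ToUpper(strings.TrimSpace(vin))
}

// Register is the "remember" step: the system creates the record and starts
// the ownership history with the first owner.
func (r *TitleRegistry) Register(t Title) error {
	t.VIN = normalizeVIN(t.VIN)
	if _, exists := r.titles[t.VIN]; exists {
		return ErrDuplicateVIN
	}
	t.History = []string{t.Owner}
	r.titles[t.VIN] = &t
	return nil
}

// Lookup is the "recognize" step: the VIN alone identifies the record.
func (r *TitleRegistry) Lookup(vin string) (*Title, error) {
	t, ok := r.titles[normalizeVIN(vin)]
	if !ok {
		return nil, ErrUnknownVIN
	}
	return t, nil
}

// Transfer is a "respond" step. Whether it is authorized depends on a
// relationship in the record, not on any attribute of the car: only the owner
// of record may transfer it. The previous owner stays in History, so the
// record keeps working as a provenance trail.
func (r *TitleRegistry) Transfer(vin, requester, newOwner string) error {
	t, err := r.Lookup(vin)
	if err != nil {
		return err
	}
	if t.Owner != requester {
		return ErrNotOwner
	}
	t.Owner = newOwner
	t.History = append(t.History, newOwner)
	return nil
}

func main() {
	reg := NewTitleRegistry()
	// Constructed sample data; the VIN is of the form used in documentation, not a real car.
	_ = reg.Register(Title{VIN: "1hgcm82633a004352", Year: 2003, Make: "Honda", Model: "Accord", Color: "silver", Owner: "alice"})

	fmt.Println(reg.Transfer("1HGCM82633A004352", "mallory", "mallory")) // prints the ErrNotOwner message
	fmt.Println(reg.Transfer("1HGCM82633A004352", "alice", "bob"))       // prints <nil>

	t, _ := reg.Lookup(" 1hgcm82633a004352 ")
	fmt.Println(t.Owner, t.History) // prints: bob [alice bob]
}
```

The canonicalization in `normalizeVIN` is the unglamorous half of “recognize”: an identifier that is compared byte-for-byte without it lets the same car acquire two records, and a duplicate record is exactly the loophole a fraudulent seller wants.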
The Language of Digital Identity

The world of digital identity has its own nomenclature. Most of the terms are familiar but are used in specific ways. This section introduces some of that terminology.

A subject is a person, organization, software program, machine, or other thing in some record. One of the key purposes of an identity system is to authenticate that the subject is who they claim to be and authorize requests to access a resource. A resource might be a web page, a piece of data in a database, or even a credit card transaction. To gain access to the resource, the subject lays claim to an identity record. For people, this is usually called an account.

Throughout this book, I’ll use the word entity to generically refer to the subject of an identity record, such as people, places, things, and organizations. I dislike using words like subject or user when speaking about people if it can be avoided. I think many of the problems we have with online privacy and surveillance are in part the result of technologists dehumanizing the people for whom they’re building systems.

Similarly, I dislike when people use the word identity when what they really mean is an account, identity record, or identifier. The problem is that identity means many things. We’re better off being accurate in what we’re talking about. Your account at Amazon isn’t your identity. Your identity is much more complex and nuanced than what can be recorded in a single database record, or even a collection of them. So, while there are identity systems, records, accounts, and so on, there’s really nothing that is “an identity.”

In this context, an identity record is a collection of data about a subject that represents attributes, preferences, and traits:

Attributes
Attributes describe information about a subject, specifically of characteristics that are acquired. For a person this might include a drug allergy, purchase, bank balance, credit rating, dress size, age, and so on.

Preferences
Preferences represent desires and defaults such as preferred seating on an airline, favorite brand of hot dog, encryption standard used, default currency, and so on.

Traits
Like attributes, traits are features of the subject, but they are inherent rather than acquired. Attributes may change at any time, but traits change slowly, if at all. Examples of traits include a person’s eye color or how and where a company was incorporated.

Since the distinction between attributes, preferences, and traits rarely makes a difference in the design of an identity system, I’ll typically use the term attributes to mean all three unless there’s