What is Identity?

We try so hard to authenticate identity, with passwords, digital signatures and physical tokens. But why are we doing it—what is the real purpose?

What is my real identity? Is it my genetic code? No. Should it turn out that my father really isn't, that may change my legal status. But it will not fundamentally change my identity. So called identical twins are in fact not identical, they are certainly separate biological and legal entities.

I figure there are three different identity needs:

And that real identity is really only a tool to authenticate the other types of identity.

Negative identity

When I check in at an airport, security doesn't care who I really am. They just want to make sure that I'm not Usama bin Laden, and not a few thousand other black-listed persons.

The most important tool for negative identification, is the real or unique ID in the form of a passport. My passport identity is supposed to be unique, and as long as that holds, my passport is proof that I'm not bin Laden.

Anyone operating below government radar, will try to get several IDs supported by passports. Then you can train with al Qaida on one identity, and still travel by plane on another.

Which is why passport control is supplemented by other methods. Any left-handed man looking like bin Laden will have a hard time traveling by plane these days.

And why passports will soon contain more biometric data. A match between my body, and my passport biometrics, does not prove that I'm not someone else. But if two passports with almost identical biometrics are in use, a global system comparing biometrics may detect that. Some biometry has been in use for many years. But the fact that two 175 cm tall males with blue eyes travel under different names, isn't really useful. Biometry that is different for each person, is needed. If fingerprints are too old fashioned, then DNA is an obvious candidate.

Positive identity

Positive identification is proving that I am the same person on different occations. I am the person that deposits on this account, so I am the person that can withdraw from it.

If you know my real identity, you know my positive identity.

For privacy reasons, it is desirable to have several positive identities that are not connected to each other, or to the real identity. I want Amazon to positively identify me from visit to visit, because that helps them come up with good suggestions. And they need positive ID linking me to the VISA account that will pay for the goods. But because Amazon knows more about me than Homeland Security does, I'd very much like my Amazon ID to be unconnected with my other identities. (In principle, I could use a digital identity that only VISA and Royal Mail can connect to my bank account and street address.)

It will often be easier to establish positive ID, than real. Proving who is behind a digital signature is tricky. But if you see the same signature twice, you know it's the same person, or at least the same goup of people: the group of people that knows the private key of the signature. (Positive ID does not imply token ID.)

Software vendors may like to ensure that the person who runs a program, is the same person that paid for the licence. That could be done, but stupid children would be tempted to distribute the parent's VISA signature, often with unpleasant results.

Token identity

Token identification is ensuring that only one entity claims an ID at any time. (While we don't care who is claiming it)

An ID token is something that can be observed but not copied; that implies a physical device.

Typical use will be software licencing. I have seen Quark Express locked with a dongle; I believe Windows XP uses network MAC addresses for the same purpose. (Although the MAC can be changed.)

The GSM SIM card seems a reasonable physical ID token, because more and more people drag a phone around anyway. But the present MSISDN is not enough, a digital signature is needed.