[cryptography] Definition of Identity (was Re: key management guidelines)

Arshad Noor arshad.noor at strongauth.com
Sat Sep 4 13:08:05 EDT 2010

Ian G wrote:
> On 4/09/10 4:21 AM, travis+ml-rbcryptography at subspacefield.org wrote:
>> It's too bad there isn't a notion of identity separate from keys.
> The problem with all this is there is an assumption that we can 
> accurately model an identity in any form.  In practice, we can't.  In 
> more theoretical terms, we can't even define identity, let alone design 
> a single system to capture it.

With all due respect, I would beg to differ, gentlemen.  All of you have
touched upon the answer, but did not precisely define it.  Ray came very
close to it in his very interesting posting, but again, did not express
it succinctly.

Very simply: identity is a set of attributes of a transacting party,
relevant to the transaction's context.

If you are not transacting with anybody or anything, with the possible
exception of your self, no one cares who you are.

If you are transacting with a newspaper vendor at a street corner, you
are only interested in the attributes that provide confidence you are
buying a legitimate newspaper of your choice.  You do not care for the
vendor's name, his bank account number, his driver's license number,
etc.  The newspaper vendor, similarly, does not care for yours; all he
cares is that you present legal tender (which has its own identity
attributes within this context - if the vendor does not accept credit
cards, the identity of your credit card is irrelevant) to complete the

If you are transacting with a bank teller for the deposit of a sum
of money, many identity attributes are involved, all of which must be
satisfied: the physical identity attributes of the bank (you would 
hardly deposit your money at a laundromat or a bank you did not
recognize), the identity attributes of the bank teller (you would
certainly not hand over your sum of money to someone who appears to
be the security guard behind the glass wall), your identity attributes
to satisfy the bank and its regulators, the identity attributes of the
currency, etc.

If you are transacting with your doctor, very different identity
attributes are involved: your insurance card's attributes, your
blood-type, your physical condition/appearance, etc.

And so, the same human being can have very different identities,
depending on the transactions' context.  Cryptography, while having
its own set of attributes, cannot mandate a universal identity; it is
merely an enabler of certain functions (that may or may not have
relevance within the transaction) and must, thus, adapt to real-world
transaction contexts.

Given this definition, it is impossible to define a single system to
capture the identity of anything because there are innumerable contexts
for transactions whose requirements for identity attributes will vary
from context to context.

However, for the sake of efficiency, it is possible (by contract) to
abstract some identity attributes for similar contexts, thus leading
to consolidated identities in finance, health-care, education, etc.

Some years ago, I wrote a paper called "Identity Firewalls" describing
a scheme, where all legal, non-anonymous transactions in the lifetime
of a human being in industrialized nations (such as the US) can be
transacted with just seven (7) such consolidated identities.  The paper
remains unpublished, but I am happy to send it to those who are curious.

Arshad Noor
StrongAuth, Inc.
