Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2016
Version of 15 February 2010
This is a supporting document to http://www.rogerclarke.com/ID/IdModel-1002.html
For other supporting documents, see http://www.rogerclarke.com/ID/IdModel-Supp-1002.html
Roger Clarke **
© Xamax Consultancy Pty Ltd, 2008-10
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/ID/IdModel-App-1002.html
The model presented in the main paper is asserted to be sufficiently comprehensive and rich to enable effective representation of (id)entity, (id)entity authentication and authorisation processes relating to a wide range of (id)entities that exist in real-world contexts. This supplementary paper applies the model to a range of entity-categories, in order to provide a test of that assertion.
The range of entities includes the vitally important category of humans, but extends well beyond them. The following sections consider in turn goods, packaging, devices, software, animals, organisations and finally humans. This represents a substantial proportion of the categories of entity that are relevant to information systems in business, government and community organisations, but is of course not a complete set. The analyses of the entity-categories have been pursued only to sufficient depth to demonstrate the application of the model.
By 'goods' is meant here physical items that are produced, traded between parties, delivered from one location to another, and transformed or consumed. Two different senses of the word 'goods' need to be distinguished: a specific item, and a category of identical or near-identical items. For example, a particular motorised vehicle (car, fork-lift truck, diesel engine, NASA rocket) is an item, but also an instance of a category. The expressions used in this sub-section are 'item' and 'product' respectively.
In applying the model, an item is an entity, and so is a product an entity. An appropriate entifier for a product may be a product code such as the UPC for supermarket products, which uniquely defines that product and distinguishes it from other, similar products. For an item, an appropriate entifier may be a serial number, or a serial number within a batch number, perhaps even within a date (if the batch numbers are not unique). Both product-numbers and item serial-numbers are important for such purposes as maintenance, warranty and product recall.
Some items and products may be used for multiple purposes, and hence may need to be treated as having multiple identities. One example is an item that is out-of-warranty, or has been traded on from its original owner. Another is an item that has been co-opted for a purpose different from its original purpose, e.g. a motor designed for static use on land being installed on a vessel in a salt-water environment, a fire extinguisher used on a fire of the wrong type (which could be reasonably expected to void any applicable warranty, and raise liability issues), and a 'spare part', which may have different characteristics depending on what it is substituted into (and which may cause its host to have different characteristics).
Entification processes commonly involve the capture of the product-number (for a product) or serial-number (for an item). Authentication processes commonly involve checking the product-number or serial-number against previously stored information. Nymity is seldom a quality of any great consequence; but it exists at item-level, if the items are not readily distinguished by any identifier. At the extreme, commodities such as a grade of iron ore or coffee are undifferentiated and anonymous. Authorisation is often irrelevant to products or items, but exceptions occur, such as regulations about the permitted locations of explosives, hazardous chemicals, fissile materials and biologically active materials.
By 'packaging' is meant here materials used to protect goods during transit. It includes boxes, crates and cargo containers, pallets, and insulation against such threats as impact, heat and cold.
Most packaging is insufficiently important to warrant the investment involved in (id)entification. There are exceptions, however. For example, packaging that carries the risk of contamination by chemicals or nuclear material is subject to regulatory controls, and requires identification and management throughout its life and journeys.
Another special case is cargo containers, which are expensive, and intended for multiple, successive uses. They are carefully entified, the entifiers are subject to authentication (e.g. through double-recording of the entifier and the code that indicates the container-type, and checking against available databases), and they are tracked through physical space. They may also have different identities, as occurs when a 'refrigerated container' (reefer) is empty, or is used for goods that do not need cooling. In those circumstances, many of the conditions applicable to them in their primary mode of use do not apply during that period. As is the case with goods, nymity and authorisation are seldom important, but may arise.
In the case of animals, the correlates to 'item' and 'product' in the previous sub-sections are the individual beast, and the species and any race or breed to which it belongs. Entifiers for a species or breed may be names or possibly a DNA profile. Entifiers that can be used for individual animals include biometrics and imposed biometrics such as an embedded chip - typically in the neck for domestic animals and in an ear-tag for stock such as cattle.
Animals may have different identities at times. For example, in a slaughter-line, the animal may be identified by a sequence-number that is then associated with its body-parts through the meat-inspection stages; and a guide-dog generally has that identity only when accompanying a blind person, but is otherwise 'just a dog'.
For breeding-stock, both for domestic and commercial animals, relevant attributes include the animal's blood-lines, and hence the design of the records associated with the animal's identifier(s) may be highly specialised.
Entification of an animal comprises collection of the relevant entifier. Entity authentication may comprise a check of key attributes recorded against the entifier, such as dog-breed or coat-colour. Some animals have particular capabilities, such as blind people's guide dogs and Customs 'sniffer' dogs, which need access to locations in which animals are normally not permitted. Each such dog may have multiple identities on and off the job, and may require authentication and authorisation prior to being permitted access to controlled locations.
By a 'device' is meant here an artefact that has the characteristic of being able to perform computations and in some manner act on its environment, perhaps in a physical manner (e.g. an automated teller machine or a computer-controlled sluice-gate or heating-device) or by displaying or transmitting data to another device (e.g. a desktop, portable or handheld computer, or a mobile phone).
Each such entity has particular attributes. Each typically has an entifier for the product (e.g. manufacturer's name and model-number) and for the item (e.g. a device serial-number). In addition, many such devices have, or have the potential for, multiple identities, each with its own identifier or identifiers. For example, mobile phones have an IMEI or similar as an entifier and an IMSI or similar as the identifiers for each of the separate SIM-cards that they may contain. Some mobile phones only contain one slot for a SIM-card and hence their identities are adopted serially, by switching SIM-cards; whereas other mobile phones may contain slots for two or more SIM-cards and hence may have two or more identities simultaneously.
(Id)entification typically comprises collection of the IMEI or IMSI or their equivalents. Some of the other attributes of a device may, however, be used as a less reliable and possibly temporary (id)entifier under a variety of circumstances. In particular, the serial-number of a component may be used (e.g. the NICId of its network interface card), and so can the device's network address at a particular time, such as its IP-address. Alternatively, its location in physical space may be a sufficient (id)entifier, e.g. for a payment-card on a tollway.
(Id)entity authentication may comprise a check of the (id)entifier and perhaps some key attributes against data stored about the (id)entity in one or more registers, and/or against locations in which it was recently detected (to detect likely data collection errors, and masquerade). Alternatively, much stronger forms of authentication are possible, such as digital signatures by means of private signing keys securely embedded in a chip in the device and/or SIM-card at the time of manufacture.
Where needed, nymity may be programmed by means of the device exercising control over the device-identifier that is transmitted. Nymity may be challenging to achieve with respect to the local network infrastructure, but it is much more readily implemented with respect to distant devices, in particular through the use of proxy-servers.
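The model's treatment of a device can be made concrete in code. The following is an added example, not part of the original paper: it represents a handset as an entity whose entifier is the IMEI, with one identity per SIM-slot identified by an IMSI, and implements entification, identification, identity authentication against a register (including the cross-check against the entifier the identity was last seen in, which is where a masquerade or a collection error shows up) and authorisation from the identity's attributes. The IMEI and IMSI values and the register contents are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Identity:
    """One identity a device can adopt: here a SIM card, identified by its IMSI."""
    identifier: str                    # IMSI (constructed sample value)
    attributes: dict = field(default_factory=dict)


@dataclass
class Device:
    """A handset. The entifier is the IMEI; each SIM-slot can hold one identity."""
    entifier: str                      # IMEI (constructed sample value)
    slots: int
    identities: list = field(default_factory=list)

    def adopt(self, identity: Identity) -> None:
        """Insert a SIM. A single-slot handset adopts identities serially (the new
        SIM displaces the old one); a dual-SIM handset holds two at once."""
        if len(self.identities) >= self.slots:
            self.identities.pop(0)
        self.identities.append(identity)


# Constructed register: IMSI -> attributes plus the IMEI the IMSI was last
# authenticated from (the 'recently detected' context mentioned in the text).
REGISTER = {
    "001010000000001": {"last_imei": "490154203237518", "plan": "voice+data"},
    "001010000000002": {"last_imei": "490154203237518", "plan": "voice"},
}


def entify(device: Device) -> str:
    """Entification: capture the entifier (IMEI)."""
    return device.entifier


def identify(device: Device) -> list:
    """Identification: capture the identifier (IMSI) of each identity currently adopted."""
    return [identity.identifier for identity in device.identities]


def authenticate(imsi: str, imei: str, register: dict = REGISTER) -> str:
    """Identity authentication: look the identifier up in the register and cross-check
    the entifier it is being presented from. Returns an outcome label."""
    record = register.get(imsi)
    if record is None:
        return "unknown-identifier"
    if record["last_imei"] != imei:
        # Same IMSI, different handset: a SIM moved legitimately, a data-collection
        # error, or a masquerade. Flag it for follow-up rather than silently accept.
        return "entifier-mismatch"
    return "authenticated"


def authorise(imsi: str, service: str, register: dict = REGISTER) -> bool:
    """Authorisation: the permitted actions follow from attributes of the authenticated identity."""
    plan = register.get(imsi, {}).get("plan", "")
    return service in plan.split("+")


if __name__ == "__main__":
    single = Device("490154203237518", slots=1)
    single.adopt(Identity("001010000000001"))
    single.adopt(Identity("001010000000002"))       # serial adoption: first SIM displaced
    print(entify(single), identify(single))
    print(authenticate("001010000000002", entify(single)))
    print(authorise("001010000000002", "data"))
```

The register deliberately stores only the last entifier seen with each identifier; a production register would hold a history and a location trail, but the decision logic (known identifier, consistent entifier, attribute-driven authorisation) is the same.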
Conventional computing hardware designed to be used variously as hosts, workstations, portables and handhelds is intended to support a wide range of loadable systems and applications software, serially and concurrently. In addition, mobile-phones need not be restricted to phone-calls and text-messaging and may be fully programmable devices capable of performing whatever functions are provided by loadable software. This may be client software (to support the device's user), server software (to support remote users) or intermediary software (to support other network users). Intermediary functions are moving far beyond routers, proxy-servers and network-caches, as peer-to-peer (P2P) architectures proliferate.
Software needs to be distinguished at two levels, in much the same manner as products and items were in an earlier sub-section. The entifier for the category of software is typically a product-name and version-number. For an instance of software, one candidate entifier is the file-name or path-name in which it is stored. A dynamic rather than static candidate entifier is the process-id allocated by the device's operating system. A possible proxy entifier is the port-number or the socket-id (IP-address plus port-number), which are the addresses (as distinct from names) used by the local systems software and the network respectively.
The concepts of identity and identifier are also applicable to software. Re-entrant or multi-threaded code, whether running in interleaved fashion on a single processor or concurrently on multi-processor configurations, enables a single instance of software running in a machine to support multiple users as though there were multiple instances of the program running. It expressly has multiple identities at once. Another example is a web-server (using that term in its correct sense as software, not hardware). A single web-server may manage many web-sites with different domain-names and even IP-addresses, and respond to requests from browsers sent to its many different identities and addresses.
Entity authentication may be important. For example, web-servers customise the HTML streams that they send to web-browsers, depending on which product each declares itself to be. Identity authentication may be important, for example where cross-pollution among identities such as threads gives rise to unacceptable security or quality risks, and as software agents become more common.
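The web-server case above can be shown directly. This added example, not code from the paper, is a minimal request router in which one server process holds several identities (domain-names), selects the identity from the Host header, and tailors the response on the product the browser declares in User-Agent. Two points of the passage are visible in it: a request for a domain-name the server does not hold is refused rather than mapped to a 'nearest' site, and the User-Agent check is entity authentication in name only, since the declared product is self-asserted and unverifiable. The site names, addresses and request text are constructed.

```python
# Constructed configuration: one server process, several identities.
SITES = {
    "alpha.example": {"ip": "192.0.2.10", "home": "Welcome to Alpha"},
    "beta.example": {"ip": "192.0.2.11", "home": "Welcome to Beta"},
}


def parse_request(raw: str) -> dict:
    """Parse the head of an HTTP/1.1 request into method, target and lower-cased headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def route(raw: str) -> dict:
    """Select which of the server's identities the request is addressed to and
    which variant of the page to send."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").split(":")[0].lower()
    site = SITES.get(host)
    if site is None:
        # Not an identity this server holds: answer with a fixed refusal
        # (421 Misdirected Request) instead of reflecting the name or guessing.
        return {"status": 421, "identity": None, "variant": None, "body": "unknown host"}
    user_agent = req["headers"].get("user-agent", "")
    # The browser's product is a bare declaration; nothing here verifies it.
    variant = "mobile" if "Mobile" in user_agent else "desktop"
    return {"status": 200, "identity": host, "variant": variant, "body": site["home"]}


if __name__ == "__main__":
    sample = (
        "GET / HTTP/1.1\r\n"
        "Host: alpha.example:8080\r\n"
        "User-Agent: Mozilla/5.0 (Linux; Android) Mobile Safari\r\n"
        "\r\n"
    )
    print(route(sample))
```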
On the other hand, risk assessment may lead to the conclusion that it is the identity of the device in which the software is running that needs to be authenticated, or even more so the organisation or person on whose behalf the device purports to be performing its functions. This is at the heart of the challenge to overcome 'phishing' attacks. In some circumstances, the authentication process may need to take into account the combination of person, device-type, device, software product and version, process, network location and even apparent physical location.
Anonymity and pseudonymity are readily available, e.g. through self-manipulation of (id)entifiers, and through proxy-servers. These capabilities have been increasingly applied in recent years, and their use is, for various reasons in various contexts, likely to continue and increase.
An organisation is an entity whose existence arises through acknowledgement by humans. Organisations are non-corporeal, i.e. they have no physical existence or form, and are (for all their importance and scale in the modern world), like cyberspace, 'shared hallucinations'. Acts may be performed under law (such as incorporation) and entries may be placed in registers, but these are adjuncts to and evidence of the shared hallucination that the organisation exists, and do not make the mirage any more physically real.
Organisations commonly have names, although the names may be designed to obfuscate rather than inform, and may change frequently, particularly where the individuals concerned are actively trying to avoid detection (e.g. 'organised crime', and underground political opposition, and the contemporary fascination, 'terrorist cells'). Private sector corporations generally also have registration numbers, and in many jurisdictions so do unincorporated business enterprises. Registration codes are less common in the cases of government agencies, incorporated associations (even those with primarily economic functions) and unincorporated associations (many of which have primarily social or community functions).
Each organisation is an entity, and may have multiple identities (such as business divisions) and associated identifiers (such as business names, brands and logos).
(Id)entification comprises the collection of an (id)entifier. (Id)entity authentication comprises measures taken to establish that the organisation or a component of it is what it purports to be. This is seriously challenging, because of the organisation's incorporeal nature. Common techniques used to achieve some degree of confidence include searches in multiple informal registers such as phone-books and industry directories, physical visits to advertised corporate 'footprints', and phone-calls to apparent places of business. The attempts to use digital certificates for this purpose have been largely failures (Clarke 2001b).
All actions taken by an organisation are, of necessity, taken by humans, and perhaps devices or software processes, that purport to be agents for and acting on behalf of the organisation. Authentication of an action by a corporation (such as entering into contract) therefore involves not only (id)entity authentication but also attribute authentication, in order to achieve confidence in the legal capacity of the particular human(s) and/or device(s) to perform that action and thereby bind that organisation.
Humans represent the most complex and challenging category of entity to which organisations seek to apply (id)entification and (id)entity authentication.
A human entity has entifiers in the form of biometrics. Each human entity has many identities, arising within the many contexts within which the person acts, including workplaces, home(s), and social, community and political settings. Those identities have associated with them various identifiers.
Some identifiers are variants of a commonly-used name (e.g. a surname with different given names, initials and nicknames). Others are successive names (e.g. changed as a result of adoption, marriage, separation or divorce, ambiguity, personal taste or physical danger). Others are alternate names. For example, a woman's maiden name may not be used socially after marriage, but may continue to be used in professional contexts. Another source is multiple transliterations of diacritics, diphthongs and umlauts, and between incompatible alphabets, and from logographic languages such as Chinese into an alphabet.
Many additional situations arise in which multiple distinct names may be used concurrently by the same human entity, in some cases for positive reasons (such as a nom de plume for an author, for physical safety because the individual has a hazardous occupation, and for other categories of persons-at-risk - Clarke 1999b), and in others for negative purposes (such as criminal aliases/akas). In addition to names, many organisations assign codes as identifiers (such as employee numbers and customer numbers) (Clarke 1994d).
(Id)entification comprises the collection of an (id)entifier. (Id)entity authentication comprises measures to establish a degree of confidence that the (id)entity is accurate and is being appropriately used. This may involve demonstration that the individual is capable of the performance of an act (e.g. the production of a signature or enunciation of spoken language) or the divulging of a 'shared secret' that only the relevant individual is expected to be able to perform or know (such as a password, the appropriate answer to a previously-agreed test-question, or some aspect of the most recent transaction conducted with the organisation).
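The two preceding paragraphs, name variants resolving to one identity and authentication by a shared secret, can be shown together. This added example, not the paper's own code, keeps a register in which one identity carries several identifiers (spelling and transliteration variants of a name, a customer number) that all resolve to the same record, and authenticates a claimant by a password stored as a salted PBKDF2 hash and compared in constant time. The names, customer number and password are constructed; the normalisation folds case, spacing and combining diacritics only, so a transliteration such as 'Mueller' for 'Müller' must be recorded as an explicit variant.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000


def normalise_name(name: str) -> str:
    """Fold case, hyphens, spacing and combining diacritics so spelling variants
    of one identifier collapse to a single lookup key."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.lower().replace("-", " ").split())


def make_secret(password: str) -> tuple:
    """Store a shared secret as (salt, PBKDF2-HMAC-SHA256 digest), never in clear."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed register: one identity, several identifiers, one shared secret.
IDENTITIES = {
    "C-1001": {
        "identifiers": ["Jane Müller", "J. Mueller", "Jane Muller-Smith", "C-1001"],
        "secret": make_secret("correct horse"),
    },
}

# Inverted index from normalised identifier to identity.
INDEX = {
    normalise_name(identifier): identity
    for identity, record in IDENTITIES.items()
    for identifier in record["identifiers"]
}


def resolve(identifier: str):
    """Identification: map any recorded variant of an identifier to the identity."""
    return INDEX.get(normalise_name(identifier))


def authenticate(identifier: str, password: str) -> bool:
    """Identity authentication by shared secret. Unknown identifiers still pay
    the hashing cost so that timing does not reveal which identifiers exist."""
    identity = resolve(identifier)
    if identity is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    salt, stored = IDENTITIES[identity]["secret"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print(resolve("jane muller"), resolve("JANE MULLER SMITH"))
    print(authenticate("J. Mueller", "correct horse"), authenticate("J. Mueller", "wrong"))
```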
In some circumstances, it may be more convenient to collect and authenticate proxies for human (id)entities rather than human (id)entifiers themselves. One possibility is the registration plates of a person's commonly-used vehicle. Similarly, a person's commonly-used handsets enable identification of them, and location and tracking of their movements (Clarke 1999b). Authentication may be feasible based on the usage style, or the content of intercepted voice or text messages. In static situations, the IP-address used by the device may be an effective proxy not only for the device and software, but also for the individual.
Many different authenticators are used, but their use gives rise to considerable security risks. For example, sets of personal (id)entification and authentication data represent highly attractive opportunities for (id)entity fraud and even theft. This needs to be seen in the light of the many instances in which organisations in both the public and private sectors, and throughout the world, have failed to exercise adequate control over inappropriate uses and disclosures of data.
Some forms of biometric measure (primarily DNA and iris-scans) may be capable of being sufficiently reliably matched against a single record in a large database, in which case they are, in principle at least, capable of supporting human entification. For most biometrics, however, the collection process results in highly variable measures, and the measures from different people overlap. As a result, most forms of biometrics are capable of being used only as an entity authenticator, and not as an entifier.
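The distinction drawn in the paragraph above, between a biometric as an entity authenticator (a 1:1 comparison against the one record for a claimed identity) and as an entifier (a 1:N search of a whole database), can be demonstrated with a toy matcher. This is an added example, not code from the paper: the templates are constructed four-feature vectors, two of which overlap as real biometrics from different people do, and the distance measure and threshold are arbitrary choices for illustration. A 1:1 verification of the right person succeeds and of the wrong person fails, while the 1:N search returns two candidates and so cannot serve as an entifier. The last function states the standard result that the chance of at least one false match in a 1:N search grows with the size of the database, for a given per-comparison false-match rate.

```python
# Constructed enrolment templates: four feature values per person.
TEMPLATES = {
    "A": (10, 50, 30, 80),
    "B": (42, 61, 25, 70),
    "C": (45, 58, 28, 73),   # close to B: measures from different people overlap
}
THRESHOLD = 12               # arbitrary match threshold for this toy measure


def distance(template: tuple, sample: tuple) -> int:
    """Toy dissimilarity measure: sum of absolute feature differences."""
    return sum(abs(t - s) for t, s in zip(template, sample))


def verify(claimed_id: str, sample: tuple) -> bool:
    """1:1 entity authentication: compare the sample against the one record
    for the identity the person claims."""
    return distance(TEMPLATES[claimed_id], sample) <= THRESHOLD


def identify(sample: tuple) -> list:
    """1:N search: every record within threshold. The biometric can act as an
    entifier only if this returns exactly one record."""
    return sorted(k for k, t in TEMPLATES.items() if distance(t, sample) <= THRESHOLD)


def usable_as_entifier(sample: tuple) -> bool:
    return len(identify(sample)) == 1


def false_match_probability(per_comparison_fmr: float, database_size: int) -> float:
    """Probability that a 1:N search of a database of the given size produces
    at least one false match, assuming independent comparisons."""
    return 1.0 - (1.0 - per_comparison_fmr) ** (database_size - 1)


if __name__ == "__main__":
    # Constructed fresh capture from person B, perturbed by collection noise.
    capture = (44, 60, 26, 71)
    print("verify B:", verify("B", capture), " verify A:", verify("A", capture))
    print("identify:", identify(capture), " usable as entifier:", usable_as_entifier(capture))
    print("P(false match), 1000 records at FMR 0.001:", round(false_match_probability(0.001, 1001), 3))
```

The 1:1 case tolerates the variability of the capture because only one template is in play; the 1:N case must discriminate the capture from every other enrolled template, which is where overlapping measures defeat it. The closing function is why the paper singles out only a few highly discriminating biometrics as candidates for entification in large populations.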
The capture of most forms of biometric is intrusive into the individual's physical person, and all are intrusive into their personal / psychological space; and some forms of collection are significantly intrusive. The ability to require the act to be performed signifies power by the organisation over the individual, and has a substantial chilling effect.
In addition, the acquisition of biometric measures of all kinds is fraught with quality and security risks, and their capture into recorded form generates even more security and privacy issues, because it gives rise to a 'honey-pot' of valuable data. The data is attractive to organisations and individuals seeking to exercise control over individuals, groups and societies, including not only national security and law enforcement agencies but also service agencies and corporations. It is also attractive to organisations and individuals intending criminal acts such as fraud. Beyond that, the scope for planting biometric evidence creates opportunities for extortion, and for deflection of the target's energies through unjustified investigations and court-cases, and in extreme cases for the miscarriage of justice.
The authentication of human entities gives rise to major issues for people at philosophical, political, social and psychological levels. It also leads to substantial risks for organisations. Because of these factors, biometric schemes demand a great deal more care in the analysis of requirements for entification and entity authentication, in the preparation of business cases, in the conduct of risk assessments, and in the design of systems, than has been evident during the last two decades.
A great deal of human behaviour has in the past gone unrecorded, and a great deal of what was recorded was anonymous, or was pseudonymous but with inbuilt protections against the breaking of the pseudonymity. The undisciplined and largely unregulated application of information technologies during the last 50 years has seen the recording of transaction data rise dramatically, and the collection and association of (id)entifiers with that data increase enormously as well.
Many individuals, in many different circumstances, have strong interests in the avoidance of data-recording and especially in the association of (id)entifiers with that data. Government agencies and corporations have ridden rough-shod over those strong human interests. Security and privacy concerns have continually arisen, and there has been increasing incidence of public resistance to and rejection of features of information systems and even of entire systems.
There are a great many circumstances in which the cost and intrusiveness of (id)entification and (id)entity authentication are unwarranted, and instead risk management is likely to be better achieved through the authentication of assertions relating to aspects other than (id)entity, such as value and attributes, including the individual's capacity to act as an agent for another individual or for an organisation.
The actions that an individual human is permitted in particular contexts are determined through the authorisation decisions taken on the basis of authentication, whether of (id)entity or of some other aspect. Where an individual is unable to achieve authentication, the consequences vary. For example, people with memory deficiencies have difficulty using ATMs and debit-cards and increasingly now credit-cards, because they cannot readily recall their PIN. Employees who cannot reliably produce a biometric (and 2-5% of the population share this characteristic in relation to fingerprints) may be continually calling for assistance from their employer's technical support team in order to be able to log into the systems they need access to in order to perform their functions. Applications of biometrics to consumers will result in even more serious service quality reductions for a significant minority of the population.
Beyond those functional problems lie much more serious potentials. One is intentional service denial (such as the preclusion of use of scheduled airline services, public transport and toll-roads). The sci-fi genre many years ago envisaged a highly-networked world in which the scope exists for public-private partnerships to extend the service-denial concept to outright identity denial.
The series of test-applications presented in this supplementary paper demonstrate that the model is effective in reflecting the realities of multiple categories of entity, which together have a wide array of different attributes and attribute-values, and exist and are used in widely varying contexts. On this basis, it is argued that the model satisfies the requirements of comprehensiveness and sufficiency.
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.
Created: 30 March 2008 - Last Amended: 15 February 2010 by Roger Clarke - Site Last Verified: 15 February 2009