Roger Clarke's 'Lessons from a Model of (Id)entity'

Lessons from a Sufficiently Rich Model of
(Id)entity, Authentication and Authorisation

Sketch of 12 October 2009

Outline of an Invited Presentation to the
Identity, Privacy and Security Institute (IPSI), at the University of Toronto
26 October 2009

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2009

Available under an AEShareNet Free for Education licence or a Creative Commons 'Some Rights Reserved' licence.

This document is at http://www.rogerclarke.com/ID/IdModel-UT-091026.html

The slide-set supporting the presentation is at http://www.rogerclarke.com/ID/IdModel-UT-091026.ppt


Abstract

eBusiness transactions involve risks. Organisations seek to reduce and manage their exposure to those risks through authentication and authorisation processes.

It has become conventional for organisations to focus primarily on the authentication of identities. An industry of architectures, protocols and software products has arisen to support this approach. However, the players use terms in varying and undisciplined ways, and it is far from clear that there is any coherent model of the relevant part of the real world that underpins the terminology, the architectures, the protocols and the products.

Over the last decade, this author has developed and tested a model of the relevant domain. In parallel with the model, a dialect has been developed comprising terms that are defined and inter-related. The dialect enables conversations to take place about the real world, and about infrastructure and business processes to enable risk management. Application of the model demonstrates that the precepts on which the current 'identity management' industry is based are deeply flawed.

This presentation commences by providing a rendition of the model. The rendition is interleaved with discussions of aspects of the model that are to some extent in conflict with commonly-held views among providers and purchasers of eBusiness products. Particularly critical aspects are:

The model is applicable to a great many different categories of entities, including goods, motor vehicles, computing devices, human beings, and various artefacts as proxies for human beings. The importance of the distinction between an entity and an identity is drawn out by considering mobile phones. The authentication of human identities and human entities is then reviewed using the model, and some of the myths inherent in conventional approaches are demonstrated.

The presentation concludes with several suggestions for constructive approaches to the design of schemes using chips (whether in cards, tags or some other carrier) and using biometrics.


Sources

The primary exposition of the model is in the following paper:

Clarke R. (2009) 'A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation' Proc. IDIS 2009 - The 2nd Multidisciplinary Workshop on Identity in the Information Society, LSE, 5 June 2009

Here is the glossary of terms associated with the model.

Other important papers underpinning the analysis are:

Clarke R. (1997) 'Chip-Based ID: Promise and Peril', for the International Conference on Privacy, Montreal (September 1997)

Clarke R. (1999) 'Anonymous, Pseudonymous and Identified Transactions: The Spectrum of Choice', Proc. IFIP User Identification & Privacy Protection Conference, Stockholm, June 1999

Clarke R. (2008) '(Id)Entities (Mis)Management: The Mythologies underlying the Business Failures' Invited Keynote, 'Managing Identity in New Zealand', Wellington NZ, 29-30 April 2008

Here is a list of the full series of papers on which the model draws.

Here are the main steps in the development of the model.


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.



Created: 12 October 2009 - Last Amended: 13 October 2009 by Roger Clarke - Site Last Verified: 15 February 2009