% fortune -ae paul murphy

Identity and Documentation

XK>þâQÝ-3-M9$ë'ë#kBb*³ç¶Kxß áÕf·B´»õ0|rT÷¨ëÄýünÎiÛ;úºÙNglž½@=æ8ÃJ
ä+~(ÒE±\PvÈWK<ÐD(¾2Þ.VæQF£D;uuI>®¦êôÔ"9ZÃ}·ÛÇïÚâ½!Oë{ëÛBÑIi@ÛXù¼QQ
¦ôY`A[¸U1/>Áp=!óL+ºé¢Çÿ÷j_¹jí£À*äK¥¯ìts@æ(Uâ6ÝÃ.ÿN*×ÐÌÂS`·µ´tw>]®j
À{ßîXÊO"àýêóZíHþ0¦^Uâ4²Xb}Ncï¤üfúÃR¦öd7åLÙjPh·M#ÒLyâgéê;ãD<ïá»Ü;EÂ

Can't read that? Umm, how about this:

0000000 135414 176530 003653 151456 165646 137525 036745 155672
0000020 067306 126637 040063 003023 027511 063454 023452 007517
0000040 017271 134535 142030 013050 012277 125503 031065 051217
0000060 056731 050633 032407 107007 147613 146443 116261 044577

No?

Well, you see, that's a problem, because I'm reasonably certain that the original document, which the lawyer who dictated it assured me would have a minimum forty-year life, isn't electronically accessible to the people it went to either.

I picked this example in part because I happen to have it but mainly because it's a document about identity that was used to support authorizing my access to a "sensitive" applications environment - and that's the core of the issue I want to talk about this week: the "nexus" between identification, document management, and authorization.

If you're responsible for business data and authorize some list of people to have access to that data, then you want the system delivering that access to first ensure that anyone trying to get at the data is on that list of authorized users. That's obvious, right? But what isn't obvious is that this is a two-step process in which it makes sense to impose a strong separation between the parts.

Step one is to put a name on the list, and step two is to use that list to verify someone's right to access that data or application when he or she tries to log in.

In practice the initial authorization usually involves a human being's interpretation of someone's real history with the organization, but the rights verification part is almost always done with a pseudonymous userid like pmurph.

Look at step one in the context of government security efforts like passport control and what you see is a massive problem in document integrity and accessibility management. The fact that the people who issue my Canadian passport almost certainly can't read my security clearance documentation suggests that the process may not be as well thought out and managed as some might wish.

Politically I subscribe to the view that less government, even if achieved through inefficiency, is better government. As a result you might reasonably expect me to applaud their inability to maintain document integrity and accessibility across organizational boundaries and over longer periods. In fact I don't, because enforcing a clear separation between the two steps in the process would offer an effective solution to the real problems government tries to address via identity management, without compromising anyone's privacy.

The identity management solutions being sold to governments today, whether expressed as national ID cards or as electronic passports, are all variations on corporate identity management solutions. In other words, they're aimed at step two (comparing an id being presented to an authorized list), with governments artificially gluing on step one (establishing authorization) simply by not recognizing the distinction.

Recognize the distinction and it becomes obvious that your passport, or national identity card, could become much more like a simple userid, and much less of a threat to privacy and your rights as a human being. Equally important, recognizing the separation would allow the processes of issuing and controlling these things to be greatly simplified and thus made more effective as controls against criminal and other inappropriate activities.

Doing that would require two specific technologies. The first of these would enable a standard approach to document storage and thus provide the informational basis for an efficient way to carry out the step one processes: authenticating someone's rights and placing the resulting authorization id on a list. The second would focus on the authorization token replacing identification documentation for step two.

That token would not carry identification information, and neither would the authorized list against which it gets compared when presented. The only information the customs agent, airline representative, or traffic cop gets when you present it is the information needed: you're one of the good guys, or you're not.

Of course if you're not, other questions become legitimate - but only once you initiate matters by attempting to do something you're not authorized to do, and that's where effectiveness in document management becomes important again because authorizations can be changed, or other appropriate actions taken, only if the right information is available and can be trusted.
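To make the two-step separation concrete, here is an added sketch (my own illustration, not anything from the column or from any real passport system) in which a registrar that holds identity issues opaque tokens, and a verifier holds nothing but one-way digests of the authorized tokens, so the only answer it can give is yes or no. The `Registrar` and `Verifier` classes are assumptions made up for the example.

```python
import hashlib
import secrets


def _digest(token: str) -> str:
    """Verifiers store a one-way digest of each token: not the token itself,
    and never any identity data."""
    return hashlib.sha256(token.encode()).hexdigest()


class Registrar:
    """Step one: the only party that ever sees identity. A human decision
    ("this person is authorized") is recorded as an opaque, random token."""

    def __init__(self) -> None:
        self._dossiers = {}     # digest -> identity record; stays here
        self._authorized = set()  # digests only; this is what gets exported

    def enroll(self, identity: dict) -> str:
        token = secrets.token_hex(16)  # random, says nothing about the holder
        d = _digest(token)
        self._dossiers[d] = identity
        self._authorized.add(d)
        return token  # handed to the person; the registrar keeps only its digest

    def revoke(self, token: str) -> None:
        """Change the authorization without touching the identity record."""
        self._authorized.discard(_digest(token))

    def export_list(self) -> frozenset:
        """What is shipped to verifiers: membership only, no identity."""
        return frozenset(self._authorized)


class Verifier:
    """Step two: the customs agent, airline or traffic cop. Holds the list
    only, so the most it can learn from a presented token is in/not in."""

    def __init__(self, authorized: frozenset) -> None:
        self._authorized = authorized

    def is_authorized(self, token: str) -> bool:
        return _digest(token) in self._authorized


if __name__ == "__main__":
    reg = Registrar()
    tok = reg.enroll({"name": "constructed example", "file": "constructed"})
    print(Verifier(reg.export_list()).is_authorized(tok))  # True
```

Note that a verifier still holding yesterday's exported list keeps accepting a revoked token; getting the updated list to every verifier, and trusting it when it arrives, is exactly the document-management problem the column keeps returning to.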

In the short term this change would require a revolution in official thinking and isn't going to happen, but in the long term both the separation of authorization from identity and the required standardization in document management are inevitable, and information technology, the stuff you and I do, will lead the way.


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.