
The Laws of Identity (Light)

Kim Cameron was Microsoft's Chief Identity Architect and one of the most influential thinkers in digital identity. In 2005 he published The Laws of Identity — a set of principles describing what a trustworthy internet identity system must provide. These laws were widely discussed across the industry and directly informed the design of protocols such as OpenID Connect (OIDC) and SAML 2.0.

The principles, condensed

The following is a plain-language summary of Cameron's seven laws:

User control and consent — People using computers should be in control of giving out information about themselves, just as they are in the physical world.

Minimal disclosure — The minimum information needed for the purpose at hand should be released, and only to those who need it. Details should be retained no longer than necessary.

Justifiable parties — Identity information should only be disclosed to parties that have a justifiable need for it in a given context.

Directed identity — It should not be possible to automatically link up everything we do across all aspects of how we use the internet. A single identifier that stitches everything together would have many unintended consequences.

Pluralism of operators and technologies — We need choice in terms of who provides our identity information in different contexts. No single identity provider should hold a monopoly.

Human integration — The system must be built so that we can understand how it works, make rational decisions and protect ourselves.

Consistent experience across contexts — Devices through which we use identity should offer people consistent controls — just as car makers offer similar controls so that we can all drive safely.


Credit: These principles are drawn directly from Kim Cameron's original work. See identityblog.com for the full text.

David Christiansen

Solution Architect with 30 years in cloud infrastructure, security, identity, and .NET engineering.
