Seven Laws of Identity - Kim Cameron, 2005

These are all from what I think of as Identity Wars 1.0, which led to the Internet Identity Workshop (IIW) https://internetidentityworkshop.com/ starting in 2005. OpenID and OAuth came out of this, as well as tension with existing corporate / enterprise systems, which were much too complicated for developers of small web apps and startups to implement.

  1. User Control and Consent
    • Technical identity systems must only reveal information identifying a user with the user’s consent.
  2. Minimal Disclosure for a Constrained Use
    • The solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution.
  3. Justifiable Parties
    • Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
  4. Directed Identity
    • A universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
  5. Pluralism of Operators and Technologies
    • A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
  6. Human Integration
    • The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
  7. Consistent Experience Across Contexts
    • The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
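Law 4 is the one that later became a concrete mechanism (OpenID Connect's pairwise subject identifiers do essentially this), so here is an added illustration, not Cameron's text or any project's code, of why a per-relying-party identifier blocks correlation while a global one does not. The provider key, account names and relying-party names are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data: one identity provider, two relying parties, three accounts.
IDP_SECRET = b"constructed-idp-pairwise-key"  # known only to the identity provider
ACCOUNTS = ["alice@example.org", "bob@example.org", "carol@example.org"]
SHOP, FORUM = "shop.example", "forum.example"  # constructed relying-party names


def omnidirectional_identifier(account: str, relying_party: str) -> str:
    """A public handle that is identical everywhere (e-mail, global user id).
    Right for public entities that want to be discovered; for a private user it
    is a correlation handle handed unchanged to every relying party."""
    return account  # the relying party does not change the value


def unidirectional_identifier(account: str, relying_party: str) -> str:
    """A pairwise pseudonym: stable for one (account, relying party) pair, but
    unlinkable across relying parties. Keying the HMAC on the provider's secret
    means no relying party can recompute it for another party or reverse it."""
    msg = f"{relying_party}\x00{account}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()


def issue(id_fn, relying_party: str) -> dict[str, str]:
    """Simulate every account logging in at one relying party. The relying party
    stores its own local record keyed by whatever identifier the provider sent;
    it never sees the account name when id_fn is the pairwise scheme."""
    return {id_fn(a, relying_party): f"{relying_party}-record-{i}"
            for i, a in enumerate(ACCOUNTS)}


def correlate(db_a: dict[str, str], db_b: dict[str, str]) -> int:
    """How many records two colluding (or breached) relying parties can join on
    the identifier alone: the leakage the identifier scheme permits."""
    return len(set(db_a) & set(db_b))


def demo() -> tuple[int, int]:
    """Returns (joinable records with global ids, joinable records with pairwise ids)."""
    global_join = correlate(issue(omnidirectional_identifier, SHOP),
                            issue(omnidirectional_identifier, FORUM))
    pairwise_join = correlate(issue(unidirectional_identifier, SHOP),
                              issue(unidirectional_identifier, FORUM))
    return global_join, pairwise_join


if __name__ == "__main__":
    print(demo())  # global ids join every user; pairwise ids join none
```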

Reminded of this by Phil Windley’s recent post