Laws of Identity with Kim Cameron


January 4, 2006

Click ARCast: Laws of Identity with Kim Cameron to listen to this ARCast.

Ron Jacobs:   Welcome, my friends, to ARCast. I'm your host, Ron Jacobs, with Architecture Information and Talk, that's what we do here: we talk. It's not a video, but really my guests are not that good-looking anyway, and I'm certainly not, so you are doing yourself a favor by listening only. Plus, that you can multitask. Many people tell me that they listen to ARCast while working out, riding a bike, riding a bus, riding in their car; whatever you do, just tell me about it, send me a note to

And, now, Kim Cameron with the Laws of Identity.

Hi, this is Ron Jacobs, and welcome to our talk today. I'm joined by Kim Cameron, who is an architect in Windows Identity and access-management area. I guess I'd say, How's it going, Kim?

Kim Cameron:   It's just great.

Ron:   And, and so, that's really interesting. I didn't realize that we had a whole group that is focused around identity and access management in Windows.

Kim:   Oh, sure, because we have things like Active Directory, you know, meta-directory integration services and all that sort of stuff. So, different ways of being able to find out who you are dealing with inside Windows environment. So, when you for example log in to Windows, you know, somebody has got to write that stuff.

Ron:   Yeah, oh, yeah, I'm glad you are, because, you know...

Kim:   It's not me, though.

Ron:   OK, well... (laughs)

Kim:   It's our… it's our group.

Ron:   Your group, yes, but you are the architect. You're the guy that, like, in Matrix, who wheels around and says, "I'm the Architect."

Kim:   Yeah, yeah, I'm responsible for what's wrong and what's bad about it.

Ron:   OK. Now, you've come up with this real interesting thing that we are going to talk about today called the Laws of Identity. And I love, I love these kinds of things. There are seven laws of Identity that you've written down on your, on your wonderful blog, which I've to plug, it's

Kim:   I love you…

Ron:   Well, you can return the favor and plug this show later.

Kim:   I'll… I'll…

Ron:   I love concise lists like this, because it kind of formalizes a lot of random thinking that goes on. How did you come up with this list?

Kim:   Well, you know, I was… Have you been ever to one conference too many?

Ron:   I have, yeah.

Kim:   So, you know, I was there and I just was listening to the way the discussion was going, and it occurred to me that we don't really have a framework that allows us to restart the discussion about identity anywhere except from the beginning each time we have it. Sort of like back to the beginning, rewind, and we start again. And all the words mean different things to different people, and basically there is… so, as a result, everybody ends up discussing little technical nits instead of the real concepts that are behind these things. So, I figured, Is there some way that I can actually reset the conversation or… or… Well, at the same time, I was just starting to blog, and I didn't really know anything about it, which was a good thing, and I didn't have anything to write about, so I was going… you know… I wondered what would happen if I started this discussion in about… how we get a real, you know… a set of concepts that we can reuse, so we don't always have to go back to square one. And do that with the Web, so it was kind of… it was just a… sort of experimental, trying-to-figure-it-out kind of thing.

Ron:   Yeah, and I guess a few people have noticed this now and so started showing up in various conferences and slide decks, and that sort of a thing, right?

Kim:   Yeah, it's really bizarre, because first of all I was thinking that I'll start a blog, and then maybe a year from now or something people will start to read it.

Ron:   Yeah.

Kim:   But what happened was, I started… Well, first of all, I guess it was a bit polemical to call it the "laws of identity." I was trying to show that it was not just opinions or moral precepts or something, but we are trying to do something to understand the dynamics, underlying dynamics, the system, so I said that, OK, I'll call the laws just like the… you know… the laws of robotics.

Ron:   Yeah, alright, there you go.

Kim:   And I thought, Well, you know, that will get some of my friends sort of steamed up and they will participate in the discussion. Yeah, it was great, because I couldn't believe how fast it just turned into a phenomenon on the Web, and all the people who were interested in identity were contributing and ripping me apart and, you know, promoting various ideas, and it was great.

Ron:   OK, so, what I want to do now is to begin a kind of rundown of the seven laws and see if you can help our listeners get a sense of what each of them means. So, the first law is about user control and consent. And here you say a digital-identity system must only reveal information identifying a user with the user's consent. Can you tell me a little bit more about that law?

Kim:   Well, you know we have had lots of systems that reveal the information about the user without the user knowing about it. And then the user finds about it. And the user… as if there is one, but… you know, a great number of the users who find out about this don't like it. I mean, it is a basic thing that when… if you want a system to succeed, people should like it. Right? If they don't like it , they are going to use some other system.

Ron:   Can you give an example of where systems have done that sort of thing?

Kim:   Well, I will, and you know it's not pretty, but for example there are times when some of Microsoft's products reveal… you know… how to GUID it in them that was constant and essentially ended up identifying the documents coming from a particular source, right? It wasn't intentional in any way but it was… effectively ended up being an identity system… a non-intended identity system, and actually it is part of my thinking that a lot of these unintended consequences in this area of identity systems and intended consequences which are really more, much more propitious than the intentional ones.

Ron:   You know, as I recall, the guy who wrote that, that massive "I love you" virus that was the Word macro was nabbed through that GUID, wasn't it?

Kim:   Yeah, he may have been, but that doesn't mean that was the only way to nab him, right?

Ron:   Right, I just remembered that it was an interesting way that they figured that out.

Kim:   Yeah, you know that there are lots of ways that you could have nabbed him without at the same time compromising the privacy of the entire population of the world.

Ron:   Well, sure, I mean, you know, it would... A great way to reduce crime would be to make every little bit of information public, but that's not the goal here.

Kim:   Put everyone in prison… Cut it down to the minimum.

Ron:   Sure, right.

Kim:   But I mean, part of the problem is if you start having GUIDs and things like that, that link all of the information of a certain kind together, you're starting to create… It's not simply a privacy problem, it's the problem of security of the system. So, it now becomes possible if you breach the system to end up with a lot more of the systematic knowledge of what you've done right… Because you've got these linking GUIDs, you've got these identifiers, etc.

I'll give you an example, if we ended up using the same identifiers for every Web site we go to, right… I mean, that's a privacy violation in the sense that the different Web sites can now correlate the information we didn't intend them to correlate. It's also at the same time a mechanism, which means if somebody broke into that kind of a system, they could do a lot more damage by knowing that… sort of… by having access to that super dossier than they would be able to do if they broke into one system.

Ron:   But that's sort of the big problem about today's world of user names and passwords, is just that a lot of people... Hey, I'm guilty, I try to use the same user ID on every Web site I can possibly use it on, because I can't remember all the various combinations that I've used.

Kim:   That's cool… Wow!

Ron:   I hope none of those Web sites figure that out, by the way!

Kim:   Do you use the same passwords, too?

Ron:   As much as possible... Yeah.

Kim:   Well, you know, and maybe for the lot of the Web sites that you are visiting it doesn't matter because… you don't really… you know… They are asking you for your identification, and it doesn't really… you don't feel very strongly about it.

Ron:   Yeah.

Kim:   Do you use the same user name and passwords on your bank account, for example?

Ron:   No, no, I don't there... yeah, because...

Kim:   Are you sure?

Ron:   I'm sure, because who cares if you know who can see how many frequent-flier miles I've on an airline? I don't care about that, maybe might be able to redeem them, I guess. But on my bank account, I care about that.

Kim:   Yeah. Yeah, and one of the ways that people actually take advantage of this kind of thing is they set up a sort of… sites like… Let's say a golf site, and they set up this golf site and actually run a real golf site and you're interested in golf, and so you know… You go to this golf site and you use this user name and password, and if you are actually one of these people who uses the same user name and password everywhere—of which are many, many, many—you've now… I can now take that and start working on major Web sites.

Ron:   Right. Oh, yeah. Sneaky!

Kim:   Yeah, so you're harvesting… You can set up apparently legitimate Web site that are used to harvest other Web sites. Part of my job that is a very bizarre part of it is I have to listen to all these mechanisms that are being used to attack, you know, what you are doing on the Web. So, that was another thing that led me to get involved in these laws of identity. You know, I just can't stand this any more.

Ron:   Do you actually spend time talking to security investigators who, like, figure out that kind of attacks these guys are doing?

Kim:   Oh, absolutely. I talk to people across the industry who are… You know… Each of them has their own story of, "Wow!" etc. You start to put it all together and you go, "Oh, my god," this is a chaos, really, and we have a… We invented the Internet and there is no systematic way of doing identity, therefore everybody makes something up… And what do we call that if everybody makes something up? We call it a kludge, right? So, let's face it , it's the patchwork of kludges, and at the same time the amount of business that's being done on the Web is increasing, so it's no longer just something for having fun… right… You know people are doing real… I was talking to somebody who bought a house on the Web…

Ron:   Oh, my gosh! Wow! You know, it's interesting: This is the holiday season, and I've been doing a lot of shopping for gifts, you know, and I was noticing Saturday was that... Using my American Express card like crazy, OK, I was like charging, charging, charging, every store accepted it without questioning, didn't look at any identity, didn't ask for anything as long as I did this electronic signature, they didn't even look at that, except for one... One store, where I made a $9 purchase, insisted on seeing my driver's license, and I thought, "Good for them," you know, "somebody cares about this," but...

Kim:   It's also that you are famous.

Ron:   I guess so, but it's almost like you know we have this system where it's like, Hey, we are making money , just shut up and let's go with it... you know, and, Why should we have a big headache here?

Kim:   Yeah, and… That's fine. Let's go back five years and think about what we thought about phishing and identity theft on the Web. We thought… Oh,… I mean, it didn't appear on the radar, did it? And you go five years forward and you look at what happened in terms of spam and basically the criminalization of the thing… And now put yourself… I mean, I'm an architect and so… All joking aside… I do have to think ahead, right?

Ron:   Yes.

Kim:   So, let's think ahead 5 years or 10 years or 15 years and assume that we don't do anything about it… and… I mean,… Actually, you know… CAGR is the compound annual growth rate, it's sort of a way of looking at an aspect of the industry and seeing how healthy it is. Well, the CAGR for this kind of identity theft and of attacks is over a 1,000 percent. I mean, there is one of the cards of institution that is the healthiest.

Ron:   It's a boom.

Kim:   Yeah. So, you know, you think ahead 5 years, 10 years, if we don't do something about it, and basically the… There is going to be a crisis of confidence in the Internet… We have to act now. Even if we act now, it takes us—what, three years? Five years? How pessimistic are you?—you know, some number of years before that turns into something measurable that we have done.

Ron:   You know, it is interesting that almost all ways in which we transact business on the Interdebt... Internet, rather...

Kim:   Interdebt…

Ron:   Yeah, the Interdebt, yeah... That's a good way of looking at it. That causes to have to reveal whole lot of information about our identity to everybody involved in the transaction in order to get anything done.

Kim:   Well, that gets down to some of the other laws, like the second law… And I don't claim that these are all original or anything, it's really the way they are assembled that is interesting… But, for example, the second law is that you should never ask for more information than you require. This is the whole thing, you know… Just get the extra information, just in case we need it one day… You know, it will be nice… That way, we'll have it there, and so what you end up creating if you do that is this honey pot that then becomes attackable. So, one of the things we should do to make the system succeed is just not store stuff that we don't need. That's easier to do if it's easier to get stuff when you do need it. So, there are all kinds of implications in that.

And the third law is in the same direction, which is, Tell people who will be sharing access to that information, and that way it would basically be more pressure on you to reduce the access to the information to the minimum. So, once again, you reduce the honey-pot effect and you reduce the chances of a breach, so I guess the over point there is that what people look at is privacy concerns ultimately tend… end up being, ah… security concerns. By embracing the privacy issues, we embrace all of the matters of hygiene in terms of building a secure system.

Ron:   Well, speaking of hygiene, I mean I was... It drives me crazy if I go to see a doctor or some chemist-specialist, and they give some kind of a form to fill out, and they always ask for your social-security number, and I'm like, What on the earth do you need that for? And I guess they want it so that if they don't pay or something, then they can go after me for collections or what-not, but I begin not to put that down because I'm like, You are my doctor, you don't need to know that, OK, and because it's a tremendous liability for them to have that information in their files and they just have it on paper sitting in the file cabinet that any old and employee could run by and grab that.

Kim:   Oh, yeah, and there is this guy in England, you know, Toby Stevens, who has developed this idea… In Europe, they have a lot of discussions about what they call data governance, so he has developed this notion of data rejection… and so that is the highest form of data management, is data rejection . But that's interesting, because I went to a pharmacy the other day and they asked me, you know, I guess if you went to a doctor they are trying to make sure that you really have health coverage, and so on I went to a pharmacist and I wanted to pay cash and they still wanted my social-security number and I said… And they wanted to stick it into a computer. I said, No, you can't stick it in your computer, and they said that, you know, We have to take your social-security number and we have an alternative system, and I said that is the alternative system, and I said, We write it down on this piece of paper which has your name, your address, your social-security number, and then we stick these all in this box that is kept under the counter in the pharmacy.

Ron:   Oh, yeah, that makes you feel good.

Kim:   Yeah, that's great.

Ron:   Well, it is kind of crazy how, you know, 10 years ago nobody thought anything of that and we are, you know, every body goes, Hmm, we need some form of unique identifier for people and, well, most folks have a social-security number and let's just use that, and so they built a lot of apps that relied on that as an identifier and...

Kim:   Right, and, you know, I think you have to go forward to the… You know, once again, you have to go forward 10, 20 years and imagine, you know… I'm sure you see all kinds of stuff going on around, and here there is very interesting… you know, coming out of futuristic thinking, and you know it's going to happen. I mean, all of this ambient stuff, right, where your entire environment is going to be responding to your identity and, I mean, how far do you want to go, are there any boundaries to that? Are we going to have any boundaries?

For example, I know the software coming out of these new companies is actually reading everything we are reading as we read it and creating a profile on us about… so they can offer handy helpful suggestions on about what else we should be reading and everything else. And, you know, so there's an example of this little accessory, you know, this helpful accessory sort of like a paper clip, you know, can be more helpful, you know, which actually is a knowledge… a very deep knowledge about what you are thinking, right? Now, what is going to have access to that knowledge, I mean, you know, where does that end? Does that end at the boundary of your house? Does it end, you know… When I go to your house, is your system able to tap into that system of knowledge of me and what I'm thinking? And so on… So, I'm not implying that there is any great negative plot here. What I'm implying is that there are big issues about where the edge of our thinking and our minds and so on are going to be defined in the virtual age.

Ron:   Well, you know the other interesting thing here, OK, the fourth law you talk about is directed identity. You say, "A universal identity system must support both 'omni-directional' identifiers for use by public identities and 'unidirectional' identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles."

Kim:   Isn't that beautifully written?

Ron:   That is beautiful. What does that mean? It sounds good, but I want to know what it is!

Kim:   Wordy or what, aye? Well, OK, we've sort of taken it for granted that everything is grammatical and, you know, if we go to a service it identifies itself and we as an individual identifies itself, and those things are sort of peers, but in fact it… you know… We aren't really peers from a privacy point of view. If I've a store, an online store, I want it to be as well-known as possible. I want everybody to know everything about that store, so that I can get as many customers as I can, but when I'm going into that store, that's another thing. I mean, once again, it's the question of how many of these agents are looking over my shoulder about what I'm purchasing in the store and what I'm looking at and rejecting and thinking about. Am I going to be helped to death? So, what I'm saying is that the identity that you should go into the store with as an individual should be different every time you go into a different store, unless you want to cook them up, whereas the identity of the store, public things, it's fine for those to be publicly known, public things, so there is a difference between the sort of the requirements of the individual and in their private mode as you know as a single individual, and something like a store or television station or government or something like that, and we should respect that.

Ron:   So, in my wallet I have cards from various stores who offer me a discount or better price or something if I go to the checkout and wave my card, and they go, Oh, yeah, you get a better price. So, is that an example of this kind of a unidirectional identifier that I'm going to identify myself as something more than a shopper, I'm Ron Jacobs, and here's the history of everything I buy from you guys?

Kim:   Yeah, I mean, and those sorts of brand loyalties for cards are unidirectional. I've also seen in… Where I come from, in Canada, they have a thing called an airline or air-points card or something, where you have the same tracking number that is used across all of your purchases.

Ron:   OK, so that lot of different merchants can participate.

Kim:   Yeah, and then they can start to put together knowledge of you and use that every time you walk into the store. Right now, they don't know what your identity is when you first walk in, but you can imagine once we have our RFID that you just walk in and they'll know, Oh, here is a shopper, he hasn't bought anything in the last two months and, hey, we are not going to serve him.

Ron:   Could it be like... in Minority Report, where Tom Cruise is walking to the mall and all those, you know, holographs are going, Hey how, about those pair of pants you bought last year, how are those doing?

Kim:   That is not… In my view, that is not science fiction, that is this ambient atmosphere that people are talking about, and that's inevitable that that's going to happen. Now, the question is to an extent we as individuals can control how that happens.

Ron:   Oh, yeah, you know, actually...

Kim:   And that's what these laws are really about.

Ron:   And, you know, I have to say, for a long time I went through and just accepted all this, right. Then the other day, I went to a toy store, of all places, and they said... I'm going to check out, and they say, Can we have your phone number? And I said, No, you cannot have my phone number. What do you need my phone number for? I'm just buying a toy, you know. What if I just want to pay cash and want to be anonymous guy? You know, why should I give you my phone number? That's annoying.

Kim:   You know what, about the similar… Now our signature is… My signature is in thousands and thousands of scanned databases everywhere, so… What's the value of my signature?

Ron:   True, and I usually make a horrendous version of my signature on those little electronic things.

Kim:   Well, I actually saw something… somebody's blog, where he made it an art form to… to sign his checks in various ways that had nothing to do with his signature.

Ron:   That's a good point. Yeah, I never thought about that. Someone could just take one of my digital signatures, slap it on a document, you know, I probably would have a hard time telling it was different.

Kim:   Well, we have to… As architects and technologists, we have to assume that all our systems will be breached.

Ron:   Yeah.

Kim:   It's not… See, I'm going to build this system so it won't be breached, right, I'm going to build a dike so it won't be breached, right. Sure, it won't be breached; one day, it will be breached. Now, what happens?

Ron:   Right.

Kim:   So, and you know it's funny because once we had a law in California that… saying that, you know, identity breaches had to be reported. It was like there was, like, millions of them, right, they were reported everyday, you think that the world had really fundamentally changed, but all that really changed was that it was the reporting.

Ron:   Yeah.

Kim:   Of course, people don't call it as identity theft or theft of identity information, it calls it a loss, right, because one doesn't know where, you know, where that thing goes.

Ron:   Well, my question is how do they even know about all the ones that happen? I mean, they probably can't know about all of them.

Kim:   They can't know about all of them. And, so, we have to take it as a given that things will be breached.

Ron:   Yeah.

Kim:   Right, OK, so once they are breached, that means for example all the whole bunch of those systems that have my—or your—signature in electronic form are going to be breached, and maybe it will be there along with your phone number amalgamated with other information brought in from various third parties, so that they have everything up to your social-security number and, who knows… So, what I'm saying is… If, if, if, if… that you know, as the world moves in that kind of direction… There is going to be a lot of pushback to it. The pushback will undermine the creation of an identity system or any kind of an identity system. My ideas on the laws of identity is, Let's… Let's think ahead, figure out there will be breaches, figure out there will be these real problems if we don't start to act, you know, in a more mature way and build those things right from the beginning, so we don't hit those problems.

Ron:   OK so that brings me to the fifth law, which is pluralism of operators and technologies, where you say, "A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers." This kind of takes me back a few years, when we had this grand vision for Passport, we were like the uber-identity that just everybody would get one of these and you want it to be your one identity that everybody could trust.

Kim:   Yeah, wouldn't that be nice?

Ron:   Yeah, that would have been great. Why didn't the world go for that? I don't know.

Kim:   Wow… The world… There is no one identity that you want to use. You don't want everybody to know equally about you in all contexts.

Ron:   Hmm, hmm.

Kim:   You know… There are some people who do. There are some people who are really truly public characters and don't give a darn if anybody knows about anything… you know and… in terms of their lives, and so on.

Ron:   And they are usually dead. [Laughter]

Kim:   I was assuming it was his… I have a friend, I have one friend that is perfectly that way, and I myself, you know, am not particularly, you know, concerned about these things as an individual. But I have a fairly public life… But when I call fairly… But when it comes to, you know, to do this kind of thing, you know, I use different identities to do different things. So, for example, I don't personally want to use my government identity when I go to my bank. I don't want the government to get close to… more closely involved with my bank and my banking than it already is. I don't want to use my banking identity when I go and, you know, sort of reading stuff on the Web like… I don't… When I log into the New York Times, do I want my bank or my government to know how long I spent reading each article, or what my profile is in terms of articles, and so on?

So, I just think that it's inevitability that people would want multiple ways of expressing their identity. You know, and they would want to be able to have what we call contextual separation between the different aspects of their life. The other thing is what is, you know… We are just at the beginning of what identity systems can be; technologically, there are some really amazing systems coming out of the university area that have these wonderful properties. I can't go into them at this point, but, you know, they are so much better that anything that exists right now. So, we don't want to build our system to be closed off from the way it can evolve in the future, so therefore if you don't want to do that, what you need is the system that embraces multiple ways of doing things. And one last thing: If you even look at Microsoft, the different technologies we have here… We have Kerberos of the kind that is used with Active Directory, we have PKI used with certificate authority, and so on.

We have Passport, we have this, we have that in different aspects of our products, so we already have many multiple ways of doing things, and so what I'm saying is, you have to allow that to coexist, but that doesn't mean that once somebody gets to a site they see this confused mess of possibilities, you know… What if they see, you know, 20 options they have to choose from…? And in terms of how they are going to identify themselves, you know, it will drive them crazy, and they will become even more confused about what's safe and what's not safe than what we have today.

So, you need this set of multiple… this pluralism around technologies and who operates them, but at the same time you need a way that makes it very simple to the user, where they can choose which identity they want to use in a given context; so, that's the seventh law. I've jumped it because they are kind of opposite to each other.

Ron:   Ah, I see, and the seventh law is consistent experience across contexts, so the unifying met system must provide a simple, consistent experience and... My laptop went dead... That's it, just... The battery is gone. I knew I had a problem when I didn't bring my power adapter today. But, OK, so, but really, when you think about this is a tremendous challenge, because like if you go to... If I went to my mother and said, you know, Get your X509 certificate from the certificate authority and present it... Now, she would just get, you know, her eyes would glaze over, she can't understand, that's not the way she is going.

Kim:   Yeah, and to tell you the truth, my eyes glaze over because, you know, I see these dialogues coming up out of the system and, you know, who knows if they are real, where they are coming from, what do they mean, etc., to what extent are they… Should I trust them? So, that's what… So, we have a project in my area called the InfoCard project, and what that attempts to do is to establish, you know, how… Say in terms of files and documents, everything used to be sort of just by all means, and you have to understand, you know, from the old DOS days, etc.

And then we got to the point where we could represent those things visually… So we have, you know, a picture of a file folder, picture of a document. Oh, yeah, that's a document, I can drag the document and I can use it… I… I understand it. It's turned into a thing rather than just some abstract concept, so we want to do the same thing is that with identities, so the different identities that we have that we use in different areas look like cards of the kind you would keep in your wallet and, you know, they can be branded, and one of them might be VISA and one of them might be American Express and another one might be just something that you use for browsing that you've made up yourself, you know, your Captain Kangaroo card and blah, blah, blah.

And these form a palette of identities that you could choose from, and so when you go to a site it actually instructs the system which kinds of identities it will accept, and then those ones slide up as cards, and you choose which one you want to use. So, we have had very good usability experiences and… you know, when we were testing this kind of system, and I believe that both me and your mother could use.

Ron:   Well, that's perfect, because that's what we use everyday, right, if I... When I go to the gym, I present a card that says, This is my identity here at the gym and I belong here, and I go, you know, I get stopped by a police officer, he asks for my government-issued identity to see my driver's license, you know, so I have cards for different contexts and I present them, and that only certain ones are acceptable in certain contexts, so I think that's perfect.

Kim:   Yeah, I mean, it's so obvious. So, you know, it's awful when you create something so obvious, but, anyway…

Ron:   You know.

Kim:   I feel like an *****.

Ron:   It's amazing, when I just got my Tablet PC, you know, the other day, right, and I had it opened in the tablet mode and the first thing that hits me is, How do you do control ALT DELETE with the pen, right, and then they had a little keyboard picture there side where CONTROL ALT DELETE on that this nice, little, friendly dialog pops up and says, you know, There's a button on this tablet that you can push to do that, and I remember thinking of all the usability things, like, that's the worst usability thing ever, that you had to press CONTROL ALT DELETE to log in, and I guess we are stuck with it for all these years, because it was the one key combination that you couldn't spoof.

Kim:   Yeah, yeah, they have… It's hard-coded down into the kernel.

Ron:   Well, anyway, Kim, thank you so much for joining me today, this has been really great.

Kim Cameron, ladies and gentleman, and the laws of identity!! Just love those lists. Don't you love a list like that? It's really fascinating to think about all the stuff related to the ways in which we identify ourselves. And I think it's really changing; this is a dramatic time of change in the industry, and the ways in which we think about identifying the people. Frankly, right now, the user-password thing that we've got is just not cutting it, it's just not rich enough, and we've got to change it or this whole identity-theft thing, you know, just going to go crazy. Well, we have a lot more coming up on our talk with some great shows, live show from the patterns & practices summit later this week, so stay tuned to ARCast.