Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Scratch-Pad of 20 December 1998
© Xamax Consultancy Pty Ltd, 1998
This paper is being prepared for submission to the Journal of Strategic Information Systems
This document is at http://www.anu.edu.au/people/Roger.Clarke/EC/OrgID.html
The identification of organisations is thought to be a prerequisite to public confidence in electronic commerce. The concepts of identity, identification and authentication are examined, as they apply to organisations operating in information infrastructure-enabled marketspaces. Generic strategies are proposed for dealing with the risks involved in electronic commerce. To complement the recent drive for increased authentication of identity, it is concluded that much more attention should be paid to value authentication, attribute or eligibility authentication, and authenticated pseudonymity.
It is widely believed that the growth of electronic commerce is being stunted by uncertainty among both businesses and consumers concerning the security of dealings in the virtual 'marketspace'. A major element of this uncertainty is the lack of clarity in cyberspace about who it is that you're dealing with. Hence the identification of organisations appears to be at the heart of the problem.
Despite the expressions of concern, there is a serious shortage of analyses of the underlying concepts and practices. This paper sets out to overcome that shortfall.
The paper commences by examining the underlying concepts of identity, identification and authentication. These ideas are applied initially to natural persons, and then to unincorporated and incorporated organisations. The manner in which organisations act in the real world is examined, including their dependence on human agents, and progressively also software agents.
The available approaches whereby organisations can be identified and authenticated are assessed, and specific challenges identified. This leads to an assessment of risks involved in electronic dealings, and generic strategies that can be adopted to address those risks.
talk first in terms of abstract 'entities'
Identity
Identification
Authentication
brief exposition on human identity, identification, authentication
reference to ../DV/HumanID.html
important to use this as a basis for an examination of the identity, identification and authentication of organisations
purposes of organisations:
historical development of organisations
incorporation and the 'legal person' concept
typology of organisations
A business enterprise is a legal person that conducts commercial transactions. There are three broad classes of business enterprise:
Bodies Corporate include entities that are created under statute law, in particular:
Other kinds of body corporate may be recognised under the common law, in particular the various forms of trust. A trust is an obligation, enforceable in equity, which rests on a person as owner of some specific property (the trustee) to deal with that property for the benefit of another person (the beneficiary), or for the advancement of certain purposes. Some trusts are responsible for substantial economic activity, such as trading trusts (whose trustees trade on the market on behalf of the beneficiaries), and unit trusts (where the trust is divided into units of specific values).
Bodies Politic are sovereign states, and components of sovereign states that have independent existence. The Australian States are bodies politic, having been established as colonies of the United Kingdom, and been granted independence at the time of federation; and the two self-governing Territories are bodies politic through Acts of the Commonwealth Parliament. There are therefore nine bodies politic in Australia.
Most government agencies are not themselves capable of entering into contract with anyone, because they are merely segments of the relevant nation, State, Territory, province (Canada), Land (Germany), Département (France), canton (Switzerland), etc. All Commonwealth portfolio departments, for example, are merely segments of the Commonwealth, not legal entities capable of entering into contract, or being sued, or themselves suing.
Some agencies, however, are established as bodies corporate, under the corporations law or under a special statute. Paradoxically, some of the agencies for which a portfolio department has fiscal responsibility may themselves be legal entities, capable of performing legal acts on their own behalf.
A great deal of business is conducted by unincorporated enterprises, including:
Such enterprises have no existence for the purposes of contracts and various other laws, and no ability to sue or be sued. The legal persons who are deemed in law to make up the enterprise are jointly and severally liable for its acts. Those legal persons are in most cases people, but can also be corporations or even bodies politic.
A business entity plays many different roles, and has many different kinds of relationship with many kinds of other organisations. Examples of these relationships include:
There are many circumstances in which it is most convenient for a business enterprise to recognise another business enterprise according to the role that it is playing. If one business entity fulfils several roles in its dealings with another business entity, it may have multiple identifiers.
An agent is an entity that has the legal capacity to formally represent another person or organisation, called the principal, and to bind them in contract. Agents may be appointed to act on behalf of people, or of bodies corporate.
Bodies corporate are a legal fiction that has served advanced economies very well, and continues to do so. There are serious practical limitations, however, on the extent to which acts can actually be directly performed by bodies corporate, and indeed by bodies politic.
There is an increasing number of examples of acts delegated to artificial intelligences, through such means as automated telephone, fax and email response; automated re-ordering; and program trading. Subject to some qualifications, legislatures and courts may be becoming willing to accept these acts as being binding on the entity concerned, at least under some circumstances. Despite the progress being made in computing and robotics, however, the vast majority of acts continue to be performed by natural persons on behalf of business entities.
Note, too, that where a body corporate or a body politic appoints as its agent another body corporate, that body corporate cannot itself perform acts, but must depend ultimately on some human agent. There may therefore be a cascade of agency relationships.
The identification schemes operated by business enterprises must be sufficiently sophisticated to distinguish between the acts and identities of principals, of intermediate agents, and of ultimate agents.
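As an added illustration of the cascade of agency described above (example code, not part of the paper), the following Python model registers entities of the kinds the paper distinguishes, records agency appointments, and resolves the chain from a principal down to the natural person who ultimately performs the act. The entity identifiers, names and appointments are constructed for the example; the only rule it encodes is the paper's own: a body corporate or body politic cannot act directly and must depend, possibly through further bodies corporate, on a human agent. A chain that never reaches a natural person, or that loops back on itself, is reported as an error rather than silently accepted.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class EntityKind(Enum):
    NATURAL_PERSON = "natural person"
    BODY_CORPORATE = "body corporate"
    BODY_POLITIC = "body politic"


@dataclass
class Entity:
    identifier: str      # constructed identifier (e.g. a registry number)
    name: str
    kind: EntityKind

    def can_act_directly(self) -> bool:
        # Only natural persons perform acts in the real world.
        return self.kind is EntityKind.NATURAL_PERSON


@dataclass
class AgencyRegister:
    """Entities plus, for each principal, the single agent it has appointed."""
    entities: Dict[str, Entity] = field(default_factory=dict)
    appointments: Dict[str, str] = field(default_factory=dict)  # principal id -> agent id

    def register(self, entity: Entity) -> None:
        self.entities[entity.identifier] = entity

    def appoint(self, principal_id: str, agent_id: str) -> None:
        self.appointments[principal_id] = agent_id

    def resolve_chain(self, principal_id: str) -> List[Entity]:
        """Follow appointments from the principal to the ultimate (human) agent."""
        chain = [self.entities[principal_id]]
        seen = {principal_id}
        current = principal_id
        while not self.entities[current].can_act_directly():
            agent_id = self.appointments.get(current)
            if agent_id is None:
                raise ValueError(f"{current} cannot act directly and has no agent")
            if agent_id in seen:
                raise ValueError(f"circular agency appointment involving {agent_id}")
            seen.add(agent_id)
            chain.append(self.entities[agent_id])
            current = agent_id
        return chain

    def describe_act(self, principal_id: str, act: str) -> dict:
        """Record an act so that principal, intermediate and ultimate agents stay distinct."""
        chain = self.resolve_chain(principal_id)
        return {
            "principal": chain[0].identifier,
            "intermediate_agents": [e.identifier for e in chain[1:-1]],
            "ultimate_agent": chain[-1].identifier,
            "act": act,
        }


def sample_register() -> AgencyRegister:
    """Constructed sample: a body politic acts through a company, which acts through a person."""
    reg = AgencyRegister()
    reg.register(Entity("BP-COMMONWEALTH", "Commonwealth (constructed)", EntityKind.BODY_POLITIC))
    reg.register(Entity("ACN-EXAMPLE-1", "Example Services Ltd (constructed)", EntityKind.BODY_CORPORATE))
    reg.register(Entity("NP-JANE", "Jane Citizen (constructed)", EntityKind.NATURAL_PERSON))
    reg.appoint("BP-COMMONWEALTH", "ACN-EXAMPLE-1")
    reg.appoint("ACN-EXAMPLE-1", "NP-JANE")
    # A loop between two companies: neither can ever act, so resolution must fail.
    reg.register(Entity("ACN-EXAMPLE-2", "Loop A Pty Ltd (constructed)", EntityKind.BODY_CORPORATE))
    reg.register(Entity("ACN-EXAMPLE-3", "Loop B Pty Ltd (constructed)", EntityKind.BODY_CORPORATE))
    reg.appoint("ACN-EXAMPLE-2", "ACN-EXAMPLE-3")
    reg.appoint("ACN-EXAMPLE-3", "ACN-EXAMPLE-2")
    return reg


if __name__ == "__main__":
    print(sample_register().describe_act("BP-COMMONWEALTH", "sign supply contract"))
```

The act record keeps three separate fields because the paper's point is that an identification scheme must not collapse them: liability attaches to the principal, authority is delegated through the intermediate agents, and the ultimate agent is the only party who physically performed the act.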
powers, rights and duties of organisations
actions in the name of an organisation
actions by an agent for an organisation, ultimately an entity capable of action in the real world (and perhaps sentience):
chains of agency, through multiple organisations
examples (if possible, within a typology) of:
challenges:
identification carries risks for the identified party: privacy, confidentiality, liability
motivations for avoidance of identification:
mechanisms for anonymity
alternative of pseudonymity
degrees of authentication
Need to work up an application of the classic categories of risk management:
supra-organisational comprises inter, multi, extra and public
differential strategies are appropriate for each
inter: partnering, closed systems, PN or VPN/extranet
multi, hub-and-spoke: ditto, but multi-lateral, with some form of hub-arrangement, physical or virtual
multi, cascading: ditto, but governance needs to reflect the once-removed relationships
extra: framework similar, but public Internet, and more emphasis on risk management
public: largely risk-managed
insurance
authentication of something other than identity:
'authenticated pseudonymity' as a balanced approach between anonymity and identification
foundational analysis provided for an aspect of EC that is very important
available for analyses by other authors
an indication of the basic theory's implications is provided, in the form of a set of generic strategies for organisations, and proposals for specific avoidance mechanisms that balance the various interests involved, namely value authentication, attribute or eligibility authentication, and authenticated pseudonymity
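As an added illustration of two of the proposals just listed, attribute or eligibility authentication and authenticated pseudonymity, here is a small Python sketch that is not part of the paper. A registrar (a constructed trusted third party) knows an enterprise's real identity but issues a credential that binds only a pseudonym and a set of attributes, authenticated with an HMAC over a canonical encoding. A relying party then authenticates the attributes it needs and the pseudonym, so that repeat dealings can be linked, without ever learning the identity; the registrar alone holds the pseudonym-to-identity mapping. The attribute names, key and identities are constructed for the example. Because HMAC is symmetric, the relying party here verifies by calling the registrar; an issuer signature would be the substitute where offline verification is wanted.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple


def _canonical(payload: dict) -> bytes:
    # Deterministic encoding so that the same payload always yields the same tag.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class Registrar:
    """Constructed trusted party: knows identities, issues pseudonymous attribute credentials."""

    def __init__(self, key: bytes):
        self._key = key
        self._escrow: Dict[str, str] = {}  # pseudonym -> real identity

    def issue(self, real_identity: str, attributes: Dict[str, str]) -> dict:
        pseudonym = secrets.token_hex(8)          # fresh, unlinkable to the name
        self._escrow[pseudonym] = real_identity   # held by the registrar only
        payload = {"pseudonym": pseudonym, "attributes": attributes}
        return {"payload": payload, "tag": self._tag(payload)}

    def _tag(self, payload: dict) -> str:
        return hmac.new(self._key, _canonical(payload), hashlib.sha256).hexdigest()

    def verify(self, credential: dict) -> bool:
        """Online verification service used by relying parties."""
        expected = self._tag(credential["payload"])
        return hmac.compare_digest(expected, credential["tag"])

    def unmask(self, pseudonym: str) -> str:
        """Identity disclosure, reserved for the registrar's own escrow procedure."""
        return self._escrow[pseudonym]


def check_eligibility(registrar: Registrar, credential: dict,
                      required: Dict[str, str]) -> Tuple[bool, str]:
    """Relying party's check: authenticates attributes and pseudonym, not identity.

    Returns (eligible, pseudonym); the pseudonym is empty when the check fails.
    """
    if not registrar.verify(credential):
        return False, ""                       # forged or altered credential
    attrs = credential["payload"]["attributes"]
    if any(attrs.get(k) != v for k, v in required.items()):
        return False, ""                       # genuine, but not eligible
    return True, credential["payload"]["pseudonym"]


if __name__ == "__main__":
    registrar = Registrar(b"constructed-registrar-key")
    cred = registrar.issue("Acme Imports Pty Ltd (constructed)", {"licensed_importer": "yes"})
    print(check_eligibility(registrar, cred, {"licensed_importer": "yes"}))
```

Two properties are worth checking against the paper's argument: changing an attribute after issue invalidates the tag, so eligibility cannot be self-asserted; and the pseudonym returned on successive checks is constant, so a counterparty can build a dealing history against it while the identity remains with the registrar.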
Created: 23 October 1998
Last Amended: 20 December 1998
These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University: Visiting Fellow, Faculty of Engineering and Information Technology, Information Sciences Building, Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456, 78 Sidaway St, Chapman ACT 2611, AUSTRALIA. Tel: +61 2 6288 1472, 6288 6916