Kim published the Laws of Identity a bit more formally than the blog which has been their home until now (although the document smartly still links back to the Blog rather than delving directly into the deeper conversations that spawned the laws). The PDF and DOC versions are accessible from Kim's post along with a lot of commentary about them.

A few thoughts on the document.  The first thing that jumped out:  another reference to the wild west mentality I posted about previously:

"The later waves start to organize governments and authoritative positions (like Sherrif and Mayor) to be the trusted source of order and lawfulness but in doing so the original trailblazers need to give up more of the freedoms they were willing to work for.  These governing bodies assign Social Security numbers and track their citizens to maintain order.  This wave is all about stability, consistency and just using the west as a home to conduct their lives."

Kim mentioned this:

The absence of an identity layer is one of the key factors limiting the further settlement of cyberspace.

I know - hardly a smoking gun, but it really shows the thought process is that later stages require some level of stability and predictability and this leads to greater "settlement" of Cyberspace.  Identity is the sherrif and Social Structure that gives the settlers sufficient confidence to put down roots and start establishing a persistent identity in cyberspace.

There are a few points that I tend to disagree with (maybe for my own lack of background):

"...within a given context, identities have to be unique.  Many early systems were built with this assumption, and it is a critically useful assumption in many contexts.  The only error is in thinking it is mandatory for all contexts."

Maybe it's my enterprise mentality but even if I can't determine which specific person is the user uniquely, I still want to have a unique and consistent identifier for the user in MY service's context.  By not doing so, it can be difficult to track, support and understand the users' experiences over time at the service.  I wonder if this violates law 2 even though it's not disclosing the data, just keeping it for the betterment of the user's experience...

In law 1 (Consent and Control) Kim makes the point that "The system must first of all appeal by means of convenience and simplicity." 

My concern is that in past experience with systems that are sufficiently rich in capability to manage complex interactions (such as web browser security settings) tend to be complex out of necessity to provide sufficiently granular control.  Hence increasing consent and control appears to necessitate reduced simplicity as in the browser security model where a simple Green-Yellow-Red configuraiton for browser security would have obvious difficulties given the richness and variety of content and security.

In law 5 it skirts around the mention of inducing Chaos but instead talks about "self-organizaiton":

"It must be polycentric (federation implies this) and also polymorphic (existing in different forms).  This will allow the identity ecology to emerge, evolve and self-organize."

I would worry that the majority of the internet's identities are controlled by enterprises.  Enterprises rarely want to allow organization to impose itself, rather they would wish to impose organization on it's users to maximize uptake of services or optimize revenue, etc - fulfilling enterprise goals.  I appreciate the attempt at inducing Chaos and the self-organization of cyberspace but I think it's at odds with the predominant powers controlling the internet.  I look forward to Identity Gang grass-roots approaces attempting to turn this model on it's head.

Given these comments, don't get me wrong.  I think Kim (and the blogosphere behind the laws) has done a fantastic job and I agree with the majority of the paper (and intend to use it).  I am merely confused about a few points and want to continue the conversation.