one small voice: identity

Theseus Revisited

Identity persistence and Zooko's triangle.

Bob Wyman suggests that it's time to update Zooko's triangle by adding a dimension of persistence vs. non-persistence to the existing dimensions of unique vs. non-unique, global vs. local, and memorable vs. non-memorable.

First, it's important to clearly understand the meaning and import of Zooko's triangle (note well: the task is made harder by the fact that the property names at the above-referenced Wikipedia page are seriously confusing). Bob lays it out as follows:

The argument made by Zooko's Triangle is that no naming/identity scheme can provide all three of the attributes Zooko considers essential metrics of identity systems. For instance, while you might be able to build a "Secure and Global" naming system, in doing so, you would undoubtedly need to use identifiers that were not "memorable" -- at least not by mere humans. The importance of these three system attributes and the difficulty of producing systems which provide all three is generally well accepted by those in the naming/identity business.

As I wrote in XEP-0165: Best Practices to Prevent JID Mimicking, my understanding is that no one scheme can provide names that are simultaneously global, unique, and memorable (where a name could be an address, identifier, nickname, handle, etc.). However, certain combinations of names can together provide all three properties. Such combinations are commonly called petname systems. In XEP-0165, I use the following example:

  1. Let's say my JabberID is "stpeter@jabber.org". That ID is unique on the Jabber network ("stpeter" is unique at the domain jabber.org and the jabber.org domain is unique on the network because of DNS). It is also global (again because of our use of DNS). So "stpeter@jabber.org" is both global and unique, but it may or may not be memorable to regular old humans. If the JID were something more complicated like "j.peter.saint-andre@corp.jabber.com" or if we used an even less memorable ID such as "CFFC A717 0EAC 8051 58C4 224F 3CD5 C970 E495 30ED" (the fingerprint of my X.509 certificate) then it would be less memorable. As Meatloaf said, two out of three ain't bad. But it doesn't get us to a petname system.

  2. Let's say I assert to all Jabber users that my nickname is "PSA". That's quite memorable, but it's probably not unique (lots of folks could assert the same nickname). However, I want everyone to use that nickname for me, so in a sense it is global. I guess that's one-and-a-half out of three (two out of three if you're feeling generous).

  3. Let's say when you add me to your contact list, you give me a "handle" of "that Jabber protocol dude" and you never assign the same handle to any other person in your contact list. This handle is quite memorable to you and it is unique within your personal context, but it is purely local. Here again, two out of three.

What happens when we put these three names together? We have a global+unique address, a global+memorable nickname, and a non-global+unique handle. If you talk about me with another person on the network, you can refer to me as stpeter@jabber.org + PSA (but you must never mention that your handle for me is "that Jabber protocol dude"). If you receive a message from stpeter@jabbber.org (note the third "b"), your client will warn you that the sender is not "that Jabber protocol dude". Together this combination of names gets us closer to a system that provides the properties of global, unique, and memorable (GUM?). (Note: It's even better if we associate a cryptographic key, or fingerprint thereof, with the address / nickname / handle, but we'll look at that some other time.)
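The three-name combination described above can be sketched as a client-side check on incoming addresses. This is an added example, not code from XEP-0165 or from any XMPP client; the `Roster` class, the verdict labels and the edit-distance threshold of 2 are assumptions, and only ASCII typo-style look-alikes are covered, not Unicode confusables.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Contact:
    jid: str       # global + unique address, e.g. "stpeter@jabber.org"
    nickname: str  # asserted by the contact: memorable, not unique
    handle: str    # assigned by the roster owner: memorable, unique, local


def bare_jid(jid: str) -> str:
    """Drop the /resource part and lowercase. Simplification: a real client
    applies the XMPP string-preparation rules rather than lower()."""
    return jid.split("/", 1)[0].strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


class Roster:
    """Hypothetical contact list that enforces one handle per address."""

    def __init__(self, max_distance: int = 2):
        self.max_distance = max_distance      # assumed look-alike threshold
        self._by_jid: Dict[str, Contact] = {}
        self._handles: Dict[str, str] = {}    # handle -> jid

    def add(self, jid: str, nickname: str, handle: str) -> Contact:
        jid = bare_jid(jid)
        owner = self._handles.get(handle)
        if owner is not None and owner != jid:
            # The handle must stay unique within this roster.
            raise ValueError(f"handle {handle!r} already names {owner}")
        old = self._by_jid.get(jid)
        if old is not None:
            del self._handles[old.handle]     # contact is being re-labelled
        contact = Contact(jid, nickname, handle)
        self._by_jid[jid] = contact
        self._handles[handle] = jid
        return contact

    def classify(self, sender: str,
                 claimed_nickname: Optional[str] = None
                 ) -> Tuple[str, Optional[Contact]]:
        sender = bare_jid(sender)
        if sender in self._by_jid:
            return "known", self._by_jid[sender]
        # Not in the roster: is the address close to one that is?
        best = None
        for contact in self._by_jid.values():
            d = edit_distance(sender, contact.jid)
            if d <= self.max_distance and (best is None or d < best[0]):
                best = (d, contact)
        if best is not None:
            return "lookalike", best[1]
        # Nicknames are not unique, so a stranger may assert a contact's.
        if claimed_nickname:
            for contact in self._by_jid.values():
                if contact.nickname.lower() == claimed_nickname.lower():
                    return "nickname-reuse", contact
        return "unknown", None


def warning(roster: Roster, sender: str,
            claimed_nickname: Optional[str] = None) -> str:
    """Text a client could show next to an incoming message."""
    verdict, contact = roster.classify(sender, claimed_nickname)
    who = bare_jid(sender)
    if verdict == "known":
        return f"{contact.handle} <{contact.jid}>"
    if verdict == "lookalike":
        return f"WARNING: {who} is not {contact.handle!r} ({contact.jid})"
    if verdict == "nickname-reuse":
        return (f"WARNING: {who} uses nickname {contact.nickname!r} "
                f"but is not {contact.handle!r}")
    return f"unknown sender {who}"


if __name__ == "__main__":
    roster = Roster()
    roster.add("stpeter@jabber.org", "PSA", "that Jabber protocol dude")
    # Constructed sample senders, including the look-alike from the text.
    for sender, nick in [("stpeter@jabber.org/laptop", "PSA"),
                         ("stpeter@jabbber.org", "PSA"),
                         ("someone@example.net", "PSA"),
                         ("someone@example.net", None)]:
        print(warning(roster, sender, nick))
```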

Now to this "GUM" system, Bob Wyman suggests that we need to add "P" for persistence (GUMP?):

To the three attributes or axes of Zooko's Triangle, we need to add a fourth axis or dimension which is "Persistence" (i.e. that which relates to the difficult and controversial subject of Identity over Time). The result is a pyramid which allows us to better model constraints on the universe of achievable identity systems. For any of the three traditionally recognized attributes, we need to ask the question "For how long?" (e.g. For how long will an identifier be memorable? For how long will an identity system be secure? What determines the period of time during which a globally unique identifier can be considered "global?")

When Snow White met the dwarfs, the names "Sneezy," "Sleepy", and "Dopey" were highly memorable because those names were highly descriptive of the individuals identified by those names and because those individuals were constantly reinforcing the appropriateness of their names through very visible patterns of behavior. But, had Sneezy recovered from his allergies before meeting Snow White and had Sleepy previously learned to go to bed earlier, Snow White might have found their once memorable names to be less than memorable. (The memorability of the dwarfs' names was limited to a specific period of time.) Similarly, we are all well aware that we simply don't have the algorithms needed to build systems whose security is everlasting. Security is a temporal quality. No matter how "secure" you may intend your system to be, it is simply a matter of time and effort that is needed to break it.

It's true that all of the names I mention in my example could be non-persistent. Jer might forget to renew his registration for jabber.org and the domain might fall into the hands of someone who pulls the plug on the XMPP service there. I might decide to change my nickname from PSA to MaineBoy. You might decide to change your handle for me to "the guy who blogs at one small voice". My X.509 certificate might be revoked and I might generate a new one through a provider other than StartCom. I might get hit by a bus tomorrow and die on the way to the hospital, in which case my identity will become of only historical interest. Etc.

Well, sure -- everything is temporal (at least until the heat-death of the universe). I do think Bob's right that we do need to take better account of persistence -- or, more precisely, the lack of persistence -- in our identity systems. But I'm not yet sure if we need to expand Zooko's Triangle into Zooko's Pyramid in order to do that. We seem to function OK in Internet-space without persistent identifiers, since we use social norms to solve the problem of non-persistence ("sorry, changed my email address again"; "I'm no longer blogging here, go there for my latest posts"; "my old cert expired, here's my new cert"; "don't call me PSA anymore, call me MaineBoy"). That said, most people do have a persistent identifier in meatspace (in America we call it a Social Security Number). Do we need such a persistent identifier on the Internet? (I have an i-name, but do I really need an i-number?) I'm not yet convinced, but I haven't followed the argument very closely.

If anything, I tend to think that identity persistence is an emergent property of a combination of names. My email address changes but my JabberID and domain name stay the same during the transition; then I get a new cert but my (new) email address, JabberID, and domain name persist through that transition. Etc. As long as I don't change everything at once, we have as much identity persistence as the ship of Theseus did, which has enough persistence to provide a useful concept of identity for most people. Perfection (in this case, guaranteed persistence to the end of time) is not an option...

Posted on 2006-12-31 at 21:43. File under identity.

New WoT

CA + WoT = Strong Digital Identity?

Some folks who are associated in one way or another with the StartCom CA (first noted here) are talking about starting a web of trust project that would help build a stronger sense of digital identity. Check out their blog here. Though I like the general idea (since I like webs of trust) and I've left a few comments at the blog, I haven't yet had a chance to grok the idea in fullness. Expect more posts about this in the future...

Posted on 2006-09-14 at 12:57. File under identity.

Micro This!

To ubiquity and beyond.

Terrell Russell is encouraging various providers to start using the MicroID technology to show page ownership on the 'net. I'll be contacting last.fm and LinkedIn. If y'all do your part, I know we can achieve ubiquitous deployment by, oh, next Thursday or so. ;-)

Posted on 2006-07-13 at 12:01. File under identity.

MicroIDs Ahoy!

More standards in the making.

In my copious spare time, I'll soon be helping jer with standardization of MicroIDs, ably assisted by Fred Stutzman of ClaimID. Jer has posted more over at the MicroID blog.

(Given my work last year with Passel and my ongoing work with CAcert and other certification authorities, it seems that digital identity is most definitely my second technical pursuit -- after Jabber, naturally.)

Posted on 2006-07-05 at 13:51. File under identity.

Got PKI?

Why digital signatures are not working.

Barry Leiba observes that the public key infrastructure (PKI) and related personal encryption technologies are simply not working. Sure, the cryptographers have figured out pretty secure hashing algorithms and all that, but the usability and logistics of encryption and digital signatures are challenging even to geeks, let alone Aunt Tillie. Bob Wyman argues that we don't need PKI in order to have digital identity, which is true up to a point, but personally I think that strong digital identity is important because many kinds of messages can be forged and in many contexts identity-based encryption is a good thing. But it's not easy now and unfortunately it's not getting any easier, because it's hard to get it right (in part because the metaphors are not familiar to normal people). Barry says "we should be able to get certificates when we get passports or driver's licenses"; the folks in Estonia have done that (population ~1.3 million), but doing it in the USA (population ~300 million) or even one American state would be a challenge, I think.

Posted on 2006-04-19 at 14:21. File under identity.

Why Sign

Identity, digital signatures, and high-trust societies.

As mentioned recently, I digitally sign my email. Why? After all, by signing my email I vouch for what I say (no disowning it later) and I relinquish my anonymity. Wouldn't it be better to use some anonymizing service, not attach my name to what I say, not sign my mail, etc.?

Well, no. Here's why:

  1. Anonymity doesn't matter. I'm proud of who I am, so I don't feel the need to be some anonymous shmoo on the Internet. (If I lived in a repressive society, I might feel differently, but in free societies anonymity isn't important, at least to me.)

  2. Trust matters. As Francis Fukuyama has argued, societies with a high radius of trust (i.e., in which people readily associate with those far from their own kinship groups) are more successful. I want the Internet to be successful and to be a high-radius-of-trust extension of real life. One electronic marker of whether someone is trustworthy is whether they sign their email.

  3. Identity matters. To me, trust and identity go hand-in-hand. I don't particularly trust anonymous people -- I need to know who they are (or at least that they have a stable association with a key, a cert, a mailing list, a blog, a website, etc.). When I receive email from someone with only a nickname, I immediately discount what that person says. It goes all the way back to Aristotle's Rhetoric: one is more likely to listen to or believe the argument of one who has a good reputation (and reputation is impossible without identity).

In the early days of the Internet (when it was almost solely an academic environment), access was tied to identity, users were not anonymous, and the medium was a high-trust microcosm of society. Today, Internet users have extremely weak identity (if any), email addresses are easily forged, no one knows who anyone is, and the result is a low-trust electronic slum. Use of digital signatures, server certificates, and the like is a way to help build a higher-trust Internet (or alternative community within the Internet). Those who use digital signatures today are like urban pioneers in a bad neighborhood. It's not clear if we're going to overcome the forces of darkness. But at least we're trying.

Posted on 2006-02-27 at 22:13. File under identity.

Reputation

How information orders emerge.

One of the most important insights gained from scientific endeavor in the last hundred years or so is the centrality of information to the structure of life and human society. Consider:

  • In the late 19th century, economists began to recognize that prices are a form of information about supply and demand.
  • In the mid 20th century, biologists began to recognize that DNA is a form of information (indeed, probably the original form of information).

Another key form of information, which enables a wide range of commercial and societal interactions, is reputation. Because reputation is so important, care must be taken in correctly understanding its nature. Unfortunately, those who theorize about personal identity (especially digital identity) too often misunderstand the nature of reputation. A case in point is to be found in Trademark Law and the Social Construction of Trust: Creating the Legal Framework for on-line Identity by professor Beth Noveck of New York Law School. Where Professor Noveck goes wrong can be gleaned from the very title of her paper, which argues that reputation is a "social construction" (explicitly created by, and therefore the property of, a group) rather than an emergent property of social interactions. Her thinking about reputation (which she considers one aspect of, or in large measure co-extensive with, identity) is deeply influenced by the metaphor of social construction. Here are some relevant phrases:

  • "the way identity is constructed in online environments"
  • "the positive construction of reputation"
  • "in a social software environment ... identity is socially constructed"
  • "digital life is transforming identity and its construction"
  • "it is important to make clear how the collective construction of reputation in social software actually works in practice"
  • "the story we tell ourselves about identity and reputation does not make sense in a world of collaboratively-constructed reputation"
  • "this narrative about how identity is constructed does not comport with the reality of identity being, not something that we only invest in as individuals, but something that is directly socially constructed by the group"
  • "the fact that new social software transforms the construction of identity and reputation from an individual into an explicitly group process points the way towards trademark as the most apropos legal protection"
  • "trademark theory gives us a way to make sense of the landscape of on-line identity because it, too, concerns the social and collective construction of 'branding'"
  • "the trademark theory of identity helps us to distinguish between representation, which is weak, thin, and individually authored and stronger, thick, and communal construction of reputation"
  • "the public plays a role in constructing reputational identity"
  • "it is the group or the community ... that creates reputation"
  • "identity ... is not purely an individual construct ... it is inherently the work of the group"

We face here a false dichotomy: either reputation is purely an individual construct or it is inherently the work of the group. But recognizing that others play a role in reputational identity does not imply that others actively construct one's reputation. In particular, Noveck misses another possible explanation: that reputation is an emergent property of human interactions. Just as prices are not collectively created by economic actors in a market, so reputation is not collectively created by social actors in a community. Instead, reputation emerges; the fact that reputation seems orderly does not imply that this order was created or fixed by a group.

The point may seem arcane, but it has practical consequences. Noveck's argument for collective creation leads her, reasonably enough, to an argument for collective rights:

  • "we lack the mechanisms to protect the rights of the communities in the reputations that they collectively create"
  • "we need a view of identity that accounts for the malleability of representation and the collaborative creation of reputation and that recognizes the interests of the collective as well as of the individual in the way identity is constructed in online environments"
  • "this article proposes to re-center the doctrine of identity from one of individual rights to one that recognizes the group interest in the creation and use of reputation as a signalling mechanism for successful collective action"
  • "my aim is to focus on the social ascriptions of identity that support group belonging and collective action on-line"
  • "identity is a form of collective action"

Call me paranoid if you will, but I get concerned when thinkers talk about collective rights and collective action (we had quite enough of that in the 20th century, thank you very much). It is true that all individuals who wish to productively interact within a community benefit from the existence of reputation as a signalling mechanism; but that does not mean that reputation is a matter of collective interest or group belonging. Reputational signals are used always by individuals within a community and make it easier for those individuals to decide with whom to interact. Thus the benefits of reputational effects are dispersed among all members of the community. But it is a serious error of reification to therefore conclude that the group or community or collective realizes benefits, possesses rights, or pursues actions.

Consider again the analogy to prices. The emergence of prices from economic transactions between buyers and sellers benefits all members of the economic community that is concerned with the product or service at hand (and even members of economic communities concerned with other classes of goods and services, whose prices in turn are affected by the prices of goods and services in the first community). But prices are not therefore the property of all the economic actors in that community, they are not a collective creation of the community, and the group does not have rights to those prices. The same is true of reputation, and it is critically important to recognize the emergent nature of reputation if we are not to be led astray into notions of collective rights that will be inimical to individual participation in online communities.

Posted on 2006-01-28 at 20:37. File under identity.

Becoming a Citizen of the Internet

The significance of domain names.

While commenting just now on the proposed charter for the proposed Digital Identity Exchange working group at the IETF, Phillip Hallam-Baker observes:

To control your name on the Internet you have to own the domain name you rely on. If your web site is alice.blogsrus.com you are inevitably dependent on the continued terms of service of whoever owns the name blogsrus.com.

To be an Internet citizen rather than a serf you have to own your own domain name.

Truth.

(A truth that Chinese blogger Zhao Jing recently learned the hard way.)

Posted on 2006-01-13 at 10:07. File under identity.

IDPCs

Identity rights agreements, revisited.

Back in August I introduced the concept of Identity Rights Agreements. Over the last few weeks, I've been chatting about the idea a bit more seriously with Dizzy and Jer. So in line with Jer's post on 2006 as The Year of I, I thought I'd provide some insight into our thinking.

Recall the concept: I need the ability to specify how my information is to be used by online entities I interact with. But how? Ideally, someone would develop a way of tagging information so that I could, for example, tell an ecommerce site that my personal preferences are not to be shared with partners. Dizzy, Jer, and I have started to work on the concept in hopes of bringing it closer to reality. The basic idea is a kind of photographic negative of Creative Commons: rather than saying "here's something I've created, feel free to do anything you want with it except for X", when it comes to my personally identifying information I want to say "here's some information about me and you must not do anything with it except Y". When that statement is instantiated in code (such as an HTML form I submit), we're calling it an Identity Privacy Contract (IDPC).

So what are the equivalent in IDPCs of the well-known Creative Commons licenses? We see two dimensions here: whether you can store my information, and whether (and with whom) you can share it. Boiling that down has yielded five options:

  1. Don't Store, Don't Share
  2. Store, But Don't Share
  3. Store, Share Internally
  4. Store, Share With Partners
  5. Store, Share With Anyone

Let's look at each of these in a bit more depth...

  1. "Don't Store, Don't Share" means I'm providing this information to you only for the length of this transaction, where the time to live (TTL) of this transaction is zero. I think of the stores that ask for my ZIP code when I complete a cash transaction: they don't store that information and they don't share it with anyone, although in some computer system there's a counter that's incremented by one every time someone in my ZIP code buys something (conclusion: aggregation is OK). Similar functionality might be used by online polls and such. This ties your hands with regard to using my information, but sometimes that's what I want.

  2. "Store, Don't Share" means that you can keep a record of my information (e.g., in a database or cookie) and associate it with me (e.g., with my email address), but you can't share it with anyone else, not even other subsidiaries of your company. Your hands are tied less tightly here (perhaps you need to store the information to provide me with a better user experience or whatever) but the potential damage is limited since you can't share my information with anyone else. Note also that unlike "Don't Store, Don't Share", there is something of a real contract here, which needs to be time-limited (you can store this data for 2 hours or 2 weeks or 2 years); finally a real-life use for TTLs on cookies!

  3. "Store, Share Internally" opens the door a little wider: now you can share the information with other subsidiaries. The data still has a TTL, but you can use it to offer a more seamless service (or blast me with marketing messages).

  4. "Store, Share With Partners" gives you even greater freedom (now you can make money by selling this information to your partners or doing some co-marketing). But we stipulate that you must name your partners (good for small partner networks, not good for big partner networks) or describe the network (e.g., "all companies in the VISA network, all members of this federation, all subscribers to this mailing list"). But those partners must not share my information -- if they want to do anything with my information, they must negotiate directly with me.

  5. "Store, Share With Anyone" might seem strange -- why would I let you share my personally identifying information with literally anyone? Yet I think there is precedent here: consider blog comments or forum posts, where I provide an email address or URL that is under my control and you link to it from your blog or forum. You've stored it and you're sharing it with the world.

There is still much to work out here -- definitions of "aggregation", "transaction", "partner", "personally identifying information", and even "store", what counts as an address (required so that you can renegotiate with me or so that a partner can negotiate with me), and much more. But I think we're on to something. Stay tuned for more details...
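The five options can be modelled as a small policy check on the receiving side. This is an added illustration, not code from the IDPC effort: the `IDPC` class, the `Share` levels, the role and relation strings and the `.example` names are hypothetical. It assumes each sharing level includes the narrower ones and that partners are listed by name rather than described as a network.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet


class Share(IntEnum):
    NOBODY = 0    # options 1 and 2
    INTERNAL = 1  # option 3: subsidiaries of the collector
    PARTNERS = 2  # option 4: named partners
    ANYONE = 3    # option 5


@dataclass(frozen=True)
class IDPC:
    store: bool
    share: Share
    ttl_seconds: int = 0                   # 0 only for "Don't Store"
    partners: FrozenSet[str] = frozenset() # names, for option 4

    def __post_init__(self):
        if not self.store:
            # Option 1: data lives for the transaction only (TTL zero).
            if self.share != Share.NOBODY or self.ttl_seconds != 0:
                raise ValueError("unstored data has TTL 0 and cannot be shared")
        elif self.ttl_seconds <= 0:
            # Options 2-5: the contract needs to be time-limited.
            raise ValueError("a storing contract must carry a positive TTL")
        if self.share == Share.PARTNERS and not self.partners:
            raise ValueError("option 4 requires the partners to be named")


def may_retain(contract: IDPC, age_seconds: int) -> bool:
    """May the holder still keep a record that is age_seconds old?"""
    return contract.store and 0 <= age_seconds < contract.ttl_seconds


def may_share(contract: IDPC, age_seconds: int, holder: str,
              recipient: str, relation: str) -> bool:
    """holder is 'collector' (the party the data was given to) or 'partner';
    relation is how the recipient relates to the collector:
    'subsidiary', 'partner' or 'public'."""
    if not may_retain(contract, age_seconds):
        return False  # never stored, or TTL has run out
    if holder != "collector":
        # The text says partners must not pass the data on; refusing every
        # non-collector at every level is this example's assumption.
        return False
    if relation == "subsidiary":
        return contract.share >= Share.INTERNAL
    if relation == "partner":
        if contract.share == Share.ANYONE:
            return True
        return contract.share == Share.PARTNERS and recipient in contract.partners
    if relation == "public":
        return contract.share == Share.ANYONE
    raise ValueError(f"unknown relation {relation!r}")


if __name__ == "__main__":
    two_weeks = 14 * 24 * 3600
    # Constructed contract: option 4 with one named partner.
    c = IDPC(True, Share.PARTNERS, two_weeks, frozenset({"shipper.example"}))
    for who, rel in [("shipper.example", "partner"),
                     ("adnet.example", "partner"),
                     ("the web", "public")]:
        print(who, rel, may_share(c, 60, "collector", who, rel))
```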

Posted on 2006-01-06 at 21:31. File under identity.

Amphibious

More on expressing, sharing, managing, and controlling online identity.

I just took a walk with Dizzy, during which we chatted some more about online identity. One of the things I realized from our discussion is that most people don't even have an online identity that they might want to manage. Sure, there are freaks like me who've had large personal websites for ten years, and recently many more people have "gone amphibious" (leading a dual real/online life) with the emergence of blogging, but the vast majority of people do not express their identity online. However, as more people do more things online -- comment at blogs, edit wiki pages, send messages to public email lists, post to forums, participate in logged chatrooms, sell things at Craigslist or Ebay, review books at Amazon, post photos to Flickr, keep a blog, etc. -- they will leave enough traces to have an online identity whether they know/like it or not. At that point folks may realize that their online identity is something they probably want to consciously express, share, manage, and control. But not before.

Posted on 2005-11-10 at 12:27. File under identity.

DIX

Expressing, sharing, managing, and controlling identity.

There's an incipient effort at the IETF to work on digital identity (personally I prefer the term online identity). I just posted some thoughts to the DIX (Digital Identity Exchange) mailing list in reply to a kick-off message from RL Bob Morgan. Here is some of what I wrote:

People are increasingly "amphibious" -- they've got one foot in the old world of real-life identity and one foot in the new world of online identity. As more identity moves online, we need to find ways to express, share, manage, and control it. SAML uses the term "assertion" and I think we're talking about the same kind of idea in a personal context -- who gets to make assertions about who I am online? Perhaps part of the frustration with existing identity systems is that they do not put the individual in control (no fault of the existing identity systems, since individuals didn't have online identities back then).

Expressing your identity online, sharing it with others, managing it, and controlling its canonical expressions are important parts of what's happening. It seems to me that we need to really think about what each of these entails. For example:

  1. Part of expressing online identity may involve formulating a common language or flexible structure for capturing such assertions (which is already happening from the bottom up through Flickr, FOAF, tagging, and the like).
  2. Part of sharing online identity may involve figuring out how one can assert ownership over the information one shares (what some are calling identity rights agreements, kind of a Creative Commons in reverse).
  3. Part of managing online identity may involve improving on the existing, informal process of registering with websites, known as "email based identification and authentication" (EBIA).
  4. Part of controlling online identity may involve explicitly tying assertions to individuals (PKI again?) and treating individuals as the canonical source of information about themselves (without implying that others cannot make assertions about individuals, naturally).

In Passel we mostly focused on #3, but the other aspects are of inherent interest as well. It's not clear to me when standardization will happen in these areas, but if we adhere to the law of standards then I think we need to create some deployable technologies first, then formalize what works.

Posted on 2005-11-10 at 10:29. File under identity.

SSO Redux

Wired on identity again.

Wired magazine certainly likes to write about the prospect of single sign-on for the Internet. Last month it was a story about the GoingOn Network, today it's a story about a company called Just1Key. Perhaps one of these days they'll report on open technologies for SSO rather than centralized, closed-source solutions. Passel, anyone?

Posted on 2005-09-01 at 09:17. File under identity.

Splogging Along

Spim, spam, spit, splogs.

In the beginning there was spam. Then there was spim: spam over IM. Then there was spit: spam over Internet telephony. As Doc notes, now there are splogs: spam blogs. Mark Cuban observes:

We are exploring a variety of options. The blog hosts can obviously help, but I think the best solution will come from the pinging process that is used to let blog search engines know a new post has been added. If blogging is supposed to be a personal medium, I don't know why we can't use an email confirmation for blog posts. We do it for comments to keep out comment spam. Why not do it for blog posts?

Seems like we need a strong concept of identity here, eh? The blog hosts, for instance, could verify a person's identity using a system like Passel before allowing them to create a blog. As to blog pings, if folks used the Atom-over-XMPP protocol then aggregators would have a verified identity for the poster; alternatively, aggregators could require that the poster push the update to an HTTP URL that requires sign-in using Passel. Granted, we could do all this using PKI if everyone had X.509 certificates or PGP keys, but that's unlikely to happen anytime soon -- it's more likely that the much-ballyhooed "identity layer" for the Internet will emerge first (heck, even the Mozilla folks are getting into the act).

Posted on 2005-08-19 at 20:17. File under identity.

IRAs

Identity Rights Agreements.

While riding on the MAX from OSCON 2005 out to PDX with Doc Searls, Phil Windley, and Dizzy, we got to talking about something Diz and I chatted about the other night: the need for some well-defined policies (analogous to Creative Commons licenses) regarding how my identity information can be shared when I release it to a website or other Internet service. Just as the CC licenses specify that you can do anything with what I create (except, depending on the license, that you must share and share alike, attribute it to me, etc.), when I release identity information to a website I'd love to stipulate that it may not do anything with it (except, depending on the identity rights agreement, that it may share it with its subsidiaries or partners, or even post it on their website if I so agree, such as at a blog or Wiki). Developing the vocabulary and straightforward set of ~5 options for identity rights agreements will require collaboration among technologists, lawyers, and other interested parties. So let's get busy!

Update: Phil Windley has also posted about our discussion.

Posted on 2005-08-05 at 14:51. File under identity.

Passelating in Portland

Identity. Remixed.

Dizzy gave his talk on Passel this morning at OSCON and did a fine job. I'd say there were about 30 people there, the room was nearly full, questions were good, discussion was productive. Unfortunately Diz ran out of time and didn't get a chance to demo Passel for the assembled throng. But we did have some good follow-on discussions after his talk.

Posted on 2005-08-03 at 17:37. File under identity.


One Ring?

Going on about identity.

Wired speculates about the prospects for "one login to bind them all" as a result of a product announcement about the GoingOn Network. Well. I rather doubt that any one company is going to provide the "one ring" in the identity space. Better to trust in open protocols like Passel, create a truly decentralized network that puts the individual in control (no intermediaries unless you want them), and otherwise adhere to the laws of identity.

(Oh, and by the way, with this post I inaugurate a new category for identity.)

Posted on 2005-08-02 at 16:51. File under identity.


Passel

Open identity.

While I was away over the weekend, Dizzy unveiled Passel, the open identity technology I've been hinting at for the last few months. It's really Dizzy's baby; I just helped out with the whitepaper (which has a few inconsistencies and needs to be beefed up in a few areas -- will do that this week). More on Passel soon.

Posted on 2005-07-19 at 13:23. File under identity.


Putting a Lid on the ID

On national ID schemes.

Over on the Cryptography list, Perry Metzger (with whom I had an enjoyable dinner at Vatan in NYC a few weeks ago) eloquently explains why so many Americans oppose the idea of a national ID card:

I do not trust governments. I've inherited this perspective. My grandfather sent his children abroad from Speyer in Germany just after the ascension of Adolf Hitler in the early 1930s -- his neighbors thought he was crazy, but few of them survived the coming events. My father was sent to Alsace, but he stayed too long in France and ended up being stuck there after the occupation. If it were not for forged papers, he would have died. (He had a most amusing story of working as an electrician rewiring a hotel used as office space by the Gestapo in Strasbourg -- his forged papers were apparently good enough that no one noticed.) Ultimately, he and other members of the family escaped France by "illegally" crossing the border into Switzerland. (I put "illegally" in quotes because I don't believe one has any moral obligation to obey a "law" like that, especially since it would leave you dead if you obeyed.)

Anyway, if the governments of the time had actually had access to modern anti-forgery techniques, I might never have been born.

To you, ID cards are a nice way to keep things orderly. To me, they are a potential death sentence.

Well said, Perry!

Posted on 2005-07-11 at 15:23. File under identity.


OpenID

Yet another identity system.

Sam Ruby comments on OpenID:

  1. "If you have a webserver, can add something like the following to your template, and either can run a CGI script or know somebody who can run one for you, then you are in."
  2. "This design is also explicitly not trying to compete with the 'big boys'. In particular, it has no notion of trust."

I fail to see how those are good things, since:

  1. Not everyone has a webserver (for the most part only geeks are associated with URLs).
  2. An identity system without a trust model strikes me as close to useless.

The two points are not unconnected. If we're limiting the system to geeks and not trying to take on the big boys by appealing to Aunt Tillie, then we already have something of an implicit trust model, just as the Internet did before it was opened to commercial use -- it was rather difficult to get on the 'net in those days, so we could assume that most people using it were clueful and to be trusted (at least somewhat). Personally I think there are better approaches to identity on the Internet, but they haven't been released yet. ;-)

Posted on 2005-05-20 at 11:44. File under identity.


Identify This!

On the road to workable identity systems.

Dizzy is frustrated about complex identity technologies like Liberty, SAML, and the various WS-* protocols. I agree. In the spirit of John Sowa's law of standards, we need technologies that undergo iterative development and improvement in the context of small research projects, not unwieldy specifications designed by large committees. In the spirit of Adam Bosworth's recent keynote at the MySQL Users Conference, we need simple, even sloppy standards that scale (sloppy in the sense that you don't need to be a syntax guru to use them).

Will we achieve such technologies in the identity space? The signs right now don't look hopeful. Everyone is chattering about Liberty and SAML and WS-*, but ignoring the subject of all this identification: the individual. Individuals want, deserve, and must have control over who has access to their identifying information. Wouldn't it be great if I could be the one who says that Vendor X can know my email address, that Person Y can comment at or trackback to my blog, that Lender Z can see my FICO score? Unfortunately, giving that power to the individual would require the kind of decentralized architecture that would cut some kinds of power brokers out of the action (those who would love to be the center of the identity universe).

What would such a decentralized approach look like? One metaphor is that of the digital wallet (a patented idea, thanks to the USPTO) or identity portfolio. No matter what you call it, I have under my control certain credentials issued by various corporate and governmental entities -- banks, credit card companies, insurance companies, government agencies, and the like. There is no central identity broker -- I can show my driver's license to a bartender or CAcert assurer or whomever without asking the issuer's permission or forcing those who would check my credentials to have any kind of relationship with the Department of Motor Vehicles. And not only are my credentials under my control, but I can disclose the minimal information needed for any given interaction. That seems to me like a reasonable model for electronic identity, except that we can do better than driver's licenses and social security cards because the magic of electronic information and digital signatures means that issuers can generate and sign short-lived credentials whenever I ask for them, rather than long-lived paper documents that are relatively easy to forge.

There are three parties to a minimal identity interaction: the individual, the issuer, and the accepter. (I'm not sure what to call the party to whom I present my credentials: "accepter" seems rather neutral, but other possible terms are recipient, reader, checker, verifier, validator, viewer, presentee.) Some identity interactions might engage additional parties, such as a broker, but at a minimum the fewest parties you need are those three and only those three.
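The three-party model described above, sketched as an added example (not code from this post or from Passel): an issuer signs one short-lived credential per attribute, the individual presents only the attribute needed, and the accepter verifies offline with the issuer's public key. The function names, the issuer label `dmv.example`, the Ed25519 choice and all values are assumptions made for illustration.

```javascript
// Added illustration: names, the issuer 'dmv.example' and all values are constructed.
const crypto = require('crypto');

// Issuer: keeps the private key; accepters only ever need the public half.
const issuerKeys = crypto.generateKeyPairSync('ed25519');

// Fixed field order so issuer and accepter sign/verify identical bytes.
function canonical(c) {
  return Buffer.from(JSON.stringify([c.issuer, c.name, c.value, c.exp]));
}

// Issuer signs ONE attribute per credential, valid for ttl seconds only.
function issueCredential(privateKey, issuer, name, value, now, ttl) {
  const claim = { issuer, name, value, exp: now + ttl };
  const sig = crypto.sign(null, canonical(claim), privateKey).toString('base64');
  return { ...claim, sig };
}

// Individual: asks the issuer for fresh credentials and holds them in a wallet.
function buildWallet(now) {
  const issue = (name, value) =>
    issueCredential(issuerKeys.privateKey, 'dmv.example', name, value, now, 300);
  return {
    over21: issue('over21', true),
    fullName: issue('fullName', 'Pat Example'),
    address: issue('address', '1 Constructed St'),
  };
}

// Individual: discloses only the attributes this interaction needs.
function present(wallet, names) {
  return names.map((n) => wallet[n]);
}

// Accepter: verifies offline with the issuer's public key; no call to the issuer.
function verifyCredential(publicKey, cred, now) {
  if (typeof cred.exp !== 'number' || now >= cred.exp) {
    return { ok: false, reason: 'expired' };
  }
  if (typeof cred.sig !== 'string') return { ok: false, reason: 'bad signature' };
  const sig = Buffer.from(cred.sig, 'base64');
  if (!crypto.verify(null, canonical(cred), publicKey, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  return { ok: true, name: cred.name, value: cred.value };
}

// The bartender learns "over 21" and nothing else.
const t0 = Math.floor(Date.now() / 1000);
const shown = present(buildWallet(t0), ['over21']);
console.log(verifyCredential(issuerKeys.publicKey, shown[0], t0 + 60));
```

These are bearer credentials: anyone who copies one can replay it until `exp`, which is why the lifetime is kept short; binding a credential to a key held by the individual is outside this sketch.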

Kim Cameron goes on to define four more laws of identity beyond individual control, minimal disclosure, and fewest parties, but I think those are key. Yes, the resulting system or network must also allow public information while protecting private information (directed identity), enable multiple and diverse players into the marketplace (pluralism), be user-friendly and integrate with human ways of knowing and acting (human integration), and make it possible for the individual and accepter to negotiate what identity information is needed in a particular context and for the individual to gather the appropriate credentials from one or more issuers and then present the resulting aggregation of credentials in a unified way (harmonious contextual autonomy), but those are more advanced characteristics of a workable identity technology -- system designers need to keep those in mind, but they are not directly important to the individual, I think.

Cameron's laws or principles of identity define a tough set of requirements, but I think those requirements can be met with open technologies and simple, smart standards that emerge from the bottom up through experimentation and iterative development. But a small team needs to take the first step along that road and then present their findings to the world with working prototypes and well-defined protocols. Thankfully, I happen to know of such a team, but they're working in stealth mode right now while they hammer out rough consensus and running code. Stay tuned... ;-)

Posted on 2005-05-02 at 21:12. File under identity.


Identity Blogs

Mapping the identity space.

For various reasons, I've gotten interested in the topic of digital identity. For my own future reference if nothing else, here's a list of weblogs of interest in the identity space:

And of course there's the Technorati identity page, which yields interesting entries like this one on distributed authentication.

Posted on 2005-02-25 at 14:41. File under identity.


Entity and Identity

Some thoughts on digital identity.

Dizzy and I had a wide-ranging conversation today about identity. We agreed that trust and identity are two quite separate issues -- trust is something that is built on top of identity. But what is identity? Something's identity is the bundle of characteristics associated with it (often, but not necessarily, its more stable, essential, or distinguishing characteristics). But notice that word "something" -- the concept of identity depends on the more basic concept of entity. Identity is not merely that bundle of characteristics, it is those characteristics bundled together or integrated by the fact that they are all related to a particular entity.

For example, the folks at my local library might know me as the guy who shaves his head, has blue eyes, and always orders such interesting books through interlibrary loan (they also might know me by the number on my library card, but that's only once I hand them my card -- I know my library card number from memory, but I doubt they do). But they don't have in their heads a random bundle of "shaved head", "blue eyes", "lots of ILL books" -- those characteristics are integrated by the fact that they all pertain to a particular person. If someone else walked in with those characteristics, they would not mis-identify that person as me (in fact they'd probably look for differences, such as the fact that this other person doesn't have a goatee).

Now, in the physical world we are all familiar with the kinds of characteristics that we focus on in identifying other people, because humans have hundreds of thousands of years of experience in doing just that (and survival often depended on correctly identifying someone else). The challenge in the digital realm is that we have only a few years of experience in figuring out what the salient characteristics are -- and that most people don't have very many characteristics. I think this last point is significant, because lots of folks don't actually do much online (or what they do does not leave public traces). Other people have more online presence, as it were. For instance, I keep a weblog, have a website with many pages of content, periodically leave comments at other people's blogs, am associated with a public organization (the Jabber Software Foundation), post to lots of public discussion lists from a well-known email address, participate in archived chatrooms using a well-known Jabber ID, have photos of me online, have a PGP key, and so on. There are many ways to find me or find out about me (blog, personal website, organization website, email address, Jabber address, etc.), so that results in a larger bundle of characteristics than is associated with some random Joe who sends you a message.

But it seems to me that these are still all just bundles of characteristics. How does one integrate all those web pages, addresses, posts, archived conversations (etc.) into a digital entity? A lot of people and companies talk about digital identity, but it strikes me that we haven't even figured out digital entities yet (or, perhaps, figured out how to associate all of those digital characteristics with a physical person).

Posted on 2005-01-04 at 18:15. File under identity.


My Name, i-name

Bottom-up identity.

Jon Udell points to a longer exposition by Doc Searls on IdentityCommons (which provides stable "i-names" to individuals) and SXIP (Simple eXtensible Identity Protocol), two grassroots efforts at defining standards for personal electronic identity. If the law of standards holds true, the complex specs currently bandied about in the identity arena (Passport, Shibboleth, Liberty, WS-Federation) may not last forever. Complex is always bad when it comes to standards. As John F. Sowa says:

Many successful standards have been established for computer systems as well as everything from screw threads to grain sizes for wheat. But the overwhelming majority of successful standards are clarifications and revisions of interfaces that have proved to be effective without the support of a major standards body. What has consistently failed are the "proactive" attempts to design new systems from scratch that are declared to be standard before anyone has had a chance to implement them, test them, use them, and live with them. Some new systems succeed, but most fail, and even the most successful go through several iterations before the best configuration is found. Such design iterations are best done in small research projects, not in large public committees.

Unfortunately, How Sxip Works says "the Sxip Network consists of Homesites, Membersites and a central identity registry called the Root" -- and as a confirmed decentralist, I just don't trust any system that includes and requires a central registry. But I probably need to read more before I jump to The Island of Conclusions...

The "i-names" provided by IdentityCommons seem more promising -- especially since they don't have a trusted root for their "distributed, self-governing civil society" and I can act as my own i-broker -- so I've followed Doc's lead and reserved myself an i-name of =stpeter.

I still need to do more research on the XDI specs to figure out how they might help us strengthen identity and trust on the Jabber/XMPP network.

Posted on 2004-12-07 at 15:53. File under identity.


Peter Saint-Andre
