The World Without “Identity” or “Federation” is Already Here
My friend Alec Muffett thinks we should do away with “Big I” Identity. I’m all for that … but Alec seems to be quite confused.
Firstly, his central point, that all modern electronic identity requires the involvement of third parties, is just plain wrong. OpenID, which he doesn’t mention, is all about self-asserted identity – I put stuff on webpages I own and that’s my identity. Cardspace, to the extent it is used at all, is mostly used with self-signed certificates – I issue a new one for each site I want to log in to, and each time I visit that site I prove again that I own the corresponding private key. And, indeed, this is a pretty general theme through the “user-centric” identity community.
Secondly, the idea that you can get away with no third party involvement is just unrealistic. If everyone were honest, then sure, why go beyond self-assertion? But everyone is not. How do we deal with bad actors? Alec starts off down that path himself, with his motorcycling example: obviously conducting a driving test on the spot does not scale well – when I took my test, it took around 40 minutes to cover all the aspects considered necessary to establish sufficient skill, and I’d hesitate to argue that it could be reduced. The test used to be much shorter, and the price we paid was a very high death rate amongst young motorcyclists; stronger rules have made a big inroads on that statistic. It is not realistic to expect either me or the police to spend 40 minutes establishing my competence every time it comes into question. Alec appears to be recognising this problem by suggesting that the officer might instead rely on the word of my local bike club. But this has two problems, firstly I am now relying on a third party (the club) to certify me, which is exactly counter to Alec’s stated desires, and secondly, how does one deal with clubs whose only purpose is to certify people who actually should not be allowed to drive (because they’re incompetent or dangerous, for example)?
The usual answer one will get at this point from those who have not worked their way through the issues yet is “aha, but we don’t need a central authority to fix this problem, instead we can rely on some kind of reputation system”. The trouble is no-one has figured out how you build a reputation system in cyberspace (and perhaps in meatspace, too) that is not easily subverted by people creating networks of “fake” identities purely in order to boost their own reputations – at least, not without some kind of central authority attesting to identity.
Yet another issue that has to be faced is what to do about negative attributes (e.g. “this guy is a bad risk, don’t lend him money because he never pays it back”). No-one is going to willingly make those available to others. Once more, we end up having to invoke some kind of authority.
Of course, there are many cases where self-assertion is perfectly fine, so I have no argument with Alec there. And yes, there is a school of thought that says any involvement with self-issued stuff is a ridiculous idea, but you mostly run into that amongst policy people, who like to think that we’re all too stupid to look after ourselves, and corporate types who love silos (we find a lot of those in the Liberty Alliance and the ITU and such-like places, in my experience).
But the bottom line is that a) what he wants is insufficient to completely deal with the problems of identity and reputation and b) it is nothing that plenty of us haven’t been saying (and doing) all along – at least where it works.
Once you’ve figured that out, you realise how wrong
I am also here not going to get into the weirdness of Identity wherein the goal is to centralise your personal information to make management of it convenient, and then expend phenomenal amounts of brainpower implementing limited-disclosure mechanisms and other mathematica, in order to re-constrain the amount of information that is shared; e.g. “prove you are old enough to buy booze without disclosing how old you are”. Why consolidate the information in the first place, if it’s gonna be more work to keep it secret henceforth? It’s enough to drive you round the twist, but it’ll have to wait for a separate rant.
is. Consolidation is not what makes it necessary to use selective disclosure – that is driven by the need for the involvement of third parties. Obviously I can consolidate self-asserted attributes without any need for selective disclosure – if I want to prove something new or less revealing, I just create a new attribute. Whether its stored “centrally” (what alternative does Alec envision, I wonder?) or not is entirely orthogonal to the question.
Incidentally, the wit that said “Something you had, Something you forgot, Something you were” was the marvellous Nick Mathewson, one of the guys behind the Tor project. Also, Alec, if you think identity theft is fraud (as I do), then I recommend not using the misleading term preferred by those who want to shift blame, and call it “identity fraud” – in fraud, the victim is the person who believes the impersonator, not the person impersonated. Of course the banks would very much like you to believe that identity fraud is your problem, but it is not: it is theirs.
Yeah, OpenID is an interesting one, I still have not decided what to
think about that; as you say it seems to have the quality of
self-definition about it, but to me it appears to be:
“create your identity, then use that to have relationship”
…where I am trying to come from a perspective of “have relationship,
which brings-forth identity”, rather a different proposition, and as I
believe I stated it’s not one which is going to replace all other
forms of identity soon, – but I consider it viable.
Gimme that Ol’Time Religion.
I made a point about Amazon having a relationship with me, and
payments made thereof; you think I forgot that there are third parties
like VISA involved – and before jumping on the obvious strawman, no I
don’t think Amazon are an exact example of what I am proposing… I am
just pointing out that I know third-parties can and will exist.
Yet I have also got relationships with people that I only know through
the comments of my blog, and the continued existence of that channel
provides a perfectly realistic, no-thirs-parties-required, form of
authentication.
Actually I was thing to insinuate that if the Officer and the Rider
both knew each other /from/ the local bike club, perhaps were both
members and went for dinners together like a certain bike club we both
know, then that would certainly be a relationship that could
circumvent a lot of bureaucracy.
With my above clarification and retrenchment, your critique is moot; I
am not trying to involve third parties in the single domain of a
relationship between the Rider and the Policeman.
[...deletia of solution to misrepresentation of my position...]
Yeah, I expect several approaches to solving this, eg: a database for
the benefit of banks, that the person who owns
http://i-am-really-bent.com/mine is a bad person to deal with. Spam
blacklists exist, for example.
And how precisely does this inhibit my ability to form a relationship
with another entity via a communications channel and leverage it into
an identity?
[Grin]
Don’t be naughty, Ben; at no point did I say I was trying to
completely deal with the problem – ie: to make out that we can utterly
replace the extant infrastructure and ways of doing things.
Adriana and I am merely trying to present an alternative which has
been entirely untapped, and apparently seems easily misunderstood, by
folk from the world of Big-I Identity.
Yay, so you’re on our side!
I stand corrected; but also please see my notes on the irrelevancies
of third parties within relationship-based-identity.
Not at an IdP; ie: in a distributed fashion, under a user’s own
control – in the same way (blogger.com notwithstanding) that I do not
consider blogs to be “centralised”.
Obliged.
Stupendous, I shall correct my vocabulary forthwith.
Comment by Alec Muffett — 12 May 2008 @ 13:54
OpenID relies on your ownership of the domain name, right? That means it still relies on a third party (IANA, Network Solutions, etc.) to maintain that ownership.
Comment by John Stracke — 14 May 2008 @ 16:33
@John, yep, nuisance is it not?
There are ways around that, but I won’t expound them here.
Comment by Alec Muffett — 19 May 2008 @ 14:33
For the record, I’m not convinced I was first to say “Something you lose, something you forget, something you cease to be”; though I arrived at it independently, others have said they heard it form someone else first, and I’ve no reason to doubt them.
Nowadays, I offer the alternative of “Something they steal, something they chop off, and something they beat out of you.”
Comment by Nick Mathewson — 19 May 2008 @ 18:20