Links

Ben Laurie blathering


The World Without “Identity” or “Federation” is Already Here

My friend Alec Muffett thinks we should do away with “Big I” Identity. I’m all for that … but Alec seems to be quite confused.

Firstly, his central point, that all modern electronic identity requires the involvement of third parties, is just plain wrong. OpenID, which he doesn’t mention, is all about self-asserted identity – I put stuff on webpages I own and that’s my identity. Cardspace, to the extent it is used at all, is mostly used with self-signed certificates – I issue a new one for each site I want to log in to, and each time I visit that site I prove again that I own the corresponding private key. And, indeed, this is a pretty general theme through the “user-centric” identity community.

Secondly, the idea that you can get away with no third party involvement is just unrealistic. If everyone were honest, then sure, why go beyond self-assertion? But everyone is not. How do we deal with bad actors? Alec starts off down that path himself, with his motorcycling example: obviously conducting a driving test on the spot does not scale well – when I took my test, it took around 40 minutes to cover all the aspects considered necessary to establish sufficient skill, and I’d hesitate to argue that it could be reduced. The test used to be much shorter, and the price we paid was a very high death rate amongst young motorcyclists; stronger rules have made a big inroads on that statistic. It is not realistic to expect either me or the police to spend 40 minutes establishing my competence every time it comes into question. Alec appears to be recognising this problem by suggesting that the officer might instead rely on the word of my local bike club. But this has two problems, firstly I am now relying on a third party (the club) to certify me, which is exactly counter to Alec’s stated desires, and secondly, how does one deal with clubs whose only purpose is to certify people who actually should not be allowed to drive (because they’re incompetent or dangerous, for example)?

The usual answer one will get at this point from those who have not worked their way through the issues yet is “aha, but we don’t need a central authority to fix this problem, instead we can rely on some kind of reputation system”. The trouble is no-one has figured out how you build a reputation system in cyberspace (and perhaps in meatspace, too) that is not easily subverted by people creating networks of “fake” identities purely in order to boost their own reputations – at least, not without some kind of central authority attesting to identity.

Yet another issue that has to be faced is what to do about negative attributes (e.g. “this guy is a bad risk, don’t lend him money because he never pays it back”). No-one is going to willingly make those available to others. Once more, we end up having to invoke some kind of authority.

Of course, there are many cases where self-assertion is perfectly fine, so I have no argument with Alec there. And yes, there is a school of thought that says any involvement with self-issued stuff is a ridiculous idea, but you mostly run into that amongst policy people, who like to think that we’re all too stupid to look after ourselves, and corporate types who love silos (we find a lot of those in the Liberty Alliance and the ITU and such-like places, in my experience).

But the bottom line is that a) what he wants is insufficient to completely deal with the problems of identity and reputation and b) it is nothing that plenty of us haven’t been saying (and doing) all along – at least where it works.

Once you’ve figured that out, you realise how wrong

I am also here not going to get into the weirdness of Identity wherein the goal is to centralise your personal information to make management of it convenient, and then expend phenomenal amounts of brainpower implementing limited-disclosure mechanisms and other mathematica, in order to re-constrain the amount of information that is shared; e.g. “prove you are old enough to buy booze without disclosing how old you are”. Why consolidate the information in the first place, if it’s gonna be more work to keep it secret henceforth? It’s enough to drive you round the twist, but it’ll have to wait for a separate rant.

is. Consolidation is not what makes it necessary to use selective disclosure – that is driven by the need for the involvement of third parties. Obviously I can consolidate self-asserted attributes without any need for selective disclosure – if I want to prove something new or less revealing, I just create a new attribute. Whether its stored “centrally” (what alternative does Alec envision, I wonder?) or not is entirely orthogonal to the question.

Incidentally, the wit that said “Something you had, Something you forgot, Something you were” was the marvellous Nick Mathewson, one of the guys behind the Tor project. Also, Alec, if you think identity theft is fraud (as I do), then I recommend not using the misleading term preferred by those who want to shift blame, and call it “identity fraud” – in fraud, the victim is the person who believes the impersonator, not the person impersonated. Of course the banks would very much like you to believe that identity fraud is your problem, but it is not: it is theirs.

4 Comments

  1. Firstly, his central point, that all the modern electronic identity
    requires the involvement of third parties, is just plain wrong.
    OpenID, which he doesn’t mention, is all about self-asserted identity

    Yeah, OpenID is an interesting one, I still have not decided what to
    think about that; as you say it seems to have the quality of
    self-definition about it, but to me it appears to be:

    “create your identity, then use that to have relationship”

    …where I am trying to come from a perspective of “have relationship,
    which brings-forth identity”, rather a different proposition, and as I
    believe I stated it’s not one which is going to replace all other
    forms of identity soon, – but I consider it viable.

    Cardspace, to the extent it is used at all, is mostly used with
    self-signed certificates – I issued a new one for each site I want to
    log in to, and each time I visit that site I prove again that I own
    the corresponding private key.

    Gimme that Ol’Time Religion. 🙂

    Secondly, the idea that you can get away with no third party
    involvement is just unrealistic.

    I made a point about Amazon having a relationship with me, and
    payments made thereof; you think I forgot that there are third parties
    like VISA involved – and before jumping on the obvious strawman, no I
    don’t think Amazon are an exact example of what I am proposing… I am
    just pointing out that I know third-parties can and will exist.

    Yet I have also got relationships with people that I only know through
    the comments of my blog, and the continued existence of that channel
    provides a perfectly realistic, no-thirs-parties-required, form of
    authentication.

    Alec appears to be recognising this problem by
    suggesting that the officer might instead rely on the word of my local
    bike club.

    Actually I was thing to insinuate that if the Officer and the Rider
    both knew each other /from/ the local bike club, perhaps were both
    members and went for dinners together like a certain bike club we both
    know, then that would certainly be a relationship that could
    circumvent a lot of bureaucracy.

    But this has two problems, firstly I am now relying on a third party
    (the club) to certify me, which is exactly counter to Alec’s stated
    desires, and secondly, how does one deal with clubs whose only
    purpose is to certify people who actually should not be allowed to
    drive (because they’re incompetent or dangerous, for example)?

    With my above clarification and retrenchment, your critique is moot; I
    am not trying to involve third parties in the single domain of a
    relationship between the Rider and the Policeman.

    […deletia of solution to misrepresentation of my position…]

    Yet another issue that has to be faced is what to do about negative
    attributes (e.g. ‘this guy is a bad risk, don’t lend him money
    because he never pays it back’). No-one is going to willingly make
    those available to others. Once more, we end up having to invoke
    some kind of authority.

    Yeah, I expect several approaches to solving this, eg: a database for
    the benefit of banks, that the person who owns
    http://i-am-really-bent.com/mine is a bad person to deal with. Spam
    blacklists exist, for example.

    And how precisely does this inhibit my ability to form a relationship
    with another entity via a communications channel and leverage it into
    an identity?

    Of course, there are many cases where self-assertion is perfectly
    fine, so I have no argument with Alec there. And yes, there is a
    school of thought that says any involvement with self-issued stuff
    is a ridiculous idea, but you mostly run into that amongst policy
    people, who like to think that we’re all too stupid to look after
    ourselves, and corporate types who love silos (we find a lot of
    those in the Liberty Alliance and the ITU and such-like places, in
    my experience).

    [Grin]

    But the bottom line is that a) what he wants is insufficient to
    completely deal with the problems of identity and reputation

    Don’t be naughty, Ben; at no point did I say I was trying to
    completely deal with the problem – ie: to make out that we can utterly
    replace the extant infrastructure and ways of doing things.

    Adriana and I am merely trying to present an alternative which has
    been entirely untapped, and apparently seems easily misunderstood, by
    folk from the world of Big-I Identity.

    and b) it is nothing that plenty of us haven’t been saying (and
    doing) all along – at least where it works.

    Yay, so you’re on our side! 🙂

    Once you’ve figured that out, you realise how wrong [ALEC’S
    DISTASTE FOR PUTTING ALL YOUR PERSONAL INFORMATION INTO AN IdP AND
    WRAPPING IT IN LIMITED DISCLOSURE AND OTHER MAGIC]

    is. Consolidation is not what makes it necessary to use selective
    disclosure – that is driven by the need for the involvement of third
    parties.

    I stand corrected; but also please see my notes on the irrelevancies
    of third parties within relationship-based-identity.

    Obviously I can consolidate self-asserted attributes without any
    need for selective disclosure – if I want to prove something new or
    less revealing, I just create a new attribute. Whether its stored
    ‘centrally’ (what alternative does Alec envision, I wonder?) […]

    Not at an IdP; ie: in a distributed fashion, under a user’s own
    control – in the same way (blogger.com notwithstanding) that I do not
    consider blogs to be “centralised”.

    Incidentally, the wit that said ‘Something you had, Something you
    forgot, Something you were’ was the marvellous Nick Mathewson, one
    of the guys behind the Tor project.

    Obliged.

    Also, Alec, if you think identity theft is fraud (as I do), then I
    recommend not using the misleading term preferred by those who want
    to shift blame, and call it ‘identity fraud’ – in fraud, the victim
    is the person who believes the impersonator, not the person
    impersonated. Of course the banks would very much like you to
    believe that identity fraud is your problem, but it is not: it is
    theirs.

    Stupendous, I shall correct my vocabulary forthwith.

    Comment by Alec Muffett — 12 May 2008 @ 13:54

  2. OpenID relies on your ownership of the domain name, right? That means it still relies on a third party (IANA, Network Solutions, etc.) to maintain that ownership.

    Comment by John Stracke — 14 May 2008 @ 16:33

  3. @John, yep, nuisance is it not?

    There are ways around that, but I won’t expound them here.

    Comment by Alec Muffett — 19 May 2008 @ 14:33

  4. For the record, I’m not convinced I was first to say “Something you lose, something you forget, something you cease to be”; though I arrived at it independently, others have said they heard it form someone else first, and I’ve no reason to doubt them.

    Nowadays, I offer the alternative of “Something they steal, something they chop off, and something they beat out of you.”

    Comment by Nick Mathewson — 19 May 2008 @ 18:20

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress