Grounds for Identity

Identity became a hot topic last year, but it won't truly matter until it becomes the focus of a serious open-source project.

A year ago, identity was mostly the concern of privacy and crypto guys. The only company taking much public interest was Microsoft, which was busy scaring everybody with its Passport identity management system and the Hailstorm initiative that went along with it. (Microsoft folks tell me they never meant to scare anybody. Privately they refer to Passport as "Piñata" because of all the bashing it takes.)

But over the next three quarters, identity became a big deal, certified by its own high-profile web site and tradeshow: Digital ID World (DIDW). The first DIDW took place in Denver in early October 2002. It was well-run and well-attended for a first effort by people who were, for the most part, new to the business. Those people included, which is the commercial counterpart of, an open-source effort.

When Don Marti got a look at advance promotion for DIDW, he called the speaker lineup "scary": a lot of big companies and associations (Microsoft and the Sun-led Liberty Alliance, for starters); a lot of small companies trying to sell stuff to big enterprise customers; and almost nobody representing individual interests (especially privacy). Except for me. And frankly, I had to push to get myself added to the speaker lineup, which I did through my position on the advisory board of PingID.

At the show I made as much trouble as I could. On the opening day I moderated a panel on identity and open source. On the closing day I gave a talk about the open-source nature of internet infrastructure--the need for open identity protocols and other standards that commercial interests alone would be unlikely to provide. I presented a slide that compiled a list of phrases assembled from buzzwords I heard in one talk after another at the show:

  • metadata control exchange system

  • partnership compliance implementation audit

  • self-addressing portable entitlement chain

  • DRM privacy directive store

  • self-regulating feedback mechanism

  • persistent federated domain logic audit

  • enterprise portal crossover

  • cross domain global security management protocol framework

  • custody containment certificate

  • logical domain root browser function

Driving this droning was a default assumption that identity could be managed and controlled--in spite of the fact that the Net is neither. At the end of my open-source panel, Brent Glass said this from the audience (quoting notes taken by another audience member):

I don't want any organization having control of my identity. I don't trust enterprises. I don't trust the government. I want to be the center of my identity. One of the things open source has going for it is it puts the user at the center. Could the panel explain if it can do this for us? Can it give humans control that need not be relinquished?

I believe the answer is yes. But to explain how, I'll start with some history. Back in the late 1980s and early 1990s, Craig Burton, Jamie Lewis and other Novell veterans at The Burton Group quietly changed the way we conceived networks, shifting us from a technical to a service model. Thanks to TBG's efforts, we began talking about networks as collections of interoperable services, including directory, security, management, file, print and messaging. At first the "network services model" was applied to LANs and enterprise systems such as Lotus Notes. But when the Internet began to lithify and support almost everything, the model applied there as well. Protocols such as TCP/IP, HTTP, SMTP, IMAP, POP3, LDAP and DHCP not only define the Net's working infrastructure but also provide its services.

Compared to even an old commercial LAN like Novell's NetWare, the Net's roster of services are still primitive and few. In fact, their primitive nature helps account for much of their ubiquitous adoption. Openness and simplicity are good things to have in protocols. But the fewness of network services on the Net is another matter. If "the history of the Internet is the history of its protocols", as Vint Cerf says, we're still in the Paleozoic era. For example, there still are no common protocols for printing over the Net. Directory services are minimal (DNS covers few bases and LDAP only covers directory access). Aside from e-mail, messaging is a mess. Jabber's IM protocols are widely adopted, but hardly ubiquitous. Thanks to AOL's and Microsoft's childish refusal to interoperate with each other, instant messaging for most of us remains stuck at the Prodigy vs. Compuserve stage. But if IM is an embryo, ID is an unfertilized egg.

To shift metaphors in a botanical direction, think of the Net as Mother Earth and all this corporate droning as seed thrown on dry ground. What's more, the enthusiastic seed spilling at DIDW reminded me of every other cycle of enthusiasm launched whenever the ground starts to shake. Big companies and governments try to protect and extend the existing order while startups wage a leadership revolution. Both miss the fact that all Net-based architectures, old and new, are grounded on a geology that nobody owns, everybody can use and anybody can improve.

Today big business operates by the grace of the Net. The creators of the Net--the makers of ubiquitous protocols that are as central and beyond ownership as the core of the Earth--are the gods behind the primal forces of today's business world. Those gods still have work to do, as veteran Byte editor John Udell explains:

The connected computer is fast approaching ubiquity. We've created cyberspace, but we haven't yet really colonized it because we lack the organizing principle to do so. Having abolished time and space, nothing remains but identity. How we project our identities into cyberspace is the central riddle. Until we solve that, we can't move on.

Project is the right word, not protect.

If we create the protocols, APIs and other standards that let customers relate at full power with the companies they choose, consumer becomes an obsolete noun. The companies now in full charge of the identities they confer on each of us will no longer have full control, because now they will have to relate and not just distribute. But because we show up as customers rather than as consumers, the range of business possibilities is much larger. The trade-off is a good one for both sides.

But it won't begin until we get those protocols and APIs, which won't happen unless somebody decides to write them for everybody. Maybe that effort will come from the noncommercial world, as it did with HTTP and SMTP. Or maybe it will come from the altruistic side of the commercial world, as it did with SOAP and RSS.

My guess is that it will come from both, as it does with Linux (if we give full credit to the companies that employ the developers who continue to improve code that nobody owns and everybody can use). Once it does, there will be real grounds for enthusiasm.

Doc Searls is senior editor of Linux Journal.



Doc Searls is Senior Editor of Linux Journal


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Open Standards, distributed implementation.

Anonymous's picture

It would be far better if there ID issues were handled through
open (publicly implementable without royalty) standards, and the
only way to scale is via distributed implementation.

Take a peek at
- while it
concentrates on exchanging email keys, it has some of the same issues. Here, there is still a central key - but only for the root DNS servers, to find the other servers, and you need those keys anyway. This doesn't address the issues of identity completely from this article, but there may be some usable ideas here.

Re: Grounds for Identity

wally's picture

1) To the first commenter: the cash card is not the identity, "fred" is. The cash card is a short-lived service allocated to the identity fred which allows him to spend $X, perhaps in a certain venue. The digital identity relationship to be managed here is between fred and his bank; I hope you do not want that to be fleeting.

What about suppliers who, in the future, will transact billions of dollars over the Internet? While the authority to purchase a certain amount of a certain item may be a short-lived service, the history of who was authorized for that service and what organization they were part of had better be perpetual information. Particularly when one starts talking about financial authority. Who requested or shipped BGAs instead of PGAs on chips? Was it the buyer or the supplier? Who authorized the transformation of $9B in expense to capital assets? Yes, the authorization for a service may be short-lived; but the history of who (identity) had authorization for what services and what they did with them had better be perpetual.

Besides your banker, what about your doctor, your institute of higher ed., other financial relationships (investment), etc.? Do you really want your relationship with them to be one of a fleeting few seconds that then disappears into complete oblivion?

Where is the audit trail in your "few second" approach that is necessary where it is determined the trust was misplaced?

Digital identity is a very complex issue, and should not be trivialized to the level of using a cash card to buy a book from

2) To Doc: "Microsoft didn't mean to scare anyone." Well, of course not, you don't get customers (not good ones anyway) by scaring people, even Redmond knows that. They just hoped we were all too stupid to figure out what they were up to. I mean, why would the technical population get nervous when the biggest monopolist of the last half-century created software and a service that would own user's identities and the history of all their Internet transactions. "We just put out great software -- it's not our fault consumers love our stuff so much."

The best part here is that "Pinata" is a great name for it. And it doesn't take much of a whack to enable all the contents of Passport to be readily spilled out. That's been proven half a dozen to a dozen times since it was released, by individuals and the likes of ATT Labs.

3) DigitalIDWorld: yep, we pushed to get a speaking spot as well. But, lacking your connections, or the ability to bankroll a sponsorship, it wasn't about to happen. Lots of energy, but pretty much the same drivel and products being pushed by the same old vendors who haven't really solved the problem. Instead, they've repackaged the same old offering to say that it now addresses "digital identity needs".

4) User Privacy: You're right. This is a huge issue. Even in the "Liberty Alliance" model, the enterprises decide what information is shared about users, not the user itself. But the big boys, thus far, have not been interested in listening to solutions that would truly promote user privacy. We'll see what the future holds.

I could go on on this topic for hours, but I'll end here for now.

Users can never get control of this stuff.

Anonymous's picture

Giving the users control of "identity" information sounds good, but companies won't do it. Most of the reason big companies keep records on you is to be able to say bad things about you. My credit record is bogus but Equifax isn't going to give me the ability to fix it. It's better for them to have saleable but wrong info than to spend money correcting it.

Of course you can set up user-controlled records in such a way that the company can authenticate them, but if a user can't delete a record it's not under his or her control, and if he or she can delete the record, he or she won't keep it around very long once it starts to carry bad information.

Re: Grounds for Indentity

geoff_lane's picture

I've been thinking about trust relationships quite a bit. It seems to me that the current schemes all fail because they want to create a long lived "digital identity". To do this properly is expensive to create, manage and use; requiring large amounts of resources, global standards etc. This kind of digital identity is open to "identity theft".

But most trust relationships are very brief, a few seconds to a few days, and involve the transfer of money at some point :-), so why use the same digital identity for all of them? Buying a newspaper takes seconds and needs no persistent effects. Even buying something over the Internet only needs a trust relationship that lasts until the goods are delivered and the payment is transfered. For normal, everyday transactions all that is needed is the kind of trust that we give to credit cards. Some card issuers are now providing one-time card numbers for Internet transactions. These prevent card number from being reused and hence are far safer to use on the Internet (and elsewhere.)

All the grand schemes could well be made pointless by the pragmatic use of one-time card numbers. I say I'm Fred, you ask for proof, I give you a one-time number, you check against the credit card web site which says the number belongs to Fred (and may even have a picture.) The number is now useless.

This is Pretty Good Identity Checking...

Re: Grounds for Indentity

Anonymous's picture

For normal, everyday transactions all that is needed is the kind of trust that we give to credit cards. Some card issuers are now providing one-time card numbers for Internet transactions. These prevent card number from being reused and hence are far safer to use on the Internet (and elsewhere.)

All the grand schemes could well be made pointless by the pragmatic use of one-time card numbers. I say I'm Fred, you ask for proof, I give you a one-time number, you check against the credit card web site which says the number belongs to Fred (and may even have a picture.) The number is now useless.

From my perspective, it should go one step further. I'm not sure what the technical term is but I'll call it a "cash card". Basically, the same as a prepaid phone card or a "credit card" style gift certificate. Works the exact same. You go to any random store (prepaid phone cards seem popular at gas stations around here) by a card for $25. You now use this card like a regular credit card until the $25 is gone. Anonymous, limited time, no tracing. The infrastructure is already there to do it.

Of course, it will never happen since large corporations don't want it.

I have a friend from Costa Rica that says they are quite popular there.


Re: Grounds for Indentity

Anonymous's picture

Um, I think this already exists. It's called "cash" and comes in a variety of paper based "cards" which can be used everywhere. The only downside is that it is anonymous and untraceable and so easily stolen and pretty useless for many online transactions (where delivery etc would require you to have a verifiable identity).

Re: Grounds for Indentity

Anonymous's picture

How would such a card work over the internet?