Recovered from the Wayback Machine.
I removed the last paragraph from my last posting. It added nothing to the discussion and was unnecessarily snarky. Still, doing so doesn’t impact on the message threaded throughout the post that *I’m not supportive of universal (read that ‘federated’) digital identities.
I don’t believe there is a system that can’t be cracked. What I do believe is that there is a tradeoff between the willingness to spend time and energy in cracking a system, and how universally it’s used. One overall, agreed on universal digital identity system that every major financial, economic, government player has bought into seems to me to be a mighty big target. It’s not so much that it represents a widely used identity infrastructure; it’s that behind the infrastructure is some very tasty data.
Additionally, I’m not sure that there is demand for this type of overall identity. In the midst of these discussions, Johannes Ernst posed the question: why do we want digital identity? Is it for seamless enterprise-wide access? Is it to facilitate commerce? Eliminate the existing highly fractured state of security, with implementations that range from heavily robust to wide open?
I personally favor the concept of ‘single sign-on’ where I can use the same name and passwords at different sites, without having to re-input my contact information, and without having to remember different connection information with each. Even then, I would most likely only use something like this with sites where the cost of exposure of the data is minimal. Though it would be tempting to want to store my credit card on my machine, and have a remote system handshake with my local computer to exchange the information without me having to do so, I don’t find the fact that I have to re-input the data with each purchase to be an overwhelming burden. Not to the point of storing this information on my machine–whether it is my dual Windows/Linux machine, or my Mac.
Work on enhancing the security of our data exchanges is a goodness; but the farther from my machine I can store sensitive data, the happier I’ll be. In this discussion, rather than focus on separating the specification of a security infrastructure from the implementation, I’d rather discuss separating the storage of the data from the transport.
(Of course, some companies require that you store your credit card information on their machines, but I don’t know how something like InfoCards would eliminate this–unless part of the architecture also provides an ‘on-demand’ request for the card information from the site back to us.)
To answer his own question, Johannes sees digital identity as a way of empowering people:
So let me tell you what excites me about Digital Identity: it is the transformational power that Digital Identity can bring — assuming it is done right — to empower individuals and groups in ways that are highly desirable but impossible without. Or, in plain language: the new products and features that only can be built with Digital Identity and will be built as soon as we have it. And we will never look back.
I thought this, at first, had to do with authenticity, and establishing that we’re who we say we are. However, from the examples Johannes lists, this doesn’t seem to be the case. Examples, such as Marc Canter’s digital lifestyle aggregation, where all of our digital devices work out how to integrate themselves; and Johannes’ own company’s software, which …is aware of the user’s immediate situation, and proactively supports them in that situation, instead of being just able to offer a bunch of remote websites that are very clueless about the user and thus not very helpful.
I don’t know that we need digital identity for the latter — I have extensions added to my browser that let me know when a site has RDF/XML I can examine, or a syndication feed I can link to. I’d rather passively put easily discoverable information out on a site using established ‘hooks’ and then use generic discovery tools to find this data elsewhere, than build something in them reflecting my identity.
I don’t think the power of the internet is based on the concept that eventually, everyone will know your name. I think it’s based on the fact that everyone doesn’t know your name.
*There goes my planetary status on Planet Identity, I imagine.