oreilly.comSafari Books Online.Conferences.


The Long View of Identity
Pages: 1, 2, 3, 4

The Building Blocks of Identity

Perhaps we should start the exploration of identity technology by looking at how things stand for most internet denizens now. Ironically, most of us are profoundly deluded.

When we go online to a forum on some topic that interests us, nobody knows us from Adam. We feel anonymous, and we possibly share personal information on that basis.

In fact, identifying us is pretty easy. It's just that nobody bothers to try, unless a record company decides to make an example of us for uploading MP3 files or the Chinese government decides to call us in for questioning about some posts containing the word "democracy." Consider that:

  • Your ISP or system administrator knows your IP address at every moment. Many governments have passed laws or (as in the U.S.) are considering laws that would require the ISP to store this data about you for a long period of time.
  • Everything you've ever put online (including sophomoric postings to ancient newsgroups) is still there, and it's searchable.
  • Many people can be singled out through a combination of a few pieces of data (such as zip code, age, etc.) that they freely surrender to web sites.

Our identity situation is the worst of both worlds: people with bad intentions can find our data, but we are isolated from the people with whom we'd like to form communities. This once again raises the tension between holistic identity and compartmentalized identity.

Anonymity: The Starting Point for Identity

Because anyone with a warrant--or just an easy-going relationship with an ISP, as the NSA apparently has--can trace you through your IP address, true privacy depends on hiding even that tiny bit of identifying information. Protection from tracing your location, along with protection from traffic analysis (which can identify a conversation's parties by such measures as checking when packets are sent and received on various routers) is performed by onion routers, collections of cooperating machines that bounce around messages until the nefarious traffic analyzer gets dizzy. The term "onion router" comes from the practice of encrypting each message and wrapping it in another message in order to get it through an arbitrary set of systems.

Privacy researcher Roger Dingledine came to the conference to introduce onion routing and promote the most prominent project among its current generation, Tor. He anticipated audience reaction by asking, and then answering, the question of whether onion routers facilitate crime. The answer is that criminals already know how to hide their tracks through prodigious efforts. Tor is geared toward people with a legitimate need for privacy, whether Navy personnel (the U.S. Navy is one of the project's sponsors) or companies trying to keep competitors from finding out which customers their sales force is contacting.

An example of how someone determined to stay in hiding can succeed for a long time appears, by coincidence, in the most recent Atlantic Monthly (July/August 2006). A cheerleader for al-Zarqawi's Iraqi insurgency posted terror training videos and other propaganda anonymously for years, despite coordinated efforts on several continents to track him down. I'm not sure that what he did would be illegal in the U.S., but it certainly was in the U.K., where he was finally located.

Aids To Trusted Third Parties

I've already explained that identity systems like trusted third parties. There are plenty of other examples of trusted third-party systems in actual use. For instance, many sites tie together different user directories and application servers through Kerberos, a version of which has now been adopted by Microsoft. And the certificates used to sign secure web sites depend on trusted third parties called certificate authorities. Unfortunately, most web users are aware of these certificates only because the system breaks down so often. Either the browser fails to keep up with changes in certificate authorities, or the server lets its certificate become invalid in some way.

Identity systems bring a ton of logistical and liability problems on themselves when they adopt the third-party solution. Yet the competition for identity systems is intense. To help the various vendors and open source solutions work together, the Berkman Center has sponsored a project called Higgins.

At the conference, the Higgins designers unveiled a purchasing system with the Interra Project, which directs a percentage of each purchase to a non-profit cause. I was impressed with this demo because they're really putting their money where their mouths are. Anything that distributes funds, no matter how small, had better be secure.

Many types of middleware place (usually unanticipated) constraints on the systems they promise to tie together. The identity space is constantly being reconsidered and will get banged on a lot more by innovators before they feel the problems are solved, so middleware in this space must emphatically avoid such constraints.

Higgins, according to technical lead Paul Trevithick, was carefully designed to leave things open for innovation. It does this in the usual way adopted by standards: by providing fill-in-the-blank protocols and leaving it up to application providers to specify what they want. "If the bank calls some field a Surname and the vendor calls it a Last Name," Trevithick told me, "it's up to them to work it out--as much as some of them would like us to do it for them."

Users who come in contact with Higgins will do so through its interfaces for creating accounts and authorizing the sharing of information, which the developers provided in the hope that all sites could provide a common experience. Everyone agrees that identity systems will take off only if they're fun and easy to use.

It's also widely accepted that the single sign-on systems mentioned earlier, with their complex Web Services protocols and design-by-committee deployment scenarios, will be niche applications for quite a while. However, developer Casper Biering of the Danish identity firm Netamia told me the Danish government has just adopted SAML, one of the major federated protocols, for the exchange of identity information among government agencies. This is an example of a niche that could grow.

I spoke by phone with Andre Durand, CEO of Ping Identity, which is one of the most important firms offering single sign-on systems and other federated identity applications. He says that the market so far has largely focused on business-to-business communications, but that the broader market opportunity for identity will take off in the next couple of years as end-users become more aware of its existence through efforts such as CardSpace and Higgins. He cites two recent achievements as reasons for optimism.

First, as many people at the conference have said, the vendors and large firms interested in identity have agreed that in order to get their systems adopted, they must factor the end-user into the equation. Up to now, Durand says, the conversation has fixated on only two of three crucial parties: the service provider (such as an online store or bank) and the identity provider. Now the third--and probably most important--party to this three-way dance is being introduced: the end-user.

Second, the standards have matured and and simultaneously become a lot less complex. Microsoft will use the WS-* specifications, many of which have been moved for ratification by the OASIS consortium. Other vendors will use SAML, which includes contributions from the Liberty Alliance. Vendors will help bridge the discrepancies in protocols by providing products that speak both specifications or bridge their functionality. Durand also says that CardSpace and Higgins will provide a common open source foundation from which these and other, yet-to-be-invented identity systems can interoperate.

Alternatives To Trusted Third Parties

If most individuals and companies are not to be bothered with federated, third-party systems walled in behind complex protocols, how will identity systems spread? Who will validate identity?

Kim Cameron, one of the leaders in the identity field and an architect at Microsoft, thinks the field can flourish without third-party validation. "Currently, 99.9% of all identity information online is self-asserted," he points out. In other words, we are already forming communities and exchanging information that matters to us with people whom we know only through email, web pages, or other forums. Why can't we continue this way, just making things a little easier through standards?

Perhaps a grassroots movement will make sxip, LID, or one of the other low-overhead contenders for identity into the next cool plaything, but few people know such systems exist--and they satisfy only a small portion of the field's needs.

Durand insists that at least for now, SAML and WS-Federation are here to stay, especially SAML tokens. "There's an opening for loosely-coupled social networking sites (the blogosphere, gaming sites, and so forth) to leverage the lighter-weight systems. But the bulk of our most important interactions are still between individuals and businesses, and businesses need the robustness of the federated systems. Many firms such as Ping Identity are putting in a lot of work to make these more mature identity systems easier to acquire, integrate, and use: they're open sourcing pieces of the infrastructure, building LAMP stack versions of SAML, and putting extremely lightweight interfaces such as REST in front of them. I believe projects that span both the enterprise use cases and the end-user (customer-facing) use cases have the best chance for long-term success. CardSpace and Higgins meet these criteria."

Identity and Reputation

Identity and reputation exist in tandem; there's not much point to one without the other. Reputation seems to pay off. Robin Harper, VP of Linden Labs, the providers of the popular Second Life virtual world, says that trust reduces risk and therefore impels people to new behaviors. Reputation researcher Kevin McCabe says that people behave better when they know they're being rated, even if most people don't bother to check the reputations.

Reputation is a monster of a problem that makes identity exchange seem trivial by comparison. Collecting reputation information is tedious, and trusting it is perilous.

Reputation on eBay seems to do the rudimentary job of winnowing out incompetent vendors, but we have to remember that it has the backing of the much more time-tested credit card system. I have a lot more trouble seeing the point of reputation systems in forums where their function is less concrete, such as LinkedIn and Orkut.

If communities try to work together to build individuals' reputation, they immediately run into thorns:

  • Many sites jealously guard reputation information about their users as proprietary, although there is some movement toward recognizing that sharing information would benefit everyone.
  • Different communities consider different things to be important, so reputation in one community may not translate well to another.
  • There are many types of reputation, some of which are relevant across communities and some of which are not. For instance, your reputation as a person who follows through on a promise can be transferred from one domain to another, but your expertise as a doctor is probably irrelevant to a forum on home repair.

Identity: The Long View

I can't end this article without sharing some of the most pessimistic fears aired at the Mashup by some of its most well-informed participants, such as Stefan Brand. Brand admitted to feeling near despair sometimes, because we could easily move into a society where RFIDs are embedded in our bodies and every move is tracked. "I'm afraid that, despite all our best efforts, our technical solutions may drive us into totalitarianism." There were many responses that tried to assuage this fear, but no one could banish it.

Perhaps our best hope was cited by Berkman Center fellow Mary Rundle, who said that we must maintain multiple sources of power that can constrain each other, so that "power cannot be used to amass more power."

Andy Oram is an editor for O'Reilly Media, specializing in Linux and free software books, and a member of Computer Professionals for Social Responsibility. His web site is

Return to

Sponsored by: