Hankering For A World Without “Identity” or “Federation”

Author’s note: this is not a white paper. This is an opinion-piece, possibly a polemic. In it I expound what I believe rather than making an argument for you to believe it too; however if through it you arrive at a technical question or desire clarification, then please leave a comment using the tool provided. Also, there are footnotes annotated in square brackets. They are worth reading as you go along. Once I have had more coffee I’ll get round to making them into hyperlinks. Sorry.

Abstract

This posting began as an standalone article to describe my tussel with “Identity” in all its various forms, however it has evolved into a companion piece to Adriana’s musings on identity – not only because upon reading her posting I found us using like words and like metaphors to much the same conclusion, but also doubtless because it was she who singlehandedly provided me an alternative to a world without (or with much-reduced) “Big I” Identity.

However I wish to spell out my beliefs rather more bluntly, so here we go:

I believe that Identity is bunk.

I believe that the technologies of Identity are founded upon and perpetuate an outdated model of a passive user who lacks both the critical authority and the ability to participate in an authentication transaction, and further I submit that Identity’s commitment to this model inhibits its further evolution in the modern era.

…but before continuing I want to address a few potential misconstructions to aid later clarity – so for contrast I shall begin by listing a selection of identity-related topics which are emphatically not bunk:

identity theft

I have written about Identity Theft at length elsewhere, and although I still maintain the viewpoint that identity theft is straightforward fraud more than anything novel, I cannot deny that it occurs or that it is a serious matter.

identity management

I have a former BOFH sysadmin’s view of Identity Management, which means that of course I am going to welcome any set of tools which (a) permit me to unify my users’ authentication mechanisms into a homogeneous solution and (b) allow me to effect bans, lockouts or password changes on 30,000 machines at the same time. To deny the utility of this would be insane.

authentication

the act of establishing rights or privileges to access resources is one of the most fundamental (and common) actions to occur within a computer network.

strong authentication

one-time passwords, authentication tokens, javacards, sunray cards, stuff to authenticate more strongly (ie: definitely) to my network? Sure, “bring it on”.

single sign-on

see the section on “strong authentication”, in fact see all of what I have written above. Within a security domain it’s a wonderful thing to not have to keep typing-in your password to authenticate separately to Mail, Calendar, Web and database. It’s a neat trick if you can do it.

I consider all of the above to be perfectly decent, supposedly identity-related matters; where I diverge is in the field that I refer to as “Big I” Identity.

So What Is “Big I” Identity?

“Big I” Identity – let’s just call it “Identity” from now on, so that I don’t go mad spelling it out each time – is the umbrella term I use to describe processes and identity enabling technologies such as:

  1. Digital Identity
  2. Cross-domain Federated Identity
  3. Identity 2.0
  4. Identity Metasystems
  5. CardSpace
  6. Higgins
  7. …and an entire dumpster-load of other projects, toys, tools, XML standards, etc, all borne of the mindset which led to the above

Identity exponents paint a future in which your identity is a digital puppet – or possibly a hive-mind of several – living in a studio flat in cyberspace, buying goods, paying taxes and dealing with the other bureaucracies of life on your behalf, able to transact within cyberspace because your puppet has been certified into existence by some higher authority – most likely after payment of some real-world money.

In some ways the model is very like “Second Life”:

  • You pay for your Identity avatar to continue exist, so it may transact for you, and it will continue to exist only for as long as you pay for it.

  • You imbue it with some of your personal qualities.

  • You manage it awkwardly via remote control.

  • And you likely wish it was somehow also portable into “World of Warcraft” and “Everquest”, or vice versa – a process of federation..

A moment’s consideration of the above will reveal a fundamental concern of mine: your Second Life avatar only exists with the permission of of Linden Labs, and its future is bound to theirs.

Similarly: if your identity exists at the whim of another organisation, then it is not under your control and could cease to exist without your approval.

That would be a bad thing.

But before going further with that matter, I want to rhetorically ask:

Why Pursue Identity At All?

Our culture – our biology – seems geared for use of certificates to gain access to resources: having the “right” scent to enter the anthill, dressing an orphaned lamb in the skin of a dead one so that the latter’s mother will feed it… these demonstrate that nature has some grasp of authentication for a service, even if sometimes it implements weak authentication – e.g. a cuckoo’s egg in a reed-warbler’s nest[5].

What happens next is (I believe) unique to humans: we conflate “authentication” with an abstract concept of “identity”, and thence indirect from that to “authorisation” – so that somehow your state of mind, your beliefs, learnings, and capabilities can be captured, documented and carried-about as a certificate.

To be technical for a moment, traditionally speaking:

  1. authentication is the act of proving your “identity”

  2. a certificate documents an authorisation in an authoritative manner

  3. the process of authorisation provably binds an “identity” to the permission or ability to use or access a privileged resource

…or as otherwise experienced with a Norwegian police officer:

  1. “Yes Officer, my name’s Alec Muffett. Here’s my Passport.” (authentication)

  2. “Yes I am permitted to drive a motorcycle, here’s my license.” (certificate)

  3. “Feel free to check the license, it’s got the hologram, etc.” (authorisation)

  4. “The freeway speed limit is 50 km/h? You have got to be joking…” (negotiation)

…so when demanded by one authority (Norwegian Police) I am required to show two verifiable / hard to forge certificates: one linking the abstract concept of “Alec Muffett” to the actual human-being in front of him, and the other linking the abstract concept of “Alec Muffett” with the privilege of riding a morotcycle in the United Kingdom.

In passing, note that Norway’s recognition of the UK’s motorbike test is some manner of cross-domain federation.

The abstract concept known as “Alec Muffett” is my identity.

The UK Government understands “Alec Muffett” as the identity of a person who in 2001 passed the UK motorbike test thereby granting “Alec Muffett” the privilege of riding a motorbike on the UK’s roads – but although congruent, the identity of “Alec Muffett” is not equal to the six-foot-four hominid commonly associated with the name and who is typing this posting; instead it’s more a cloud of “claims” (either explicit or implicit) which are associated with the latter.

Claims are, for instance:

  1. Explicit: Alec Muffett is male

  2. Explicit: Alec Muffett passed a UK Motorcycle Riding test in 2001

  3. Explicit: Alec Muffett was born in 1968

  4. Implicit: Alec Muffett is old enough to buy alcohol in the state of California
    (since he was born in 1968 and thus is older than 21)

It would be really bad if we had to go around carrying certificates to authorise us for each and every one of the claims which dominate our lives. The cloud of explicit claims about Alec Muffett is large; the cloud of implicit ones is much larger, because an implicit claim derives from the context of someone seeking to verify the claim (eg: a Californian bartender) – and there are a near infinite number of potential contexts in the universe.[2]

However, in the real world, carrying physical certificates seems to be what biology has predisposed us towards.

What happens when we move our identities “online”? What happens is that folk try to replicate the authorise-via-trusted-certificate model of access control; and then they fret about the management issues regarding having done so.

Why do they do this, and why do they fret?

To move back to the Norwegian police analogy above: rather than resorting to credentials and identity to prove my ability to ride a motorcycle to a police officer, why not appeal to the the officer’s ability to observe that:

  1. I am demonstrably riding a motorcycle now.

  2. He has observed me riding it for a few miles.

  3. I would be perfectly happy to undertake a small test, there and then.

In short: why could not the police officer to observe me, develop a relationship with me, and from that satisfy themselves of my capabilities.[3]

If instead of being observed for a couple of miles once-off by a police officer, what if he knew me from the local motorcycling club? Wouldn’t having that relationship shortcut questions about my authorisation to ride a motorcycle – and shortcut invocation of a whole heap of paperwork and certificates, unless I was actually being booked?

The answer is obviously “it doesn’t work like that in the real world – relationships don’t scale in the real world”.

Yes, of course, but why should it not work like that in cyberspace? Because relationships do scale in cyberspace.

So What Am I Saying About Authorisation?

I am saying that authorisation need not be linked to an identity when it can be linked to a relationship with an entity, instead.

Anyone who has heard me speak at length about security in the past ten years or so, will have heard me utter something like:

Amazon really don’t care who you are in respect of your drivers license. They likely don’t care what your passport number is either, or who the government say you are. What they really care about is that the person placing an order today is the same person who placed an order last month, and the month before, and that each time before the person paid.

I submit that the frippery of Identity – that whole circus of indirection from me to a identity, from that identity to some authorisations, contains a potentially unnecessary step, one that can sometimes (perhaps frequently) be circumvented by maintaining a relationship with the entity to which you might otherwise have to authenticate.

What eluded me completely was the obvious next step, which was later inspired by months of talking with Adriana Lukas about Project VRMDoc Searls‘ pursuit of Vendor Relationship Management.

The next step is simple: create a tool that maintains a person’s relationships with third parties, but puts them under his or her own control.

A Different Way To Approach Authentication

To recap the above: traditionally there are three tines of authentication – three things you assert to prove your right to access a resource:

  • something you have

  • something you know

  • something you are[4]

eg: you have a key to a door, you know the password, you are the General in uniform or the appropriately-coloured cuckoo’s egg in a reed-warbler’s nest.

(Author’s note: at this point, if you’ve not read it already, please go read footnote [5] – you’ll need the background in a moment)

All of the above are predicated on the notion of need for repeated authentication – you use your door-key daily, your password likewise, you check your eggs each time you return to the nest.

But here’s a new spin on “something you are” – what if instead of checking the shape and colour of the eggs each time we return to the nest, instead what if we just watched the eggs, ever vigilant and unblinking, all the way from laying to hatching?

What if the reed-warbler was able to stretch its attentions beyond all conceivable bounds and move from weak authentication of the form:

You ARE an egg of the correct shape and colour

…to a more radical strong authentication of:

You ARE the specific egg that was laid, and I can guarantee that fact because I have never ceased to watch you since the time you were laid

In short, what if you had a relationship with your eggs, and could stretch that initial relationship (egg laying) through to conclusion (hatching) without any interruption?

If you were capable of doing that, you would have invented a new style of authentication – “relationship based authentication” – that requires no external parties or authorities to function.

And, interestingly, it would be a form of “single sign-on”.

The Third Form Of Single Sign-On

Eve Maler and Drummond Reed recently published The Venn Of Identity in IEEE Security and Privacy magazine, and it serves as an excellent introduction to a lot of the thinking, terminology, concerns, and perhaps some of the fads of the Identity community.

For me, the critical section is headed “Overview: Federated Identity Model” on page 17, in which it defines terms like “user”, “user-agent”, “identity provider” (IdP) and “service provider” (SP), and goes on to describe how “Single Sign-On” comes in two flavours:

SP-initiated Single Sign-On
Alice wants to buy something online; the vendor (SP) authenticates Alice by contacting a higher authority (her IdP; compare with Norwegian validation of a UK driving license, above)

IdP-initiated Single Sign-On
Alice wants to buy something online; she connects to her IdP which provides pre-authenticated channels to other vendors from whom she can buy.

My question is: Where is the third party in all this? Why has the user no authority or involvement?

Where is “User-initiated Single Sign-On”?

Where is my ability to talk to a vendor and for them to have surety that I am me (and for me to be sure that they are themselves) by virtue of the fact that I am the same person who has been dealing with them for several years?

This also brings me back to my fundamental issue with “Big I” Identity, viz: that the Identity universe is currently predicated upon ignoring the most important person in an authentication transaction: the user.

In Identity-land, the user is considered passive and non-authoritative – the papers and protocols all pay lipservice to the need for “self-asserted claims” – letting a person describe themselves authoritatively – but answers to heavy-hitting questions like:

  • Is this person old enough to buy booze?

  • Is this person permitted to ride a motorcycle?

…are all still dealt with using cyberspace metaphors of the old driving-license-certified-by-authority model.[6]

However, as I’ve outlined above, that is not the only way.

On the web we have an additional way to authenticate – via ongoing relationship; technologies that can implement this are already well-used and well-understood; any network engineer can explain how to use TCP to establish a reliable connection between two nodes albeit layered atop an unreliable datagram connection. All we need in order to to establish a reliable relationship is to stretch the communications mechanism out over time rather than distance – like a warbler watching its eggs rather than riskily re-authenticating them time and again.

You sign-on with a vendor, once. A single time. You can bootstrap that into authenticating all future communications.

This provides “User-initiated single sign-on”.

Identity: Your Part In Somebody Else’s Goldmine

Way back in 2001 some chap at Microsoft came up with a really brilliant idea – everyone in the world could have a free Hotmail account, and could use that e-mail address as an identifier to log into all of the e-commerce sites in the world, the latter being able to query Microsoft (now an Identity Provider, IdP) to prove whom it was that was trying to buy stuff.

PressPass: How widely does Microsoft expect this federation to be adopted?

Payne : We strongly believe that a universal authentication model is extremely valuable to virtually every business. Over time we expect that this interoperability will become as important and ubiquitous as interoperability of e-mail is today. So, I guess you could say we expect adoption to be very strong. Large business and corporations are especially interested in ways in which they can unite their divergent worlds of authentication within their own companys networks. They also want to [be] enabling users [to] navigate inside the company’s firewall with just one authentication and a single sign-in. Or when they need to visit the site or services of a trusted, third-party vendor, supplier or customer. For instance, imagine how easy an employee will find it to have just one password and ID that they can use securely when visiting their company’s HR benefits page, then leave the internal site to visit their company’s travel-services site — even though that site is run by an external vendor.

The rest of the world threw rocks at the idea: your Hotmail account would become the “mark of the beast”, you would not be able to transact without it, Microsoft would hold a treasure trove of information about you, what if Microsoft crashed, the world would not be able to transact… and thus was the Liberty Alliance born, an organisation to challenge the threat from passport and provide an alternative:

The Liberty Alliance was formed in 2001 by approximately 30 organizations to establish open standards, guidelines and best practices for federated identity management. The Liberty Alliance met this goal with the release of Liberty Federation in 2002, the industry standard for successfully addressing the many authentication, privacy and security challenges surrounding online identity management. Deployed by organizations around the world, Liberty Federation allows consumers and users of Internet-based services and e-commerce applications to authenticate and sign-on to a network or domain once from any device and then visit or take part in services from multiple Web sites. This federated approach does not require the user to reauthenticate and can support privacy controls established by the user.

Now here’s the funny thing: the Identity model back in 2001 was very authority-centric, and with some validity (at the time) assumed that the user – beyond use of passwords, etc – was incapable of participating in an authentication process, incapable of making authoritative statements about themselves, and incapable of transacting on the web on their own terms.

The model has not evolved since that time; but the world has moved immensely.

As I write in 2008 some one million, perhaps nearly two million people carry BSD/Unix servers in their pockets – they are called iPhones – and the world’s populace are gradually moving online 24×7; those who don’t yet have Apache running on their phones have hosted servers, blogs, wikis, e-mail accounts…

So the key realisation missing from Identity today is that there is the potential for three equal parties to participate in an transaction – the User, the Service Provider (e.g. vendor) and the Identity Provider.

Or even, as described above, we can drop the IdP out of the loop for some purposes; and the User will take back physical possession of their own data, and perforce will become authoritative regarding their own data, and will be able to project control over their own data.

“Big I” Identity In The Large

Summing up what has been discussed so far:

1) Identity is predicated on an old model of the disempowered user – dating from the Microsoft Passport era of 2001, if not before – and little if any thought seems to be given to the potential for active, even leading participation of a User and his or her iPhone in the authentication process.

2) Following from the above, where the old world of Identity focused upon the importance of third-parties making authoritative statements about someone, a new zeitgeist could concentrate upon people taking charge of their own data, and becoming the definitive source of claims about themselves in the process.

3) And from that, the role of Authority in Identity will fade somewhat.

Adriana describes it most clearly:

In the offline world identity is really third-party driven, to put it crudely, we are what our papers say we are. Your birth certificate attests to your date of birth, your utility bills to your residence, your diploma to your education etc etc. It has been so because our identity management has had several fundamental features ‚ it is centralised, system-centric and it is read-only. We are used to deriving our authority and credibility from a system that grants and confirms it. It is important that we can do that as the only way we can transact in a hierarchical environment is via authorisation from the level above us. (a definition of hierarchy is that in order to interact with somebody on the same level I have to go via a superior level).

Whatever the web turns out to be, it is not a hierarchy. It is a network, i.e. a heterarchy, a network of elements in which each element shares the same “horizontal” position of power and authority, each playing a theoretically equal role. This has impact on how my identity is defined and who defines it. From blogs to social network profiles, people are learning how to define their thoughts and ideas, record their lives in multimedia formats, share their experiences, swarm around causes and defy companies, institutions and authorities. From linky love to P2P, they are bypassing traditional media and distribution channels, learning the ways of direct connections.

People online build and destroy reputations, create and squander careers, establish themselves as experts or celebrities. That’s the birds eye view. The closer look reveals emergence of self-defined (and self-driven) identities. By writing I learn to articulate my thoughts better, by sharing I learn to differentiate from, as well as identify with, others. I become aware of myself and my preferences in ways that in the times before the web were available to a select few – writers, artists, politicians and the more articulate celebrities. We have ways of connecting with others who become validators and authenticators of our self-defined and persistent identities. The challenge is to understand and find how to evolve and use those for other than communication and information transactions.

When attending Identity conferences I encounter startup after startup whose concept of “enabling user-centric Identity” is to reinvent Microsoft Passport in the small; they all promise that you can give them your personal data – and maybe some money – and they will manage your data (your “identity”) securely on your behalf, somehow giving you added value in the process.

There’s even a software project out there now, again predicated on the Identity notion that you are neither fit nor capable to look after your own data, nor are you capable of being an authoritative and accessible resource for the same – but you may be permitted a pretty interface to manager your own data, when held on someone else’s website.

So that’s what Identity’s definition of “user-centric identity” is all about; for a second time (and in a separate posting) Adriana hits the nail on the head:

User-centric says – “we are going to build a system, put the user in the centre instead of the system”. So far, so good, but this sits uncomfortably with me as a user especially as one that is used to the online tools that have changed many an old way. The tools – blogs, wikis, feeds and feed readers, BitTorrent, Flickr, Dopplr, Twitter etc – are revolutionary not just because of their functionality, bits of code or their interface, but their design for usefulness, their modularity and constant evolution. There is an element of open-endedness in their design, either accidental or deliberate, recognising that the designers cannot foresee all the uses to which people will put the tools to. The simplicity is the key, the complexity coming from usage rather than the design. In other words, they are user-driven.

And that’s where I think we’re going, and I don’t think there is any way of stopping it, even if I wanted to. The web is creating this enormous mass of user-capability, and the sheer gravity will drag us all sideways into a world of user-driven identity.

So what happens to “Big I” Identity?

It won’t die, but identity will have to adapt to the user’s definition.

– alec

ps: I am not here going to investigate ideas like transitive-trust as applied to User-initiated Single Sign-On – e.g. that the fact I have a relationship with one party could be used to help me establish a separate relationship with another party; to discuss this would be re-opening notions of federation[7] which I am trying to get away from.

The new user-defined-identity space will be based upon having multiple independent relationships – not some form of corporate-enabled polyamory.

pps: (UPDATE) I am also here not going to get into the weirdness of Identity wherein the goal is to centralise your personal information to make management of it convenient, and then expend phenomenal amounts of brainpower implementing limited-disclosure mechanisms and other mathematica, in order to re-constrain the amount of information that is shared; e.g. “prove you are old enough to buy booze without disclosing how old you are”. Why consolidate the information in the first place, if it’s gonna be more work to keep it secret henceforth? It’s enough to drive you round the twist, but it’ll have to wait for a separate rant.

Footnotes

[1] There is no footnote #1.

[2] For starters, there are at least as many contexts are there are pubs.

[3] Oddly enough, it works exactly like this for drink-driving – in a drink-driving scenario it is assumed that although you may have passed a test at some point in the past, the issue at hand is whether you are capable of driving a vehicle at this precise moment in time. Hence all the “can you walk in a straight line, are your reactions impaired” stuff.

[4] Over (several) drinks recently, Ben Laurie amusingly cited me someone someone who described these rather more accurately as “Something you had, Something you forgot, Something you were” – but alas I forgot which wit came up with that.

[5] The Cuckoo lays eggs parasitically; it finds the nest of one of the host species (typically containing 3..4 eggs) and removes a single egg laying one of its own as a replacement. The surrogate parents do not spot the impostor because the total egg-count is the same, and Cuckoo eggs may be somewhat larger than but have similar colouration to the original eggs. The surrogates brood all the eggs, however the Cuckoo chick hatches early and pushes all other eggs/chicks out of the nest so that there is no competition for resources. The surrogates feed the solitary cuckoo chick, until it fledges. This is clearly a case of identity theft, fraud, and security failure due to weak authentication.

[6] I have heard too many times, statements such as “Governments won’t accept self-asserted claims – for information like my home address – without some third party’s certificate that attests to the accuracy of that data”; somehow the people who tell me this ignore that every time I use a pen to fill-in my address on a tax return, let alone on a DVLA web-form, I am making a self-asserted claim with which the tax office seem perfectly content…

[7] I have nothing against federation within a security domain, eg: If one company merges with another, then it’s nice to have tools which permit hybridisation of the two user-bases without pain; see the BOFH/sysadmin commment in the introduction. However I draw a mental line between that, versus using my DVLA driver identification number to authenticate my purchase of beer from Amazon, or whatever…

17 thoughts on “Hankering For A World Without “Identity” or “Federation”

  1. Chris Samuel

    It’s been a long day (as was yesterday) so my brain is probably not up to speed, but I have two questions:

    1) What is a morotcycle ? :-)

    2) Does OpenID seem to you to be a bit more user centric (given that you can run your own OpenID server should you so wish) ?

    I guess the main reason the user gets left out is because of trust – or the perception of trust.

    To take something that’s going on here in Australia at the moment, there is a big push for a federated identity across academia. So, for instance, should a user from Uni of Melbourne want to sign up for an account at VPAC then we’ll refer them back to the UoM IdP and if that comes back and asserts that they’re a member of staff there then we’ll believe them.

    But we wouldn’t believe it if the user just told us that they were Professor of Computational Basket Weaving..

    Reply
  2. Simon

    Surely the main reason we don’t use many independent relationship models is that it complicates the issue of trust management.

    Amazon want to get paid first time as well, they do that by using a credit card number, and other details, and going back to big databases of information (mostly held by your credit card company), that ties “alec” the legal entity to the purchaser in as many ways as possible.

    Similarly if you try and hire a motorbike in Norway, they don’t want to watch you drive, they just want to pass the risk to an insurance company who accepts your paper credentials as a minimum criteria for issuing a policy.

    I think the same thing will apply to the Internet. No matter how good a pseudonyms reputation, if there is no scope for legal redress in the real world, or exchange of cold hard cash, then certain activities won’t happen because there isn’t enough trust established.

    Reply
  3. Geoff Arnold

    Some comments from a colleague:

    I think this is the first time I have *ever* seen anyone acknowledge what I have said all along: that it doesn’t matter who you are, only that you can lie consistently. That’s really rewarding actually that at least one other person shares that opinion.

    I can’t remember where exactly I saw the reference, but my friend XXX described the “something you know, something you have, something you are” trilogy really well at one point. He said it as “something you have forgotten, something you have lost, and something you once were.” I think that captures a large part of the problem really.

    Reply
  4. Joe Andrieu

    Stimulating stuff.

    Ideologically, or perhaps politically, I’m in complete agreement. User sovereignty is critical to building a better future.

    Also, I’m with Doc and Adriana generally on the user-driven v user-centric (although I don’t think everyone wants to cook all their own meals… sometimes we want to order from a menu).

    However, can’t your post be boiled down to the argument that self-asserted claims are morally preferable?

    I agree that for a vast number of cases, they are. But architecturally, one would hope you could handle claims from anyone, including those that allow minimal disclosure (such as the drinking age claim) or transitive trust. Isn’t there something to be said for transitive relationships, like Visa backing my financial capability at a new vendor?

    Why shut down the thinking in those areas just because self-asserted claims are sufficient for the types of one-on-one relationships you want to build?

    The fact is, the types of relationships you want are 100% enabled by the current Information Card user-centric identity paradigm. So are a lot of other kinds of relationships. Yea! That seems like how it should be to me.

    -j

    Reply
  5. alecm Post author

    Hi Joe,

    However, can’t your post be boiled down to the argument that self-asserted claims are morally preferable?

    Only by people who oversimplify complex subjects into zero-sum games, Joe. :-)

    I agree that for a vast number of cases, they are. But architecturally, one would hope you could handle claims from anyone, including those that allow minimal disclosure (such as the drinking age claim) or transitive trust. Isn’t there something to be said for transitive relationships, like Visa backing my financial capability at a new vendor?

    Indeed; in face I think you’ll find that I said that existing mechanisms will continue to exist – and that I was further saying that they will have to budge-over a bit to make seating space for a new and different way of doing things.

    Regards transitive trust: chatting with Ben Laurie a few nights ago, he described some issues of relationship-based identity in terms of whether you believed it was possible to make a Strong-AI solution of any kind. This intuitively resonated with me.

    Eg: for transitive trust in relationship-based authentication, I think not, because I am a weak-AI person. I believe that you can have transitive trust in human relationships only because a human is involved:

    I trust Doc; Doc trusts Joe; Therefore I kinda-trust Joe

    …and I think for that to be replicated in a digital context requires more judgement than a digital actor can bring to bear, because nobody has created a true Artificial Intelligence on the scale of a human, yet.

    You could of course pursue research into the sort of crypto-token-swapping-to-demonstrate-transitive-trust that other networks engage in, but short of forming a token-ring of relationships and passing a nonce around inside it, chinese whispers style:

    I give Doc a secret, Doc gives you the secret, you give me the secret back, so I know you know Doc

    …which in itself is a matter fraught with difficulty as it depends upon the integrity of the node (ie: Game Over, if someone hacks Doc) – there is also the matter that beyond that level, in order to solve the relationship transitive trust issue in a relationship-identity space, you will need to invoke certificates and identities and whatnot, all the baggage that relationship-based authentication seeks to avoid.

    So… it would be a bit like proposing an Atheist Church; perhaps a nice conceptual idea, but it rather defeats the the object if you expect it to be adopted seriously.

    Why shut down the thinking in those areas just because self-asserted claims are sufficient for the types of one-on-one relationships you want to build?

    Well a) your comment comes misrepresents the position I am taking because it stands upon your “self-asserted claims are morally preferable” strawman, and b) I am not shutting anyone down but c) I do believe that transitive trust in relationship-based authentication is… dubious, for the reasons cited above.

    The fact is, the types of relationships you want are 100% enabled by the current Information Card user-centric identity paradigm.

    Dude, they are also enabled by the telephone. Reach out and touch someone. And also by e-mail. And a pile of other much-simpler-to-comprehend stuff than CardSpace.

    So why lard people down with crypto-crap?[1]

    See you at IIW.

    -a :-)

    [1] I am happy to talk about crypto crap, having generated a considerable amount of it in my lifetime. http://ftp.cwi.nl/herman/NFSrecords/RSA-155

    Reply
  6. alecm Post author

    Hi Simon,

    Surely the main reason we don’t use many independent relationship models is that it complicates the issue of trust management

    Pardon the glib answer, but time is limited this evening; am happy to follow up if you like.

    Short response: Ask your teenager about Facebook. Look at their friends list. You’ll be amazed.

    [...] if you try and hire a motorbike in Norway, they don’t want to watch you drive, they just want to pass the risk to an insurance company who accepts your paper credentials as a minimum criteria for issuing a policy.

    I think the same thing will apply to the Internet. No matter how good a pseudonyms reputation, if there is no scope for legal redress in the real world, or exchange of cold hard cash, then certain activities won’t happen because there isn’t enough trust established.

    Doubtless; and there are places in the real world where it is “money up front”, too; most burger joints, and (from what an ex-navy colleague tells me) most whorehouses too – but those places are not in pursuit of repeat business and customer relationships; you don’t hire a motorbike once a week, and McDonalds flatly don’t care.

    But your local wine shop? Hairdresser? Supermarket? Insurer?

    From what I am seeing, they are more than likely to be interested.

    Reply
  7. Pingback: Online Identity - Your Doing it Wrong - Cataga

  8. Joe Andrieu

    Alec,

    I wasn’t suggesting a zero-sum game, now was my suggestion a strawman. I was actually trying to understand the key difference between your perspective and the current intended functionality of “Big I” Identity technology. You explicitly shut down conversations about a bunch of value created by the current approaches, such as Single Sign On and Selective Disclosure. So, if we can’t defined “Big I” Identity on those grounds, it makes sense to try to understand what you’re really getting at.

    At the core of your approach to relationships, one still needs to authenticate with the vendor at the beginning of *each* transaction. Stretching the communications mechanism out over time rather than distance still requires some sort of “session identifier” and some way to validate that the current sender is still the initiator of the session. TCP is great for low security continuity, but it certainly doesn’t help with man-in-the-middle attacks, which become all the more problematic when stretched over time. So, while you’ve avoided third-party authentication, you still need to authenticate and to be able to maintain that authentication trail across the lifetime of the relationship.

    If we agree on that, then one might hope to see the value in Single Sign On. Because, frankly, managing session identifiers and authenticating at every website that wants a relationship with me is a PITA. Given there is value for SSO, then let’s cut out the “Identity Provider” so that the user can self-authenticate. Great. That puts us in a world of self asserted claims, which is entirely enabled by the current world-view in big “I” Identity. Good stuff, important in the architecture, and in fact, “a tool that maintains a person’s relationships with third parties, but puts them under his or her own control.”

    It is also a bit confusing why you conflate “authentication” with “authorisation”.

    In your definition section they are accurate, but in the beginning you define authantication as “the act of establishing rights or privileges to access resources is one of the most fundamental (and common) actions to occur within a computer network.” That is authorization not authentication.

    Later, you ask “What happens is that folk try to replicate the authorise-via-trusted-certificate model of access control?” But that it a mistatement. “Big I” Identity AUTHENTICATES via trusted certificate. The authorization by the Relying Party is then based on the relationship that party believes it has with the user as reference by that authenticated Identity.

    For the most part, user-centric Identity deals with third party authentication only. Whether or not that authentication enables access to restricted resources is entirely up to the Relying Party, based, as it should be, on the relationship with the user. The primary win with today’s Identity is in this ability to outsource your authentication as a website owner. Whether it is OpenID or CardSpace, there is no need to maintain the headaches and support issues of username & password.

    Finally, you seem to be missing the real point of user-centric identity you set up the following two-player perspective:

    SP-initiated Single Sign-On
    Alice wants to buy something online; the vendor (SP) authenticates Alice by contacting a higher authority (her IdP; compare with Norwegian validation of a UK driving license, above)

    IdP-initiated Single Sign-On
    Alice wants to buy something online; she connects to her IdP which provides pre-authenticated channels to other vendors from whom she can buy.

    And then ask where’s the user? Perhaps it is the nature of trying to see the air we live in, but in both cases, Alice is the user, and Alice actually initiated both transactions. In both cases, it is the action by Alice that triggers the authentication chain, and Alice that provides the information/gestures to authenticate her relationship with the SP. The only question, architecturally, is whether Alice starts at the SP or the IdP. Seams pretty straightforward to me. BOTH are user-driven.

    So, I’m really not understanding your rant. But then you state at the beginning that convincing me wasn’t your objective, so maybe I don’t need to understand it. However, I think the user-centric developments in “Identity” are the best current source of momentum against Big-Brother style Federated Identity by single authoritative organizations, such as the government or BigCo. Sure it’s not perfect, but there is a lot more to gained by building on that momentum instead of railing against it.

    All that said, I do want to say that I’m not a big fan of “user-centric”, except that it is already reasonably understood by the folks actually making this technology happen. User-driven is a great improvement, but has its own flaws as well; I strongly resonate with the fact that the user needs to drive the transaction, not just be the center of attention. As I put it to Doc, the Truman Show, with Jim Carey, is certainly Truman-centric, but it is most definitely NOT Truman-driven. I think the way to enable that user-driven capability is through open source and open standards so that anyone can build tools that address the needs of Identity. I think that is happening, courtesy of many efforts, including OpenID and the Higgins project you explicitly pan.

    The fact is, any solution in this area is going to need to address a boatload of complex, sometimes conflicting priorities. The user-centric crowd is a vast improvement over the federation universe. Transforming that into a user-driven movement seems more a matter of evangelism than confrontation.

    Reply
  9. Pingback: Links » The World Without “Identity” or “Federation” is Already Here

  10. alecm Post author

    @Joe:

    You explicitly shut down conversations about a bunch of value created by the current approaches, such as Single Sign On and Selective Disclosure.

    Yes, I did, because I am not interested in talking about the beliefs of religion when I am trying to talk about being an Identity atheist.

    So, if we can t defined ‘Big I ” Identity on those grounds, it makes sense to try to understand what you re really getting at.

    “Defined”, or “defend”?

    At the core of your approach to relationships, one still needs to authenticate with the vendor at the beginning of *each* transaction. Stretching the communications mechanism out over time rather than distance still requires some sort of ‘session identifier”

    There are alternatives to that; in fact there needs to be some sort of session “method” rather than an identifier; if you are a TCP geek, you should know about the TCP tuple:

    {tcp/udp, srcip, dstip, srcport, dstport}

    …which is the session identifier of which you speak; whereas I am talking about an analogue to the TCP sequence-number algorithm, a conceptually and functionally different beast.

    [...deletia...]

    If we agree on that, then one might hope to see the value in Single Sign On. Because, frankly, managing session identifiers and authenticating at every website that wants a relationship with me is a PITA.

    So is managing relationships; but go look at the facebook of any significantly involved teenager, and assess their capabilities to drive the same.

    Given there is value for SSO, then lets cut out the ‘Identity Provider ” so that the user can self-authenticate. Great. That puts us in a world of self asserted claims, which is entirely enabled by the current world-view in big ‘I” Identity.

    Enabled? Yes. Deprecated, I believe. Fundamental, no. Ignoring the possibility of the claims becoming the identity, certainly.

    It is also a bit confusing why you conflate ‘authentication ” with ‘authorisation “.

    Because the former is not always necessary to obtain the latter.

    In your definition section they are accurate, but in the beginning you define authantication as ‘the act of establishing rights or privileges to access resources is one of the most fundamental (and common) actions to occur within a computer network. ” That is authorization not authentication.

    I could have phrased that better, but I am trying to use terminology that comes down from Trusted Solaris so I must deal with a noun/verb conflict:

    1. (verb) authentication is the act of proving your identity
    2. (noun) a (particular) authorization is the binding of a privilege (of some sort) to your identity.

    See the problem?

    Later, you ask ‘What happens is that folk try to replicate the authorise-via-trusted-certificate model of access control? ” But that it a mistatement. ‘Big I ” Identity AUTHENTICATES via trusted certificate.

    Yes, and in doing so it invokes the notion of abstract identity, for which Adriana and I are trying to provide an alternative, and hence the posting.

    [...deletia...]

    The primary win with today’s Identity is in this ability to outsource your authentication as a website owner. Whether it is OpenID or CardSpace, there is no need to maintain the headaches and support issues of username & password.

    Funny; over at Ben’s blog he’s telling me that that the power of OpenID is that it is self asserted and under the user’s own control – and I don’t doubt that, but it is still playing the Big-I Identity game. Go read Ben’s blog (link below, trackback #2) for more.

    Finally, you seem to be missing the real point of user-centric identity you set up the following two-player perspective: SP-initiated Single Sign-On Alice wants to buy something online; the vendor (SP) authenticates Alice by contacting a higher authority (her IdP; compare with Norwegian validation of a UK driving license, above)

    …no, Joe, I am not ignoring it. It merely is not interesting to me when I am talking about an alternative.

    Jeez, now I know what it must have felt to throw away the parallel axiom and try telling people there are alternative geometries. “Whaddya mean, parallel lines must cross?”

    Reply
  11. Pingback: This blogger has a Hankering For A World Without “Identity” or “Federation”

  12. Pingback: Identity - An Alternative Perspective : James Farnhill’s Work Blog

  13. Pingback: Opinion of #SeamlessID at request of @mrchrisadams ; #security #identity & a HT to @blaine – dropsafe

  14. Pingback: What I think is wrong with #VRM – HT @nzn @glynmoody @windley @dsearls @adriana872 – dropsafe

  15. Pingback: Regrettably @Mat Honan is Entirely Wrong about “Killing Passwords” /cc @Wired – dropsafe

Leave a Reply