Saturday, January 01, 2005

Jumping In: Thoughts on Identity

Okay, so I've read so little about Identity that I feel completely empowered to voice my opinion. I've learned over the years that the most naive "first take" on a complex issue is often quite relevant, so I'm posting my first thoughts about it, to be recanted later, or refuted by the experts :) I've been reading some offshoots of Doc Searls's identity postings and getting interested.

I started by reading the Laws of Identity that, if not obeyed, will:
...leave behind us a wake of reinforcing side-effects that eventually undermine all resulting technology. The result is similar to what would happen if civil engineers were to flaunt the law of gravity.
I find it funny that the purpose of identity is not included in this lofty statement, because the laws are unanchored without a clear statement of what is being achieved when the laws are met. I would even go so far as to reject the laws out of hand as meaningless without a goal stated along with them. Can you really say, in boldface, that "The emergent system must conform to all of the laws" without a precise definition of success or failure? I think not. Maybe this is implicit in the conversation and stated elsewhere, but given that this is an open conversation, and apparently an unsolved problem, my Googling is probably as good as the next guy's.

What is the goal of Identity? The folks at RSA Security have laid out two that seem reasonable: common infrastructure, and a single, global, unique credential. I see some goals already from thinking about this for a while:
  • a globally unique identifier
  • validation, e.g. to prove I am who I say I am
  • location/presence (e.g. if it's really "me" then I must be only one place)
Undoubtedly it's all of the above, but it seems to me that they follow one from another, starting with uniqueness and validation. After that you can do anything you want.

I immediately look to precedents, and I see two obvious ones: the Domain Name System (DNS) and phone numbers / CallerID. Or even a third, a credit card number. This whole thing seems like a previously-solved problem to me. Phone numbers are going away (too slowly, but it's inevitable, as it's a bad system). Credit card numbers are not good as unique identifiers, though I think we computer geeks could learn a thing or two about validation and security by following an industry that has been moving money for decades (though the validation is extremely weak, it's clearly entrenched, and pretty well trusted worldwide).

Here's what I think, off the top of my head: use DNS, and extend it slightly:

Uniqueness: your email address, which is globally unique, managed by the global (and obviously workable and successful) DNS infrastructure, portable to new vendors, and everything you want in a unique identifier, with the possible exception of spam vulnerability. Domains are unique via the hard work and deep infrastructure of DNS, and the "user@" in front of it is a natural for identity.

Validation: this should work by expanding DNS to allow cryptographic validation: a lookup that returns a public key instead of an IP address. Again, the infrastructure is already there, and proven. Why invent yet another central authority and try to propagate it out into the world?

Presence: this is harder, and relates to the notions of "logging in" and "sessions" and so forth. The DNS infrastructure clearly doesn't want to be in the business of tracking individual users and their sessions, but this could perhaps be delegated by DNS to a "current host IP address" that would represent the user's current session.

Thinking more about this, it could be a very interesting way to deal with the zillions of individual logins on all the individual web sites at the moment. Have each of these web sites force the validation through a DNS lookup and then track the sessions themselves.
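As an added sketch of the validation step (not code from this post), here is a Go version of the idea: a constructed in-memory zone stands in for DNS, a site issues a challenge, the user signs it, and the site checks the signature against the public key "DNS" published for that email address. The owner-name derivation (user._identity.domain) and the record format (a base64 Ed25519 key) are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"strings"
)

// identityZone is a constructed stand-in for a DNS zone: owner name -> base64 Ed25519 key.
var identityZone = map[string]string{}

// lookupName maps user@example.com to the hypothetical owner name user._identity.example.com.
func lookupName(email string) (string, error) {
	user, domain, ok := strings.Cut(email, "@")
	if !ok || user == "" || domain == "" {
		return "", errors.New("identifier must be user@domain")
	}
	return user + "._identity." + domain, nil
}

// Publish installs the user's public key under their owner name.
func Publish(email string, pub ed25519.PublicKey) error {
	name, err := lookupName(email)
	if err != nil {
		return err
	}
	identityZone[name] = base64.StdEncoding.EncodeToString(pub)
	return nil
}

// ResolveKey is the "DNS returns a public key instead of an IP address" step. A real
// deployment must DNSSEC-validate the answer, or a spoofed response substitutes any key.
func ResolveKey(email string) (ed25519.PublicKey, error) {
	name, err := lookupName(email)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(identityZone[name])
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("no usable identity record for " + name)
	}
	return ed25519.PublicKey(raw), nil
}

// Validate is the site's side of the login: challenge is a fresh nonce it issued, sig is ed25519.Sign over it.
func Validate(email string, challenge, sig []byte) bool {
	pub, err := ResolveKey(email)
	return err == nil && ed25519.Verify(pub, challenge, sig)
}
```

The site must generate a new random challenge per login attempt, so a captured signature cannot be replayed.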

Who owns DNS anyway? It's a big open source morass, right? Perfect :)
