Commentary by Mark Wahl
Organizing principles for identity systems:
Repurposable identity management systems (part 1)
(2005/5/5-2005/5/9)
A measure of success for a technology tool is its ability to be repurposed and expanded by its user community.
Many good products start out with a design derived from a set of usage assumptions. The actual usage is different, and the design adapts.
In some cases, the users can modify the tool themselves, through customization or a modular architecture. More typically, the makers of the tool hear about the new applications and incorporate some of them into the next version or release.
Tension can occur if, in a service offering, the service operators do not wish to make their tool available in the way some of the community desire to use it, and there is no viable alternative to that service for those members of the community.
In social networking sites, the typical example of this was Friendster's goal of having identities correspond to individual human subscribers, with all the attributes represented in the Friendster service being accurate or at least non-infringing to any third party. (See Friendster's Fakester Buddies.) In contrast to the site operator's goal, many individuals wished to use the service in more 'creative' fashions, such as by using pseudonymous identities, creating accounts associated with groups and interests, etc.
This issue is particularly relevant to social networking services that wish to 'digitize' real-world associations - users will want to represent diverse sets of relationships besides a binary "friendship/acquaintance": kinship relations, mutual interests, etc. Some sites do that today; however, I'm not aware of any which allow one to present different identities to different communities.
In a closed world such as a private network or isolated service offering, various forms of contractual terms of service, review, vetting and other assurances can be used to limit what is present in a service. For example, in an aircraft maintenance management system, who is allowed to have an account is tightly controlled, and a user who describes themselves as a United mechanic familiar with 747 hydraulics can fairly easily be vetted (employed by United? etc).
Outside of a closed world, however, ...
In most of the social networking services today, all that is required to join the service is to have an email account (any email address). In order to launch a personal phishing attack, all that's required is some basic public information about the spoofed identity. The outer edges of the social network, those who are only connected via the service, have only a tenuous means of validation.
For example, suppose four or five hops away there appears a user with identity Brian Eno. The user's identity might have a few bits of relevant information (music industry, company named Opal, located in the UK) to rule out some other legitimate user who has the same name.
In Friendster, it is quite likely that this is an account used by someone impersonating the well-known Brian Eno, or perhaps it is a 'group' account to collect people who are fans of Brian Eno. In other services, it is not as evident what the account represents. As many online services are free, a script with a copy of 'Who's Who' or an encyclopedia could bulk register fake accounts for thousands if not millions of people. As the service doesn't know anything about the identity purporting to sign up, it has no way of checking.
Different systems have defined or will evolve techniques to address this, such as
- encouraging lots of connections - better-connected accounts are more likely to be authentic than sparsely connected accounts
- minimizing inflection points - can't have more than n degrees of connection
- performing validation checks on a purported identity by leveraging an external data source of non-public or semi-public data (e.g. credit, driver's license)
- predefined paths, e.g. X.509 certificate validation, typically through CA - organization - end entity
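The first two techniques in the list (connection count and a limit on degrees of connection) can be run as a simple screening pass over a service's social graph. The following is an added example, not code from the original commentary or from any of the services named; the graph, account names and thresholds are constructed for illustration, with a sparsely connected account bearing a public figure's name several hops from the vetted anchor, as in the Brian Eno scenario above.

```python
from collections import deque

# Constructed sample social graph (undirected): account -> set of connected accounts.
# "alice" is the one vetted anchor; "brian_eno" sits five hops away with a single link.
SAMPLE_GRAPH = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "carol", "erin"},
    "carol": {"alice", "bob", "dave"},
    "dave": {"alice", "carol"},
    "erin": {"bob", "frank"},
    "frank": {"erin", "grace"},
    "grace": {"frank", "brian_eno"},
    "brian_eno": {"grace"},
}

def hop_distances(graph, anchors):
    """Breadth-first search outward from the vetted anchor accounts.
    Returns account -> number of hops; accounts unreachable from any anchor are absent."""
    dist = {a: 0 for a in anchors}
    queue = deque(anchors)
    while queue:
        node = queue.popleft()
        for nbr in graph.get(node, ()):
            if nbr not in dist:
                dist[nbr] = dist[node] + 1
                queue.append(nbr)
    return dist

def assess(graph, anchors, max_hops=3, min_degree=2):
    """Apply the two heuristics: a sparsely connected account is suspect, and so is
    one more than max_hops degrees of connection from any vetted account.
    Returns account -> (degree, hops or None, list of reasons)."""
    dist = hop_distances(graph, anchors)
    report = {}
    for account, nbrs in graph.items():
        reasons = []
        degree = len(nbrs)
        hops = dist.get(account)
        if degree < min_degree:
            reasons.append("sparsely connected")
        if hops is None or hops > max_hops:
            reasons.append("beyond %d hops of a vetted account" % max_hops)
        report[account] = (degree, hops, reasons)
    return report

if __name__ == "__main__":
    for account, (degree, hops, reasons) in assess(SAMPLE_GRAPH, ["alice"]).items():
        print(account, degree, hops, reasons or "ok")
```

Both heuristics only flag accounts for review; they say nothing about who the person behind a well-connected account actually is, which is why the third and fourth techniques in the list (external data sources, predefined validation paths) are still needed.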
If we reach the goal of an interconnected system (the "backplane"), there are quite clear distinctions between the notions of identity and connectedness when comparing the different systems, and it is unlikely that there will be convergence to any one system that is able to encompass all the requirements of every Internet user. Some users will want to interact with systems that are able to give them certain guarantees (data quality), others want as much data as possible, and still others are free to relax certain constraints but are interested in expressing attributes, objects and relationships within their community that are not of general use or interest.
Several people are currently working on mapping syntax for interconnection - e.g. telephoneNumber is tel is <contact type="voice">. The meta-information, what use this information can be put to, is still outside the scope of these systems, and interpretation relies on the receiver applying human judgement - as (human) users develop and modify these tools, only other (human) users in the community can make use of them. Representation of meta-information will depend on the emergence of applications in which non-human identities (agents, devices, organizations, etc.) start making use of these same services and coexisting. More on this later.
I'll be at the Digital ID World conference the rest of this week.