Identity 2.0

This weekend, I attended a scientific meeting and, although the content of the presentations was often interesting, they also often lacked attractiveness. This reminded me of two videos I stored, some time ago, on my hard disk. Sébastien Lorion called them “refreshing”. And, for me, not only do these presentations look beautiful, they also talk about an interesting topic: who are you on the internet?

In the first presentation (a keynote at OSCON 2005), Dick Hardt talks about what identity is and how we prove who we are in the online world.

Identity is what I say about me and what others say about me. In the real world, technical advances have enabled the separation between acquisition and presentation of credentials, as well as the separation between the identification process and the authorisation process.

Now, in the online world, we are still at the “Identity 1.0” level, where one has to register at a website in order to get a service. User IDs and passwords are just authentication: they only prove that you are a directory entry! At this level, it’s impossible to prove who you are, because this so-called “verified identity” is not what you apparently give to the website but what this website knows about you. Dick Hardt calls those websites “walled gardens”: closed and complex identity silos, lacking transparent policies, simplicity, scalability and flexibility.

So, with his company, Sxip, he proposes a Simple eXtensible Identity Protocol (that is what the acronym SXIP stands for), based on buzzwords like “Web 2.0” or “webservices” (ok, I’m exaggerating a little bit). He described some of the technological details in another presentation (given at ETech 2006). And, although I didn’t test the websites he gave as examples, I think that, perhaps like other companies (MS Infocard, IBM Higgins, …), they succeeded in separating acquisition from presentation of credentials as well as the identification process from the authorisation process.

Use of a credential provider to many resources needing this credential
Use of many credential providers to only one resource, a bit like showing ID, SSID and driver license to the policeman
Claim acquisition
Claim presentation
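
The separation described above, as an added example that is not from the talk, from Sxip or from the original post: a provider signs a claim once (acquisition), and any relying party that trusts the provider's public key checks it later (presentation) and then takes its own authorisation decision. The claim format and all function names are assumptions made for illustration; this is not the SXIP protocol.

```javascript
// Added illustration, not SXIP: all names and the claim format are hypothetical.
const crypto = require('crypto');

// A claim provider holds an Ed25519 key pair; relying parties know the public half.
function makeIssuer(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { name, publicKey, privateKey };
}

// Acquisition: the user obtains a signed claim from the provider, once.
function issueClaim(issuer, subject, attribute, value, expiresAt) {
  const body = JSON.stringify({ iss: issuer.name, sub: subject, attribute, value, expiresAt });
  const sig = crypto.sign(null, Buffer.from(body), issuer.privateKey).toString('base64');
  return { body, sig };
}

// Presentation: the relying party verifies offline against issuers it trusts.
// It holds no password for the user and does not call the provider.
function verifyClaim(claim, trustedIssuers, now) {
  try {
    const parsed = JSON.parse(claim.body);
    const key = trustedIssuers.get(parsed.iss);
    if (!key) return null;                                  // unknown provider
    const sig = Buffer.from(claim.sig, 'base64');
    if (!crypto.verify(null, Buffer.from(claim.body), key, sig)) return null; // altered
    return parsed.expiresAt > now ? parsed : null;          // reject stale claims
  } catch {
    return null;                                            // malformed input
  }
}

// Authorisation: a separate decision, taken only on verified claims.
function authorise(claims, trustedIssuers, now, policy) {
  const verified = claims.map(c => verifyClaim(c, trustedIssuers, now)).filter(Boolean);
  if (new Set(verified.map(c => c.sub)).size !== 1) return false; // one subject only
  return policy.every(([attr, val]) =>
    verified.some(c => c.attribute === attr && c.value === val));
}
```

The claim here is a bearer object: it is not bound to a particular relying party or to the person presenting it, which a real deployment would have to add.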

In his talk, Dick Hardt gave two links: his blog and that of Microsoft’s Kim Cameron (where you can find the laws of identity, but I haven’t had time to read them yet).

Finally, to come back to the presentation aspects, I think Dick Hardt’s presentations are quite surprising for me; sometimes the slides go too fast (that’s because I’m becoming old 😉 ). But I am wondering how I can apply some of his tricks to my presentations (the next one is on June 29th). Let’s see…

One thought on “Identity 2.0”

  1. Peter Gutmann’s home page also helps to better understand that PKI is often PK without the “I”. SXIP seems very interesting, but I always have a cautious approach when an identity management discussion is around… Another point is the licensing approach: http://sxip.net/index.php/License seems ok at first glance, but the license only covers use of the specification document. The future will tell us…
