Tuesday, September 12, 2006

Presence enabled identity

Giving back digital identity ownership to end users has been one of the most in-vogue identity memes of the year. But why is digital identity no longer in its owner's possession in the first place? Mostly because there is no way for an application to trace the real you back and check your privileges when needed. The result is the high number of digital identity fragments disseminated all over the internet that every power user has left behind in their wanderings.

An obvious first answer to this fragmentation is the re-concentration of digital identity fragments in a limited number of places. The usual advantages are put forward, mainly the convenience of near single sign-on. On the web, several alternatives have been implemented by various types of identity brokers, which are able to provide relevant assertions about a party's identity and/or privileges. But most proposed assertion systems require the end user to trust the identity broker. And frankly speaking, I am not convinced many end users go to the length of making sure, when choosing an identity broker, that:

  • Strong credentials are enforced and required by the broker,
  • Credentials are securely stored in the identity broker's database,
  • Physical and perimeter security at the broker's point of presence is enforced.

The next obvious answer would be to re-concentrate the complete digital identity in the immediate vicinity of the end user. After all, many tend to agree that physical ownership gives a better feeling of security…

An interesting proposal has been made in a recent series of posts describing the components of a reinvented internet. I have several concerns about the entire internet re-invention, but Jason also brings up some clever and simple ideas. In his approach, each and every user would own a domain name on which a private identity broker would be located. The proposal is interesting because an application can use the private identity broker directly, as it would a web identity broker. Today's applications would also be able to resolve that private broker's address using plain DNS.

Although it gives a better sense of ownership to the end user, this approach does not entirely answer the original question when the user is mobile or when an external application requests a dynamic authorization. These use cases are not edge cases in my opinion.

Carrying a laptop everywhere may not provide the ultimate freedom. A PDA might give a better feeling, but still. Using a password from a distant terminal will work, but is no better than today's solutions. And being remote definitely decreases the ability to provide interactive authorizations. I believe real identity ownership would ultimately involve some kind of portable device, using biometrics to assess one's identity when in use. This device would in turn advertise its presence on the network. It would then be "seen" by the private server. In turn, the server would be able to interact securely with the device and retrieve whatever privileges are required by calling applications.

This is the nearest I would go toward bringing together identity and presence. And why not just call it "presence enabled identity".
