Mobile Identity Workshop

Submitted by fen on January 28, 2007 - 1:48am.

I had the opportunity to spend a few hours at the Mobile Identity workshop on Friday 1/26 in San Francisco (I'm going to miss this place). Some notes follow.

OpenID was present throughout the workshop, and it was good to hear more people asking about - or speaking intelligently about - XRI and i-names. The recent OpenID phishing thread came up during a lunchtime chat with John Clippinger, one of the workshop's organizers. We agreed with Victor Grey's recent blog post that community-based reputation and well-defined trust boundaries provided the best solution for protection from phishing, and also, ultimately, from spam.

Just before I left, Drummond Reed and I considered the organic growth of reputation in communities and how this process can be enhanced by user-centric identity. In particular, I've been thinking about how to allow multiple organizations to join a "club" that has access to the full membership of each of the participating organizations while increasing the ability of each member to choose who can contact her, for what reasons, when and how. Sounds like a job for i-names!

Drummond asked if I've been in touch with Jon Ramer of the Interra Project who I met in the early days of Identity Commons. From what I understand (I have not yet been able to talk with him directly about this) Jon has been asking some of the same questions with respect to the WISER Commons, a project of the Paul Hawken's Natural Capital Institute. (For a more fleshed out demo, see WISER Business.) Clearly, user-centric identity would enable multiple businesses to share their member bases while simultaneously increasing the control each user has. Further, strong authentication of businesses in the "club" would increase trust, perhaps even more when combined with e.g. social whitelisting.

There are clear opportunities here for working with organized, self-selected communities ready and interested to publish reputation metrics on issues of interest. These metrics will serve not only the organization's members, but also any and all groups that value those metrics, creating overlapping, intersecting and reinforcing structures of value to an expanding, aware populace.

As arguably the granddaddy of personalized identity with privacy (mentioning it in my thesis in 1981) and co-founder of the first XRI-based identity broker, 2idi.com, (serving i-names since 2004), it was wonderful to see such energy and passion directed at creating user-centric digital identity for the mobile devices that in a very real way, define who we are.

CardSpace, XRI and Freedom
Submitted by fen on January 28, 2007 - 1:57am.
A few more notes:

Mike Jones presented Microsoft's CardSpace (formerly InfoCard) that provides Net users with an excellent mechanism for authenticating themselves and trusted services they wish to use within Windows Vista-based systems. What was new at this gathering was Kim Cameron's recent post followed up by Mike's email to "offer assistance to XDI.org-Accredited I-Brokers who would like to add CardSpace support."

The offer was greeted with cautious enthusiasm, as "dancing with elephants" can be dangerous indeed. Further, there is a growing realization that OpenID and particularly i-names (available in the OpenID protocol) support a super set of the use cases that CardSpace supports. The bottom line is that authentication and single sign-on are only the beginning - enabling a service to contact me via a SEP (Service End Point) that I define (email, phone, bit bucket, etc...) is basic for XRI and well beyond CardSpace's capabilities. The suggestion was made that Microsoft should instead be asking us to support XRI's in CardSpace (I agree!). Wearing my hat as CTO of the first i-broker, you can bet that I'll be watching this space.

In a breakout on privacy requirements, Ben Laurie (now at Google) offered hope that we could have truly anonymous phones by randomly choosing Mac (low level network) identification codes and securely authenticating through secure communications with a trusted base station (e.g., running Asterisk). (Phil Windley blogged on the implications of such phones.) While some suggested that privacy and control was neither expected nor required, I noted that Freedom actually depends upon Privacy, and that while different services within a society may require certain forms of identification, the choice should always be the individual. There was general consensus that mobile identity - the electronic analogue of a drivers license - should be able to answer questions like "Are you over 21?" without yielding any other information than a trusted (by the relying party, perhaps a night club) "yes" or "no".

I'm thinking that another facet of the "Negroponte Inversion" may be ahead of us: the day may come where the only place you have any expectation of privacy is online, while one's "meatspace" life is recorded a thousand times over.