On Online Identity
Last night, my tweetstream lit up with comments about a piece that Ev Williams (of Twitter) wrote entitled, "Five Easy Pieces of Online Identity." I threw a few off-the-cuff comments out there and went to bed. Morning brings clarity, and the desire to comment a bit more.
First, a little context:
I've "known" Ev since the early days of Blogger (early as in him and Meg Hourihan running it, and me emailing Ev and saying, "Ev, blogger's f&cked, can you reboot it?"). In fact, Chris Locke and I ran personalization.com entirely on Blogger (i'm still arguing that this was the very first example of a business site run entirely on a blogging platform -- circa 2000).
Shortly thereafter, I got seriously involved in identity. I co-founded Digital ID World (identity management conference; sold to IDG), and was employee #1 at Ping Identity (which is now a bona fide world wide leader in enterprise identity stuff; full disclosure - I'm a shareholder). When I got into identity, I was the young guy that had to listen to all of the old directory guys tell war stories. When I "left" identity (it's like the mafia, you never leave), I was the old guy watching the young kids have the "same old arguments" that we'd been having for 7 years. Somewhere along the way, I provided feedback to Kim Cameron as he was writing "the laws of identity" -- which I consider to be *the* seminal identity document of the last 10 years.
Lastly, I obviously have huge respect for Ev, his work, etc. We're not "buddies" like we hang out having beers (or he'd even recognize me on the street), but more often than not, he answers when I shoot him an email, and I'd like to think he remembers me from back in the early blogger days -- so all of this is just constructive criticism, as it were.
With that as context, my thoughts on Ev's post:
Ev divides identity into 5 "easy pieces" - but I think he's got some confusion in the pieces (ie, there are actually more than 5), so let me walk through them individually.
1. Authentication. Ev begins with "authentication" and says it answers the question "do you have permission?" Every security guy I know just paused. That question is an "authorization" question, not an authentication question. Traditionally, security guys divide "AuthN" (shorthand for "authentication") and "AuthZ" (shorthand for "authorization") very strictly. Authentication answers one thing and one thing alone: are you who you claim to be? Once that question has been answered, THEN you move to authorization -- which is (properly) "what do you have permission to do/access/alter/etc?"
Note that AuthN and AuthZ can be split functions, as is the case with OAuth (I'm so woefully in over my head here that if I make technical errors you have to promise to be gentle). OAuth can provide AuthZ for an app to access some info (you give it permission), but it does not perform AuthN (it doesn't authenticate that you correctly are who you say you are). Example: I login to Twitter, I then give an app permission to access my twitter stuff via OAuth. I have given it authorization, but it (the app) has no way of knowing if i hacked the account to gain access in the first place - hence, AuthZ without AuthN.
Bottom-line: Ev *means* AuthZ, even though he labels it AuthN. I think. (I'll let him say differently.)
2. Representation: Ev starts off explaining "representation" by "who are you?" -- which makes every security guy think he means AuthN. But he doesn't. Hence, the question that he's answering is badly phrased. It's not "are you who you say you are?" (AuthN), but "who do you represent your self to be to the outside world (in terms of accomplishments, work history, etc)?" In this context, representation is actually the unverified flip-side of reputation.
Bottom-line: by the time Ev hits #2, he's actually got 3 pieces in his head -- AuthN (are you who you claim to be?), AuthZ (do you have permission?) and Representation (how do you present your self to the outside world?).
Since reputation is the flip side of representation, I'm skipping 3 (communication) and 4 (personalization) on Ev's list to deal (for now) with 5 (reputation).
5. Reputation: Ev's observations about reputation are spot on. Reputation is "how you are regarded" -- essentially, the flip side of representation. Reputation can be "verified" (credit scores) or "unverified" (an opinion) -- where "verification" does NOT equate to being true (there are incorrect credit scores all of the time). Most importantly, once we "externalize" and codify reputation in such way so that the person can see and access it, it's no longer reputation. Which is to say that at least HALF of reputation is what people say about you when you're not there to hear it.
3 and 4: Communication and Personalization: I actually think these are the same category, as "how do I reach you" is a personal preference. Call it the broad category of personalization -- which is giving the individual some amount of control over the relational dance that occurs between them and the outside service provider (or world at large).
That surfaces what I think is the *crucial* thing to consider when considering identity. And it's a tough philosophical nut to grasp.
Western civilization predisposes the majority of us ("us" being folks reading this blog) to think of "identity" as a discrete thing ("me") that was either determined via nature ("i'm born this way"), nurture ("my environment made me this way") or a combination of both. No matter what your view on nature or nurture, though, your western predisposition sees identity as a fairly discrete object ("me").
In practice, I'd argue that your "identity" is a constantly evolving set of relational interactions. Every time I use a debit or credit card to make a purchase, it is a complex interaction between me, the issuer of the card, and a service provider. That *interaction* (their actions as well as mine) feeds into a sense of "my" identity. But that information and interaction is in no way "owned" by me. At best, I'm legally able to exert some level of "control" over the exhaust (implications) caused by the interaction. But that's it. The relational nature of the interaction makes it nearly impossible for "me" (discrete entity) to "own" my "identity."
In that light, I'd break Ev's easy pieces down into things that are discretely associated with me and those that aren't. Note that "discrete" does not mean "lack of interaction" with other party. My philosophical stance (which is too nutty to detail here) is that there is no instance of identity where you're not interacting with something/someone/etc. (Feel free to drive yourselves crazy arguing about that without me.)
Discrete Pieces of Identity: Authentication (who are you?), Authorization (do you have permission?), Representation (how you present yourself to the world), and Reputation (how the world regards you).
Interactional Pieces of Identity: Communication, Personalization, Geo-location and any other instance where an "interaction" between you and a service provider occurs. Within that interaction, you may wish to express preferences.
The bottom-bottom-line: Ev's right. Online Identity is *still* one of the messiest problems out there, and people have been working on this for (no joke) decades (plural) now. Check out VRM, the IIW, Kantara, the Liberty Alliance, SAML, or any number of identity-related topics to see just how deep this rat-hole goes. Hats off to Ev for re-starting the discussion at large. I'll be watching to see if his next sure to be a monster startup tries to deal with the identity problem head-on. ;-)
(ps: come to gluecon for more on OAuth, SAML, etc.)