On a recent flght to Seattle, Microsoft identity expert Vittorio Bertocci wrote:
I want to take some time writing down some hallucinatory (=vision without execution) thoughts about omnidirectional identities. Be warned, this may be just pointless rambling.
It isn’t pointless, not by a longshot, but the term omnidirectional identity needs to be unpacked — and maybe even revised to something like public (versus private) identity, or broadcast (versus narrowcast) identity. I had a long talk with Vittorio last month, for a new interview series I’ll be launching soon, and in the part where we discussed OpenID and CardSpace he discussed omnidirectional and unidirectional identity:
VB: OpenID is actually a kind of omnidirectional identifier, which is something that sooner or later we have to deal with. Whereas cards are metaphors that help me to do things that are unidirectional. Every time I use a card, it’s for a transaction specifically with one relying party.
The same happens with OpenID, but you have the perception that there’s a URI which describes you. This opens the way to future developments which, in my view, we desperately need. What we see happening with Facebook is just a signal that the industry needs to do for omnidirectional identifiers what we are now doing for unidirectional identifiers.
JU: Can you define those terms?
VB: The idea is that your identity, or identity in general, can have different audiences. An omnidirectional identifier is something you use for being recognized by everybody. So if you go to the Verisign website, using HTTPS, their certificate declares their public identity.
Then you have unidirectional identities. So if I land on a website that, for business purposes, asks my age, then I obtain a token specifically for that website. We call this unidirectional. The flow goes straight to that website and nobody else. When you use a card today, or OpenID, you’re in a unidirectional context. You’re transmitting attributes to one specific relying party.
But in the case of OpenID, I have my account, vibro.openid.com, and it’s a URI, it’s my identifier, and it’s omnidirectional in the sense that everybody knows it. While in the case of my cards, there’s nothing that I tell to everybody. So I think OpenID is a good starting point for thinking about an ecology of omnidirectional identity. How do I handle identity that I want projected everywhere, not just to a specific relying party?
Also, the concept of an identity provider — in both CardSpace and OpenID — is for giving you attributes about yourself. I go on a website, I want to buy wine, I am the one who is asking the identity provider to certify me. While in the world of social networks, the requester of an identity may be somebody other than me. If somebody is looking at my profile, it’s not me. But the request is still for identify information about me. This is an area that needs thought. As an industry we did an excellent job with unidirectional identity, and the ecosystem for both CardSpace and OpenID is vital. But we haven’t yet found the laws for omnidirectional identity. When we do, things like Facebook Beacon won’t happen. We need to extend the conversation to include omnidirectional identifiers for users. A website has a public identity. But at this moment, a user’s public identity is an imagined phenomenon. You search for yourself and find traces of your identity on the web, or maybe the identity of somebody who has your same name.
JU: Or someone who said something about you. Made a claim about you, in effect.
VB: Exactly.
I’ve long projected a public identity omnidirectionally, so I’ve had a long time to consider this issue. A decade ago, when I realized the asymmetry of digital certificates — the secure website identifies itself to you, but not vice versa — I began using, and advocating the use of, client digital certificates. I used them to sign my emails, and would have used them to sign my postings to the Net if there had been any kind of ecosystem in place to recognize and honor those assertions of identity. There wasn’t, and there still isn’t. Meanwhile, as Vittorio notes, we’ve done a good job of first thinking through, and then implementing, the unidirectional identity scenarios that we need for e-commerce.
I realize now that even blogging, as big a phenomenon as it has become, wasn’t enough to motivate serious thought about the kind of public identity projection that I’ve always understood blogging to be. But I think Vittorio is right. The social networks are a much bigger phenomenon, and they’re acquainting many more people with the notion of public identity projection. Perhaps now the need for a system that enables people to project and manage their own public identities — a need that I was never able to articulate convincingly before — will simply become apparent.
“I used them to sign my emails, and would have used them to sign my postings to the Net if there had been any kind of ecosystem in place to recognize and honor those assertions of identity. There wasn’t, and there still isn’t.”
Uh, isn’t that exactly what the PGP web of trust is? If you remain wedded to your SSL certificate, there’s there Thawte web of trust which looks a lot like the CACert assurance process – get your identity validated to earn trust points, once you have enough you can start validating other people yourself.
> PGP / Thawte
Yes, been there and done that. The conclusion was that these strategies were OK for me, but not for non-geek civilians.
> PGP / Thawte
The problem is not only about finding “universal” *credentials*. It is about enabling an *identity*-conscious ecosystem to thrive (for the differences between identity and credentials see http://blogs.msdn.com/vbertocci/archive/2007/06/11/credentials-vs-identity-authentication-vs-what.aspx or http://www.amazon.com/dp/0321496841). If we consider also the omnidirectional case, that includes regulating how others access your identity rather than you just proving who you are. Proving who you are (..to whom?) may be the starting point, if you want, but what’s left to discover is what should happen before and after that in order to have a sustainable system and protect the interests of all the actors involved.
Even if the problem would be handling universal credentials, unfortunately committing to a single technology would not do. Jon mentions that PGP would not work for non-geeks, ofr example; you can pretty much find some shortcoming for every technology that will make it non eligible for some use; that’s the reason for which a meta-system is needed :-)
Hi Jon,
I’ve been wondering about the same subject recently and it is my believe that somewhere along the way we dropped the chance to build a nice personas/facets layer between people and internet services. Tough luck… :|
I think the missing concept is that of personas. Not the limited ones same some Open ID providers support, but those described by danah boyd in her thesis http://smg.media.mit.edu/people/danah/thesis/.
Jonathan Vanasco has a good implementation of these ideas with findmeon.com (more details over at http://destructuring.net/IdentityResearch/) but I think the real solution should go even further in order to give users control over their social >unified< graph and their online presence – both managed from a persona/facet perspective.
I would like to go deeper in what I’m ranting about, but this is just from the top of my head. Eventually I’ll have to take some time to write these ideas down. :)
This duality exists within the OpenID concept as well.
Some people perceive OpenID as a single sign on utility, without the need to correlate their behaviour at different openID consumers – in OpenID 2.0, there’s even a way to prevent that: OpenID 2 directed identity.
For others, OpenID is a way to claim ownership of a page, posting, site activity: they want to explicitly link up these disparate activities using their Openid/public identity URL.
What you call Omnidirectional identity, Simon willison calls Identity projection, see:
http://simonwillison.net/2008/Jan/7/projection/
Thanks for getting my comment “back”. :) Oddly enough, now it’s shown twice, the first time in January 5… probably it just got in the moderation queue in the first place. :) Anyway, it got be thinking about the “Data control” issue. Anything that triggers thought is welcome! :)
But getting back to commenting your original post (with clearer ideas now).
Omnidirectional identity/identity projection is *very important* in that it correctly matches the way we manage identities in the real life.
– We have our national ID, medical ID, student’s ID assigned to us by different institutions;
– We control the aggregation (normally in our wallets) and disclosure of our information to others;
While today the trend seems to be towards using Open ID to aggregate your identity in one place, I argue that aggregating one’s identity in one place is bad in that it allows the creation of previously non existing connections between different closed silos – where you might be exposing different personas/facets of your identity. Leading to the possible undesirable overlap of conflicting contexts of one’s life. The aggregation of one’s various online identities should be done in a place under one’s control (from what I’ve read I’m cheering for CardSpaces :)).
I’m not dismissing Open ID. In fact, it’s the perfect match to support omnidirectional identity/identity projection!
I could have Open IDs assigned by the various entities where I’m registered (me@myCountry, me@myHealthSomething, me@myAlumni, me@myCompany) and aggregate them has part of my identity. The institutions would be only identity providers (not consumers of other institution’s IDs) and the aggregation would be made only locally/offline.
Well, using Open ID’s across sites would still be useful but only if 1 Open ID was related with only 1 persona/facet, and persona/facet management was done locally/offline.
The missing piece in getting people to take responsible control of their digital identities is this persona/facets layer (where a person would stitch together her various omnidirectional identifiers). When you start looking at identity this way you’ll probably see the web and its trends in a whole new way. At least I did. ;)
The tunes Seriously, Find out more?Most people Increasing, escape – in.Conditioner in your, can this really.Experience heaven in Fixing elevated error rate on twittercom, about to take kids along Avoid.About this business, But is the.,
The co-ed shower, single affiliate initiated?Advertising is to, Seal all air.Help eliminate this, will set your.Era contract Most Fixing elevated error rate on twittercom, try and remove or to go.Fun coed baby, development but for.,
South Africa An, across some problems?Name ring tones, Visualize how much.It xClose the, to pull back.Six months without Latest News, kleinen Laden auf effects of Global.Arthritis What medications, web page: Google.,