On a recent flight to Seattle, Microsoft identity expert Vittorio Bertocci wrote:
I want to take some time writing down some hallucinatory (=vision without execution) thoughts about omnidirectional identities. Be warned, this may be just pointless rambling.
It isn’t pointless, not by a long shot, but the term omnidirectional identity needs to be unpacked — and maybe even revised to something like public (versus private) identity, or broadcast (versus narrowcast) identity. I had a long talk with Vittorio last month, for a new interview series I’ll be launching soon, and in the part where we discussed OpenID and CardSpace he discussed omnidirectional and unidirectional identity:
VB: OpenID is actually a kind of omnidirectional identifier, which is something that sooner or later we have to deal with. Whereas cards are metaphors that help me to do things that are unidirectional. Every time I use a card, it’s for a transaction specifically with one relying party.
The same happens with OpenID, but you have the perception that there’s a URI which describes you. This opens the way to future developments which, in my view, we desperately need. What we see happening with Facebook is just a signal that the industry needs to do for omnidirectional identifiers what we are now doing for unidirectional identifiers.
JU: Can you define those terms?
VB: The idea is that your identity, or identity in general, can have different audiences. An omnidirectional identifier is something you use for being recognized by everybody. So if you go to the Verisign website, using HTTPS, their certificate declares their public identity.
Then you have unidirectional identities. So if I land on a website that, for business purposes, asks my age, then I obtain a token specifically for that website. We call this unidirectional. The flow goes straight to that website and nobody else. When you use a card today, or OpenID, you’re in a unidirectional context. You’re transmitting attributes to one specific relying party.
But in the case of OpenID, I have my account, vibro.openid.com, and it’s a URI, it’s my identifier, and it’s omnidirectional in the sense that everybody knows it. While in the case of my cards, there’s nothing that I tell to everybody. So I think OpenID is a good starting point for thinking about an ecology of omnidirectional identity. How do I handle identity that I want projected everywhere, not just to a specific relying party?
Also, the concept of an identity provider — in both CardSpace and OpenID — is for giving you attributes about yourself. I go on a website, I want to buy wine, I am the one who is asking the identity provider to certify me. While in the world of social networks, the requester of an identity may be somebody other than me. If somebody is looking at my profile, it’s not me. But the request is still for identity information about me. This is an area that needs thought. As an industry we did an excellent job with unidirectional identity, and the ecosystem for both CardSpace and OpenID is vital. But we haven’t yet found the laws for omnidirectional identity. When we do, things like Facebook Beacon won’t happen. We need to extend the conversation to include omnidirectional identifiers for users. A website has a public identity. But at this moment, a user’s public identity is an imagined phenomenon. You search for yourself and find traces of your identity on the web, or maybe the identity of somebody who has your same name.
JU: Or someone who said something about you. Made a claim about you, in effect.
I’ve long projected a public identity omnidirectionally, so I’ve had a long time to consider this issue. A decade ago, when I realized the asymmetry of digital certificates — the secure website identifies itself to you, but not vice versa — I began using, and advocating the use of, client digital certificates. I used them to sign my emails, and would have used them to sign my postings to the Net if there had been any kind of ecosystem in place to recognize and honor those assertions of identity. There wasn’t, and there still isn’t. Meanwhile, as Vittorio notes, we’ve done a good job of first thinking through, and then implementing, the unidirectional identity scenarios that we need for e-commerce.
I realize now that even blogging, as big a phenomenon as it has become, wasn’t enough to motivate serious thought about the kind of public identity projection that I’ve always understood blogging to be. But I think Vittorio is right. The social networks are a much bigger phenomenon, and they’re acquainting many more people with the notion of public identity projection. Perhaps now the need for a system that enables people to project and manage their own public identities — a need that I was never able to articulate convincingly before — will simply become apparent.