June 01, 2011

On Disambiguating Identity

Yesterday, during his D9 interview, Eric Schmidt was quoted as saying, “It’s the first generally available way of disambiguating identity. Historically, on the Internet such a fundamental service wouldn’t be owned by a single company. I think the industry would benefit from an alternative to that….Identity is incredibly useful because in the online world you need to know who you are dealing with.” There has been academic research on disambiguating identity through social circles and social data. This may help us move away from a service owned by a single company, but I am afraid that it will still leave us beholden to a handful of companies. In my opinion, OpenID is a more appropriate, user-centric solution.

First of all, I don’t mean OpenID as it is generally understood, namely a single identity used across multiple sites. Yes, OpenID originated as a Single Sign-On solution. But I am focusing on its decomposition into three parties and the protocol of engagement between them. The three parties are 1. the Individual, 2. the Identity Provider (IP) and 3. the Relying Party (RP). The protocol of engagement is first the interaction between the Individual and the RP, second the interaction between the Individual and the IP, and finally the interaction between the IP and the RP, including Attribute Exchange. Additionally, I want to discard the widely held assumptions that RPs are expected to accept any and all IPs and that they should accept all the attributes provided by the IPs. Even though OpenID has never stipulated either, these two assumptions have found their way into our unconscious minds.

So how will I assert my identity with different RPs who may want to verify different attributes? If an RP would like to know my current employer, I will present an OpenID issued by my employer, and the RP can request the needed attributes, such as start date, salary or other personnel information. I would use the OpenID procedure to allow or restrict access to such information as appropriate. If an RP is interested in ensuring that the individual is a school-going student, it would require the IP to be an accredited school, and the RP could access the age of the individual to further restrict access to age-appropriate material. If an RP is interested in my address, it could require an OpenID from the DMV or a utility company. And so on.
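The RP-side policy described above, sketched as an added example that is not part of the original post: the RP trusts a given IP only for specific attributes and keeps only the attributes it asked for. The hostnames, attribute names and function names are constructed for illustration, and the sketch assumes an OpenID library has already verified the assertion's signature and the IP endpoint.

```python
from urllib.parse import urlsplit

# Hypothetical RP policy: for each attribute the RP needs, the IP hosts
# it is willing to believe for that attribute. All names are constructed.
TRUSTED_ISSUERS = {
    "employer": {"openid.employer.example"},
    "age": {"openid.school.example"},
    "address": {"openid.dmv.example", "openid.utility.example"},
}


class PolicyError(Exception):
    """The assertion does not satisfy the RP's issuer/attribute policy."""


def issuer_host(op_endpoint):
    """Return the lowercase host of an https IP endpoint, else raise."""
    parts = urlsplit(op_endpoint)
    if parts.scheme != "https" or not parts.hostname:
        raise PolicyError("IP endpoint must be an https URL")
    # Exact parsed host, never a substring or prefix match on the URL.
    return parts.hostname.lower()


def accept_attributes(op_endpoint, asserted, required):
    """Filter attributes from an already signature-verified assertion.

    Returns only the required attributes, and only if this IP is
    trusted for every one of them. Extra attributes are dropped.
    """
    host = issuer_host(op_endpoint)
    accepted = {}
    for name in required:
        if host not in TRUSTED_ISSUERS.get(name, set()):
            raise PolicyError(f"{host} is not trusted for {name!r}")
        if name not in asserted:
            raise PolicyError(f"IP did not supply {name!r}")
        accepted[name] = asserted[name]
    return accepted
```

Matching on the parsed host rather than the raw URL string means look-alike endpoints such as `https://openid.dmv.example@other.example/` or `https://openid.dmv.example.other.example/` are rejected.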

To summarize, the technology is in place. We should evangelize and advocate the use of this technology to drive wide adoption.

Posted by aswath at June 1, 2011 04:43 PM
If you do not have an OpenID, then please use www.enthinnai.com/unauopenid/anyblog.



Copyright © 2003-2014 Moca Educational Products.