
MemeStreams Discussion



This page contains all of the posts and discussion on MemeStreams referencing the following web page: Mind blowing delivery of Identity 2.0. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

Mind blowing delivery of Identity 2.0
by w1ld at 11:14 am EST, Jan 3, 2009

My friend Steve Clayton, long time employee of Microsoft and general geek genius, posted a video which really blew my mind. The delivery of this “presentation” by Dick Hardt, who recently joined the corporation, is unique in style, and will draw you in, like some crack addict being tempted with a chocolate fudge brownie.

While this video may not directly involve or have to do with students, it’s an interesting delivery style which should be noted for those inevitable presentations we’ll have to give. Also, some of the content about the next generation of identity; how we use it, in what forms, online and offline, is certainly for students. After all, we are the next generation of IT users - this is what we need to look out for.

http://www.youtube.com/watch?v=RrpajcAgR1E&e


 
RE: Mind blowing delivery of Identity 2.0
by Decius at 9:12 am EST, Jan 5, 2009

This presentation does a very good job of laying out the problem, but we've been talking about this problem for years. What is the solution? It doesn't seem we're going to get one out of Sxip. They have a Firefox plugin that fills out website forms for you, and the speaker here has gone to work for Microsoft. I'm pretty sure there were Windows apps that did what the Sxip plugin does 8 years ago.

Why hasn't identity 2.0 happened? Nobody with the money and the userbase has been willing to create a platform that solves this problem, because they don't care about part of the problem, or because they think that controlling some aspect of the architecture will make them rich. The best architecture has the following characteristics:

1. Anyone can host identities. (Passport didn't work because Microsoft was the only identity provider and no one trusted them.)
2. Anyone can accept identities. (This is why the federated identity stuff is solving a different problem.)
3. The identities mean something. (This is the problem with OpenID.)

The two most interesting developments in this space right now are:

1. RealID. Governments have traditionally been the identity providers. They handle 3 and 2 quite well. Traditionally, they've gotten around 1 by forcing people to work with them. I think it's interesting and surprising that RealID hasn't happened, but I'm not going to bet against the state. At some point soon some government will issue smart cards that can be used as online credentials with a USB smart card reader. One could imagine child predator hysteria being leveraged by an enterprising group to create a social networking site that can only be accessed with government issued credentials - an environment that is "safe for children." It's a natural evolution of current laws prohibiting sex offenders from using social network sites. Providing those sites with a way to check secure government issued credentials from every user is the only way to enforce that sort of requirement.

2. Facebook. They've created an application platform that is centered around user identities. They also handle 2 and 3 well. They share problem 1, but they are attempting to overcome Microsoft's trust problems by creating an environment where privacy is carefully managed. The day when someone asks us if MemeStreams will accept Facebook credentials is fast approaching.

I'd love to be able to create a system that solves all three problems. I really don't think there are any outstanding technical barriers to doing so. The problem is that it's a big project and it has no patron.

It is the unfortunate consequence of our economy that:

1. It's expensive to develop a good platform.
2. Platforms only work if they become pervasive.
3. Charging for things creates a barrier to adoption.
4. Barriers to adoption prevent platforms from becoming pervasive.


  
RE: Mind blowing delivery of Identity 2.0
by Decius at 11:13 am EST, Jan 5, 2009

Decius wrote:
1. Anyone can host identities.
2. Anyone can accept identities.
3. The identities mean something.

I figured I'd preemptively answer the obvious question this raises. The way you achieve this is by:

1. Allowing identity providers to make assertions about the identities they provide.

2. Providing identity acceptors with mechanisms for managing the list of identity providers from whom they trust assertions and what sort of assertions they trust.

--

1. Allowing identity providers to make assertions about the identities they provide.

Basically, the identity host must be able to say things like:

User Bob54 says his name is "Bob Marley."
User Bob54 says his email address is "bob@gmail.com."
- We tested this with a verification email on 01/01/06 and it worked.
User Bob54 has been a user of our system since 01/01/06.

Preferably, the user should be able to control which assertions the provider provides to which acceptors, so that private information can be managed in the system.

2. Providing identity acceptors with mechanisms for managing the list of identity providers from whom they trust assertions and what sort of assertions they trust.

There are many possible architectures here. It may be the case that a small number of widely trusted identity providers will emerge, but unlike Passport the system will be open to competition. One approach that I like is to have an entity that audits identity providers and publishes a list of ones that follow certain best practices. That entity could collect user fees from both providers and acceptors.
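
The provider/acceptor split described in the post above, as an added example that is not part of the original thread: a provider signs only the assertions the user has released to a given acceptor, and the acceptor believes only claims from providers, and of types, on its own trust list. The names `idp.example`, `forum.example`, `issue`, `accept` and the policy layout are hypothetical, and HMAC with a shared key stands in for the public-key signature a real system would use.

```python
import hashlib
import hmac
import json

# Constructed sample data. HMAC with a per-provider shared key stands in for
# the public-key signature a real deployment would use.
PROVIDER_KEYS = {"idp.example": b"constructed-demo-key"}

# What the provider knows about Bob54 (mirrors the assertions in the post).
ASSERTIONS = {
    "name": {"value": "Bob Marley", "verified": False},
    "email": {"value": "bob@gmail.com", "verified": True, "checked": "01/01/06"},
    "member_since": {"value": "01/01/06", "verified": True},
}
# User-controlled release: which claims each acceptor may receive.
RELEASE = {"forum.example": {"email", "member_since"}}

def issue(provider, user, acceptor):
    """Provider side: sign only the claims the user released to this acceptor."""
    claims = {k: v for k, v in ASSERTIONS.items() if k in RELEASE.get(acceptor, set())}
    body = json.dumps({"iss": provider, "sub": user, "aud": acceptor,
                       "claims": claims}, sort_keys=True)
    sig = hmac.new(PROVIDER_KEYS[provider], body.encode(), hashlib.sha256).hexdigest()
    return body, sig

def accept(body, sig, acceptor, policy):
    """Acceptor side: return only the claims its own trust policy allows."""
    msg = json.loads(body)
    key = PROVIDER_KEYS.get(msg["iss"])
    trusted = policy.get(msg["iss"])
    if key is None or trusted is None:
        return {}  # unknown or untrusted provider: nothing is believed
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig) or msg["aud"] != acceptor:
        return {}  # tampered, or issued for a different acceptor
    # Keep a claim only if its type is trusted from this provider and it meets
    # the acceptor's verification requirement for that type.
    return {name: c["value"] for name, c in msg["claims"].items()
            if name in trusted and (c["verified"] or not trusted[name])}

# Acceptor policy: provider -> {claim type: must the provider have verified it?}
POLICY = {"idp.example": {"email": True, "name": True}}
```
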


 
 