sovereign identity

Doc Searls?' notion of sovereign identity is that users ultimately define and control how web services see them. This is a very controlled federated identity, one suitable to become a legally viable identity standard.

The jabber.org and Verisign? models require trust in one subvertible entity, albeit one that is so commonly used that many federated webs use them. Alternatives are required for whole-web service?s that must trust everyone. Vendor-centric models like eTrust? simply don't do the job, and can't do the job, as Internet user?s aren't in control of them.

Kim Cameron?'s model, which Microsoft? is adopting as its Identity Metasystem, is based on the Zoomit model (http://www.linuxjournal.com/article/8357) that it acquired with that company, and is meant to replace its earlier Microsoft Passport.

Kim Cameron's "Seven Laws of Identity"

Kim claims he found a "protocol that was so simple I could hardly believe it. I saw how it could work like a conduit for the simple exchange of tokens and how it could bridge many different identity systems." Then Craig Burton? took an interest, as did Drummond Reed?, Fen LaBalme?, Mark LeMaitre?, Kaliya Hamlin?, Jan Hauser? and Owen Davis? of Identity Commons? and Cordance?; Dick Hardt? of Sxip?; Marc Canter?; Simon Grice? of MiDentity?; and Phil Windley?, author of a book on digital identity?. All are open-source and open standards advocates. Kim "began posting his Seven Laws of Identity" at a slow pace, finishing in March 2005, and getting their reviews along the way.
  1. "User Control and Consent: digital identity systems must reveal information identifying a user only with the user's consent." That is, there can be no outing?.
  2. "Limited Disclosure for Limited Use: the solution that discloses the least identifying information and best limits its use is the most stable, long-term solution." That is, credentials and factions shield users' body name?s wherever possible.
  3. "The Law of Fewest Parties: digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship." An OP-recognized credential, for instance, implies privacy is well protected both for the credential provider and the user.
  4. "Directed Identity: a universal identity metasystem must support both "omnidirectional" identifiers for use by public entities and "unidirectional" identifiers for private entities, thus facilitating discovery while preventing unnecessary release of correlation handles." This implies that any unpublished credential can only be probed via an authentication protocol?, which allows for asymmetric relationships.
  5. "Pluralism of Operators and Technologies: a universal identity metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers." For instance, the open politics web must support a single wiki login? if at all possible.
  6. "Human Integration: a unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications." In other words, as part of an ergonomic unit? not as a naked unprotected body.
  7. "Consistent Experience across Contexts: a unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies." This is one goal of the Living Ontology Web.

"The Laws serve two purposes. The first is to guide conversation and development in an emerging marketplace. The second is to guide conversation and development inside Microsoft. Kim says he often finds himself saying stuff like, 'No, that would break the Fifth Law' or 'That misses the point of the Seventh Law.'"


In Microsoft's Identity Metasystem, Kim reports, "the encapsulating protocol used for claims transformation is WS-Trust?. Negotiations are conducted using WS-MetadataExchange? and WS-SecurityPolicy?. These protocols enable building a technology-neutral identity metasystem and form the "backplane" of the identity metasystem. Like other web services protocol?s, they also allow new kinds of identities and technologies to be incorporated and utilized as they are developed and adopted by the industry.... specifications for WS-* are published and are freely available" via OASIS. "Examples of technologies that could be utilized by way of the metasystem include LDAP claims schema?s; X.509?, which is used in Smartcards; Kerberos?, which is used in Active Directory and some UNIX environments; and SAML?, a standard used in inter-corporate federation scenarios."
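The Seven Laws above and the claims-transformation idea in this paragraph are easier to see in running code. The following is an added illustration, not code from Kim Cameron, Microsoft or any WS-Trust implementation: a toy identity provider that releases only the claims a relying party asked for and the user consented to (Laws 1 and 2), keeps the full profile at the provider alone (Law 3), and hands each relying party a different HMAC-derived "unidirectional" identifier so two services cannot join their records on the user (Law 4). The user profile, the relying-party names and the HMAC keys are all constructed for the example; a real metasystem would use asymmetric signatures and a key store rather than a shared HMAC key.

```python
"""Toy identity provider illustrating minimal disclosure, directed identifiers
and claims transformation. Constructed example, not the Identity Metasystem."""
import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed identity store: the only copy of the full profile lives at the
# identity provider, never at a relying party (Law 3: fewest parties).
USER_PROFILE = {
    "subject": "alice@idp.example",   # constructed
    "legal_name": "Alice Example",
    "birthdate": "1990-05-17",
    "email": "alice@example.org",
}

# Constructed secrets; a real provider would keep these in a key store/HSM.
PAIRWISE_SECRET = b"constructed-pairwise-secret"   # derives per-party handles
SIGNING_KEY = b"constructed-token-signing-key"     # toy shared key for tokens


def directed_identifier(subject: str, relying_party: str) -> str:
    """Law 4: a unidirectional identifier for one private relationship.
    HMAC over (subject, relying party) gives each party a different handle,
    so no correlation handle is released across parties."""
    mac = hmac.new(PAIRWISE_SECRET, f"{subject}|{relying_party}".encode(), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()[:16]).decode().rstrip("=")


def derive_claim(profile: dict, claim: str, today: date):
    """Claims transformation: answer the question asked, not hand over the
    data behind it. 'over_18' is computed from the birthdate, which is never
    released as a claim itself (Law 2: limited disclosure)."""
    if claim == "over_18":
        born = date.fromisoformat(profile["birthdate"])
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        return age >= 18
    if claim in profile and claim not in ("subject", "birthdate"):
        return profile[claim]
    raise KeyError(f"claim not available: {claim}")


def issue_token(profile, relying_party, requested_claims, consented_claims, today):
    """Issue a signed token holding only claims that were both requested by the
    relying party and consented to by the user (Law 1), bound to a directed
    identifier and to the intended audience."""
    released = [c for c in requested_claims if c in consented_claims]
    claims = {c: derive_claim(profile, c, today) for c in released}
    payload = {"sub": directed_identifier(profile["subject"], relying_party),
               "aud": relying_party, "claims": claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig


def verify_token(token: str, expected_audience: str) -> dict:
    """Relying-party side: check the signature and the audience before trusting
    any claim in the token."""
    encoded, sig = token.rsplit(".", 1)
    body = base64.urlsafe_b64decode(encoded)
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = json.loads(body)
    if payload["aud"] != expected_audience:
        raise ValueError("token issued for a different audience")
    return payload


def issue_demo_tokens(today=date(2024, 1, 1)):
    """Two constructed relationships: a shop that over-asks (birthdate, name)
    but only gets the consented 'over_18', and a forum that gets an email."""
    wine = issue_token(USER_PROFILE, "wineshop.example",
                       ["over_18", "birthdate", "legal_name"],
                       consented_claims={"over_18"}, today=today)
    forum = issue_token(USER_PROFILE, "forum.example", ["email"],
                        consented_claims={"email"}, today=today)
    return wine, forum


def demo(today=date(2024, 1, 1)):
    """Return what each relying party actually learns after verification."""
    wine, forum = issue_demo_tokens(today)
    return verify_token(wine, "wineshop.example"), verify_token(forum, "forum.example")


if __name__ == "__main__":
    shop_view, forum_view = demo()
    print(json.dumps(shop_view, indent=2))
    print(json.dumps(forum_view, indent=2))
    print("parties can correlate the user:", shop_view["sub"] == forum_view["sub"])
```

The two verified payloads show the shape of the laws: the shop sees `{"over_18": true}` and a handle that the forum's handle does not match, so even a breach at both parties does not yield a join key, and the audience check stops a token issued for the forum from being replayed at the shop.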

open alternatives

Searls reports various free software alternatives:
  • OpenID? says, "This is a distributed identity system, but one that's actually distributed and doesn't entirely crumble if one company turns evil or goes out of business." Its identities are URL-based.
  • LID?'s goal is to "empower individuals to keep control over and manage their digital identities, using VCards, FOAF and GPG. It is very REST-ful and fully decentralized. It is also a great mechanism to add accountability to REST-based Web services, even if no (human) digital identities are involved." Johannes Ernst?, one of LID's creators, says "it's the simplest scheme there is, so simple that, just like a few other folks have done already, you can probably implement it yourself over the weekend and add five new profiles to it that we didn't even think of." There are several LAMP and J2EE implementations available for download.
  • Sxip? is more ambitious and has several parts. Sxip.net (Sxip Network) is "a simple, secure and open digital identity network that offers a user-centric and decentralized approach to identity management. This key piece of Internet infrastructure, based on a network architecture similar to DNS?, can be used by people to develop their own identity management solutions, enabling distinct and portable Internet identities." Sxip.com (Sxip Identity) "provides identity management solutions that leverage the Sxip Network and drive Identity 2.0 infrastructure. Sxip empowers individuals to create and manage their on-line digital identities and enables enterprises to instantly provision and manage their users." Sxip.org provides developer resources, including a Subversion code repository.
  • Passel? "builds on the success of e-mail-based identity systems by adding a few important but incremental improvements while laying the foundation for more advanced identity systems in the future." It claims to be "more convenient to use, easier to deploy and safer for all concerned, without requiring expensive investments in new infrastructure or adoption of untried, centralized identity systems."
