4 May 2008

Identity and control

Posted by Dan under: social web.

There is a big movement on the web about people’s identity at the moment.  It’s not just about security, it’s about how you sign in to the accounts with the sites and services you use and how you can control the information about yourself.

So we have the DataPortability Group, which encompasses many technologies such as OpenID, OAuth and many others, as well as project Diso.  The community is attempting to derive a means of embodying control and identity for users on the web: who you relate to (XFN/FOAF), what you like (APML) and what feeds you read (OPML), mixing in useful technologies to form a meaningful whole.

Aside from the difficulty of technological implementation, not only of a working solution but of a solution that can be easily adopted by developers world-wide, I think we have some basic issues on a more conceptual level before people are really going to use this.

Say you have a single point of identity - your login is through a URL such as http://yourname.provider.com.  This suggests to me that your identity could be prone to the same issues as the average website, but with more profound effects.  If your identity provider goes down, you can’t log in to any of your sites or services (unless a fall-back is considered), the providers would increasingly become the target of criminals, and you would need assurance in whoever your identity host is.

AOL and Orange (France Telecom), for instance, have enabled their user accounts as OpenIDs, which is a significant move in terms of availability (though it is still an open question whether there are opportunities to use these on many high-profile consumer websites, and whether their customers understand what this means to them).  With a name like this you may feel a sense of security, but it’s possible for any developer or host to become an OpenID provider.  Would a bank be a more likely source for your identity, or is putting all of your important personal information in one place asking for trouble?

Imagine all of your accounts on the web used your URL as your login, services polled your APML for interests, your feed reader polled your OPML reading lists, etc.  This much reliance surely needs a different and more secure kind of host?

Any thoughts?

3 Comments so far...

How far do we want to put our identities online? | Here in the Hive Says:

4 May 2008 at 9:25 pm.

[…] is kind of a follow on to my previous post about identity on the web and data portability.  One thing I have been thinking about for a while […]

Dave Stevens Says:

5 May 2008 at 8:58 am.

I’m pretty much torn between the different options. I hate having to remember a bunch of different logins, especially as I can never seem to remember which password is which at the critical moment. I also really like integration, so while I like to use multiple services (twitter, pownce, etc) I then link them all together in one place for consuming them.

However, the concern I have always revolves around the same few points:

1. If I have one single place where access is controlled to all services I use, how can I be sure that this particular service will always be available?

2. If everything’s in one place, one security compromise = a whole host of problems.

3. Can I *really* trust anyone with that much access? I’m sure the people behind oAuth/openID/etc are noble and well intentioned, but it would only take one renegade employee/volunteer to make things difficult for me, if I were to put all my eggs in their basket.

I guess the summary of my position right now would be: like the idea, not convinced we have a suitably robust implementation to make it a possibility just yet.

dan Says:

5 May 2008 at 10:45 pm.

Thanks for the comment, Dave.

It seems like the majority of the community interested in this stuff is wondering how we can do this in technical terms so I think opening the debate into a more practical space is in order.

Having a service to make signing into websites easier is great, but that could so easily be a small step into something akin to a passport (not like Microsoft’s Passport!). Something that does actually profile you in a meaningful way should be treated with almost the same security and uptime as a bank, BUT as many sites could be polling for data, the bandwidth demands could make identity hosts a different prospect.

It’s all food for thought ;)
