Friday, July 07, 2006
There is a fascinating discussion going on in the Google IDWorkshop group. There have been some great contributions by Eric Norman and Phil Becker amongst others. Michael Beach's review of the 4 or 5 items we have been seeing as part of the emerging vocabulary is a positive contribution to this discussion. I include those comments below (in italics). "Here are some of my perceptions relative to this thread. I agree with many of the contributions but tried to sort the aspects out into 4 or maybe 5 distinct parts. I have also added a new term to the mix - assurance. Identification - As Phil says the act of identifying a subject, but not the same as identity. I believe identification and authentication are synonymous. The identification/authentication act is the act of establishing the subject with some level of confidence that can range from zero to high. Involved in this identification act can be things like "I remember your face", "I see your driver's license", "You have provided a secret that likely others would not know" (yea, yea we could write books here). To me this is important, but not particularly useful without identity. Assurance - I mention this next because it is directly related to identification. I think it is the degree of confidence that the identification event does in fact establish the subject. "Because I say so" is low assurance. Facial recognition (not the computer kind, but the "I know you, I see you every day" kind) is reasonably high assurance. There are any number of assurance variations that might increase my confidence that you are who you say you are including passwords, biometrics, tokens, etc. Identity - I struggle to find complexity in this one. I claim it is a collection of attributes about a subject in a context. As a corporate employee I have a set of attributes. In this case these attributes are most likely asserted by the corporation, provided in a way the corporation can, with an acceptable degree of assurance, connect them to my identification. As a human being I may have several other "identities" that represent me (or a collection of people/things) in different contexts. This is an area I am regularly challenged in - many perceive identity is "who I am". For any number of reasons, both legitimate or otherwise, I have avatars. Even within the corporate world I have legitimate business reasons for multiple "personae/avatars". Bottom line, I don't see identity as a complicated thing to understand. Relationship - This is a popular word in these discussions. I understand what relationships are in the social world, but I don't yet have a clear understanding of the instantiation in the digital world. Trust - Ah, now if you want complication here you go. I think there are 2 kinds of trust. There is the one I live with every day in the corporate world and there is the more social-based trust. I agree the more interesting is the social-based trust that gets into reputation and the like. However I think the corporate world is still struggling with the more mundane "legal" trust. While at the recent Identity Mashup in Boston Christine Varney shared a definition of trust that resonated with me (again from a corporate perspective). That is: security, privacy, authenticity and reliability, recourse and liability. I felt this covered the landscape well - I am sure the attorney's will quickly latch on to this in the next couple of years. Trust at a corporate level is a challenge and we are still working through this with the vision of moving to the next plateau of "federation". When considering trust from the social perspective, I think the references to Bob Blakley's talk at Catalyst 2006 hit the mark. This is where reputation come in to the picture. As individuals we are not caught up in the legal aspects, we are interested at a much more primal level. Can we interact, can I trust you, will we have a win-win. In the end I think this is the much harder "trust" to develop and in the Internet age it is really all about reputation." Mike Beach I am in broad agreement but may use slightly different terminology - just to spice things up. In the digital space we risk getting tied up around the concept of identity. I agree that Identity is largely used in the digital world to handle authentication, accountability and traceability. We do not have a single identity. I believe we have multiple personae. Each personae that we craft is a collection of identity attributes. In the corporate world our identity may in large part be defined by the position we hold. Howver, even then we may have multiple personae. We may for example fulfill the role of employee, department head and company representative. In the digital world it is possible to craft multiple digital identities. Some may be more anonymous, or distant, from our real identity than others. For example, avatars constructed for role playing on line games may represent idealized or fantasy self. In other contexts, eBay for example, our digital identity is more a reflection of how we have conducted our affairs over time. So, for my contribution, I suggest using the term Persona to reflect the collection of identity artifacts and historical transactional footprints that we amass. We will always have multiple personae, some more rooted in the physical world. This simply reflects the evolution of our selves. As an example, I may have a persona as a school student. I discard this and go to college then enter the workforce. I pass through multiple companies taking on different roles, jettisoning old roles before retiring. In parallel with this I may also have persona related to my personal and family interests. These personae may share attributtes to a greater or lesser extent. I believe that we will have to become more cognizant of the online identities (or personae) we create. Guarding the linkages between them from others. Do you want your employer to be able to recognize that you belong to an infamous hacker organization or are the chairman for the local branch of identityholics anonymous.
Posted by Mark Scrimshire at 3:08 AM