Marc Canter posted on the progress of his PeopleAggregator. He mentions that PeopleAggregator will support a wide range of "identity" systems including: Sxip, OpenID, XDI I-Names, YADIS, Microsoft Infocard, Yahoo, AOL, and Google. Basically, if a system exists and has anything to do with identity, Marc's folk appear to intend to support it.
This is a rather drastic but very rational departure from the customary practice of only supporting a single identity system per site. In essence, what Marc is telling us is that PeopleAggregator won't care *how* you identify yourself -- as long as you can present a numerically unique identity that will serve as your proxy in future interactions. In fact, we're being told that PeopleAggregator doesn't even care *who* you are. Since they will accept numerical identities managed by different systems, it is entirely possible that you could have multiple PeopleAggregator "accounts" -- each with an identity managed by a different service. It is ironic that even though the subject of PeopleAggregator is people, it isn't "person-ness" that will distinguish one user from another. Rather, what is identified is the ability to demonstrate control over, or use of, an identity token on some supported identity system. This is as it should be.
Too often, "identity systems" attempt to identify people. Yet, machines have no means to detect person-ness. The best one can do with a machine is establish a relationship between an assumed person and some resource that a person may control (an identity on a trusted system) or a reasonably well-guarded secret (like a username/password pair). Identity systems which are focused on identifying people are, for the most part, simply doomed to failure.
The inability of folk to distinguish between what a machine can and cannot do has been, in my opinion, one of the primary reasons why we have seen such slow adoption of public-key-based identity systems in the past. We have a whole generation of software users who have come to believe that things like PKI certificates must somehow be associated with people. The result has been the creation of businesses that sell certificates that supposedly identify people. The cost of these certificates is justified by the often useless efforts of the certificate sellers to verify birth certificates, driver's licenses, etc. in an attempt to identify those who purchase the certificates. What has been lost in this effort to correlate certificates to people is the simple fact that a certificate alone is sufficient to identify a "person" as simply that person who has control of the certificate's use. If we focus on keys rather than on "person-ness" we discover that there is simply no justification for selling certificates. Technically, anyone can create a certificate that is just as unique, just as "secret" and thus just as useful as even the most expensive certificates.
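The key-centric view above can be made concrete. The following is an added example, not code from this post or from PeopleAggregator: a site enrolls any self-generated key and later recognises the "person" only by a signature over a fresh challenge. It uses raw Ed25519 keys instead of X.509 certificates to stay short, and `Registry`, `Enroll`, `Challenge` and `Login` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Registry is a hypothetical site account store: an account is a key fingerprint.
type Registry struct {
	keys   map[string]ed25519.PublicKey // account id -> enrolled public key
	nonces map[string][]byte            // account id -> outstanding challenge
}

func NewRegistry() *Registry { return &Registry{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Enroll accepts any well-formed self-generated key; no name or document is checked.
func (r *Registry) Enroll(pub ed25519.PublicKey) string {
	if len(pub) != ed25519.PublicKeySize {
		return "" // malformed key: no account is created
	}
	id := fmt.Sprintf("%x", sha256.Sum256(pub))
	r.keys[id] = pub
	return id
}

// Challenge returns a fresh random nonce for a known account to sign.
func (r *Registry) Challenge(id string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil || r.keys[id] == nil {
		return nil
	}
	r.nonces[id] = nonce
	return nonce
}

// Login consumes the nonce before verifying, so a captured signature cannot be replayed.
func (r *Registry) Login(id string, sig []byte) bool {
	nonce, ok := r.nonces[id]
	delete(r.nonces, id)
	return ok && ed25519.Verify(r.keys[id], nonce, sig)
}

func main() {
	reg := NewRegistry()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	id := reg.Enroll(pub)
	fmt.Println(id[:16], reg.Login(id, ed25519.Sign(priv, reg.Challenge(id))))
}
```

The account identifier is derived from the key alone, so two keys generated by the same human yield two unrelated accounts, which is the behaviour the post describes.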
Some might be concerned about certificates that aren't correlated with person-ness. However, the reality is that the vast majority of computer systems have no use for the person-ness quality anyway. For instance, one of the most commonly used "identity mechanisms" is the simple HTTP Cookie. This unique identifier is assigned to your browser when you touch any of millions of web sites. The result is that when you return to the site in the future, it "remembers" who you were and what you were doing when last there. Similarly, when you create a new account for "BigBoy224" on AOL, Yahoo!, etc. the machine cares little if that is really the name given you by your parents -- it only cares that there is only one "BigBoy224" identifier that it manages. Of course, once you've got your cookie or once the BigBoy224 account is created, you might provide the machine with more qualitative information that it can use (your real name, the pattern of your interests, your zip code or phone number); however, your identifier is just the cookie or username. Your person-ness is irrelevant to the proper functioning of the system.
As the new identity systems begin to propagate, my hope is that we'll see a reduction in the number of identity systems we interact with daily. Instead of having every site develop and deploy its own system, we'll hopefully see more people begin to rely on common shared systems. And, hopefully, we'll have competition among these systems so that users can choose the ones that are easiest to use, most respectful of privacy concerns, etc. Let's hope that the PeopleAggregator is only the first of many sites that will be identity-system-agnostic.
bob wyman
I do not share your hopes. I prefer every site being developed separately, cause in the other case the internet will be full of boring and primitive clone sites (maybe with different content). But, for example, Google have one editor of sites (to create sites online) - I hate that thing. Dreadful, without FTP, no opportunity to use my own imagination but just holding to standards!
http://www.flykoo.com
Posted by: flykoo | October 14, 2006 at 07:56