Digital Identity and authentication
2009-08-23 05:18
One motivation for using a digital identity on the web is self-authentication: I would like to show who I am in a way that only I can. An allegedly lightweight solution is OpenID, but its authority seems to be held by big players such as Google, Yahoo!, Microsoft, VeriSign, et al. Such a federation will therefore be ipso facto closed, not open.
Authentication and certification
If we want to show who we are or what our attributes are in real life, we can easily do it in several ways. We can show an ID card to a gatekeeper. We can show our own faces to a person who sells ciggies or liquor. A gatekeeper knows who is to be admitted in and out, and a seller knows who can buy a cigarette under the laws of his or her country. So a gatekeeper reads your ID card and decides whether we are valid “entities” to be let in or out, and a seller looks at our face or hears our voice and decides whether we are over 20 and therefore allowed to buy a cigarette (in Japan).
In the former situation you show your eligibility by “certification”, and in the latter by “authentication”. The difference is the existence of a certification authority (CA) that proves you are the person you are presented as. Taking a web server as an example, we call it “trusted” when it presents a certificate issued by a certification authority such as VeriSign, GlobalSign, or others. You can also make a certificate by hand with OpenSSL commands and put it on your server. Such a certificate is called self-certification or, in a derogatory context, “Ore-Ore (I am me) certification” in Japan. A certification is not “trusted” when nobody else proves who you are. Self-certification only shows that you are who you are on your own say-so. So if you are not acknowledged by the person asking who you are, you might not be trusted even if you claim who you are.
The digital identity
Let’s go to the next situation. You visit a blog called “MarkupDancing” and try to find out who is writing some stupid lines there. This name, “philsci”, can be found on other blogs, microblogs, social network services, and elsewhere. Yes, I (supposing I am really “philsci”) have registered in many places, but I cannot prove who “philsci” is on del.icio.us (now also delicious.com). On MarkupDancing I can say “I will add a bookmark to the Colbert Report Official Site in delicious.com”, but I cannot show evidence of who will actually do it.
Therefore, in usual cases, I can only show who I am, by myself, on my own website. Yes, that is here in this context. A trans-service or trans-website identity is hard to prove with our current skills and habits. A person who shouts on Twitter under the account name “philsci” could be my brother or sister, if he or she existed. Do you know whether I have a sibling, and how to prove that nobody is my sibling? And how to prove that “philsci” on Twitter is the same person as “philsci” on MarkupDancing?
OpenID shows that you are the one who shows your ID
Recently IT media have focused on OpenID, an authentication protocol using (in most cases) URLs. You can set up your own URI on your own server so that it is accessible as a URL such as http://markupdancing.net/philsci. In most cases you put an index.html file at DocumentRoot/philsci/index.html and insert some lines that delegate it to an OpenID provider website, such as VeriSign, ClaimID, MyOpenID, or mixi.jp. This way you can use your own URL to register with a web service that supports OpenID registration, and you show your OpenID in each service to prove who holds this OpenID and that it is the same as the OpenID shown in another service. If the URL http://markupdancing.net/philsci shown on web service A is also shown on another web service, the holder of the URL on one service is the same as the holder of the URL on the other, and this identity is hopefully trusted.
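The delegation lines mentioned above, as an added example that is not part of the original post: Python code that reads the OpenID 1.1 and 2.0 `<link>` elements from the identity page and reports which party actually vouches for the URL. The sample page, the provider host `op.example` and the names `LinkCollector` and `discover_delegation` are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# rel values used for HTML-based discovery in OpenID 1.1 and OpenID 2.0
PROVIDER_RELS = {"openid.server", "openid2.provider"}
LOCAL_ID_RELS = {"openid.delegate", "openid2.local_id"}

# Constructed sample of DocumentRoot/philsci/index.html; op.example is a placeholder
SAMPLE_PAGE = """<html><head><title>philsci</title>
<link rel="openid2.provider openid.server" href="https://op.example/server">
<link rel="openid2.local_id openid.delegate" href="https://philsci.op.example/">
</head><body>philsci</body></html>"""

class LinkCollector(HTMLParser):
    """Collect (rel-set, href) pairs for <link> elements inside <head> only."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            rels = set((attr.get("rel") or "").lower().split())
            if attr.get("href"):
                self.links.append((rels, attr["href"]))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover_delegation(claimed_id, html):
    """Report which party actually authenticates the holder of claimed_id."""
    parser = LinkCollector()
    parser.feed(html)
    provider = next((h for r, h in parser.links if r & PROVIDER_RELS), None)
    local_id = next((h for r, h in parser.links if r & LOCAL_ID_RELS), None)
    host = lambda url: urlsplit(url).hostname
    return {
        "claimed_id": claimed_id,
        "provider": provider,                # endpoint that authenticates the user
        "local_id": local_id or claimed_id,  # identity as known to the provider
        "delegated": provider is not None and host(provider) != host(claimed_id),
    }
```

For the sample page, `discover_delegation("http://markupdancing.net/philsci", SAMPLE_PAGE)` reports `delegated` as true: the URL is mine, but the party that proves I hold it is the provider. Links outside `<head>` are ignored, so markup placed in the page body cannot redirect the delegation.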
But I have doubts about such a thing, which rests on so naive a reputation and the so-called “user centric” buzzword. Is there another way?
[written on 19th November, 2008]
