On October 4th, I'm presenting at the upcoming Open Source Days 2008 conference in Copenhagen.

The presentation titled "Identity 2.0 - OpenID & User Centric Identity" explains the evolution of digital identity on the Internet, why current systems (or lack thereof) simply don't cut it anymore, and why OpenID may be a good alternative for the next step in the evolution of Internet identity.

Part of my message is that OpenID is the best contender for the next evolutionary step in digital identity, offering the best compromise between usability, security, features, and ease of implementation.

The OpenID protocol may not provide perfect security, but I believe that misses the point. Much of the debate has focussed on perfect security with very little debate around the level that is actually needed now and until the next evolutionary step comes around. Two examples: IdP knowledge and RP collusion.

In many new identity protocols such as Microsoft Live (formerly known as Passport), Google Account, Facebook Connect, AOL, Typekey, and indeed OpenID, your identity provider (IdP) will know every time you use your digital identity. This is an insecurity from a privacy perspective.

Not only will your IdP know your digital footprint - who cares? Google knows everything anyway - but two or more relying parties (RP) may "compare notes" (collude) to learn your digital footprint. This, also, is an insecurity from a privacy perspective. But, who cares? Except maybe Google who will no longer hold the monopoly on knowing everything.

Although the above examples are insecurities, they are generally accepted facts that few (at least in 2008) would consider "fixing" in a new protocol. They are compromises from perfect security. They are the compromises needed to evolve digital identity.

Open Source Days is the largest conference in Scandinavia focussing on technical and commercial aspects of open source software.




Published

27 August 2008
