[OpenID] What does "identity" MEAN?

Dick Hardt dick.hardt at gmail.com
Wed Sep 17 19:35:04 UTC 2008 

This topic was discussed to death on the identity gang mail list a  
couple years ago.
	http://wiki.idcommons.net/Identity_Gang

I think that is likely a better place for discussion on what Identity  
is.

I find it is much more useful to discuss scenarios -- and to refine  
those so that implementation is not implied -- that way we can have a  
discussion about the possible implementations.

-- Dick

On 17-Sep-08, at 2:53 AM, Jack Cleaver wrote:

> SitG Admin wrote:
>
>> I'm trying to imagine a world without identity, and what my mind
>> would do trying to wrap itself around the concept of someone trying
>> to sell me the idea of identity. I don't mean lacking the ability to
>> distinguish ourselves from other entities as separate individuals, I
>> mean the idea of knowing who other people *are*. To relate this to
>> OpenID, let's step back a moment from the idea of accounts *at all* -
>> think of the internet as just one giant bulletin board, where anyone
>> can leave notes anywhere.
>
> You've articulated the question well; but then you've dropped it, and
> fallen back to discussing the identity of blog-posters again.
>
> Identity in a world of physical people you have met, people can talk  
> to
> in person, is a kind of baseline. Knowing "who someone is" in such a
> context means knowing what they look like, how they talk, what they
> believe, where they live, and what they do for a living. In theory,  
> one
> might be acquainted with a person in that kind of way, and still be
> deceived about their identity; for example, they might be a secret  
> mole,
> operating under deep cover for a foreign power. But personal
> acquaintance still seems to be the best kind of identity you could  
> ask for.
>
> A second kind of "identity" has developed, whereby one is known by  
> one's
> token. Originally this was one's mark or signature; appended to a
> handwritten letter (or to some other sample of one's handwriting) it  
> was
> a fair indication that the signed content was one's own work, or at
> least that one assented to its meaning. This was extended to the
> expression of assent by means of signatures on cheques and  
> contracts, so
> that the identifier consisted *only* of the autograph; and at this
> juncture the strength of the identifier is seen to have become pretty
> questionable (signatures are quite easy to forge, particularly if  
> one is
> handling them in bulk, as banks do).
>
> So now those who would use our identity to compel our compliance with
> our obligations are seeking stronger tokens. My autograph alone is no
> longer any good for opening a bank account; I must also produce a
> passport or a driving licence, some recent payslips, and some number  
> of
> utility bills. To obtain the passport or driving licence, I must now
> subject myself to a retinal scan. The bank hopes by this means to have
> at least some of the knowledge of me that someone who knew me  
> personally
> used to have - where I live and work, principally.
>
> What does this accumulation of evidence achieve? I think it achieves a
> kind of consistency; the result is a collection of identity tokens  
> that
> purport with various degrees of credibility to be attached to a
> single individual. Essentially, the bank knows (or hopes they know)
> where to find me. They don't know how trustworthy I am, and certainly
> they can't distinguish me from someone completely different, who  
> happens
> to have obtained control over my tokens. If I present myself in person
> at my bank without my various tokens, I am not recognised. So in fact
> they *don't* know the individual, even though they might (think they)
> want to; they only really have enough information to mitigate the  
> risks
> of lending me money.
>
> For "bank" you might want to substitute "state". A century ago, the
> majority of people had precious little interaction with the agencies  
> of
> the state; the state, in turn, had little knowledge of its citizens  
> and
> visitors. Borders were much more porous, and few people had bank
> accounts. Beyond the realm of personal acquaintance, identity didn't
> mean very much. The UK government wishes to issue us all with tokens
> that incorporate retinal scans, medical records, autographs,
> photographs, and PINs, and doubtless they hope that we will present
> these tokens every time we do anything interesting, so that they can
> "know" us in some sense. At the same time, marketers hope to know us  
> by
> building a profile of our economic activities; loyalty cards, RFID
> chips, cookies and the like are deployed on a massive scale in order  
> to
> develop an identity to which we have not consented at all.
>
> So here we are in the internet age; a good part of our interactions  
> with
> others are now conducted remotely, with people who have never met us,
> and who will never be acquainted with us through physical meeting.  
> That
> strong concept of identity, the concept based on personal  
> acquaintance,
> has gone, to all intents and purposes. Instead, we must settle for an
> identity that is built around utility. If I make a contract with
> someone, what do I need to know about them? Ultimately I might want to
> know how to find their physical person, so that I can drag them into
> court; more usefully, I might want to obtain references (e.g. an eBay
> feedback score). What if I was considering employing someone on  
> (say) an
> open-source project? I might want to search the net for evidence of
> their participation in other projects; their eBay feedback would
> probably not interest me. And suppose I was evaluating some remarks  
> on a
> blog, where the author was prognosticating about (e.g.) politics? I
> think I might not be interested in their reputation either as a  
> coder or
> as a trader; instead I might want to know whether they had a record of
> disseminating propaganda and bullshit. Another scenario: I am  
> engaged in
> a (legitimate) plot to overthrow the elected government - perhaps by
> revealing certain secrets about prominent figures. My fellow plotters
> would be known to me by personal acquaintance. I would probably want  
> to
> know that my correspondence was secret, and that my correspondents  
> were
> indeed the acquaintances I believed them to be. A PGP key exchanged in
> person might serve my purposes; their goverment-issued ID card would
> probably not be useful to me.
>
> In each of these scenarios, I think the type of token I would require,
> so that I was confident that I knew who I was dealing with, would be
> different. In only one of these cases would I require confidence that
> was equivalent to that of personal acquaintance.
>
> My point is that in this new world, identity is instrumental; it is  
> what
> you want to use it for that determines what kind of identity you  
> need to
> obtain. It is certainly not the case that a single identity should  
> serve
> all these purposes; on the contrary, it is clear that the form of
> identity that satisfies my government is *not* the identity that my
> fellow conspirators require, and the form required by my bankers is
> different from the form required by a marketer.
>
> In short, we manifestly possess multiple identities nowadays, and they
> are largely if not wholly disjoint (that is: it doesn't usually matter
> whether my various identities belong to one person or several).
>
> Hey, I'm sorry; this long tract bears only a loose relationship with  
> the
> topic of OpenID. I've written it because a lot of comment here seems  
> to
> be predicated on the notion that my identity is unique; it isn't, it
> doesn't need to be, and it isn't possible to make it so.
>
> -- 
> Jack.
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

More information about the general mailing list