I have recently been following a discussion among Phil Becker, Eric Norman, and Luke Razzell. The discussion was primarily around identification vs. identity with a little trust thrown in. I just contributed my $.02 to the pot and post it here for posterity.
Identification – As Phil says the act of identifying a subject, but not the same as identity. I believe identification and authentication are synonymous. The identification/authentication act is the act of establishing the subject with some level of confidence that can range from zero to high. Involved in this identification act can be things like “I remember your face”, “I see your driver’s license”, “You have provided a secret that likely others would not know” (yea, yea we could write books here). To me this is important, but not particularly useful without identity.
Assurance – I mention this next because it is directly related to identification. I think it is the degree of confidence that the identification event does in fact establish the subject. “Because I say so” is low assurance. Facial recognition (not the computer kind, but the “I know you, I see you every day” kind) is reasonably high assurance. There are any number of assurance variations that might increase my confidence that you are who you say you are including passwords, biometrics, tokens, etc.
Identity – I struggle to find complexity in this one. I claim it is a collection of attributes about a subject in a context. As a corporate employee I have a set of attributes. In this case these attributes are most likely asserted by the corporation, provided in a way the corporation can, with an acceptable degree of assurance, connect them to my identification. As a human being I may have several other “identities” that represent me (or a collection of people/things) in different contexts. This is an area I am regularly challenged in – many perceive identity is “who I am”. For any number of reasons, both legitimate or otherwise, I have avatars. Even within the corporate world I have legitimate business reasons for multiple “personae/avatars”. Bottom line, I don’t see identity as a complicated thing to understand.
Relationship – This is a popular word in these discussions. I understand what relationships are in the social world, but I don’t yet have a clear understanding of the instantiation in the digital world.
Trust – Ah, now if you want complication here you go. I think there are 2 kinds of trust. There is the one I live with every day in the corporate world and there is the more social-based trust. I agree the more interesting is the social-based trust that gets into reputation and the like. However I think the corporate world is still struggling with the more mundane “legal” trust. While at the recent Identity Mashup in Boston Christine Varney shared a definition of trust that resonated with me (again from a corporate perspective). That is: security, privacy, authenticity and reliability, recourse and liability. I felt this covered the landscape well – I am sure the attorney’s will quickly latch on to this in the next couple of years. Trust at a corporate level is a challenge and we are still working through this with the vision of moving to the next plateau of “federation”.
When considering trust from the social perspective, I think the references to Bob Blakley’s talk at Catalyst 2006 hit the mark. This is where reputation come in to the picture. As individuals we are not caught up in the legal aspects, we are interested at a much more primal level. Can we interact, can I trust you, will we have a win-win. In the end I think this is the much harder “trust” to develop and in the Internet age it is really all about reputation.
Mike
September 18, 2006 at 9:04 pm
Mike,
i think i struggle with the point you make in regards to multiple identities or “personae/avatars”.
if i think about identity i always come back to this being who you are (yes as probably confirmed by somebody else). i really see that people may have what appears to be multiple identities, different id and attribute characteristics. but aren’t these kind of like aliases of their actual “identity”?
can a single person really have only one identity?
i don’t know, just kind of thinking
September 19, 2006 at 2:49 am
First a small bit of clarification. I am talking about digital identity, not the soul, flesh and blood kind of identity. Computers have no concept of you as DNA and digital identity discussions are about decision making.
In the digital world I believe that “identity” is just a collection of attributes about a subject in a context used for making decisions. In many cases it is not even the subject that is of interest, it is the attributes we use to make decisions.
So, when I represent my company as an employee I might have an entirely different set of attributes than I would have on MySpace (potentially including a different name). In the digital world there may well be absolutely no connection between these 2 “identities”. I might want to connect these identities but that requires we go down the path of discussing what federation and user-centric identity are all about.
Bottom line, in the physical world you are who you are but in the digital world you are not so constrained. You can be who you aren’t. Reasons for that are sometimes legitimate (don’t log on as the system administrator when you are not administering), innocuous (I am playing games or another infinite number of reasons), or varying degrees of fraud or deception.
Thanks for the comment, thinking is good.
Mike
September 19, 2006 at 3:56 pm
makes sense, i guess there is a few ways to think about this. For some your digital identity (alias/avatar) or whatever, may be all thats required. In some spaces a digital identity must be representative or your physical identity. For example electronic voting. There also may need to be an auditable relationship between physical identity and the digital id of choice.
I guess I was just thinking about this from a bottom up (top down) approach.
Physical identity- branches off to various digital identities(alias).
September 20, 2006 at 1:25 am
Basically I agree with your thinking. Personally I find it helpful to split identity considerations into two buckets – the corporate bucket and the personal bucket.
The corporate bucket is all about company or other 3rd party asserted identity (a collection of attributes about a subject in a context) used for making access or transaction decisions. Your point about auditability to the physical being is certainly applicable here. Multiple personae does apply here, but I am hard pressed to envision a case that lacks the requirement for auditability back to the physical being.
The personal/social bucket is a bit more nebulous for me. If I want to conduct monetary transactions with my identity (eBay, iTunes, etc.) with my personal identity then it requires 3rd party attestations (this presumes giving iTunes my credit card number involves a 3rd party attestation). If I want to simple do social interaction I may be able to do so with nothing more than simple self-assertions (the truth of which is unverified). A notch up from that might be an identity that includes a verifiable e-mail address. Beyond that we get into the interesting realm of reputation systems. A really cool thing, but I still claim not useful for conducting monetary transactions. This might not be so debatable except that I claim “eBusiness” without monetary exchange is just “eSocialization”. I grant socialization is important but I don’t consider it business.
Mike