12 June 2007

Identity, Reputation and Trust

Although I have researched, written and talked to people extensively (but not enough!) about trust and reputation, I have always assumed that within whatever model is being discussed, there is some kind of effective, secure and convenient method of identifying an entity in the network. It is only recently that I started to look beneath the surface of the topic of identity, and it has made me realise that we are still far from where we want to be with this.

Like reputation, identity, or the problem of identifying someone, is an area that we are still trying to grasp, and there is a lot of debate around it. The timeline looks something like this:

The network community tried to use existing authentication protocols like X.509 for the Internet. This didn't really work for an open network. Then PGP came along, and this made PKI less of a black art and accessible to whoever needed it. This worked to a certain extent, but is still too geeky and not transparent enough for most people. Meanwhile, the web world embraced and marketed SSL to allay the general security paranoia that had been created, but the general user never really understood what this is all about. In any case, from the user's perspective, whether the current transaction is secure or not boils down to whether the 'padlock' icon on the browser is 'open' or 'closed' - nobody really bothers to look at the certificate (well, I don't). There were other early attempts to break free from the X.509 shackles, with the likes of SPKI/SDSI and PolicyMaker/KeyNote, but the focus was still really around key management, albeit this time with a deeper understanding of trust management.

But there is a new paradigm in identity management, summarised by this passage by Carl Ellison:

Along the way, we have learned that what is important in certificate (and related) security systems is not the computer-readable data structures and protocols alone. Rather, these certificates, licenses, grants, ACL entries, ..., are a cyberspace reflection of relationships in the physical world - and the security of these systems rests most heavily on the security of the process by which the physical world relationships are bound to their cyberspace reflections. That security far outweighs the more trivial security of private key protection, key length, choice of algorithm, etc., that people have obsessed about for decades.

This brings us to a new wave of electronic ID proposals, such as Sxip (and Identity 2.0), OpenID, and YURL. I'm sure there are lots more out there, but I'm just beginning to scratch the surface myself... I would appreciate any pointers to other new identity management tools out there.

All this is significant with respect to reputation and trust because without identity, it is impossible to reason about them. Furthermore, there is a very intimate relationship between identity and reputation because they are actually two sides of the same coin - you can't talk about one without the other.

I guess the point I'm trying to make is that we can't isolate the topics of identity, reputation and trust from any fora dedicated to these subjects.

8 June 2007

OSCON 2005 Keynote - Identity 2.0

This is old, but the topic is probably as current as ever. It is a video of Dick Hardt's (founder of Sxip) presentation at OSCON 2005. There are two things that are great about this presentation: 1) the idea of Identity 2.0, and 2) Dick's presentation style, which is extremely effective.

Go see it.

3 June 2007

Thesis: A framework for decentralised trust reasoning

A copy of my thesis titled "A framework for decentralised trust reasoning" is now available at scribd.com:
Also embedded here for your convenience :)

A new life

A lot of work and thought has been going on in the background while this blog has been stagnant for a very long while. So, it is time to dust it off and revive it.

The upcoming posts will include the same subject matter of trust and reputation, but this time I will also be including posts on related technologies and real world stuff (enough talk... more action this time ;)

I look forward to your comments and discussions.

European e-ID conference

I'll be attending the European e-Identity Conference on 11 June, and also giving a short talk on the kinds of questions to ask when assessing threats to a reputation system. I've talked and written about identities before, but this is the first time I'm attending a forum on the subject, so it should be interesting.

If you're going to be there, give us a shout for a chat.

[Update]
Unfortunately, due to unforeseen circumstances, I am not able to attend this event, but I'll be more than happy to forward you the material I have prepared for this talk - drop me a mail.