12 June 2007

Identity, Reputation and Trust

Although I have researched, written and talked to people extensively (but not enough!) about trust and reputation, I have always assumed that within whatever model is being discussed there is some kind of effective, secure and convenient method of identifying an entity in the network. It is only recently that I started to look beneath the surface of the topic of identity, and it has made me realise that we are still far from where we want to be with this.

Like reputation, identity, or the problem of identifying someone, is an area that we are still trying to grasp, and there is a lot of debate around it. The timeline looks something like this:

The network community tried to use existing authentication standards like X.509 for the Internet. This didn't really work for an open network. Then PGP came along, and this made PKI less of a black art and accessible to whoever needed it. This worked to a certain extent, but it is still too geeky and not transparent enough for most people. Meanwhile, the web world embraced and marketed SSL to allay the general security paranoia that had been created, but the general user never really understood what it was all about. In any case, from the user's perspective, whether the current transaction is secure or not boils down to whether the 'padlock' icon in the browser is 'open' or 'closed' - nobody really bothers to look at the certificate (well, I don't). There were other early attempts to break free from the X.509 shackles, such as SPKI/SDSI and PolicyMaker/KeyNote; the focus was still really on key management, but this time with a deeper understanding of trust management.

But there is a new paradigm in identity management, summarised by this passage by Carl Ellison:

Along the way, we have learned that what is important in certificate (and related) security systems is not the computer-readable data structures and protocols alone. Rather, these certificates, licenses, grants, ACL entries, ..., are a cyberspace reflection of relationships in the physical world - and the security of these systems rests most heavily on the security of the process by which the physical world relationships are bound to their cyberspace reflections. That security far outweighs the more trivial security of private key protection, key length, choice of algorithm, etc., that people have obsessed about for decades.

This brings us to a new wave of electronic ID proposals, such as Sxip (and Identity 2.0), OpenID, and YURL. I'm sure there are lots more out there, but I'm just beginning to scratch the surface myself... I would appreciate any pointers to other new identity management tools out there.

All this is significant with respect to reputation and trust because without identity, it is impossible to reason about them. Furthermore, there is a very intimate relationship between identity and reputation because they are actually two sides of the same coin - you can't talk about one without the other.

I guess the point I'm trying to make is that we can't isolate the topics of identity, reputation and trust from any fora dedicated to these subjects.
