- 1 Definition
- 2 Issues
- 3 Technology
- 4 Links
“Digital identity refers to the aspect of digital technology that is concerned with the mediation of people's experience of their own identity and the identity of other people and things.” (Wikipedia, retrieved 12 April 2007). Key issues of digital identity are:
- Identity attributes: How can we define "identity" through identity attributes of entity ? E.g. a human may identified through iris scanning, by showing a passport, by user names and passwords, etc.
- Authentication is a related question: How can an entity prove is identity to another identity ? E.g. a computer user will prove its identity to the computer by providing a login name and a matching password.
- Views: What kinds of views does an entity grant to its observer ? E.g. a Facebook user may allow or not allow categories of other users to see its profile.
- Single sign-on
- OpenID, the most popular single sign-on solution for Internet services (and that may include other services, like identity management).
- i-name, unique identifiers for persons and other entities.
- online identity, an entry that deals with social identities that users establish in online communities or as a person "being" present on the Internet.
- Technical definition
- “The electronic representation of a real-world entity. The term is usually taken to mean the online equivalent of an individual human being, which participates in electronic transactions on behalf of the person in question. However a broader definition also assigns digital identities to organizations, companies and even individual electronic devices. Various complex questions of privacy, ownership and security surround the issue of digital identity.” (Loosely coupled, retrieved 12:36, 12 April 2007 (MEST)).
Digital identity is related to many issues. Below are a few:
2.1 Digital identifiers and authentication
Providing digital identifiers to users and things in a local context is fairly easy. Since there is a single user/password database each user can be given a different user name.
On the global Internet and even on smaller wide area networks (like the Swiss university system) digital identifiers are more difficult to agree upon. E.g. the “OpenID Authentication provides a way to prove that an end user controls an Identifier. It does this without the Relying Party needing access to end user credentials such as a password or to other sensitive information such as an email address.” (OpenID 2.0, retrieved 19:14, 22 February 2010 (UTC)). The OpenID identifier is a unique URL chosen by the user.
Authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in. This process engages identifiers and several players. In OpenID (and in simplified terms): The end user presents an identifier to the relying party (the web service he wants to access). The Relying party then discovers an OpenID Provider Endpoint URL from the identifier URL and both the Relying party and the OpenID Provider(OP) create a crypted channel for message exchange. Next, the end user is re-directed to the OP for verification of the authentication request. The OP then tells the relying party if the authentication is approved are rejected.
2.2 Identity as "being there" and "being perceived"
When humans engage in online activities they are at least partly "there". This is particularly true in virtual environments, social networks and various groupware. Role play may differ a lot. Identity is also about how a person is perceived by a community. See online identity for a short definition of what a on-line social identity can be.
Massive use of ICT in business and private life has led to personally identifiable information, i.e. information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual (Wikipedia). In addition, the use of social software and in particular social networking applications like Facebook allows to draw quite extensive digital profiles of many people. This situation requires - at least in principle - that person adopt some kind of Personal Information Management (PIM; Jones, 2008) strategy.
2.3 Data portability and exchange
How can we reuse data across applications, e.g. social networks, data, texts ? According to the DataPortability Project, “Data portability is the ability for people to reuse their data across interoperable applications. The DataPortability Project works to advance this vision by identifying, contextualizing and promoting efforts in the space.”. More precisely for the user, this project makes the following promise: “With data portability, you can bring your identity, friends, conversations, files and histories with you, without having to manually add them to each new service. Each of the services you use can draw on this information relevant to the context. As your experiences accumulate and you add or change data, this information will update on other sites and services if you permit it, without having to revisit others to re-enter it.”
2.4 Identity cards and i-names
Previous issues can be somewhat related to question on how one should manage multiple identities.
So-called information cards contain a certain number of assertions about yourself and can then be handed over to various services. A user when connecting to a web site (the relying party), can select an identity by selecting an information card. This card is then authenticated by a trusted identity provider.
I-names are one form of an XRI (see below) and represent a unique name for a person or an organization. I-names are related to unique I-numbers (i.e. the equivalent of IP addresses for humans).
The advantage of i-name is that a user can control what kind of information what kind of service or agent can access. e.g. one may give or not give permission to translate an i-name into an email-address. Finally, since an I-name is unique, one never has to change it.
I-*** services are provided by so-called i-brokers. Wikipedia defines an i-broker “is a "banker for data" or "ISP for identity services" — a trusted third party that helps individuals and organizations share private data the same way banks help exchange funds and ISPs help exchange e-mail and files. The term was introduced in the Social Web paper describing how a new layer of Internet infrastructure is possible based on the OASIS XRI and XDI specifications. However the concept of an i-broker is not specific to any one technology or protocol, but rather a business and social function, similar to that of a bank or an ISP. [...] I-Brokers are sometimes referred to as a homesite, or PIP (Personal Identity Provider), or IdP (Identity Provider)”, retrieved 22:22, 23 February 2010 (UTC).
An i-name can be registered for a span between 1 and 12 years (like domain names) and cost about $12/year. Associated i-numbers never can be reassigned.
3.1 Light-weight protocols and systems for identification on the Web
The essential question is how you can tell "Who am I" to a given website.
OpenID is an open, decentralized, free framework for user-centric digital identity. The first piece of the OpenID framework is authentication -- how you prove ownership of a URI. Your username is your URI, and your password (or other credentials) stays safely stored on a OpenID Provider (which can be your own). The advantage of OpenID is that it can prove that an end user controls an identifier without the relying party needing to access end user information such as an email address or a password.
OpenID currently (2010) seems to be the most popular system.
- See also the OpenID entry.
There are two lesser known systems:
- MicroID - Small Decentralized Verifiable Identity.MicroID is a lightweight identity layer for the web, invented by Jeremie Miller (creator of Jabber). MicroID enables anyone to claim verifiable ownership over content hosted anywhere on the web (social networking sites, discussion forums, blogs, etc.).
- Light-Weight Identity (LID). a set of protocols and software implementations created by Johannes Ernst of NetMesh Inc. for representing and using digital identities on the Internet in a light-weight manner, without relying on any central authority. Related somehow to OpenID since the latter adopted the idea of using URL-based identities. (not clear how popular this is)
Since there is no universal Internet authentication mechanism (although OpenID is currently a strong contender), one can image "meta-services". Yadis Yadis was an open initiative to build an interoperable lightweight discovery protocol for decentralized, user-centric digital identity and related purposes. Yadis aims to allow the capabilities of identities to be composed from an open-ended set of services, defined and/or implemented by many different parties. It supports services like OpenID, OAuth and XDI. The Yadis project then led to XRDS.
Since OpenID basically manages logins and profiles, but not identities per se, new global approaches to digital identity management have been developed, in particular XRI: This standard defines a fairly abstract concept for defining various identity schemes like i-cards, i-names, i-numbers and OpenID. XRI stands for EXtensible Resource Identifier and has been developed by OASIS as “a standard for a high-level naming/identification system for individuals, businesses, communities, services and data on the Internet. XRI, along with XDI, a general-purpose data interchange protocol based on XRI, were developed to create the "Dataweb," which enables the Web to operate like a global database.” (ZDNet, retrieved 22:22, 23 February 2010 (UTC)).
- The XRI Identifiers (I-Names and I-numbers) are administered by XDI.org. I.e. XDI.org accredits I-Brokers. You can find these on the i-broker page page of inames.net
Initiatives related to XRI:
- Higgins “is an open source framework that enables users and other systems to integrate identity, profile, and relationship information across multiple heterogeneous systems. Higgins unifies all identity interactions (regardless of protocol/format) under a common user interface metaphor called i-cards.” (Wikipedia, retrieved 19:14, 22 February 2010 (UTC)). i-cards and the (same) information cards, passwords and OpenIDs are part of the Higgins data model.
- XRDS (eXtensible Resource Descriptor Sequence) “is an XML format for discovery of metadata about a resource – in particular discovery of services associated with the resource, a process known as service discovery. For example, a website offering OpenID login can resolve a user's OpenID identifier to an XRDS document to discover the location of the user's OpenID service provider.” (retrieved 19:14, 22 February 2010 (UTC)). XRDS is also used with OAuth, i-names and i-numbers, Higgins i-cards, etc.
3.2 Light-weight data and resource sharing
OAuth is a “an open protocol that allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their username and password. OAuth allows users to hand out tokens instead of usernames and passwords to their data hosted by a given service provider. Each token grants access to a specific site (e.g. a video editing site) for specific resources (e.g. just videos from a specific album) and for a defined duration (e.g. the next 2 hours).” (Wikipedia, retrieved 19:14, 22 February 2010 (UTC)).
OAuth can be considered a complementary service to OpenID. In simple terms OAuth is like hotel card key, e.g. you register a the desk and then get a key with which you can open a certain number of facilities for a certain amount of time. In other words, you can give a key to a web service and that allows it to look at some of your stuff. The key is made by a trusted web service. Example: Allow Facebook to look at stuff that sits in LinkedIn.
XDI “(XRI Data Interchange) is a generalized, extensible service for sharing, linking, and synchronizing data over the Internet and other data networks using machine-readable structured documents that use an RDF vocabulary based on XRI structured identifiers (XDI”, retrieved 19:14, 22 February 2010 (UTC)). It can been see as a "web" for machines (as opposed to the "HTML"-based web for humans).
3.3 More heavy systems for user authentication
- Shibboleth. An architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on SAML.
- E.g. adopted by the Swiss University Network
- LDAP. The most popular organizational solution (Microsoft, Linux, Solaris, Novell, all support this in one or another way. Sometimes LDAP is the default way to manage users, sometimes it's an option ...). Often, institutions adopt an LDAP server to authenticate users for various Internet applications (e.g. an LMS), to manage access to central systems and to manage the email and phone directory. So it's a kind of all-in-one solution.
- The liberty alliance Its vision “is to enable a networked world based on open standards where consumers, citizens, businesses and governments can more easily conduct online transactions while protecting the privacy and security of identity information.” (retrieved 19:14, 22 February 2010 (UTC)).
- Open Web Foundation is “an attempt to create a home for community-driven specifications.”
- DataPortability.org has a mission “To help people to use and protect the data they create on networked services, and to advocate for compliance with the values of DataPortability”.
- OASIS is a major player for XML-related standards. With respect to digital identity: SAML, XDI, XRI etc. See also the XRI committee, Web Services Security (WSS) Technical Committee, eXtensible Access Control Markup Language (XACML) Technical Committee, etc.
- [XDI.org] (manages i-xxx spaces).
- There are also publicly funded research projects, e.g. Primelife (a EU 2008-2011 project)
- Public-key cryptography (Wikipedia)
- Wikipedia Digital Identity
- OpenID (Wikipedia)
- i-name (Wikipedia)
- I-number (Wikipedia)
- I-broker (Wikipedia)
- XRI (Wikipedia)
- XRDS (Wikipedia)
- XDI (Wikipedia)
- Higgins Open Source Identity Framework