Digital identity

Definition

WARNING: This is really just a stub !!

• “Digital identity refers to the aspect of digital technology that is concerned with the mediation of people's experience of their own identity and the identity of other people and things.” (Wikipedia, retrieved 12 April 2007). Key issues of digital identity are:
• Identity attributes: How can we define "identity" through identity attributes of entity ? E.g. a human may identified through iris scanning, by showing a passport, by user names and passwords, etc.
• Authentication is a related question: How can an entity prove is identity to another identity ? E.g. a computer user will prove its identity to the computer by providing a login name and a matching password.
• Views: What kinds of views does an entity grant to its observer ? E.g. a Facebook user may allow or not allow categories of other users to see its profile.

See also:

• single sign-on
• online identity, an entry that deals with social identities that users establish in online communities or as a person "being" present on the Internet.

Technical definition

• “The electronic representation of a real-world entity. The term is usually taken to mean the online equivalent of an individual human being, which participates in electronic transactions on behalf of the person in question. However a broader definition also assigns digital identities to organizations, companies and even individual electronic devices. Various complex questions of privacy, ownership and security surround the issue of digital identity.” (Loosely coupled, retrieved 12:36, 12 April 2007 (MEST)).

Issues

Digital identity is related to many issues. Below are a few:

Digital identifiers and authentification

Providing digital identifiers to users and things in a local context is fairly easy. Since there is a single user/password database each user can be given a different user name.

On the global Internet and even on smaller wide area networks (like the Swiss university system) digital identifiers are more difficult to agree upon. E.g. the “OpenID Authentication provides a way to prove that an end user controls an Identifier. It does this without the Relying Party needing access to end user credentials such as a password or to other sensitive information such as an email address.” (OpenID 2.0, retrieved 19:14, 22 February 2010 (UTC)). The OpenID identifier is a unique URL chosen by the user.

Authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in. This process engages identifiers and several players. E.g. in the OpenID framework, one can according to the specification, distinguish:

• The identifier of a user: a "http" or "https" URI
• The relying party: A Web application that wants proof that the end user controls an Identifier. (User provides a website with an OpenID URL like http://XYZ@myopenid.com).
• OpenID Provider (OP): An OpenID Authentication server on which a Relying Party relies for an assertion that the end user controls an Identifier. This provider has
  • an OP identifier (e.g. http://myopenid.com)
  • a OP Endpoint URL: accepts OpenID Authentication protocol messages.

In simplified terms: The end user presents an identifier to the relying party. The Relying party then discovers an OP Endpoint URL from the identifier URL and both the relying party and the OP create a cypted channel for message exchange. Next, the end user is re-directed to the OP for verification of the authentication request. The OP then tells the relying party if the authentication is approved are rejected.

Identity as "being there" and "being perceived"

When humans engage in online activities they are at least partly "there". This is particularly true in virtual environments, social networks and various groupware. Role play may differ a lot. Identity is also about how a person is perceived by a community. See online identity for a short definition of what a on-line social identity can be.

Data portability and exchange

How can we reuse data accross applications, e.g. social networks, data, texts ? According to the DataPortability Project, “Data portability is the ability for people to reuse their data across interoperable applications. The DataPortability Project works to advance this vision by identifying, contextualizing and promoting efforts in the space.”. More precisely for the user, this project makes the following promise: “With data portability, you can bring your identity, friends, conversations, files and histories with you, without having to manually add them to each new service. Each of the services you use can draw on this information relevant to the context. As your experiences accumulate and you add or change data, this information will update on other sites and services if you permit it, without having to revisit others to re-enter it.”

Technology

Light-weight protocols and systems for identification on the Web

The essential question is how you can tell "Who am I" to a given website.

OpenID is an open, decentralized, free framework for user-centric digital identity. The first piece of the OpenID framework is authentication -- how you prove ownership of a URI. Your username is your URI, and your password (or other credentials) stays safely stored on a OpenID Provider (which can be your own). The advantage of OpenID is that it can prove that an end user controls an identifier without the relying party needing to access end user information such asn email address or a passord.

OpenID currently (2010) seems to be the most popular system.

• See also the OpenID entry.

There are two lesser known systems:

• MicroID - Small Decentralized Verifiable Identity.MicroID is a lightweight identity layer for the web, invented by Jeremie Miller (creator of Jabber). MicroID enables anyone to claim verifiable ownership over content hosted anywhere on the web (social networking sites, discussion forums, blogs, etc.).

• Light-Weight Identity (LID). a set of protocols and software implementations created by Johannes Ernst of NetMesh Inc. for representing and using digital identities on the Internet in a light-weight manner, without relying on any central authority. Related somehow to OpenID since the latter adopted the idea of using URL-based identities. (not clear how popular this is)

Since there is no universal Internet authentification mechanism (although OpenID is currently a strong contender), one can image "meta-services". Yadis Yadis is an open initiative to build an interoperable lightweight discovery protocol for decentralized, user-centric digital identity and related purposes. Yadis aims to allow the capabilities of identities to be composed from an open-ended set of services, defined and/or implemented by many different parties. It supports services like OpenID, OAuth and XDI. The Yadis project then led to XRDS.

• XRI is a fairly abstract concept for defining various identity schemes like i-cards, i-numbers and OpenID.

• XRDS (eXtensible Resource Descriptor Sequence) “is an XML format for discovery of metadata about a resource – in particular discovery of services associated with the resource, a process known as service discovery. For example, a website offering OpenID login can resolve a user's OpenID identifier to an XRDS document to discover the location of the user's OpenID service provider.” (retrieved 19:14, 22 February 2010 (UTC)).

• Higgins “is an open source framework that enables users and other systems to integrate identity, profile, and relationship information across multiple heterogeneous systems. Higgins unifies all identity interactions (regardless of protocol/format) under a common user interface metaphor called i-cards.” (Wikipedia, retrieved 19:14, 22 February 2010 (UTC)). i-cards and the (same) information cards, passwords and OpenIDs are part of the Higgins data model.

See also: single sign-on

Light-weight data and resource sharing

OAuth is a “an open protocol that allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their username and password. OAuth allows users to hand out tokens instead of usernames and passwords to their data hosted by a given service provider. Each token grants access to a specific site (e.g. a video editing site) for specific resources (e.g. just videos from a specific album) and for a defined duration (e.g. the next 2 hours).” (Wikipedia, retrieved 19:14, 22 February 2010 (UTC)).

OAuth can be considered a complementary service to OpenID.

XDI “(XRI Data Interchange) is a generalized, extensible service for sharing, linking, and synchronizing data over the Internet and other data networks using machine-readable structured documents that use an RDF vocabulary based on XRI structured identifiers (XDI”, retrieved 19:14, 22 February 2010 (UTC)). It can been see as a "web" for machines (as opposed to the "HTML"-based web for humans).

OpenSocial is a common set of APIs to access data in social networking applications. Its main sponsor is Google. According to Wikipedia (retr. Jan 2010), “Based on HTML and JavaScript, as well as the Google Gadgets framework, OpenSocial includes four APIs for social software applications to access data and core functions on participating social networks. Each API addresses a different aspect: one is the general JavaScript API, one for people and friends (people and relationship information), one for activities (publishing and accessing user activity information), and one for persistence (simple key-value pair data for server-free stateful applications).”

More heavy systems for user authentication

• Shibboleth. An architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on SAML.
  • E.g. adopted by the Swiss University Network

• LDAP. The most popular organizational solution (Microsoft, Linux, Solaris, Novell, all support this in one or another way. Sometimes LDAP is the default way to manage users, sometimes it's an option ...). Often, institutions adopt an LDAP server to authenticate users for various internet applications (e.g. an LMS), to manage access to central systems and to manage the email and phone directory. So it's a kind of all-in-one solution.

Links

• Wikipedia Digital Identity

Players

• The libery allience Its vision “is to enable a networked world based on open standards where consumers, citizens, businesses and governments can more easily conduct online transactions while protecting the privacy and security of identity information.” (retrieved 19:14, 22 February 2010 (UTC)).

• Open Web Foundation is “an attempt to create a home for community-driven specifications.”

• DataPortability.org has a mission “To help people to use and protect the data they create on networked services, and to advocate for compliance with the values of DataPortability”.

• OASIS is a major player for XML-related standards. With respect to digital identity: SAML, XDI, XRI etc. See also the XRI committee, Web Services Security (WSS) Technical Committee, eXtensible Access Control Markup Language (XACML) Technical Committee, etc.

• OpenID community

• There are also publicly funded research projects, e.g. Primelife (a EU 2008-2011 project)

Specifications

• OpenID Authentication 2.0 - Final

Some technology links

• Public-key cryptography (Wikipedia)

• OpenID (Wikipedia)

• Light-Weight Identity

• Higgins Open Source Identity Framework