Digital identity: Difference between revisions

The educational technology and digital learning wiki
 
(19 intermediate revisions by the same user not shown)
Line 2: Line 2:
== Definition ==
== Definition ==


WARNING: This is really just a stub !!
{{quotation | Digital identity refers to the aspect of digital technology that is concerned with the mediation of people's experience of their own identity and the identity of other people and things.}}  ([http://en.wikipedia.org/wiki/Digital_identity Wikipedia], retrieved 12 April 2007). Key issues of digital identity are:
 
* {{quotation | Digital identity refers to the aspect of digital technology that is concerned with the mediation of people's experience of their own identity and the identity of other people and things.}}  ([http://en.wikipedia.org/wiki/Digital_identity Wikipedia], retrieved 12 April 2007). Key issues of digital identity are:
* '''Identity attributes''': How can we define "identity" through identity attributes of entity ? E.g. a human may identified through [http://en.wikipedia.org/wiki/Iris_scan iris scanning], by showing a passport, by user names and passwords, etc.
* '''Identity attributes''': How can we define "identity" through identity attributes of entity ? E.g. a human may identified through [http://en.wikipedia.org/wiki/Iris_scan iris scanning], by showing a passport, by user names and passwords, etc.
* '''Authentication''' is a related question: How can an entity prove is identity to another identity ? E.g. a computer user will prove its identity to the computer by providing a login name and a matching password.
* '''Authentication''' is a related question: How can an entity prove is identity to another identity ? E.g. a computer user will prove its identity to the computer by providing a login name and a matching password.
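Review bot: both the old and the new "Identity attributes" and "Authentication" bullets carry the same typos: "a human may identified" (missing "be"), "attributes of entity ?" (missing "an", stray space before "?") and "prove is identity to another identity" ("its identity to another entity"); since this revision already rewrites these lines, fix them here rather than carrying them into the rendered page.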
Line 10: Line 8:


See also:  
See also:  
* [[single sign-on]]
* [[Single sign-on]]
* [[OpenID]], the most popular single sign-on solution for Internet services (and that may include other services, like identity management).
* [[i-name]], unique identifiers for persons and other entities.
* [[online identity]], an entry that deals with social identities that users establish in online communities or as a person "being" present on the Internet.
* [[online identity]], an entry that deals with social identities that users establish in online communities or as a person "being" present on the Internet.
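Review bot: the new bullet "[[OpenID]], the most popular single sign-on solution for Internet services" makes an undated popularity claim; the Technology section qualifies the same claim with "currently (2010)", so date it here as well or point to that section.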


Line 16: Line 16:


* {{quotation | The electronic representation of a real-world entity. The term is usually taken to mean the online equivalent of an individual human being, which participates in electronic transactions on behalf of the person in question. However a broader definition also assigns digital identities to organizations, companies and even individual electronic devices. Various complex questions of privacy, ownership and security surround the issue of digital identity.}} ([http://looselycoupled.com/glossary/digital%20identity Loosely coupled], retrieved 12:36, 12 April 2007 (MEST)).
* {{quotation | The electronic representation of a real-world entity. The term is usually taken to mean the online equivalent of an individual human being, which participates in electronic transactions on behalf of the person in question. However a broader definition also assigns digital identities to organizations, companies and even individual electronic devices. Various complex questions of privacy, ownership and security surround the issue of digital identity.}} ([http://looselycoupled.com/glossary/digital%20identity Loosely coupled], retrieved 12:36, 12 April 2007 (MEST)).
Contents of this page should be updated to reflect more recent initiatives, e.g. the Swiss [https://www.switch.ch/edu-id/ SWITCH Edu-ID] initiative - [[User:Daniel K. Schneider|Daniel K. Schneider]] ([[User talk:Daniel K. Schneider|talk]]) 11:35, 17 August 2017 (CEST)


== Issues ==
== Issues ==
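Review bot: the dated, signed maintenance remark ("Contents of this page should be updated to reflect more recent initiatives ... Daniel K. Schneider (talk) 11:35, 17 August 2017") is added to the article body directly under the technical definition; a note like this belongs on the talk page or in a maintenance template so it does not render as part of the definition.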
Line 21: Line 23:
Digital identity is related to many issues. Below are a few:
Digital identity is related to many issues. Below are a few:


=== Digital identifiers and authentification ===
=== Digital identifiers and authentication ===


Providing digital identifiers to users and things in a ''local context'' is fairly easy. Since there is a single user/password database each user can be given a different user name.
Providing digital identifiers to users and things in a ''local context'' is fairly easy. Since there is a single user/password database each user can be given a different user name.


On the global Internet and even on smaller wide area networks (like the Swiss university system) digital identifiers are more difficult to agree upon. E.g. the {{quotation|OpenID Authentication provides a way to prove that an end user controls an Identifier. It does this without the Relying Party needing access to end user credentials such as a password or to other sensitive information such as an email address.}} ([http://openid.net/specs/openid-authentication-2_0.html OpenID 2.0], retrieved 19:03, 22 February 2010 (UTC)). The OpenID identifier is a unique URL chosen by the user.
On the global Internet and even on smaller wide area networks (like the Swiss university system) digital identifiers are more difficult to agree upon. E.g. the {{quotation|OpenID Authentication provides a way to prove that an end user controls an Identifier. It does this without the Relying Party needing access to end user credentials such as a password or to other sensitive information such as an email address.}} ([http://openid.net/specs/openid-authentication-2_0.html OpenID 2.0], retrieved 19:14, 22 February 2010 (UTC)). The OpenID identifier is a unique URL chosen by the user.


Authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in. This process engages identifiers and several players. E.g. in the OpenID framework, one can according to the [http://openid.net/specs/openid-authentication-2_0.html#terminology specification], distinguish:
Authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in. This process engages identifiers and several players. In [[OpenID]] (and in simplified terms): The ''end user'' presents an identifier to the ''relying party'' (the web service he wants to access). The Relying party then discovers an ''OpenID Provider Endpoint UR''L from the identifier URL and both the ''Relying party ''and the ''OpenID Provider''(OP) create a crypted channel for message exchange. Next, the end user is re-directed to the OP for verification of the authentication request. The OP then tells the relying party if the authentication is approved are rejected.
 
* The identifier of a user: a "http" or "https" [[URI]]
* The relying party: A Web application that wants proof that the end user controls an Identifier. (User provides a website with an OpenID URL like ''http://XYZ@myopenid.com'').
* OpenID Provider ('''OP'''): An OpenID Authentication server on which a Relying Party relies for an assertion that the end user controls an Identifier. This provider has
** an ''OP identifier'' (e.g. ''http://myopenid.com'')
** a OP Endpoint URL: accepts OpenID Authentication protocol messages.
 
In simplified terms: The end user presents an identifier to the relying party. The Relying party then discovers an OP Endpoint URL from the identifier URL and both the relying party and the OP create a cypted channel for message exchange. Next, the end user is re-directed to the OP for verification of the authentication request. The OP then tells the relying party if the authentication is approved are rejected.


=== Identity as "being there" and "being perceived" ===
=== Identity as "being there" and "being perceived" ===


When humans engage in online activities they are at least partly "there". This is particularly true in [[virtual environment]]s, [[social networking|social network]]s and various [[groupware]]. Role play may differ a lot. Identity is also about how a person is perceived by a community. See [[online identity]] for a short definition of what a on-line social identity can be.
When humans engage in online activities they are at least partly "there". This is particularly true in [[virtual environment]]s, [[social networking|social network]]s and various [[groupware]]. Role play may differ a lot. Identity is also about how a person is perceived by a community. See [[online identity]] for a short definition of what a on-line social identity can be.
Massive use of ICT in business and private life has led to [http://en.wikipedia.org/wiki/Personally_identifiable_information personally identifiable information], i.e. information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual (Wikipedia). In addition, the use of [[social software]] and in particular [[social networking]] applications like Facebook allows to draw quite extensive digital profiles of many people. This situation requires - at least in principle - that person adopt some kind of ''Personal Information Management'' (PIM; Jones, 2008) strategy.


=== Data portability and exchange ===
=== Data portability and exchange ===


How can we reuse data accross applications, e.g. social networks, data, texts ? According to the [http://www.dataportability.org/ DataPortability Project], {{quotation|Data portability is the ability for people to reuse their data across interoperable applications. The DataPortability Project works to advance this vision by identifying, contextualizing and promoting efforts in the space.}}. More precisely for the user, this project makes the following promise: {{quotation|With data portability, you can bring your identity, friends, conversations, files and histories with you, without having to manually add them to each new service. Each of the services you use can draw on this information relevant to the context. As your experiences accumulate and you add or change data, this information will update on other sites and services if you permit it, without having to revisit others to re-enter it.}}
How can we reuse data across applications, e.g. social networks, data, texts ? According to the [http://www.dataportability.org/ DataPortability Project], {{quotation|Data portability is the ability for people to reuse their data across interoperable applications. The DataPortability Project works to advance this vision by identifying, contextualizing and promoting efforts in the space.}}. More precisely for the user, this project makes the following promise: {{quotation|With data portability, you can bring your identity, friends, conversations, files and histories with you, without having to manually add them to each new service. Each of the services you use can draw on this information relevant to the context. As your experiences accumulate and you add or change data, this information will update on other sites and services if you permit it, without having to revisit others to re-enter it.}}
 
=== Identity cards and i-names ===
 
Previous issues can be somewhat related to question on how one should manage multiple identities.
 
So-called information cards contain a certain number of assertions about yourself and can then be handed over to various services. A user when connecting to a web site (the relying party), can select an identity by selecting an information card. This card is then authenticated by a trusted identity provider.
 
'''I-names''' are one form of an XRI (see below) and represent a unique name for a person or an organization. I-names are related to unique '''I-numbers''' (i.e. the equivalent of IP addresses for humans).
 
The advantage of i-name is that a user can control what kind of information what kind of service or agent can access. e.g. one may give or not give permission to translate an i-name into an email-address. Finally, since an I-name is unique, one never has to change it.
 
I-*** services are provided by so-called '''i-brokers'''. [http://en.wikipedia.org/wiki/I-broker Wikipedia] defines an '''i-broker''' {{quotation|is a "banker for data" or "ISP for identity services" — a trusted third party that helps individuals and organizations share private data the same way banks help exchange funds and ISPs help exchange e-mail and files. The term was introduced in the Social Web paper describing how a new layer of Internet infrastructure is possible based on the OASIS XRI and XDI specifications. However the concept of an i-broker is not specific to any one technology or protocol, but rather a business and social function, similar to that of a bank or an ISP. [...] I-Brokers are sometimes referred to as a homesite, or PIP (Personal Identity Provider), or IdP (Identity Provider)}}, retrieved 22:22, 23 February 2010 (UTC).
 
An i-name can be registered for a span between 1 and 12 years (like domain names) and cost about $12/year. Associated i-numbers never can be reassigned.


== Technology ==
== Technology ==
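Review bot: the rewritten OpenID walk-through keeps two errors from the deleted bullet list: "create a crypted channel for message exchange" and "approved are rejected" ("approved or rejected"). In OpenID 2.0 the relying party and the OP do not set up an encrypted channel; they establish an association, a shared MAC key with which the OP signs its assertion and the RP verifies it, and the sentence should say so. The italic markup in "''OpenID Provider Endpoint UR''L" closes one character early, and "what kind of information what kind of service or agent can access" in the i-names paragraph needs rewording (e.g. "which information each service or agent may access").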
Line 51: Line 61:
The essential question is how you can tell "Who am I" to a given website.
The essential question is how you can tell "Who am I" to a given website.


[http://openid.net/ OpenID] is an open, decentralized, free framework for user-centric digital identity. The first piece of the OpenID framework is authentication -- how you prove ownership of a URI. Your username is your URI, and your password (or other credentials) stays safely stored on a OpenID Provider (which can be your own). The advantage of OpenID is that it can prove that an end user controls an identifier without the relying party needing to access end user information such asn email address or a passord.
[http://openid.net/ OpenID] is an open, decentralized, free framework for user-centric digital identity. The first piece of the OpenID framework is authentication -- how you prove ownership of a URI. Your username is your URI, and your password (or other credentials) stays safely stored on a OpenID Provider (which can be your own). The advantage of OpenID is that it can prove that an end user controls an identifier without the relying party needing to access end user information such as an email address or a password.


OpenID currently (2010) seems to be the most popular system.
OpenID currently (2010) seems to be the most popular system.
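Review bot: "stays safely stored on a OpenID Provider" should read "an OpenID Provider" in both versions; the new line fixes "asn" and "passord" but leaves this one.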
Line 59: Line 69:
* [http://www.microid.org/ MicroID - Small Decentralized Verifiable Identity].MicroID is a lightweight identity layer for the web, invented by Jeremie Miller (creator of Jabber). MicroID enables anyone to claim verifiable ownership over content hosted anywhere on the web (social networking sites, discussion forums, blogs, etc.).
* [http://www.microid.org/ MicroID - Small Decentralized Verifiable Identity].MicroID is a lightweight identity layer for the web, invented by Jeremie Miller (creator of Jabber). MicroID enables anyone to claim verifiable ownership over content hosted anywhere on the web (social networking sites, discussion forums, blogs, etc.).


* [http://en.wikipedia.org/wiki/Light-Weight_Identity Light-Weight Identity] (LID). a set of protocols and software implementations created by Johannes Ernst of NetMesh Inc. for representing and using digital identities on the Internet in a light-weight manner, without relying on any central authority. Related somehow to OpenID since the latter adopted the idea of using URL-based identities.
* [http://en.wikipedia.org/wiki/Light-Weight_Identity Light-Weight Identity] (LID). a set of protocols and software implementations created by Johannes Ernst of NetMesh Inc. for representing and using digital identities on the Internet in a light-weight manner, without relying on any central authority. Related somehow to OpenID since the latter adopted the idea of using URL-based identities. (not clear how popular this is)


Since there is no universal Internet authentification mechanism (although OpenID is currently a strong contender), one can image "meta-services". [http://en.wikipedia.org/wiki/Yadis Yadis] Yadis is an open initiative to build an interoperable lightweight discovery protocol for decentralized, user-centric digital identity and related purposes. Yadis aims to allow the capabilities of identities to be composed from an open-ended set of services, defined and/or implemented by many different parties. It supports services like OpenID, OAuth and XDI. The Yadis project then led to XRDS.
Since there is no universal Internet authentication mechanism (although OpenID is currently a strong contender), one can image "meta-services". [http://en.wikipedia.org/wiki/Yadis Yadis] Yadis was an open initiative to build an interoperable lightweight discovery protocol for decentralized, user-centric digital identity and related purposes. Yadis aims to allow the capabilities of identities to be composed from an open-ended set of services, defined and/or implemented by many different parties. It supports services like OpenID, OAuth and XDI. The Yadis project then led to XRDS.


* [http://en.wikipedia.org/wiki/Extensible_Resource_Identifier XRI] is a fairly abstract concept for defining various identity schemes like i-cards, i-numbers and OpenID.
Since OpenID basically manages logins and profiles, but not identities per se, new global approaches to digital identity management have been developed, in particular [http://en.wikipedia.org/wiki/Extensible_Resource_Identifier XRI]: This standard defines a fairly abstract concept for defining various identity schemes like i-cards, [[i-name]]s, i-numbers and OpenID. XRI stands for '''EXtensible Resource Identifier''' and has been developed by OASIS as {{quotation|a standard for a high-level naming/identification system for individuals, businesses, communities, services and data on the Internet. XRI, along with XDI, a general-purpose data interchange protocol based on XRI, were developed to create the "Dataweb," which enables the Web to operate like a global database.}} ([http://dictionary.zdnet.com/definition/XRI.html ZDNet], retrieved 22:22, 23 February 2010 (UTC)).
* The XRI Identifiers (I-Names and I-numbers) are administered by [http://XDI.org XDI.org]. I.e.  XDI.org accredits I-Brokers. You can find these on the [http://www.inames.net/register.html i-broker page] page of [http://www.inames.net/register.html inames.net]


* [http://en.wikipedia.org/wiki/XRDS XRDS] (eXtensible Resource Descriptor Sequence) {{quotation|is an XML format for discovery of metadata about a resource – in particular discovery of services associated with the resource, a process known as service discovery. For example, a website offering OpenID login can resolve a user's OpenID identifier to an XRDS document to discover the location of the user's OpenID service provider.}} (retrieved 19:03, 22 February 2010 (UTC)).
Initiatives related to XRI:


* [http://en.wikipedia.org/wiki/Higgins_project Higgins] {{quotation|is an open source framework that enables users and other systems to integrate identity, profile, and relationship information across multiple heterogeneous systems. Higgins unifies all identity interactions (regardless of protocol/format) under a common user interface metaphor called i-cards.}} (Wikipedia, retrieved 19:03, 22 February 2010 (UTC)). [http://en.wikipedia.org/wiki/I-card i-cards] and the (same) [http://en.wikipedia.org/wiki/Information_card information cards], passwords and OpenIDs are part of the Higgins data model.
* [http://en.wikipedia.org/wiki/Higgins_project Higgins] {{quotation|is an open source framework that enables users and other systems to integrate identity, profile, and relationship information across multiple heterogeneous systems. Higgins unifies all identity interactions (regardless of protocol/format) under a common user interface metaphor called i-cards.}} (Wikipedia, retrieved 19:14, 22 February 2010 (UTC)). [http://en.wikipedia.org/wiki/I-card i-cards] and the (same) [http://en.wikipedia.org/wiki/Information_card information cards], passwords and OpenIDs are part of the Higgins data model.


See also: [[single sign-on]]
* [http://en.wikipedia.org/wiki/XRDS XRDS] (eXtensible Resource Descriptor Sequence) {{quotation|is an XML format for discovery of metadata about a resource – in particular discovery of services associated with the resource, a process known as service discovery. For example, a website offering OpenID login can resolve a user's OpenID identifier to an XRDS document to discover the location of the user's OpenID service provider.}} (retrieved 19:14, 22 February 2010 (UTC)). XRDS is also used with OAuth, i-names and i-numbers, Higgins i-cards, etc.


=== Light-weight data and resource sharing ===
=== Light-weight data and resource sharing ===


'''OAuth''' is a {{an open protocol that allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their username and password. OAuth allows users to hand out tokens instead of usernames and passwords to their data hosted by a given service provider. Each token grants access to a specific site (e.g. a video editing site) for specific resources (e.g. just videos from a specific album) and for a defined duration (e.g. the next 2 hours).}} ([http://en.wikipedia.org/wiki/OAuth Wikipedia], retrieved 19:03, 22 February 2010 (UTC)).
'''OAuth''' is a {{quotation|an open protocol that allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their username and password. OAuth allows users to hand out tokens instead of usernames and passwords to their data hosted by a given service provider. Each token grants access to a specific site (e.g. a video editing site) for specific resources (e.g. just videos from a specific album) and for a defined duration (e.g. the next 2 hours).}} ([http://en.wikipedia.org/wiki/OAuth Wikipedia], retrieved 19:14, 22 February 2010 (UTC)).


OAuth can be considered a complementary service to OpenID.
OAuth can be considered a complementary service to OpenID. In simple terms '''OAuth is like hotel card key''', e.g. you register a the desk and then get a key with which you can open a certain number of facilities for a certain amount of time. In other words, you can give a key to a web service and that allows it to look at some of your stuff. The key is made by a trusted web service. Example: Allow Facebook to look at stuff that sits in LinkedIn.


'''XDI''' {{quotation| (XRI Data Interchange) is a generalized, extensible service for sharing, linking, and synchronizing data over the Internet and other data networks using machine-readable structured documents that use an RDF vocabulary based on XRI structured identifiers ([http://en.wikipedia.org/wiki/XDI XDI]}}, retrieved 19:03, 22 February 2010 (UTC)). It can been see as a "web" for machines (as opposed to the "HTML"-based web for humans).
'''XDI''' {{quotation| (XRI Data Interchange) is a generalized, extensible service for sharing, linking, and synchronizing data over the Internet and other data networks using machine-readable structured documents that use an RDF vocabulary based on XRI structured identifiers ([http://en.wikipedia.org/wiki/XDI XDI]}}, retrieved 19:14, 22 February 2010 (UTC)). It can been see as a "web" for machines (as opposed to the "HTML"-based web for humans).


[http://www.opensocial.org/ OpenSocial] is a [http://www.opensocial.org/page/specs-1 common set of APIs] to access data in social networking applications. Its main sponsor is Google. According to [http://en.wikipedia.org/wiki/OpenSocial Wikipedia] (retr. Jan 2010), {{quotation|Based on HTML and JavaScript, as well as the Google Gadgets framework, OpenSocial includes four APIs for social software applications to access data and core functions on participating social networks. Each API addresses a different aspect: one is the general JavaScript API, one for people and friends (people and relationship information), one for activities (publishing and accessing user activity information), and one for persistence (simple key-value pair data for server-free stateful applications).}}
[http://www.opensocial.org/ OpenSocial] is a [http://www.opensocial.org/page/specs-1 common set of APIs] to access data in social networking applications. Its main sponsor is Google. According to [http://en.wikipedia.org/wiki/OpenSocial Wikipedia] (retr. Jan 2010), {{quotation|Based on HTML and JavaScript, as well as the Google Gadgets framework, OpenSocial includes four APIs for social software applications to access data and core functions on participating social networks. Each API addresses a different aspect: one is the general JavaScript API, one for people and friends (people and relationship information), one for activities (publishing and accessing user activity information), and one for persistence (simple key-value pair data for server-free stateful applications).}}


=== More heavy systems ===
=== More heavy systems for user authentication ===


* [http://en.wikipedia.org/wiki/Shibboleth_%28Internet2%29 Shibboleth].an architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on SAML.
* [http://en.wikipedia.org/wiki/Shibboleth_%28Internet2%29 Shibboleth]. An architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on [http://en.wikipedia.org/wiki/Saml SAML].
** E.g. adopted by the [http://www.switch.ch/aai/ Swiss University Network]
** E.g. adopted by the [http://www.switch.ch/aai/ Swiss University Network]


* [[LDAP]]. The most popular organizational solution (Microsoft, Linux, Solaris, Novell, all support this in one or another way. Sometimes LDAP is the default way to manage users, sometimes it's an option ...). Often, institutions adopt an LDAP server to authenticate users for various internet applications (e.g. an [[LMS]]), to manage access to central systems and to manage the email and phone directory. So it's a kind of all-in-one solution.
* [[LDAP]]. The most popular organizational solution (Microsoft, Linux, Solaris, Novell, all support this in one or another way. Sometimes LDAP is the default way to manage users, sometimes it's an option ...). Often, institutions adopt an LDAP server to authenticate users for various Internet applications (e.g. an [[LMS]]), to manage access to central systems and to manage the email and phone directory. So it's a kind of all-in-one solution.


== Links ==
== Links ==


* [http://en.wikipedia.org/wiki/Digital_identity Wikipedia Digital Identity]
=== Services ===
 
* See [[OpenID]] for OpenID-related services
* [http://www.inames.net/ inames.net] (the XDI.org portal for i-names)


=== Players ===
=== Players ===


* [http://www.projectliberty.org/ The libery allience] Its vision {{quotation|is to enable a networked world based on open standards where consumers, citizens, businesses and governments can more easily conduct online transactions while protecting the privacy and security of identity information.}} (retrieved 19:03, 22 February 2010 (UTC)).
* [http://www.projectliberty.org/ The liberty alliance] Its vision {{quotation|is to enable a networked world based on open standards where consumers, citizens, businesses and governments can more easily conduct online transactions while protecting the privacy and security of identity information.}} (retrieved 19:14, 22 February 2010 (UTC)).


* [http://openwebfoundation.org/ Open Web Foundation] is {{quotation|an attempt to create a home for community-driven specifications.}}
* [http://openwebfoundation.org/ Open Web Foundation] is {{quotation|an attempt to create a home for community-driven specifications.}}
Line 100: Line 114:
* [http://www.dataportability.org/ DataPortability.org] has a mission {{quotation|To help people to use and protect the data they create on networked services, and to advocate for compliance with the values of DataPortability}}.
* [http://www.dataportability.org/ DataPortability.org] has a mission {{quotation|To help people to use and protect the data they create on networked services, and to advocate for compliance with the values of DataPortability}}.


* [http://www.oasis-open.org/ OASIS] is a major player for XML-related standards. e.g. see the [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xri XRI committee].
* [http://www.oasis-open.org/ OASIS] is a major player for XML-related standards. With respect to digital identity: SAML, XDI, XRI etc. See also the [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xri XRI committee], [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss Web Services Security (WSS) Technical Committee], [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml eXtensible Access Control Markup Language (XACML) Technical Committee], etc.
 
* [XDI.org] (manages i-xxx spaces).


* [http://openid.net/ OpenID community]
* [http://openid.net/ OpenID community]
* There are also publicly funded research projects, e.g. [http://www.primelife.eu/ Primelife] (a EU 2008-2011 project)


=== Specifications ===
=== Specifications ===


* [http://openid.net/specs/openid-authentication-2_0.html OpenID Authentication 2.0 - Final]
* [http://openid.net/specs/openid-authentication-2_0.html OpenID Authentication 2.0 - Final]
* See [[http://www.xdi.org/ XDI.org] and [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xri OASIS] for XRI-related specifications.


=== Some technology links ===
=== Some technical links ===


* [http://en.wikipedia.org/wiki/Public_key_cryptography Public-key cryptography] (Wikipedia)
* [http://en.wikipedia.org/wiki/Public_key_cryptography Public-key cryptography] (Wikipedia)
 
* [http://en.wikipedia.org/wiki/Digital_identity Wikipedia Digital Identity]
* [http://en.wikipedia.org/wiki/OpenID OpenID] (Wikipedia)
* [http://en.wikipedia.org/wiki/OpenID OpenID] (Wikipedia)
* [http://en.wikipedia.org/wiki/I-name i-name] (Wikipedia)
* [http://en.wikipedia.org/wiki/I-number I-number] (Wikipedia)
* [http://en.wikipedia.org/wiki/I-broker I-broker] (Wikipedia)
* [http://en.wikipedia.org/wiki/XRI XRI] (Wikipedia)
* [http://en.wikipedia.org/wiki/XRDS XRDS] (Wikipedia)
* [http://en.wikipedia.org/wiki/XDI XDI] (Wikipedia)


* [http://lid.netmesh.org/wiki/Main_Page Light-Weight Identity]
* [http://lid.netmesh.org/wiki/Main_Page Light-Weight Identity]


* [http://www.eclipse.org/higgins/ Higgins] Open Source Identity Framework
* [http://www.eclipse.org/higgins/ Higgins] Open Source Identity Framework
=== Other ===
* [https://identityblog.switch.ch/ SWTICH Identity Blog]




[[Category:Identity and authentication]]
[[Category:Identity and authentication]]
[[Category: Web technologies]]
[[fr:identité digitale]]
[[fr:identité digitale]]
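Review bot: two links in the new version are malformed: "* [XDI.org] (manages i-xxx spaces)." uses single brackets without a URL and will not render as a link, and "[[http://www.xdi.org/ XDI.org]" mixes internal and external link brackets; both should be "[http://www.xdi.org/ XDI.org]". Typos carried into the new lines: "one can image "meta-services"" (imagine), "register a the desk" (at the desk), "It can been see as" (can be seen as), "SWTICH Identity Blog" (SWITCH). In the XDI line the opening parenthesis of the citation sits inside the {{quotation}} braces while the closing one sits outside, so the citation should be moved after the "}}". The old OAuth line's "{{an open protocol" is correctly fixed to "{{quotation|an open protocol" in the new line.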

Latest revision as of 10:35, 17 August 2017

Draft

Definition

“Digital identity refers to the aspect of digital technology that is concerned with the mediation of people's experience of their own identity and the identity of other people and things.” (Wikipedia, retrieved 12 April 2007). Key issues of digital identity are:

  • Identity attributes: How can we define "identity" through the identity attributes of an entity? E.g. a human may be identified through iris scanning, by showing a passport, by user names and passwords, etc.
  • Authentication is a related question: How can an entity prove its identity to another entity? E.g. a computer user proves their identity to the computer by providing a login name and a matching password.
  • Views: What kinds of views does an entity grant to its observers? E.g. a Facebook user may allow or not allow categories of other users to see their profile.

See also:

  • Single sign-on
  • OpenID, the most popular single sign-on solution for Internet services (and that may include other services, like identity management).
  • i-name, unique identifiers for persons and other entities.
  • online identity, an entry that deals with social identities that users establish in online communities or as a person "being" present on the Internet.
Technical definition
  • “The electronic representation of a real-world entity. The term is usually taken to mean the online equivalent of an individual human being, which participates in electronic transactions on behalf of the person in question. However a broader definition also assigns digital identities to organizations, companies and even individual electronic devices. Various complex questions of privacy, ownership and security surround the issue of digital identity.” (Loosely coupled, retrieved 12:36, 12 April 2007 (MEST)).

Contents of this page should be updated to reflect more recent initiatives, e.g. the Swiss SWITCH Edu-ID initiative - Daniel K. Schneider (talk) 11:35, 17 August 2017 (CEST)

Issues

Digital identity is related to many issues. Below are a few:

Digital identifiers and authentication

Providing digital identifiers to users and things in a local context is fairly easy: since there is a single user/password database, each user can be given a different user name.

On the global Internet and even on smaller wide area networks (like the Swiss university system) digital identifiers are more difficult to agree upon. E.g. the “OpenID Authentication provides a way to prove that an end user controls an Identifier. It does this without the Relying Party needing access to end user credentials such as a password or to other sensitive information such as an email address.” (OpenID 2.0, retrieved 19:14, 22 February 2010 (UTC)). The OpenID identifier is a unique URL chosen by the user.

Authentication is the process of attempting to verify the digital identity of the sender of a communication, such as a request to log in. This process involves identifiers and several players. In OpenID (in simplified terms): the end user presents an identifier to the relying party (the web service they want to access). The relying party then discovers an OpenID Provider endpoint URL from the identifier URL, and the relying party and the OpenID Provider (OP) set up a protected channel for message exchange (an association, i.e. a shared secret used to sign the messages). Next, the end user is redirected to the OP for verification of the authentication request. The OP then tells the relying party whether the authentication is approved or rejected.
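The exchange described above, reduced to its security core, as an added example that is not part of the original page or of any OpenID library: the relying party (RP) discovers the OP endpoint, associates with it to obtain a shared HMAC key, and later verifies the signed assertion that comes back through the user's browser. The identifier, endpoint and return URLs are constructed, discovery is a lookup table standing in for Yadis/XRDS, and the association key is generated directly instead of via Diffie-Hellman.

```python
import hashlib, hmac, secrets
# Constructed discovery table (stands in for Yadis/XRDS discovery): identifier URL -> OP endpoint URL.
DISCOVERY = {"https://alice.example.org/": "https://op.example.org/endpoint"}

def kv_sign(key, fields, signed):
    # HMAC-SHA256 over OpenID key-value form: "name:value\n" per signed field, in the listed order.
    kv = "".join(f"{n}:{fields.get('openid.' + n, '')}\n" for n in signed)
    return hmac.new(key, kv.encode(), hashlib.sha256).hexdigest()

class OpenIDProvider:
    # Simplified OP: it alone holds the user's password; the RP only ever sees signed assertions.
    endpoint = "https://op.example.org/endpoint"
    def __init__(self):
        self.assocs = {}  # assoc_handle -> shared HMAC key
    def associate(self):
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)  # OpenID 2.0 derives the key via DH
        self.assocs[handle] = key
        return handle, key
    def checkid(self, handle, claimed_id, return_to, user_approves):
        if not user_approves:  # user declined at the OP: negative assertion, nothing is signed
            return {"openid.mode": "cancel"}
        signed = ["mode", "claimed_id", "return_to", "assoc_handle", "response_nonce"]
        f = {"openid.mode": "id_res", "openid.claimed_id": claimed_id, "openid.return_to": return_to,
             "openid.assoc_handle": handle, "openid.signed": ",".join(signed),
             "openid.response_nonce": secrets.token_hex(8)}
        f["openid.sig"] = kv_sign(self.assocs[handle], f, signed)
        return f

class RelyingParty:
    RETURN_TO = "https://rp.example.org/openid/return"
    REQUIRED = {"mode", "claimed_id", "return_to", "assoc_handle", "response_nonce"}
    def __init__(self):
        self.assocs, self.seen_nonces = {}, set()
    def start(self, identifier, op):
        # Discover the OP behind the identifier and associate; the handle goes into the redirect to the OP.
        assert DISCOVERY.get(identifier) == op.endpoint, "identifier does not resolve to this OP"
        handle, key = op.associate()  # in practice a direct HTTPS request to the OP endpoint
        self.assocs[handle] = key
        return handle
    def verify(self, r):
        # The response arrives indirectly via the user's browser, so every field is untrusted input.
        if r.get("openid.mode") != "id_res" or r.get("openid.return_to") != self.RETURN_TO:
            return False
        signed = r.get("openid.signed", "").split(",")
        if not self.REQUIRED <= set(signed) or r.get("openid.assoc_handle") not in self.assocs:
            return False  # every security-relevant field must be covered by the signature
        if r["openid.response_nonce"] in self.seen_nonces:
            return False  # replay of a previously accepted assertion
        if not hmac.compare_digest(kv_sign(self.assocs[r["openid.assoc_handle"]], r, signed), r.get("openid.sig", "")):
            return False
        self.seen_nonces.add(r["openid.response_nonce"])
        return True
```

The RP never learns the user's password: it only holds the association key and checks that the assertion it gets back is signed, complete, addressed to its own return URL and not a replay.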

Identity as "being there" and "being perceived"

When humans engage in online activities they are at least partly "there". This is particularly true in virtual environments, social networks and various groupware. Role play may differ a lot. Identity is also about how a person is perceived by a community. See online identity for a short definition of what an online social identity can be.

Massive use of ICT in business and private life has led to personally identifiable information, i.e. information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual (Wikipedia). In addition, the use of social software and in particular social networking applications like Facebook allows one to draw quite extensive digital profiles of many people. This situation requires - at least in principle - that persons adopt some kind of Personal Information Management (PIM; Jones, 2008) strategy.

Data portability and exchange

How can we reuse data across applications, e.g. social networks, data, texts? According to the DataPortability Project, “Data portability is the ability for people to reuse their data across interoperable applications. The DataPortability Project works to advance this vision by identifying, contextualizing and promoting efforts in the space.” More precisely, for the user this project makes the following promise: “With data portability, you can bring your identity, friends, conversations, files and histories with you, without having to manually add them to each new service. Each of the services you use can draw on this information relevant to the context. As your experiences accumulate and you add or change data, this information will update on other sites and services if you permit it, without having to revisit others to re-enter it.”

Identity cards and i-names

The previous issues are somewhat related to the question of how one should manage multiple identities.

So-called information cards contain a certain number of assertions about yourself and can then be handed over to various services. A user, when connecting to a web site (the relying party), can select an identity by selecting an information card. This card is then authenticated by a trusted identity provider.

I-names are one form of an XRI (see below) and represent a unique name for a person or an organization. I-names are related to unique I-numbers (i.e. the equivalent of IP addresses for humans).

The advantage of an i-name is that a user can control which kinds of information which kinds of services or agents can access, e.g. one may or may not give permission to translate an i-name into an email address. Finally, since an i-name is unique, one never has to change it.

I-*** services are provided by so-called i-brokers. According to Wikipedia, an i-broker “is a "banker for data" or "ISP for identity services" — a trusted third party that helps individuals and organizations share private data the same way banks help exchange funds and ISPs help exchange e-mail and files. The term was introduced in the Social Web paper describing how a new layer of Internet infrastructure is possible based on the OASIS XRI and XDI specifications. However the concept of an i-broker is not specific to any one technology or protocol, but rather a business and social function, similar to that of a bank or an ISP. [...] I-Brokers are sometimes referred to as a homesite, or PIP (Personal Identity Provider), or IdP (Identity Provider)” (Wikipedia, retrieved 22:22, 23 February 2010 (UTC)).

An i-name can be registered for a span between 1 and 12 years (like domain names) and costs about $12/year. Associated i-numbers can never be reassigned.

Technology

Light-weight protocols and systems for identification on the Web

The essential question is how you can tell "Who am I" to a given website.

OpenID is an open, decentralized, free framework for user-centric digital identity. The first piece of the OpenID framework is authentication -- how you prove ownership of a URI. Your username is your URI, and your password (or other credentials) stays safely stored on an OpenID Provider (which can be your own). The advantage of OpenID is that it can prove that an end user controls an identifier without the relying party needing to access end user information such as an email address or a password.

OpenID currently (2010) seems to be the most popular system.

There are two lesser known systems:

  • MicroID: Small Decentralized Verifiable Identity. MicroID is a lightweight identity layer for the web, invented by Jeremie Miller (creator of Jabber). MicroID enables anyone to claim verifiable ownership over content hosted anywhere on the web (social networking sites, discussion forums, blogs, etc.).
  • Light-Weight Identity (LID): a set of protocols and software implementations created by Johannes Ernst of NetMesh Inc. for representing and using digital identities on the Internet in a light-weight manner, without relying on any central authority. Somehow related to OpenID, since the latter adopted the idea of using URL-based identities (it is not clear how popular this is).

Since there is no universal Internet authentication mechanism (although OpenID is currently a strong contender), one can imagine "meta-services". Yadis was an open initiative to build an interoperable lightweight discovery protocol for decentralized, user-centric digital identity and related purposes. Yadis aims to allow the capabilities of identities to be composed from an open-ended set of services, defined and/or implemented by many different parties. It supports services like OpenID, OAuth and XDI. The Yadis project then led to XRDS.

Since OpenID basically manages logins and profiles, but not identities per se, new global approaches to digital identity management have been developed, in particular XRI. This standard defines a fairly abstract concept for defining various identity schemes like i-cards, i-names, i-numbers and OpenID. XRI stands for Extensible Resource Identifier and has been developed by OASIS as “a standard for a high-level naming/identification system for individuals, businesses, communities, services and data on the Internet. XRI, along with XDI, a general-purpose data interchange protocol based on XRI, were developed to create the "Dataweb," which enables the Web to operate like a global database.” (ZDNet, retrieved 22:22, 23 February 2010 (UTC)).

  • The XRI identifiers (i-names and i-numbers) are administered by XDI.org, i.e. XDI.org accredits i-brokers. You can find these on the i-broker page of inames.net.

Initiatives related to XRI:

  • Higgins “is an open source framework that enables users and other systems to integrate identity, profile, and relationship information across multiple heterogeneous systems. Higgins unifies all identity interactions (regardless of protocol/format) under a common user interface metaphor called i-cards.” (Wikipedia, retrieved 19:14, 22 February 2010 (UTC)). i-cards and the (same) information cards, passwords and OpenIDs are part of the Higgins data model.
  • XRDS (eXtensible Resource Descriptor Sequence) “is an XML format for discovery of metadata about a resource – in particular discovery of services associated with the resource, a process known as service discovery. For example, a website offering OpenID login can resolve a user's OpenID identifier to an XRDS document to discover the location of the user's OpenID service provider.” (retrieved 19:14, 22 February 2010 (UTC)). XRDS is also used with OAuth, i-names and i-numbers, Higgins i-cards, etc.
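The discovery step XRDS is used for, as an added example that is not code from the page or from any OpenID/Yadis library: a relying party parses an XRDS document fetched for an identifier and picks the endpoint of the requested service type, honouring the priority attribute. The XRDS document and its URLs are constructed for the example; the namespace URIs and the OpenID 2.0 signon type URI are the real ones.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"          # namespace of the XRD/Service/Type/URI elements
OPENID_SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample XRDS document, such as an RP would fetch from a user's identifier URL.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://backup-op.example.org/endpoint</URI>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.org/endpoint</URI>
    </Service>
    <Service>
      <Type>http://oauth.net/core/1.0</Type>
      <URI>https://api.example.org/oauth</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def discover_services(xrds_text, service_type):
    """Return the URIs of every <Service> carrying the given <Type>, best priority first (lowest number wins)."""
    root = ET.fromstring(xrds_text)
    # Yadis consumers use the last XRD element; earlier ones belong to an XRI resolution chain.
    xrd = root.findall(f"{{{XRD_NS}}}XRD")[-1]
    found = []
    for svc in xrd.findall(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if service_type not in types:
            continue
        prio = svc.get("priority")
        prio = int(prio) if prio is not None else float("inf")  # no priority attribute: sorts last
        for uri in svc.findall(f"{{{XRD_NS}}}URI"):
            if uri.text:
                found.append((prio, uri.text.strip()))
    return [uri for _, uri in sorted(found)]

def discover_openid_endpoint(xrds_text):
    """Convenience wrapper: the OP endpoint an RP should redirect the user to, or None."""
    uris = discover_services(xrds_text, OPENID_SIGNON)
    return uris[0] if uris else None
```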

Light-weight data and resource sharing

OAuth is “an open protocol that allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their username and password. OAuth allows users to hand out tokens instead of usernames and passwords to their data hosted by a given service provider. Each token grants access to a specific site (e.g. a video editing site) for specific resources (e.g. just videos from a specific album) and for a defined duration (e.g. the next 2 hours).” (Wikipedia, retrieved 19:14, 22 February 2010 (UTC)).

OAuth can be considered a complementary service to OpenID. In simple terms, OAuth is like a hotel card key: you register at the desk and then get a key with which you can open a certain number of facilities for a certain amount of time. In other words, you can give a key to a web service that allows it to look at some of your stuff. The key is made by a trusted web service. Example: allow Facebook to look at stuff that sits in LinkedIn.
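The "hotel card key" properties quoted above (a token bound to a specific site, specific resources and a limited duration), as an added example that is not part of the page and does not implement the OAuth wire protocol: a constructed service provider mints a signed token after the user approves, and checks site, scope and expiry before releasing a resource. The consumer name, album names and the signing secret are constructed.

```python
import base64, hashlib, hmac, json, time

class ServiceProvider:
    """Constructed example: the site that holds the user's data and mints scoped, expiring access tokens."""
    def __init__(self, secret: bytes):
        self.secret = secret  # known only to the service provider, never to the consumer site

    def issue_token(self, user, consumer, scope, ttl_seconds, now=None):
        # Called after the user approved the request at the provider; the consumer never sees the password.
        exp = (now if now is not None else time.time()) + ttl_seconds
        claims = {"user": user, "consumer": consumer, "scope": sorted(scope), "exp": exp}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        tag = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"  # the "card key" handed to the consumer site

    def authorize(self, token, consumer, resource, now=None):
        """True only if the token is intact, was issued to this consumer, covers the resource and is unexpired."""
        try:
            body, tag = token.split(".")
        except ValueError:
            return False
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # forged or edited token
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["consumer"] != consumer:
            return False  # key issued to a different site
        if (now if now is not None else time.time()) >= claims["exp"]:
            return False  # key expired
        return resource in claims["scope"]  # only the resources the user actually granted
```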

XDI “(XRI Data Interchange) is a generalized, extensible service for sharing, linking, and synchronizing data over the Internet and other data networks using machine-readable structured documents that use an RDF vocabulary based on XRI structured identifiers” (XDI, retrieved 19:14, 22 February 2010 (UTC)). It can be seen as a "web" for machines (as opposed to the "HTML"-based web for humans).

OpenSocial is a common set of APIs to access data in social networking applications. Its main sponsor is Google. According to Wikipedia (retr. Jan 2010), “Based on HTML and JavaScript, as well as the Google Gadgets framework, OpenSocial includes four APIs for social software applications to access data and core functions on participating social networks. Each API addresses a different aspect: one is the general JavaScript API, one for people and friends (people and relationship information), one for activities (publishing and accessing user activity information), and one for persistence (simple key-value pair data for server-free stateful applications).”

More heavy systems for user authentication

  • Shibboleth. An architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on SAML.
  • LDAP. The most popular organizational solution (Microsoft, Linux, Solaris and Novell all support it in one way or another; sometimes LDAP is the default way to manage users, sometimes it's an option ...). Often, institutions adopt an LDAP server to authenticate users for various Internet applications (e.g. an LMS), to manage access to central systems and to manage the email and phone directory. So it's a kind of all-in-one solution.

Links

Services

  • See OpenID for OpenID-related services
  • inames.net (the XDI.org portal for i-names)

Players

  • The Liberty Alliance. Its vision “is to enable a networked world based on open standards where consumers, citizens, businesses and governments can more easily conduct online transactions while protecting the privacy and security of identity information.” (retrieved 19:14, 22 February 2010 (UTC)).
  • DataPortability.org has a mission “To help people to use and protect the data they create on networked services, and to advocate for compliance with the values of DataPortability”.
  • XDI.org (manages i-xxx spaces).
  • There are also publicly funded research projects, e.g. Primelife (an EU 2008-2011 project)

Specifications

Some technical links

  • Higgins Open Source Identity Framework

Other