Content-type: text/html Downes.ca ~ Stephen's Web ~ Identity Networks Are Here

Stephen Downes

Knowledge, Learning, Community

Jun 30, 2006

You may not have noticed it, but identity networks arrived last week, and the great land rush for identity consumers has begun.

As of right now, there are three major entities who have entered the identity network space.

Probably the first is SixApart. This is a company that offers a hosted blogging service called TypePad (a lot like Blogger, only smaller) and the very popular LiveJournal site. It also sess the Moveable Type blogging software. The people at Typepad made some very encouraging moves recently with the development of OpenID. This in turn, with the addition of two other companies, LID and iNames, became the Yadis initiative.

While commenting on a Typepad blog the other day I noticed that the login had been replaced by something called Typekey. This is "a free authentication service that lets you sign-in to your favorite websites." This was surprising enough, given the existence of Yadis, to follow, and so I took a look at the Typekey information page, which in turn said, "If you'd like to use TypeKey as authentication in your own application, you can join our Professional Network to find out how."

Filling in the forms (which essentially amounts to giving them my life story) makes me a member of the Professional Network. This is pretty interesting in itself, but what caught my eye here was an advertisement for Yahoo small business hosting using Moveable Type. Now I know, it's not anything like a business alliance. But it does raise the question of what would happen is Yahoo and SixApart got together to offer logins.

Some consolidation is going to happen here. Typepad and the Professional Network use Typekey. LiveJournal uses OpenID.

There things would stay except for the launch of PeopleAggregator this week. At first glance, PA looks just like any other social network. But when you go to login you discover that you can use you OpenID identity, your Sxip identity, or your Flickr identity.

We've already seen OpenID. Sxip (pronounced 'skip') is based on a similar principle. To create a Sxip identity you create an account at a Sxip homesite. "Homesites are websites or applications that facilitate the exchange of identity data between users and sites that request user data. By adding Homesite functionality, a website can provide the following services: authenticate and identify users, assign identitifiers to a user's persona, provide a repository for identity data, and release that data, upon user consent, to other sites via the user's browser." (FAQ)

Flickr, of course, is a website that allows people to upload and store photos. Flickr was recently acquired by Yahoo and a process of merging Flickr identities with Yahoo identities has been underway. Which means that the mechanism employed by PeopleAggregator may also eventually involve allowing you to sign up with your Yahoo identity.

The systems described above are distributed. That means individual entities - such as schools or universities - could set up they own identity system, either by installing something OpenID or by installing a Sxip homesite server (this is not a simple process yet, though).

Not so with our third entry. As Tony Hirst notes, Google has set up an account authentication for web-based applications. What that means is that the system enables the application to get an authentication token without ever handling the user's account login information. The Google system, as you can see from their diagram, uses a mechanism that is almost exactly the same as my own mIDm system - the major difference being that people are redirected to the Google website rather than one identified in their browser header.

To quote the O'Reilly Radar post, "This service lets you build a web app that uses Google's user accounts for user authentication. All the build-to-flip optimists will immediately adopt it, but the rest of us probably aren't willing to cede our users to Google just yet. The word I had from inside Google is that this is not an identity play, it's something they were developing for internal use..." What distinguishes these systems from other identity systems is that they are networks rather than federations. The difference is crucil. In a network, there does not need to exist a trust relation between one member and another - they operate at arm's length. This means there's no real process required to 'join' the network - you install the right code, get people to use it, and you're in.

Compare that with passport. While designers could secure their website with Passport, only Microsoft created and held Passport accounts. You couldn't set up your own service and let people create identities that you would register. Such a system was therefore centralized. Other systems work in a similar manner, except that only a small number of trusted parties is able to create identities. Such networks are federated. In both cases, the result is the same: you must depend on the identity providers to allow you an identity - which means you must play by the identity provider's rules.

The end-game has yet to be written with respect to online identity. I still believe that the browser needs some mechanism to report to a site the user's selection of an identity provider - after all, we won't all use Google. And I think companies like Microsoft and AOL won't sit silently.

And I think that educational providers, who have focused almost exclusively on centralized or federated approachs thus far, will have to take note. People today get their own names, addresses and phone numbers. In the future, they will get their own net identities, and the universities won't provide it for them. This then raises the wisdom of heavy investment in an alternative schools-only system.


Stephen Downes Stephen Downes, Casselman, Canada
stephen@downes.ca

Copyright 2024
Last Updated: Dec 15, 2024 6:47 p.m.

Canadian Flag Creative Commons License.

Force:yes