Yesterday I responded to Kim Cameron’s Identity Blog posting titled INTERVIEW ON OPENNESS AND PRIVACY, discussing an interview between Bill Gates and the Financial Times. I just wanted to get my comment up here in case Kim never authorises it on his site. He may not trust me.
Bill Gates: “That’s called federation, where we take their trust statement and we accept it, within a certain scope. So they don’t have to get another user account password. There’s no central node in this thing at all, there never can be. Banks are a key part of it, governments can be part of it. The US, probably not as much.”
This statement highlights the number one problem that a federated identity system is going to face – the federation of trust. Compared to the problem of trusting ‘trust’, identity management is a piece of cake. Yet the discussion continually seems to revolve around the sharing of identity secrets, but it is the trust of the owners of the identity secrets that is the greatest challenge. It is fairly clear that in the world today trust is an expensive commodity that is not easily transferable.
I believe that there needs to be a way of abstracting this trust problem to one or more (competing?) third parties. The question is ‘who do you trust’?
It is time to get this site going about more than just my ‘idle’ mumblings and out of date running updates. There is a topic of conversation that my career has revolved around like a satellite around a planet. It is the story of online identities and their use and misuse.
For me this has appeared in projects where two ISP businesses have brought their customers under one organisation and these customers do not have unique usernames to identify themselves to the new ISP. What! Two ‘Fred’s!! Will the real Fred please step forward? Hmm, if only it was that simple. In the late ’90s when ISPs and online portals were coming together this happened time and again, and it was always messy.
At around the same time the ‘kiddies’ got their hands on software that would allow them to steal passwords from customers in the school holidays. So now usernames and passwords are under siege. A single stolen password could be reused by the baddies over and over again without recourse.
Then spam came along and polluted the one personal identifier that the whole internet had agreed from the outset would be unique. Bugga. Stopping spam and protecting mailboxes became another major project. Without a way of identifying who the hell sent the spam in the first place, or even being sure who sent what looks like the good email, then all manner of arcane solutions had to be employed.
By now the ‘kiddies’ have grown up and are selling their password stealing skills to the spammers who are selling their spam networks to real criminals, who don’t want your email. They want your bank account. Enter the rise and rise of ‘phishing’.
So now I am looking at ways of improving on the humble static password. When was the last time you changed yours? Are you sure nobody else knows it?
All of these things tie right back to ‘identity’ (as the industry insists on calling it). Who am I? Who are you? And how do we prove it to each other in such a way that it doesn’t get in the way of what we were trying to do in the first place?
I want to talk about this here because there is a lot in this idle mind that I need to get out. I know this stuff and I hear some of the biggest names in many different industries grappling with the same problems and, in my opinion, in quite misdirected ways. This surge of blog energy was inspired by an interview with Kim Cameron on Microsoft’s Channel 9. I get frustrated because I believe that they are trying to solve the wrong problem, and as a result won’t get the outcome they are seeking.
