Maybe it should be “Human-centric identity”

Opinion
May 18, 20093 mins

*Should the OpenID community assume that an identifier always refers to a human individual?

Is the OpenID community making a fatal error when it assumes that an identifier always refers to a single, unique, human individual? That question arose on the OpenID general discussion list recently and the answers, to me at least, appear troubling

Is the OpenID community making a fatal error when it assumes that an identifier always refers to a single, unique, human individual? That question arose on the OpenID general discussion list recently and the answers, to me at least, appear troubling

The specifications for OpenID are ambiguous, since there’s no specific injunction either for or against the limitation of an identifier to a single human. Perhaps it’s thought that the term “user-centric Identity” is self-evidently providing that limitation. That would be a bad assumption, however.

Any uniquely identifiable thing/object/entity has an identity and can be supplied with an identifier. A person, certainly, but also a piece of hardware on the network, an application (and even a particular instance of an application), a service, a group (of people or things), even a moment in time can carry a unique identifier.

While the OpenID specification (Version 2) does reference the term “end user” and “user” for the entity with an OpenID identifier, it’s trivial to show that an application — or a device — can be an “end user” of a service just as easily as a human end user can be.

The practice of using a unique URI as identifier likewise has no limitation for a human user — every device on the network has a unique URI, for that’s what a URI is: a Uniform Resource Identifier. The resource can be a printer, server, administrative assistant, cut and polished diamond, RSS feed and so on.

Some of the basis for the (to me, wrong) assumption that OpenIDs always represent single users comes from the reasoning that Brad Fitzpatrick, the founder of LiveJournal, says caused him to create OpenID almost four years ago. OpenID was to be a method to authenticate people wishing to comment on blog entries. It would serve two purposes: insure that a person, not a bot, was commenting; and insure that all comments using the same identifier were from the same person. It was definitely a person-centric system.

But when others joined in the effort — such as Netmesh’s Lightweight Identity system (LID), the XRI/i-names group, Sxip and JanRain, among others — the idea was to enable multiple styles of identifier (both I-names and URIs) to be used for authentication to ubiquitous “relying parties” (RPs, sites and services that accept OpenID authentication) well beyond the initial blogosphere domain.

The advent of cloud computing will require that authentication of hardware resources and services be just as easy (and just as safe) as the authentication of human individuals. Privacy concerns will need to be met in the cloud, through the use of pseudonymous authentication. If the service in the cloud doesn’t need to know if a particular individual is accessing it, then a group identifier could be sufficient.

If the OpenID system is going to limit itself to only identifying single humans, then it becomes worse than username/password systems. At least those can be used (often, it’s true, hardcoded) by non-humans or groups of humans and/or non-humans.

Maybe this week’s Internet Identity Workshop should address this issue. I’ll let you know if it does.