Why reputation works as an identity management element

Mar 15, 2006 · 3 mins
Access Control, Networking

* Individuals are comfortable with reputation-based trust systems

Last issue I began to talk about reputation as a component of an identity system. If you missed that issue, you should visit the Web site for Sxore to learn more about Sxip’s implementation of a reputation-based system. Today, I want to look at the implications of a reputation-based identity system.

As I said last time, individuals aren’t likely – in any great number – to invest in confusing, cumbersome and expensive PKI certificate systems in order to establish trust relationships with transaction partners. But not only won’t they do this for their own identity product, they’re not very likely to make the investment in money, time and knowledge to enable them to accept this so-called “trust” system when it’s offered by corporate entities who wish to conduct transactions with the individuals.

Individuals, on the other hand, are quite comfortable with reputation-based trust systems. They accept reputation as an indicator of trustworthiness of other individuals as well as corporate entities. More importantly, the individuals realize that the reputation may only be an indicator of trustworthiness in limited areas. I may choose a medical practitioner based on reputation information from friends and family – but that doesn’t mean I’ll accept the doctor’s opinion on which camera I ought to buy.

One serious drawback to a reputation-based system, or so its critics would have you believe, is that reputation takes time to build. PKI certification systems can be implemented fairly rapidly (if you throw enough money at them) but reputation only grows as more transactions occur. I think of that as a benefit, not a drawback. In an hour or so I can construct a Web site, send out bulk e-mail and launch a phishing attack to gather bank account numbers, names, PINs and passwords. If people relied on a reputation-based identity system to decide whether or not to do business with that Web site, then those types of phishing expeditions would disappear almost overnight.

It’s also true that people informally trade reputation information about organizations and enterprises all the time. Internet chat rooms about travel, cars, stocks, pets and more are filled with reputational opinions about vendors within the chat room’s area of discussion.

What we don’t have, as yet, is a systematic way to gather and disseminate reputational data.

You should read John Clippinger’s essay “Identity, Reputation and Social Currency” to understand where reputation-based systems are today. Social networking is rapidly becoming the testing laboratory for Internet technologies, and identity management is no different – what’s important from an identity management perspective in today’s social networks will become important tomorrow in our business networks. If you’re a vendor, start working now on ways to involve reputation within your identity management stack. If you’re an individual, learn how you can control and protect your own identity through reputation-based systems. And all of you should catch the act of Sxip founder and CEO Dick Hardt the next time he’s playing a conference you’re attending.