identity

User authentication and online password managers

Authentication is an essential part of any web application. But why are web service providers so secretive about their authentication protocols and procedures? Why are they not disclosing any information about how users’ credentials are communicated, verified and stored?


OpenID, before you get too excited

In the last months OpenID definitely gained momentum. Everyone is running to provide support and integration. But what about OpenID phishing risks?


Pass.net, an email-based SSO

Kaliya, the Identity Woman, says that pass.net is “a new identity protocol”. To me it seems more a smart idea for implementing an effective single sign-on solution. With Pass.net the trick is to delegate identification and authentication to a third party: your email domain. Hence this SSO method is as secure as the mail server handling your email account.


Sxore, reasons I don't like it

Sxore is disappointing not in itself, but mainly because it comes from Sxip, the very company whose mantra is “user-centric identity, decentralized identity”. We are looking forward to taking a look at the very promising and upcoming release of Sxip 2.0, but with Sxore they missed the opportunity to test Identity 2.0 against a real-world problem.


The reputation dilemma

I’m afraid we’ve been involved in a much larger topic than the one we intended to address.


James Kobielus on reputation

Often I struggle to find the right words for my posts … just to discover that someone else already wrote with a brilliant and remarkable style about the very same stuff that I’m mumbling about.

This is the case with my previous post “Identity is not reputation” when confronted with James Kobielus’s post “imho identity privacy reputation” (November 2005).


Reputation for blog comments, a revision to our proposal

Our original proposal was trying to convince identity providers to add reputation management as a built-in application within their systems. That was wrong. As Phil Windley said in a recent post:

[…] reputation is computed from identity and transactional data.


Identity is not reputation

Our recent proposal (a schema for handling the reputation of people posting comments to blogs) was based on the assumption that reputation management should be tightly coupled with identity management.


Proposal: a reputation system for blog comments

UPDATE - We received lots of brilliant feedback about our proposal. A revised version is now available [here][98] with more “philosophical” background [here][99].

Stop comment spam to save the world

In my [previous post][1] I mentioned a [recent article from Dion Hinchcliffe][2] that is based on the following assumption: anonymity is extremely difficult to handle (look at what happened with the


We need both anonymity and accountability

A few days ago Massimo Mantellini brought to my attention this Wired article from cryptography guru Bruce Schneier. It’s a brilliant short essay that explains how grave an error it is to confuse anonymity with accountability, and how important the quest for accountable systems is, especially for systems accessed by anonymous users.

If someone isn’t accountable, then knowing his name doesn’t help. If you have someone who is completely anonymous, yet just as completely accountable, then — heck, just call him Fred. History is filled with bandits and pirates who amass reputations without anyone knowing their real names.

Then I came across this post from Dion Hinchcliffe. Dion has a completely different vision and is ready to give up anonymity for the sake of preserving the writeable web!

Of course, there will be attendant problems with this approach including a rapidly vanishing anonymity on the Web. But that just might remain a nice artifact of being a read-only Web user.

I don’t believe anonymity is just a “nice artifact of the read-only web”; it’s an important part of our everyday life. Most of the time we are in an anonymous mode: when we walk the streets of our towns, when we pay cash for our newspaper, when we attend the Sunday Mass, when we watch TV at home, ….

But Dion wishes for a different world:

[…] controlling anarchy on the writeable Web might be as simple as asking that folks flash their Identity 2.0 credential right before they change something on the Internet. This ensures their personal identity is attached to the change. And creating a verifiable chain of evidence might be all it takes for people to act more responsibly. Wiki vandalism, comment flaming, and other forms of anonymous mischief on the writeable Web may be eliminated forever when you know that your ID will be attached to it in perpetuity, affecting your hireability, possible suitability for public office, and more, forever.

How scary! Thankfully, the day after I could read Rob Hof’s post about the same topic and it was a real relief. Suddenly I felt less of an anarchist …

Some people—perfectly good people with insightful opinions—simply don’t want to be identified in some circumstances. Their employers may object. They’re worried about government intrusion. Maybe they’re just shy.

I always thought that Identity 2.0 should give us more freedom, not “create a verifiable chain of evidence” for anything we do online. I have always admired the pragmatic and sensible approach of Dick Hardt to identity; in his answer to Rob he says:

A goal of Identity 2.0 is to mimic aspects of identity transactions that work well in the physical world. We all have different personas depending on context. I present different aspects of myself depending on whether I am interacting with my mother, my friends, my employees, a server at a restaurant, or my banker.

Right, but please remember that to the server at the restaurant you are often just a perfect stranger, and hopefully an accountable one!

While showing your identity is easy (exhibit an ID card, log on to a web site), proving your accountability is more difficult and needs more complex infrastructures (technical or social), like the nexus of your professional relationships or the eBay feedback system.

No wonder there are many people working on identity and far fewer on accountability. But we need both.

PS - Clipperz, not this blog but the service we will soon reveal, will definitely be an anonymous service. One like you have never seen before. And you can hold us accountable for providing you with real anonymity!

[Image: accountability (thanks to Google Image)]


Attention and identity

I was one of the very first members of AttentionTrust. Why? Actually I don’t know exactly. Maybe because of the vigorous claim (“You own: yourself, your data, your attention”), or because the people promoting it were big names (Steve Gillmor, Seth Goldstein), and because it was free! So I signed up with AttentionTrust, but actually I need to change the binding of my membership from the eXtrapola website to the Clipperz blog.

For quite a long time the people at AttentionTrust were quite silent and I almost forgot about them. Then this week they launched the Attention Recorder.

A Firefox extension that allows users to save a copy of their browsing history to their desktops as well as share it with the Attention Trust Approved Services of their choice.

I always thought that “what I like” is a big chunk of my identity, and “what I like” is easily translated into “what I pay attention to”. Of course identity is made of other pieces (my name, where I live, my reputation, my job, …), but this one is the most varied and diverse chunk and, for this reason, the most interesting to marketing departments.

Q: What does the Attention Recorder save and share? A: For each web page you visit, the Attention Recorder will save the web page’s URL, the web page’s title, the HTTP response code, and whether that web page read or wrote any cookies. (The contents of those cookies we don’t record.)

Is this bunch of data able to represent what I like? I do not think so, unless the user carefully manages all the recording activities, switching the recorder on and off, but I do not think that the tool was designed for this purpose.

Eric Norlin at Digital ID World has a better understanding of the role that the Attention Recorder should play:

The hope being that this will provide a minimal platform on which an ecosystem can evolve. That ecosystem could include things like giving companies your attention record (explicitly not implicitly) in exchange for something (monetary or otherwise).

Tim O’Reilly, speaking at the Web 2.0 conference, looks at this tool from an Identity 2.0 perspective and comes to a conclusion that rationalizes my early feelings about the whole initiative.

[Eric] Tim went on to speak about the power he thinks is released in users being able to combine their “attention record” with their “personal data.”

That means that trusted web sites could tomorrow handle sets of attributes like:

[Eric] Male, 34yrs old, Caucasian, residence in Florida

pays attention to:
- ZDNet blogs
- Doc Searls
- Forbes RSS feeds
- etc etc etc……

Really interesting possibilities! Of course, it’s still just approximating me via my actions, not identifying me as I wish to be identified…but somehow, just somehow, I think you could add a simple authentication event to this and then suddenly you have portable, authenticated reputations getting access to resources based on their attention behavior…..

Quite interesting, I have to admit, but I’m not able to be as enthusiastic as Eric because I’m afraid that a “simple authentication event” is still a big issue that needs to be solved in an open, distributed and reliable way. No signs of the solution as of today …
