sso

Clipperz "direct login" vs. Passpack "auto login"

In the previous post I wrote about our zeal in building zero-knowledge web applications and our pledge to never introduce features that could compromise the integrity of our model.

Now I present a comparative analysis of Clipperz and Passpack with regard to the implementation of one-click logins. The analysis will clearly show the benefits of adopting a rigorous zero-knowledge methodology.


Pass.net, an email-based SSO

Kaliya, the Identity Woman, says that pass.net is “a new identity protocol”. To me it seems more like a smart idea for implementing an effective single sign-on solution. With Pass.net the trick is to delegate identification and authentication to a third party: your email domain. Hence this SSO method is as secure as the mail server handling your email account.


We need both anonymity and accountability

A few days ago Massimo Mantellini brought to my attention this Wired article from cryptography guru Bruce Schneier. It’s a brilliant short essay that explains how serious the error is of those who confuse anonymity with accountability, and how important the quest is for accountable systems, especially those accessed by anonymous users.

If someone isn’t accountable, then knowing his name doesn’t help. If you have someone who is completely anonymous, yet just as completely accountable, then — heck, just call him Fred. History is filled with bandits and pirates who amass reputations without anyone knowing their real names.

Then I came across this post from Dion Hinchcliffe. Dion has a completely different vision and is ready to give up anonymity for the sake of preserving the writeable web!

Of course, there will be attendant problems with this approach including a rapidly vanishing anonymity on the Web. But that just might remain a nice artifact of being a read-only Web user.

I don’t believe anonymity is just a “nice artifact of the read-only web”; it’s an important part of our everyday life. Most of the time we are in an anonymous mode: when we walk the streets of our towns, when we pay cash for our newspaper, when we attend Sunday Mass, when we watch TV at home…

But Dion wishes for a different world:

[…] controlling anarchy on the writeable Web might be as simple as asking that folks flash their Identity 2.0 credential right before they change something on the Internet. This ensures their personal identity is attached to the change. And creating a verifiable chain of evidence might be all it takes for people to act more responsibly. Wiki vandalism, comment flaming, and other forms of anonymous mischief on the writeable Web may be eliminated forever when you know that your ID will be attached to it in perpetuity, affecting your hireability, possible suitability for public office, and more, forever.

How scary! Thankfully, the day after I read Rob Hof’s post about the same topic and it was a real relief. Suddenly I felt less of an anarchist…

Some people—perfectly good people with insightful opinions—simply don’t want to be identified in some circumstances. Their employers may object. They’re worried about government intrusion. Maybe they’re just shy.

I always thought that Identity 2.0 should give us more freedom, rather than “creating a verifiable chain of evidence” for anything we do online. I have always admired Dick Hardt’s pragmatic and sensible approach to identity; in his answer to Rob he says:

A goal of Identity 2.0 is to mimic aspects of identity transactions that work well in the physical world. We all have different personas depending on context. I present different aspects of myself depending on whether I am interacting with my mother, my friends, my employees, a server at a restaurant, or my banker.

Right, but please remember that for the server at the restaurant you are often just a perfect stranger, and hopefully an accountable one!

While showing your identity is easy (exhibit an ID card, log on to a web site), proving your accountability is more difficult and requires more complex infrastructure (technical or social), such as the nexus of your professional relationships or the eBay feedback system.

No wonder there are more people working on identity and far fewer on accountability. But we need both.

PS - Clipperz, not this blog but the service we will soon reveal, will definitely be an anonymous service. One like you have never seen before. And you can hold us accountable for providing you with real anonymity!


Riya as single sign-on platform?

Riya is a service based on facial recognition technology that enables users to spot known people in their photo collections and automatically add tags. See this early review from Techcrunch. I’ve requested an invitation from Tara Hunt, Riya chief blogger, and I’m looking forward to testing it on my 2 thousand wedding shots.

But wouldn’t it be nice to use Riya as a single sign-on (SSO) platform?

Imagine a web service XYZ that, during the creation of your account, asks you to submit a picture of your face. Then, any time you need to authenticate with XYZ, you can fill in the usual username/password form, or just stare into your webcam. The webcam sends your face straight to a Riya server; meanwhile the XYZ login page sends a request to Riya to check whether there is a recent picture of your face matching the face associated with your account in the XYZ database.

The sensitivity of service XYZ will determine how old the picture on the Riya server may be for the authentication to succeed: less than five seconds for an online banking service, one hour for your web-based email, one month for your social bookmark site (provided, of course, that all requests come from the same IP address).

Since most of our laptops, desktops and mobile phones are equipped with a camera, this scenario may not be science fiction.


Why SSO is still the Holy Grail

[Kaliya Hamlin][1], the Identity Woman, in an [essay for O’Reilly][2], wrote
