Thoughts on 'Reinventing the Internet' and Identity

Jason Kolb has been writing a great series of posts called 'Reinventing the Internet'.

I've been bookmarking and sharing some of these posts via Del.icio.us (and if you're sub'd to me, you would have seen these in my feed). Dipping in and out of these since the first post of his series, they seem to be getting better with each post.

In Jason's first 'Reinventing the Internet' intro post, he starts off with the assertion that:

Why?

"If somebody wants to know something about me, I point them to www.jasonkolb.com to find out about me, or to my personal site if it's on a personal level. Everyone I know tells people to find them via their MySpace account, LinkedIn account, or blog. Or, people who still don't have an account on a social network of some type (they will) give out their email address."

As Jason points out in his second post 'A domain name in every pot', companies bet their existence, brand, success and ability to be trusted on this very premise - the domain rules. So, Jason asks, why not for you and me?

And then a quick reminder:

"owning your own domain name is like owning the title to your car. Otherwise, MySpace, LinkedIn, your blog provider, or your email provider owns the title to your online identity."

I think somewhere along the line of my reading the series, Jason kicked me into action as I recently moved my blog to my new domain. Come to think of it, I'm amazed that I hadn't done this years earlier. I've been playing on the web for 12+ years, 10 of those years professionally. It's taken me some time, yes, but now I'm here, wow - it feels good!

And so on to the fundamental question Jason begins to tackle in his series:

should a blog at a domain name that you own be the epitome of an online presence?

Well, a blog today, and something else tomorrow. The point he makes is your domain is yours (as long as you keep paying the rent that is - Jason has another idea on that permarent issue.)

If the answer to Jason's question is 'yes', then what does it mean? What does it enable and why does it matter?

In the next few posts, Jason describes an architecture involving personal servers, URIs as unique personal online addresses and distributed applications, that will allow everyone to:

"eventually have their own personal server hosted at their own personal domain, and those servers will be able to talk to each other and collaborate with each other. ...be a node on an open source peer to peer social network."

It is a fascinating idea and it opens up some interesting scenarios (I'll get to those in another post). There are two key advancements he has discussed so far that would enable this vision:

an identity system that provides an authentication service that then allows the authorization of the user to connect and interact with distributed systems via their personal server

the internet becomes one giant relational database.

We'll explore the 'internet as a database' idea further in another post (a topic close to my heart), but for now I'm going to stick with the ID question.

As his posts unfolded, I wondered how he saw his ID vision fitting, if at all, with CardSpace - formerly Infocard, the identity metasystem effort led by Kim Cameron.

Today, Jason posted an 'interlude post' responding to some of the feedback he's received on his series so far and he called out CardSpace specifically. Bottom line is that Jason believes there is no fit. Jason writes of CardSpace:

"The alternative to this are identity metadata schemes like CardSpace. These assume, however, that you will still have pieces of your online identity scattered amongst various providers, which is precisely what I want to get away from. Consider this statement from the CardSpace information page: "Different kinds of digital identities will always be necessary—no single identity will suffice... No single organization can unilaterally impose a solution." Basically what I'm saying in this series of posts is that I completely disagree with this statement. The individual himself should be the single source of online identity. There IS a single organization that can unilaterally impose a solution, and that's the individual. Power to the people ;)"

Jason and Kim (and others in the community working with Kim) agree on the 'power to the people' mantra. I've spoken to Kim, met him and heard him present a couple of times on this and it's a prominent theme in CardSpace (hey, he even blogged me!). I realize Jason has at least looked into CardSpace - he quoted from the Seven Laws of Identity - but I'd encourage him to find out more on what CardSpace has to offer in helping him achieve his vision.

I'd like to highlight two other quotes from Seven Laws of Identity. For the uninitiated, think of these Seven Laws as a base set of requirements that any ID system must meet:

"1. User Control and Consent No one is as pivotal to the success of the identity metasystem as the individual who uses it. The system must first of all appeal by means of convenience and simplicity. But to endure, it must earn the user’s trust above all. Earning this trust requires a holistic commitment. The system must be designed to put the user in control of what digital identities are used, and what information is released. The system must also protect the user against deception, verifying the identity of any parties who ask for information. Should the user decide to supply identity information, there must be no doubt that it goes to the right place. And the system needs mechanisms to make the user aware of the purposes for which any information is being collected. The system must inform the user when he or she has selected an identity provider able to track Internet behavior."

Back to Jason's objections, I think the following is another key concept to point out with the identity metasystem - the need to support multiple identity providers and systems.

"5. Pluralism of Operators and Technologies A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers. So when it comes to digital identity, it is not only a matter of having identity providers run by different parties (including individuals themselves), but of having identity systems that offer different (and potentially contradictory) features."

(My bold). Does this mean that a universal identity system proposes or requires the use of a gazillion different username / passwords? No, precisely the opposite in fact. However, the metasystem design accepts a heterogeneous internet as a fact of life (you know, Utopia is a very hard thing to come by, if not impossible - I've tried...).

So, should Jason try to solve today's identity nightmare by trying to get everyone to use his one system, or does he try and solve what he really cares about by using a common layer above the various ID systems, including his, that abstracts the differences (various UIs, behaviors, etc) of these systems out and away from the user? You know that the banks / merchants / services ain't going to replace / swap out their ID systems for years, if not decades or at all.

Instead of asking them to replace their systems, they could just adopt an additional (not replacing) protocol that we can all agree on and that provides a single common UI / ID experience for the users, and go from there. That is what we want for users - a better experience, right? But to get there, we need to accept that:

"The universal identity metasystem must not be another monolith. It must be polycentric (federation implies this) and also polymorphic (existing in different forms). This will allow the identity ecology to emerge, evolve, and self-organize."

The last point is what allows us all to win. In other words, if Jason's system works, and it works well, it will interop with any other system that also uses the universal identity metasystem. If his works really well and the populace like it, then Jason's solution could become the system of choice by the majority of internet users, if that is how it turned out to be. But without at least an initial level of interoperability between his and the multitude of other systems (that users will want to use via their personal servers), the chances of mass adoption of Jason's vision / solution are vanishingly small compared to the alternative route.

As I see it, in the ID space there is no downside to playing with the others. You can have your cake and eat it. I really think Kim and James can and should have a discussion on this.