That site offers free certificates, where previously people (and companies) had to pay a lot of money.

There are different levels of trust but they do offer to qoute : “verify your identity using your government issued photo identity documents.”

Would this not be similar to what you all were discussing?

I would be interested in your thoughts for this in relation to the above discussion.

However, going back to what Simon reminded me of, trusted third parties could possibly use OpenID to prove identity. This could do this by becoming an OpenID Provider - it’s down to people being able to trust the assertions that are made by companies and/or individuals (as you suggest).

As far as terminology goes - I can live with differentiating between “identity” and “prov(es/ing) identity” - I think in the context of most online services, an “identity” that is tracable to a unique identifier (URI) is sufficient.

I like the term identity - I just don’t like the word ‘proven’ in the context of technology with no verification process. So, for identities that have been proven, how about we use the term ‘verified’, or ‘proven’ - say what it does on the tin so our grannies know what the hell we’re talking about.

I remember when the W3C Semantic Web Education and Outreach Special Interest group first started, I almost had to remind the extremely intelligent technical folk that the group’s mission was ‘marketing’, so we had to stop talking about Semantic Web, RDF and definitely had to stop talking about ontologies. We need to speak in layman’s language using terms they already understand.

Try to figure out what a Web page is according to W3C definition for the sake of Web accessibility? It’s a mind fcuk. The terms are ok to the working groups (I’m including my own staff in there) that dream them up, but give them to agencies and freelance developers who actually design and build Web sites and you get a blank stare.

I still don’t like ’strong identity’. We can continue to use the word identity, but not say that solution x ‘proves’ identity. That said, I think if the passport office was a provider, we could say that it ‘proved’ identities…

I agree that you shouldn’t be forced to prove who you are all of the time. I’m not in favour of ‘policing the Internet’, which I hope, it obvious from my W3C work.

You don’t necessarily want to prove who you are when creating an account with Bebo (I use them instead of MySpace because it’s European and a friend of mine co-founded it). But you might want eBay and PayPaul to force people to prove who they say they are.

When I get a minute I’ll update my post with a note about the discussion here - I think it’s worth adding to the discussion.

That said, the vast majority of OpenIDs are tied to a virtual persona with no strong identity hooks at all. This is a good thing for preserving online privacy. Whether or not you need strong identity depends very much on the application, and unless strong identity is absolutely essential (paying tax, applying for a passport etc) I think it is best avoided.

This blog has asked for your identity and assumes you will tell the truth. Why? well because it’s not that important to ‘us’. However, providing your identity on eBay when creating an account should have a better identity solution - wouldn’t you agree?

PayPal is online only and it verifies your identity by using offline methods. Identity has one simple definition as I provided in my post. It’s the level of security and trust associated with identity that changes depending on the circumstances.

I love the whole idea of OpenID but I do have concerns over the misuse of the word ‘identity’ as I explained. OpenID resolves a very simple problem. I think it should be left there and not endorsed to resolve lots of other problems, at least not until it’s mainstream - by that I mean, it’s easy for my mother to use.

Regarding OpenID, how does it prove that I own URI y.com? For example, couldn’t I setup an OpenID and pretend to be John Smith. We can prove that John owns the OpenID and he owns y.com, but we can’t prove that I am John.

Have I got that right?

I must admit that I don’t know much about OpenID. What I do know (I hope) is that it’s impossible to prove one’s identity using OpenID. Unfortunately, nobody has got this right, even the organisations who have adopted OpenID. VeriSign is the closest to getting Identity right but as you know, it’s based on proprietary technology and costs a lot of money.

(for non-techies, URI is the same as URL, it’s not a typo)

But when filling out my information to post this comment, I wasn’t proving my identity, I was simply providing it. Big difference. When people talk about Identity on the Internet, they mean providing identity, not proving it. OpenID is a solution which allows us to provide our identity much more easily, while not attempting to prove it (although that can be the task of the OpenID provider).

I’ve heard the term “strong identity” used to mean the kind of identity you are talking about (identity that has been tied to a real human being). I like that phrase as it further reduces ambiguity.

Thanks for the discussion. I wanted to touch on a couple of things:

1) The graphic is mine. Please don’t ascribe any misrepresentation by me of these concepts to Tim.

2) OpenID is not a “central register of user names and passwords”. OpenID is, in fact, explicitly decentralized:

“OpenID is an open, decentralized, free framework for user-centric digital identity” (from http://openid.net/what/)

Note the phrase “user-centric” - OpenID puts the control of who does/doesn’t have access to a user’s profile data in the user’s control, not a centralized third-party. While there may be a need/place for “trusted third parties” in online transactions, that’s not the problem OpenID is trying to solve. Per Simon Willison (to which post Dan Connoly was refering):

When a user authenticates with OpenID, what they are doing is stating “I have the ability to prove my ownership of this URL”.

3) “OpenID does not prove identity”. No, OpenID creates a definition of identity - “the person or persons who can prove ownership of a URI” - A definition upon which a large contingent of web services have agreed. It’s up to other layers or other systems (ie, your trusted third parties) to establish the trustworthiness of a particular identity. The original OpenID home page does a good job at explaining some of this.

Cheers,

–Steve