I feel the need for some secure, personal repository that would hold all of my connections and “whuffie” together. I want to keep my whuffie in my wallet – but not in a Microsoft Passport/Hailstorm kind of way. Ack, no.
It should include most elements of OpenID, a lot of FOAF, and maybe some of the stuff being worked on by the Attention Trust people.
I want it in XML, of course, and I want it to be incredibly easy to implement and use, as secure as it possibly can be, and extensible without being completely unmanageable.
Naturally, I’d want everyone to adopt it – from eBay to Amazon, Facebook to Flickr, Google to Microsoft to Yahoo.
This immediately triggered an insight: identity seems to be inseparably bifurcated between assertions and reputation, between the direct and the indirect, or in legalese, between the statutory and the case-based. The latter two terms I think are particularly useful.
Reputation is a critical missing piece in the Identity meta-system. The meta-system enables reputation (as infrastructure, you can build reputation with it), but I have yet to see good, concrete thinking about how to capture, build, leverage, and work with reputation in a general way. It’s still fairly fuzzy, despite its criticality. It’s a bit like the World Wide Web as a commerce platform in 1992. Sure, you could see how HTTP and HTML could enable widespread e-commerce, but few grokked a future made of SSL, shopping carts, pay-per-click, and affiliate marketing.
Yet, I think that figuring out reputation is required to completely resolve the issues of Identity. Michael’s post focused on the isolated reputation silos at places like eBay and Equifax. A personal data-store containing our transaction history, feedback, and ratings is a great start for decentralizing identity, but it doesn’t address what makes reputation distinct from other aspects of Identity.
Think about this missing piece as the distinction between statutory and case-based Identity.
I like this reference because it is a useful distinction in the U.S. legal system. Statutory law is what the government explicitly makes law, typically by legislative bills signed by governors or the President. It also includes local city and county ordinances and the like. These are explicit rules, formally enforceable in court.
Case-based law, on the other hand, is based on how the courts have decided to interpret the law, based on all existing applicable statutes and prior case law. It is essentially a case-by-case distillation of the entire history of the jurisdiction in the matter at hand. It requires analysis and evaluation of the entire set of applicable laws and prior judgments, and it is the ultimate arbiter when statutory laws are in conflict, such as when state and federal law disagree.
Think of Identity as a combination of statutory and case-based claims. Since identity, in the Identity meta-system, is the sum of all claims about an entity or individual, I think it behooves us to understand more clearly the distinction between statutory and case-based claims.
So, I’d like to introduce two new terms into the Identity conversation: “Statutory Identity” and “Case-based Identity”.
Statutory Identity is based on the explicit assertions of fact made about me by Identity Providers (IDPs) as to my true nature, e.g., that I am a Sun Microsystems employee (I’m not, btw), of a certain age, or a US citizen. These easily fit into the “claims” architecture of the emerging Identity infrastructure, and Relying Parties can readily judge the validity of a particular claim based on the authority ascribed to the IDP. For example, the Department of Motor Vehicles is arguably definitive regarding my right to drive, authoritative for my age, but not authoritative for my current employment status.
In contrast, Case-based Identity is built from the accumulation of transactions (historical facts) or assertions of opinion/judgment by others. It is emergent or generative and is more a matter of judgment than fact. It is our reputation, as rendered by a particular method or by a particular service based on a knowable and refutable set of data. For example, your credit rating is a construct of one of three credit bureaus; it represents their judgment about your creditworthiness. Rarely do these three sources agree, often because they base their judgment on varying data. Similarly, eBay generates its own reputation ranking based on feedback from transactions at their service. Both of these reputation architectures are (1) based on real transactions and (2) refutable through some appeals process.
The good news is that these underlying data points can readily be communicated via the Identity infrastructure. The bad news is that there is as of yet no clear agreement about how to convert those facts into a reputation. Different folks have ideas, but we lack even a clear conceptual framework.
And yet, my identity is clearly both the factual statutory claims about me and the emergent reputation based on my history. While we have developed an architecture for the first, I think we are only beginning to establish a framework for the latter. Perhaps by considering reputation as case-based identity, we can start to outline the components required for such case-based systems to work:
- transaction data (potentially including opinions of others)
- algorithmic evaluation
- refutation process
These may not be the definitive requirements for a reputation system, but they seem to be present in the working systems I know of and are perhaps a good starting point.
For the record, I think it is an even bet as to whether or not personal opinions can be effectively integrated as “transaction history” in a case-based identity system, given the challenges of emotions, grudges, slander, and the non-provability of opinions.
It is also a near certainty that, for certain types of case-based identity, the user will never be able to fully control the data-set. For example, I could significantly improve my credit score if I had read-write control over that data-set. Unfortunately, that would render the current system completely ineffective. Perhaps a new one could emerge, but there are other domains, such as criminal records, etc., where an authoritative reputation requires a data-set with limited or heavily moderated user control–otherwise everyone would erase those pesky traffic violations.
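To make the distinction concrete, here is a small sketch added as an illustration (it is not part of the original post): a relying party that accepts statutory claims only within an issuer's scope of authority, and a case-based ledger with the three components listed above plus the limited write control just described. The issuer names, the record model, and the scoring rule are all assumptions.

```python
from dataclasses import dataclass, field

# Assumed authority table: the claim types a relying party accepts per issuer.
# It mirrors the post's DMV example; the identifiers are hypothetical.
AUTHORITY = {
    "dmv": {"licensed_driver", "age"},
    "employer_hr": {"employment"},
}

def accept_statutory(issuer: str, claim_type: str) -> bool:
    """Trust a statutory claim only inside the issuer's scope of authority."""
    return claim_type in AUTHORITY.get(issuer, set())

@dataclass
class Record:
    record_id: int
    reporter: str
    positive: bool
    status: str = "active"  # active | disputed | struck

@dataclass
class CaseLedger:
    subject: str
    records: list = field(default_factory=list)

    def report(self, reporter: str, positive: bool) -> int:
        # Transaction data: the subject cannot write its own history.
        if reporter == self.subject:
            raise PermissionError("subject cannot report on itself")
        rec = Record(len(self.records), reporter, positive)
        self.records.append(rec)
        return rec.record_id

    def dispute(self, actor: str, record_id: int) -> None:
        # Refutation, step 1: the subject may flag a record but not delete it.
        if actor != self.subject:
            raise PermissionError("only the subject may dispute")
        self.records[record_id].status = "disputed"

    def resolve(self, moderator: str, record_id: int, upheld: bool) -> None:
        # Refutation, step 2: someone other than the subject decides.
        if moderator == self.subject:
            raise PermissionError("subject cannot resolve its own dispute")
        self.records[record_id].status = "struck" if upheld else "active"

    def score(self) -> float:
        # Algorithmic evaluation (assumed rule): share of positive records not struck.
        live = [r for r in self.records if r.status != "struck"]
        return sum(r.positive for r in live) / len(live) if live else 0.0
```

A disputed record keeps counting until a moderator strikes it, so opening a dispute cannot by itself raise the score.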
Any suggestions for other elements in a good case-based identity system?