PS (federated identity)...

It strikes me that what I've just posted might look inconsistent with my previous comment. Perhaps I didn't express it well in my earlier post - one of the problems with blogging as opposed to face-to-face discussion or formal article-writing!

I don't like institutionalised "weak identities" such as mickey-mouse passwords with zero due-diligence - but providing a less-assured ID as part of an ID system which lets you add assurance reliably, as and when it becomes sensible to do so, isn't "weak identity" in my book.

Federated Identity?

Kim - "I do not think there is a lot of disagreement between what we are each attempting to achieve" - no indeed - and you're actually helping to build it, I'm just commenting.

I dislike passwords too - but they're not much different to a signature, as long as we stop believing that a "strong password" actually means "strong identity" in practice - any more than we believed that anyone actually checked our credit card signature very carefully.

And no, I really don't want El Reg to ask for retinal scans before people can post here (as an aside, I believe that affordable, commodity, biometrics aren't usually foolproof anyway - I think a jelly finger can fool PC fingerprint readers, eg).

What I want is something more like real-world identity. I meet you, I assume that you are who you say you are, with an informal check via context (if I meet you at a Microsoft Press Conference I'll be more confident than if I meet you at a Wiltshire pub); if I need to send you money, then I'll dig further.

So, for this Blog exchange, weak identity is good enough. If we now enter a business relationship (journalist - Microsoft employee, well dodgy <g>) I don't want to switch to a different high-assurance identity system and possibly advertise that I'm doing business with Microsoft <g>, I want to dig deeper into a net of IDs - are you the Kim at the conference Mary was at, do you actually work for Microsoft on the payroll or are you simply consulting, have you written the books and articles authored by "Kim Cameron", are you on the electoral roll for your town - and eventually, if it's serious enough, will your bank or government vouch for your Identity - and guarantee the transaction. The point is, that it is mostly public domain stuff and I stop as soon as I'm satisfied, for my purposes.

If I have automated assistance, a machine might notice patterns associated with building a fake identity and suggest further unusual correlations to check - adaptive id checking. Mostly, id checking would stop quickly, when it reached something I trusted, in the context of what I was trying to do.

Any one of these bits of ID you can fake but faking the whole web would be difficult, as you don't know what checks I'd make - and there isn't one point of ID for a fraudster to attack. Of course, you really do need process and technology to facilitate this - and a good underlying model.

This make any sort of sense? It seems to fit with what you say: "there are the identity metasystem and visualization components, together allowing new forms of reputation animated from the bottom up and through organic association".

"I hope we can work on this together going forward" - I'm sure we can, but UK journalists are supposed to question (ie "test") everything, even when we are in basic agreement with it...

Cod Latin

Given the mastery of Cod Latin demonstrated on these pages, many must have studied the other philosophic and scientific arts as well, so I am loath to intervene except en passant. Unfortunately, however, this won't stop me.

I don't think it is reasonable to expect a person to present an identity which reveals a lot about themselves in order to be able to read, for example, the Register. And in fact, to your credit, you don't. Similarly, in order to post a comment to the Register, readers simply have to demonstrate they own the email address they say they own. Due diligence of some sort is done - but not at a very deep level. I doubt you would ask us for our social insurance numbers or passport numbers before you let us post - and if you did, I doubt we would turn them over.

All this just to say that the kind of "due diligence" and even linkage to a real world identity that is appropriate in any given context is very much a product of the requirements of the moment and the relationships in play.

Certainly, there are contexts in which we, as individuals, require the very strongest forms of identity. This implies strong proofing and strong cryptography.

However, I don't accept the implication that every internet site should then adopt the security procedures and processes essential to top assurance sites such as the large banks you are talking about. It's the don't-cry-wolf problem. For one thing, people just won't do it. They won't understand how the processes serve their self-interest, and will not play. I've never seen this approach to security issues succeed.

So, we need to support identities and mechanisms appropriate to a number of different contexts.

This being said, more than anyone else on the planet, I despise passwords, and agree with you we should work for their abolition. That's what my InfoCard work is all about.

David, as an influential person well versed in security who can really help alter the equations around identity, I hope you will support those of us who are trying to innovate in a number of ways, but don't think the right thing to do is tell the world to throw out the whole conventional https infrastrucure. We need a bunch of mechanisms, and to let the more effective ones win out over time.

High assurance certs, as inperfect as they might be, are one new mechanism; but above all, there are the identity metasystem and visualization components, together allowing new forms of reputation animated from the bottom up and through organic association.

I do not think there is a lot of disagreement between what we are each attempting to achieve. I hope we can work on this together going forward.