Less Databases

Just came across Chis Ceppi's blog posts on more Less Databases. He suggests that:

...some aggregation of identity information into centralized systems would be a big step in the right direction. Each aggregation point will be held to higher benchmarks for trust, security, privacy, and open standards than any completely decentralized system can ever attain.

I disagree on (at least) two accounts: first, he's still talking about multiple aggregation points, so by definition (and being admittedly nitpicky) we're still talking decentralized. But the major issue is: who controls the identity information?

Chis seems to think that we can and should trust a very few, highly secure, semi-centralized databases. Perhaps we should trust the government to hold all our personal information? Or maybe Microsoft? (As I used to say, 'the only good thing about Passport is at least Microsoft won't buy their database.') Personally, I would rather trust who I want to trust, whether it's my bank or a personal identity broker (like 2idi) or my own home server running a hardened personal copy of the open source i-broker software on an encrypted file system.

Such an i-broker can provide other sites with the ability to access and potentially even cache portions of my personal information, assuming they sign and abide by the specifics of the appropriate data sharing contracts. Adherence to these social contracts is governed by a mixture of technology and community reputation metrics that each community can define and manage as they see fit. Such social mechanisms simplify usability and puts the privacy burden on policies and trust federations (which I believe can become very powerful force indeed).

In this way, the number of databases truly drops to one, and as there is just one me - and I am the best authority for any information related to me - it seems natural and normal that I would be in control over my personal information.


Fen is right about the need

Fen is right about the need for better technical mechanisms for individuals asserting their own identity. The social impact of that technolgoy will be huge. It will not, however, provide a complete solution for digital identity. In the enterprise space, for example, self assertion will need to be brokered by trusted 3rd parties who take on explicit liability for miuse/abuse.

2005 may be the year that solutions for personal identity and enterprise (work) identity collide/intermingle/integrate. One challenege will be fostering constructive conversations between the camps of technologists who have been focused on one side or the other - as we speak different languages and respond to different concerns. My background is in the enterprise space and I am really looking forward to helping sort out how (or if) to mesh the personal and the enterprise identity spaces.