Doc’s at DigitalID World in Denver, bored out of his gourd.
“Very arcane, this identity shit, from the abstracto-techie world of folks who professionally care about this stuff. I’m glad they’re doing it, I guess, but…
It’s also dull. I just heard service oriented business solutions coming from the stage.
Translation: It’s not about anything interesting. It’s about delivering business value.
He points us to Robert X. Cringely, who has a practical, Xpertwebby approach to Identity: locate each of us in a web of our acquaintanceship. Here’s the heart of it, but the whole article’s worth reading. It’s called “I’m With Stupid: How Having Friends Might Be the Key to Both Privacy and Identity”:
What works against us is that we have a million years of societal and biological evolution based on the concept of small tribal groups, yet only a few centuries of urban life and less than two centuries of mass transit. One characteristic of tribes is that the members know each other. So when the lady at the bank recognizes you — really recognizes you — it decreases to almost zero percent the likelihood that somebody can come in the bank claiming to be you and steal all your money. This isn’t some clever security design, but an artifact of tribal life. You don’t resent the lady at the bank for knowing you. You are flattered that she does. You don’t fear that because she knows you that you are more likely to be a crime victim. Just the opposite — we feel safer because we are known.
My system is based on a registry of friends because we all participate in virtual tribes that are geographically dispersed. Every person who wants to have credit, to make a big purchase, or to board a 747 has to have a list of 10 friends — people who can vouch for their identity and know how to test it if needed. That takes us out of the realm of the mother’s maiden name, replacing it with, “What was the nickname I called you in the fourth grade?”
I am Bob, and these are my 10 friends.
They don’t even have to be friends — just people who know you. You don’t have to tell them they are on your list and you can change your list as often as you like.
Imagine an aerial view of this network of friends. It is so large it could only be analyzed by a big honking computer, but there is a great deal to be learned from that analysis. People could disappear and be noticed, perhaps to be found. Deadbeat dads could be tracked, as could sexual predators. Epidemics would ripple across the surface of the model, perhaps leading to targeted anticipatory preventive care, saving lives. Guys who buy enough fertilizer to blow up a Federal office building would stand out.
Now before you can say the words “Big Brother,” remember that YOU choose your list of friends so they can be people from work, from school, from the tennis club, but perhaps not from your Communist cell or from your swingers club. You can keep private what you want to keep private because the big picture is what matters here.
The system would be tied together by phone, e-mail, and Internet messaging. Ultimately, it would come to function like a much larger version of eBay’s feedback system which would result in subtle pressure toward more civil behavior — something we don’t have in any practical sense today.
Maybe this system wouldn’t work. You tell me. But I know that what we have right now isn’t working, and I am not sure it can be made to work. The only answer that makes sense to me is to hearken back to a simpler time when these crimes just didn’t happen. And it is only through clever application of technology that this can be done.
But it really needs a clever name. Too bad Friendster is already taken.
I’d go with Xpertweb. The purpose of the Xpertweb protocol is to locate each of its users in a web of acquaintance. Every user is located in a formal, stable web like Cringely describes, but each is also in an ad hoc web of those with whom she buys and sells stuff. Here’s an example of what the formal web looks like, in this case with explicit connectors to, mirabile dictu!, 10 others as in Cringely’s example:
This structure is a form of a bribe, a chain letter, really, where each person has an explicit relationship with one person at each of five mentoring levels that pre-exist her adoption of the protocols. She has her own Mentor (level 1), a Senior Mentor (level 2, her Mentor’s mentor), that mentor’s mentor (level 3), etc., for 5 levels total.
When this Xpertweb user is ready, she can mentor any number of other new users. And each of them will send her 1% of whatever business they process using the rating system, just as she sends out five 1% transfers every month.
That’s the tribal part that Robert yearns for, but what about the mechanical electronic part of the process? What’s the DigID widget?
This month Roland and I further refined the Xpertweb DIY DigID architecture. It’s an approach that’s obvious, unsophisticated and totally user-controlled, enough to earn my affections. This won’t help get you on a 747, at least initially, but it will help you do business with people you don’t know and will never meet.
The Xpertweb DIY DigID Authentication Drill
Every Xpertweb user must have his own web server. The system assumes that only the owner of a web site can quickly write a new file on it while another person watches it being created.
The other assumption’s a philosophy, really, but it’s important. Web sites don’t do business with people, they do business with a reputation. The DigID challenge is to associate the current session’s keystrokes with a trusted reputation. If the reputation is stored on someone’s web server, the seller needs a way to be certain that the fingers on the keyboard are attached to the person whose reputation lives on a certain web site.
Trusting the casual visitor
All Xpertweb vendors want the world to know about their skills, reputation, products and, probably, thoughts and ideas on their blogs. Those are all published as broadly as possible, with skills and products organized into an Xpertweb index. The blogosphere is demonstrating that we crave notice more than we fear exposure.
However, Xpertweb vendors only want to transact with others having a proven reputation since, like a waitperson, the vendor’s compensation is subject to the buyer’s rating of their work. So here’s our homegrown digital ID sequence, assuming a vendor whose unique ID happens to be SSELLER and a shopper with BBUYER as a unique ID (gross simplification in effect–unique IDs are hard but possible).
- An Xpertweb-equipped shopper is attracted by SSELLER’s reputation and clicks on a product link.
- The product page asks the visitor to enter his unique Xpertweb URL.
- Upon submitting the URL, SSELLER’s site visits the URL and discovers there IS an Xpertweb site present with a properly formatted me.xml file at the root level and a script that says it’s ready to play nice. Only then does SSELLER’s script learn that the visitor purports to be BBUYER.
(Because each task has different requirements, BBUYER’s site can selectively expose needed information from the me.xml file, like a physical address or website admin info.)
- SSELLER’s script still doesn’t know if this visitor is BBUYER, so the script notes the current time and the visitor’s IP number, composes a unique ID and task file for this contact, and places a cookie on the visitor’s browser, something like:
taskid SSELLER.BBUYER.1066274480; IP 184.108.40.206 + some product info
(a task ID = users’ IDs + the Unix epoch [# of seconds since 12/31/1969])
SSELLER’s script knows for sure that there’s no task file with that name in BBUYER’s home/buystuff/sellers/SSELLER/ directory.
- SSELLER’s script directs the visitor to the URL presented.
- The script at BBUYER’s site asks the still-mysterious typist to enter BBUYER’s name and password.
- If the challenge is passed, we need a stateless way to confirm to SSELLER’s script that this is indeed BBUYER.
- BBUYER’s script looks in its buystuff/sellers directory for a subdirectory labeled SSELLER.
[If absent, it creates a buystuff/sellers/SSELLER directory]
It then creates SSELLER.BBUYER.1066274480.xml in home/buystuff/sellers/SSELLER
… listing the now-current epoch, BBUYER’s IP # and the product info
Here’s a sample:
- BBUYER’s script returns BBUYER to the SSELLER site.
- SSELLER’s script visits BBUYER’s site and notes that the properly formatted task file was created in the proper directory at a time shortly after the task ID creation, from a browser at the known IP number.
- SSELLER’s script looks in its sellstuff/buyers directory for a subdirectory labeled BBUYER.
[If absent, it creates a sellstuff/buyers/BBUYER directory]
It creates SSELLER.BBUYER.1066274480.xml in sellstuff/buyers/BBUYER
… listing the current epoch, BBUYER’s IP # and the product info
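The seller-side check in the drill above, sketched as an added example (not Xpertweb’s own code). The page does not show the task file’s contents, so the XML element names, the 300-second freshness window, the sample IP addresses and the dict standing in for BBUYER’s web server are all assumptions.

```python
import xml.etree.ElementTree as ET

MAX_DELAY = 300  # assumed freshness window, in seconds

def make_task_id(seller, buyer, epoch):
    """Task ID as on the page: both users' IDs plus the Unix epoch."""
    return f"{seller}.{buyer}.{epoch}"

def task_path(seller, task_id):
    """Where the seller expects the file on the buyer's site."""
    return f"buystuff/sellers/{seller}/{task_id}.xml"

def buyer_write_task(site, seller, task_id, now, ip, product):
    """Buyer's script; runs only after the name/password challenge passes."""
    root = ET.Element("task", id=task_id)  # element names are hypothetical
    ET.SubElement(root, "epoch").text = str(now)
    ET.SubElement(root, "ip").text = ip
    ET.SubElement(root, "product").text = product
    site[task_path(seller, task_id)] = ET.tostring(root, encoding="unicode")

def seller_verify(site, seller, buyer, issued, ip):
    """Seller's check: right file and directory, fresh, from the known IP."""
    task_id = make_task_id(seller, buyer, issued)
    body = site.get(task_path(seller, task_id))
    if body is None:
        return "missing"
    try:
        # Remote XML is untrusted; a hardened parser is advisable in production.
        root = ET.fromstring(body)
        created = int(root.findtext("epoch"))
    except (ET.ParseError, TypeError, ValueError):
        return "malformed"
    if root.get("id") != task_id:
        return "wrong-task"
    # A file dated before the task ID was issued, or long after, is rejected.
    if not issued <= created <= issued + MAX_DELAY:
        return "stale"
    if root.findtext("ip") != ip:
        return "ip-mismatch"
    return "ok"

if __name__ == "__main__":
    site = {}  # constructed stand-in for BBUYER's web server
    tid = make_task_id("SSELLER", "BBUYER", 1066274480)
    print(seller_verify(site, "SSELLER", "BBUYER", 1066274480, "203.0.113.7"))
    buyer_write_task(site, "SSELLER", tid, 1066274495, "203.0.113.7", "carpet")
    print(seller_verify(site, "SSELLER", "BBUYER", 1066274480, "203.0.113.7"))
    print(seller_verify(site, "SSELLER", "BBUYER", 1066274480, "198.51.100.9"))
```

Any result other than "ok" means the seller has no evidence that the visitor controls BBUYER’s site and should not proceed.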
Good Enough for Tribal Work
It may not be perfect, but it’s close enough for SSELLER and BBUYER to proceed with a transaction, whether it’s reading a blog for $.06, trying a $15 shareware, ordering a $75 Afghani carpet or paying a personally negotiated $10,000 retainer.