Richard Gray posted two comments that I found illuminating, even though I see things in a somewhat different light. The first was a response to my Very Sad Story:
One of the interesting points of this is that it highlights very strongly some of the meat space problems that Iâ€™m not sure any identity solution can solve. The problem in particular is that as much as we try to associate a digital identity with a real person, so long as the two can be separated without exposing the split we have no hope of succeeding.
For so long identity technical commentators have pushed the idea that a personâ€™s digital identity and their real identity can be tightly bound together then suddenly, when the weakness is finally exposed everyone once again is forced to say â€˜This digital identity is nothing more than a string puppet that I control. I didnâ€™t do this thing, some other puppet master did.â€™
Whatâ€™s the solution? I donâ€™t know. Perhaps we need to stop talking about identities in this way. If a burglar stole my keys and broke into my home to use my telephone it would be my responsibility to demonstrate that but I doubt that I could be held responsible for what he said afterwards. Alternatively we need non-repudiation to be a key feature of any authentication scheme that gets implemented.
In short, so long as we can separate ourselves from our digital identities, we should expect people not to trust them. We should in fact go to great lengths to ensure that people trust them only as much as they have to and no more.
He continued in this line of thought over at Jon's blog:
As you donâ€™t have CardSpace enabled here, you canâ€™t actually verify that I am the said same Richard from Kimâ€™s blog. However in a satisfyingly circular set of references I imagine that what follows will serve to authenticate me in exactly the manner that Stephen described. [Hey Jon – take a look at Pamelaware - Kim]
Iâ€™m going to mark a line somewhere between the view that reputation will protect us from harm and that the damage that can be done will be reversible. Reputation is a great authenticating factor, indeed it fits most of the requirements of an identity. It's trusted by the recipient, it requires lots of effort to create, and is easy to test against. Amongst people who know each other well its probably the source of information that is relied upon the most. (â€That doesnâ€™t sound like themâ€ is a common phrase)
However, this isnâ€™t the way that our society appears to work. When my wife reads the celebrity magazines she is unlikely to rely on reputation as a measure for their actions. Worse than this, when she does use reputation, it is built from a collection of previous celebrity offerings.
To lay it out simply, no matter who should steal my identity (phone, passwords etc.) they would struggle to damage my relationship with my current employer as they know me and have a reputation to authenticate my actions with. They could do a very good job of destroying any hope I have of getting a job anywhere else though. Regardless of the truth I would be forced to explain myself at every subsequent meeting. The public wonâ€™t have done the background checks, theyâ€™ll only know what theyâ€™ve heard. Why would they take the risk and employ me, I *might* be lying.
Incredibly, the private reputation that Allen has built up (and Stephen and the rest of us rely on) has probably helped to save a large portion of his public reputation. Doing a google for â€œAllen Herrellâ€ doesnâ€™t find netizens baying for his blood, it finds a large collection of people who have rallied behind him to declare â€˜He would not do thisâ€™.
Now what Iâ€™m about to say is going to seem a little crazy but please think it through to the end before cutting it down completely. So long as our online identities are fragile and easily compromised people will be wary to trust them. If we lower the probability of an identity failing, people will, as a result, place more faith in that identity. But if we canâ€™t reduce the probability of failure to zero then when some pour soul suffers the inevitable failure of their identity, so many more people will have placed faith in it that undoing the damage may be almost impossible. It would seem then that the unreliability of our identity is in fact our last line of defence.
My point then is that while it is useful to spend time improving authentication schemes perhaps we are neglecting the importance of non-repudiation within the system. If it was impossible for anyone other than me to communicate my password string to an authentication system then that password would be fine for authentication and it wouldnâ€™t even be necessary to encrypt the text wherever it was stored!