Johannes Ernst’s Blog

OpenID Bounty Program: 10 times 5000 Dollars for Open-Source Developers!

One good way of telling whether anybody means it is to see whether they are willing to spend money on it. Well, we are. A group of companies, including VeriSign, JanRain, Cordance, ooTao, Opinity (added; my apologies for missing you guys earlier), Four Kitchen Studios, Zooomr, claimID, Sxip, Six Apart, and us at NetMesh have created a pool of money that we’ll give away to people who join us in the mission to make URL-based digital identity ubiquitous.

To qualify for one of the 5000 dollar bounties, all you have to do is to OpenID-enable a well-established open-source application. The first 10 projects get 5000 dollars each. (The exact rules are at IWantMyOpenID.org.)

I’m really looking forward to seeing what will happen. To the best of my knowledge, nobody has ever done this kind of thing for this kind of technology. But we’ve run the idea past committers on a number of potential open-source applications, and the feedback has generally been very favorable. So, why don’t you get started today? The race is on! ;-)

Great Event at the SD Forum Collaboration SIG This Evening

Either the audiences are getting better, or I’m getting better at explaining it (or maybe we’re all learning in parallel), but this evening’s discussion on "Why User-Centric Digital Identity Matters" at the SD Forum’s Collaboration SIG was great. Thanks to everybody who participated and had lots of questions; I particularly like those events. Nothing is worse than 90 minutes of one-way talk and snoring the other way. Fortunately we had the opposite! (Not the snoring part; there was plenty of interaction!) Don’t let speakers like me have such an easy time! ;-)

Thanks, Scott and Eugene for having me!

The slides I used are at netmesh.org/slides.

Hot hot hot

July in Northern California is always hot, but this year it must be worse. Today, our pool is at 86 degrees F (that’s 30C). What good is a pool if it doesn’t cool you down?

Our outside thermometer shows a recorded maximum of 120.9F. I guess the sun must have been right on it somehow, even though it sits under a little roof in the shade, but nevertheless …

Why, Really, Do We Need Multiple Identity URLs?

I was asked that question today, and gave the standard answer along the lines of "we don’t want everybody to correlate all information about us all across the web, e.g. the employer with the direct marketers with the healthcare provider".

I got an unusual response, however, which was:

Couldn’t this be solved as well with a single identity URL and good access control?

On the face of it, that is indeed true: if we had the ability to control which information about us could go where, then nobody could correlate us either … because they would have no information to correlate with.

Unfortunately, this does not work for two major reasons:

  • Our identity is involved in the creation of a lot of information over which we do not have ownership rights. For example, if I use my identity to sign up for the service contract at ABC Inc., the transaction is owned as much by ABC Inc. as it is by me, and I cannot expect to be able to control the information about that transaction over the wishes (and needs, e.g. because of subcontracting) of ABC Inc. (Some jurisdictions may have laws about this — in general, however, I simply can’t make that assumption for all information that involves my identity).
  • Even if we had exclusive and full rights over the use of all information related to us, one could bet that on the global internet, with its hundreds of jurisdictions and special exceptions, the actual legal situation won’t matter very much in practice.

Ergo, we rely on software code instead of legal code, and build software that allows us to use as many non-correlatable identifiers as we like. A bit more clumsy for the user than we’d wish, but a lot safer.

Stefan Brands’ Credentica, for example, was founded on the basic idea that nothing should be correlatable, by default. In the URL-based identity world, we take a more pragmatic middle ground: create as many identities as you wish (through multiple URLs), but not necessarily one for each transaction you are doing because, among other things, that would get in the way of a lot of social behavior on the net that depends on "I recognize you" in different places, which is a form of (mostly desired) identity correlation.

Update: Stefan Brands clarifies:

More precisely, [Credentica's] particular approach to avoiding [correlation] breaks down into two categories:

  • For identifiers (“identifier claims”…), a user can use different “identity tokens” at different service providers (or, if allowed/desired, at the same service provider) in order to segment his activities. Naturally, to access the same “account” the user reuses the same protected identifier!
  • For “attribute claims” (as opposed to “identifier claims”), say “over 21, male, Quebec resident”, we avoid correlations (other than on the basis of the attribute values themselves, of course) between all protected “attribute tokens”.

Our first approach is not about eliminating identifiers (such as account indexes, e-mail addresses, usernames, etc etc), it is about protecting them in a manner that avoids correlations between _different_ identifiers.

Thanks, Stefan.
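To make the correlation argument above concrete, here is an added example (mine, not code from the post, from NetMesh, or from Credentica). It assumes one way of producing non-correlatable identifiers: each user keeps a random master secret and derives a per-service identifier with HMAC-SHA256 over the service name, so the same user always shows up at the same service under the same identifier (Stefan's point about reusing the protected identifier to reach the same account) while identifiers at two different services cannot be linked without the secret. The user names, service names ("employer.example", "clinic.example") and attribute values are constructed. The second half shows the caveat from Stefan's clarification: two colluding services can no longer join their tables on the identifier column, but records that carry the same attribute values can still be matched.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the original post): two users, each
# holding a random master secret that never leaves their own software.
USERS = {
    "alice": secrets.token_bytes(32),
    "bob": secrets.token_bytes(32),
}


def derive_identifier(master_secret: bytes, service: str) -> str:
    """Per-service pseudonymous identifier (hypothetical scheme, an assumption
    of this example rather than anything the post specifies).

    HMAC-SHA256 keyed with the user's secret over the service name:
      - the same user presents the same identifier to the same service,
        so the existing account is found again;
      - identifiers at two different services cannot be linked by anyone
        without the secret, because a keyed PRF's outputs look random.
    """
    tag = hmac.new(master_secret, service.encode("utf-8"), hashlib.sha256).digest()
    return tag.hex()[:32]  # 128 bits is ample for an identifier


def global_identifier(name: str) -> str:
    """The single-identity-URL alternative: one identifier used everywhere."""
    return f"https://{name}.example/"


def linkable_by_id(records_a, records_b):
    """What two colluding services learn by joining their user tables on
    the identifier column: the set of identifiers present at both."""
    return {r["id"] for r in records_a} & {r["id"] for r in records_b}


def linkable_by_attributes(records_a, records_b, attrs):
    """Even with unlinkable identifiers, records with identical attribute
    values ("over 21, Quebec resident") can still be matched.
    Returns (record_a, record_b) pairs whose listed attributes coincide."""
    def key(r):
        return tuple(r[a] for a in attrs)
    index = {}
    for r in records_b:
        index.setdefault(key(r), []).append(r)
    return [(a, b) for a in records_a for b in index.get(key(a), [])]


def signup(name, service, use_pseudonyms, **attrs):
    """Create the record a service stores at sign-up."""
    if use_pseudonyms:
        ident = derive_identifier(USERS[name], service)
    else:
        ident = global_identifier(name)
    return {"id": ident, "service": service, **attrs}


def demo(use_pseudonyms: bool) -> dict:
    """Employer and clinic (constructed services) compare their user tables."""
    employer = [
        signup("alice", "employer.example", use_pseudonyms, over21=True, region="QC"),
        signup("bob", "employer.example", use_pseudonyms, over21=True, region="ON"),
    ]
    clinic = [
        signup("alice", "clinic.example", use_pseudonyms, over21=True, region="QC"),
    ]
    return {
        "by_id": linkable_by_id(employer, clinic),
        "by_attrs": len(linkable_by_attributes(employer, clinic, ("over21", "region"))),
    }


if __name__ == "__main__":
    print("single URL:", demo(False))   # by_id has one entry: alice is correlated
    print("per-service:", demo(True))   # by_id is empty; by_attrs is still 1
```

With a single global URL, the join on the identifier column links alice's employer record to her clinic record outright. With per-service identifiers that join yields nothing, yet the attribute join still pairs the two records, which is why Credentica treats attribute tokens separately from identifier tokens and why attribute values themselves remain a correlation channel no identifier scheme can close.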

Speaking at SDForum Collaboration SIG

Eugene Eric Kim invited me to speak to the SD Forum Collaboration Special Interest Group:

  • When: Monday, July 24, 2006 at 6:30pm
  • Where: Pillsbury Winthrop, Palo Alto, CA (update: directions are here)

Here is the announcement. The title of the talk is "Why User-Centric Digital Identity Matters".

I’m planning to make this very interactive; bring your questions. I’d much rather discuss your questions than bombard you with my slides…