IdentityCamp: Lessons Learned in Bremen
The IdentityCamp in Bremen on the weekend was a blast: Focused discussions, energized participants, great weather, a relaxed atmosphere, and interesting interdisciplinary exchange. It seems to have been the first time that the Identity 2.0 crowd really discussed in an open and in-depth way with the privacy people, which was exactly what we hoped would happen. It’s impossible to summarize all the sessions, but here are some interesting observations that I took away from it:
"The buzzword of the day seemed to be OpenID." (Sid Arora). But at the same time, the OpenID community left me with the impression that they are a bit desperate. A number of big players have become OpenID providers, but nobody except for a few blogs and some platforms is consuming OpenIDs issued by other parties. So the session on "Killer Applications for OpenID" left me with the feeling that OpenID is still very much a solution looking for a problem. A way out may be using OpenID not only for authentication, but also for attribute exchange. There are some active attempts in this direction. Dennis Blöte is currently developing a system that uses OpenID for the different online services at Bremen University (e-learning, exams, administration, etc.). Here are his slides.
Convergence of Standards: Infocards and OpenID are moving closer to each other. The best known case for this is using
Update: There is also convergence between
We now know what "Identity 3.0" officially means. Caspar Bowden presented on the recently acquired U-Prove technology and how Microsoft plans to integrate it into the Identity Meta-System. Christian Scholz has a good summary. Caspar provided a typology of the generations of identity management:
- Identity 1.0: centralized IdM like Passport. The problem was that one IdM is way too powerful.
- Identity 2.0: SAML- or OpenID-like. The problems here are that all IdMs are too powerful, and you have the extra problem of phishing.
- Identity 3.0: smart client-side crypto. Using minimal disclosure tokens, you achieve multi-party security and privacy. This makes you more independent of the identity provider, which is a good thing from a privacy perspective. The problems here are unresolved patent issues.
"The topic least understood by the participants (at large) seemed to me to be national identity (and their respective cards)." (Sid Arora). This is understandable, as OpenID, Cardspace, and other instances of Identity 2.0 are not really part of most developments around governmentally issued electronic ID cards. This camp was a nice opportunity for people who work on these different corners to meet and exchange views. This is especially important when discussions are starting about the possible use of OpenID in e-government contexts, which happened in Bremen. A lot of scepticism was raised towards this idea, though, mainly because of security issues and the too central role of the identity provider. Caspar Bowden got applause for his question:
"Why use the lowest standard (OpenID) for the most security-relevant use case (government authentication)?"
There was a huge interest in trust online. Which mechanisms generate trust in the offline world, and what is different in online environments? Tina Guenther’s presentation sparked such a lively discussion with her attempt to break down the research questions and get some first insights that she even offered a well-attended second session on Sunday for getting deeper into this.
You can reduce the need to trust with data minimization. A lot of the open questions discussed in the other sessions also boil down to "Who do you trust?" Your government? A corporation like Yahoo? The members of your social network? If the idea of a loosely coupled identity meta-system is that you do not need high trust among all parties, then I see two possible solutions:
- Everyone becomes his or her own identity provider and does not have to worry about IdPs collecting their digital traces.
- The amount of exchanged data is reduced in general, so you don’t have to trust all kinds of parties. This is where Identity 3.0 with minimal disclosure tokens and zero-knowledge proofs is very promising.
This leads to the conclusion by many participants: An interdisciplinary perspective is really needed on the issue of identity. We came pretty close to the ideal, but some perspectives were still missing:
"There was a healthy mix of disciplines represented, including computer scientists and programmers, lawyers, sociologists, social media / web developers and even a few curious students from the Bremen University of Arts, where the event was hosted. A couple historians and policy makers mixed in would have been nice, but considering the method in which such an IdentityCamp was organised (or lack thereof), it was brilliant." (Sid Arora)
There is a great interest in follow-up. People are eager to have the next IdentityCamp and go into the issues more in depth and even develop a common vision. Check the IdentityCamp page regularly to see how we will stay in touch.
A big "thank you" goes to our sponsors: University of the Arts Bremen, big Bremen, Kuppinger Cole + Partner, artundweise, hmmh Multimediahaus, Mister Wong, Spreadshirt, and Pure Tea.