- From: Dave Longley <dlongley@digitalbazaar.com>
- Date: Wed, 16 Sep 2015 11:15:22 -0400
- To: Tony Arcieri <bascule@gmail.com>, Henry Story <henry.story@co-operating.systems>
- CC: Rigo Wenning <rigo@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, Mike O'Neill <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, public-webappsec@w3.org

On 09/15/2015 10:05 PM, Tony Arcieri wrote:
>> On Tue, Sep 15, 2015 at 2:27 PM, Henry Story
>> <henry.story@co-operating.systems
>> <mailto:henry.story@co-operating.systems>> wrote:
>>
>> As long as she can select the identity she wishes to use, and
>> change identity when she wants to, or become anonymous: she must
>> be in control.
>
>
> You're conflating authentication with identity. Repeatedly. As Brad
> Hill already called out, but I'll continue calling it out.

I'm mostly following this conversation from the sidelines but wanted to offer input that I hope will help resolve some miscommunication.

It seems that there's a decent bit of definition dissonance with the terms authentication and identity and, without addressing that, some participants will continue to speak past one another. I'll offer my view of these terms in the hope that it is useful in resolving that miscommunication:

I think it's certainly true that authentication and identification *are not the same thing*, but that it is also true that the two are, in fact, inextricably linked, in this sense:

Expressing one or more attributes of an entity is to identify it. To authenticate is to establish the veracity of such a claim made about an entity. It follows that authentication is the act of confirming an identity.

The *scope* and *meaning* of a particular identity is a separate issue that does not affect this linkage. It is scope and meaning that seem, at least to me, to be at the center of this discussion, not the conflation of identity and authentication.

For example, it's perfectly reasonable to limit the scope of an identity to a single origin and its meaning to "the owner of a private key". Similarly, it's perfectly reasonable to limit the scope of an identity to "my close group of friends" and its meaning to "the personality I present to them". Human beings use identity in a whole variety of different ways to present different aspects of themselves.

Humans have unique identities that they present in particular relationships and common identities that they present across relationships. In society, the authentication mechanism to identify one's self is sometimes the same for different identities. I present the same face to a friend that I present to a professional colleague, but the identity that they associate with me varies. This can make privacy difficult, and sometimes humans want to keep certain identities more private by using authentication mechanisms that don't tie them together.

It is both important that humans are able to make the identity choices they want to make on the Web and that they can easily understand those choices and their implications.

We shouldn't delude ourselves into thinking humans won't demand to be able to act as they do in society in their digital lives. We also shouldn't delude ourselves into thinking that making sure people can safely make the choices they want to make is an easily solved problem.

--
Dave Longley
CTO
Digital Bazaar, Inc.
http://digitalbazaar.com

Received on Wednesday, 16 September 2015 15:15:50 UTC