Rethinking Identity

From Jonathan Gardner's Tech Wiki

Introduction

"Identity" is the concept of who someone is. Really, it boils down to this: "Is the guy I'm talking to the same guy I talked with a moment ago?"

With the introduction of key pairs, identity is all but solved.

Keeping Secrets

In key pair encryption, your computer generates and stores two keys that have a magical property: data encrypted or signed by one can only be decrypted or verified by the other. Beyond that relationship, neither key gives away anything about the nature of the other.

Identity is then solved because only the bearer of the private key can decode messages encrypted by a holder of the public key. Your identity becomes your public key, provided your private key is truly kept secret.

Implications

There are several implications of the above.

Keys are really important

Let's say you gave Amazon.com a public key and said, "The holder of the matching private key is me." That means you have to not only keep your key from being discovered by others, but never lose your key.

This suggests a third party whom you trust to keep your private key safe. This third party will have to have some other way of identifying you. It can be a device you carry or that is implanted in your body, or it can be a remote service that specializes in this kind of thing.

Making New Identities is Easy

If only your key identifies you, then it's trivial to make a hundred new individuals. Granted, you'd probably manage them all with some kind of master key, but each individual can be a completely separate identity from the others.

Changing Keys is Hard

What do you do if you need to change your identity's key? Given enough traffic and time, eventually your key will be compromised. Before that happens, you need to contact all of the holders of your public key and issue them a new public key that will represent the future you.

When public keys are handed out, you need to inform the holder where they can go to get a new public key and when the key will expire. This alternative identity --- a master identity --- becomes the new, true identity which will hand out keys that can temporarily represent it.
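The master-identity scheme described above, as an added example that is not part of the original page: a master key signs a statement naming a temporary public key, its expiry and where to renew, and the relying party checks that statement before trusting any message. It assumes Ed25519 via Node's built-in crypto module; the function names, the JSON field names and the id.example URL are hypothetical.

```javascript
const crypto = require('crypto');

// A key pair; the master's public half is what relying parties keep on file.
const newKeyPair = () => crypto.generateKeyPairSync('ed25519');

// Master signs the exact bytes of a statement binding a temporary public key
// to an expiry time and a renewal location (field names are assumptions).
function issueDelegation(masterPrivate, tempPublic, expiresAt, renewAt) {
  const key = tempPublic.export({ type: 'spki', format: 'der' }).toString('base64');
  const statement = JSON.stringify({ key, expiresAt, renewAt });
  const signature = crypto.sign(null, Buffer.from(statement), masterPrivate);
  return { statement, signature };
}

// Relying party: verify the delegation against the pinned master key BEFORE
// parsing it, then check expiry, then verify the message under the temp key.
function verifyMessage(masterPublic, delegation, message, msgSig, now) {
  const stmtBytes = Buffer.from(delegation.statement);
  if (!crypto.verify(null, stmtBytes, masterPublic, delegation.signature)) {
    return 'bad-delegation';
  }
  const { key, expiresAt, renewAt } = JSON.parse(delegation.statement);
  if (now >= expiresAt) return 'expired; renew at ' + renewAt;
  const tempPublic = crypto.createPublicKey({
    key: Buffer.from(key, 'base64'), format: 'der', type: 'spki',
  });
  const ok = crypto.verify(null, Buffer.from(message), tempPublic, msgSig);
  return ok ? 'ok' : 'bad-signature';
}

// Constructed scenario: timestamps are plain integers, not real clock values.
function demo() {
  const master = newKeyPair(), temp = newKeyPair(), stranger = newKeyPair();
  const d = issueDelegation(master.privateKey, temp.publicKey, 2000,
    'https://id.example/renew');
  const msg = 'order #1 (constructed sample)';
  const sig = crypto.sign(null, Buffer.from(msg), temp.privateKey);
  const forged = crypto.sign(null, Buffer.from(msg), stranger.privateKey);
  return {
    valid: verifyMessage(master.publicKey, d, msg, sig, 1000),
    late: verifyMessage(master.publicKey, d, msg, sig, 3000),
    forged: verifyMessage(master.publicKey, d, msg, forged, 1000),
    wrongMaster: verifyMessage(stranger.publicKey, d, msg, sig, 1000),
  };
}
```

Rotating the temporary key only requires the master to issue a new delegation; the relying party's stored master public key does not change.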

Identity Service

Since each public key is unique, looking up the information on the owner of that public key isn't difficult. Two companies can get together and share their notes on each of the public keys they have seen and build a better picture of the bearer of those keys.

Rather than allow that to happen, you need some way to control how much information you leak out into the wild. Giving the information to anyone is the same as giving it to everyone, so you might as well be open about it.

An identity service would be the clearinghouse for your public data. If someone can produce your public key, they can access any details you are willing to publish about that public key.

A good identity service would create unique identities for every entity you interact with. This would allow you to control precisely who gets what data, without allowing people to piece together facts.

A better idea is to have personas. You can have a persona for your shopping habits, a persona for your financing, a persona for your education and professional life, and another persona for your friends and family. For your personal life persona, your contact information and calendar would be available, but your financing and purchase habits would not. For your shopping persona, everything about where you shop and how much you spend would be shared, but your personal information and bank accounts would not. For your finances, you might have a history of your transactions, or at least summaries of your other personas' expenses, but not any personal information that could connect you to another persona.

Segmenting your life in this way reduces the chance of one area ruining another. For instance, you wouldn't want your employer spying on how much money you have or what your purchase habits are, and you probably don't want them to know who your friends are.