About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


Tokens mean credentials mean reputations

By davebirch posted Sep 18 2006 at 11:09 AM

[Dave Birch] It's hard to validate -- I mean really, really validate -- someone's real identity in a transaction.  By "hard", of course, I also mean "expensive".  That's why transaction mechanisms that don't validate real identity (e.g., credit cards) are easy to use and cost-effective.  Luckily, we don't often really need actual identity validated to conduct a transaction.  What we need is reasonable assurance that the parties to a transaction are authorised.  So, when you are conceptually carded, it should be to see that you are over 21 (or whatever), not who you are.  There's a big difference.  Over time, the credentials that are being presented begin to acquire a history, a reputation if you like.  One can certainly envisage markets in which transactions depend on that reputation: not "snapshot" credentials or identity no matter how well validated.


The thing is that proving our actual identity is a special case: in almost all of the transactions we take part in every day, our real identity is immaterial.  It is generally used as a proxy for some other credential -- you're an employee, you're allowed to park here -- because it's the key that's used to look up that credential in a database of some description.  Now, if it is possible to carry that credential around with you in a token capable of supporting a reasonable degree of authentication, then not only do we have a more secure system overall, we also have a much cheaper system (since we don't need to manage or control the proxy database).
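The arrangement described above, as an added example that is not part of the original post: an issuer signs a single attribute bound to a token's public key, and the relying party checks that signature plus a challenge-response from the token, with no name and no database lookup. The choice of Ed25519, the `over21` attribute string and all type and function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential asserts one attribute about whoever controls TokenPub.
// It carries no name and no lookup key into an identity database.
type Credential struct {
	Attribute string
	TokenPub  ed25519.PublicKey
	IssuerSig []byte
}

// signedBytes is what the issuer signs: the attribute bound to the token key.
func signedBytes(attr string, pub ed25519.PublicKey) []byte {
	return append([]byte(attr+"|"), pub...)
}

// Issue is run once by the issuer (hypothetical: a bank or licensing body).
func Issue(issuerPriv ed25519.PrivateKey, attr string, tokenPub ed25519.PublicKey) Credential {
	return Credential{attr, tokenPub, ed25519.Sign(issuerPriv, signedBytes(attr, tokenPub))}
}

// Respond runs inside the token: signing the verifier's fresh nonce proves
// possession of the token key, so a copied credential alone is useless.
func Respond(tokenPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(tokenPriv, nonce)
}

// Verify is run by the relying party, which holds only the issuer's public key.
func Verify(issuerPub ed25519.PublicKey, want string, c Credential, nonce, resp []byte) bool {
	if c.Attribute != want || len(c.TokenPub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(issuerPub, signedBytes(c.Attribute, c.TokenPub), c.IssuerSig) &&
		ed25519.Verify(c.TokenPub, nonce, resp)
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	tokenPub, tokenPriv, _ := ed25519.GenerateKey(nil)
	cred := Issue(issuerPriv, "over21", tokenPub) // constructed attribute name
	nonce := make([]byte, 16)
	rand.Read(nonce)
	fmt.Println(Verify(issuerPub, "over21", cred, nonce, Respond(tokenPriv, nonce)))
}
```

The token's public key is the same at every verifier, so it acts as a stable pseudonym: that is what lets a credential accumulate a history, and it is also what makes its uses linkable.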

This is why we should try and change the paradigm around identity management.  Many people still think in terms of people proving who they are to log on to a web site rather than what they are: British, over 18, an eBayer with more than 100 stars and so on.  The latter example indicates why I'm curious about the potential for paradigm shift.  When I buy things on eBay, I don't care who people are, I care about their stars.  It's a reputation economy.

I remember writing about this in the past, using the emergence of stock markets as an example.  The first modern stock market began in Amsterdam back in the seventeenth century.  One of the interesting lessons from that time is that the courts had no mechanism for dealing with the transactions that were being undertaken: the contracts could not be enforced in court.  Yet the market grew and traders began to experiment with new instruments.  This market worked because contracts were self-enforcing within the group and the means of enforcement was reputation.  As Adam Smith noted later that century in the UK, “when a person makes 20 contracts in a day, he cannot gain so much by endeavouring to impose on his neighbours, as the very appearance of a cheat would make him lose”.  Much like eBay today, a trader’s reputation was the basis of their earning power and a low-overhead enforcement mechanism for the community.  Systems based on reputation do seem to work, although without the "security infrastructure" they are open to abuse.  They are also open to non-technological abuse, if you see what I mean (authors recommending each other's books and that sort of thing) which is another topic in its own right.

At a personal level, reputation is a good basis for competitive advantage.  For one thing, it's long-lasting.  It's hard to forge a useful reputation -- not that people haven't succeeded: remember Frank Abagnale and the movie Catch Me If You Can -- and difficult to buy one.  When I'm calling a plumber, I'd be much happier choosing one with lots of stars: thus, the plumber's livelihood depends on having the stars and (the subject for another post sometime) taking away stars might be a more effective form of sanction than taking away some money.  If plumbers, policemen and everyone else had tokens that could give up (and verify) credentials, then it seems to me that many business models would be changed.

Imagine going to buy a car and having the dealer's "stars" verified by your own ID card, phone or PDA at the same time as the dealer is verifying your "stars" from the bank.

