As developers are inexorably drawn down the rabbit hole that is identity, they continually conflate authentication, authorization, and attributes into one big "identity" jumble. Lately, a lot has been written about OpenID, which, as com.burtongroup.analyst.identerati.neuenschwander.mike (known unambiguously around the identity water cooler as "Mike Neuenschwander") points out, is really about attributes:
But don’t get me wrong: OpenID isn’t the problem here. OpenID simply calls into sharp focus something I’ve believed for years. It’s a kind of axiom, so I’d like to give it a name. I’ll call it, “identifiers.axiom.neunmike’s.axiomproxy.info”—that way you can easily refer to it unambiguously from anywhere. Here it is:
There are no identifiers, only attributes
Names are slippery. Most people have many more than one legal name, none of which are unique. They also have several dozen nicknames. There’s no practical way to get any of these every-day-use names onto a global namespace. And what’s a name after all but a synthetic attribute—a foreign key that we hope the receiving party stores somewhere so we can remember them later? Names are invaluable communication aids, but they have little to do with recognition, which is what’s at issue in most identity management contexts. Biologically, creatures don’t recognize others based on names but rather the confluence of attributes appearing within a certain context.
Lao Tzu (who goes by several dozen names) had a pretty good post on this idea over 2000 years ago. In a section called “Ineffability,” he writes:
The Way that can be told of is not an Unvarying Way;
The names that can be named are not unvarying names.
It was from the Nameless that Heaven and Earth sprang;
The named is but the mother that rears the ten thousand creatures, each after its kind. (chap. 1, tr. Waley)
I understand why, from a programmer’s perspective, it would be so much more convenient if everybody could simply have one globally unique, unambiguous, resolvable name. But such a quaint design constitutes a wanton disregard for reality.
The tech industry is adolescently ID-fixated. But I’ve had it to here with IDs! Would somebody please start seeing my avatars as something more than identification objects? So here’s to being an OpenAttribute power user!
Leave it to com.burtongroup.analyst.identerati.neuenschwander.mike to provide clarity on a much misunderstood issue.
org.tbray.ongoing.proprietor.bray.tim (aka com.sun.softwaredivision.canada.ubergeeks.bray.tim) kicked the tires on OpenID and came to a similar conclusion:
What Could I Use It For Today? · Here’s what I think I’d be willing to do: in the commenting system here at ongoing, I’d be inclined, if I had manually approved a comment with someone who’d authenticated via OpenID, to subsequently accept further comments from that OpenID, unmoderated.
I can’t think of anything else.
The real work for developers is not about assigning an uber-GUID to people; it is about unmarshaling attribute values into a policy enforcement point (PEP) and placing them in a context that makes them meaningful. As Butler Lampson says, "all trust is local." Again, I point to Bob Blakley's work on Security Design Patterns, which describes several ways to do this in a distributed system.
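Tim Bray's commenting policy above is a small example of exactly this kind of local PEP. The following Python is an added illustration, not code from this post or from any OpenID library: it assumes a hypothetical `Assertion` record that the site builds after the provider exchange, and a `LocalState` holding the site's own past moderation decisions. The identifier is treated as one attribute among others, and trust comes only from what this site decided earlier.

```python
from dataclasses import dataclass, field

# Hypothetical OpenID-style assertion as the PEP sees it after the provider
# exchange: the identifier is just one attribute among several.
@dataclass(frozen=True)
class Assertion:
    issuer: str                  # the provider that vouched for the user
    claimed_id: str              # identifier the provider asserts
    verified: bool               # the response's signature checks passed
    attributes: dict = field(default_factory=dict)  # e.g. nickname, email

# Local policy state ("all trust is local"): what THIS site has decided so far.
@dataclass
class LocalState:
    approved: set = field(default_factory=set)   # (issuer, claimed_id) pairs
    blocked: set = field(default_factory=set)    # (issuer, claimed_id) pairs

def approve(state: LocalState, a: Assertion) -> None:
    """A moderator manually approved a comment: remember the (issuer, id)
    pair, never the nickname, because names are not unique."""
    state.approved.add((a.issuer, a.claimed_id))

def decide(state: LocalState, a: Assertion) -> str:
    """Policy enforcement point for the commenting system.
    Returns 'accept', 'moderate' or 'reject'."""
    if not a.verified:
        return "reject"      # an unverified assertion carries no trust at all
    key = (a.issuer, a.claimed_id)
    if key in state.blocked:
        return "reject"
    if key in state.approved:
        return "accept"      # an earlier local decision lends trust in this context
    return "moderate"        # unknown here: a name alone earns nothing

if __name__ == "__main__":
    state = LocalState()
    # Constructed sample values; the URLs are placeholders.
    alice = Assertion("https://op.example/", "https://alice.example/", True,
                      {"nickname": "alice"})
    print(decide(state, alice))     # moderate
    approve(state, alice)
    print(decide(state, alice))     # accept
    # Same nickname and identifier string, but vouched for by a different
    # provider: the local approval does not transfer.
    other = Assertion("https://other-op.example/", "https://alice.example/",
                      True, {"nickname": "alice"})
    print(decide(state, other))     # moderate
```

Note that the decision never looks at `attributes["nickname"]`; the only thing that upgrades "moderate" to "accept" is a record this site made itself.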
Hunter S. Thompson said "buy the ticket, take the ride." But don't conflate the ticket with the ride.