Is the Open Identity movement making the world simpler? Or more complex?
There's been intense renewed activity in cyber security under the banner "open identity". See http://openidentityexchange.org and http://informationcard.net. But something about the word "open" has never sat well with me in the context of "open identity". I wonder if the open identity community has co-opted the word as one of those unquestionably good adjectives ... and twisted it a little?
Open standards and open government are obviously good things, and it's clear what they mean. And open source has a lot of goodness attached to it, even if it's not without controversy. But what exactly does "open" mean in open identity?
There is a strong implication in "open identity" that identities issued by different entities can be (nay, should be) treated equally. But when I look at any of the 'serious' identities used when transacting with business and with government, there is almost always a natural preferred issuer for each of them. Banks issue bank accounts and credit card numbers; health agencies issue health identifiers; the tax office issues tax file numbers and ABNs; Foreign Affairs issues passports; employers issue employee IDs; medical registration bodies issue doctors' credentials; Medicare issues provider numbers.
So these types of identities aren't actually "open" at all. How could they be?
It seems to me that there is usually just one obvious issuer for each given 'serious' identity. If so, then a great deal of the new Open Identity Trust Framework seems to be over-engineered.
I think to make progress in identity frameworks, we need more simplifying assumptions, and fewer complicating generalisations.
Stephen Wilson is the Founder and Director of Lockstep Consulting, providing independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.