Saturday, January 07, 2006

I can't get a handle on this...

What is the difference between a object in the real world and one inside a computer? There are many we could choose but the real world one lacks a handle, a unique reference to that object.

Why is this important? If you are trying to describe your identity (of you, the physical being in the world) uniquely to the many websites with which you have a relationship, there is no way to do this currently. Each website, such as Amazon, delicious etc. has to have a username for you and yet another password. This situation is only going to get worse as we progress to an online world. These days I try to log in to sites that I haven't visited in ages, and there are always helpful links saying 'forgotten password' but very rarely 'forgotten username', which is the real problem. How much more convenient if your identity at all these places were the same.

Microsoft have tried to solve the problem with their Passport system, but this is widely discredited now and is being played down as a technology by the boys from Redmond. What is really needed is a handle: a unique reference to you the person - a sort of digital analogue.

And while we are in the business of giving people a handle, why don't we do it for everything? Using Web 2.0 techniques, we could get people to register all of the types of object they own or come into contact with, be it Playstations, Ipods, concrete mixers or bottles of salad dressing.

We already have a unique referencing system on the Web: the URI or Uniform Resource Identifier. If we classified each object with its own URI then we would be nearer the Holy Grail of uniquely identifying things. So we could have something like:

to uniquely identify the PC on which I am writing this, in the imaginary Classification of Things (COT) domain.

To get back to identifying people, how could the above scheme be extended to instances of Homo sapiens. Unfortunately we don't have unique serial numbers and may have to wait a few million years for evolution to provide us with one. I don't really want to wait that long.

This is where Public Key encryption comes in - if we want to uniquely identify ourselves, we could claim a Public Key from a identification provider. The provider would guarantee that this was unique within their domain. This key is part of a a two key pair, the other part of which is the Private Key and which would need to be securely transmitted to you - probably not by the internet!

If the website now wants to check that we are who we say we are, they can send a challenge (in the form of a number) encrypted with our public key. We are the only people who can decrypt this, because only we know the private key that forms the pair. We do so, and get back the original challenge. To prove that we got it, we encrypt with the website's public key and send it back. This cannot be intercepted, as the website is the only one with the private key for the pair.

If the website gets back the original challenge, then the communication must have been with the person who owns the public key.

We can go further though - we can encrypt all of our personal information such as Credit Card details and shipping addreess, at our classification URI and make this available to the website only by using their Public key - only they will be able to access this information. We will have to trust that they only make proper use of it, but this is similar to providing details to Amazon today. They remember all of your details between visits so that you can buy stuff with a single click.

Building this type of self identification into browsers must surely be that route to the secure Web 2.0. Death to the username!

No comments: