This blog was updated and re-posted on 12 June 2012.
I have been blogging and commenting left and right that there is an alternative theory behind the woes of Cardspace and OpenID. Yes, vendor psychology, standardisation and commercial politics have frustrated progress on the “Identity Metasystem” but a less fashionable explanation is that it’s just not as great an idea as first appears. The Identity Metasystem is way over-engineered. It tries to solve stranger-to-stranger “trust” (as did Big Fat PKI in the 1990s) and seeks to allow parties to confirm one another’s unanticipated identity assertions.
These are almost academic problems. By far the most economically important transactions on the Internet occur between parties that already have their local “metasystem” in place. Payments, e-health, share trading, e-government etc. all take place within overarching risk management and legal arrangements involving specific registration protocols, formal credentials, terms & conditions, liability allocation etc. The analysis and design of business transaction systems anticipates the risks and responds with identification protocols and rules for participating. Parties in these different transaction contexts know precisely where they sit. They know their roles & responsibilities before they transact, even before they’ve installed whatever extra software and authentication devices are required according to the local risk analyses.
The “price” we pay for this level of crystalline certainty is that our different identities are brittle. They are highly context dependent, which is exactly what the Laws of Identity teach us.
On the other hand, the utopian Identity Metasystem tries to teach us to bend those identities, hopeful that a smaller number of them might be re-used cross-context. As if this will have a relatively minor impact on all those local risk management arrangements, and so reduce the total cost of ownership of IDs. Sorry, it just doesn’t.