On the Essential Question of Identity

For years I’ve been on record proclaiming that identity centralization is good and synchronization is bad.  I reasoned it is better to re-engineer processes to share identities than to distribute and fragment them.

I still believe this to be true.  However, I have come to realize that centralization of identities will not happen — during our lifetimes.  The reasons are numerous, obvious, and beyond the scope of this post.

Where does this leave us on the essential question, i.e. how do we maintain identities now that they must be distributed across the known universe?

The answer to this question will be included in a series of blog posts.  Stay tuned…


  1. Centralisation is outright bad. No matter how well-intentioned, your centralised resource will become a magnet for those who would seek to abuse it. Bad Things will happen. Just look at how CAs have been compromised, or how big databases have leaked.

    There are of course good levels of centralisation. As in the PGP keyserver.



    1. There are trade-offs right Niq? Decentralization increases exposure and risk across a wider domain. For example, the service provider(s) improperly maintaining creds; storing passwords in clear text; using weak/obsolete hashing mechanism. By centralizing you can focus talents into fewer sandboxes. But your point is valid, that centralized authority will always be a prime target for malevolence.



      1. Passwords? Hashing mechanisms? Why are you still using such obsolete devices for anything that matters?

        From memory, PGP is 25 years old this year, combining ZKP assertion with the WoT. OpenID/OAuth have been with us a fair time, albeit without an accepted bootstrap framework. And now we have a prospective next generation technology (Milagro) in incubation at Apache.


  2. Shawn, as it happens I just wrote a piece for the “Success at Apache” series. Sally asked for an introductory paragraph introducing myself, and I concluded that paragraph with a sentence that kind-of summarises my position:

    If you were to ask me today about the single goal I’d most like to accomplish, it’s a framework for Identity management that is not merely cryptographically strong, but sufficiently straightforward for the world to use, and robust against social engineering attacks such as phishing, while at the same time free of any centralised authority (such as government) whose motives might come under suspicion. An end to identity fraud, and to password management nightmares.


