My current solution for the login problem is less than ideal. I use the java program Password Safe to save my accounts+passwords, which it generates randomly. The pass phrase for my password safe is pretty complex, and I change it on about an annual basis. The program re-locks the safe after 5 minutes of inactivity, so this is reasonably safe against casual compromise. Of course, keyboard shoulder surfing and a subsequent theft of my machine (or temporary control) could render it useless, but I’m willing to accept those risks and do what I can to maintain control of the laptop. If somebody steals my laptop, unless they can crack the encryption quickly, I feel pretty good that I’ll have enough time to restore from backup, change all the passwords, and set a new combination.

However, this is basically as good as our current “status quo” of online fractured identity can get. And I still don’t have anything to bring all of my online presence together.

I recall with fond memories watching Dick Hardt’s amazing Identity 2.0 presentation from the audience at OSCON 2005. I came away thinking to myself “oh good, somebody is on it.” I put it out of my mind as a systems administrator with a lot of things to think about on the backend, and no real concern for the frontend.

Fast forward 5 years, and I see that we’re not much better off now. Dick Hardt’s company Sxip produced Sxipper, which is pretty cool, but still puts it on the users to safeguard and manage their data. Oh and really, I never heard about it until I went looking for Sxip again, and I don’t know anybody using it, I think its just a cool curiosity, not a solution.

This really is an issue that affects people, but they may not know it. Look at the trouble this guy went through to make google accounts useful for people with multiple email addresses. As we start sharing and sending and moving data, our identities clearly can’t be defined as email addresses anymore. I have 3 that I use a lot, and a couple of others that just refuse to die for whatever reason. Changing them means trying to find every site on which I’ve used them. UGH.

OpenID was, and still is, a promising direction. There are some definite security pitfalls in the way its been done in the past, but I think they’ve solved most of them. It doesn’t really satisfy Dick’s Photo ID requirement where the issuer doesn’t get to know what you’re using it for. Still I love when I sign up for a site and I can use my OpenID login. I use my launchpad.net account for this, mostly because it was the first site that had a very clear “this is your open ID url” link.

FOAF-SSL or “WebID” also seems interesting as a way to promote social credibility and utilize existing technologies rather than try to invent the whole thing. Even twitter seems to have rudimentary support. But its still a long way off from being in control of our identity. Given the meager number of relying parties, I’d say it may not ever get there, which is too bad.

So now I’m just confused. How and when are we going to get this done? When can I say “this is me, here’s some proof that this is me, now lets get something done.”?

Social networks sort of try to do this with the social proof of many friends. But at issue there is how closed off those social relationships are. Facebook wants me *on Facebook*. They don’t want to enable me to also use myspace or my Ning community seamlessly.

Until we as users know why we’d want that, and somebody is able to provide it, I guess I’m just stuck with my password safe.

“Yeah,” he says, “At the end of the day, ship the fucking thing! It’s great to rewrite your code and make it cleaner and by the third time it’ll actually be pretty. But that’s not the point—you’re not here to write code; you’re here to ship products.”

I’m a big fan of “the proper amount of abstraction”, but I think its important to remember the scope of each thing we’re working on. Rock on jwz.

While you wait patiently for the amazingly useful and poignant posts to start rolling out, please do take a moment to brighten everybody in the office’s day with this ingenious little perl script. Its especially useful for informing your users that they are “TREE KILLERS!”, or for passing along any ex-girlfriends’ phone numbers to the other men in the office.. you know.. in the interest of making sure she can find a date.