One Level of Indirection
Upon a closer reading of Stephen Downes’ Authentication and Identification, I realized he gets into a bit of a spot with his approach, and has to redefine what most of us would accept as authentication to self-identification...
It is common at this juncture to confuse an identity claim with authentication. For example, the presentation of a bank card (a token) to a bank machine, combined with an assertion (the keying of a PIN), is often taken to constitute a type of authentication. However, it is not; it is nothing more than the claim to be a certain person.Many of us would rather refer to the above process as the authentication of the account holder’s identity to the bank machine with a bank card (what you have) and the PIN (what you know), as opposed to self-identification of the account holder to the bank machine.
Because Downes does not separate an entity from its identity (or identities), authenticating an identity is equivalent to self-identification of an entity. So, to Downes, if you authenticate an identity (or self-identify, in his terminology), you lose any control and privacy—hence the need to (somewhat awkwardly) differentiate self-identification from authentication. The point I made in an earlier post (Strong Identities Can Be Anonymous) is that an entity does not have to be bound to its identity. This level of indirection allows for anonymous identities, and addresses most of the privacy and control concerns Downes raises in his article.
Update (November 12, 2007)
Joe Long tells me it was Jim Grey who said that any programming problem can be solved by adding one level of indirection and that any performance problem can be solved by removing one level of indirection. (I should do some research on this.)