Federating identity

In last week's column, I suggested that individuals and corporations should be the authoritative sources of basic information about themselves. That way, if an application needs my name, address, and phone number, I can refer it to a source that I control and guarantee to be correct. But how many applications really need my name, address, and phone number? Capturing the identity of individuals, along with personal information about them, has become a habit. In a climate of increasing concern about privacy, it's a bad habit we must learn to resist. [Full story at InfoWorld.com]

As I mention in this week's column, the notion of selective disclosure is a core value of Shibboleth, an Internet2 project that's gaining some real traction in the higher-ed world.

What's up with the name 'Shibboleth'? Here's the scoop:

A shibboleth is a kind of linguistic password: A way of speaking (a pronunciation, or the use of a particular expression) that identifies one as a member of an 'in' group. The purpose of a shibboleth is exclusionary as much as inclusionary: A person whose way of speaking violates a shibboleth is identified as an outsider and thereby excluded by the group. (This phenomenon is part of the "Judge a book by its cover" tendency apparently embedded in human cognition, and the use of language to distinguish social groups).

The story behind the word is recorded in the biblical Book of Judges. The word shibboleth in ancient Hebrew dialects meant 'ear of grain' (or, some say, 'stream'). Some groups pronounced it with a sh sound, but speakers of related dialects pronounced it with an s. [Suzanne Kemmer]

The federated identity system called Shibboleth deals with group membership, rather than individual identity. It's interesting to think about use cases, outside higher ed, that don't require the identification of individuals. Consider website registration. The New York Times, or InfoWorld, or other media sites that want to qualify readers to their advertisers, don't really need to know me as an individual. They just need to aggregate readers into groups. From the Times' perspective, I'm a member of the group of American male writers who work in Media/Publishing/Broadcasting and who read the Times regularly but do not subscribe. From InfoWorld's perspective, I'm a member of the group of consultants (Technical) working in the area of Tech: Publishing who strategize about (but do not directly purchase) IT assets.

What if it were possible -- and convenient -- to affiliate with these groups without giving up personally identifying information? In reaction to registration regimes that are too granular, the bugmenot.com hack abolishes granularity. But maybe there's a middle ground.

Former URL: http://weblog.infoworld.com/udell/2004/07/27.html#a1048