Jeffrey I. Schiller
Networking, Security and Cavies

Internet Identity

I have been involved in Internet Security for more then 20 or so years. One of the holy grails that we have pursued is the global Internet Authentication system. In the 1980's we developed Kerberos at MIT. Kerberos was one of the first practical cryptographic based authentication systems on the Internet. Prior to the advent of Kerberos you authenticated yourself by providing a user name and a password, in the clear over the network where they could be intercepted by anyone with the wherewithal to eavesdrop on the network. Kerberos permits you to prove who you are without revealing anything to a network eavesdropper that would permit them to impersonate you.

However Kerberos is an enterprise solution. It assumes a common management domain which issues user names and (Kerberos protected) passwords. Although Kerberos supports connections between “realms,” this is setup via bi-lateral arrangements. This works, but it doesn't scale to the size of the global Internet.

In the early 1990's when the Netscape browser first became popular, the folks at Netscape realized that the web could not be used for commerce unless there was some way of providing authentication and encryption of sensitive information in flight. The solution was Public Key Encryption. With Public Key Encryption you have two keys, one public and the other private. You can prove who you are by signing a datum with the private key. This “signature” can then be verified using the public key. As long as you know that you have the correct public key, you can validate the signature.

The trick is how you know you have someone's public key. The idea in the 1990's is that we would have a global X.509 based “certificate” infrastructure. A certificate is a data item, itself signed, that associates a public key with a person's identity. Using certificates we can build a hierarchy that permits any browser to validate any server and any web server to validate any web user that has a certificate.

But it didn't work out that way. In part this was because of greed, policy wonking and lawyers. Add to this technology that was complicated to understand and use and the seeds of failure were well planted.

Greed: Some folks wanted to setup the system so that they would profit from every certificate issued. Imagine the income if every Internet user paid you $25/year!

Policy Wonking and Lawyering: Some folks assumed that getting authentication credentials would be such an important process, that people would put up with significant hassle to obtain credentials (say, visit a notary public, show two forms of ID, mail off a paper application (with your $25 check) and then wait days or weeks for the credential to be issued!

In the end, server certificates succeeded, particularly since the infrastructure evolved so that there was competition in certificate issuers (competition = customer service!). But client certificates, those issued to individuals to prove their identity, have totally flopped.

In the meantime, a global identity system has evolved behind the scenes on the Internet. What is it? Its your e-mail address. Ultimately you prove yourself by demonstrating that you can read e-mail sent to your purported e-mail address. Most websites today that desire authenticating their users have some system where you establish an account on the site and provide your e-mail address. If you forget your password (common on a site you may only use occasionally) the site can mail it (or a new one) to you. So being able to read your e-mail translates into proving your identity. Problem solved, QED.

Why does this work:

• Everyone has an e-mail address, it is universal and ubiquitous.
• Everyone knows how to use e-mail.
• No policy mavens got involved early and made getting an e-mail address hard!
• Ultimately your e-mail address is your unique identifier.

Of course this works because of the domain name system (DNS). The DNS provides for a globally unique way of identifying resources on the Internet and its management has evolved in a reasonable fashion (this may be controversial because people do have issues with ICANN, the organization that in theory is responsible for managing the DNS. However this is beyond the scope of this post. Perhaps I will address it in a future post).

But perhaps the most important point is that e-mail addresses just work. There is no need for sites to enter into bilateral agreements to send mail to people. I.e. If I have an e-mail address at MIT (aka @mit.edu) and I use that to register at frobs.com. There doesn't need to be any technical arrangement or legal agreement between frobs.com and MIT in order for me to have frobs.com e-mail me a new password!

Which brings me to my final point. Check out http://openid.net. OpenID may well become an important authentication technology on the Internet (if not the authentication on the Internet). Why? Because like using e-mail addresses, there is no need for complicated bilateral technical arrangements nor legal agreements. It just works.

The Internet came to be because of technology that could be deployed and used. The most important property of that technology is that it “just worked.” OpenID just works... check it out.