There are three areas where privacy ultimately matters:
* Do you mind all correspondence being viewed by others (your certs are part of your identity and frankly the current way this is managed on the web is a mess)?
* How do you manage your own social graph (many contacts are given on trust so handing them all to a ‘benevolent’ third party is no solution)?
* How do you manage multiple online identities (the average net user maintains something like six distinct web personas and one can envisage this trending upwards not downwards)?

Glynx can also be a complement to web experience of yellow pages and digest, by providing a private overlay to these services but we don’t see this as central.

There are three challenges for our business model.
* The “value denials” above cannot be managed any other way. But a superior solution may appear for these questions (or we are not able to be compelling in our answer).
* The key question is about “trust”. Only a private interaction can be trusted to have true fidelity. Our core implementation needs to continue to be robust.
* If we stray too much into “Yellow Page” type transactions we will be challenged.

Yep – all interactions are encrypted to current strong standards (different methods for different bits). There are other ways (apart from decryption) to destroy trust and we have spent years thinking through/implementing these. New threats may emerge and we need to be vigilant to keep up on this front.

We are not worried about the password lost problem – nice little feature to put into the product though. Of course database backup is also required. Both could be handled by a web service company (so long as they are physically and logically separated) to take care of personal “disaster recovery”.

As for human fallibility, if you have a choice between predictability and serendipity, always bank on serendipity. Part of the human condition is we are risk averse.

A question for you – does anyone else have a framework for managing user Identity with integrity (i.e. promises don’t count so mediated services are out)?

http://de.seven...e_9511_next_bl1

Cheers from germany,
Caro

Furthermore, I presume that, since everything is encrypted, if I forget my keys to my account… I’m screwed? Is that also a byproduct of having the user in total control?

I guess I’m also trying to understand how this model deals with the imperfection and unreliability in human behavior. Computers are good at remembering and always doing the same thing; humans, not so much. Identity systems, therefore, I think need to be forgiving to work at scale.

The cases you bring up around health care and the need for privacy in those cases are interesting, but point to the miserable way in which healthcare is deployed today — where the model is actually the avoidance of providing caring health services! In other words, if I put, say, chronic health conditions on my homepage for the world to see — why don’t I get better care? That seems to be a flaw in the system, and should be orthogonal to the way identity systems are built.

Perhaps that’s a tangential topic, and I agree that we need solutions sooner than later, but I’m just trying to get my head around how Glynx might actually work in the real world! Thanks for humoring me.

Glynx is an experiment. The truth is a few commentators are interacting with us who are interested in this line of thinking but no-one is prepared to say true privacy/control offers a superior paradigm. I would agree with you that our feedback is that “user owned identity”, “user centric identity” misses the consumer mark. Only specialists (most of whom assist web-server businesses) understand the significance of these terms.

The benefits of a benevolent Big Brother web-server business are compelling. However, as you know, the friction costs these businesses impose are immense. These costs are incurred because server based businesses need visibility and control of their user directories to function. As a simple example you have pointed out that the major of identity providers generally only act as OpenID Issuers. Eventually they may act as Relying parties too but in the meantime there is significant consumer inconvenience.

The point of Glynx is that you can start from the opposite premise; that user’s can have absolute control. We don’t restrict or observe the identities or associated information that users publish, search, associate and exchange. Ask that of any web-server. What is the cost of that censorship?

The web is still very young. As the web matures, users will increasingly grow intolerant of costs imposed on them by the client-cloud architecture because the same benefits can be achieved in other ways without incurring the costs. Just like a child yearns for their first Driver’s License ID, users will want the same benefits of direct Identity exchange, with its greater freedom and flexibility (along with greater responsibility).

There is enormous untapped value in private data, particularly Identity. Glynx lets users extract that value without compromising their privacy. A good example of this is medical records. You may be aware of the very expensive UK attempts at a client-cloud electronic medical records architecture that utterly failed due to the fundamental lack of privacy inherent in client-cloud. We are only just beginning the journey to a time when the internet is no longer a novelty. At that time today’s concerns will seem insignificant and people can focus on fulfilling their potential.

In other words — and I’m curious about this personally — are people really looking for a solution that they are completely in charge of — or would they prefer to share some of that responsibility with a third party that can, for example, help them recover their password if they forget it, etc?

Our company, Glynx, offers the only OpenID issuing party that enables you to use any verified online ID as an issuing ID regardless of whether the ID provider is an issuing party or not. So you can log onto websites with your GoogleID without requiring Google to be the issuer. A few notes.
* Our solution is stronger in privacy than any other existing OpenID solution. Unlike all other existing OpenID issuer solutions Glynx does not require you to trust private credentials to a third party, such as leaving a copy of your username and password on the issuers servers to check on login. Instead, with Glynx, when you log into an OpenID website, the Glynx OpenID server kicks off a secure P2P transaction that finds your device on the web and pops a message saying to you “someone claiming to be XYZ@ABC.com is seeking to log into http://www.123.com do you give permission Yes/No?”. No private credentials left your device to make the transaction – you should try it sometime
* Currently we are the only issuing party for this. Today all transactions must be mediated through our OpenID server (albeit end-to-end encrypted). Our intention is to opensource the code once we know it is robust and we get the time.
* This, of course has all sorts of implications for things like financial transaction authentication, etc, but more of this in the future.

We like to think “Glynx is for Grown Ups” by which we mean unlike any other Identity solution available today, Glynx enables you to take control of your own identity and control how/what it is used for instead of relying on a third party to conduct transactions on you behalf.

There is never going to be a day when everyone has a facebook account. But already it must be unusual to find people who don’t have at least one account with those providers supported by RPX.

GovernmentLocator.com – change yourself