Life of Governance Systems Circle Imaginations and Thoughts

Background on Identity Management

The issues of identity management and authorization have existed since very old times, ever since somebody first decided to protect his property from foreign aggressors. That is how it was in the cities of old Europe: if they were protected by high walls, everybody who entered the city was checked to determine who could harm its security from inside. On market days there was a very long queue, because everyone had to be checked at the entrance. But after the invention of the trebuchet, which was very effective at destroying city walls, they had to change the security strategy along with the identity management strategy, and that is why trade in the Middle Ages started to develop very fast (Windley 2005). Though it is a very interesting example of identity management, there were more interesting cases, such as the caliph's harems, which were more intimate places. Even though access to the caliph's harem was strictly limited, there were people who could access it. They were eunuchs, who were castrated for reasons of security.

So if we look at the first example we will understand that the traditional exclusionary security model – perimeter-based systems focused on keeping bad people out of the system – is not sufficient to protect virtual systems (Lewis 2005), simply because it keeps out not only the bad people but everyone else as well. We understood that a long time ago and changed the security strategy, but on the other hand we can't castrate all users just because they are going to use our system. Even though we now allow users to access our private and intimate information, today's systems must create exclusionary security with exclusionary access to the applications and data that support core processes. And such exclusionary models are unattainable without identity management.

Basically, everything starts with the act of authentication. Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true (Wikipedia 2006). Authenticating a person may mean confirming that the person is who he or she says he or she is. Organizations can present their Trust Certificate, but in the case of a person it is just impossible without special technologies. However, in many cases authentication is the most important stage of interaction. For a long time authentication procedures in the area of service provision were, of course, paper-based (even now some companies request a scanned copy of a passport by email). And probably the best examples of self-identification were the passport or driving licence. Meanwhile, with the arrival of digital technologies in our society, enabling the development of online services, it became clear that new forms of authentication are required for situations in which the digital user's identity must be checked as part of an assessment of service entitlement. In the last decade lots of complicated systems have been developed aiming to solve this issue. But let's go a little deeper into the evolution of these systems.

So, what is identity? Of course, identity is “who you are”. The question “who are you?” is almost always answered with the person's name: “I am John Johnson”. Then the answer could go into a bit more detail: the person who introduced himself is British, living in Salford, which is in Greater Manchester, which in turn is part of Lancashire, which is a district in Great Britain. Then he could specify his address: let's say he lives on Silk Street in Matthias Court, on the 11th level, in room number 117. And only then might he note his sex, in this case male, and that he was born on the 24th of July 1980. And he is over 21 but under 28 and in the range of 25 to 30. Then maybe he will state that he graduated from the University of Salford with an MSc in eGovernance, or that he is currently working at Semantic Web Corporation, where he is the founder and director. This person's identity is also his whole presence on the Internet. He could say that he has a personal home page at www.johnjohnson.com, a personal blog at www.johnjohnson.com/blog, and an email address that looks like this: john@johnson.com. Maybe he could tell us his phone numbers, especially the land line numbers, his mother's maiden name, the city where he was born, his first pet's name or his favourite book. So, basically, identity is “what you say about who you are”. This is easy to convey in real life, as long as the person shows a passport, driving licence, student card or even a permanent ID card from the local police office (Hardt 2006).

But first let's see how this person would prove his identity in real life. Let's say John came to buy a bottle of nice Rioja wine from the local store. The seller will ask him for proof of his age, as they can't sell alcohol to persons under 21 years old. Johnson shows him his permanent ID from the police, and the seller looks at the photo to match the document and the name on it with John. Only after that will the seller look at the document itself: when it was issued, by whom, and whether there is a stamp on it. Then the seller will probably conclude that the local police station can be trusted, and according to that conclusion it is more or less enough to trust that the person is actually John Johnson. Thanks to this established trust, John Johnson can finally buy the bottle of nice Rioja wine. So identity is not only “what you say about you”, but also “what the others say about you”. And it also matters who those “others” are. It looks very much like reputation, as Dick Hardt stated in his presentation (Hardt 2006).

What about digital identity? It is simply the same: John tells somebody that he is John Johnson, that he lives in Great Britain on Silk Street, that he is almost 27 years old, and that he has the following website, www.johnjohnson.com, and email address, john@johnson.com. But in this case nobody can be sure that John is really that John Johnson, because we don't have an Internet driving licence or even a student eID. Then what about all the other information, like date of birth, address, post code, student card number? Actually it is just authentication. It only shows that the person who knows this information is the person who provided it in the first place. But this does not mean that he is the true John Johnson. So, the idea of digital identity has been established. If all this is about authorization, why not keep it all in one place, allowing identity to move from being web-portal-centric to user-centric?
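The seller's checks from the wine example, and the reason a self-asserted digital identity fails them, can be sketched as follows. This is an added example, not code from the original post; the issuer name `local-police`, the demo key and the use of an HMAC as a stand-in for a real issuer signature are assumptions.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key. HMAC with a key the seller shares with the issuer
# stands in for a real issuer signature (assumption made for this example).
TRUSTED_ISSUERS = {"local-police": b"constructed-demo-key"}

def stamp(key, claims):
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def issue(issuer, key, claims):
    """'What the others say about you': the issuer stamps the claims."""
    return {"issuer": issuer, "claims": claims, "stamp": stamp(key, claims)}

def may_buy_wine(document, presenter, today, min_age=21):
    """The seller's checks from the wine example; returns (allowed, reason)."""
    key = TRUSTED_ISSUERS.get(document.get("issuer"))
    if key is None:                      # who are the "others"?
        return False, "issuer not trusted"
    claims = document.get("claims", {})
    if not hmac.compare_digest(stamp(key, claims), str(document.get("stamp"))):
        return False, "stamp invalid"    # altered or forged document
    if claims.get("name") != presenter:  # stands in for the photo check
        return False, "document belongs to someone else"
    born = date.fromisoformat(claims["born"])
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    if age < min_age:
        return False, "under age"
    return True, "ok"

# Constructed sample documents using the details from the text.
JOHN = {"name": "John Johnson", "born": "1980-07-24"}
POLICE_ID = issue("local-police", TRUSTED_ISSUERS["local-police"], JOHN)
SELF_ASSERTED = {"issuer": "john@johnson.com", "claims": JOHN, "stamp": ""}
TAMPERED = dict(POLICE_ID, claims=dict(JOHN, born="1970-07-24"))

if __name__ == "__main__":
    for doc in (POLICE_ID, SELF_ASSERTED, TAMPERED):
        print(doc["issuer"], may_buy_wine(doc, "John Johnson", date(2007, 3, 1)))
```

The self-asserted document carries exactly the same claims as the police ID, yet it is rejected at the first check, because nobody the seller trusts stands behind it.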

The first development probably starts with the development of the first Web 2.0 tools: interactive, user-centric content development. LiveJournal.com built an online community based on developments by computer science major Brad Fitzpatrick in March 1999. Since then, it has grown into a user-supported, open-source service used worldwide. The same company, Six Apart, and Brad Fitzpatrick brought to life the idea of OpenID, which has been driven by the blogging community until now.

So what is the idea of user-centric identification? To explain that, we should probably start from what Internet identity is. Internet identity is actually the anticipated revolution of identity verification on the Internet using emerging user-centric technologies such as the OpenID standard or Microsoft Windows CardSpace. This technology, together with the whole idea of digital identity, has been highlighted in the press as Identity 2.0. Identity 2.0, first mentioned by Mr. Hardt, stems from the Web 2.0 theory of the World Wide Web transition. Its emphasis is a simple and open method of identity transactions based on a movable identity which could be used on any website (Hardt 2007). This technology allows John Johnson's identity to move easily from any web portal to any other web portal: instead of presenting everything he has presented above, he does it with his OpenID alone. OpenID is a decentralized single sign-on technology, which allows authorizing users who are OpenID enabled.

Albert Poghosyan
