History of Light-Weight Identity (LID)
LID traces back to a casual chat between husband-and-wife team Johannes and Tammy Ernst, probably some time in 2003. The idea was "there should be some really simple scheme for digital identity on the net that's a lot more trustworthy than anything that's out there." We quickly settled on the idea of using PGP keys for security, and (decentralized) URLs as identifiers from where PGP keys and other information about the individual could be found. A couple hundred lines of Perl later, we had something interesting, but didn't know what to do with it.
When Johannes first started to publish about the promise of decentralized, user-controlled internet identities early in 2005, the idea was definitely controversial. Up to this point, identity had been largely confined to large, expensive corporate implementations that put either the technology vendor or the sponsoring corporation in control, but never the individual whose identity it is, after all.
The idea that individuals could pick URLs of their choosing, and declare them to be their identity, without depending on any kind of permission or endorsement from anybody, was largely unheard of, but quickly gained a following. At first, we did not know whether others would see the same potential for URL-based identity as we did, and so we proceeded carefully: we designed an initial set of capabilities that seemed useful for URL-based identity (single-sign-on, basic profile queries), put together some proof-of-concept Perl code, made it available for download, blogged about it, and watched what was going to happen.
What did happen was that the vast majority of the people who commented, mostly in the blogosphere, said very positive things, often taking some of our code, modifying it, integrating it, and asking for new features. The public backlash that had accompanied so many identity technologies before (remember the reaction to Microsoft Passport?) did not occur; instead, early adopters really liked the idea. After a few months, it was clear that there was a "there" there for URL-based identity, in particular on the open web, where the centralizing assumptions and the expense in software and manpower of many previous identity technologies clearly did not work.
When, a few months later, Brad Fitzpatrick at Six Apart / LiveJournal needed a decentralized mechanism that would enable users to prove their identity when commenting on others' blogs, he picked the same idea: URLs are a good way to identify people, and bloggers already have a URL (their blog's) that is quite ideal for the purpose. With some browser redirects and a bit of cryptography, a user could prove to websites that they own a particular URL, and thus avoid having to sign up for one new account at each blog. And when reading comments on a blog post, it would be easy for the reader to follow to the blogs of the commenters, because their user name would be their own, clickable identity/blog URL.
In summer 2005, Brad Fitzpatrick and David Recordon (then both at Six Apart) and Johannes Ernst and Joaquin Miller (then both at NetMesh?) decided to join forces, and soon gained the XRI/XDI community as an enthusiastic supporter. The result of this collaboration was announced in October 2005, and came to be known as the Yadis specification, which arguably spawned a wave of innovation around digital identity on the net.
As the momentum and support grew, a group of us decided to give the community an organizational structure and incorporated the non-profit OpenID Foundation. This enabled major internet companies like AOL, Yahoo, Google, Facebook, Verisign, Microsoft and IBM to throw their support behind the movement.
However, the more support there was from larger and larger stakeholders, the more the needs of organizations took over, instead of the initial focus on the needs of the individual. So arguably the OpenID movement has strayed away far from its roots, and by now (late 2010) arguably has little to do with the goals and principles of LID, which have remained the same: individual control, not corporate control.
Here are some now historical quotes from the early days of LID:
- Lucas Gonze
- "Fantastic -- using URLs as the basis of identity is, as far as I can tell, the only way to do it. ... beautiful simplicity."
- Dave Winer
- "A quite simple, but powerful technology that empowers individuals to keep control over and manage their digital identities."
- Stephen Downes
- "This may end up being the year of personal identity, if the first week is any indication (and I think it is). Today's entrant is a strong contender, a system called Light-Weight IDentity (LID) that instantiates many of the criteria I have stated previously: it is light-weight, it is distributed, it is (somewhat) easy to install, and most importantly, it is in the control of individuals - there is no central directory service that acts as a weak link ..."
- David Weinberger
- "LID gives the user complete control over her digital ID by putting the actual info on the user's site"
- Phil Windley
- "LID has a few features which will appeal to many... LID lets me build business cards, not credentials"
- Jamie Lewis
- "LID [is] self-organizing and the antithesis of a top-down identity registry... LID gives individuals the power and responsibility to self-assert and manage identity information. But there are some important differences in all of these approaches. SxIP is based on a distributed registry and governance model. iNames is based on a third-party registry and uses XRI/XDI Uniform Resource Names (URNs) as identifiers. With InfoCards?, individuals will (in theory) be able to self-assert, manage, and store identity information in Longhorn, which will (in theory) make the identity subsystem to multiple applications and services. LID allows users to self-assert identity information via a published URL on the Internet, so it's leveraging an existing name space. And as Loftness points out, LID provides a "mini Web service", allowing individuals to store identity information as static XML data at a URL. Applications and services can then use a script to query the identity URL... I like the fact that LID is a self-organizing system..."
- Shelley Powers
- "LID, on the other hand, doesn't store any data about you. In fact, it doesn't even know you exist â€” there is no way of tracking a LID user from some root LID site... ...I find I can't compare [Liberty and LID] implementations, because it would like trying to compare an Oraclized PeopleSoft? with Wordpress. More, where LID represents a service to the user, Liberty Alliance represents a service to Alliance members â€” no more, no less. In other words, the two implementations are so far apart on the scale, that the scale becomes meaningless. Frankly, this is all to LID's favor, too. LID provides a great deal of functionality in a tiny little package. It supports pseudonyms (personas), secure authentication, single sign-on, and data exchange, all using standard, accessible technologies. More, it's not dependent on any single centralized authority, other than the DNS itself. But then, we're all rather dependent on this... [T]he root concepts of LID are good... I also like the extensibility of the system, and have already tried out various tiny bits of other XML documents I have. As for the use in social networks, LID already provides integration with FOAF..."
- Julian Bond
- "It's the first identity system I've seen that I really feel I can get behind."
- Adrian Blakey
- "Like all the best works of art, I fear that it'll be long after its inventors have died that it will be realized how truly brilliant an idea it is, and what a significant contribution it is to the well-being of society - yeah, it's that important."