Version 5, changed by sreents. 12/25/2005.
Discuss Ch4Part8 here
One incentive to make personal identification and authorization the standard is spam: there are several suggestions on identifying email senders because spammers abused the ability to use "sender" addresses without authorization. E.g., in SPF the owner of a domain name authorizes several mail exchangers to send email on its behalf! Then email from unauthorized servers can be recognized by the recipient.
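The SPF check the comment above describes, as an added worked example (not code from the discussion or from any SPF implementation): the domain owner publishes a `v=spf1` TXT record naming the networks allowed to send for it, and the receiving server compares the connecting IP against that record. This goes a little beyond the comment by covering the `include:` mechanism and the `+ - ~ ?` qualifiers of RFC 7208; the DNS records are constructed inline in `DNS_TXT` so it runs offline, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled (`a`, `mx`, `ptr`, `exists` and `redirect=` are treated as errors here).

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: a real receiver would
# query a resolver for the TXT records of the sending domain instead).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mail.example.net -all",
    "_spf.mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "noauth.example": "v=spf1 -all",
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 s4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MAX_INCLUDE_DEPTH = 10  # loop guard, mirrors the RFC's DNS lookup limit


def lookup_spf(domain):
    """Return the SPF record for domain, or None if it publishes none."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror'.
    A 'fail' means the sending server is not authorized for that domain,
    which is the case the comment above wants recipients to recognize.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"              # default qualifier is "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")

        if mech == "all":
            return QUALIFIER_RESULT[qualifier]

        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier]

        elif mech == "include":
            # include: matches only when the referenced domain's record
            # yields 'pass'; a missing record there is a permanent error.
            sub = check_spf(arg, ip, depth + 1)
            if sub == "pass":
                return QUALIFIER_RESULT[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"

        else:
            # a / mx / ptr / exists / redirect= are not implemented here.
            return "permerror"

    # No mechanism matched and there was no trailing "all": neutral.
    return "neutral"


if __name__ == "__main__":
    # Constructed sample connections: (claimed sender domain, connecting IP).
    for domain, ip in [("example.com", "192.0.2.55"),      # authorized range
                       ("example.com", "198.51.100.10"),   # via include:
                       ("example.com", "203.0.113.9"),     # unauthorized
                       ("noauth.example", "192.0.2.1"),    # domain sends no mail
                       ("unknown.example", "192.0.2.1")]:  # no SPF record
        print(f"{domain:24} {ip:16} -> {check_spf(domain, ip)}")
```

Only a `fail` is a definite statement by the domain owner that the connecting server is unauthorized; `softfail` and `neutral` are hints, and `none` means the domain has opted out of the scheme entirely, so a receiver that rejects on anything but `fail` will bounce legitimate mail.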
One thing that I think is not very clear in this chapter is the meaning of architecture. The described changes in the architecture are not done to the basic protocols that run the Internet, so a question arises whether any change in the way a website is constructed should be considered a change of architecture. Wouldn't it be appropriate to distinguish at this point between the levels of architecture?
So, what sort of "architecture of identity" has developed since 1999? First, it has not been the ideal Chapter 4 seems to anticipate--everyone with a digital "driver's license" that identifies himself and his privileges wherever he surfs (I have offered some speculative reasons for this here). But second, it has been sufficient to support however many tens (hundreds?) of billions of dollars of commerce is now happening online.
How has this happened? I imagine that certificate-based identity has developed for certain niche markets where the value of the transactions is large enough and the coordination problems small enough to have allowed for standards to develop. I know, for example, that to process credit card transactions on one's web site, one needs to verify oneself to the credit card processor by signing up for Verisign or the like. I suspect other markets, perhaps especially b2b markets, have adopted certificates as a means of identifying legitimate buyers and sellers.
But for mass consumer markets, vendors have been unwilling/unable to impose a digital identity requirement on their customers. Thus, they have fallen back on something approximating the kludgey system of identification we have offline, namely, relying on credit card company guarantees, stiff legal penalties and people telling the truth most of the time. Online technologies have played a role--one uses passwords to self-identify, cookies to ensure transaction integrity, and SSL to secure the privacy of information as it travels across the Internet. And this is probably sufficient to ensure 99.x% accuracy.
But it does not work perfectly, and concern over "identity theft" is probably the best indication of public awareness of the failure of the marketplace to protect their digital identities. And the government stepped in, with nearly every state in the country passing "identity theft" legislation. Note, however, that the overwhelming response has been legal as opposed to architectural, with states imposing stiff criminal penalties rather than mandating (or even encouraging?) the development of a workable digital identity architecture.