The lowly browser has come a long way since Marc Andreessen wrote the code for Mosaic back in his salad days as a student at the National Center for Supercomputing Applications, because he was fed up with the line-mode interface intrepid Internet pioneers like us were forced to use back in the early Nineties. But Mosaic was a relatively simple program, and improvement set in almost immediately. First came plug-ins, then Java applets and extensions, and today’s web browsers are actually sophisticated and powerful packages of applications that can automatically handle anything from downloading music to playing radio or running videos. For most of us, the browser is our window to the world behind the computer screen, and in the age of cloud computing, it is poised to take over as the most important and widely used piece of software ever written.
At the Identity Collaboration workshop held yesterday in San Francisco on the eve of the RSA Conference, browsers seemed poised to take the next big step forward when Mike Hansen and Dick Hardt hosted a session which they entitled "Identity in the browser". For that, though, the browser as we know it must be replaced by an intelligent application that stores the necessary credentials on the user's machine and releases them on request by a website, thus saving us the trouble and bother of constantly typing in our user names and passwords or performing some other kind of authentication before being allowed to access content or services online.
In fact, Mike and Dick argue, people are already doing this, for instance by allowing websites to share their Facebook logins, but this poses security risks that many of us are unwilling to take. A much neater and safer way is verified email, where the owner of the website or the service provider sends a password to your mail address, which you then key in to complete the registration and/or login process.
Mozilla would like to take this one step (or possibly a whole set of steps) further by setting up an infrastructure that would allow websites to identify users by their mail addresses, something that WebFinger [http://webfinger.org] does already, albeit in a rather limited fashion. WebFinger is actually an Internet protocol like SMTP or HTTP created by Blaine Cook. He’s the guy that wrote the original code for Twitter and one of the leading lights behind OAuth, so his identity credentials are impeccable.
WebFinger is an extension of the Finger protocol used by the UNIX finger utility to identify users of a particular computer in a network. It can also help identify users in a cross-site manner, validate a person's identity (by pointing to metadata including public encryption keys), or serve instead of a phone number in VoIP networks. WebFinger’s biggest problem, however, is its relative obscurity: nobody outside of geekland has ever heard of it and most people don’t really feel any need to find out more.
Enter Mike and Dick. They would like to generate enthusiasm, first among the Identity Gang and later among browser makers like the Mozilla Foundation, Microsoft, Apple and Google, and hopefully among potential providers and relying parties. Technical details need to be worked out, of course, but they will presumably include widespread use of public/private keys as well as machine-readable policies for privacy and security. The short session in San Francisco was intended to get a discussion going and test the waters. Of course, there are issues such as what happens when I lose my computer containing an identity-aware browser or if I leave my computer running while I follow a call of nature; theoretically, anyone could pose as me online during my absence.
But these things can surely be worked out by intelligent people like those in the identity community. If they succeed, the humble web browser may actually someday become, in Mike's words, "the identity token of choice".