In the lazyweb department, I had an idea the other day that I thought I’d put out more broadly (lest someone else have the same thought, plus the thought to patent it). And that is the idea that one side-effect of the “social graph” is to create a unique identity signature. Who my friends are can be used for entity resolution. (Background: one problem in identity is figuring out whether two people who have the same name are in fact the same person. This is complicated by variations on the name. So there’s a whole set of questions: is T. O’Reilly the same as Tim O’Reilly the same as Timothy F. O’Reilly? Are you referring to my brother Sean O’Reilly or my father Sean O’Reilly? And when you find a reference to Tim O’Reilly, is it the Tim O’Reilly who blogs here or the Sydney musician who also has a Wikipedia entry, or one of the hundreds or thousands of others who have the same name?)
Typically, you resolve identity conflicts by adding additional information: a phone number, an address, a social security number.
Now, clearly, there are far more cases where you might have easier access to this kind of real-world information than you would have access to someone’s friends list from Facebook. But it’s also true that a site like Facebook could offer an identity service by which they present a unique hash of someone’s friends list at a particular point in time as a unique credential that doesn’t actually require disclosure of any confidential information.
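As an added illustration (not part of the original post), here is one way a service could compute such a friends-list fingerprint for entity resolution. The service key, user IDs, and snapshot time are constructed assumptions; the hash is keyed with HMAC because a bare hash of guessable IDs could be confirmed offline by anyone able to enumerate candidate friend lists.

```python
import hashlib
import hmac

# Assumption: a secret held only by the identity service (constructed demo value).
SERVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical_snapshot(friend_ids, taken_at):
    """Serialize a friends list so the same set of friends always yields the same bytes."""
    unique = sorted(set(friend_ids))  # order and duplicates must not matter
    fields = [taken_at.encode()] + [f.encode() for f in unique]
    # Length-prefix each field so ["ab", "c"] and ["a", "bc"] serialize differently.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def graph_fingerprint(friend_ids, taken_at, key=SERVICE_KEY):
    """Keyed SHA-256 over the snapshot; the digest itself lists no friend IDs."""
    snapshot = canonical_snapshot(friend_ids, taken_at)
    return hmac.new(key, snapshot, hashlib.sha256).hexdigest()


def same_entity(fp_a, fp_b):
    """Constant-time comparison of two fingerprints."""
    return hmac.compare_digest(fp_a, fp_b)


# Constructed sample data: two accounts that share a display name.
SNAPSHOT_TIME = "2008-01-01T00:00:00Z"
BLOGGER = ["user:1001", "user:1002", "user:1003"]
MUSICIAN = ["user:2001", "user:2002", "user:1003"]

if __name__ == "__main__":
    a = graph_fingerprint(BLOGGER, SNAPSHOT_TIME)
    b = graph_fingerprint(list(reversed(BLOGGER)), SNAPSHOT_TIME)
    c = graph_fingerprint(MUSICIAN, SNAPSHOT_TIME)
    print("same person, reordered list:", same_entity(a, b))
    print("same name, different graph: ", same_entity(a, c))
    # One new friend changes the hash, which is why the snapshot time is pinned.
    d = graph_fingerprint(BLOGGER + ["user:1004"], SNAPSHOT_TIME)
    print("after adding a friend:      ", same_entity(a, d))
```

Because a single added friend changes the digest, both parties have to agree on which snapshot time they are comparing.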
Of course, this is just a special case of a much broader situation, namely that our “identity” is in fact a function of everything we show to the world. Mechanisms might generate credentials by hashing our purchase history at Amazon, our search history at Google, or our surfing patterns in Firefox as easily as they could hash our social network. But the point is that it is possible to generate credentials that are as unique as fingerprints.
It would be kind of cool not to have to enter passwords, but for a site to “recognize” me because I was able to present a hash of my past interactions with the site, automatically recorded by both the site and my browser.
You could think of this as a kind of public key cryptography. Your private key would be the timestamp at which the hash was created, or the start time and end time that were used to create it. Your public key would be the hash itself.
Food for thought.