Several online actors are willing to play the role of identity provider, but ARPA2 is the first to grant you control over your own identity -- by hosting it either on your own machine, or letting you delegate it to a hosting provider.

The provisioning of identity under your own control is a vital part of the ARPA2 goal of regaining control over online presence; we coined the Bring Your Own IDentity concept for precisely that reason. And we subsequently designed Various Forms of Identity to get to a flexible setup. We are working towards Realm Crossover for the entire Internet to make all this possible.

This ARPA2.net project site describes how online services can make good use of the infrastructures that we are unfolding. The design is optimally suited for integration with today's infrastructure, by relying on widely used protocols with a proven track record and sufficient flexibility to accommodate local tweaking.

Authentication and Authorisation

It is vital to distinguish the following two concepts:

• Authentication or authn assures the identity of a client
• Authorisation or authz assures access rights of a client identity to a given resource, usually by checking against an [ACL](http://donai.arpa2.net/acl.html]

The two clearly need to work together, which is why they are often confused. But it is good to understand that both concepts are needed in most online services, and that each has its own issues to focus on. We have solutions for both authn and authz in the ARPA2 project: the TLS Pool and our use of Diameter and RADIUS are good examples.

Applications that follow these structures are pretty much ready for action under the InternetWide Identity Framework, and so they are supportive of the Bring Your Own IDentity concept, which re-empowers end users to control their online identity and presence.