I guess identities are considered "close enough" when some sufficiently high number of features overlap between identifying nodes.
Individual sites give permissions to an identity.
An identity lives on one or more servers which provide identity services.
Identities can be copied or migrated to other services.
A user can use their identity on an identity service to authenticate with another site.
Bunch of JSON messages are tossed back and forth.
RSA encryption is used to sign messages.
Identities are created through a Whirlpool-256 hash of the identities originating URI, a random number, and has a public key attached.