The Third Wave

A few days ago I mentioned the Third Wave of identity and I'd like to expand on that. First, though, you might read Phil Becker's postings (here and here) on the Third Wave from last month:

"Identity's third wave will be all about how to build a true network of decoupled, interoperating identity systems. Federation and virtual directory technologies allow some of this capability today. But they still require fairly constrained, one-off, cross-domain governance structures to break very far out of the domain focused mold. Something more is needed to build a true identity network."

I agree with most of what Phil says, although if the timeline is to go back to X.500 then we might even be facing the fourth wave!

But I'd like to talk about the Third Wave of Internet Identity, and this is the context I brought it up in the other day.

The first wave was the initial eCommerce wave, when commerce sites asked for your personal identity information (PII) and stored it on their site. You could buy books at Amazon and Barnes & Noble, but each needed its own copy of your name, shipping & billing address, credit card number, etc. In a word, SILOS. Each web site you dealt with had to have its own copy of your data. This first wave extended into the social networking era (MySpace, Friendster, Flickr, and hundreds more, including everyone's blog site). In fact, most sites are still, today, stuck in this first wave.

The second wave was kicked off by, among other things, Microsoft's Passport application. This was what's also termed a "wallet", where your web browser stored all of your PII and presented it to sites as needed. Some commerce sites bought in, as did some social sites. Microsoft sought to extend this functionality through the Hailstorm initiative, which really raised hackles. No one bought into Hailstorm. And not enough bought into Passport, so it also went away. Today's "user-centric" identity applications are endeavoring to re-create the Passport experience without the requirement to use Microsoft to store your data. Microsoft's CardSpace and OpenID's Attribute Exchange are both about using Identity Providers (IdPs) to store attribute data (i.e., PII) and serve it up to the web sites that need it (called "relying parties" or RPs) at the behest of the user.

This doesn't, of course, eliminate silos. CardSpace takes data from a silo and presents it to other parties. OpenID AE creates a new silo, maybe a metaSilo, to hold all of the data.

The third wave can move us beyond silos but perhaps is best explained as "virtual" silos. Data is served up to an RP similarly to the methods of CardSpace and OpenID AE. But the data itself can be stored wherever it's best to store it - usually with the initiator of the PII data. So a driver's license number would be stored only at the DMV. A credit card number only with the card provider. Your shipping address with the Post Office. And on and on. What's needed is a protocol and a specification for retrieving the data as needed, consolidating it and presenting it for one-time use to the RP.

In effect, we need to take virtual directory technology and apply it to web-based PII: a combination of securely vaulted data held by a trusted third party (e.g., a bank) which can be updated from the authoritative source of the data (e.g., post office, credit card company, DMV) periodically or at request time. Data is assured of being up to date as well as secure. Relying parties not only don't need to store copies of the data but would be expressly forbidden to do so. The data vault would hold copies of the data, but these would be considered a cache and only used if timely retrieval from the source weren't available at request time. And, very importantly, the data would be available at the user's request no matter where, or on what platform, the request was made.
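To make the moving parts of this "virtual silo" concrete, here is a small Python model of the flow just described. It is an added illustration, not code from the original post or from any real CardSpace, OpenID or virtual directory product: attribute values only ever originate at a hypothetical authoritative source (DMV, card issuer), a trusted-third-party vault resolves them live at request time and falls back to its cached copy only when a source is unreachable and the copy is still fresh, only the attributes the user approved are consolidated, and the result is handed to the relying party as a single-use bundle that cannot be redeemed twice. All names, attribute values and the cache-age limit are constructed for the example.

```python
"""Toy model of third-wave identity retrieval (constructed example).

Attributes live only at their authoritative sources. A vault (the trusted
third party) consolidates them at request time, keeps copies purely as a
fallback cache, and releases them to a relying party for one-time use.
"""
import secrets
import time
from dataclasses import dataclass


class SourceUnavailable(Exception):
    """Raised when an authoritative source cannot be reached."""


class AuthoritativeSource:
    """Hypothetical issuer of a single attribute (e.g. the DMV for a licence number)."""

    def __init__(self, attribute, value, online=True):
        self.attribute = attribute
        self.value = value
        self.online = online  # flip to False to simulate an outage

    def fetch(self, subject):
        if not self.online:
            raise SourceUnavailable(self.attribute)
        return self.value


@dataclass
class CacheEntry:
    value: str
    fetched_at: float


class Vault:
    """Trusted third party: resolves, caches as fallback only, issues one-time bundles."""

    def __init__(self, sources, max_cache_age=3600.0):
        self.sources = {s.attribute: s for s in sources}
        self.cache = {}            # attribute -> CacheEntry (fallback copy only)
        self.max_cache_age = max_cache_age
        self.pending = {}          # bundle id -> released attributes, consumed on redeem

    def resolve(self, subject, attribute, now=None):
        """Prefer the live source; use the cache only if the source is down and the copy is fresh."""
        now = time.time() if now is None else now
        source = self.sources[attribute]
        try:
            value = source.fetch(subject)
            self.cache[attribute] = CacheEntry(value, now)  # refresh the fallback copy
            return value, "live"
        except SourceUnavailable:
            entry = self.cache.get(attribute)
            if entry is None or now - entry.fetched_at > self.max_cache_age:
                raise  # no usable copy: fail rather than serve stale data
            return entry.value, "cache"

    def issue_bundle(self, subject, requested, approved, now=None):
        """Consolidate the user-approved subset of the RP's request into a single-use bundle.

        Returns (bundle_id, provenance) where provenance records, per attribute,
        whether the value came from the live source or the fallback cache.
        """
        released, provenance = {}, {}
        for attr in requested:
            if attr not in approved:
                continue  # the user did not consent to releasing this attribute
            value, origin = self.resolve(subject, attr, now)
            released[attr] = value
            provenance[attr] = origin
        bundle_id = secrets.token_urlsafe(16)
        self.pending[bundle_id] = released
        return bundle_id, provenance

    def redeem(self, bundle_id):
        """The RP presents the bundle id exactly once; a second redemption raises KeyError."""
        return self.pending.pop(bundle_id)


if __name__ == "__main__":
    # Constructed sources and values; nothing here is real data.
    dmv = AuthoritativeSource("drivers_license", "D1234567")
    issuer = AuthoritativeSource("credit_card", "4111-0000-0000-1111")
    vault = Vault([dmv, issuer], max_cache_age=60.0)
    bundle, prov = vault.issue_bundle("alice", ["drivers_license", "credit_card"],
                                      approved={"drivers_license"}, now=1000.0)
    print("released to RP:", vault.redeem(bundle), "provenance:", prov)
    dmv.online = False
    print("DMV down, fresh cache:", vault.resolve("alice", "drivers_license", now=1030.0))
```

The design point the model makes explicit is that the vault's copy is never the system of record: a live fetch always overwrites it, and when the source is down the vault serves the copy only inside the freshness window, otherwise it refuses. The relying party never receives anything it can re-use later, since the bundle is consumed on first redemption.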

Personal Identity Information becomes pervasive and ubiquitous - available whenever and wherever you need it. That's the third wave, and while I can see that wave on the horizon I don't think the tsunami warnings need to be raised just yet.

