<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-3529143</id><updated>2011-12-13T19:53:59.021-08:00</updated><category term='provisioning'/><category term='Laws of Identity'/><category term='Twitter'/><category term='openid'/><category term='Microsoft'/><category term='attention'/><category term='Novell'/><category term='relationship'/><category term='FUD'/><category term='reputation'/><category term='AOL'/><category term='passwords'/><category term='user centric'/><category term='infocards'/><category term='privacy'/><category term='digitalME'/><category term='ICF'/><category term='open source'/><category term='IGF'/><category term='Catalyst'/><category term='Identity Bus'/><category term='personal directory'/><category term='EIC'/><category term='enterprise'/><category term='Geneva'/><category term='DEC'/><category term='attributes'/><category term='persona'/><category term='DRM'/><category term='roles'/><category term='VRM'/><category term='DIDW'/><category term='Gartner'/><category term='Burton Group'/><category term='Yahoo'/><category term='Facebook'/><category term='liberty alliance'/><category term='fraud'/><category term='rant'/><category term='Oauth'/><category term='humor'/><category term='acquisition'/><category term='Zermatt'/><category term='sharing'/><category term='verification'/><category term='authentication'/><category term='metasystem'/><category term='attribute exchange'/><category term='security'/><category term='bridgestream'/><category term='movable type'/><category term='cardspace'/><category term='federation'/><category term='trade show'/><category term='ADFS'/><category term='SSO'/><category 
term='cloud'/><category term='context'/><category term='SAML'/><category term='Burton'/><category term='Google'/><category term='LDAP'/><category term='oracle'/><category term='uniqueness'/><category term='identity commons'/><category term='Sun'/><category term='social networks'/><category term='PKI'/><category term='theft'/><category term='RBAC'/><category term='Active Directory'/><category term='ownership'/><category term='identity'/><category term='Identity Hub'/><category term='architect'/><category term='saas'/><category term='standards'/><category term='virtual directory'/><category term='model'/><category term='biometrics'/><category term='blogging'/><category term='metadirectory'/><category term='six apart'/><category term='journalism'/><category term='entitlement'/><category term='umbrella'/><category term='IIW'/><category term='digital identity'/><title type='text'>The Virtual Quill</title><subtitle type='html'>Scratchings from the mind of Dave Kearns</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default?start-index=101&amp;max-results=100'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>535</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-3529143.post-6984799746730443270</id><published>2010-05-29T09:11:00.000-07:00</published><updated>2010-05-29T09:14:17.491-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Shame on Google</title><content type='html'>Ben Adida takes Kim Cameron to task ("&lt;a href="http://benlog.com/articles/2010/05/27/privacy-advocacy-theater/"&gt;Privacy Advocacy Theater&lt;/a&gt;") for taking Google to task ("&lt;a href="http://www.identityblog.com/?p=1100"&gt;The Laws of Identity smack Google&lt;/a&gt;"). Ben claims that Cameron is overreacting ("Come on, Kim, this was accidental data collection by code that the  Google Street View folks didn’t even realize was running."). But I'm here to say that Kim was spot on.&lt;br /&gt;&lt;br /&gt;As Cameron notes in his &lt;a href="http://www.identityblog.com/?p=1102"&gt;reply&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;My argument wasn’t about the payload data that was collected accidentally.  It was about the device identification data that was  collected on purpose.&lt;/span&gt; "&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;As Kim rightly points out, collecting SSID and MAC addresses (as Google says they did on purpose) is just as heinous - perhaps even more so - than collecting the contents of data packets. MAC addresses persist. The MAC address of the computer I'm using to type this entry is the same one that is used when I get my email, talk to my bank, shop at Amazon (and other places), chat on Facebook, etc.  That MAC address is an attribute of my identity just as much as my street address is. 
More so, since I don't need to mention my street address to pay cash at the grocery store.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Kim, as he so often is on issues of identity and privacy, is right on this one. Neither Google, nor anyone else, should be collecting data which can be correlated to a MAC address, or to any other identifier attribute of a person's identity. The only exceptions should be: a) opt-in authorization by the user (i.e., "loyalty cards"); or b) properly executed law enforcement warrants.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6984799746730443270?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6984799746730443270/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6984799746730443270' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6984799746730443270'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6984799746730443270'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2010/05/shame-on-google.html' title='Shame on Google'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1927228969775683269</id><published>2010-05-05T10:35:00.000-07:00</published><updated>2010-05-05T10:42:09.332-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='EIC'/><category 
scheme='http://www.blogger.com/atom/ns#' term='cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='ADFS'/><category scheme='http://www.blogger.com/atom/ns#' term='architect'/><category scheme='http://www.blogger.com/atom/ns#' term='federation'/><category scheme='http://www.blogger.com/atom/ns#' term='Active Directory'/><title type='text'>EIC 2010: Kim Cameron on Minimal Disclosure</title><content type='html'>German blogger "mrtopf" has posted an excellent &lt;a href="http://mrtopf.posterous.com/eic-2010-kim-cameron-on-minimal-disclosure"&gt;summary&lt;/a&gt; of Kim Cameron's keynote, delivered yesterday at the &lt;a href="http://id-conf.com/"&gt;European ID Conference&lt;/a&gt; in Munich.&lt;br /&gt;&lt;br /&gt;In his talk Kim disclosed his new project, the Federated Directory Project. Using the cloud, claims, minimal disclosure and roping in (one way or another) most of the existing ID protocols and systems.&lt;br /&gt;&lt;br /&gt;It was a breath-taking tour-de-force as only Kim can deliver it.&lt;br /&gt;&lt;br /&gt;There'll be a lot more to come as Cameron tries to bring as much input as possible to bear on his project. 
Watch for opportunities to get involved in a community that will (hopefully) coalesce around this.&lt;br /&gt;&lt;br /&gt;Stay tuned!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1927228969775683269?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1927228969775683269/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1927228969775683269' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1927228969775683269'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1927228969775683269'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2010/05/eic-2010-kim-cameron-on-minimal.html' title='EIC 2010: Kim Cameron on Minimal Disclosure'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6785267495230348713</id><published>2010-04-27T22:34:00.001-07:00</published><updated>2010-04-27T22:43:08.939-07:00</updated><title type='text'>This blog has moved</title><content type='html'>&lt;br /&gt;       This blog is now located at http://newvquill.blogspot.com/.&lt;br /&gt;       You will be automatically redirected in 30 seconds, or you may click &lt;a href='http://newvquill.blogspot.com/'&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;       For feed subscribers, please update your feed subscriptions to&lt;br /&gt;       
http://newvquill.blogspot.com/feeds/posts/default.&lt;br /&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6785267495230348713?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://newvquill.blogspot.com/' title='This blog has moved'/><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6785267495230348713/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6785267495230348713' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6785267495230348713'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6785267495230348713'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2010/04/this-blog-has-moved.html' title='This blog has moved'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-5995600010714141702</id><published>2010-03-08T10:58:00.000-08:00</published><updated>2010-03-08T11:23:45.718-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='EIC'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='enterprise'/><title type='text'>European Identity Conference 2010</title><content type='html'>Less than two months to go until the 4th annual &lt;a href="http://www.id-conf.com/events/eic2010/"&gt;European Identity Conference&lt;/a&gt;, and &lt;a 
href="http://www.id-conf.com/events/eic2010/registration"&gt;registration&lt;/a&gt; is now open! Once again, as last year, I'll be delivering an opening keynote as well as hosting two session tracks.&lt;br /&gt;&lt;br /&gt;On Tuesday (5/4/10),  I'll keynote on "&lt;a bitly="BITLY_PROCESSED" style="text-decoration: none;" href="http://www.id-conf.com/sessions/691"&gt;Convergence: Better Control, Lower Cost&lt;/a&gt;". Since it's the keynote between a break and Kim Cameron, I should at least get those who want to come early to get a good seat for Kim!&lt;br /&gt;&lt;br /&gt;On Wednesday (5/5/10),  I'll continue the "convergence" theme with a track called "&lt;a bitly="BITLY_PROCESSED" style="text-decoration: none;" href="http://www.id-conf.com/tracks/112"&gt;Value Through Convergence - Consolidate for Better Value,  Efficiency and Security"&lt;/a&gt;.This will feature a conversation with Martin Kuppinger ("&lt;a bitly="BITLY_PROCESSED" style="text-decoration: none;" href="http://www.id-conf.com/sessions/703"&gt;5 Quick-Wins to Leverage your Existing Identity Infrastructure through Convergence&lt;/a&gt;"), a conversation with Kim Cameron ("&lt;a bitly="BITLY_PROCESSED" style="text-decoration: none;" href="http://www.id-conf.com/sessions/707"&gt;Converging User-centric &amp;amp; Enterprise-centric IDs&lt;/a&gt;") and two panel discussions: "&lt;a bitly="BITLY_PROCESSED" style="text-decoration: none;" href="http://www.id-conf.com/sessions/703#2"&gt;Converging Data Governance and Access Governance&lt;/a&gt;," and "&lt;a bitly="BITLY_PROCESSED" style="text-decoration: none;" href="http://www.id-conf.com/sessions/707#2"&gt;Establishing an Advanced Level of Enterprise Identity Maturity&lt;/a&gt;."&lt;br /&gt;&lt;br /&gt;Then, on Thursday (5/6/10) I'll tackle "&lt;a bitly="BITLY_PROCESSED" style="text-decoration: none;" href="http://www.id-conf.com/tracks/123"&gt;Cloud Platforms &amp;amp; Data Portability&lt;/a&gt;". 
This track will feature an intro talk ("&lt;a bitly="BITLY_PROCESSED" style="text-decoration: none;" href="http://www.id-conf.com/sessions/742"&gt;Data Statelessness and the Continuum of Individuals' Data Portability on the Web&lt;/a&gt;") by &lt;a href="http://www.xmlgrrl.com/blog/welcome/"&gt;XMLgrrl&lt;/a&gt; herself, Eve Maler. We'll follow this up with two great panels: "&lt;a bitly="BITLY_PROCESSED" style="text-decoration: none;" href="http://www.id-conf.com/sessions/742#2"&gt;Social Data Portability&lt;/a&gt;," and "&lt;a bitly="BITLY_PROCESSED" style="text-decoration: none;" href="http://www.id-conf.com/sessions/746"&gt;Business/Cloud portability&lt;/a&gt;."&lt;br /&gt;&lt;br /&gt;There'll be other great sessions, also - there always are. Plus, the &lt;a href="http://www.deutsches-museum.de/index.php?id=1&amp;amp;L=1"&gt;Deutsches Museum&lt;/a&gt; in Munich is a fabulous venue. I hope to see you there.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-5995600010714141702?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/5995600010714141702/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=5995600010714141702' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5995600010714141702'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5995600010714141702'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2010/03/european-identity-conference-2010.html' title='European Identity Conference 2010'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-8722552096146335156</id><published>2010-01-28T23:02:00.001-08:00</published><updated>2010-01-28T23:04:36.746-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='IIW'/><title type='text'>IIW spring 2010</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://self-issued.info/images/iiw10_banner.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 770px; height: 121px;" src="http://self-issued.info/images/iiw10_banner.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Time to &lt;a href="http://www.internetidentityworkshop.com/"&gt;register &lt;/a&gt;for the spring Internet Identity Workshop. Do it now.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-8722552096146335156?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/8722552096146335156/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=8722552096146335156' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8722552096146335156'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8722552096146335156'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2010/01/iiw-spring-2010.html' title='IIW spring 
2010'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-8600531604061228189</id><published>2010-01-22T09:27:00.000-08:00</published><updated>2010-01-22T09:41:47.971-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='VRM'/><category scheme='http://www.blogger.com/atom/ns#' term='sharing'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Which ox are you goring?</title><content type='html'>&lt;a href="http://cyber.law.harvard.edu/research/projectvrm"&gt;ProjectVRM&lt;/a&gt;'s Joe Andrieu has a long, but not necessarily rambling, &lt;a href="http://blog.joeandrieu.com/2010/01/21/beyond-data-ownership-to-information-sharing/"&gt;post&lt;/a&gt; today buttressing his (and the project's) stand on data sharing.&lt;br /&gt;&lt;br /&gt;He makes some great points, such as that many people confuse privacy with secrecy. And that transactional data is owned by all parties to the transaction separately and mutually. He totally misses some points, such as confounding Digital Rights Management with meat space copyrights.&lt;br /&gt;&lt;br /&gt;But where he really got me was right near the very end of his screed where he says:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;Because the fact is, we want to share information. We want Google to know what we are searching for. We want Orbitz to know where we want to fly. We want Cars.com to know the kind of car we are looking for.&lt;/span&gt; &lt;br /&gt;&lt;span style="font-style: italic;"&gt;We just don’t want that information to be abused. 
We don’t want to be spammed, telemarketed, and adverblasted to death.&lt;/span&gt;"&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;But the reality is that we will be "spammed," telemarketed and adverblasted whether or not the party doing the marketing knows what we want or not. Advertising should be about letting me know the possibilities that might interest me. And the only way that can happen is if the advertiser knows my likes and dislikes, wants and needs. Isn't that the premise of VRM, that we (the users) tell the vendors what we want and they then compete to fill our need? How can they do that without telling us of their offers, and isn't that advertising? Targeted advertising, targeted directly at the person(s) who are looking to buy.&lt;br /&gt;&lt;br /&gt;Rework the post, Joe. There are too many good points to be spoiled by such a bad ending.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-8600531604061228189?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/8600531604061228189/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=8600531604061228189' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8600531604061228189'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8600531604061228189'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2010/01/which-ox-are-you-goring.html' title='Which ox are you goring?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6368283560864619324</id><published>2010-01-07T12:37:00.001-08:00</published><updated>2010-01-07T12:48:26.837-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='openid'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='Yahoo'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Google, OpenID and Chris Messina</title><content type='html'>Today's &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/01/07/AR2010010700760.html"&gt;announcement&lt;/a&gt; that Chris Messina is joining Google is certainly good for Chris, probably good for Google - but what about the openID Foundation?&lt;br /&gt;&lt;br /&gt;As of today, Google has 3 members of the Board of Directors, their corporate rep (Eric Sachs), and "community" reps Messina and Joseph Smarr. That's 3 out of the 19 board members.&lt;br /&gt;&lt;br /&gt;I should note that Yahoo has two members, a corporate one (Raj Mata) and a community one (Allen Tom), as does Microsoft (Mike Jones and Dick Hardt).&lt;br /&gt;&lt;br /&gt;I do think that any corporate member should be prohibited from also having employees hold community seats. Not that I have any indications that messrs. 
Messina, Smarr, Hardt or Tom would vote against their own principles, but people's principles are influenced by those of the culture in which they perform their daily employment tasks.&lt;br /&gt;&lt;br /&gt;Over and above that consideration, though, should be the desire to avoid even the appearance of a conflict of interest.&lt;br /&gt;&lt;br /&gt;Maybe it's time the Foundation adopted a rule prohibiting such perceived conflict.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6368283560864619324?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6368283560864619324/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6368283560864619324' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6368283560864619324'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6368283560864619324'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2010/01/google-openid-and-chris-messina.html' title='Google, OpenID and Chris Messina'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6647486596546505578</id><published>2010-01-05T09:05:00.000-08:00</published><updated>2010-01-05T09:26:14.587-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Gartner'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Burton'/><category scheme='http://www.blogger.com/atom/ns#' term='acquisition'/><title type='text'>Burtner or Garton?</title><content type='html'>Huge news this morning as it was &lt;a href="http://online.wsj.com/article/BT-CO-20100105-705781.html"&gt;announced&lt;/a&gt; that Gartner had purchased the Burton Group in a straight cash transaction (reportedly $56 million).  WTF?&lt;br /&gt;&lt;br /&gt;These are groups addressing two different constituencies. As the Wall Street Journal reported: "Gartner has typically focused on advising companies' chief information officers and senior IT executives, while Burton has built its business by advising 'front-line IT professionals,' said Gartner Chief Executive Gene Hall."&lt;br /&gt;&lt;br /&gt;Even though I don't always see eye-to-eye with the Burton Analysts, I consider them to be the finest group of minds available on IdM questions. Bob Blakley, Gerry Gebel, Ian Glazer, Kevin Kampman, Lori Rowland, and Mark Diodati are an Identity brain trust, almost a national treasure. Add in the brilliant minds of Phil Shacter, Dan Blum and - of course - Jamie Lewis and you have an irreplaceable resource.&lt;br /&gt;&lt;br /&gt;Gartner also has some good minds in IdM, just not as many. I could easily sit and chat with Earl Perkins all day, for example. But Gartner's IdM practice isn't something I want to listen to. As I said last year, about Gartner's IdM Summit: "It isn’t a conference that you, the identity management expert, should go to – at least not alone. 
This is really geared more    to the line-of-business (LOB) manager who needs to get a handle on this 'identity stuff'.” And Perkins agreed with me.&lt;br /&gt;&lt;br /&gt;This acquisition could put Gartner in the forefront of IdM thinking, or end up with all of Burton's heavy hitters on the back burner. Time will tell.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6647486596546505578?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6647486596546505578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6647486596546505578' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6647486596546505578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6647486596546505578'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2010/01/burtner-or-garton.html' title='Burtner or Garton?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-7255479320530535550</id><published>2009-12-21T11:36:00.000-08:00</published><updated>2009-12-21T11:43:36.292-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='persona'/><title type='text'>God's personas</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://www.realshamrock.com/Shamrock_Logo.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 270px; height: 297px;" src="http://www.realshamrock.com/Shamrock_Logo.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;I was contemplating the Christmas season and what it means to those of a religious bent when it occurred to me that the idea of “persona” – different facets of a single identity – is thousands of years older than our digital world.&lt;br /&gt;&lt;br /&gt;A few years ago I defined persona as “an aspect of identity in a specific situation: office persona, parenting persona and so on. “ Since then, I’ve refined it to be a collection of related attribute-value pairs, a subset of all of the attributes that make up an entity’s identity.&lt;br /&gt;&lt;br /&gt;Over 1500 years ago, Roman Catholicism’s St. Patrick was attempting to convert Ireland’s Druids to Roman Catholicism. One tool he used was the shamrock, a sacred plant to the Druids. Patrick illustrated the doctrine of the Holy Trinity (one God, three aspects: the father, the son and the holy spirit) by noting that the plant has three leaves but only one stem. Today we could say that the entity, God, has three personae: the Father, the Son and the Holy Spirit. Each persona emphasizes a particular set of God’s attributes yet each persona is still the entity, God.&lt;br /&gt;&lt;br /&gt;That led me to take another look at the God of the Old Testament – God the Father in the Christian tradition. But also Yahweh to the Jews and Allah to the Muslims. Each of these is merely a persona of the entity God with a mildly differing set of attributes interpreted by those humans known, collectively, as prophets. One God, multiple personae.&lt;br /&gt;&lt;br /&gt;But, in looking farther afield, we find it isn’t only the near-Eastern monotheistic religions which offer us a God-entity with multiple personae. Hinduism is also based on this concept. 
As Hindu Wisdom (http://www.hinduwisdom.info/Symbolism_in_Hinduism.htm) puts it:&lt;br /&gt;&lt;br /&gt;  “&lt;span style="font-style: italic;"&gt;Hinduism is often labeled as a religion of 330 million gods. This misunderstanding arises when people fail to grasp the symbolism of the Hindu pantheon. Hindus worship the nameless and formless Supreme Reality (Bramh) by various names and forms. These different aspects of one reality are symbolized by the many gods and goddesses of Hinduism. For example, Brahma (not to be confused with the over-arching Bramh) is that reality in its role as creator of the universe; in Vishnu it is seen as the preserver and the upholder of the universe; and Shiva is that same reality viewed as the principle of transcendence which will one day 'destroy' the universe. These are the Trimurti, the ' three forms,' and they are not so much different gods as different ways of looking at the same God. Each emphasizes a particular aspect or function of the one reality. The forms are many, the reality is one.&lt;/span&gt; &lt;span style="font-style: italic;"&gt;    It is the same with all the gods and goddesses: they are not rivals but aspects of a single principle. Hindus have represented God in innumerable forms. Each is but a symbol that points to something beyond; and as none exhausts God's actual nature, the entire array is needed to complete the picture of God's aspects and manifestations. 
It has been said that images are to the Hindu worshipper what diagrams are to the geometrician.&lt;/span&gt;”&lt;br /&gt;&lt;br /&gt;Explaining the concept of persona is never easy, but at least this might give you an edge with the practicing religious folks in your organization.&lt;br /&gt;&lt;p class="MsoNormal"&gt;[reprinted from &lt;a href="http://www.networkworld.com/newsletters/dir/2008/121508id1.html"&gt;Network World&lt;/a&gt;]&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-7255479320530535550?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/7255479320530535550/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=7255479320530535550' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7255479320530535550'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7255479320530535550'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/12/gods-personas.html' title='God&apos;s personas'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-3799227507269926279</id><published>2009-12-10T09:35:00.000-08:00</published><updated>2009-12-10T09:46:23.059-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Gartner'/><category scheme='http://www.blogger.com/atom/ns#' 
term='acquisition'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Microsoft strengthens Healthcare IdM Portfolio</title><content type='html'>&lt;span style="font-size: 12pt; font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;Microsoft announced today the acquisition of Sentillion, Inc., an acknowledged leader in IdM for the Healthcare industry.&lt;br /&gt;&lt;br /&gt;Earlier this year, the Gartner Group placed Sentillion in the "Visionaries" quadrant of their Magic Quadrant for User Provisioning, saying:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;Sentillion's singular focus is on meeting the identity management needs of healthcare entities. It remains in the Visionaries quadrant due to its continuing innovation in healthcare provisioning needs, continued customer growth, its increasing name recognition within healthcare, and its expanding partner network for resale and system integration.&lt;/span&gt;"&lt;/blockquote&gt;So why did Microsoft pick this particular company? Let's go back a couple of years to an &lt;a href="http://www.networkworld.com/newsletters/dir/2007/0507id2.html"&gt;interview&lt;/a&gt; I did with Sentillion CEO &lt;/span&gt;Rob Seliger. I tried to get him to admit an interest in branching out beyond healthcare. Nothing too exotic; perhaps an allied market like pharmaceuticals? But he wouldn’t be baited. He claimed Sentillion knows the market well – the company was spun off from HP’s Medical Products Group nine years ago - and wants to leverage its expertise to do healthcare identity better than anyone else.&lt;br /&gt;&lt;br /&gt;Some say they were doing just that. And now they have Redmond's deep pockets behind them - the sky's the limit. 
At a time when the US is about to undergo a healthcare revolution, Microsoft shows remarkable agility in getting out in front.&lt;br /&gt;&lt;span style="font-size: 12pt; font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-3799227507269926279?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/3799227507269926279/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=3799227507269926279' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3799227507269926279'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3799227507269926279'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/12/microsoft-strengthens-healthcare-idm.html' title='Microsoft strengthens Healthcare IdM Portfolio'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-4484315608792014974</id><published>2009-10-29T14:05:00.000-07:00</published><updated>2009-10-29T14:13:18.764-07:00</updated><title type='text'>Does anyone understand privacy?</title><content type='html'>Good&lt;a href="http://blogs.sun.com/suncpo/entry/an_oldie_but_a_goodie"&gt; post &lt;/a&gt;today from Sun's Michelle Dennedy on the whole privacy issue. 
She's commenting on a Gov't security official's quote: "We have a saying in this business: 'Privacy and security are a zero-sum game.'" and responds:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;I'm sure they have that saying in their business. And it's precisely why, when people in their business are in charge of government, it becomes a police state. If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and&lt;br /&gt;modern-day China. While it's true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.&lt;/span&gt;"&lt;/blockquote&gt;It simply amazes me how many different ways people can misunderstand privacy!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-4484315608792014974?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/4484315608792014974/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=4484315608792014974' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4484315608792014974'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4484315608792014974'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/10/does-anyone-understand-privacy.html' title='Does anyone understand privacy?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-2883631942166746684</id><published>2009-10-13T12:46:00.000-07:00</published><updated>2009-10-13T12:50:28.182-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='rant'/><category scheme='http://www.blogger.com/atom/ns#' term='theft'/><category scheme='http://www.blogger.com/atom/ns#' term='FUD'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>He who steals my identity steals - not very much?</title><content type='html'>Good article in the Wall Street Journal today (&lt;a href="http://online.wsj.com/article/SB125537784669480983.html?mod=WSJ_hpp_MIDDLENexttoWhatsNewsThird"&gt;"The Fallacy of Identity Theft&lt;/a&gt;") by Julia Angwin. She starts off:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;As far as I know, no one can steal my identity. Even if my bank account number, my credit card number and all my passwords are stolen, I am fairly confident that I will still be me and the thief will be a different person.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Yes, the criminal will be masquerading as me. But anyone who knows me – my husband, my children, my colleagues, my doorman, my employer – will not be fooled. If '&lt;/span&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;I&lt;/span&gt;&lt;span style="font-style: italic;"&gt;' was actually stolen, I believe that would be called a kidnapping.&lt;/span&gt;"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;She goes on to show that the problem is really fraud, the people who have their identity "stolen" don't lose much and, in truth, the amount of fraud is dropping. 
Her conclusion?&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;It turns out that 'identity theft' is one of the most brilliant linguistic constructs ever, with its terrifying specter of losing not just your money – but your soul. Maybe it's time that we renamed it what it is: a fear campaign designed to get us to buy expensive services that we don't need.&lt;/span&gt;"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Excellent!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-2883631942166746684?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/2883631942166746684/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=2883631942166746684' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2883631942166746684'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2883631942166746684'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/10/he-who-steals-my-identity-steals-not.html' title='He who steals my identity steals - not very much?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-7468848816381621838</id><published>2009-10-06T10:51:00.000-07:00</published><updated>2009-10-06T11:03:21.116-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='openid'/><category 
scheme='http://www.blogger.com/atom/ns#' term='open source'/><category scheme='http://www.blogger.com/atom/ns#' term='IIW'/><title type='text'>Is there a future for OpenID?</title><content type='html'>Johannes Ernst, one of the founders of OpenID (and the OpenID Foundation) has just posted a thought-provoking piece about the present state - and the future - of that protocol ("&lt;a href="http://netmesh.info/jernst/digital_identity/is-openid-still-user-centric"&gt;Is OpenID Still User-Centric?&lt;/a&gt;")&lt;br /&gt;&lt;br /&gt;I've pointed out before the problems between the OpenID evangelists (typically folks who do their own implementations, support open source projects and bemoan corporate or commercial involvement) and the major web organizations (Google, Yahoo!, Microsoft, Facebook, et al) who have adapted OpenID to their own purposes.&lt;br /&gt;&lt;br /&gt;This is the often unspoken but nevertheless almost inevitable path that any successful open source project follows.&lt;br /&gt;&lt;br /&gt;Perhaps it's time to truly fork the project. Let the "big boys" continue on with their "NASCAR billboards", PKI and whatever other baggage they want to heap on top of the simple protocol. Let the open source evangelists take the simplicity that was OpenID 1.1 and re-style it to its original purpose - locking in the development stream so that the aggrandizement can't happen again. 
It's not too late, and the upcoming &lt;a href="http://iiw.idcommons.net/Iiw9"&gt;IIW&lt;/a&gt; would be a good place to talk about it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-7468848816381621838?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/7468848816381621838/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=7468848816381621838' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7468848816381621838'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7468848816381621838'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/10/is-there-future-for-openid.html' title='Is there a future for OpenID?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-311477471460776793</id><published>2009-10-05T12:33:00.000-07:00</published><updated>2009-10-05T12:39:47.408-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Burton Group'/><category scheme='http://www.blogger.com/atom/ns#' term='social networks'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Getting Privacy Right</title><content type='html'>The Burton Group's Bob Blakley writes ("&lt;a 
href="http://identityblog.burtongroup.com/bgidps/2009/10/gartner-gets-privacy-dead-wrong.html"&gt;Gartner Gets Privacy Dead Wrong&lt;/a&gt;") a seminal piece on privacy - what it is, what it isn't and how to protect it. In the course of his blog entry he manages to pretty much dismiss most of the work that's been done under the rubric of "privacy" (which, as he notes, is really about secrecy) over the past dozen years.&lt;br /&gt;&lt;br /&gt;As he writes: "&lt;span style="font-style:italic;"&gt;That's how privacy works; it's not about secrecy, and it's not about control: it's about sociability. Privacy is a social good which we give to one another, not a social order in which we control one another.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;It's an issue I've brought up a number of times in the past. &lt;a href="http://www.networkworld.com/newsletters/dir/2008/0303id1.html"&gt;Last year&lt;/a&gt;, for example, I discussed where many "...&lt;span style="font-style:italic;"&gt;have gone wrong is to equate privacy with anonymity. You don’t have to be anonymous to maintain the privacy of your data. Again going back 100 years when you went into the bar and everybody knew your name there was also much about you that wasn’t known. Most things about you, in fact, weren’t known. Those things we want to keep private - our medical data, financial data, legal situation, etc. - were kept private. 
But people did know who you were, and perhaps where you lived, or worked, who your family was - and no one thought that was strange.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;Secrecy and anonymity are not privacy, and the quicker we all understand that the quicker we can move to protect privacy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-311477471460776793?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/311477471460776793/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=311477471460776793' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/311477471460776793'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/311477471460776793'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/10/getting-privacy-right.html' title='Getting Privacy Right'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-4636048952464697508</id><published>2009-10-01T09:43:00.000-07:00</published><updated>2009-10-01T10:11:02.691-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='rant'/><category scheme='http://www.blogger.com/atom/ns#' term='Burton'/><category scheme='http://www.blogger.com/atom/ns#' term='metasystem'/><category scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Tell us what you really feel...</title><content type='html'>In an &lt;a href="http://www.craigburton.com/?p=3001"&gt;Open Letter to Steve Ballmer&lt;/a&gt;, Craig Burton rants about the ridiculous policy Microsoft has for controlling updates and enhancements:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;As we drove further down the path to understand why, we were told the following unbelievable conversation. (The following is not an exact quote, but close.)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt; &lt;span style="font-weight: bold; font-style: italic;"&gt;Changes like you are requesting can only happen in an “in-band” release of Windows. These sort of changes are prohibited from going out in the Tuesday updates. What goes out with in-band releases the Tuesday updates is controlled by—Steve Ballmer.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Well F*&amp;amp;% me. Dude, after all of these years, you are still micro managing the Windows release! Now I know why Microsoft has now been relegated to insignificance in the identity market. The reason is simple. Internal policy, managed by you, prohibits product managers from keeping up with trends and innovation.&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;And what was the momentous change Burton was asking about?&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;In our meeting, we discussed how many man hours it would take to modify CardSpace to support context-automation. The answer is a few days of work at the most. 
When asked how long before such a simple change would find its way into CardSpace, the answer came back as two years at best, maybe.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Unfortunately, Ballmer has never understood the importance of identity to the fabric of computing, so he's never going to permit what he would perceive as "feature creep" in the regular monthly updates. That's good news for Microsoft's competitors, and bad news for its customers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-4636048952464697508?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/4636048952464697508/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=4636048952464697508' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4636048952464697508'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4636048952464697508'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/10/tell-us-what-you-really-feel.html' title='Tell us what you really feel...'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1908009933973680297</id><published>2009-09-23T08:44:00.000-07:00</published><updated>2009-09-23T08:51:30.875-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Novell'/><title type='text'>Novell 
Support goes off the deep end.</title><content type='html'>Novell Sr. VP Colleen O'Keefe &lt;a href="http://forums.novell.com/novell-community-forums-stuff/community-chat/387009-re-novell-support.html"&gt;justifies &lt;/a&gt;their current support money grab with the claim that "We absolutely believe there is tremendous value in Novell's patches, service packs and other intellectual property and that the cost of providing these services should not be solely born by current maintenance customers."&lt;br /&gt;&lt;br /&gt;What's the brouhaha about? This Novell announcement:&lt;br /&gt;&lt;br /&gt;"To further encourage more customers to take advantage of the comprehensive benefits a maintenance contract provides, Novell is announcing that as of November 15, 2009, maintenance or subscription authorization will be required to access service packs and patches (excluding stand-alone security patches) for most Novell products. In early 2010, we will extend this initiative to include Technical Information Documents (TIDs) in the Novell Support Knowledgebase for products in the general support phase of the product lifecycle."&lt;br /&gt;&lt;br /&gt;That's right, Novell is asking you to pay for its mistakes.&lt;br /&gt;&lt;br /&gt;Maybe there's a business plan here for me - are you willing to pay $10/month to get the errata pointing out the corrections to stuff in the &lt;a href="http://www.networkworld.com/newsletters/dir/index.html"&gt;newsletter&lt;/a&gt;? 
Do I have to start making more mistakes before you'll pay up?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1908009933973680297?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1908009933973680297/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1908009933973680297' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1908009933973680297'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1908009933973680297'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/09/novell-support-goes-off-deep-end.html' title='Novell Support goes off the deep end.'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1491847283790790601</id><published>2009-09-06T09:17:00.000-07:00</published><updated>2009-09-06T09:20:26.709-07:00</updated><title type='text'>The blogger's lament (Revised)</title><content type='html'>Where have all the bloggers gone, long time passing.&lt;br /&gt;Where have all the bloggers gone, long time ago.&lt;br /&gt;Where have all the bloggers gone, gone to &lt;span style="font-style: italic;"&gt;twitter&lt;/span&gt; every one&lt;br /&gt;When will they ever learn, when will they ever learn.&lt;br /&gt;&lt;br /&gt;with a tip o'the hat to &lt;a 
href="http://www.xmlgrrl.com/"&gt;xmlgrrl&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1491847283790790601?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1491847283790790601/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1491847283790790601' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1491847283790790601'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1491847283790790601'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/09/bloggers-lament-revised.html' title='The blogger&apos;s lament (Revised)'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-2452343717195575636</id><published>2009-09-05T16:33:00.000-07:00</published><updated>2009-09-05T16:34:24.747-07:00</updated><title type='text'>The blogger's lament</title><content type='html'>Where have all the bloggers gone&lt;br /&gt;Long time passing&lt;br /&gt;Where have all the bloggers gone&lt;br /&gt;Long time ago&lt;br /&gt;Where have all the bloggers gone&lt;br /&gt;Gone to facebook every one&lt;br /&gt;When will they ever learn&lt;br /&gt;When will they ever learn.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/3529143-2452343717195575636?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/2452343717195575636/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=2452343717195575636' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2452343717195575636'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2452343717195575636'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/09/bloggers-lament.html' title='The blogger&apos;s lament'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1013492117699655241</id><published>2009-07-28T09:44:00.000-07:00</published><updated>2009-07-28T09:54:06.834-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Catalyst'/><category scheme='http://www.blogger.com/atom/ns#' term='blogging'/><category scheme='http://www.blogger.com/atom/ns#' term='Twitter'/><title type='text'>The dearth of blogging</title><content type='html'>I'm skipping the first couple of days (the "workshop" days) at this year's &lt;a href="http://www.catalyst.burtongroup.com/"&gt;Catalyst Conference&lt;/a&gt; in San Diego. In the past, I'd relied on others' blogs for the nitty-gritty of what's going on in those sessions. 
This year, though, it appears that Twitter has become the reporting tool of choice (and yeoman work is being done by @&lt;span class="status-body"&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/span&gt;&lt;strong style="font-weight: normal;"&gt;&lt;a rel="http://s.bit.ly/preview.twittername.iframe.html?twittername=paulmadsen" href="http://twitter.com/paulmadsen" class="screen-name" title="Paul Madsen"&gt;paulmadsen&lt;/a&gt;, @&lt;/strong&gt;&lt;span class="status-body"&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/span&gt;&lt;strong&gt;&lt;a style="font-weight: normal;" rel="http://s.bit.ly/preview.twittername.iframe.html?twittername=NishantK" href="http://twitter.com/NishantK" class="screen-name" title="Nishant Kaushik"&gt;NishantK&lt;/a&gt;, &lt;/strong&gt;&lt;span class="status-body"&gt;&lt;span class="entry-content"&gt;@&lt;a rel="http://s.bit.ly/preview.twittername.iframe.html?twittername=xmlgrrl" href="http://twitter.com/xmlgrrl"&gt;xmlgrrl&lt;/a&gt; and especially &lt;/span&gt;&lt;/span&gt;&lt;span class="status-body"&gt;&lt;span id="msgtxt2886775713" class="msgtxt en"&gt; &lt;a href="http://twitter.com/brettmcdowell" onclick="pageTracker._trackPageview('/exit/to/brettmcdowell')" target="_blank"&gt;@brettmcdowell&lt;/a&gt;) but there's simply no way to get the full flavor of a presentation in a disjointed series of ~140 character semi-cryptic notes.&lt;br /&gt;&lt;br /&gt;Please people, write up those blog entries! 
Tweet the URL of the posting, but give us as much verbiage as necessary to convey actual meaning.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1013492117699655241?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1013492117699655241/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1013492117699655241' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1013492117699655241'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1013492117699655241'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/07/dearth-of-blogging.html' title='The dearth of blogging'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1969168405076086887</id><published>2009-07-27T10:20:00.000-07:00</published><updated>2009-07-27T10:24:11.766-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Facebook can't tell a friend from a hole in the ground</title><content type='html'>Burton Group's Ian Glazer has done some &lt;a href="http://www.tuesdaynight.org/2009/07/27/looking-beyond-the-privacy-mirror.html"&gt;follow-up&lt;/a&gt; on his "&lt;a 
href="http://apps.facebook.com/privacy_mirror/"&gt;Privacy Mirror&lt;/a&gt;" Facebook application with more shocking results. Evidently, if you and one of your friends both add the same application then the application treats your personal data as if it were also a friend - ignoring your "application privacy" settings. And it does this without informing you in any way.&lt;br /&gt;&lt;br /&gt;Not good. Not good at all.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1969168405076086887?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1969168405076086887/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1969168405076086887' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1969168405076086887'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1969168405076086887'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/07/facebook-cant-tell-friend-from-hole-in.html' title='Facebook can&apos;t tell a friend from a hole in the ground'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1838024250673578443</id><published>2009-07-24T10:58:00.000-07:00</published><updated>2009-07-24T11:21:41.276-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='humor'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Active Directory'/><title type='text'>Write a caption - win some bucks</title><content type='html'>NetVision is holding a &lt;a href="http://www.netvision.com/contest/?mjf_blog"&gt;contest &lt;/a&gt; - write a caption for their cartoon and you could win $1000.&lt;br /&gt;&lt;br /&gt;Piece of cake, you say. You doodle cartoons and captions all through the weekly staff meeting anyway - why not get money for it? Well, there are some qualifications:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style:italic;"&gt;Entrants must be actively employed as an Active Directory administrator by a company with more than 100 employees at the time of submission.&lt;/span&gt;"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Think of that, though, as limiting the competition.  Go for it!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1838024250673578443?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1838024250673578443/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1838024250673578443' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1838024250673578443'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1838024250673578443'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/07/write-caption-win-some-bucks.html' title='Write a caption - win some bucks'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6400875261606069519</id><published>2009-07-22T10:03:00.000-07:00</published><updated>2009-07-22T13:06:58.797-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Mirror, mirror on my screen tell me what PII is seen...</title><content type='html'>The Burton Group's &lt;a href="http://www.tuesdaynight.org/2009/07/22/privacy-mirror-a-privacy-experiment-in-facebook.html"&gt;Ian Glazer&lt;/a&gt; just created "&lt;a href="http://apps.facebook.com/privacy_mirror/"&gt;Privacy Mirror&lt;/a&gt;", a "...Facebook application to see what #FB tells 3rd party developers ."  If you're on Facebook you might want to check this out. Do you really want to "share" all that info (and all your friends' info) with some nameless, faceless app developer?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6400875261606069519?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6400875261606069519/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6400875261606069519' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6400875261606069519'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6400875261606069519'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/07/mirror-mirror-on-my-screen-tell-me-what.html' title='Mirror, mirror on my screen tell me what PII is 
seen...'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-4337677326579576665</id><published>2009-07-15T16:30:00.000-07:00</published><updated>2009-07-15T16:37:57.147-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Catalyst'/><category scheme='http://www.blogger.com/atom/ns#' term='Burton Group'/><category scheme='http://www.blogger.com/atom/ns#' term='humor'/><title type='text'>Who knew Hospitality suites could do that?</title><content type='html'>In a posting on the Burton Group Catalyst &lt;a href="http://www.catalyst.burtongroup.com/NA09/HospitalityMiniSites/Centrify/centrify.html"&gt;website&lt;/a&gt;, Mountain View's &lt;a href="http://www.centrify.com/"&gt;Centrify&lt;/a&gt; says:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-weight: bold;"&gt;Visit Centrify in our Hospitality Suite in Aqua 311 on Wednesday, July 29!&lt;/span&gt;&lt;br /&gt;More than 1000 enterprise customers, including 38% of the Fortune 50, have selected the Centrify Suite to improve IT efficiency, strengthen regulatory compliance initiatives, and centrally secure their heterogeneous computing environment.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I usually visit the suite to eat, drink and play games. Who knew you could also "improve IT efficiency, strengthen regulatory compliance initiatives, and centrally secure [your] heterogeneous computing environment"!  
I'm gonna be first in line...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-4337677326579576665?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/4337677326579576665/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=4337677326579576665' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4337677326579576665'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4337677326579576665'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/07/who-knew-hospitality-suites-could-do.html' title='Who knew Hospitality suites could do that?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1127990872009998422</id><published>2009-07-13T09:11:00.000-07:00</published><updated>2009-07-13T09:20:51.330-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='metasystem'/><category scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category scheme='http://www.blogger.com/atom/ns#' term='Geneva'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='federation'/><title type='text'>Geneva was better</title><content type='html'>At its Worldwide Partners Conference today, Microsoft announced the formal names for the products and 
services that had been going under the code name "Geneva":&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;span&gt;&lt;u&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;/u&gt;&lt;/span&gt;&lt;/div&gt; &lt;ul style="margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;"&gt;&lt;span&gt;&lt;span style="font-family:Calibri,sans-serif;"&gt; &lt;li&gt;&lt;b&gt;Active Directory Federation Services&lt;/b&gt; – formerly known as “Geneva” Server (and a name in use since at least 2005. See this &lt;a href="http://www.microsoft.com/presspass/features/2005/may05/05-12DigitalID.mspx"&gt;press release&lt;/a&gt;)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Windows Identity Foundation&lt;/b&gt; – formerly known as “Geneva” Framework (this name was suggested back in 2006, but for a &lt;a href="http://social.msdn.microsoft.com/Forums/en-US/windowscardspace/thread/d128c601-73ed-4494-bdc2-9f56bd5ceba4/"&gt;slightly different product&lt;/a&gt;).&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Windows Cardspace&lt;/b&gt; – same as current version (also around since 2006).&lt;br /&gt;&lt;/li&gt;&lt;/span&gt; &lt;/span&gt;&lt;/ul&gt;&lt;br /&gt;Not nearly as catchy as "Vista", but that name has too much baggage. My preference would have been for Geneva Federation Services, Geneva  Identity Foundation and GenevaCards. 
But, then, I don't make the big bucks!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1127990872009998422?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1127990872009998422/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1127990872009998422' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1127990872009998422'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1127990872009998422'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/07/geneva-was-better.html' title='Geneva was better'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-4960365964214787325</id><published>2009-07-09T12:25:00.000-07:00</published><updated>2009-07-09T12:29:26.729-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity'/><title type='text'>CALL FOR PAPERS</title><content type='html'>Last chance (deadline is July 11) to submit for Net-ID '09 coming in October in Berlin.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The European Conference on Digital Identities “Net-ID – Identity, Trust, Privacy and Security“ will come back to Berlin, Germany, in the fifth year of its history. It will take place on October 1-2, 2009, in the Steigenberger Hotel Berlin. 
Net-ID 2009 contains 4 tracks with the following&lt;br /&gt;headlines:&lt;br /&gt;– Enterprise Applications, Best Practices and Case Studies&lt;br /&gt;– eIDs in the Focus of E-Government&lt;br /&gt;– Data Protection and Privacy&lt;br /&gt;– Trends and Future&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;- Please submit to: stg@computas.de&lt;br /&gt;or by fax to: +49-221-5907480&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-4960365964214787325?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/4960365964214787325/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=4960365964214787325' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4960365964214787325'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4960365964214787325'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/07/call-for-papers.html' title='CALL FOR PAPERS'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-8371954668956457652</id><published>2009-07-02T13:53:00.000-07:00</published><updated>2009-07-02T14:04:50.554-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='rant'/><category scheme='http://www.blogger.com/atom/ns#' term='openid'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title 
type='text'>Snoopy Sears</title><content type='html'>World +dog seems to be cock-a-hoop over the new authentication that Sears has enabled, claiming OpenID is now accepted. Well, it is, but you'll only see it if you know it's there and go looking for it. First you'll be presented with a &lt;a href="http://netmesh.info/jernst/2009/06/04"&gt;NASCAR box&lt;/a&gt; showing badges for Facebook, Yahoo, Google, Twitter, AOL and MySpace. Clicking on the [more] link gets you a choice of OpenID or Windows Live. But it isn't just authentication that Sears wants.&lt;br /&gt;&lt;br /&gt;Click on the Facebook link, for example, and you see "Allowing Signin.mysears.com access will let it pull your &lt;span style="font-weight: bold;"&gt;profile information&lt;/span&gt;, photos, &lt;span style="font-weight: bold;"&gt;your friends' info&lt;/span&gt;, and other content that it requires to work."&lt;br /&gt;&lt;br /&gt;Click on the Twitter link and get: "The application &lt;strong style="font-weight: normal;"&gt;Signin.mysears.com&lt;/strong&gt; by &lt;strong style="font-weight: normal;"&gt;Sears&lt;/strong&gt; would like the ability to &lt;strong style="font-weight: normal;"&gt;access and &lt;span style="font-weight: bold;"&gt;update&lt;/span&gt;&lt;/strong&gt;&lt;span style="font-weight: bold;"&gt; &lt;/span&gt;your data on Twitter."&lt;br /&gt;&lt;br /&gt;Do I really want Sears to know who my friends are (and how to contact them)? Do I really want Sears to be able to update my Twitter data (whatever that is)?&lt;br /&gt;&lt;br /&gt;Decidedly and emphatically, NO!&lt;br /&gt;&lt;br /&gt;Some may think this is a step forward for OpenID, but it's not. 
It's a step back for privacy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-8371954668956457652?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/8371954668956457652/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=8371954668956457652' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8371954668956457652'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8371954668956457652'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/07/snoopy-sears.html' title='Snoopy Sears'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-8345445126911577215</id><published>2009-06-29T11:35:00.000-07:00</published><updated>2009-06-29T11:38:21.547-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Targeting targeted advertising</title><content type='html'>There's a strong movement afoot to set targeted advertising as the antithesis to privacy. See, for example, this &lt;a href="http://www.theregister.co.uk/2009/06/29/bennett_google_privacy/"&gt;sententious blathering&lt;/a&gt; from that normally reliable publication, The Register.&lt;br /&gt;&lt;br /&gt;Advertising is what's paying for the internet. There are two types of advertising, targeted and non-targeted. 
Non-targeted ads mean I have to wade through ads for feminine hygiene, pet flea collars, securities traders, mortgage lenders and dozens of others that I not only have no interest in, but will never have an interest in because I'm the wrong gender or don't have the item (pet, need to trade stock, re-financing quandary, etc.) that they are aiming for.&lt;br /&gt;&lt;br /&gt;On the other hand, I am interested in travel, slow food, blues music, comfortable clothing, and other topics whose ads I'll gladly read and often click on. Occasionally I'll even make the purchase. I don't feel they intrude on my time (certainly not as much as PR types who call me early in the AM) nor do I feel that my "privacy" has been violated. &lt;br /&gt;&lt;br /&gt;The article I pointed to above includes the usual diatribe about Google and Gmail: "&lt;span style="font-style: italic;"&gt;Gmail scans your personal communication for keywords - there is no opt-out, and using a secure tunnel is no protection.&lt;/span&gt;" But of course there's an opt-out: DON'T USE GMAIL! (and, I must ask, protection from what?) Use some other "free" service, or pay for one. Google has no obligation to provide you with free email, photoposting (Picasa), newspapers (Google News), telephone accessories (Google Voice) or any of the other ad-supported services from the Mountain View search giant.&lt;br /&gt;&lt;br /&gt;I like my Gmail. If you don't, that's fine. 
Just leave me alone to enjoy it and I'll leave you alone to enjoy whichever mail service you choose.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-8345445126911577215?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/8345445126911577215/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=8345445126911577215' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8345445126911577215'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8345445126911577215'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/06/targeting-targeted-advertising.html' title='Targeting targeted advertising'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-5691329809189496801</id><published>2009-06-24T15:39:00.000-07:00</published><updated>2009-06-24T15:40:41.044-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Lookin' for a date honey?</title><content type='html'>Ever use an escort service in Vegas? Or think about it? 
Better read Matt Flynn's &lt;a href="http://360tek.blogspot.com/2009/06/online-identity-privacy-users-dont-take.html"&gt;blog entry&lt;/a&gt; for today :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-5691329809189496801?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/5691329809189496801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=5691329809189496801' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5691329809189496801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5691329809189496801'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/06/lookin-for-date-honey.html' title='Lookin&apos; for a date honey?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-4502383368430588063</id><published>2009-06-22T10:23:00.000-07:00</published><updated>2009-06-22T10:26:03.820-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='rant'/><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Half empty?</title><content type='html'>Although the city of Bozeman, MT has now &lt;a href="http://montanasnewsstation.com/Global/story.asp?S=10558291"&gt;dropped&lt;/a&gt; its requirement that 
job seekers, to be considered for a job, must provide login information and passwords for social network sites in which they participate, the story notes: "...&lt;span style="font-style: italic;"&gt;the passwords already given by previous applicants will remain the confidential property of the City&lt;/span&gt;. "&lt;br /&gt;&lt;br /&gt;Why?&lt;br /&gt;&lt;br /&gt;They admit that it was poor policy to collect them. The ethical thing to do would be to immediately discard them - safely. Until you do that, Bozeman, you're still going to be at the top of the anti-privacy list.&lt;br /&gt;&lt;br /&gt;Just one more reason to drop the use of passwords in favor of a biometric authentication. Even Bozeman, I'd hope, wouldn't ask you to leave your finger on file!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-4502383368430588063?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/4502383368430588063/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=4502383368430588063' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4502383368430588063'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4502383368430588063'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/06/half-empty.html' title='Half empty?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6120172665696685171</id><published>2009-06-11T10:12:00.000-07:00</published><updated>2009-06-12T11:43:15.274-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='metasystem'/><title type='text'>Is "fact" analog or digital?</title><content type='html'>In a recent &lt;a href="http://storm.alert.sk/blog/2009/06/11/Metasystem-and-the-Network-Effect"&gt;posting&lt;/a&gt; about Kim Cameron's latest effort ("&lt;a href="http://www.identityblog.com/?p=1048"&gt;Proposal for a Common Identity Framework&lt;/a&gt;"), Radovan Semancik picks a number of nits, including this:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;It also seems to assume a binary view of trust: something is either "in doubt" (in claims) or becomes a "fact". I consider this binary view to be one of the worst fallacies of most current identity architectures and systems.&lt;/span&gt;"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Now it could be that he means there's actually 3 possibilities: "in doubt", "fact" or "false." But, somehow, I get the sense that he refers to some analog function of factuality which I simply cannot fathom. He later adds: "&lt;span style="font-style: italic;"&gt;No information is absolutely reliable and all the information (at least in cyberspace) is subjective,&lt;/span&gt;" which appears to be positively Luddite in finding cyberspace to be somehow less reliable than, say, &lt;a href="http://weeklyworldnews.com/headlines/8856/reincarnated-wwii-fighter-pilot/"&gt;print media&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;In any event, Cameron's latest effort, the 30-page (sometimes dense reading) paper written in conjunction with Dr. 
Kai Rannenberg (who holds the T-Mobile Chair for Mobile Business and Multilateral Security at Goethe University Frankfurt) and Dr. Reinhard Posch (Federal CIO for the Austrian government) deserves your attention. Read it this weekend.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6120172665696685171?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6120172665696685171/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6120172665696685171' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6120172665696685171'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6120172665696685171'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/06/is-fact-analog-or-digital.html' title='Is &quot;fact&quot; analog or digital?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-3498246821501683732</id><published>2009-06-08T09:39:00.000-07:00</published><updated>2009-06-08T09:48:44.344-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='verification'/><category scheme='http://www.blogger.com/atom/ns#' term='humor'/><category scheme='http://www.blogger.com/atom/ns#' term='reputation'/><category scheme='http://www.blogger.com/atom/ns#' term='social networks'/><title type='text'>verification: All a 
Twitter</title><content type='html'>Twitter news is usually well below my radar, but today's post on  the &lt;a href="http://blog.twitter.com/2009/06/not-playing-ball.html"&gt;Twitter Blog&lt;/a&gt; does deserve some comment.&lt;br /&gt;&lt;br /&gt;It seems that Twitter will be rolling out a "verification service" this summer as a way to combat celebrity (and other) impersonators. Why the impersonations should be a problem (since most that I've heard of are patently obvious fakes), I don't know. Except, of course, that Twitter could be sued (and &lt;a href="http://www.pcworld.com/article/166151/three_strikes_against_tony_la_russas_twitter_lawsuit.html"&gt;has been&lt;/a&gt;) for allowing them.&lt;br /&gt;&lt;br /&gt;While the verification service is being rolled out, Twitter advises: "&lt;span style="font-style: italic;"&gt;Another way to determine authenticity is to check the official web site of the person for a link back to their Twitter account.&lt;/span&gt;" That's provided, of course, that the "official" web site has been properly verified!&lt;br /&gt;&lt;br /&gt;Not everyone will get the "Verified by Twitter" mark, though, as "...&lt;span style="font-style: italic;"&gt;due to the resources required, verification will begin only with a small set.&lt;/span&gt;"  But we are assured that "&lt;span style="font-style: italic;"&gt;The experiment will begin with public officials, public agencies, famous artists, athletes, and other well known individuals at risk of impersonation&lt;/span&gt;." 
I'll be waiting for my invitation...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-3498246821501683732?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/3498246821501683732/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=3498246821501683732' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3498246821501683732'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3498246821501683732'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/06/verification-all-twitter.html' title='verification: All a Twitter'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6257540169742838456</id><published>2009-06-04T10:41:00.000-07:00</published><updated>2009-06-04T10:56:53.576-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='openid'/><category scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category scheme='http://www.blogger.com/atom/ns#' term='infocards'/><category scheme='http://www.blogger.com/atom/ns#' term='ICF'/><title type='text'>Pre-selecting (is that like pre-boarding?)</title><content type='html'>&lt;div style="text-align: left;"&gt;Paul Trevithick has a &lt;a href="http://www.incontextblog.com/?p=341"&gt;good post&lt;/a&gt; today taking a look at the experience of a 
user who doesn't have an identity card selector installed (or, perhaps, has a selector - e.g., with IE - but no cards). Faced with a choice of the openID &lt;a href="http://www.incontextblog.com/wp-content/uploads/2009/06/nascar-rpx-300x237.png"&gt;NASCAR billboard&lt;/a&gt; and the tiny purple Infocard logo, the user is more than likely to opt for a familiar logo in the openID display - if they even notice the tiny &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.incontextblog.com/wp-content/plugins/wp-infocard/pwlib/images/infocard_60x42.png"&gt;&lt;img style="cursor: pointer; width: 60px; height: 42px;" src="http://www.incontextblog.com/wp-content/plugins/wp-infocard/pwlib/images/infocard_60x42.png" alt="" border="0" /&gt;&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;He goes on to suggest various behaviors for a mouseover event which would, at least, let the user know what the icon represented.  He then offers a popover showing the logos of up to four "trusted" (by the RP, presumably) card issuers with the user able to click on one and be carried through the process of creating a card, downloading a selector (if needed) and then re-directed to the original site to complete the infocard authentication process.&lt;br /&gt;&lt;br /&gt;Besides taking an inordinate amount of time (something internet users appear to not want to do), it places infocard relying parties on the slippery slope of favoring some card issuers over others leading to abusive behavior (charging for placement/positioning, blackballing, etc.).&lt;br /&gt;&lt;br /&gt;Perhaps the &lt;a href="http://informationcard.net/foundation"&gt;ICF&lt;/a&gt; (Information Card Foundation) should consider issuing its own "super logo" which would present, on a rotating basis, all card issuers...&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/3529143-6257540169742838456?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6257540169742838456/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6257540169742838456' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6257540169742838456'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6257540169742838456'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/06/pre-selecting-is-that-like-pre-boarding.html' title='Pre-selecting (is that like pre-boarding?)'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1672184227968980995</id><published>2009-05-25T09:06:00.000-07:00</published><updated>2009-05-25T09:18:52.415-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='VRM'/><category scheme='http://www.blogger.com/atom/ns#' term='context'/><category scheme='http://www.blogger.com/atom/ns#' term='digital identity'/><title type='text'>It's OK, we're co-related</title><content type='html'>In &lt;a href="http://www.identityblog.com/?p=1042"&gt;responding&lt;/a&gt; to my "violent agreement" post, Kim Cameron goes a long way towards beginning to define the parameters for correlating data and transactions. 
I'd urge all of you to jump into the discussion.&lt;br /&gt;&lt;br /&gt;But - and it's a huge but - we need to be very careful of the terminology we use.&lt;br /&gt;&lt;br /&gt;Kim starts: "&lt;span style="font-style: italic;"&gt;Let’s postulate that only the parties to a transaction have the right to correlate the data in the transaction, and further, that they only have the right to correlate it with other transactions involving the same parties.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;Which would mean, as I read it, that I couldn't correlate my transactions booking a plane trip, hotel and rental car since different parties were involved in all three transactions!&lt;br /&gt;&lt;br /&gt;But he goes on to say: "...&lt;span style="font-style: italic;"&gt;the individual would have the right to correlate data across all the parties with whom she interacts.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;So which is it - do the parties have the right to create correlations among all partners, or not? Remember that, at least according to US law, a corporation is treated as "an individual."&lt;br /&gt;&lt;br /&gt;In the end, it isn't the correlation that's problematic, but the use to which it's put. So let's tie up the usage in a legally binding way, and not worry so much about the tools and technology.&lt;br /&gt;&lt;br /&gt;In many ways the internet makes anti-social and unethical behavior easier. That doesn't mean (as some would have it) that we need to ban internet access or technological tools. 
It does mean we need to better educate people about acceptable behavior and step up our policing tools to better enable us to nab the bad guys (while not inconveniencing the good guys).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1672184227968980995?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1672184227968980995/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1672184227968980995' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1672184227968980995'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1672184227968980995'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/05/its-ok-were-co-related.html' title='It&apos;s OK, we&apos;re co-related'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6078519100053553429</id><published>2009-05-23T22:57:00.000-07:00</published><updated>2009-05-23T23:04:42.793-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DRM'/><category scheme='http://www.blogger.com/atom/ns#' term='Laws of Identity'/><category scheme='http://www.blogger.com/atom/ns#' term='attention'/><title type='text'>Another violent agreement</title><content type='html'>Kim &lt;a href="http://www.identityblog.com/?p=1041"&gt;replied&lt;/a&gt; to my earlier post with 
a thoughtful piece. First, let me say, the allusion I made to the RIAA was that they wish to ban tools - it's so much easier than collecting evidence of illegal behavior.&lt;br /&gt;&lt;br /&gt;And I took Kim at his word when he talked "about the need to prevent correlation handles and assembly of information across contexts..." That does sound like "banning the tools."&lt;br /&gt;&lt;br /&gt;So I'm pleased to say I agree with his clarification of today:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;I agree that we must influence behaviors as well as develop tools... [but] there’s a huge gap between the kind of data correlation done at a person’s request as part of a relationship (VRM), and the &lt;/span&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;data correlation &lt;/span&gt;&lt;span style="font-style: italic;"&gt;I described in my post that is &lt;/span&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;done without a person’s consent or knowledge&lt;/span&gt;&lt;span style="font-style: italic;"&gt;.&lt;/span&gt;" (emphasis added)&lt;/blockquote&gt;We need sophisticated data correlation tools, tools which can discern our real desires from our passing whims and organize our quest for knowledge, experience and - yes - material things in ways which we can only dream about now. By all means let's punish and abjure bad or anti-social behavior. But let's not stigmatize the tools that the miscreants pervert to their own unethical purposes.&lt;br /&gt;&lt;br /&gt;And I think we can say that those who purchase barbells, and only barbells, at Canadian Tire are thoughtful, erudite gentlemen of the old school...  
:)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6078519100053553429?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6078519100053553429/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6078519100053553429' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6078519100053553429'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6078519100053553429'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/05/another-violent-agreement.html' title='Another violent agreement'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1683378023679630494</id><published>2009-05-23T09:44:00.000-07:00</published><updated>2009-05-23T10:00:50.822-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='VRM'/><category scheme='http://www.blogger.com/atom/ns#' term='reputation'/><category scheme='http://www.blogger.com/atom/ns#' term='digital identity'/><title type='text'>Kim Cameron: secret RIAA agent?</title><content type='html'>Kim has an interesting &lt;a href="http://www.identityblog.com/?p=1040"&gt;post&lt;/a&gt; today, referencing an article ("&lt;a href="http://www.nytimes.com/2009/05/17/magazine/17credit-t.html?pagewanted=1&amp;amp;_r=1&amp;amp;sq=The"&gt;What Does Your Credit-Card Company Know 
About You?&lt;/a&gt;" by Charles Duhigg in last week’s New York Times).&lt;br /&gt;&lt;br /&gt;Kim correctly points out the major fallacies in the thinking of J. P. Martin, a "math-loving executive at Canadian Tire", who, in 2002,  decided to analyze the information his company had collected from credit-card transactions the previous year. For example, Martin notes that "2,220 of 100,000 cardholders who used their credit cards in drinking places missed four payments within the next 12 months." But that's barely 2% of the total, as Kim points out, and hardly conclusive evidence of anything.&lt;br /&gt;&lt;br /&gt;I'm right with Cameron for most of his essay, up until the end when he notes:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;When we talk about the need to prevent correlation handles and assembly of information across contexts (for example, in the Laws of Identity and our discussions of anonymity and minimal disclosure technology), we are talking about ways to begin to throw a monkey wrench into an emerging Martinist machine.  Mr. Duhigg’s story describes early prototypes of the machinations we see as inevitable should we fail in our bid to create a privacy enhancing identity infrastructure for the digital epoch.&lt;/span&gt;"&lt;/blockquote&gt;Change "privacy enhancing" to "intellectual property protecting" and it could be a quote from an RIAA press release!&lt;br /&gt;&lt;br /&gt;We should never confuse tools with the bad behavior that can be helped by those tools. Data correlation tools, for example, are vitally necessary for automated personalization services and can be a big help to future services such as Vendor Relationship Management (&lt;a href="http://cyber.law.harvard.edu/projectvrm/Main_Page"&gt;VRM&lt;/a&gt;). After all, it's not Napster that's bad but people who use it to get around copyright laws who are bad. It isn't a cup of coffee that's evil, just people who try to carry one thru airport security. 
:)&lt;br /&gt;&lt;br /&gt;It is easier to forbid the tool rather than to police the behavior but in a democratic society, it's the way we should act.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1683378023679630494?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1683378023679630494/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1683378023679630494' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1683378023679630494'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1683378023679630494'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/05/kim-cameron-secret-riaa-agent.html' title='Kim Cameron: secret RIAA agent?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-3128613309198158339</id><published>2009-05-18T15:12:00.000-07:00</published><updated>2009-05-18T15:19:27.783-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='openid'/><category scheme='http://www.blogger.com/atom/ns#' term='VRM'/><category scheme='http://www.blogger.com/atom/ns#' term='SAML'/><category scheme='http://www.blogger.com/atom/ns#' term='Oauth'/><category scheme='http://www.blogger.com/atom/ns#' term='user centric'/><title type='text'>The Diamond Framework</title><content type='html'>Paul 
Trevithick has done us all a great service: he's provided a &lt;a href="http://www.incontextblog.com/?p=258"&gt;matrix&lt;/a&gt; of terms from the major authentication/identity systems making up what's loosely called "user-centric" identity and equated the varying terms (each identified with a letter) to facilitate conversations about the varying protocols, systems and technologies. A wonderful effort coming, as it does, on the opening day of the spring Internet Identity Workshop.&lt;br /&gt;&lt;br /&gt;Would that, in this best of all possible worlds, the various evangelists for these systems could adopt Paul's terminology.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-3128613309198158339?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/3128613309198158339/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=3128613309198158339' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3128613309198158339'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3128613309198158339'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/05/diamond-framework.html' title='The Diamond Framework'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-3087131787679634550</id><published>2009-05-16T09:49:00.000-07:00</published><updated>2009-05-16T09:59:48.989-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='biometrics'/><category scheme='http://www.blogger.com/atom/ns#' term='authentication'/><title type='text'>Does one finger beat two pins?</title><content type='html'>This &lt;a href="http://www.indianexpress.com/news/Forget-the-PIN--banking-now-at-tip-of-senior-citizens--fingers/459832"&gt;story&lt;/a&gt; from India about a bank installing biometric ATMs, purportedly so that senior citizens who have difficulty remembering their PIN could have their fingerprint read instead, got me to thinking.&lt;br /&gt;&lt;br /&gt;I have two different ATM accounts with my bank, one business, one personal. I use different PINs for each. I don't know why I use different ones, perhaps it's a belief that if one is compromised I'd still have the other. But suppose my bank offered a biometric ATM? Would I choose to use the same finger for each account or two different ones?&lt;br /&gt;&lt;br /&gt;After all, chances are that if one finger is "compromised" my entire hand would be also. And simply remembering which finger works which account could be problematic for this "senior citizen." Still, it's deeply ingrained in me that different accounts need different authenticators. Maybe I'd choose to use a "strengthened" method - fingerprint+PIN. Then I could use the same finger (but a different PIN) for each account. Or different fingers plus the same PIN. &lt;br /&gt;&lt;br /&gt;Using different fingers with different PINs is right out, though. No way I could remember those combinations. I'd need to carry around a picture of the correct finger with the right PIN written on it! 
&lt;br /&gt;&lt;br /&gt;And, with all those people, especially all those old people, swiping their fingers on the ATM - wouldn't that be a health hazard?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-3087131787679634550?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/3087131787679634550/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=3087131787679634550' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3087131787679634550'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3087131787679634550'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/05/does-one-finger-beat-two-pins.html' title='Does one finger beat two pins?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-4090867672059561940</id><published>2009-05-14T11:01:00.000-07:00</published><updated>2009-05-14T11:43:08.085-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='rant'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='saas'/><title type='text'>Buzz phrase du jour</title><content type='html'>Came across another, to me, really dumb term this morning: &lt;a 
href="http://www.cio.com/article/492695/Defining_Private_Clouds_Part_One"&gt;Private Clouds&lt;/a&gt;. I'm still not all that comfortable with "cloud computing," mind you. Differentiating it from last year's Software as a Service (SaaS) where the service is outsourced presents issues to me - issues of why call something a new name when the old one works just as well. So too with this oxymoron "Private Clouds". The author starts by appropriating (from the Berkeley RAD Lab's cloud computing report) a definition of cloud computing. Of course, he goes on to state "...that the RAD Lab specifically states that they do not consider internal (i.e., private) clouds to be 'real' clouds..." This doesn't stop him, though and he blunders on.&lt;br /&gt;&lt;br /&gt;Perhaps I just understand this part better, but his comments on Identity Management left me chuckling:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;A robust identity management system needs to be in place to enable automation. Requests for computing services will come not from a sit-down meeting where authentication and authorization will be done on a personal basis - i.e., direct face-to-face interaction enabling the resource granter to identify the legitimacy of the request and the requestor - but from an service request via a software-enabled mechanism like an internal portal&lt;/span&gt;."&lt;/blockquote&gt;Ask any mid-sized to large enterprise IdM manager when was the last time that provisioning was done via a "direct face-to-face interaction"! 
Automated, even self-service, IdM has been around since long before the "cloud" paradigm was ever contemplated and its use does &lt;span style="font-weight: bold;"&gt;not&lt;/span&gt; constitute evidence of the elusive "private cloud" architecture, but of a robust enterprise IdM system.&lt;br /&gt;&lt;br /&gt;Calling a POCS (Plain Old Client-Server) system a "private cloud" simply because you've added some self-service elements succeeds only in muddying the waters at a time when clarity is needed. Let's agree to drop this foolish term.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-4090867672059561940?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/4090867672059561940/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=4090867672059561940' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4090867672059561940'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4090867672059561940'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/05/buzz-phrase-du-jour.html' title='Buzz phrase du jour'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-4286443485103954634</id><published>2009-05-13T13:25:00.000-07:00</published><updated>2009-05-13T13:47:49.996-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Burton Group'/><category scheme='http://www.blogger.com/atom/ns#' term='entitlement'/><title type='text'>"Entitled" to an opinion?</title><content type='html'>My good friend Ian Glazer, over at the Burton Group, had an interesting post today called &lt;a href="http://identityblog.burtongroup.com/bgidps/2009/05/nailing-down-the-definition-of-entitlement-management.html"&gt;Nailing Down the Definition of "Entitlement Management"&lt;/a&gt;. Unfortunately, he missed.&lt;br /&gt;&lt;br /&gt;Ian started out pointing to Ian Yip’s &lt;a href="http://blog.ianyip.com/2009/05/entitlement-and-access-management.html"&gt;definition&lt;/a&gt; ("Entitlement management is simply fine-grained authorisation + XACML") and showing why it's wrong. And I do completely agree with Glazer on that.&lt;br /&gt;&lt;br /&gt;But he goes on to say that the enterprises that Burton is talking to use the term differently. He says:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;blockquote&gt;"The enterprises that we talked to use '&lt;span style="font-weight: bold;"&gt;entitlement management&lt;/span&gt;' to mean:&lt;br /&gt;·      The gathering of entitlements from target systems (for example, collecting all the AD groups or TopSecret resource codes)&lt;br /&gt;·      Reviewing these entitlements to see if they are still valid&lt;br /&gt;·      Reviewing the assignment of these entitlements to individuals to see if the assignments are appropriate&lt;br /&gt;·      Removing and cleaning up excessive or outdated entitlements"&lt;/blockquote&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;My first question to Ian, then, is this: if your clients (as many have in the past) referred to the enforcement of access controls/policies as "authorization" would you assume that definition for further discussion or try to get people to use the term properly?&lt;br /&gt;&lt;br /&gt;"AD groups" are not, by any stretch of the definition, an 
entitlement. Nor should an "entitlement" be assigned to "an individual". Let's use entitlement at least in an analogous way to the real world - no one is "entitled" to something based on their name. All entitlement comes from their group or role. The same should be said of digital entitlements. So gather users' access rights, please. But then group those rights into an entitlement and grant them to a role and/or group.&lt;br /&gt;&lt;br /&gt;Differentiate entitlement management from access management, also (else, why use both terms?). Individuals get access, roles/groups get entitlements. Access is granted to resources (hardware, applications, services, etc.) while entitlements specify what a particular role/group can do with or within that resource. &lt;br /&gt;&lt;br /&gt;If we all try really hard, maybe we can all speak the same language! That said, we should always be aware of what Richard Feynman said: "You can know the name of a bird in all the languages of the world, but when you're finished, you'll know absolutely nothing whatever about the bird... So let's look at the bird and see what it's doing -- that's what counts. 
I learned very early the difference between knowing the name of something and knowing something."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-4286443485103954634?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/4286443485103954634/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=4286443485103954634' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4286443485103954634'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4286443485103954634'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/05/entitled-to-opinion.html' title='&quot;Entitled&quot; to an opinion?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6056040617631899576</id><published>2009-05-10T17:53:00.000-07:00</published><updated>2009-05-10T18:14:07.963-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='EIC'/><title type='text'>EIC 2009</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.kuppingercole.com/gallery/eic2009/"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 134px;" src="http://www.kuppingercole.com/gallery/get/2355/IMG_6591.jpg?g2_serialNumber=2" alt="" border="0" 
/&gt;&lt;/a&gt;&lt;br /&gt;Just back from another fine European ID Conference in Munich. The combination of the venue (the Forum at the &lt;a href="http://www.deutsches-museum.de/en/information/"&gt;Deutsches Museum&lt;/a&gt;), the &lt;a href="https://www.id-conf.com/events/eic2009/speakers"&gt;speakers&lt;/a&gt; and our great hosts from &lt;a href="http://www.kuppingercole.com/"&gt;Kuppinger-Cole + Partner&lt;/a&gt; (Martin, Tim, Joerg, Felix, Sebastian, Levent, Gabi, Bettina and all their cohorts) makes this an event ne plus ultra.&lt;br /&gt;&lt;br /&gt;In particular, the panels I moderate at EIC always seem to sparkle a bit more, to have more content and to be just a bit more interesting than those in other venues. Maybe it's the panelists themselves but more likely it's a combination of them and the very engaged audiences. Whatever the reason, this is a conference I can recommend to anyone in IdM whatever your skill level, specialty or location.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6056040617631899576?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6056040617631899576/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6056040617631899576' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6056040617631899576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6056040617631899576'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/05/eic-2009.html' title='EIC 2009'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-5202333979382621400</id><published>2009-04-28T08:54:00.000-07:00</published><updated>2009-04-28T12:52:16.892-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='rant'/><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='authentication'/><title type='text'>Government nonsense</title><content type='html'>My Network World colleague Mitch Kebay &lt;a href="http://www.networkworld.com/newsletters/sec/2009/042709sec1.html?nlhtsecstrat=ts_042809&amp;amp;nladname=042809securitystrategiesal"&gt;points out&lt;/a&gt; that the  &lt;a href="http://www.nist.gov/index.html"&gt;National Institute of Standards and Technology&lt;/a&gt;'s &lt;a href="http://csrc.nist.gov/"&gt;Computer Security Division&lt;/a&gt; has just published SP 800-118, &lt;a href="http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf"&gt;“DRAFT Guide to Enterprise Password Management”&lt;/a&gt; which now awaits comments. Mitch suggests it needs those comments "for improvement," but that shipped has already sailed. The only improvement would have been to not waste the time to write and publish it.&lt;br /&gt;&lt;br /&gt;Username/password for enterprise authentication is not only poorly implemented, not only passe but also very dangerous.  
The ONLY guideline NIST should issue for enterprise passwords is &lt;span style="font-weight: bold;"&gt;STOP USING THEM.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Of course, with the heavy government involvement in business that the current economic crisis is enabling, a simple ban on username/password or a requirement for strong authentication would make much more sense.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-5202333979382621400?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/5202333979382621400/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=5202333979382621400' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5202333979382621400'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5202333979382621400'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/04/government-nonesense.html' title='Government nonsense'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-8881962151988398955</id><published>2009-04-26T21:59:00.000-07:00</published><updated>2009-04-26T21:59:01.028-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='acquisition'/><category scheme='http://www.blogger.com/atom/ns#' term='Sun'/><category scheme='http://www.blogger.com/atom/ns#' term='oracle'/><title 
type='text'>Oracle-Sun merger: a gathering of opinion</title><content type='html'>&lt;span style="font-family:arial;"&gt;When I heard about Oracle's purchase of Sun, I started contacting those I know in IdM - vendors, consultants, and users - to gather their opinion on what it means both to the industry and to those who use the products. Here's what some people had to say:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center; font-family: trebuchet ms;"&gt;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family:trebuchet ms;"&gt;  &lt;/span&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;I think [this] is a positive change, Sun was suffering from a lack of direction, and Oracle is probably going to get things straight.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;  Regarding the market, in the software arena is where things are going to be interesting:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;    MySQL is going to die.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;    In the identity space I think Oracle products are going to win, that probably means that OpenSSO, glassfish etc are going to suffer a slow death (I am not sure about the dedication of Oracle to OpenSource). 
I still think that the Directory is going to be the only part of sun that has a potential to live.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;       This sets an interesting landscape in which those employees that are fired (or made redundant :) ) as they might take the OpenSource code and spin off a company that makes a living out of that (something along the lines of unboundID).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;       Regarding Symlabs as a company I do not expect to see major changes, as the clients that prefer Oracle are going to prefer Sun, it also means that the VDS from Sun is never going to see the light (OVD is a good product).&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;       In the federation space the oracle product would probably stay and we have always had a good relationship with oracle (from our IGF collaboration).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt; -&lt;span style="font-weight: bold;"&gt; Antonio Navarro, &lt;/span&gt;&lt;/span&gt;&lt;a style="font-family: trebuchet ms; font-weight: bold;" href="http://www.symlabs.com/"&gt;Symlabs&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center; font-family: trebuchet ms;"&gt;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family:Calibri,Verdana,Helvetica,Arial;"&gt;&lt;span style="font-style: italic;"&gt;My  view: The directory will  survive. 
Everything else is suspect (including Open  SSO).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;- &lt;span style="font-weight: bold;"&gt;Mike &lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-family:trebuchet ms;" &gt;Neuenschwander, &lt;/span&gt;&lt;a style="font-family: trebuchet ms; font-weight: bold;" href="http://www.mycroftinc.com/"&gt;MyCroft&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center; font-family: trebuchet ms;"&gt;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=&lt;br /&gt;&lt;/div&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;1. Larry Ellison wants an operating system so that he can pee with the Big&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;Guys. And hey, what's a few billion more or less?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;2. Larry is just about the uncoolest person in the world as far as the open&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;source community goes. And HE is going to own Java? Give me a break!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;- &lt;span style="font-weight: bold;"&gt;Tim Cole, &lt;/span&gt;&lt;/span&gt;&lt;a style="font-family: trebuchet ms; font-weight: bold;" href="http://www.kuppingercole.com/"&gt;Kuppinger-Cole&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center; font-family: trebuchet ms;"&gt;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=&lt;br /&gt;&lt;/div&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;In the identity management space, Sun and Oracle are direct competitors and Oracle will likely want to consolidate products.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;1. 
Directory: Oracle’s OID is core to Oracle’s platform, as it uses the database as a back end. On the other hand, Sun’s directory server is much more widely deployed, despite some reliability problems. Hitachi ID predicts that Oracle will add the ability to use an Oracle database as a back end to Sun’s directory server and use the resulting software to replace OID.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;2. User provisioning: Architecturally, Sun’s identity manager product (Waveset acquisition) has serious performance and scalability problems, since it keeps a significant amount of user profile data in a complex XML object stored in each user’s LDAP directory object. As a result, Oracle will likely ask Sun IDM customers to upgrade to Oracle’s product (Thor acquisition). Sun IdM customers will not accept an upgrade option unless the new product has all of the same functionality and there is a reasonably automated migration process. This means that Oracle will have to spend a significant amount of time and product engineering effort to:&lt;/span&gt;&lt;br /&gt;&lt;ul style="font-style: italic; font-family: trebuchet ms;"&gt;&lt;li&gt;(a) Find the functional and integration gap between the Sun and Oracle user provisioning products.&lt;/li&gt;&lt;li&gt;(b) Close the gap so that the Oracle (formerly Thor) product covers 100% of the capabilities of the Sun product.&lt;/li&gt;&lt;li&gt;(c) Develop a migration program to help customers move from the Sun to the Oracle product. This process will likely take 1–2 years and consume most of Oracle’s IdM product engineering bandwidth, effectively ruling out any major improvements in either product during that time.&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;3. Role management: Sun’s acquisition of Vaau was mostly intended to impress influencers such as analysts and press. 
Hitachi ID’s evaluation of Vaau convinced us that the Vaau product was totally unworkable (we could not get it to even load a real-world data set from a mid-sized company). It follows that this product will be replaced by Oracle’s role manager (Bridgestream acquisition).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;4. Web access management: Sun has had no luck selling its WebAM/WebSSO product, and has consequently open sourced it. As an open source (and importantly: no license fee) product, this product has quickly improved both in quality and market acceptance.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;Oracle’s acquisition in this space (Oblix) has reasonable market share and is architecturally robust. Oracle will likely be forced to maintain both products – one commercial and one free – going forward. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;5. Federation: Neither Oracle nor Sun seem to have a large market share for their federation technologies, so this space remains open to strategic changes. 
Hitachi ID does not have any special insight about where this market segment will wind up, though the volatility in the market may well create an opening for the user-centric and claims-based technology being developed by Microsoft.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;-&lt;span style="font-weight: bold;"&gt; Idan Shoham &lt;/span&gt;&lt;/span&gt;&lt;a style="font-family: trebuchet ms; font-weight: bold;" href="http://hitachi-id.com/"&gt;Hitachi ID Systems, Inc.&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center; font-family: trebuchet ms;"&gt;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=&lt;br /&gt;&lt;/div&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;Huge layoffs at Sun--more than already anticipated (5-6K),&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;Huge change of culture at Sun,&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;Huge psychic impact on IT domain&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;    * mega-consolidations, not just M&amp;amp;As&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;    * concern for independence of JAVA, Open Source OSs, MySQL (this more so because of Oracle's db)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;    * hegemony of Oracle within world-class db farms&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;Oracle may be a better fit for Sun [than IBM]-- (Solaris/Sun platform, Oracle Fusion)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;    * Intensive use of Java by Oracle&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span 
style="font-style: italic;font-family:trebuchet ms;" &gt;    * Oracle does not have IBM's data-storage model/infrastructure&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;    * Oracle may not be anywhere near as stifling as IBM to Sun's innovation model&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;    * Sun still has truck loads of talent that could be leveraged by Oracle&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt; &lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:trebuchet ms;" &gt;Christopher Paidhrin, IT Security Officer, ACS Healthcare Solutions&lt;/span&gt;&lt;br /&gt;&lt;div style="text-align: center; font-family: trebuchet ms;"&gt;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=&lt;br /&gt;&lt;/div&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;I think it will significantly strengthen Oracle's position in the  identity space. They will be a strong player. Sun started Liberty, and  now Oracle is driving it.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:trebuchet ms;" &gt;Dick Hardt, &lt;/span&gt;&lt;a style="font-family: trebuchet ms; font-weight: bold;" href="http://www.sxipper.com/"&gt;Sxipper&lt;/a&gt;&lt;span style="font-weight: bold;font-family:trebuchet ms;" &gt; (and Microsoft).&lt;/span&gt;&lt;br /&gt;&lt;div style="text-align: center; font-family: trebuchet ms;"&gt;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=&lt;br /&gt;&lt;/div&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;[B]etween the two companies they have a glut of products that will need rationalization. It's practically the whole stack from directory up to role management and beyond. 
A clear roadmap of product rationalization will be needed quickly in order to prevent customer chaos. No matter what, there are products that will have to go. This is an opportunity for the other vendors like IBM, Microsoft and Quest to step in during the turmoil. This really goes to show that no bet - established suite vendor or otherwise - is necessarily a safe bet!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:trebuchet ms;" &gt;Jackson Shaw, &lt;/span&gt;&lt;a style="font-family: trebuchet ms; font-weight: bold;" href="http://www.quest.com/"&gt;Quest&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center; font-family: trebuchet ms;"&gt;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=&lt;br /&gt;&lt;/div&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;Consolidating the identity management market further was undoubtedly not one of  the top 5 reasons that Oracle acquired Sun but this will definitely be one of  the many ripples that occur from this deal.  Clearly there is significant  product overlap, so there is probably going to be a period of anxiety for both  Oracle and Sun identity management customers regarding which product from the  Sun or Oracle portfolio wins out in the end when the merged product roadmap is  finally announced.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;- &lt;span style="font-weight: bold;"&gt;Tom Kemp, &lt;/span&gt;&lt;/span&gt;&lt;a style="font-family: trebuchet ms; font-weight: bold;" href="http://www.centrify.com/"&gt;Centrify&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center; font-family: trebuchet ms;"&gt;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=&lt;br /&gt;&lt;/div&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;This move represents further consolidation in the Identity and Access Management (IAM) market. 
While they were once a leader in the IAM space, recently Sun has struggled to maintain its momentum and market share. This has been due, in part, to Sun's focus on re-stabilizing their server business, instead of focusing on their IAM technologies. After recently shopping themselves around for acquisition by other major technology players like IBM and Cisco, the Oracle acquisition calls into question the future viability of Sun's IAM product line. Oracle has its own IAM suite that is well positioned in the market with 5.1 percent market share compared to Sun's 1.4 percent market share. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;- &lt;span style="font-weight: bold;"&gt;Jay Roxe, Director of Product Marketing, &lt;/span&gt;&lt;/span&gt;&lt;a style="font-family: trebuchet ms; font-weight: bold;" href="http://www.novell.com/"&gt;Novell&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center; font-family: trebuchet ms;"&gt;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=&lt;br /&gt;&lt;/div&gt;&lt;span style="font-style: italic;font-family:trebuchet ms;" &gt;It's safe money that there will be a period of both uncertainty and  difficulty as both Oracle and Oracle/Sun customers rationalize their environments  and offerings. 
For companies looking to make a decision, should they buy &amp;amp; deploy a stack now  and hope their efforts are not scrapped by the vendor OR should they go with the stack alternative that's always been there, has great references, a very healthy  business, and lives and dies by this space?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;- &lt;span style="font-weight: bold;"&gt;Chris Sullivan, &lt;/span&gt;&lt;/span&gt;&lt;a style="font-family: trebuchet ms; font-weight: bold;" href="http://www.courion.com/"&gt;Courion Corp&lt;/a&gt;&lt;span style="font-weight: bold;font-family:trebuchet ms;" &gt;.&lt;/span&gt;&lt;br /&gt;&lt;div style="text-align: center; font-family: trebuchet ms;"&gt;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-style: italic;"&gt;In the Identity and Access Management (IAM) and Governance, Risk Management, and Compliance (GRC) fields, both companies have full stacks of competing products - Oracle's stack being even a little more complete. It will be an interesting exercise - assuming that the merger is approved - for the teams from Oracle and Sun to sit together at the drawing board and plot the future product strategy. There will eventually have to be the axe for many of the products - "eventually" being the key word here. For near to medium future, it'll be integration in the style of Oracle: to carry multiple overlapping products in the portfolio at the same time, renaming the products and the installation directory, and slapping a new logo onto them. The actual evolutive "integration" will be much further down the road. When it comes to that, Oracle can learn from Sun Microsystems even while it is worth pointing out that Oracle had a clear strategy for real implementation in the IAM field from the very beginning of its acquisition tour and has made significant progress on that. 
However, Oracle still has a long way to go there - and integrating the complex Sun portfolio for IAM and GRC won't make things easier.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;-&lt;span style="font-weight: bold;"&gt; Felix Gaehtgens and Martin Kuppinger,&lt;/span&gt;&lt;a style="font-weight: bold;" href="http://www.kuppingercole.com/"&gt; Kuppinger-Cole&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-8881962151988398955?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/8881962151988398955/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=8881962151988398955' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8881962151988398955'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8881962151988398955'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/04/oracle-sun-merger-gathering-of-opinion.html' title='Oracle-Sun merger: a gathering of opinion'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-5755329891596406970</id><published>2009-04-22T09:19:00.000-07:00</published><updated>2009-04-22T09:31:24.222-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity 
commons'/><category scheme='http://www.blogger.com/atom/ns#' term='liberty alliance'/><title type='text'>Kantara or Kan't ara?</title><content type='html'>The Liberty Alliance announced on Monday that it was morphing into another organization called &lt;span style="font-style: italic;"&gt;Kantara&lt;/span&gt; (supposedly the Arabic word for "bridge," but as someone else pointed out that would more likely be anglicized as Qantara). I've been waiting for an actual list of founding organizations to be published before I commented, but I must say that Johannes has nailed it when he   &lt;a href="http://netmesh.info/jernst/Digital_Identity/kantara-announce.html?version=200904211522"&gt;writes&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;Well, I'm looking for the list of announced supporters, and all I    &lt;/span&gt;&lt;a style="font-style: italic;" href="http://kantarainitiative.org/confluence/display/GI/Testimonials"&gt;find&lt;/a&gt;&lt;span style="font-style: italic;"&gt; are    five testimonials, at least three of which are from long-term Liberty members. No    &lt;/span&gt;&lt;a style="font-style: italic;" href="http://openid.net/"&gt;OpenID Foundation&lt;/a&gt;&lt;span style="font-style: italic;"&gt;, no    &lt;/span&gt;&lt;a style="font-style: italic;" href="http://osis.idcommons.net/wiki/Main_Page"&gt;OSIS&lt;/a&gt;&lt;span style="font-style: italic;"&gt;, no Identity Commons, no    &lt;/span&gt;&lt;a style="font-style: italic;" href="http://projectvrm.org/"&gt;Project VRM&lt;/a&gt;&lt;span style="font-style: italic;"&gt;, no OASIS, IETF, W3C and so forth.    Very few vendors,    too. In my mind, that is pretty far from the threshold needed for success of any kind    for any new kind of identity organization.&lt;/span&gt;"&lt;/blockquote&gt;The folks at Liberty have been trying for almost a year to launch this organization. 
I participated in a meeting they held with Identity Commons last fall (see "&lt;a href="http://vquill.com/2008/09/yaug-yet-another-umbrella-group.html"&gt;YAUG - Yet Another Umbrella Group&lt;/a&gt;" and "&lt;a href="http://vquill.com/2008/09/more-idtbd.html"&gt;more IDtbd         &lt;/a&gt;") and I find that the organizing documents for Kantara have not changed a single iota from those roundly denounced and rejected at that meeting.&lt;br /&gt;&lt;br /&gt;One is led to wonder, once again, what this organization can do that others - already existing - can't handle more efficiently, and with less of a Liberty Alliance heavy hand.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-5755329891596406970?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/5755329891596406970/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=5755329891596406970' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5755329891596406970'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5755329891596406970'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/04/kantara-or-kant-ara.html' title='Kantara or Kan&apos;t ara?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1912987111511986973</id><published>2009-04-20T09:14:00.000-07:00</published><updated>2009-04-20T09:22:56.495-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='acquisition'/><category scheme='http://www.blogger.com/atom/ns#' term='oracle'/><title type='text'>Holy crap!!</title><content type='html'>I  had to look twice at the calendar this morning when I read: &lt;a href="http://www.networkworld.com/news/2009/042009-oracle-agrees-to-buy-sun.html?nladname=042009specialnl&amp;amp;code=nlspecialnewsale192423"&gt;Oracle agrees to buy Sun for $7.4B - Network World&lt;/a&gt;. But no, it was the 20th of April, not the 1st.&lt;br /&gt;&lt;br /&gt;After all, there's so much overlap (starting with, say, MySQL) that it will be a complicated mesh-vs.-divest argument. There's virtually nothing in the IdM arena, for example, that Sun can provide which Oracle doesn't already have - and, in most cases, already have a better solution.&lt;br /&gt;&lt;br /&gt;It's really only in the hardware business that Oracle is acquiring something they don't already have, but it seems like a very drastic step to take simply to be able to assemble their own appliances.&lt;br /&gt;&lt;br /&gt;Maybe it's just Larry Ellison's way of telling both IBM and Microsoft that he intends to be a player in every high tech arena.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1912987111511986973?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1912987111511986973/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1912987111511986973' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1912987111511986973'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1912987111511986973'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/04/holy-crap.html' title='Holy crap!!'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-5733828690426005621</id><published>2009-03-11T15:55:00.000-07:00</published><updated>2009-03-11T15:58:40.253-07:00</updated><title type='text'>It's that time again...</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.internetidentityworkshop.com/?page_id=3"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 150px; height: 150px;" src="http://self-issued.info/images/iiw2009a_150.png" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;...time to register for the spring edition of the Internet Identity Workshop, that is.&lt;br /&gt;&lt;br /&gt;May 18-20, 2009 at the &lt;a href="http://www.computerhistory.org/"&gt;Computer History Museum&lt;/a&gt;, Mountain View, California.  
&lt;a href="http://www.internetidentityworkshop.com/?page_id=3"&gt;Register now&lt;/a&gt;!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-5733828690426005621?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/5733828690426005621/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=5733828690426005621' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5733828690426005621'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5733828690426005621'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/03/its-that-time-again.html' title='It&apos;s that time again...'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1466935809144124153</id><published>2009-02-05T14:31:00.000-08:00</published><updated>2009-02-05T14:38:27.922-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SAML'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='federation'/><title type='text'>Self-service de-provisioning</title><content type='html'>The always intriguing Pam Dingle has come up with what I believe is an entirely new feature for IdM systems - self-service deprovisioning!&lt;br /&gt;&lt;br /&gt;In a typical self-service system, a 
user's accounts, authorizations, applications, etc. are pre-configured and are installed/activated the first time the user signs in. But in a post called &lt;a href="http://eternallyoptimistic.com/2009/02/05/federated-de-provisioning/"&gt;Federated De-provisioning&lt;/a&gt;, Pamela extends this capability of self-service to the de-provisioning event. She describes it as:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;There is no reason why an authority could not return a set of claims at the time a terminated user attempts to authenticate to the Relying Party that says (a) do not authenticate, and (b) de-provision immediately.   If the authority is set up to do so, the Relying Party is home free!  The urgent use case has been taken care of (ie abuse), and the non-urgent cases can be dealt with at leisure, because the associated risk is dealt with.  Who cares if it takes a month to actually delete the account, if you can guarantee that should the terminated user attempt to access the resource during that time, a real-time status check will occur and the termination will be discovered?&lt;/span&gt;"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Brilliant! 
&lt;br /&gt;&lt;br /&gt;Let's see who's first to market with this...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1466935809144124153?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1466935809144124153/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1466935809144124153' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1466935809144124153'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1466935809144124153'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/02/self-service-de-provisioning.html' title='Self-service de-provisioning'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-7761777894242113739</id><published>2009-01-22T10:08:00.000-08:00</published><updated>2009-01-22T10:21:53.694-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity'/><title type='text'>Isn't that cute?</title><content type='html'>It never ceases to amaze me that the younger generations always think they invented everything (social unrest, "relevant" music - even sex) and that we "old folks" just don't understand. 
So I wasn't really that surprised when the usually knowledgeable Eric Norlin &lt;a href="http://blogs.csoonline.com/identity_for_identitys_sake"&gt;wrote&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;Identity's first wave (roughly 2001-2008) was all about building the noun that is 'identity.' Identity's second wave (projected - 2009 to 2016) will be all about building the verbs that live on top of identity.&lt;/span&gt;"&lt;/blockquote&gt;Identity's "first wave" was 20-25 years ago when we were building authentication &amp;amp; authorization systems using NIS, StreetTalk or NetWare's Bindery. The second wave came in the early nineties with the release of Novell Directory Services, iPlanet, OID and other X.500-derived services.&lt;br /&gt;&lt;br /&gt;What started in 1998 was actually the 3rd wave - workflow added to the directory services, authorization and authentication begat Electronic Provisioning which led inexorably to today's plethora of identity-based services.&lt;br /&gt;&lt;br /&gt;Still in its infancy is the fourth wave - when "identity-based" gives way to "identity-enabled" providing us with a rich fabric of services which know who we are, where we are, where we want to go, what we want to do and how we want to do it. 
But it has taken 30 years to get here - not 10.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-7761777894242113739?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/7761777894242113739/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=7761777894242113739' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7761777894242113739'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7761777894242113739'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2009/01/isnt-that-cute.html' title='Isn&apos;t that cute?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-7922402603861112172</id><published>2008-12-24T09:24:00.001-08:00</published><updated>2008-12-24T10:36:33.551-08:00</updated><title type='text'>Happy Holidays!</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://davekearns.com/xmas07/xmas07a.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://davekearns.com/xmas07/xmas07a.JPG" alt="" border="0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/3529143-7922402603861112172?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/7922402603861112172/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=7922402603861112172' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7922402603861112172'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7922402603861112172'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/12/happy-holidays.html' title='Happy Holidays!'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1837452871559289038</id><published>2008-12-11T17:00:00.000-08:00</published><updated>2008-12-11T17:02:29.079-08:00</updated><title type='text'>54" 40' or fight!</title><content type='html'>It would be easier to just annex the old Oregon Territory if Microsoft really wants to corner the market on Canadian Identity gurus.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.identityblog.com/?p=1033"&gt;Kim Cameron&lt;/a&gt; quotes fellow Canuck &lt;a href="http://jacksonshaw.blogspot.com/"&gt;Jackson Shaw&lt;/a&gt; (and also former Microsoftie) on the acquisition by Redmond of Vancouver's own &lt;a href="http://blame.ca/"&gt;Dick Hardt&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I think Dick will be good for Microsoft. 
I think that - as his marriage approaches - Microsoft could be good for him.&lt;br /&gt;&lt;br /&gt;It's just that I think the software Behemoth of the northwest might be getting too much of a flavor of the Great White North. Next thing you know there'll be a &lt;a href="http://www.timhortons.com/en/about/index.html"&gt;Tim Horton&lt;/a&gt;'s on campus!&lt;br /&gt;&lt;br /&gt;Still, at least I know I'll have someone to talk hockey with next time I visit the campus...&lt;br /&gt;&lt;br /&gt;Congrats all around!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1837452871559289038?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1837452871559289038/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1837452871559289038' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1837452871559289038'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1837452871559289038'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/12/54-40-or-fight.html' title='54&quot; 40&apos; or fight!'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-2271261150536927516</id><published>2008-11-19T09:13:00.000-08:00</published><updated>2008-11-19T10:57:56.514-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='digital 
identity'/><title type='text'>Please show me your identity</title><content type='html'>In today's &lt;a href="http://www.networkworld.com/newsletters/dir/2008/111708id2.html"&gt;newsletter&lt;/a&gt; I alluded to a language problem in an &lt;a href="http://www-03.ibm.com/press/us/en/pressrelease/25957.wss"&gt;IBM press release&lt;/a&gt;, intending to delve deeper in the next issue. I'm not going to be able to do that but still wanted to point out the egregious error, so I'll do that here. In talking about IBM's partnership with multi-factor, strong authentication partners (&lt;a href="http://www.arcot.com/"&gt;Arcot&lt;/a&gt;, &lt;a href="http://www.gemalto.com/"&gt;Gemalto&lt;/a&gt;, and &lt;a href="http://www.l1id.com/"&gt;L-1 Identity Solutions&lt;/a&gt; ), the release states:&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;Billions of identities used in business and social networking environments –  ranging from passwords, employee badges, driver’s licenses and stronger forms of  authentication – are used each day to complete various types of transactions  both on-line and in-person, granting individuals a wide range of physical and  digital access privileges.&lt;/span&gt;"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Passwords, employee badges, and driver’s licenses aren't identities! They're credentials. They're offered as proofs of identity claims, but that's all. Calling them identities is like calling a key a "lock." 
In fact, they are usually offered, in a digital context, as authentication to an &lt;span style="font-weight: bold;"&gt;account&lt;/span&gt; (not an identity) since one identity (you) can have multiple accounts using one or more credentials, and one account can be accessed by multiple people (or, identities) just as one key can open multiple locks, and one lock can be opened by multiple keys.&lt;br /&gt;&lt;br /&gt;If those of us "inside" can't get the terms right, how can we ever expect the end-users to do so?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-2271261150536927516?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/2271261150536927516/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=2271261150536927516' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2271261150536927516'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2271261150536927516'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/11/please-show-me-your-identity.html' title='Please show me your identity'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-384579410368350880</id><published>2008-10-29T10:57:00.000-07:00</published><updated>2008-10-29T10:59:22.953-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category scheme='http://www.blogger.com/atom/ns#' term='ADFS'/><category scheme='http://www.blogger.com/atom/ns#' term='Zermatt'/><category scheme='http://www.blogger.com/atom/ns#' term='Geneva'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Understanding Geneva</title><content type='html'>Kuppinger-Cole's Felix Gaehtgens is &lt;a href="http://www.kuppingercole.com/articles/fg_micro_gen_271008"&gt;posting&lt;/a&gt; from Microsoft's Professional Developers Conference (PDC) about the just announced platform called "&lt;a href="http://www.networkworld.com/news/2008/102708-microsoft-identity-cloud.html?ts0hb&amp;amp;story=ts_geneva"&gt;Geneva&lt;/a&gt;". Read the article for sure, but Felix also thinks, as he wrote to me, "...most people really don't 'get it' (even a lot of the other analysts, press people and developers keep mixing up concepts). " So in an attempt to clear up the confusion, he'll be hosting a &lt;a href="http://www.kuppingercole.com/events/n40030"&gt;Webinar&lt;/a&gt; this Friday to explain it all.&lt;br /&gt;&lt;br /&gt;It's planned so that most people will have daylight access (8:30 AM PST / 11:30 AM EST / 4:30 PM CET) - well, except for the Asia-Pacific region, but I'm sure it will be archived for them.&lt;br /&gt;&lt;br /&gt;Geneva, the successor to Active Directory Federation Services, is without a doubt the most important Identity announcement Microsoft has ever made.&lt;br /&gt;&lt;br /&gt;Unfortunately, it won't ship for at least a year.&lt;br /&gt;&lt;br /&gt;If you can get your hands on an early release, do so. 
In the meantime, listen to Felix' webinar.&lt;br /&gt;&lt;br /&gt;Other good readings on Geneva:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://self-issued.info/?p=90"&gt;Mike Jones&lt;br /&gt;&lt;/a&gt;&lt;a href="http://eternaloptimist.wordpress.com/2008/10/28/the-beginning-of-the-middle/"&gt;Pam Dingle&lt;/a&gt;&lt;br /&gt;&lt;a href="http://identity-des.com/2008/10/28/microsoft-geneva-server-supports-saml-20/"&gt;Don Schmidt&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blogs.msdn.com/vbertocci/archive/2008/10/28/identity-pdc08-roadmap-session-with-kim-cameron-himself-yours-truly.aspx"&gt;Vittorio Bertocci&lt;/a&gt;&lt;br /&gt;&lt;a href="http://identityblog.burtongroup.com/bgidps/2008/10/microsoft-and-the-saml-protocol-come-together-in-geneva.html"&gt;Gerry Gebel&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-384579410368350880?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/384579410368350880/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=384579410368350880' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/384579410368350880'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/384579410368350880'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/10/understanding-geneva.html' title='Understanding Geneva'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-7962236121769966871</id><published>2008-10-15T14:11:00.000-07:00</published><updated>2008-10-25T11:45:03.690-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reputation'/><title type='text'>Paul's Desert Island Rule</title><content type='html'>Paul Madsden has come up with an easy to grasp "Occam's razor" style explanation of what is - and what isn't - "reputation." He posits the &lt;a href="http://connectid.blogspot.com/2008/10/desert-island-rule.html"&gt;Desert Island Rule&lt;/a&gt;, which is a:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;...test for whether a given attribute can have a reputation aspect.&lt;br /&gt;&lt;br /&gt;  Were the entity in question to be located on a desert island with no social contact with others, would the value of the attribute in question be impacted?&lt;/span&gt;"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;That captures my sense of the notion, also.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-7962236121769966871?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/7962236121769966871/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=7962236121769966871' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7962236121769966871'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7962236121769966871'/><link rel='alternate' type='text/html' 
href='http://newvquill.blogspot.com/2008/10/pauls-desert-island-rule.html' title='Paul&apos;s Desert Island Rule'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-7091389937555749411</id><published>2008-10-06T00:51:00.000-07:00</published><updated>2008-10-06T00:52:47.297-07:00</updated><title type='text'>IIW Fall 2008</title><content type='html'>Only a bit over a month until the fall edition of the &lt;a href="http://www.windley.com/events/iiw2008b/announcement.shtml"&gt;Internet Identity Workshop&lt;/a&gt; in Mountain View at the Computer History Museum. It's an always interesting event:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;a href="http://www.networkworld.com/newsletters/dir/2008/051908id1.html"&gt;Venues for enterprise identity practitioners&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;&lt;strong&gt;&lt;a href="http://www.networkworld.com/newsletters/dir/2007/1210id1.html"&gt;Internet Identity Workshop throws up the question of what's next in identity? 
- Network ...&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;&lt;strong&gt;&lt;a href="http://www.networkworld.com/newsletters/dir/2007/1203id1.html"&gt;The geeks' identity incubator&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;&lt;strong&gt;&lt;a href="http://www.networkworld.com/newsletters/dir/2006/0508id1.html"&gt;Identity experts gather at Internet Identity Workshop&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: normal;"&gt;I'll be there - you should be too.&lt;/span&gt;&lt;br /&gt;&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-7091389937555749411?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/7091389937555749411/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=7091389937555749411' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7091389937555749411'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7091389937555749411'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/10/iiw-fall2008.html' title='IIW Fall 2008'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-3891843979134024837</id><published>2008-09-21T21:40:00.000-07:00</published><updated>2008-09-21T21:43:32.893-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='openid'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='social networks'/><title type='text'>Makes me look nice...</title><content type='html'>The Register's Ted Dziuba makes me look like a group-hugging flower-child with his latest story ("&lt;a href="http://www.theregister.co.uk/2008/09/22/dziuba_anti_revolution/"&gt;OpenSocial, OpenID, and Google Gears: Three technologies for history's dustbin&lt;/a&gt;"):&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;What about OpenID, the best damned federated authentication scheme the world has ever seen, but nobody in the world can figure out how to use?&lt;/span&gt;"&lt;/blockquote&gt;or&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;blockquote&gt;"This situation gets really dangerous when you start to involve people from San Francisco. Every person who lives in San Francisco has the intention of starting a nonprofit organization of some sort. 
Therefore, if you collect a bunch of Web 2.0 engineers in San Francisco, the inevitable outcome is the OpenSocial Foundation: a nonprofit organization that only exists to support an API for programming social network applications."&lt;/blockquote&gt;&lt;/span&gt;Peace and love, children.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-3891843979134024837?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/3891843979134024837/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=3891843979134024837' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3891843979134024837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3891843979134024837'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/09/makes-me-look-nice.html' title='Makes me look nice...'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-4904200168274471383</id><published>2008-09-19T10:42:00.000-07:00</published><updated>2008-09-19T10:55:43.354-07:00</updated><title type='text'>Conflating "identities," er, Personas</title><content type='html'>"jhullman," of internet marketing company &lt;a href="http://purevisibility.com/"&gt;Pure Visibility,&lt;/a&gt; has a &lt;a href="http://blog.purevisibility.com/"&gt;post&lt;/a&gt; today on the changes that 
technological advances have had on people's desire (and ability) to segregate their work life from their, um, "non-work" life: "&lt;span style="font-style: italic;"&gt;What is it that has changed in the last 20 years, causing employees who may have avoided all thought of work after hours in the past to feel so compelled to answer, say, the stray business-related emails that trickle in on the weekend?&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;I don't think it's the technology that makes this happen, nor is it some 3rd party aggregation of our identity data. If you don't want to be tempted to reply to work email on the weekend, have a separate email account for your personal correspondence. Problem solved.&lt;br /&gt;&lt;br /&gt;Well, not really. There's still the problem of getting people to actually NOT LOOK AT the office email during personal time.&lt;br /&gt;&lt;br /&gt;The post concludes:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;"'La perruque' is the French term for personal business done on company time, which no doubt spiked upon the embracing of the internet in many an organization. Michel de Certeau writes in his book 'The Practice of Everyday Life' that la perruque is a tactic used by the masses to subtly resist the powers that be. The real question is, What is the French word for the opposite, the subtle influence on employee identities exerted by the business, even the off hours?"&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;The French don't have a word for that, because the French would think you were crazy to do such a thing. What's the English for "joie de vivre?" 
- maybe we can learn from Paris...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-4904200168274471383?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/4904200168274471383/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=4904200168274471383' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4904200168274471383'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4904200168274471383'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/09/conflating-identities-er-personas.html' title='Conflating &quot;identities,&quot; er, Personas'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6702123106756429932</id><published>2008-09-16T13:52:00.000-07:00</published><updated>2008-09-16T14:09:24.625-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Burton Group'/><category scheme='http://www.blogger.com/atom/ns#' term='roles'/><category scheme='http://www.blogger.com/atom/ns#' term='persona'/><category scheme='http://www.blogger.com/atom/ns#' term='enterprise'/><category scheme='http://www.blogger.com/atom/ns#' term='user centric'/><category scheme='http://www.blogger.com/atom/ns#' term='Laws of Identity'/><category scheme='http://www.blogger.com/atom/ns#' term='identity'/><category 
scheme='http://www.blogger.com/atom/ns#' term='digital identity'/><title type='text'>Identity-centric</title><content type='html'>Pam Dingle has a bit of a &lt;a href="http://eternaloptimist.wordpress.com/2008/09/16/didw-08-the-user-centric-debate/"&gt;rant&lt;/a&gt; today about the term "user-centric." Well, not about the term itself but about people's desire (e.g., the entire Burton Group)  to get away from it.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;Sure, there are a few blind worshippers of the cult of user-centric out there, but I firmly believe that common sense has to win out in deployment scenarios, and that various technologies should and will be used where applicable to solve problems. &lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;"&lt;span style="font-style: italic;"&gt;If, on the other hand,  all this is about is finding a positive, all-encompassing touchy-feely name to give to the systems-formerly-known-as-user-centric so that isn’t all about conflict, fine — pick a new name already.     I only ask that if you’re going to diss the current buzzword, can you please at least supply an alternative suggestion.  Otherwise we end up in limbo where nobody wants to use the old term, but nobody has a new term either, making us all look like indecisive idiots.&lt;/span&gt;"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I think it's about more than just a term, more than just a feel-good quality, Pam. The "User-centric" term was coined, initially, to try to differentiate internet-based individual identity protocols from those used within the enterprise. But it's really all identity, and there doesn't need to be a distinction. 
That's why I wrote, last month, "&lt;a href="http://www.networkworld.com/newsletters/dir/2008/082508id2.html"&gt;Why there's no 'user-centric' or 'enterprise-centric' identity&lt;/a&gt;," where I said:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Enterprise-centric identity management, we postulated, is really all about tying together all the activities and attributes of a single entity into a readily accessible (and reportable and auditable) form; while user-centric identity is about keeping various parts of your online life totally separated so that they aren't accessible and no report can be drawn.&lt;br /&gt;So how do we have a framework that allows for both tying together all of a user’s activities (enterprise-centric) while at    the same time allowing distinct separation of activities as decided by the user?&lt;br /&gt;We start by defining identity as a group of “personas” (see &lt;a href="http://www.networkworld.com/newsletters/dir/2003/0825id2.html"&gt;'Defining identity, persona, role'&lt;/a&gt;). Any persona can be made up of a group of personas or roles. Each of those personas can be linked, or separated, as the    entity identified by them wishes. One of those personas is (or, rather, could be) an 'enterprise persona.' That one brings    together '…all the activities and attributes of a single entity' performed for or related to that enterprise '...into a readily    accessible (and reportable and auditable) form.'&lt;br /&gt;So there is no 'user-centric' or 'enterprise-centric' identity. There is just an entity with &lt;span style="font-weight: bold;"&gt;AN&lt;/span&gt; identity made up of various personas some of which may be controlled or limited in some way by an outside organization – not only by the enterprise but also by governments, social organizations, etc. The ability to keep these personas separate, &lt;span style="font-weight: bold;"&gt;where legally able to do so&lt;/span&gt;, must be a given. 
Each persona will have different identity needs and requirements, of course, but that’s what will drive the 'identity economy' as vendors seek to satisfy those needs and requirements in accordance with the laws. The government’s laws, the enterprise’s 'laws', the fraternal and social organization’s 'laws' and the &lt;a href="http://www.identityblog.com/?p=354"&gt;Laws of Identity&lt;/a&gt; as laid down by [Kim] Cameron. "&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6702123106756429932?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6702123106756429932/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6702123106756429932' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6702123106756429932'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6702123106756429932'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/09/identity-centric.html' title='Identity-centric'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6365071742052220104</id><published>2008-09-15T08:39:00.000-07:00</published><updated>2008-09-15T08:52:17.641-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='SSO'/><title 
type='text'>Google-oops</title><content type='html'>A big tip o'the hat to Kim Cameron who today &lt;a href="http://www.identityblog.com/?p=1011"&gt;points&lt;/a&gt; out a security white paper from US-CERT describing an incredibly bad - and incredibly naive - security vulnerability in Google's SSO implementation.&lt;br /&gt;&lt;br /&gt;The kicker isn't that there is a vulnerability, but, as Kim says, "&lt;span style="font-style: italic;"&gt;the surprising fact is that the errors made are incredibly basic.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;The Google wunderkind evidently ignored major parts of the SAML spec (while claiming to be SAML compliant) leaving the SSO completely open to the most basic insider attack. More incredibly, they extended this vulnerability to third parties so that their insiders could get in on the attack!&lt;br /&gt;&lt;br /&gt;Google just turned ten, but its thinking is more like that of a 17-year-old, one who knows what they want to do and can't be bothered to cross all the t's and dot all the i's in their head-long rush for personal fulfillment. They also think they'll live forever, and that they discovered sex (drugs, rock &amp;amp; roll, whatever). It's a very dangerous age but - if they survive it - they may go on to do great things. 
My hope is that the rest of us survive it, also.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6365071742052220104?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6365071742052220104/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6365071742052220104' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6365071742052220104'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6365071742052220104'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/09/google-oops.html' title='Google-oops'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6553021112698648017</id><published>2008-09-15T08:18:00.000-07:00</published><updated>2008-09-15T08:31:44.646-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='umbrella'/><category scheme='http://www.blogger.com/atom/ns#' term='DIDW'/><category scheme='http://www.blogger.com/atom/ns#' term='liberty alliance'/><title type='text'>more IDtbd</title><content type='html'>When I posted about the IDtbd group meeting last week (see &lt;a href="http://vquill.com/2008/09/yaug-yet-another-umbrella-group.html"&gt;YAUG - Yet Another Umbrella Group&lt;/a&gt;) I worried that perhaps I was the only one not seeing the benefit of this proposed organization. 
Now OpenID's David Recordon has  &lt;a href="http://docs.google.com/View?docid=dfzhw8f4_17d47q6whh"&gt;posted&lt;/a&gt; his notes on the meeting which - looking at those parts of the meeting I attended - appear to very accurately reflect what was said. And it would appear that those present who are not members of the Liberty Alliance remained quite skeptical of the new group. The objections, as David notes, are fairly generally accepted:&lt;br /&gt;&lt;ul id="xup72"&gt;&lt;li id="xup73"&gt;Autonomous projects&lt;/li&gt;&lt;li id="xup74"&gt;Less funding&lt;/li&gt;&lt;li id="xup75"&gt;Board has too much authority&lt;/li&gt;&lt;li id="xup76"&gt;Plan for introducing a new organization should be more incremental&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;He also notes that Sun's (and Liberty Alliance secretary) Bill Smith raised a strong objection to what I'd written and was "&lt;span style="font-style: italic;"&gt;...Asking for all future meetings to be private with no public notes so that people can speak more frankly. &lt;/span&gt;" Sadly, that's what I've come to expect from the Liberty Alliance - let's not discuss our differences, let's simply stifle them. 
That organization was born in darkness from a small group of invited participants which brooked no intrusions or comments from the outside and which reserved the chairs on its Board of Directors to only those first invited organizations for a very long time.&lt;br /&gt;&lt;br /&gt;What's really fascinating is that IDtbd claims to want "&lt;span style="font-style: italic;"&gt;To promote harmonization"&lt;/span&gt; but evidently needs to stifle dissent in order to do so!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6553021112698648017?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6553021112698648017/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6553021112698648017' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6553021112698648017'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6553021112698648017'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/09/more-idtbd.html' title='more IDtbd'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-8438001518116925295</id><published>2008-09-12T08:16:00.000-07:00</published><updated>2008-09-12T08:29:16.904-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='acquisition'/><category scheme='http://www.blogger.com/atom/ns#' 
term='trade show'/><category scheme='http://www.blogger.com/atom/ns#' term='Active Directory'/><title type='text'>Congratulations!</title><content type='html'>...to all my friends at &lt;a href="http://www.netpro.com/"&gt;NetPro&lt;/a&gt; and &lt;a href="http://www.quest.com/"&gt;Quest&lt;/a&gt; who now will operate under the same banner. Quest, over the past 6 or 7 years, has slowly acquired a number of key players in the 3rd party Microsoft managed identity space from &lt;a href="http://redmondmag.com/news/article.asp?EditorialsID=778"&gt;FastLane&lt;/a&gt; (back in 2000) through &lt;a href="http://www.networkworld.com/newsletters/dir/2005/0606id1.html"&gt;Vintela&lt;/a&gt; a couple of years ago. Each time, key players from the acquisition have come along to oversee integration and each time it seems to have gone off without a hitch.&lt;br /&gt;&lt;br /&gt;Time will tell how the &lt;a href="http://www.tec2009.com/"&gt;Experts Conference&lt;/a&gt; might be affected, but Quest has been involved there for a few years and I doubt they'll do anything to tamper with success (unlike, say, CSO and Digital ID World).&lt;br /&gt;&lt;br /&gt;I wonder if NetPro CEO Kevin Hickey will trade in his Yankee pinstripes for Dodger blue?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-8438001518116925295?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/8438001518116925295/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=8438001518116925295' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8438001518116925295'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8438001518116925295'/><link 
rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/09/congratulations.html' title='Congratulations!'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-7749704761732395624</id><published>2008-09-09T06:45:00.000-07:00</published><updated>2008-09-09T06:50:33.999-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category scheme='http://www.blogger.com/atom/ns#' term='user centric'/><category scheme='http://www.blogger.com/atom/ns#' term='digitalME'/><title type='text'>Virtual Loyalty cards</title><content type='html'>What is possibly the first leveraging of information card technology was announced today by aptly named "fun communications": the &lt;a href="http://www.webcard-loyalty.com/"&gt;virtual loyalty card&lt;/a&gt;.&lt;br /&gt;&lt;blockquote style="font-style: italic;"&gt;WebCard Loyalty offers customers, dealers and the issuers of customer loyalty cards true added value. For the customers, the virtual loyalty card means that different user names and passwords are now a thing of the past. The technology is based upon the open standard for information cards that is available for almost all operating systems and browsers. Also, for example, information cards are implemented in the Windows CardSpace™ technology. CardSpace provides a reliable and secure authentication and authorization mechanism (User-Centric Identity Management), which due to its Client technology is immune to phishing attacks. The login process is significantly simplified. 
Dealers benefit from this as well: It raises the entry barrier, increases the utilization volume, as well as enhancing the data quality. Not only this, but the virtual loyalty card provides both dealers and identity providers with an instrument for targeted marketing measures (bonus point programs, discounts on partner sites, partner advertising, coupon promotions) that enable them to build up long-term customer and partner loyalty. The customer identification and improved customer profiles open up interesting and profitable business models within the partner network.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Privacy, security - and targeted marketing! It's the holy grail, isn't it?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-7749704761732395624?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/7749704761732395624/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=7749704761732395624' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7749704761732395624'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7749704761732395624'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/09/virtual-loyalty-cards.html' title='Virtual Loyalty cards'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1026120489190544479</id><published>2008-09-08T11:06:00.000-07:00</published><updated>2008-09-08T11:25:42.879-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='umbrella'/><category scheme='http://www.blogger.com/atom/ns#' term='identity commons'/><category scheme='http://www.blogger.com/atom/ns#' term='liberty alliance'/><title type='text'>YAUG - Yet Another Umbrella Group</title><content type='html'>This morning at &lt;a href="http://public.cxo.com/conferences/agenda.html?conferenceID=24"&gt;DIDW&lt;/a&gt; I sat in on a session called "Identity Community Initiatives Working Together On A New Future" which was an organizational meeting for a new "umbrella" group called &lt;a href="http://groups.google.com/group/idtbd/about"&gt;IDtbd&lt;/a&gt; (TBD - To Be Determined - cute, eh?). What I heard, though, led me to call this group SOLA: Son of Liberty Alliance. It's  not just that the moving forces behind the group are from Liberty but also the proposed structure seems to derive from Liberty.&lt;br /&gt;&lt;br /&gt;While the avowed messages of the group are, perhaps, laudable:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;VISION: To promote harmonization, interoperability, and adoption of privacy-respecting, secure, identity-based access to digital services.&lt;br /&gt;&lt;br /&gt;MISSION: To help member organizations leverage a common set of resources, operational frameworks, and best practices using open specifications to enable trustworthy environments for networked interactions.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;the reality is one more layer of bureaucracy on top of already top-heavy structures. 
As just one example, someone wishing to create an OpenID project would, I'd think, join the &lt;a href="http://openid.net/foundation/"&gt;OpenID Foundation&lt;/a&gt;. The OpenID Foundation is a constituent member of &lt;a href="http://www.identitycommons.net/"&gt;Identity Commons&lt;/a&gt;. IDTBD proposes that both Identity Commons and the OpenID Foundation become members of it. But the person creating the project could also become a member. Of course, that (to me) means the project never gets developed because the developer is spending too much time on hierarchical organization meetings as well as too much money seeking to be heard by those organizations.&lt;br /&gt;&lt;br /&gt;The only positive thing I heard this morning, the only thing I can wholeheartedly support, was &lt;a href="http://www.projectliberty.org/liberty/about/officer_bios#Smith"&gt;Bill Smith&lt;/a&gt;'s statement that he wouldn't hesitate to call on the Liberty Alliance to dissolve in favor of this new organization. Well, I can agree with part of that. 
There are too many organizations and dissolving the Liberty Alliance (without creating a descendant) would be "...a consummation Devoutly to be wished."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1026120489190544479?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1026120489190544479/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1026120489190544479' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1026120489190544479'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1026120489190544479'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/09/yaug-yet-another-umbrella-group.html' title='YAUG - Yet Another Umbrella Group'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-3871709157517982436</id><published>2008-08-18T17:08:00.000-07:00</published><updated>2008-08-18T17:15:53.855-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Laws of Identity'/><title type='text'>Dumbing down the laws</title><content type='html'>Kim Cameron has &lt;a href="http://www.identityblog.com/?p=1007"&gt;posted&lt;/a&gt; a "simplified" version of his Laws of Identity. Problem with simplifying, though, is that you often say something that isn't quite what you mean. 
Kim starts by saying:&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;"People using computers should be in control of giving out information about themselves, just as they are in the physical world."&lt;blockquote&gt;&lt;/blockquote&gt;&lt;/span&gt;I agree 100%. But one has to remember that "in the real world," people are not always in control of giving out information about themselves.  Employers, teachers, medical professionals, government agencies, even social and fraternal organizations have rules governing which information can be shared and which can't (no matter how much you want to share it) as well as whose permission is needed (sometimes yours, sometimes a third party's and sometimes both) in order to release that information. So, yes, we should be able to do digitally exactly what we are able to do physically. And we should be able to do it more efficiently and, perhaps, in a more automated (and audited) manner.&lt;br /&gt;&lt;br /&gt;Let me know when that's working.&lt;br /&gt;&lt;br /&gt;Clayton Donley has also &lt;a href="http://blogs.oracle.com/clayton/2008/08/revisiting_the_laws_of_identit.html"&gt;posted&lt;/a&gt; a good 'think' on the revised Laws.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-3871709157517982436?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/3871709157517982436/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=3871709157517982436' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3871709157517982436'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3871709157517982436'/><link rel='alternate' type='text/html' 
href='http://newvquill.blogspot.com/2008/08/dumbing-down-laws.html' title='Dumbing down the laws'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-7943078787338670580</id><published>2008-08-18T09:09:00.000-07:00</published><updated>2008-08-18T09:14:13.390-07:00</updated><title type='text'>For my billionaire friends...</title><content type='html'>In a widely published &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/08/15/AR2008081503460.html"&gt;news story&lt;/a&gt; over the weekend we heard that billionaire Donald Trump was riding to the rescue of former TV talker Ed McMahon who was facing foreclosure on his $5 million mortgage. Said Trump:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;"I don't know the man, but I grew up watching him on TV. I'd watch him every night. How could this happen?" &lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;So for all my billionaire friends to whom I've given a bit of enjoyment over the years here's the deal. Y'all lend me 5 million as a lifetime, interest-free loan. I'll invest it and only take the interest. When I go (and, hey, I'm older than all of you!) 
the 5 mil reverts.&lt;br /&gt;&lt;br /&gt;Have your lawyer call my lawyer and we'll write it up.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-7943078787338670580?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/7943078787338670580/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=7943078787338670580' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7943078787338670580'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7943078787338670580'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/08/for-my-billionaire-friends.html' title='For my billionaire friends...'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1856569992397181091</id><published>2008-08-13T10:29:00.000-07:00</published><updated>2008-08-20T08:04:39.702-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='openid'/><category scheme='http://www.blogger.com/atom/ns#' term='user centric'/><category scheme='http://www.blogger.com/atom/ns#' term='six apart'/><category scheme='http://www.blogger.com/atom/ns#' term='movable type'/><title type='text'>Cringe-inducing conversation UPDATE</title><content type='html'>In a story in &lt;a 
href="http://arstechnica.com/news.ars/post/20080813-movable-type-pro-to-meld-blogging-and-social-networking.html"&gt;Ars Technica&lt;/a&gt; Six Apart's Anil Dash is quoted as saying "...&lt;span style="font-style: italic;"&gt;democratized&lt;/span&gt; identity management systems like Six Apart's own OpenID..."&lt;br /&gt;&lt;br /&gt;What the heck is that??? Do all the 'citizens' get to vote on your identity, or on their own identity, or ???????&lt;br /&gt;&lt;br /&gt;And who in their right mind could call OpenID an "identity management system"? It's, at best, an authentication system or, even better, a signon system. But there's little management of the identities involved.&lt;br /&gt;&lt;br /&gt;And what's with the proprietorial phrase "Six Apart's own OpenID"?&lt;br /&gt;&lt;br /&gt;It's possible (but not bloody likely) that Ars Technica got it wrong. Still, I'm waiting for Six Apart to issue a correction/clarification.&lt;br /&gt;&lt;br /&gt;UPDATE: Anil &lt;span style="font-weight: bold;"&gt;is&lt;/span&gt; saying that Ars Technica got it wrong. That what he said was "decentralized" identity management.  
I'd still quibble about OpenID being called an ID Mgmt System, but at least that other weirdness appears to be cleared up.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1856569992397181091?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1856569992397181091/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1856569992397181091' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1856569992397181091'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1856569992397181091'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/08/cringe-inducing-conversation.html' title='Cringe-inducing conversation UPDATE'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-50760320392981676</id><published>2008-08-12T08:38:00.000-07:00</published><updated>2008-08-12T18:31:46.111-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity'/><category scheme='http://www.blogger.com/atom/ns#' term='model'/><title type='text'>Identity [finally] Happens</title><content type='html'>I &lt;a href="http://www.networkworld.com/newsletters/dir/2008/051908id1.html"&gt;wrote&lt;/a&gt; about Boeing's Marty Schlieff in the newsletter last spring after the Internet Identity Workshop. 
Marty's a "deep thinker" about identity issues, and wants to foster more rigorous thinking among enterprise identity architects. His idea for a blueprint/roadmap for enterprise identity inspired a &lt;a href="http://vquill.com/2008/07/attention-architects-byob.html"&gt;session&lt;/a&gt; we're doing at the upcoming Digital ID World and now Marty's taken it into his own hands to do something by launching his own weblog "&lt;a href="http://identityhappens.blogspot.com/"&gt;Identity Happens&lt;/a&gt;". Pay attention to it.&lt;br /&gt;&lt;br /&gt;Marty is making a stab at creating an &lt;a href="http://en.wikipedia.org/wiki/OSI_model"&gt;OSI&lt;/a&gt;-like model for identity. Like OSI, though, I think his model is a better illustration of the concepts than it is a blueprint for constructing anything. He posits 8 "layers":&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Privileges&lt;/li&gt;&lt;li&gt;Platform Roles &amp;amp; Attributes&lt;/li&gt;&lt;li&gt;Accounts&lt;/li&gt;&lt;li&gt;Provisioning Roles &amp;amp; Attributes&lt;/li&gt;&lt;li&gt;Context&lt;/li&gt;&lt;li&gt;Subject&lt;/li&gt;&lt;li&gt;Persona&lt;/li&gt;&lt;li&gt;Entity&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;But there's considerable overlap, if not actual equality, of some: "Persona", the two different "Roles", etc. 
Still, it's a start, a beginning to the discussion - and that's not a bad thing at all.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-50760320392981676?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/50760320392981676/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=50760320392981676' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/50760320392981676'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/50760320392981676'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/08/identity-finally-happens.html' title='Identity [finally] Happens'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-2133978097589336360</id><published>2008-08-10T09:32:00.000-07:00</published><updated>2008-08-10T09:52:10.634-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='openid'/><category scheme='http://www.blogger.com/atom/ns#' term='open source'/><category scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category scheme='http://www.blogger.com/atom/ns#' term='user centric'/><category scheme='http://www.blogger.com/atom/ns#' term='SSO'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='digital identity'/><title 
type='text'>"We have met the enemy..."</title><content type='html'>OpenID's leading lights appear to be down on the technology, it seems. After last week's note about Dick Hardt's seemingly wistful look at OpenID ("&lt;span style="font-style: italic;"&gt;...one wonders if the identity opportunities of OpenID have passed&lt;/span&gt;.") comes today's &lt;a href="http://blog.vidoop.com/archives/157"&gt;note&lt;/a&gt; from Scott Kveton (chair of the OpenID Foundation board). Reacting to Randy Stross' New York Times &lt;a href="http://www.nytimes.com/2008/08/10/technology/10digi.html"&gt;piece &lt;/a&gt;highly critical of OpenID, Kveton says: "&lt;span style="font-style: italic;"&gt;The OpenID community has identified two key issues it needs to address in 2008 that Randy mentioned in his column; security and usability&lt;/span&gt;."&lt;br /&gt;&lt;br /&gt;If usability is bad (and the discussions on the OpenID email discussion lists support that notion), and security is a problem - what, exactly, does it have going for it?&lt;br /&gt;&lt;br /&gt;Is it, perhaps, time for the leading lights to move on to a user-centered technology which does show promise of being an identity provider that is very usable and also quite secure? As Mr. McGuire might have said to Ben in &lt;span style="font-style: italic;"&gt;The Graduate:&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;Mr. McGuire: I just want to say one word to you - just one word.&lt;br /&gt;     Ben: Yes sir.&lt;br /&gt;Mr. McGuire: Are you listening?&lt;br /&gt;      Ben: Yes I am.&lt;br /&gt;Mr. McGuire: '&lt;a href="https://connect.microsoft.com/site/sitehome.aspx?SiteID=642"&gt;Zermatt&lt;/a&gt;.'&lt;br /&gt;      Ben: Exactly how do you mean?&lt;br /&gt;Mr. McGuire: There's a great future in Zermatt.&lt;br /&gt;           Think about it.&lt;br /&gt;           Will you think about it?&lt;br /&gt;     Ben: Yes I will.&lt;br /&gt;Mr. McGuire: Shh! Enough said. 
That's a deal.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Or, as &lt;a href="http://www.imdb.com/title/tt0504672/quotes"&gt;Eddie said to Saffie&lt;/a&gt;: Just put me through to Zermatt!</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/2133978097589336360/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=2133978097589336360' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2133978097589336360'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2133978097589336360'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/08/we-have-met-enemy.html' title='&quot;We have met the enemy...&quot;'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6053013432259219968</id><published>2008-07-31T07:59:00.000-07:00</published><updated>2008-07-31T17:45:44.497-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='openid'/><category scheme='http://www.blogger.com/atom/ns#' term='open source'/><category scheme='http://www.blogger.com/atom/ns#' term='Facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category scheme='http://www.blogger.com/atom/ns#' term='digitalME'/><title type='text'>OpenID - the 
denouement?</title><content type='html'>There's been much agitation for Facebook to join the likes of MySpace and Yahoo! in the OpenID community. But when Facebook recently announced its "&lt;a href="http://news.cnet.com/8301-17939_109-9998117-2.html"&gt;Connect&lt;/a&gt;" service (a service to port ID information among various web sites), without a link to OpenID, much angst was experienced in that vocal group of supporters of the open source identity protocol. In particular, Sxip's Dick Hardt - one of the co-founders of the OpenID Foundation - &lt;a href="http://identity20.com/?p=153"&gt;mused&lt;/a&gt; about the future of so-called "user-centric" identity. Earlier (in "&lt;a href="http://identity20.com/?p=151"&gt;Facebook Connect - fatal blow for OpenID?&lt;/a&gt;") Hardt said: "&lt;span style="font-style: italic;"&gt;Given the momentum and immediate value of a Facebook identity system and the lack of OpenID RP deployment, one wonders if the identity opportunities of OpenID have passed.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;Other co-founders (&lt;a href="http://beta.blogger.com/Given%20the%20momentum%20and%20immediate%20value%20of%20a%20Facebook%20identity%20system%20and%20the%20lack%20of%20OpenID%20RP%20deployment,%20one%20wonders%20if%20the%20identity%20opportunities%20of%20OpenID%20have%20passed."&gt;Johannes Ernst&lt;/a&gt;, &lt;a href="http://daveman692.livejournal.com/338297.html"&gt;David Recordon&lt;/a&gt;) tried (with smoke, mirrors and whistling in the dark) to refute Hardt but, in my opinion, failed miserably. OpenID is a victim of its own early success. Too many people, with too many conflicting agendas, signed on in the hope of designing OpenID in their image. From the early fights over iNames through the querulous (and tedious) fights about Attribute Exchange, security and other aspects of a mature identity protocol there was resistance from the majority of the developer base who really only wanted an easy way to log in to blogs. 
Nothing wrong with that. A simple, somewhat reliable way to ease the authentication process for blog comments while fending off robots and spammers is a worthy goal.&lt;br /&gt;&lt;br /&gt;Perhaps this is the time for the visionaries within the OpenID community, those who have the vision of what a full-fledged open-source identity protocol should be, to bow out of that movement and form another one. Or, perhaps put their time and energy behind an existing movement such as the Bandit Project's &lt;a href="http://www.bandit-project.org/index.php/Digital_Me"&gt;DigitalME &lt;/a&gt;initiative. They could even create an STS (Security Token Service) to bridge OpenID and the InfoCard system so that they could be "true to their roots."&lt;br /&gt;&lt;br /&gt;OpenID, it seems, is never going to be a secure, robust, full-featured identity system so let's stop pretending that it can be. Let it be what it is and let's move on.</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6053013432259219968/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6053013432259219968' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6053013432259219968'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6053013432259219968'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/07/openid-denoument.html' title='OpenID - the denouement?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-3864475300767532559</id><published>2008-07-23T08:43:00.000-07:00</published><updated>2008-07-23T09:02:23.119-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='enterprise'/><category scheme='http://www.blogger.com/atom/ns#' term='DIDW'/><category scheme='http://www.blogger.com/atom/ns#' term='architect'/><title type='text'>It's not a bug - it's a feature</title><content type='html'>Jeff Bohren, in &lt;a href="http://idlogger.wordpress.com/2008/07/23/there-is-no-there-there/"&gt;commenting&lt;/a&gt; on my post about "&lt;a href="http://vquill.com/2008/07/attention-architects-byob.html"&gt;Attention architects&lt;/a&gt;" thinks I've overlooked an element for our Digital ID World discussion:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;blockquote&gt;Dave Kearns wants to get everyone together to talk it all out. Helpful, I suppose, but limited because of the absence of enterprise application vendors. Without application vendor buy in, identity management is going to continue to be a mess.&lt;/blockquote&gt;&lt;/span&gt;Not an oversight, Jeff, but planned that way. Too often the vendors dominate the conversation - and pay little attention to what the customer wants. True, they claim to listen and they claim that the next version includes those features "our customers have asked for," but we all know the real truth. The plan - and it isn't my plan, but was promulgated by Boeing's Marty Schleiff - is to develop sort of a consensus roadmap for how it should be done - what steps the enterprise identity architects think should happen and in what order. Vendors who can satisfy that roadmap will reap the reward. 
Vendors who ignore it will wind up in my "where are they now?" file.</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/3864475300767532559/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=3864475300767532559' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3864475300767532559'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3864475300767532559'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/07/its-not-bug-its-feature.html' title='It&apos;s not a bug - it&apos;s a feature'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6689778037588567044</id><published>2008-07-16T10:08:00.000-07:00</published><updated>2008-07-23T08:53:40.176-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><category scheme='http://www.blogger.com/atom/ns#' term='Active Directory'/><title type='text'>Dominant does not mean all-encompassing</title><content type='html'>Oracle's Nishant Kaushik took some heat ("&lt;a href="http://blogs.oracle.com/talkingidentity/2008/07/is_ad_really_the_dominant_iden.html"&gt;Is AD really the dominant Identity Store out there?&lt;/a&gt;") for not caving in to the "Active Directory 
is everywhere" litany. Bravo!&lt;br /&gt;&lt;br /&gt;What some of his detractors fail to realize is that there are few, if any, organizations with more than 100 users who use AD as their &lt;span style="font-weight: bold;"&gt;sole&lt;/span&gt; identity datastore. Identity data - which includes not only name, rank and serial number, but also all of the attributes associated with the identity - is stored in myriads of places which can be local to the user, somewhere in the enterprise, or out in the internet cloud. And AD has no mechanisms whatsoever for getting at that data.&lt;br /&gt;&lt;br /&gt;A service or application which wishes to consume identity data could search all possible datastores - provided, of course, it knew where they were and what protocols they supported for exporting data. How much easier, though, for the application developer to hit one datastore for everything that's needed? That should call forth no argument from the AD-boosters - that's the argument they're using. But, as I said, AD has no way to get the data out of all of those other datastores. 
One thing does, though - the virtual directory.&lt;br /&gt;&lt;br /&gt;QED</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6689778037588567044/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6689778037588567044' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6689778037588567044'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6689778037588567044'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/07/dominant-does-not-mean-all-encompassing.html' title='Dominant does not mean all-encompassing'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-2707932292818426429</id><published>2008-07-15T17:46:00.000-07:00</published><updated>2008-07-15T18:04:26.986-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Catalyst'/><category scheme='http://www.blogger.com/atom/ns#' term='enterprise'/><category scheme='http://www.blogger.com/atom/ns#' term='identity'/><category scheme='http://www.blogger.com/atom/ns#' term='DIDW'/><title type='text'>Attention architects - BYOB</title><content type='html'>Pam Dingle posts today ("&lt;a 
href="http://eternaloptimist.wordpress.com/2008/07/15/catalyst-epiphany-2-were-a-little-lost/"&gt;We’re a little lost.&lt;/a&gt;") about her disappointment, nay her disillusionment with the hodge-podge of identity services available to the average enterprise and the decided lack of a roadmap for connecting them up. She notes, "&lt;span style="font-style: italic;"&gt;In reality, however, I don’t see a patchwork of complementary products - I see a whole bunch of products with a whole bunch of overlap and no obvious or well-stated way for an Enterprise to figure out how to knit it all into an actual solution for their original problem.  &lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;She's right, of course. There does need to be a roadmap, a diagram, a "well-stated way" to hook up all of these services so that they &lt;span style="font-weight: bold;"&gt;are&lt;/span&gt; complementary and they &lt;span style="font-weight: bold;"&gt;do&lt;/span&gt; interoperate rather than compete for attention and bandwidth. It's an issue that came up at last spring's Internet Identity Workshop when Boeing's Marty Schleiff introduced a session called "Enterprise Identity Roadmap for enterprise identity architects: a discussion," and which I wrote about in the &lt;a href="http://www.networkworld.com/newsletters/dir/2008/051908id1.html"&gt;newsletter&lt;/a&gt;. What I said was:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;So why IIW? In a nutshell, precisely because it wasn’t Catalyst or DIDW. Those structured conferences, dominated as they are by slideware presented by a speaker on a stage don’t lend themselves to free-form discussion. Certainly there are “Birds of a Feather” sessions – usually after hours in inconvenient locations. There are also informal get-togethers (usually involving libations) that go into the wee hours while knotty issues are discussed. 
But there doesn’t seem to be a venue for those involved in planning and implementing enterprise identity systems and architectures to meet in a vendor-neutral environment to swap stories, sound warnings and point out new initiatives. Marty wants to change that. &lt;/span&gt;&lt;/blockquote&gt;This seems to be as good a place as any to announce that we have found a venue. At the upcoming Digital ID World (Sept. 8-10 in Anaheim), Program Chair Eric Norlin has convinced me to moderate just such a session - me, a few microphones and (hopefully) an audience of enterprise identity architects - ready to talk about where they are, where they've been, where they hope to go and how they want to get there. If you've an interest in enterprise ID architecture (Pam, are you listening?) then I hope to see you in that audience.</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/2707932292818426429/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=2707932292818426429' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2707932292818426429'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2707932292818426429'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/07/attention-architects-byob.html' title='Attention architects - BYOB'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-7970938447930159762</id><published>2008-07-10T08:06:00.000-07:00</published><updated>2008-07-11T08:02:13.576-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RBAC'/><category scheme='http://www.blogger.com/atom/ns#' term='roles'/><category scheme='http://www.blogger.com/atom/ns#' term='standards'/><title type='text'>Getting NISTy - UPDATE</title><content type='html'>Oracle's Nishant Kaushik has a &lt;a href="http://blogs.oracle.com/talkingidentity/2008/07/my_next_attempt_at_controversy.html"&gt;great post&lt;/a&gt; today attacking the &lt;a href="http://csrc.nist.gov/groups/SNS/rbac/"&gt;NIST RBAC&lt;/a&gt; standard as fatally flawed.&lt;br /&gt;&lt;br /&gt;He asks the question, "&lt;span style="font-style: italic;"&gt;Is the NIST RBAC standard fundamentally flawed, given that it is missing a key element in access control decisions - relationships...?&lt;/span&gt;" and answers himself: "&lt;span style="font-style: italic;"&gt;It is, and companies looking to the NIST RBAC standard as the template for how to approach role management are going to end up missing the boat&lt;/span&gt;."&lt;br /&gt;&lt;br /&gt;I'll simply say that I find NIST's RBAC to be about as useful as the ISO network model - a great tool to tailor a discussion around, but really worthless as a practical implementation. Alternatively, you could think of it as being in the same relationship to actual role implementation as the Dept. 
of Defense's ADA programming language is to Java or C#.&lt;br /&gt;&lt;br /&gt;There has to be a better way.&lt;br /&gt;&lt;br /&gt;UPDATE: My sometime drinking buddy, Archie Reed from HP, has &lt;a href="http://www.communities.hp.com/online/blogs/reed/archive/2008/07/11/nist-rbac-what-goes-around.aspx"&gt;posted&lt;/a&gt; a good summary of the current thinking, planning and drafting of standards for role management and RBAC.</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/7970938447930159762/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=7970938447930159762' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7970938447930159762'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7970938447930159762'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/07/getting-nisty.html' title='Getting NISTy - UPDATE'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-3256089575856138985</id><published>2008-07-09T09:09:00.000-07:00</published><updated>2008-07-09T09:24:31.220-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><category scheme='http://www.blogger.com/atom/ns#' 
term='metadirectory'/><category scheme='http://www.blogger.com/atom/ns#' term='FUD'/><title type='text'>Smoke, mirrors - and numbers</title><content type='html'>RSA's Matt Flynn has been participating in the virtual directory/metadirectory conversation for some time, but his &lt;a href="http://360tek.blogspot.com/2008/07/metadirectories-whats-left-to-say.html"&gt;entry for today&lt;/a&gt; brings in more smoke and less clarity. Having been &lt;a href="http://blogs.oracle.com/clayton/2008/07/re_metadirectories_not_dead_th.html"&gt;called out&lt;/a&gt; by Clayton Donley, Matt ripostes:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;Also, it sounded like Clayton took my comments to mean that &lt;/span&gt;&lt;em style="font-style: italic;"&gt;"everyone needs to be using Active Directory for everything"&lt;/em&gt;&lt;span style="font-style: italic;"&gt;, which was (I think obviously) not the intent. My point is that although the top 500 or 1000 companies may have a number of directories for various strategic uses, there are probably 20x that number of companies that use only Active Directory as the central and primary user store...&lt;/span&gt;&lt;/blockquote&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;Now the problem here is in the numbers - the "top 500 ...companies" might harbor 5 million+ users. The "20x that number" (or, say, 10,000 companies) might total 50,000 users.  Or, in other words, 1% of the total users are in all-AD environments, 99% are in heterogeneous situations. Which actually proves Clayton's point and refutes Matt's.&lt;br /&gt;&lt;br /&gt;Additionally, of course, as long as most vendors (and most enterprises) make it so difficult to extend the schema of the central repository (whenever there is one) there will always be a need for a virtual repository for applications to use. 
The need for, and uses of, virtual directories is growing and is still a few years away from peaking.</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/3256089575856138985/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=3256089575856138985' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3256089575856138985'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3256089575856138985'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/07/smoke-mirrors-and-numbers.html' title='Smoke, mirrors - and numbers'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-3860477154850359590</id><published>2008-07-07T18:02:00.000-07:00</published><updated>2008-07-09T09:09:21.003-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='open source'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><category scheme='http://www.blogger.com/atom/ns#' term='metadirectory'/><category scheme='http://www.blogger.com/atom/ns#' term='FUD'/><title type='text'>A clueless manifesto</title><content type='html'>A big tip o'the hat to &lt;a 
href="http://idlogger.wordpress.com/2008/07/07/directory-vs-virtual-directory/"&gt;Jeff Bohren&lt;/a&gt; for drawing my attention to &lt;a href="http://idlogger.wordpress.com/2008/05/30/how-much-for-that-ldap-server-in-the-window/#comment-958"&gt;this note&lt;/a&gt; from Alex Karasulu of the ApacheDS project. Now remember, he's working on a Directory Server project. Yet he says:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;The VD &lt;/span&gt;&lt;span&gt;[Virtual Directory]&lt;/span&gt;&lt;span style="font-style: italic;"&gt; implementations of today like Penrose, are just hacks without a formal computational basis to them. People trying to get a product to market rapidly to sell a company. We intend to enable virtualization eventually with a solid footing in the LDAP administrative model using this concept of a view. Views, as well as triggers/SPs will enable new ways to easily solve the problems encountered in the identity space. As a teaser just think what could be done in the provisioning space if AD supported triggers? Real technology will yield solid reliable solutions instead of these band aids we’re seeing during this identity gold rush.&lt;/span&gt;&lt;/blockquote&gt;Too bad he's not aware of Radiant Logic, Symlabs and the Oracle (nee OctetString) virtual directories - all of which have been around longer than ApacheDS and all of which support triggering mechanisms either through straight SQL or through policy implementations. They're pretty good with "views," also. 
I'm still looking for that "trigger" mechanism in the LDAP model!</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/3860477154850359590/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=3860477154850359590' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3860477154850359590'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3860477154850359590'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/07/clueless-manifesto.html' title='A clueless manifesto'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-4128817203955569016</id><published>2008-07-01T08:21:00.000-07:00</published><updated>2008-07-01T12:04:56.834-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Burton Group'/><category scheme='http://www.blogger.com/atom/ns#' term='roles'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><title type='text'>The role of roles</title><content type='html'>Ian Glazer has just released his &lt;a href="http://bgidps.typepad.com/bgidps/2008/06/identity-manage.html"&gt;first post&lt;/a&gt; since signing on with the Burton Group, and it's a good one, about the wrong-headed notion which appears to be 
taking hold in the market place that roles and role management are needed before provisioning can occur.  As Ian puts it:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;Implicit in the idea that an enterprise cannot attempt user-provisioning because it is not ready for role management is the notion that user provisioning has no value to the enterprise without role management.  This is an outdated argument that is simply not true. &lt;/span&gt;&lt;/blockquote&gt;In fact, the opposite is true - roles, while not requiring it, will benefit from a good provisioning implementation.&lt;br /&gt;&lt;br /&gt;Look at it this way, even without computer-based Identity Services people need to be provisioned into the resources they will use. &lt;a href="http://www.networkworld.com/best99/wares-kearns.html"&gt;eProvisioning&lt;/a&gt; simply automates that task. While the concept of roles may be present, roles-as-a-tool is only useful within a digital context.&lt;br /&gt;&lt;br /&gt;Acquiring, piloting, prepping and rolling-out provisioning services should really be a no-brainer decision, especially today - almost 10 years after eProvisioning was first introduced - when so much of the setup and rollout is scripted, wizard-ed, template-ed and cookie cutter-ed. It's easy to demonstrate the efficiency gains (and the budget gains) from provisioning apps &amp;amp; services. There's also the fact that the successful launch of a provisioning service establishes a baseline and a platform for creating the rest of a full-blown identity services implementation, even beyond role management. 
Governance, Risk Management, Entitlement Management, Security Audit, Simplified Signon, Privileged Account Management and more have a much better chance of being successful if they follow a well executed provisioning rollout.</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/4128817203955569016/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=4128817203955569016' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4128817203955569016'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4128817203955569016'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/07/role-of-roles.html' title='The role of roles'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-3447371364006277817</id><published>2008-05-16T08:09:00.000-07:00</published><updated>2008-05-16T08:26:16.636-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity Hub'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity Bus'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><category scheme='http://www.blogger.com/atom/ns#' term='metadirectory'/><title type='text'>New tricks and old tools</title><content 
type='html'>Kim Cameron follows up on Clayton Donley's &lt;a href="http://blogs.oracle.com/clayton/newsItems/viewFullItem$32"&gt;post&lt;/a&gt; with some &lt;a href="http://www.identityblog.com/?p=986"&gt;thoughts of his own.&lt;/a&gt; And ends by quoting Clayton:&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;The real solution here is a combination of virtualization with more standardized publish/subscribe for delivery of changes. This gets us away from this ad-hoc change discovery that makes meta-directories miserable, while ensuring that the data gets where it needs to go for transactions within an application.&lt;/span&gt;"&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;and adding: " &lt;span style="font-style: italic;"&gt;As soon as applications understand they are PART OF a wider distributed fabric, they could propagate changes using a publication pattern that retains the closed-loop verification of self-converging metadirectory. &lt;/span&gt; "&lt;br /&gt;&lt;br /&gt;I couldn't agree more with these two erudite gentlemen.&lt;br /&gt;&lt;br /&gt;Unfortunately, today's applications, and especially yesterday's applications still hanging around on our networks, but even tomorrow's applications for some time to come won't be written to be a part of a "wider distribution fabric," especially as that fabric doesn't yet exist in any meaningful way. And, as Kim said in an earlier &lt;a href="http://www.identityblog.com/?p=942"&gt;posting&lt;/a&gt;, "&lt;span style="font-style: italic;"&gt;Here’s the problem.  Infrastructure people cannot dictate how application developers should build their applications. &lt;/span&gt;" We can build the infrastructure that will excel in a publish-subscribe world, but getting the apps developers to buy in to that model, well, that's something else. 
I'm all for building the infrastructure and plumbing of the future, but we need to adapt today's tools so that we can get the job done while waiting for the new plumbing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-3447371364006277817?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/3447371364006277817/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=3447371364006277817' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3447371364006277817'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3447371364006277817'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/05/new-tricks-and-old-tools.html' title='New tricks and old tools'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-8454889866150831142</id><published>2008-05-12T10:11:00.000-07:00</published><updated>2008-05-12T10:18:50.822-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity Hub'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity Bus'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><category scheme='http://www.blogger.com/atom/ns#' term='metadirectory'/><title type='text'>optimization and expense</title><content type='html'>Neil Macehiter comments on the last 
post:&lt;br /&gt;&lt;br /&gt;&lt;span&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span&gt;&lt;span style="font-size:85%;"&gt;But the issue is not with the language you use to perform the query: it's where the data is located. If you have data in separate physical databases then it's necessary to pull the data from the separate sources and join them locally. So, in Kim's example, if you have 5000 employees and have sold 10000 computers then you need to pull down the 15000 records over the network and perform the join locally (unless you have an incredibly smart distributed query optimiser which works across heterogeneous data stores). This is going to be more expensive than if the computer order and employee data are colocated.&lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;The "expense"  is there no matter how you do it. Putting all of your potentially useful data in one RDBMS is incredibly wasteful of storage space and comes at the cost of slowing down all queries. It also means that synchronizations need to be done almost constantly in order for the most up to date data to be available, a network "expense".  But the search can be optimized before any data is pulled. For example, query the HR database for the lowest employee number issued after the first date you're interested in (assuming that employee numbers are issued sequentially). Then     query the orders for PC purchases by that employee number or higher. Yes, it's two steps, but it's also faster than pulling down all the records to do a local join.  
And, I hold, less "expensive" than maintaining a huge silo of all potentially useful data.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-8454889866150831142?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/8454889866150831142/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=8454889866150831142' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8454889866150831142'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8454889866150831142'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/05/optimization-and-expense.html' title='optimization and expense'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-3055193664681278376</id><published>2008-05-12T08:46:00.000-07:00</published><updated>2008-05-12T08:56:04.833-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity Hub'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><category scheme='http://www.blogger.com/atom/ns#' term='metadirectory'/><title type='text'>Getting more violent all the time</title><content type='html'>The distinguished Mr. 
Cameron has &lt;a href="http://www.identityblog.com/?p=983"&gt;restated&lt;/a&gt; what he thinks is our major disagreement over synchronization and replication of identity data on the so-called "identity bus." He says:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Sometimes an application needs to do complex searches involving information 'mastered' in multiple locations.   I’ll make up a very simple 'two location' example to demonstrate the issue:   &lt;blockquote&gt;&lt;p&gt;'What purchases of computers were made by employees who have been at the company for less than two years?'&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Here we have to query 'all the purchases of computers' from the purchasing system, and 'all employees hired within the last two years' from the HR system, and find the intersection.&lt;/p&gt; &lt;p&gt;Although the intersection might only represent a few records,  performing this query remotely and bringing down each result set is very expensive.   No doubt many computers have been purchased in a large company, and a lot of people are likely to have been hired in the last two years.  If an application has to perform this type of  query with great efficiency and within a controlled response time,  the remote query approach of retrieving all the information from many systems and working out the intersection may be totally impractical.   &lt;/p&gt; &lt;p&gt;Compare this to what happens if all the information necessary to respond to a query is present locally in a single database.  I just do a 'join' across the tables, and the SQL engine understands exactly how to optimize the query so the result involves little computing power and 'even less time'.  
Indexes are used and distributions of values well understood: many thousands of really smart people have been working on these optimizations in many companies for the last 40 years."&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;What Kim fails to note, however, is that a well designed virtual directory (see Radiant Logic's offering, for example) will allow you to do a SQL query to the virtual tables! You get the best of both: up to date data (today's new hires and purchases included) with the speed of an SQL join. And all without having to replicate or synchronize the data. I'm happy, the application is happy - and Kim should be happy too. We are in violent agreement about what the process should look like at the 40,000 foot level and only disagree about the size and shape of the paths - or, more likely, whether they should be concrete or asphalt.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-3055193664681278376?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/3055193664681278376/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=3055193664681278376' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3055193664681278376'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3055193664681278376'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/05/getting-more-violent-all-time.html' title='Getting more violent all the time'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1007900545198731153</id><published>2008-05-10T08:51:00.000-07:00</published><updated>2008-05-10T09:04:33.726-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='LDAP'/><title type='text'>The COBOLization of LDAP</title><content type='html'>In a panel discussion at the recent European Identity Conference I referred to LDAP (Lightweight Directory Access Protocol) as "The COBOL of Identity." It came amidst a discussion of future identity-sharing protocols and was intended as 1) a cheap laugh; and 2) as a short, memorable way of saying that LDAP would always be with us.&lt;br /&gt;&lt;br /&gt;I mentioned it again in a newsletter about the show ("&lt;a href="http://www.networkworld.com/newsletters/dir/2008/050508id2.html?nlhtident=ts_050708&amp;amp;nladname=050708security:identitymanagemental"&gt;Building an Identity Bus, Part 2&lt;/a&gt;") which has now been misread by a couple of people, so let me set the record straight.&lt;br /&gt;&lt;br /&gt;Jeff Bohren &lt;a href="http://idlogger.wordpress.com/2008/05/09/ldap-as-the-cobol-of-identity/"&gt;writes&lt;/a&gt;: "&lt;span style="font-style: italic;"&gt;That’s cute, but not terribly accurate. COBOL has had competing languages almost from the very beginning. If you chose to use COBOL, you did so because you felt it met your requirements better than the other existing alternatives. So Dave, what is the alternative to LDAP today? 
What will it be in 5 years?&lt;/span&gt;"  That was the point, Jeff - that, like COBOL, LDAP will always be with us.&lt;br /&gt;&lt;br /&gt;Clayton Donley &lt;a href="http://blogs.oracle.com/clayton/2008/05/09#a29"&gt;opines&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;There's no pressing need to get rid of LDAP in existing applications. None at all. It works. The applications support it and will continue to support it indefinitely.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Even in next-generation application I see LDAP support being integrated -- hardly what I see of COBOL ...&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;What does this say about any future identity services?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;They must support LDAP-enabled applications.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Does this mean that they will only support LDAP? No.&lt;/span&gt;"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Exactly.&lt;br /&gt;&lt;br /&gt;It does seem that when a bold thought is made as a pithy, somewhat humorous statement it's seen as somehow denigrating the subject. So let me say it once again -&lt;br /&gt;&lt;br /&gt;Like COBOL, LDAP is so deeply ingrained in our computing arsenal that it can never be entirely replaced.&lt;br /&gt;&lt;br /&gt;Now since one is a programming language while the other is a protocol the analogy will break down upon close inspection. 
But I will stand by it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1007900545198731153?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1007900545198731153/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1007900545198731153' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1007900545198731153'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1007900545198731153'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/05/cobolization-of-ldap.html' title='The COBOLization of LDAP'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-8860540524793245412</id><published>2008-04-11T08:12:00.000-07:00</published><updated>2008-04-11T08:32:52.932-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='enterprise'/><category scheme='http://www.blogger.com/atom/ns#' term='IGF'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><category scheme='http://www.blogger.com/atom/ns#' term='metadirectory'/><title type='text'>A herring of a different color</title><content type='html'>You almost had me, Kim. I read your &lt;a href="http://www.identityblog.com/?p=970"&gt;latest entry&lt;/a&gt; and was ready to share that olive branch. 
Right up to the last paragraphs when you say (about me):&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;"...He keeps saying I propose 'a directory that gathers and holds ALL the data from ALL your other directories.'  Dave, this is just untrue and unhelpful.  “ALL” was never the goal - or the practice - of metadirectory, and you know it.  The goal was to represent the 'object core' - the attributes shared across many applications and that need therefore to be kept consistent and synchronized if stored in multiple places.  Our other goal was to maintain the knowledge about what objects 'were called' in different directories and databases (thus the existence of 'connector space').&lt;br /&gt;&lt;br /&gt;Basically, the ”ALL” argument is a red herring..."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Not at all. Let's step back a pace or two, or a posting or two, and think about the reasons for having this meta/virtual directory. Yes, it helps to normalize the data and keep it in sync. But if that were all, then a couple of keyboard monkeys could handle the chore and, at least in the case of normalization, could do it more quickly than a semi-automated process.&lt;br /&gt;&lt;br /&gt;But the real reason we want to do this is so that identity data is available to applications. Available to them using a single vocabulary and a single protocol. Not that there can't be multiple vocabularies and protocols, but any one application would only need to use one of each - each application programmer would only need to use the vocabulary and protocol she was most familiar with.&lt;br /&gt;&lt;br /&gt;But for this to be effective, the programmer needs to know that any identity data they need is available through this mechanism. And the only way &lt;span style="font-weight: bold;"&gt;any &lt;/span&gt;data can be available is if &lt;span style="font-weight: bold;"&gt;all &lt;/span&gt;data is available. 
The identity data must be pervasive and ubiquitous - available whenever and wherever you need it.&lt;br /&gt;&lt;br /&gt;From the application's point of view, it should appear to be a single silo but in reality, the data will be distributed throughout the fabric of the network both within and without the enterprise, the identity provider or other data store.&lt;br /&gt;&lt;br /&gt;The promise of the meta/virtual directory is that it can serve up the current, correct data on demand from wherever it resides. And to do that, it has to aim to provide all identity data.&lt;br /&gt;&lt;br /&gt;Now, to forestall some people, let me add that the security of this system is a given - there need to be strict and fine-grained access controls for the data. There need to be well designed mechanisms allowing for whoever controls a bit of data to authorize its release. Without these things the system is useless because no one would use it.&lt;br /&gt;&lt;br /&gt;But this system needs to aim to have available all identity data, every conceivable bit of it. 
Because without that, the application programmer can't be sure that the bit he needs is there and so will set up alternative storage for the bits that that application needs.&lt;br /&gt;&lt;br /&gt;We're not there yet, but we need to go that way.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-8860540524793245412?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/8860540524793245412/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=8860540524793245412' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8860540524793245412'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8860540524793245412'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/04/herring-of-different-color.html' title='A herring of a different color'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-7455632324935591461</id><published>2008-04-09T09:58:00.000-07:00</published><updated>2008-04-09T10:36:18.342-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='saas'/><category scheme='http://www.blogger.com/atom/ns#' term='IGF'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><category scheme='http://www.blogger.com/atom/ns#' term='metadirectory'/><category 
scheme='http://www.blogger.com/atom/ns#' term='liberty alliance'/><title type='text'>Your mother was a hamster and your father smelt of elderberries!</title><content type='html'>Here I'd thought I'd offered Kim Cameron a bit of an olive branch in the virtual/meta/uber directory discussion. But did he take it? Yes, he did, then attempted to &lt;a href="http://www.identityblog.com/?p=969"&gt;whack a bunch of folks&lt;/a&gt; about the head and shoulders with it!&lt;br /&gt;&lt;br /&gt;In a further attempt to clarify what he meant, Kim says:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;By 'next generation application' I mean applications based on web service protocols.  Our directories need to integrate completely into the web services fabric, and application developers must to be able to interact with them without knowing LDAP.&lt;/span&gt;"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Why Kim feels that LDAP is beyond the ken of today's application developers is beyond me, but the darker part of this is that he seems to say that only through the use of the Microsoft-controlled WS-* protocols (you can read their propaganda at their &lt;a href="http://www.ws-i.org/"&gt;web site&lt;/a&gt;) can this be achieved. Nonsense.&lt;br /&gt;&lt;br /&gt;Still, if any developers feel that only XML based scripting is acceptable to use, then I'd suggest they consider the very good LDAP replacement, &lt;a href="http://www.google.com/url?sa=t&amp;amp;ct=res&amp;amp;cd=1&amp;amp;url=http%3A%2F%2Fwww.oasis-open.org%2Fcommittees%2Fdsml%2F&amp;amp;ei=v_f8R6CCBp2ypgSClq3wCQ&amp;amp;usg=AFQjCNFEASF2DvupCDhZK948zZEjujueXw&amp;amp;sig2=cLySKImHPowS4-hH7SFOBQ"&gt;DSML&lt;/a&gt; which has, sadly, languished for a number of years. Or there's SPML (for provisioning services). Even XACML could be used (although it would need a bit more work). 
The point is that there are open protocols, openly arrived at, that will do the job and today's application designers are bright enough to know how to use them.&lt;br /&gt;&lt;br /&gt;I'm reminded by Phil Hunt's &lt;a href="http://independentidentity.blogspot.com/2008/04/kim-cameron-on-new-generation-of.html"&gt;post&lt;/a&gt; on this issue that his work on the Identity Governance Framework, now an &lt;a href="http://www.openliberty.org/wiki/index.php/IGF_Introduction"&gt;OpenLiberty project&lt;/a&gt;, also satisfies the requirement of open protocols, openly arrived at.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-7455632324935591461?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/7455632324935591461/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=7455632324935591461' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7455632324935591461'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/7455632324935591461'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/04/your-mother-was-hamster-and-your-father.html' title='Your mother was a hamster and your father smelt of elderberries!'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-5141640505433817084</id><published>2008-04-07T13:42:00.000-07:00</published><updated>2008-04-07T13:43:33.050-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='acquisition'/><category scheme='http://www.blogger.com/atom/ns#' term='enterprise'/><title type='text'>Another one bites the dust</title><content type='html'>Well, that might be too strong, but another veteran independent Identity vendor has been acquired. M-Tech &lt;a href="http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&amp;amp;newsId=20080407005626&amp;amp;newsLang=en"&gt;announced&lt;/a&gt; today that Hitachi had acquired a majority interest in the Calgary, Alberta firm. &lt;br /&gt;&lt;br /&gt;M-Tech owns a large segment of the provisioning business in Canada, especially government (federal and provincial) provisioning. But beyond provisioning, M-Tech (now officially called Hitachi-ID) offered the full panoply of the Identity suite - password management, authentication and authorization, role management, audit and entitlement, etc. It'll be interesting to see how long it takes Hitachi to digest the acquisition (I don't think it will be very long) as well as how this will change the playing field (especially in Asia) for Sun, IBM and the others in this space.  
It could get very interesting.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-5141640505433817084?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/5141640505433817084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=5141640505433817084' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5141640505433817084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5141640505433817084'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/04/another-one-bites-dust.html' title='Another one bites the dust'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-2166001072245687062</id><published>2008-04-07T08:55:00.000-07:00</published><updated>2008-04-07T09:13:44.842-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Burton'/><category scheme='http://www.blogger.com/atom/ns#' term='identity'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><category scheme='http://www.blogger.com/atom/ns#' term='metadirectory'/><title type='text'>The blind philosophes of Identity</title><content type='html'>Kim has now responded (&lt;a href="http://www.identityblog.com/?p=947"&gt;"Through the looking glass&lt;/a&gt;") to my Humpty Dumpty post, and we're beginning to sound like a 
couple of old &lt;a href="http://en.wikipedia.org/wiki/Philosophes"&gt;philosophes&lt;/a&gt; arguing about whether or not to include "le weekend" and "hamburguer" and other &lt;a href="http://www.btinternet.com/%7Ehomepage/sign23.htm"&gt;Franglais&lt;/a&gt; in the French dictionary.&lt;br /&gt;&lt;br /&gt;We really aren't that far apart.&lt;br /&gt;&lt;br /&gt;In his post, Kim recalls launching the name "metadirectory" back in '95 with &lt;a href="http://www.craigburton.com/about"&gt;Craig Burton&lt;/a&gt; and I certainly don't dispute that. In fact, up until 1999, I even agreed somewhat with his definition:&lt;br /&gt;&lt;br /&gt;&lt;blockquote style="font-style: italic;"&gt;"In my world, a metadirectory is one that holds metadata - not actual objects, but descriptions of objects and their locations in other physical directories."&lt;/blockquote&gt;&lt;br /&gt;But as I continued in that Network World &lt;a href="http://www.networkworld.com/archive/1999b/0719kearns.html"&gt;column&lt;/a&gt;:&lt;br /&gt;&lt;blockquote style="font-style: italic;"&gt;"Unfortunately, vendors such as Zoomit took the term 'metadirectory' and redefined it so it could be used to describe what I'd call an überdirectory - a directory that gathers and holds all the data from all your other directories."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Since no one took up my use of "uberdirectory," we started using "metadirectory" to describe the situations which required a new identity store and "virtual directory" for those that didn't.&lt;br /&gt;&lt;br /&gt;So perhaps we're just another couple of &lt;a href="http://www.wordinfo.info/words/index/info/view_unit/1/?letter=B&amp;amp;spage=3"&gt;blind men trying to describe an elephant&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-2166001072245687062?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://newvquill.blogspot.com/feeds/2166001072245687062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=2166001072245687062' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2166001072245687062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2166001072245687062'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/04/blind-philosophes-of-identity.html' title='The blind philosophes of Identity'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-882012812304385566</id><published>2008-04-02T16:00:00.000-07:00</published><updated>2008-04-02T16:09:44.446-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='EIC'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity Hub'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity Bus'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><category scheme='http://www.blogger.com/atom/ns#' term='metadirectory'/><title type='text'>Get on the bus!</title><content type='html'>Everybody else is. &lt;a href="http://virtualsoul.org/blog/2008/04/02/metavirtualdirectory-hubs-and-the-need-for-the-identity-bus/"&gt;Dale Olds&lt;/a&gt; has commented. So has &lt;a href="http://independentidentity.blogspot.com/2008/03/identity-network.html"&gt;Phil Hunt&lt;/a&gt;. 
Let's all get together at the &lt;a href="http://www.kuppingercole.de/events/eic2008"&gt;European ID Conference&lt;/a&gt; in Munich later this month and talk about the Identity Hub, the Identity Bus, the death of the metadirectory and so much more. Suggestions for a suitable meeting place (i.e., biergarten) near the Deutsches Museum are welcome - post as comments to this post.&lt;br /&gt;&lt;br /&gt;See you there!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-882012812304385566?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/882012812304385566/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=882012812304385566' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/882012812304385566'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/882012812304385566'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/04/get-on-bus.html' title='Get on the bus!'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6113091239066025233</id><published>2008-03-28T15:57:00.000-07:00</published><updated>2008-04-03T08:51:44.427-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='openid'/><category scheme='http://www.blogger.com/atom/ns#' term='EIC'/><category scheme='http://www.blogger.com/atom/ns#' 
term='context'/><category scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category scheme='http://www.blogger.com/atom/ns#' term='enterprise'/><category scheme='http://www.blogger.com/atom/ns#' term='user centric'/><title type='text'>Cardspace context UPDATE</title><content type='html'>&lt;a href="http://eternaloptimist.wordpress.com/2008/03/27/no-user-context-decisions-in-your-enterprise/"&gt;Good post&lt;/a&gt; today ("No User Context Decisions in your Enterprise?") from Pam Dingle summarizing her panel at Brainshare (which I'm now sorry I missed). Cardspace and other user-centric ID schemes have a definite place in the enterprise, if only for the context-switching that Pamela outlines.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;UPDATE: A video of the session (with Pam Dingle, Patrick Harding, Kim Cameron and Dale Olds) has now been posted at the &lt;/span&gt;&lt;a style="color: rgb(255, 0, 0);" href="https://cards.bandit-project.org/%7Epodcasts/?p=6"&gt;Bandit Project&lt;/a&gt;&lt;span style="color: rgb(255, 0, 0);"&gt; site.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;We'll be exploring this same topic at the &lt;a href="http://www.id-conf.com/eic2008"&gt;European Identity Conference&lt;/a&gt; when I host a panel of Dale Olds (Bandit Project), Johannes Ernst (OpenID) and Robin Wilton (Liberty Alliance) called "Putting Context in Identity: User-Centric Context." 
It's an area that will heat up in the near future...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6113091239066025233?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6113091239066025233/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6113091239066025233' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6113091239066025233'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6113091239066025233'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/03/cardspace-context.html' title='Cardspace context UPDATE'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-3987615696714273108</id><published>2008-03-27T10:22:00.000-07:00</published><updated>2008-03-27T10:40:58.589-07:00</updated><title type='text'>Every day I get in the queue...</title><content type='html'>Eve Maler is a pretty good guitar player &amp;amp; singer who also happens to work for Sun and is a Liberty Alliance evangelista. 
She &lt;a href="http://www.xmlgrrl.com/blog/archives/2008/03/26/the-magic-bus/"&gt;posts&lt;/a&gt; today about the &lt;a href="http://www.networkworld.com/newsletters/dir/2008/0324id1.html"&gt;Identity bus/hub&lt;/a&gt; and states, succinctly, "&lt;span style="font-style: italic;"&gt;I don’t get it&lt;/span&gt;."&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;"I get that people would like identity information to be understandable across widely disparate systems, and that people would like services related to (deep breath) identity, authentication, attribute lookup, authorization, and auditing tasks to be widely available so that developers can concentrate on writing secure applications rather than security applications.&lt;/p&gt; &lt;p&gt;It’s fair to call this an “identity layer”. But that layer is more about semantics than about simple conveyance methods or syntax, because identity is way up in the stack. These aren’t random TCP/IP packets or HTTP messages, but &lt;em&gt;information about us&lt;/em&gt; that we want our applications to &lt;em&gt;understand and treat with care and consistency&lt;/em&gt;."&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;Exactly, Eve. And that's what the proposed "Identity Hub" would do - transform protocols and data from one system and schema to another. It's not a lightweight project, there's a great deal of heavy lifting that needs to be done. But we did it for email and we did it for databases - and identity isn't that much more difficult, if at all. In fact, it's more of a synthesis of those two.&lt;/p&gt;But Eve doesn't just say that and leave it alone. Oh no. She then has to get all Microsoft on us. 
Not, I hasten to add, that she advocates the "identity metasystem" (one of her bête noires) but she goes on to claim that if we would only all adopt SAML and the Liberty Alliance specs all of our problems would be solved.&lt;br /&gt;&lt;br /&gt;Well, rock musicians have always been idealists, but getting to everyone using SAML? World peace is probably easier to achieve.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-3987615696714273108?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/3987615696714273108/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=3987615696714273108' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3987615696714273108'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/3987615696714273108'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/03/every-day-i-get-in-queue.html' title='Every day I get in the queue...'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-8035152193124220689</id><published>2008-03-26T10:18:00.000-07:00</published><updated>2008-03-26T10:24:05.454-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><title type='text'>Meta-directories? 
Your father's ID store...</title><content type='html'>&lt;a href="http://www.kuppingercole.de/"&gt;Kuppinger Cole&lt;/a&gt;'s Felix Gaehtgens posts today ("&lt;a href="http://blogs.kuppingercole.de/gaehtgens/2008/03/26/meta-directories-id-say-quaint-but-not-quite-dead/"&gt;Meta-directories? I’d say quaint, but not quite dead.&lt;/a&gt;") on the demise of the metadirectory and the rise of virtualization. Felix should know: he's formerly the VP at &lt;a href="http://symlabs.com/"&gt;Symlabs&lt;/a&gt;, a major Virtual Directory provider. He says:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;blockquote&gt;"Microsoft has made an investment into that technology by rewriting MIIS pretty much from scratch. And Siemens to this date probably has the most comprehensive and advanced meta-directory implementation with its DirXmetahub component that is part of its Dir-X offering. Nevertheless, meta-directories are arguably still around mostly because Microsoft forces this technology onto its customers for what I think are political reasons: Several people working for Microsoft in the field have told me that it was in Microsoft’s interest to have Active Directory as a central component, and believe it against Microsoft’s interest to have a “filtered access”, such as a virtual directory in front of AD, abstracting information away from what should be the authoritative source. 
I neve&lt;span style="font-style: italic;"&gt;r really understood this fear, but recently it seems that this brick wall may be slowly starting to crumble."&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;Read the rest of his post for a synthesis of the argument Kim and I have been having, a synthesis that could be close to a solution.&lt;/span&gt;&lt;/span&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-8035152193124220689?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/8035152193124220689/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=8035152193124220689' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8035152193124220689'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8035152193124220689'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/03/meta-directories-your-fathers-id-store.html' title='Meta-directories? 
Your father&apos;s ID store...'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-5207663635016783450</id><published>2008-03-25T11:09:00.000-07:00</published><updated>2008-03-25T11:28:44.707-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><title type='text'>with Kim Cameron as Humpty Dumpty...</title><content type='html'>One of my favorite passages from Lewis Carroll is the dialog in "Through the Looking Glass" between Alice and Humpty Dumpty:&lt;br /&gt;&lt;br /&gt; &lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;   "There's glory for you!"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;    "I don't know what you mean by 'glory,' " Alice said.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;    Humpty Dumpty smiled contemptuously. "Of course you don't—till I tell you. I meant 'there's a nice knock-down argument for you!' 
"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;    "But 'glory' doesn't mean 'a nice knock-down argument,' " Alice objected.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;    "When I use a word," Humpty Dumpty said, in rather a scornful tone, "it means just what I choose it to mean—neither more nor less."&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;    "The question is, " said Alice, "whether you can make words mean so many different things."&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;    "The question is," said Humpty Dumpty. "which is to be master—that's all."&lt;/span&gt;&lt;/blockquote&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Kim &lt;a href="http://www.identityblog.com/?p=943"&gt;responded&lt;/a&gt; to yesterday's &lt;a href="http://vquill.com/2008/03/its-unsanitary-kim.html"&gt;post&lt;/a&gt; in the "metadirectory" discussion with a Humpty Dumpty answer. He starts off with a Cameronesque peace offering ("It seems like some of our &lt;a href="http://www.identityblog.com/?p=942"&gt;disagreement &lt;/a&gt;is a matter of terminology.") He then goes on to re-define "metadirectory" so that it becomes the answer to his question:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"Let’s make it clear that I see metadirectory as an evolving thing. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;* First generation metadirectory dealt exclusively with a managing applications that had been conceived without reference to each other - or to any common framework  (In truth, this is still an issue - see Jeff Bohren’s recent &lt;a href="http://idlogger.wordpress.com/2008/03/22/which-is-better-phillips-or-flat-head/"&gt;posting&lt;/a&gt; called “Which is better, Phillips or Flat-head?“). 
&lt;/span&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;* Second generation metadirectory has an additional focus:  providing the framework by which next-generation applications can become part of the distributed data infrastructure.  This includes publishing and subscription.  But that isn’t enough.  Other applications need ways to find it, name it, and so on. "&lt;/span&gt;&lt;/blockquote&gt;First to Jeff's posting. It's lovely. But it doesn't address the question. The application developer only cares about knowing how to access the data that the application needs. What form or format it's stored in doesn't make any difference. If the application developer only has SQL as the means of accessing data, then this puts the developer in the role of someone with a Phillips-head screwdriver trying to remove flathead screws, not the identity architect who provides multitudes of access protocols and methods for the identity data.&lt;br /&gt;&lt;br /&gt;Kim talks about a "second generation" metadirectory. Metadirectory 2.0 if you will. First time I've heard about it. First time anyone has heard about it, for that matter. There is no such animal. Every metadirectory on the market meets the definition which Kim provides as "first generation". It's time to move on away from the huge silo that sucks up data, disk space, RAM and bandwidth and move on to a more lithe, agile, ubiquitous and pervasive identity layer. Organized as an identity hub which sees all of the authoritative sources and delivers, via the developer's chosen protocol, the data the application needs when and where it's needed.&lt;br /&gt;&lt;br /&gt;I think, I hope, that Kim will agree with me that this ID layer (the "ID bus") instituted as a hub (or transformation device) is what we need to go forward. 
I'm not wedded to calling it the Virtual Directory, but I'm certainly not going to call it the metadirectory, either.&lt;br /&gt;&lt;br /&gt;Michel Prompt (who Kim quotes extensively) calls it the "context server."  I can certainly live with that.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-5207663635016783450?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/5207663635016783450/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=5207663635016783450' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5207663635016783450'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5207663635016783450'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/03/with-kim-cameron-as-humpty-dumpty.html' title='with Kim Cameron as Humpty Dumpty...'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-9035157770460078631</id><published>2008-03-24T08:14:00.000-07:00</published><updated>2008-03-24T08:33:22.124-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='EIC'/><category scheme='http://www.blogger.com/atom/ns#' term='saas'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><title type='text'>It's unsanitary, Kim!</title><content type='html'>In a &lt;a 
href="http://www.identityblog.com/?p=942"&gt;blog entry&lt;/a&gt; today, Kim Cameron both puts words in my mouth and twists the ones that come out to serve his "straw man" purpose.&lt;br /&gt;&lt;br /&gt;In commenting on my &lt;a href="http://vquill.com/2008/03/killing-metadirectory.html"&gt;recent post&lt;/a&gt; about the death of the metadirectory, he says: "&lt;span style="font-style: italic;"&gt;Who would want to get in the way of Dave’s metaphors?  He’s on a streak.  But he’s making a fundamental mistake, taking an extreme position that is uncharacteristically naive.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;What did I do? I advocated the virtual directory as the better vehicle for all of the ID data needed in the SaaS world.&lt;br /&gt;&lt;br /&gt;Kim implies that, somehow, I called for the virtual directory to be authoritative. That's simply not so. The virtual directory is merely the conduit to the authoritative source, wherever it might be. The application developer doesn't even need to know the authoritative source of the data - or need to re-write code if that source changes.&lt;br /&gt;&lt;br /&gt;But then he goes on to say: "&lt;span style="font-style: italic;"&gt;Application developers like to use databases and tables.  They have become expert at doing joins across tables and objects to produce quite magical results.  As people and things become truly first class objects in our applications, developers will want even more to include them in their databases.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;I couldn't agree more. As a developer, I always prefer to have a local cache of the data I need in a (for me) easily manipulated data structure. But that does not militate against the use of a virtual directory. Far from it. 
The application database (for those who cling to it like Linus and his blanket) now can serve two purposes - one to subscribe to virtual directory data and one to publish!&lt;br /&gt;&lt;br /&gt;The application database is the authoritative source of the application-generated data, and should be linked to the virtual directory which will consume this data and make it available for other applications and services. At the same time, any data which the application consumes - but which it is not authoritative for - can be populated at run-time from the virtual directory. For the developer who thinks this is a performance hit (and for whom accuracy is less important than an extra millisecond), a "synchronization stored procedure" would handle data changes without stealing precious time from the user-application interaction. It really is win-win.&lt;br /&gt;&lt;br /&gt;Now the argument could be made that a synchronization engine (such as in a provisioning system) could periodically update all of the various datastores with any new or changed identity data, but that simply takes the well-known synchronization problems of the metadirectory and magnifies them by the dozens, hundreds or thousands of application datastores within the organization. That's a recipe for disaster. If an individual developer, for an individual application, wishes to sacrifice accuracy and risk the potential of error caused by outdated data, or data whose location has changed, in the hope of a spurious speed improvement (almost immediately unnoticeable due to the fluctuating nature of network throughput), they'll quickly learn, I believe, that "haste makes waste."&lt;br /&gt;&lt;br /&gt;The further error Kim makes, though, is to believe that a virtual directory can't look like a SQL database to the application (or an XML database for web services developers). The folks at Radiant Logic would certainly disagree. 
It's all about the &lt;a href="http://www.radiantlogic.com/main/pdf/Page74.pdf"&gt;context&lt;/a&gt;. I'd invite Kim, and other skeptics, to our sessions on Identity and Context (including one about context and user-centric identity, as well as context and virtual directories) at next month's &lt;a href="http://www.kuppingercole.de/events/eic2008"&gt;European Identity Conference&lt;/a&gt; in Munich.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-9035157770460078631?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/9035157770460078631/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=9035157770460078631' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/9035157770460078631'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/9035157770460078631'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/03/its-unsanitary-kim.html' title='It&apos;s unsanitary, Kim!'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6111735819653561848</id><published>2008-03-21T08:00:00.000-07:00</published><updated>2008-03-24T08:33:57.979-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='standards'/><category scheme='http://www.blogger.com/atom/ns#' term='saas'/><category 
scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><title type='text'>Killing the Metadirectory</title><content type='html'>Kim Cameron &lt;a href="http://www.identityblog.com/?p=941"&gt;comments&lt;/a&gt; today about my &lt;a href="http://www.networkworld.com/newsletters/dir/2008/0310id1.html?nlhtident=ts_031008&amp;amp;nladname=031008security:identitymanagemental"&gt;column&lt;/a&gt; ("Is the metadirectory dead?") which was inspired by Kim's erstwhile colleague Jackson Shaw's &lt;a href="http://jacksonshaw.blogspot.com/2008/03/you-wont-have-me-to-kick-around-anymore.html"&gt;blog entry&lt;/a&gt; ("You won't have me to kick around anymore!") which included the lines: "Let's be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead."&lt;br /&gt;&lt;br /&gt;My interpretation is that the metadirectory has finally given way to the virtual directory as the synchronization engine for identity data. Kim interprets it differently. He talks about the "&lt;a href="http://www.networkworld.com/newsletters/dir/2008/0324id1.html"&gt;Identity Bus&lt;/a&gt;" and says that "...you still need identity providers.  Isn’t that what directories do?  You still need to transform and arbitrate claims, and distribute metadata.  Isn’t metadirectory the most advanced technology for that? " And I have to answer, "no." The metadirectory is last century's technology and its day is past.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.networkworld.com/newsletters/dir/2006/0807id1.html"&gt;Virtual Directory&lt;/a&gt;, the "Directory as a Service", is the model for today and tomorrow. Data that is fresh, always available and available anywhere is what we need. The behemoth metadirectory, with its huge datastore and intricate synchronization schedule (yet never quite up to date), is just not the right model for the nimble, agile world of today's service-driven computing. 
But the "bus" Kim mentions could be a good analogy here - the metadirectory is a lumbering, diesel-spewing bus. The virtual directory? It's a zippy little Prius...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6111735819653561848?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6111735819653561848/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6111735819653561848' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6111735819653561848'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6111735819653561848'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/03/killing-metadirectory.html' title='Killing the Metadirectory'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-5123443966964421438</id><published>2008-02-15T08:11:00.000-08:00</published><updated>2008-02-15T08:13:38.401-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='openid'/><category scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category scheme='http://www.blogger.com/atom/ns#' term='standards'/><category scheme='http://www.blogger.com/atom/ns#' term='liberty alliance'/><category scheme='http://www.blogger.com/atom/ns#' term='digital identity'/><title type='text'>Off Course-On Target</title><content 
type='html'>Wayne Hodgins' blog is called "Off Course-On Target" and subtitled "Where unexpected paths lead to great discoveries." &lt;a href="http://waynehodgins.typepad.com/ontarget/"&gt;Today&lt;/a&gt; he took a look at digital identity and fretted over the lack of uniform standards. But it's the analogy and stories Wayne tells - especially about how the shape of screw threads could have lost World War II for the Allies - that make it such fascinating reading.&lt;br /&gt;&lt;br /&gt;And the moral - perhaps best stated as "the perfect is the enemy of the good" - is something the entire IdM community should take to heart. Consensus and compromise should be our watchwords.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-5123443966964421438?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/5123443966964421438/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=5123443966964421438' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5123443966964421438'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5123443966964421438'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/02/off-course-on-target.html' title='Off Course-On Target'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-2678829176049189192</id><published>2008-01-25T09:10:00.000-08:00</published><updated>2008-01-25T09:24:28.750-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Catalyst'/><category scheme='http://www.blogger.com/atom/ns#' term='Burton Group'/><title type='text'>Unexpected moves</title><content type='html'>Right out of left field comes the announcement that Mike Neuenschwander, formerly Burton Group Vice President and Research Director, has joined Mycroft, Inc. as General Manager. I covered Mycroft ("&lt;a href="http://www.networkworld.com/newsletters/dir/2007/0709id1.html"&gt;A marriage, a hot couple, and a single looking for a date at Catalyst&lt;/a&gt;") at last summer's Catalyst conference where they announced the merger with Talisen Technologies.  Their business is implementing IdM solutions  from other vendors - they're in the service delivery and  solution implementation business.&lt;br /&gt;&lt;br /&gt;The press release said little about what Mike's role will be, so we'll just have to see how it evolves, but  I am saddened that I won't have Mike to "&lt;a href="http://www.networkworld.com/newsletters/dir/2007/0702id1.html"&gt;kick around&lt;/a&gt;" anymore after his Catalyst speeches!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-2678829176049189192?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/2678829176049189192/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=2678829176049189192' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3529143/posts/default/2678829176049189192'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2678829176049189192'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/01/unexpected-moves.html' title='Unexpected moves'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-8762620601349203093</id><published>2008-01-11T08:33:00.000-08:00</published><updated>2008-01-11T08:57:17.375-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ownership'/><category scheme='http://www.blogger.com/atom/ns#' term='social networks'/><category scheme='http://www.blogger.com/atom/ns#' term='attributes'/><category scheme='http://www.blogger.com/atom/ns#' term='relationship'/><title type='text'>Whose data is it?</title><content type='html'>The Burton Group's Bob Blakley has a great post ("&lt;a href="http://identityblog.burtongroup.com/bgidps/2008/01/antisocial-netw.html"&gt;Antisocial Networking&lt;/a&gt;") today about the Facebook-Scoble &lt;a href="http://techdirt.com/articles/20080103/124455.shtml"&gt;story&lt;/a&gt;. The essence (or, at least &lt;span style="font-weight: bold;"&gt;one&lt;/span&gt; essence) of Bob's note is that relationships are a different order of data from attributes. As he says:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;Even the fact of your relationship with Scoble is not Scoble’s property, it is common property, like the kids in a joint custody arrangement.  
Both you and Scoble are obligated by the laws of relation &lt;a href="http://identityblog.burtongroup.com/bgidps/2007/05/the_law_of_rela.html"&gt;here&lt;/a&gt; and &lt;a href="http://identityblog.burtongroup.com/bgidps/2006/10/law_of_relation.html"&gt;here&lt;/a&gt; to treat the fact that you have a relationship, and also the details of the relationship, according to certain understandings and social conventions. If you don’t believe this, meditate on whether you think it would be OK for adultfriendfinder.com, match.com, and linkedin to share friend lists.  The information Scoble tried to take out of Facebook is NOT Scoble’s property; it is relationship information.  Scoble is not free to do whatever he pleases with relationship information; if he violates social understandings and conventions by disclosing the existence of or certain information about his relationship with you in the wrong context, he may embarrass or endanger you, and he will certainly endanger the relationship.&lt;/span&gt;"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;And that's what it's all about.&lt;br /&gt;&lt;br /&gt;Of course, not all relationships are reciprocal. I have a relationship with Edith Piaf - I'm a great admirer of her singing. The relationship isn't reciprocated, of course, and not only because she's been dead for many years. But I also have a relationship with the very lively Tom Hanks, of whom I'm a fan. I don't think Tom is one of my regular readers, though, so I doubt the "fan" relationship is reciprocated.&lt;br /&gt;&lt;br /&gt;Human relationships may need to be classified similarly to mathematical &lt;a href="http://en.wikipedia.org/wiki/Transitive_relation"&gt;transitivity&lt;/a&gt;. 
There are:&lt;ul&gt;&lt;li&gt;reciprocal relationships (e.g., a is friends with b and b is friends with a); &lt;/li&gt;&lt;li&gt;non-reciprocal relationships (e.g., a is a fan of b but b is not a fan of a); &lt;/li&gt;&lt;li&gt;relatively reciprocal relationships (e.g., a is father to b, b is daughter to  a); and&lt;/li&gt;&lt;li&gt;asymmetric relationships (e.g., a loves b, b can't stand a).&lt;/li&gt;&lt;/ul&gt;Some of these relationships will need joint permission for publication, some won't. Some will allow unidirectional publication, some will require it. It's not going to be easy, it's not going to happen soon, but a relationship calculus is going to be necessary for this to work at all.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-8762620601349203093?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/8762620601349203093/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=8762620601349203093' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8762620601349203093'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8762620601349203093'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/01/whose-data-is-it.html' title='Whose data is it?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-6540907629240619831</id><published>2008-01-07T07:54:00.000-08:00</published><updated>2008-01-07T07:55:45.499-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='humor'/><title type='text'>Big fish, little pond?</title><content type='html'>A &lt;a href="http://www.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&amp;amp;newsId=20080107005636&amp;amp;newsLang=en"&gt;Press Release&lt;/a&gt; I just read promotes L-1 Identity Solutions' decision to acquire Bioscrypt, which is referred to as "Bioscrypt Inc., the leading provider of enterprise access control solutions headquartered in Ontario Canada,..."&lt;br /&gt;&lt;br /&gt;I wonder how many other providers of enterprise access control solutions are headquartered in Ontario?  :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-6540907629240619831?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/6540907629240619831/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=6540907629240619831' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6540907629240619831'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/6540907629240619831'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/01/big-fish-little-pond.html' title='Big fish, little pond?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-8419797354623388219</id><published>2008-01-03T17:42:00.000-08:00</published><updated>2008-01-03T17:47:39.242-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='user centric'/><category scheme='http://www.blogger.com/atom/ns#' term='social networks'/><title type='text'>Promulgating the social graph</title><content type='html'>Julian Sanchez, over at &lt;a href="http://techdirt.com/articles/20080103/124455.shtml"&gt;Techdirt&lt;/a&gt; gets it while many in the identity community - and even more who are involved in social networking - don't.&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;"&lt;span style="font-style: italic;"&gt;Intuitively, it makes sense for users to be able to make whatever use they please of information about their own social networks. But in a social network, "your" information is someone else's as well.&lt;/span&gt;"&lt;/blockquote&gt;Exactly!&lt;br /&gt;&lt;br /&gt;The point about relationship data is that there is a &lt;span style="font-weight: bold;"&gt;relationship&lt;/span&gt;. And a relationship, like a contract, has two sides (well, it could have more - but that's kinky).  Both sides need to be involved in the decision to  distribute the relationship data. Both sides need to agree. Unless, of course, the whole "friendship" is one way. 
But imaginary relationships are best had with imaginary friends...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-8419797354623388219?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/8419797354623388219/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=8419797354623388219' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8419797354623388219'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/8419797354623388219'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2008/01/promulgating-social-graph.html' title='Promulgating the social graph'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-4590735426031746706</id><published>2007-12-21T07:57:00.000-08:00</published><updated>2007-12-21T07:59:39.974-08:00</updated><title type='text'>Happy Holidays!</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://davekearns.com/xmas07/xmas07a.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://davekearns.com/xmas07/xmas07a.JPG" alt="" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/3529143-4590735426031746706?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/4590735426031746706/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=4590735426031746706' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4590735426031746706'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4590735426031746706'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2007/12/happy-holidays.html' title='Happy Holidays!'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-5376665238130667267</id><published>2007-12-15T13:10:00.000-08:00</published><updated>2007-12-16T09:36:42.440-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='user centric'/><category scheme='http://www.blogger.com/atom/ns#' term='DIDW'/><title type='text'>The end of 'user-centric' identity?</title><content type='html'>In light of the last "&lt;a href="http://vquill.com/2007/12/tools-are-just-tools-you-know.html"&gt;tools&lt;/a&gt;" posting it's interesting to note that Digital ID World's Eric Norlin recently posted their &lt;a href="http://blogs.csoonline.com/identity_predictions_it_begins"&gt;predictions&lt;/a&gt; for 2008 at CSO online and included this one:&lt;br /&gt;&lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;User-centric’ 
identity protocols will stop calling themselves ‘user-centric’: This is an adoption story. ‘User-centric’ protocols will gain some actual adoption in 2008 (yes, I'm implying that they haven't yet gotten any ‘real’ adoption). In so doing, the ‘folks in the know’ in that movement will *stop* prefacing everything they say with the words ‘user-centric,’ as they realize that their protocols may have been designed with that laudable goal in mind, but the terminology is just getting in the way. Instead of describing an ideal, they'll begin describing what they *do.*&lt;/span&gt;"&lt;br /&gt;&lt;/blockquote&gt;It &lt;span style="font-weight: bold;"&gt;is&lt;/span&gt; about time we stopped debating philosophy and started talking implementation, isn't it?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-5376665238130667267?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/5376665238130667267/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=5376665238130667267' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5376665238130667267'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/5376665238130667267'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2007/12/end-of-user-centric-identity.html' title='The end of &apos;user-centric&apos; identity?'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-1116425595504748164</id><published>2007-12-13T14:23:00.000-08:00</published><updated>2007-12-15T13:21:00.602-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='user centric'/><title type='text'>Tools are just tools, you know</title><content type='html'>I've always been impressed by Pamela Dingle's ability to cut through the rhetoric and get to the heart of a problem. She's done it again.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.pingidentity.com/blog/ctotalk/2007/11/19/User-Centric-Identity-Within-the-Enterprise"&gt;Patrick Harding&lt;/a&gt;, &lt;a href="http://blogs.oracle.com/talkingidentity/2007/12/04#a209"&gt;Nishant Kaushik&lt;/a&gt;, &lt;a href="http://netmesh.info/jernst/Comments/nishant-user-centric-in-enterprise-question.html"&gt;Johannes Ernst&lt;/a&gt; and &lt;a href="http://360tek.blogspot.com/2007/12/user-centricity-in-enterprise.html"&gt;Matt Flynn&lt;/a&gt; recently participated in an impassioned (if not actually heated) discussion of User-Centric identity in the enterprise. Pamela &lt;a href="http://eternaloptimist.wordpress.com/2007/11/28/user-centric-implications/"&gt;chimed in&lt;/a&gt; with her usual level-headed approach.&lt;br /&gt;&lt;br /&gt;Then, after the guys debated philosophy, Pamela - once again - &lt;a href="http://eternaloptimist.wordpress.com/2007/12/11/where-does-philosophy-end-and-problem-solving-begin/"&gt;reminded them&lt;/a&gt; that using the tools of so-called "user centric" identity (CardSpace and OpenID, for example) doesn't require buying into any sort of philosophy of data control. They're simply &lt;span style="font-style: italic;"&gt;tools&lt;/span&gt;.  
As she put it: "If you try to tell me that using a tool such as the Identity Metasystem to accomplish something other than a user-centric philosophy is wrong, I will also laugh at you."&lt;br /&gt;&lt;br /&gt;As I &lt;a href="http://www.networkworld.com/newsletters/dir/2007/0402id1.html"&gt;said&lt;/a&gt; last spring, "I’m addressing the enterprise market, which needs to pay attention to CardSpace right now." CardSpace and the identity metasystem - whether all Microsoft or using open source tools - can be a very useful tool in the enterprise, especially in an enterprise which uses a lot of home-grown applications and services. Not only for authentication (and the simplified signon possibilities), but also for authorization, role management and fine-grained entitlement control.&lt;br /&gt;&lt;br /&gt;Tools are just tools. Use the tool that does what you want at the price you're willing to pay and let others worry about the philosophical implications.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-1116425595504748164?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/1116425595504748164/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=1116425595504748164' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1116425595504748164'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/1116425595504748164'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2007/12/tools-are-just-tools-you-know.html' title='Tools are just tools, you know'/><author><name>Dave 
Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-4599604326343675073</id><published>2007-12-06T08:23:00.000-08:00</published><updated>2007-12-06T08:40:16.920-08:00</updated><title type='text'>IIW ages gracefully</title><content type='html'>We've just finished the fifth Internet Identity Workshop, and it appears that a milestone has been reached - or, perhaps, that a corner has been turned. Phil Windley &lt;a href="http://blogs.zdnet.com/BTL/?p=7244"&gt;posted&lt;/a&gt; a good, succinct history of the previous meetings in his review, and I do agree with his conclusion that reputation services appear to be the "next big thing" for IIW.  But what I saw this week was a decided maturing of the event - the &lt;a href="http://projectconcordia.org/index.php/Main_Page"&gt;Concordia&lt;/a&gt; people, for example, were there - but spent almost all their time closeted with each other. Likewise, those involved in &lt;a href="http://osis.netmesh.org/wiki/Main_Page"&gt;OSIS&lt;/a&gt; spent most of their time planning their next interoperability event.&lt;br /&gt;&lt;br /&gt;The 2.0 spec for OpenID was finalized (and released) and discussion begun on the next version. 
The conversation has moved from "do we need OpenID" to "how can we leverage OpenID?"&lt;br /&gt;&lt;br /&gt;Dale Olds (from the &lt;a href="http://www.bandit-project.org/index.php/Welcome_to_Bandit"&gt;Bandit Project&lt;/a&gt;) even led a session entitled "Open source identity systems in the enterprise," a topic that would have been anathema for this group just a couple of years ago.&lt;br /&gt;Not that there was a lack of wild-eyed idealism, mind you, just that it was tempered a bit by pragmatic considerations and the possibility that personal, user-centric identity can peacefully co-exist with enterprise-centric identity. Not only are the ID Geeks getting older, they also appear to be getting wiser.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-4599604326343675073?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/4599604326343675073/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=4599604326343675073' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4599604326343675073'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/4599604326343675073'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2007/12/iiw-ages-gracefully.html' title='IIW ages gracefully'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' 
src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-2825531181464515649</id><published>2007-11-14T09:47:00.000-08:00</published><updated>2007-11-14T09:56:52.073-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Gartner'/><category scheme='http://www.blogger.com/atom/ns#' term='trade show'/><title type='text'>Gartner IAM Conference</title><content type='html'>I'm in LA for the Gartner ID conference, an event which I skipped last year. So far, I think I should have skipped this year, also.&lt;br /&gt;&lt;br /&gt;The kickoff keynote was by Gartner VP Toby Bell. He's not, though, a VP in their identity practice, or anything close to it. According to his bio, his "&lt;span&gt;&lt;span style="font-style: italic;"&gt;key areas of coverage include vendors and trends in the enterprise content management (ECM) marketplace, business process management (BPM) as it applies to enterprise content (CEVA/WEBA), and content strategy, valuation, mining and analytics&lt;/span&gt;." He spoke about "reputation" but his biggest takeaway was "Reputation is useless in an anonymous world." I guess whistle-blowers aren't allowed in his reputation universe.&lt;br /&gt;&lt;br /&gt;Right now I'm listening to "Financial Crimes Expert" (does that mean he's a former criminal?), Robert Rebhan. Actually, he's a former LA cop. He's talked about Shakespeare, the bible, and Batman while telling stories about "identity theft", that cringe-inducing term. 20 minutes into his talk, "Advancing Your Fraud Prevention Tactics: A Unique Look into Identity Theft and Financial Crimes" we've yet to hear the first tactic. 
But we have heard about how waiters &amp;amp; hookers steal credit card numbers.&lt;br /&gt;&lt;br /&gt;And the internet access is spotty, too.&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-2825531181464515649?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/2825531181464515649/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=2825531181464515649' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2825531181464515649'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/2825531181464515649'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2007/11/gartner-iam-conference.html' title='Gartner IAM Conference'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3529143.post-444740512502864621</id><published>2007-11-06T09:23:00.000-08:00</published><updated>2007-11-06T09:34:11.937-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category scheme='http://www.blogger.com/atom/ns#' term='liberty alliance'/><category scheme='http://www.blogger.com/atom/ns#' term='oracle'/><title type='text'>More self-issued stuff</title><content type='html'>Jeff Bohren &lt;a href="http://talk.bmc.com/blogs/blog-bohren/jeff-bohren/house-of-cards"&gt;jumps&lt;/a&gt; into the discussion 
but unfortunately misses the target and crashes badly.&lt;br /&gt;&lt;br /&gt;He says: "&lt;span style="font-style: italic;"&gt;First party claims such as personal info can and should be made directly by   the consumer who owns them. Information Cards provide a convenient way to do   that. I see no compelling business case for a third party to make first   party claims in a B2C scenario.&lt;/span&gt;" But there is a definite compelling reason - we rarely believe (or, at least, we shouldn't believe) without verification the claims that a stranger makes to us. Just ask any single woman who goes to a bar on a Saturday night! The third party, the &lt;span style="font-weight: bold;"&gt;trusted&lt;/span&gt; third party, provides validation for the claims. The claims are offered by the first party, directed by the first party and even initiated by the first party, but without the validation of the third party they are completely worthless.&lt;br /&gt;&lt;br /&gt;He goes on to note: "&lt;span style="font-style: italic;"&gt;The mistake is saying an identity oracle can   divulge whether your credit is good enough for the purposes of the   transaction without divulging your credit score itself. I don’t believe that   is possible in practice. If you say 'Jeff’s credit score is as good as %90   of the people who have not defaulted on a loan of that amount', then you   have for practical purposes divulged Jeff’s credit score. &lt;/span&gt;" Um, no, you haven't. Any more than the Oracle agreeing that you are of legal age to purchase alcohol could be said to 'divulge' your age. "Over 21" covers a whole lot of ground. A validation that I am of legal age to buy says nothing about whether I'm of legal age to claim Social Security benefits, far less is it an indicator of my actual age. For the credit score, the RP decides what score is acceptable and asks the Oracle if the first party's score meets that criteria. 
No numbers are divulged, but the transaction can proceed.&lt;br /&gt;&lt;br /&gt;In general, we need to think of the Identity Oracle as a binary soothsayer - only yes or no answers are forthcoming.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3529143-444740512502864621?l=newvquill.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://newvquill.blogspot.com/feeds/444740512502864621/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3529143&amp;postID=444740512502864621' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/444740512502864621'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3529143/posts/default/444740512502864621'/><link rel='alternate' type='text/html' href='http://newvquill.blogspot.com/2007/11/more-self-issued-stuff.html' title='More self-issued stuff'/><author><name>Dave Kearns</name><uri>http://www.blogger.com/profile/11089258393497844520</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='31' src='http://4.bp.blogspot.com/_ggCCFONnnt4/SNGXMezTtAI/AAAAAAAAAGw/lLYQG4TEry8/S220/oldmanandapint.jpg'/></author><thr:total>0</thr:total></entry></feed>
