TIARA.ORG – A MAJOR IDENTITY SITE

O.K.  I've hit a gold mine.  It's called Tiara.org.  Who or what is Tiara?  “A PhD student in the Department of Culture and Communication at NYU, studying social technology from a feminist perspective.”  Go to her “About me” page and it has everything except… a name – at least in a form straightforward enough to come up in a search engine.  So for me she's just Tiara.

Tiara has assembled a spectacular identity bibliography.  I'm going to ask if she'll let me put it up on identityblog – with credit to her, of course.

It turns out Tiara had blogged about the Times’ Facebook story over the weekend.  Somehow through the miracles of ping-backs this floated past my desktop:

Kim Cameron, the architect of MS’ Infocard Identity Metasystem, which I’m not at all a fan of, writes a great post on Facebook and the globalization of identity, based on the NYT article I blogged over the weekend.

Wow.  Such a smart person is not a fan of the identity metasystem.  I need to find out more about this.  None the less, we seem to agree when it comes to some of the issues raised in the Facebook article.  After quoting my piece, she continues:

Beautiful point: Facebook (& MySpace) are extremely performative communities, where the values being espoused– being cool, being “hard”, being sexy, being transgressive, being resistant– are those of mythical teenage worlds. There’s not just a generation gap between teens/young adults and their future possible bosses, there’s a culture gap between the “professional world”, where we’re not really supposed to have any sort of interesting personal lives (witness the furor over academic blogging), and the “online world”, where we’re supposed to be larger-than-life (microcelebrity again!).

I also like Cameron’s point about companies not being “invited” into these worlds. I definitely feel that Facebook is a private community, and I don’t go poke around looking for my undergraduate students, because it’s none of my business what they do in their private lives. But, again, as I said the other day, there are no regulations about searching social networking sites (or even just Google) , and there aren’t likely to be. The justification that it’s public information trumps the contextualization argument.

I talked to someone else recently who said that their local sheriff’s office uses MySpace as a first resource whenever they are looking for something or bringing someone in — of course it’s a young receptionist who does the searching. And universities like UC Santa Barbara are formulating specific policies to discipline students based on their Facebook information. So although I agree with Cameron, it’s really irrelevant. As long as sites like MySpace and Facebook are viewed as public information, they will not enjoy any type of protection from authorities or employers.

It's not really irrelevant.  There are a lot of issues buried here, and I'm not about to give up the ghost on them. 

One question I have is whether it is possible for an operator to provide access to a site for specific reasons – and prevent it for others.  In other words, is it possible to require those entering a site to sign a binding statement of use?  Can liability be associated with breaking such an agreement? 

Let's go further.  Is it possible to prevent usage of a site for commercial purposes, or purposes of employment, or in the interests of an employer? 

I'm going to be at the identity mashup hosted by Berkman Center for Internet and Society at the Harvard Law School next week.  I should probably be able to find a few (hundred) lawyers there.  I'll try to find out more about these issues. 

But as Tiara says in her own interesting post on the matter:

So what’s “the solution”? I’ve heard three:
1. Young people should stop putting content online.
2. Recruiters and employers shouldn’t use Google or Facebook to research potential candidates (don’t hear this one very often, although you’d think in a country where it’s illegal to ask people to include a snapshot with their resume, there might be potential room for legislation here).
3. We just have to wait until there’s no longer a divide between your “work” persona and your “life” persona. I know this sounds stupid, but I heard it from the CEO of Facebook.  (Tiara heard it from the CEO of Facebook??? – Kim)

And here’s what’s actually happening: People are obfuscating personal data by using pseudonyms that can only be identified within situated, contextual networks, or by using services which allow them to restrict who can view their personal information. This is really the only one of these solutions which makes any sense.

O.K.  So we totally agree.  Contextual separation is one of the main concepts behind the identity metasystem.  I suspect she has impressions of what we are trying to do that just aren't accurate.

In truth, InfoCards and the metasystem have been designed to enable privacy while still being able to make provable assumptions.  For example, the system can be used to allow you to limit access to your site to full-time students – and recognize them when they return – without actually knowing their names or exposing their identities to the digital grim reaper.  The very problems Tiara worries are not solvable are actually some of those addressed by this system.

And in truth, they have to be addressed if the resulting infrastructure is to be consistent with the “third law of identity”.  Identity information should only be available to relevant parties.  As an industry we need to think about how the virtual fabric will work and offer people separation of context – or there will be a further and terrible erosion of confidence in cyberspace by those who constitute its future inhabitants.

FACEBOOK AS A BACKGROUND CHECK

If you missed this article in Sunday's New York Times, I suggest you read it.  Alan Finder, the author, has done a great job of driving the issues home.  My son Max called me long distance and said, “Dad – you have to read this.  It's very much related to what you've been working on.”  Imagine – my kids finally understand what I'm doing!  Against all predictions, it turns out Max is now himself trying to help a brick and mortar institution understand that it needs to live on the web – and he looks at the privacy and identity issues as something that will shape young people's attitudes going forward.

I won't quote the Times article in its entirety.  The paper requires an email address to get to their stuff – and then sends you spam for having given you access.  But it's in the public interest to get the main points across.

The Times article describes how companies are using information posted in Facebook (and other similar sites) to vet job applicants.  And even more interestingly, it reports on the reactions of the applicants as they begin to understand what is happening.  They had thought they were releasing information in a context where drama and posturing (dare we say ‘humor’?) are the norm – and in what is supposedly a closed community centered around the university.  But they suddenly found it had been globalized – and was now available to anyone, anywhere for any purpose.

It seems that executives are put off by a candidate looking to party who describes his interests as “smokin’ blunts” (cigars hollowed out and stuffed with marijuana), shooting people and obsessive sex, all described in vivid slang.  (That's funny – sounds like an interesting enough guy to me.)

As Finder says, “It did not matter that the student was clearly posturing. He was done.”

“A lot of it makes me think, what kind of judgment does this person have?” said the company's president, Brad Karsh. “Why are you allowing this to be viewed publicly, effectively, or semipublicly?”

I don't think Brad was invited into the kids’ Facebook world.  A virtual world, by the way.  Where people are actually allowed to be metaphorical.  Why is he following the kids into their heads?  Can't they have fantasies?

The article says:

Many companies that recruit on college campuses have been using search engines like Google and Yahoo to conduct background checks on seniors looking for their first job. But now, college career counselors and other experts say, some recruiters are looking up applicants on social networking sites like Facebook, MySpace, Xanga and Friendster, where college students often post risqué or teasing photographs and provocative comments about drinking, recreational drug use and sexual exploits in what some mistakenly believe is relative privacy…

“It's a growing phenomenon,” said Michael Sciola, director of the career resource center at Wesleyan University in Middletown, Conn. “There are lots of employers that Google. Now they've taken the next step…”

Companies can gain access to the information in several ways. Employees who are recent graduates often retain their college e-mail addresses, which enables them to see pages. Sometimes, too, companies ask college students working as interns to perform online background checks, said Patricia Rose, the director of career services at the University of Pennsylvania.

Another student, having no luck finding a job, researched himself on Google and found an old link to a satirical essay he had done, “Lying Your Way to the Top”.  Once he had that link removed, he suddenly started receiving offers.

“I never really considered that employers would do something like that,” he said. “I thought they would just look at your résumé and grades.”

The way today's college students use the web is remarkable and innovative.  But for many of them, their whole email correspondence and a lot of their social life is etched in bits.  That's why getting the identity metasystem right is really a gift for them.

This brings us back to compartmentalization.  In the old days, we said and even did things in our student days that we might later have regretted.  But our acts and phrases weren't globalized, written into an eminently searchable Book of Life that would be read not by God, but by man, with all of his imperfections and pomposity.

Sites like Facebook need to start getting on the identity bandwagon, looking into new mechanisms for trusted yet anonymous assertions, or they'll lose the trust of their users.  More on the dangers of globalized personal information to come…

 

ENTERPRISE AND INDIVIDUAL IDENTITY

James McGovern over at Enterprise Architecture: Thought Leadership has a nice post where he poses questions for a bunch of his blogrollers.

It's not that the questions are wicked.  He asks Dan Blum:

Would it be possible for you to figure out creative ways for others to observe the client/analyst dialog in a more public fashion? What would it take for you to start blogging more frequently?

Pat Patterson gets this one:

What would it take for you to get Liberty Alliance to embrace the WS-Federation specification? Having federation capabilities built directly into an operating system is liberating…

And for me:

I would love it if you could start talking about identity from a corporate perspective and not stay exclusively focused on consumer-centric identity. You can leave the consumer stuff to Dick Hardt…

It's true I've been dealing a lot with user-centric identity.  But James, the future of the corporation will unfold largely in the virtual world.  What will then be more important to a corporation than its relationships with its “consumers”?  The lack of a reliable grid for dealing with the individual in the digital world is, in the big picture, the most urgent corporate identity issue of our time. That's one of the reasons I was led into the problem area.

The most important thing about the identity metasystem is the way it creates a unified infrastructure reaching between the corporation (or organization) and the individual (aka consumer).

What are we going to have?  One set of precepts that faces towards the inside of the corporation, and another completely different set that faces the outside?  That doesn't compute, and my work on this blog applies to both sides of this boundary.

The whole evolution of business is towards a more open mesh of interconnecting organizations in which individual relationships are key.  So empowering the individual within the organization will increasingly become the most important aspect of empowering the corporation.  The dichotomy you propose is a false one.

One of the most interesting trends I've seen is that of enterprises “kicking their employees out of the firewall”.  This isn't a good strategy in all cases, for sure, but I've seen a bunch of studies of companies that have slashed IT expenditures by treating their own employees as external individuals (factors of 10)!  More than one of these just tell their employees to buy their own PCs outfitted with various programs “off the street” and expense them back to the company – and still get order of magnitude savings.  Only their line of business apps remain behind the firewall.

I'm not proposing this as a direction forward – simply reporting on trends I see.

Reliable identity-based collaboration between individual users which also integrates with organizational identity will empower both the users and the organizations.  Making progress on this front is the most important single thing we can do right now to help the corporations we work for benefit from technology.  That is the big picture.

One key takeaway from your request is that I should explain where I'm coming from a lot better.  On a related theme, I'm getting ready to spend more time on the challenges of being “the relying party” in identity transactions, so I'll try to build these notions into what I'm writing.

You probably know that metadirectory, self-management and provisioning of identities all form an interconnected cluster of passionate interests for me.  Note to self:  start writing about these issues too.

GUIDANCE AND TEST PLAN FOR RELYING PARTIES

I got a note recently from federation master Mike Beach – a man with a great deal of experience in terms of how users react to security:

Is it just me or does your site have an invalid cert.  When I attempt to
login using my new Infocard in IE7 I get the infamous “warning, go back, do
not enter, danger ahead” and things go all red (really more pink).

Given the primary drivers of Infocard are to save us from all the web evils
of today it would seem this is contrary reinforcement when I must ignore all
the security warnings to log in.

I thought, “That's weird.  I don't get that problem.”  – you know, the ancestral “That's funny.  It doesn't happen on MY box.”  But of course it really was happening to Mike, so I wrote back and asked if he could send some screenshots.  It turned out this wasn't necessary – he had already figured out the problem.

He had been visiting identityblog using this URL:  https://www.identityblog.com/.  

When he clicked on Login he was redirected to https://identityblog.com/wp-login.php.  

But my certificate is limited to https://www.identityblog.com/.  Therefore IE (correctly) saw Mike's identityblog.com and the certificate's www.identityblog.com as being different – resulting in the reddish bar.  It looked like this:

 

That's enough to confuse anyone.  So clearly, redirecting to something that isn't consistent with your certificate is a no-no.  I was setting up an experience that would undermine my user's understanding of what was happening to her, breaking law six.  I should have been checking and redirecting to www.identityblog.com even if the user didn't supply the “www”.  Strangely, I had done the Dashboard link correctly – it was only the Login link that had the error.

All of which goes to show there are a set of gotchas that we have to nail down in terms of establishing prescriptive guidance for how a site should deal with these issues in order to be consistent.  We need a checklist – or better still, a test plan.  A wiki would be a good way to elaborate this.

Another big takeaway is that an identity 2.0 relying party has an obligation to make sure it doesn't do things that send mixed signals (in my case, nice InfoCard experience but big red warning bar in IE).  Everyone has to co-operate with the goal of not confusing the user.

It's worth pointing out that none of this is primarily an InfoCard problem.  The same considerations apply to any use of https.  But in the InfoCard case we want to make sure we have the deployment practices nailed down to a higher level than has previously been the case.
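One possible test-plan item for the redirect problem described above, as an added example (not code from identityblog or its InfoCard library): it checks every link or redirect target a site emits against the DNS names in its certificate and rewrites offenders to the canonical host. The function names, the certificate name list and the Dashboard URL are constructed assumptions; the other two URLs are the ones quoted in the post.

```python
from urllib.parse import urlsplit

# Constructed inputs: names the certificate is assumed to cover, and the
# targets the site links or redirects to (Dashboard URL is an assumption).
CERT_NAMES = ["www.identityblog.com"]
SITE_LINKS = [
    "https://www.identityblog.com/",
    "https://www.identityblog.com/wp-admin/",   # assumed Dashboard link
    "https://identityblog.com/wp-login.php",    # the Login redirect from the post
]


def host_matches(cert_name: str, host: str) -> bool:
    """True if `host` is covered by one certificate DNS name.

    A wildcard is honored only as the whole leftmost label and stands for
    exactly one label, so "*.example.com" covers "a.example.com" but not
    "example.com" or "a.b.example.com".
    """
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pattern) != len(labels) or not labels[0]:
        return False
    if pattern[0] == "*" and len(pattern) >= 3:
        return pattern[1:] == labels[1:]
    return pattern == labels


def audit_links(cert_names, urls):
    """Return (url, reason) for every target that would trigger a warning."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            findings.append((url, "not https"))
        elif not any(host_matches(name, host) for name in cert_names):
            findings.append((url, f"host {host!r} not covered by certificate"))
    return findings


def canonicalize(url: str, canonical_host: str) -> str:
    """Rewrite `url` to the canonical host, keeping path, query and port."""
    parts = urlsplit(url)
    if parts.hostname == canonical_host:
        return url
    netloc = canonical_host + (f":{parts.port}" if parts.port else "")
    return parts._replace(netloc=netloc).geturl()


if __name__ == "__main__":
    for url, reason in audit_links(CERT_NAMES, SITE_LINKS):
        print(f"FAIL {url}: {reason}")
        print(f"     use {canonicalize(url, CERT_NAMES[0])}")
```

Run against a real deployment, the two lists would come from the served certificate's subjectAltName entries and from a crawl of the site's links and redirect responses.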

PERSONAL INFOCLOUD

Somehow I tumbled into Personal InfoCloud today.  It's a thought provoking site by Thomas Vander Wal, with all kinds of nooks and crannies that lurch off into explorations, from many points of view, of how information and technology could be restructured from the vantage point of the individual.  You should poke around yourself to get a sense for how these ideas hold together;  but here's part of a post on the Come To Me Web:

The improved understanding of the digital realm and its possibilities beyond our metaphors of the physical environment allows us to focus on a “Come to Me” web. What many people are doing today with current technologies is quite different than was done four or five years ago. This is today for some and will be the future for many.

When you talk to people about information and media today they frame it in terms of, “my information”, “my media”, and “my collection”. This label is applied to not only information they created, but information they have found and read/used. The information is with them in their mind and more often than not it is on one or more of their devices drives, either explicitly saved or in cache.

Many of us as designers and developers have embraced “user-centered” or “user experience” design as part of our practice. These mantras place the focus on the people using our tools and information as we have moved to making what we produce “usable”. The “use” in “usable” goes beyond the person just reading the information and to meeting people's desires and needs for reusing information. Microformats and Structured Blogging are two recent projects (among many) that focus on and provide for reuse of information. People can not only read the information, but can easily drop the information into their appropriate application (date related information gets put in the person's calendar, names and contact information are easily dropped into the address book, etc.). These tools also ease the finding and aggregating of the content types.

As people get more accustomed to reusing information and media as they want and need, they find they are not focussed on just one device (the desktop/laptop), but many devices across their life. They have devices at work, at home, mobile, in their living space and they want to have the information that they desire to remain attracted to them no matter where they are. We see the proliferation of web-based bookmarking sites providing people access to their bookmarks/favorites from any web browser on any capable device. We see people working to sync their address books and calendars between devices and using web-based tools to help ensure the information is on the devices near them. People send e-mail and other text/media messages to their various devices and services so information and files are near them. We are seeing people using their web-based or web-connected calendars to program settings on their personal digital video recorders in their living room (or wherever it is located).

Keeping information attracted to one's self or within easy reach, not only requires the information and media be available across devices, but to be in common or open formats. We have moved away from a world where all of our information and media distribution required developing for a proprietary format to one where standards and open formats prevail. Even most current proprietary formats have non-proprietary means of accessing the content or creating the content. We can do this because application protocols interfaces (APIs) are made available for developers or tools based on the APIs can be used to quickly and easily create, recreate, or consume the information or media.

People have moved from finding information and media as being their biggest hurdle, to refinding things in “my collection” being the biggest problem. Managing what people come across and have access to (or had access to) again when they want it and need it is a large problem. In the “come to me” web there is a lot of filtering of information, as we have more avenues to receive information and media.

The metaphor and model in the “I go get” web was navigation and wayfinding. In the “come to me” web a model based on attraction. This is not the push and pull metaphor from the late 1990s (as that was mostly focussed on single devices and applications). Today's usage is truly focussed on the person and how they set their personal information workflow for digital information. The focus is slightly different. Push and pull focussed on technology, today the focus is on person and technology is just the conduit, which could (and should) fade into the background. The conduits can be used to filter information that is not desired so what is of interest is more easily identified.

It's exciting that Thomas has already had the identity aha.  I think a framework like the one he proposes – based on attraction – is probably an early harbinger of the identity big bang.

 

A SAML FEDERATION SUPPORTING INFOCARDS

Andre Durand of Ping Identity has told me about what he'll be demonstrating at Catalyst 2006 – important stuff.  As the post at the right puts it:

A user authenticates to a healthcare portal leveraging a self-asserted InfoCard. The user’s credentials are validated by a Java InfoCard Server built by Ping Identity. PingFederate is then used to enable federated single sign-on to a remote Web site without a redundant user authentication.

I've spent a lot of time over the last year trying to convince colleagues across the industry that InfoCard technology is not positioned against Liberty or SAML or WS-Federation technology – that federation protocols could be used on portals powered by WS-Trust through InfoCards. 

Now Ping has an implementation that actually proves it.  I guess this means I can take a break, cool my jets, lay low, and chill.  Thanks Andre.

Under the covers, the integration can be done in a number of different ways, so I look forward to seeing the details of how Ping has approached it.  To download the Ping poster and see the details, click here.

I'm impressed by Ping's ability to continue to innovate in the identity world.

NEW IDENTITYBLOG INFOCARD SOFTWARE

This is a note to those (over 100 testers now) who are using my site to sanity-check their infocard implementations. 

For those who missed the first ten minutes of the movie, one of my motivations when I set up this site was to break down the industry fault lines that were undermining the emergence of an identity metasystem reaching across all platforms and technologies.  So I set out to learn more about the concerns and successes of people running on platforms other than the one I work on.  This led me first to Radio Userland, and then to WordPress, which itself runs on top of MySQL, PHP and Linux or other Unix derivatives.  My blog runs in this environment.

As the conversation evolved I wanted to prove that the Identity Metasystem and InfoCards can, with a bit of work, reach across any technology – and does not involve rocket science.  I wanted my friends in the REST community to see how straightforward all of this was.  So I wrote a library for accepting InfoCards in PHP and made it available to anyone who might find it useful by posting it on my site.

Recently I've enhanced this code to solve a problem that emerged in interoperability testing.  I don't think I broke anything else, but, hey!, I have no test organization, eh?  So this is a notice for everyone with an implementation to retest before turning up at a public demo and finding out I've changed something!  Help me make sure I haven't introduced an error that breaks your work.

Once I've gone through this phase I'll replace the code currently on my site with the new version.

STRAIGHTENING OUT OUR NAMING

Well, it's a good thing I read Pamela Dingle's blog or I might have missed out on this breaking news: 

Aha!

Looks like Microsoft has released the official name of their Infocard windows client — Windows Cardspace. Well I'm not sure if it's official, but somebody from MS has blogged about it, so that's good enough for me (-:

I like the name – it is catchy and will be easy for help desk personnel around the world to refer to. It is also Googleable, and it doesn't have the terrible generic sound that 99% of the big stack mentality monster corps seem to be blindly adhering to these days (ie ). If it had been MS Card Manager or MS Identity Manager, I would have been very unimpressed (-:

It also solves the question of – “InfoCard” vs “InfoCards” as the official name, and it is also now easy to know whether you are talking about the client or a single card.

The same blog entry also talks about the new name for WinFX – go check it out, I wouldn't want to ruin all the surprises…

Nice work y'all, I bet it feels good to get to this milestone!

Thanks Pamela.  I like it too.  I would like to congratulate the Department of Naming, which turns out to be as able to party as anyone, for coming up with something so close to the spirit of what we are about.   

As Pamela says, I think this will go a long way towards reducing the confusion between Microsoft's client piece (what is now called Windows Cardspace) and InfoCards – the things that you see in your Windows Cardspace or your Linux Identity Selector or your mobile phone.  The word ‘InfoCards’ is still just a placeholder of course, but it's clearly different from “Windows Cardspace”. 

Speaking of which, someone pointed out Pamela's blog has not been in my blogroll (it is now!).  Which is ridiculous because she's doing such good stuff.  Just as bad, Johannes de Beer pointed out my spelling of Johannes Ernst's name has been wrong for, er, about a year.  And I know Johannes discreetly mentioned it once (blush), and that I fixed it and then it somehow reverted during an update (hand wave, gurgle).  So apologies all around – it's what comes from having this darn day job.

 

IDENTITY FALLACIES

Phil Becker is Editor In Chief of Digital ID World.  His analysis consistently seems on-time and profound.  I don't think it's well known, but besides his wisdom in business matters, he has an amazing technical background: he wrote some of the code that helped put men on the moon. 

I have to admit that I'm a bit biased towards Phil because his magazine once gave me a prize, which, from a design point of view, was of a distinctly superior quality.  That's a good sign.

But since meeting him I've turned to Phil for a reality check more than once.  Like Doc Searls, Jamie Lewis and Craig Burton, he sees the big picture.  What example should I choose?  Recently, when we were chatting about how to explain InfoCard to enterprise architects, he said, “Kim, stop explaining it.  Start telling people how they can be part of it.  That's what they want to know.”   

Now he has written his “Identity Fallacies” – or three of them, at least.  They offer practical advice for the enterprise and beyond.  You have to love the way Phil explains things.  I hope this post will get those new to the identity metasystem reading his work (the left-brained may want to start at the first fallacy and read forward from there):

Like the second identity fallacy the identity data centralization fallacy recurs frequently because it seems so logical. It has kept identity management the province of very large companies for many years. Thankfully this is finally changing, albeit somewhat slowly.

A significant goal for many identity management initiatives is to gain centralized management and control, and intuitively it seems that the easiest path to that result is to aggregate all the identity data in a centralized data store. But identity data by its nature has distributed origins, and attempting to aggregate the data itself leads to an insoluble set of problems and side effects, especially at internet scale.

Centralization of any data suffers from reliability and performance problems at scale, requiring significant “brute force” to overcome. But when identity data is centralized a huge number of side effects occur that will ultimately undermine the success of the endeavor – even if the technical aspects are successfully worked out. Perhaps the most visible example of this was the Microsoft Passport project. Microsoft demonstrated that the technical problems of an internet scale centralized identity system could be solved. They also pretty well demonstrated that the side effects were so numerous and undesirable that a successfully implemented centralized identity data system wouldn't be accepted by the marketplace. This experience was a major factor in Microsoft's Identity Architect Kim Cameron formulating his Laws of Identity which attempt to describe the attributes an internet scale identity system must have to achieve marketplace acceptance.

It still might seem that in an enterprise centralizing identity data is a good idea. But it generally isn't, for a variety of reasons. First, identity data is a very dynamic thing. It requires constant updating to remain current, and if it isn't current then using it to manage other things becomes risky. Even in an enterprise where identity data seems pretty straightforward, it turns out that it has many different natures that end up forcing portions of it to be managed by very different parts of the business. For example, HR tends to manage actual employees as they onboard and offboard. But department managers tend to manage things like promotions, temporary assignments, etc. that create changes in their identity data and corporate resource access requirements. And who in the company handles contract labor, consultants, business partnerships, etc? Certainly not any centralized business process for them all exists.

The result is that if IT tries to centralize identity data because that makes it easier for them to use it to manage their networked computing resources, they end up creating a structure that is politically and structurally at odds with the business processes of the enterprise. This has brought many identity management projects up short, severely lengthening their deployment times, reducing their scope, and limiting their effectiveness dramatically. In governmental identity projects, centralization of identity data creates most of the limitations that cause political reactions as well.

Thankfully the technology of identity management has begun to move past the concept of centralizing the identity data and is now providing tools such as virtualization and federation that allow the identity data stores to be organized to align with the identity data management while allowing them to be networked, managed by centralized policy, and presented in a variety of ways that don't reflect back on their management. The shift from a directory-centric view of identity management to a provisioning-centric view of identity management is the first step down this road. Many more steps are now emerging to widen the applicability of identity to manage broad, networked business process oriented views of computing for regulatory compliance auditing as well.

But as each new person approaches identity management, it seems they have to go through the step of learning why identity data centralization is always a bad idea. It seems only after they realize the implications of this identity fallacy can they move on to understand how identity must really be deployed to be successful.

This is so interesting I can barely keep myself from making a number of comments.  But I need to concentrate on some other burning issues.  I'll come back to this as soon as I can.

IT'S A FUN GROUP OF GUYS, REALLY…

I am glad to see I am providing Robin Wilton and various of his friends with suitable amusement these days. Luckily this doesn't distract him too much from interesting comments on the dynamics shaping federated identity frameworks.

First, on yesterday's topic of ‘identity protection and financial services’, you may be heartened to learn that the Financial Services Technology Consortium (FSTC) is working on stronger mutual authentication as part of the solution to this problem, and has just concluded Phase One of its ‘Better Mutual Authentication’ project. More information at www.fstc.org.

The FSTC has been looking closely at SAML and Liberty for several years now, and concluded back in 2003 that Liberty technology could help financial services organisations improve security and identity management.

I think what's changed since then is the increased recognition that strong authentication is, simply stated, a great example of a web service which one member of a circle of trust can provide to other members.

Second, Liberty members (especially the techier ones) are watching with interest as Kim Cameron is gradually exposed to some of the (frankly fun) group dynamics among the participants. You know how it is; you get to know people over the course of sometimes heated debate about identity principles, and every so often you have one of those arguments which looks to any outsider like a bare-knuckle dust-up. It's only when you know the two participants and their history that the whole thing looks altogether less vicious and more amusing.

There's also a good deal of innocent amusement to be had from reading these lines in Kim's blog:

“One of them asked why Liberty hasn’t caught on more since it has been around for almost five years. Not knowing Conor I might have imagined he would sidestep the issue with marketing gloop.”

As Kim immediately discovered, Conor is fresh out of marketing gloop… and is not expecting a re-stock ;^)

Without wanting to get into the subsequent to-and-fro between Conor, Paul Madsen and others, I'd just note this, as I have done in public comment on several occasions:

Those looking for mass adoption of Liberty often ask why large-scale e-commerce adoptions are not more visible. I think the e-commerce boom of the late 90s offers instructive parallels. The B2C bubble was highly visible and easily grasped, conceptually, by those seeking to understand this new technological phenomenon. However, there was both more money and greater longevity in the B2B market using exactly the same technology.

I think we're seeing some of the same thing in the identity market. Yes, there's adoption and growth in B2C applications – and that will continue; but there's a steadier undercurrent of adoption for B2B applications, even if those are not always as visible to the consumer or onlooker.

An interesting event to look out for is the point at which it becomes realistic for G2C identity infrastructures to intersect with B2C applications. That's not primarily a technology event – it's one driven by market and policy conditions – but in my view, if you're looking for candidate technologies to make it happen, Liberty is at or near the top of the list.

To me this doesn't look much like a bare-knuckle dust-up – just a good discussion.