Day: July 23, 2006

Soothing music all around

Google's Ben Laurie continues with a post I'd call “Cogent with cloudy periods”:

Not surprispingly, my post “Google Account Authentication” attracted some pretty instant responses, as well as comments on the post itself.

On further reflection, comparing Live ID with Google’s authentication is comparing apples and oranges. Live ID may allow people to choose who they accept authentication from, but where does it say that anyone is planning to accept anyone’s word other than their own? In particular, where do Microsoft say they’re going to grant access to Microsoft properties using identity tokens issued by anyone other than Microsoft?

Interesting. Let me explain how I see it. The Windows Live ID whitepaper is about the technical architecture of Windows Live ID, and new capabilities allowing it to be part of a standardized, multi-centered, federated identity fabric. This includes support for Information Cards. Reading the paper, it's easy to see how enterprises or groups of users could gain access to Windows Live services using their native systems federating with Windows Live ID, rather than requiring separate accounts. The business model for this would be totally straightforward.

Now, in terms of how the protocols work, a similar federation relationship could be established between a Windows Live and a Yahoo or a Google. But the business models there are way harder to figure out. You need multiple players to buy in – it needs to be a win/win/win. I don't think anyone has figured this stuff out. Basically, it's a lot easier to change technologies than to change business models.

Still, to me, it makes sense to put a safer, more flexible technical infrastructure in place that offers advantages within current business models while simultaneously laying the groundwork for new approaches as they arise. But let's try to see the two as relatively autonomous.

Ben continues:

Eric Norlin says: “Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport.” But is this actually true? What Microsoft appears to have learnt is that it can’t get everyone to accept its credentials. So, what’s the next best thing? Get everyone to use MS technology for accepting credentials. Perhaps that’ll even lead to Passport Mark II where the default is to trust Microsoft. Where does Microsoft’s work on Infocard or Live ID or whatever-the-passport-nom-de-jour is show that Microsoft has any intention whatsoever of opening their silo? What it shows is that they think everyone else should open their silo.

This mish-mashes so many orthogonal ideas together that it gets a wee bit looney. If the following sounds disconnected, it's because the way Ben connected things doesn't make any sense to me:

  • It's true that a lot of us at Microsoft want to “open the silo”. That doesn't make it easy, or make it obvious what to do.
  • WS-Trust is not Microsoft Technology, unless IBM is now part of Microsoft – not to mention the hundred or so other companies who have worked on the WS specifications.
  • Information Cards are not Microsoft proprietary for two reasons: first, the protocols are in OASIS standardization and available royalty-free; and, second, because there is a consortium building real open-source implementations today (OSIS).
  • I don't understand why Ben wants to confuse a service offering like Windows Live ID with a cross platform technology initiative like the Identity Metasystem.
  • I'm even more mystified at the implication that our Cardspace implementation of Information Cards is a plot. It doesn't offer special advantages to Windows Live ID. Services like those offered by Google get equal billing with services that might come from Microsoft. What is the sin here?
  • Given the difference between services and open cross platform technology, why call Cardspace “the-passport-nom-de-jour” – except to be naughty?

Anyway, I'm just going to assume Ben had a bad hair day, which everyone has a right to.

Parhaps the flurry of postings made it look like people were ganging up on Google – not at all my intention – I still think that on identity our interests converge and we're all in similar places.

At any rate, Ben concludes thus:

Fred asks: “could you explain why Google shouldn’t allow their accounts system to be accessed by Yahoo credentials?”

All I can say is what I already said: there isn’t a widely used, mature, reliable, secure identity federation mechanism available today. Whether Google wants to do this or not, in practice, they can’t. Such decisions have to wait for standardised mechanisms to emerge, in my view.

Dick is “suprised to see this post given conversations we had”. Well, Dick, if the fact that I don’t always agree with you is surprising, then you’d better stock up on soothing music or something.

I think the situation calls for soothing music all around. How about Iggy Pop?

Eric Norlin and Dick Hardt hold firm

Eric Norlin responds to the Ben Laurie post I addressed here

Ben Laurie, an employee of Google who is quite clear about the fact that he does not represent Google itself, is responding to my earlier post contrasting Google and Microsoft. Ben's pushing back on my contrasting of Google's Account Authentication versus Microsoft's Live ID, and my treatment therein. Specifically:

1. Ben states that “everyone knows” that Google only annnounces what they've already done (as opposed to what he sees as Microsoft's urge to announce what its going to do).

2. There is no “mature, reliable, secure identity federation mechanism” that's widely used (thus, implying that there's nothing for Google to use).

3. That the release of Google Account Authentication does NOT deepen the existing internet identity silo.

4. That I have (somehow) fallen into the “newspaper trend” of writing articles that are “critical regardless of facts.” (ouch)

Let me try to respond:

1. I guess that subconsciously I knew that Google only announced what it had already done, but that really wasn't the point of my piece. My piece was a contrast meant to highlight an observation that I was making — namely, that Microsoft had learned a lot of important lessons from Passport; lessons that companies like Google may not have learned. Now, at the end of the day, I'm dependent upon my ability to observe based upon my available information. Since Google's PR department is — shall we say — a little opaque, most of us journalist-blogger types are left to discern what we can from what Google has done or is doing (precisely as Ben says). Furthermore, since no one from Google contacted me to correct me about my observations regarding Google's Account Authentication (I'd be glad to be officially corrected), and since Google has not changed what they're doing in any significant way, then I have no new information to change my mind.

2. Ben's right that there is no “internet scale” identity federation mechanism. SAML has gained widespread adoption, but is not suited for “internet scale.” Same goes for Liberty. There are, of course, a TON of people working on this problem — OSIS, YADIS, Sxip, the identity gang, Microsoft, etc., but I won't argue with Ben on this — there isn't a mechanism that's widely used.

3. We disagree on point number 3 — and Dick Hardt presents why. In response to Ben's statement – “What kind of credential did you expect to present? Your Yahoo login?” – Dick responds, “Uh, actually, yes.” This points out the fundamental problem at the heart of all of this “identity 2.0” stuff that I've been talking about: the existing silos (Google, Yahoo!, eBay, etc.) have *no* immediate business reason for opening their identity silos (at least, not that they can see). Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport. At the end of the day, Google is reinforcing its identity silo. That was the ultimate point of my post – and the one that I wish Google would respond to openly and directly.

4. I actually don't think I have fallen into some “newspaper trend.” If anything I am (and Digital ID World is) a member of the larger identity community. My post relied solely on the facts that Google has given me. If they change the facts (i.e., correct me), then I'll change my observation. At the end of the day, this is a communal exercise, and if I somehow have a misperception of what's going on (from Google's or Ben's point of view), then I'd bet that *lots* of people in identity have the same misperception. And if that is true, then its Google's PR department's job to change it.

Let me close with this: I'm not trying to start some “vendor war,” or make Google “evil,” or take shots at the big kid on the block, or anything. We started Digital ID World because we knew that identity was a huge problem that crossed all boundaries, and we wanted it to turn out okay. It could go badly. It could not turn out okay. Its quite possible that the silos only get deeper, the walled gardens return, identity never has its “browser moment” (where it explodes into common usage). Do I want to see identity succeed? You bet I do. I don't think I've ever hidden that. As such, I try to call things as I see them.

Bottom line: I'd love for someone who does represent Google publicly to correct my horrible misperception of what they're doing in identity. In fact, they can come be on the Digital ID World keynote panel — “What do the largest internet sites think about identity?” –and make sure the entire identity community understands them (that's an open invite). Google, will you join us and set us straight?

Meanwhile, Dick Hardt says:

Ben Laurie from Google responded to my post on Google Account Authentication: two steps forward, one step back. A few comments that I’d like to respond to:

Duh, of course you have to provide a Google credential, you’re going to access a Google service. What kind of credential did you expect to present? Your Yahoo login?

Uh, actually, yes. That is the idea behind Identity 2.0, that I could use my Yahoo login to authenticate to Google and to access Google services.

How does allowing applications to access a user’s Google services deepen anything? Did Dick actually read what these services do?

Yes, I did read with great interest what the services do. As for why this deepens the identity silo, these new identity APIs make it easy for non-Google applications to consume Google services, but it is tied to the user’s Google credential, increasing the value of that Google credential, but creating a bigger barrier to services similar to Google’s, and increasing the users reliance on the Google credentials. Good for Google, but starts to reduce user’s options.

As of right now, what are the options? Is there any mature, reliable, secure identity federation mechanism that’s widely used?

Ben is correct, there is no mature, reliable, secure identity federation mechanism that’s widely used. But that has not stopped Microsoft from working to create one and announcing that they will be using it in their products in the future. Google could participate in defining Identity 2.0 architectures and make them widely used because they are Google.