I'm just back from Catalyst, the yearly Burton Group Conference with a strong Identity theme. My hallway conversations left me with the impression that everyone who attended the Identity and Privacy strategies track thought it was a great success this year. I popped in to see what Anne Thomas Manes was up to in the Application Platform Strategies track as well. I think the Burton Group's work on integrating the worlds of application and identity strategy is tremendously useful and important. Hats off to all involved! Burton is doing a European conference in the fall, as described here.
Scott Blackmer, speaking at Catalyst, just referred to something he saw on the Net about how it’s amazing that we can track the calves of a cow born in Canada right to their pens in Washington state, but we can’t track 11 million illegal aliens. The suggestion is that we give each illegal alien a cow.
Of course I'm an alien, so I don't think this is very funny, eh? But I'll take my cow anyway.
Then there was this tale from the crypt:
Jarrod Jasper of GM just told the story about an employee phone that was not deprovisioned when the employee left. The former employee decided to run a 900 number service through the phone. That one phone cost GM $50,000 per month—for 18 months—before it was shut down. Whoa!
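The GM story is a deprovisioning failure: an entitlement (a phone line) outlived the employment it was granted for. The usual defensive control is a periodic reconciliation of active entitlements against the HR roster. The script below is an added example, not code from the original post or from GM; the roster, the entitlement list and the `TODAY` date are constructed sample data.

```python
"""Orphaned-entitlement reconciliation (added example; constructed data).

Joins an HR roster against a list of active entitlements (phone lines,
accounts) and flags anything whose owner is no longer an active employee,
along with how many days the entitlement has outlived the employment.
"""
from datetime import date

# Constructed sample HR roster, keyed by employee id.
HR_ROSTER = {
    "e100": {"name": "A. Example", "status": "active", "end_date": None},
    "e200": {"name": "B. Example", "status": "terminated", "end_date": date(2004, 12, 1)},
    "e300": {"name": "C. Example", "status": "terminated", "end_date": date(2005, 6, 15)},
}

# Constructed sample of entitlements that are currently live in the phone
# switch and the VPN concentrator.
ACTIVE_ENTITLEMENTS = [
    {"id": "phone-4411", "type": "phone_line", "owner": "e100"},
    {"id": "phone-4412", "type": "phone_line", "owner": "e200"},
    {"id": "vpn-0007", "type": "vpn_account", "owner": "e300"},
    {"id": "phone-9999", "type": "phone_line", "owner": "e999"},  # owner unknown to HR
]

# Constructed "as of" date for the reconciliation run.
TODAY = date(2005, 7, 15)


def find_orphans(roster, entitlements, today):
    """Return entitlements whose owner is not an active employee.

    Each finding carries a reason ('terminated' or 'unknown_owner') and, for
    terminated owners, the number of days the entitlement has been orphaned.
    An owner missing from HR entirely is treated as a finding too: an
    entitlement nobody can vouch for is as dangerous as one left behind.
    """
    findings = []
    for ent in entitlements:
        person = roster.get(ent["owner"])
        if person is None:
            findings.append({**ent, "reason": "unknown_owner", "days_orphaned": None})
        elif person["status"] != "active":
            end = person["end_date"]
            days = (today - end).days if end else None
            findings.append({**ent, "reason": "terminated", "days_orphaned": days})
    return findings


def summarize(findings):
    """Count findings per entitlement type for a management report."""
    counts = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


if __name__ == "__main__":
    orphans = find_orphans(HR_ROSTER, ACTIVE_ENTITLEMENTS, TODAY)
    for f in orphans:
        print(f"{f['id']:12} {f['type']:12} owner={f['owner']:6} "
              f"{f['reason']:14} days_orphaned={f['days_orphaned']}")
    print(summarize(orphans))
```

Run on the sample data, the report lists the two lines belonging to terminated employees (226 and 30 days orphaned) and the line whose owner HR has never heard of. A line that has been orphaned for months is exactly the $50,000-a-month case.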
Failure of the weakest link mustn’t lead to catastrophe. For example, smart card deployments aren’t sufficient protection against social engineering and inside attacks. Encrypting the channel doesn’t stop dumpster diving.
Don’t put the role before the start. Role engineering is important, but it doesn’t drive the project.
Not every identity nail requires the technology hammer. Technology may be fine, but without governance, it will fail.
Use of a system invites abuse of the system. Test the architecture with attack vectors.
Identifying things doesn’t make them more secure. Identification can improve security, but security isn’t an inevitable outcome. Over-identification has repercussions.
Identity isn’t about the individual. It’s about the relationship. IdM encompasses the services community’s need for organization.
There are a lot more than seven flaws.
Finally, Phil covered the “Identity Gang” meeting that preceded the conference itself. It's a good description of what went on, and I agree with his conclusion that we need to move on to something a bit more structured.
I spent yesterday afternoon in an identity BOF meeting in San Diego. (See pictures at Kaliya’s Flickr site.) As you might expect, there are plenty of people with an interest in identity systems at Burton Group’s Catalyst conference, and so we took the opportunity to have a face-to-face discussion with about a dozen people who care about identity metasystems.
The topics today were far ranging and difficult to summarize, but there were some interesting issues.
There seems to be big disagreement (surprise) around whether HTTP, SMTP, and the like are completely broken from an identity standpoint or whether they can be salvaged. If not, then Microsoft’s move to SOAP-based protocols for the identity metasystem is a necessary first step for any transactions where identity is important.
To put this in perspective, banks and other financial institutions have pretty much been forced to abandon email as a means of communicating with their customers because of phishing. This is a problem even with things like SSL, which allows, but doesn’t require, users to check the integrity of the sites they visit.
Moving to different protocols requires different clients, or at least changes to existing clients to understand the new infrastructure. Of course, InfoCards (Microsoft’s proposed digital identity system) includes such a client, buried deep in the OS.
Kim Cameron believes that we can’t ask humans to manage multiple systems at the experiential level as well as manage the trust decisions, and everything else we need from them. This is a little bit of a “one client to rule them all” strategy, but there’s some sense to it. The browser is a great example of how a UI standard provides a common UI experience (at least to some degree) regardless of the vendor.
Another issue I found interesting had to do with auditing and transparency. One critical requirement for enterprise identity systems is auditing in order to ensure compliance, etc. For an Internet-wide infrastructure there are other auditing requirements. For example, the user may want to disable auditing for privacy reasons. Of course, you may not be obligated to provide service without auditing enabled. The policy negotiation requirements in such a system boggle the mind.
Related to that is the need to provide human readable equivalents of machine readable tokens and assertions and to ensure that they are confluent. The microformats discussion that’s caught my eye lately seems suited to that requirement. I wonder if microformats can meet other requirements as well (and what they might be).
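The requirement just described is that what the user is shown and what the wire carries must say the same thing, and that the agreement be checkable rather than assumed. The code below is an added example, not from the original post or from any identity selector or microformat specification; the JSON claim set, the field labels and the line format are constructed assumptions. It renders a machine-readable token as labelled text, parses that text back, and confirms the two agree, so a display that has been edited, truncated or left stale is detected.

```python
"""Human-readable rendering of a machine-readable assertion, plus a check
that the two are consistent (added example; constructed data).

A relying party or identity selector should show the user the same claims it
sends over the wire. render_for_human() produces the display text from the
token; parse_human_view() reads that text back; views_agree() confirms the
display states exactly what the token states.
"""
import json

# Constructed sample token: a JSON claim set as a metasystem might carry.
TOKEN_JSON = json.dumps({
    "issuer": "https://idp.example.test",
    "subject": "alice@example.test",
    "audience": "https://bank.example.test",
    "claims": {"age_over_18": True, "country": "CA"},
})

# Assumed mapping from token fields to the labels a human sees.
FIELD_LABELS = {
    "issuer": "Issued by",
    "subject": "About",
    "audience": "Sent to",
}


def render_for_human(token_json):
    """Render the token as labelled lines, one fact per line.

    Claim values are written as JSON literals so that booleans, numbers and
    strings survive the round trip unambiguously ("true" vs "\"true\"").
    """
    token = json.loads(token_json)
    lines = [f"{label}: {token[key]}" for key, label in FIELD_LABELS.items()]
    for name, value in sorted(token["claims"].items()):
        lines.append(f"Claim {name}: {json.dumps(value)}")
    return "\n".join(lines)


def parse_human_view(text):
    """Read the labelled lines back into the token's own structure.

    Any line that is not a known label or a claim line is rejected rather
    than ignored, so extra text smuggled into the display is caught.
    """
    label_to_key = {label: key for key, label in FIELD_LABELS.items()}
    parsed = {"claims": {}}
    for line in text.splitlines():
        label, _, value = line.partition(": ")
        if label in label_to_key:
            parsed[label_to_key[label]] = value
        elif label.startswith("Claim "):
            parsed["claims"][label[len("Claim "):]] = json.loads(value)
        else:
            raise ValueError(f"unrecognised line in human view: {line!r}")
    return parsed


def views_agree(token_json, human_text):
    """True only if the human-readable text and the token carry the same facts."""
    try:
        return parse_human_view(human_text) == json.loads(token_json)
    except ValueError:
        return False


if __name__ == "__main__":
    view = render_for_human(TOKEN_JSON)
    print(view)
    print("agrees:", views_agree(TOKEN_JSON, view))
    print("after editing a claim:", views_agree(TOKEN_JSON, view.replace('"CA"', '"US"')))
```

The design choice worth noting is that the check is a full round trip and an equality test, not a substring search: a display that drops a claim, adds a line, or changes a value all fail in the same way, which is what "confluent" has to mean if the human view is to be relied on.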
Fourth party auditing of actions provides checks and balances to protect entities from abuses by authenticating gatekeepers or asserting identifiers. Many times these fourth parties would be courts operating in widely varying jurisdictions. The metasystem can’t enforce these actions, only provide for them with proper transparency and auditing.
Another point of contention seems to be the very name “identity metasystem” itself. I think it was coined by Microsoft innocently enough to describe an identity system that ties other identity systems together. I think some would prefer it was called a “network” or something else. The word “system” implies there’s a there there, but in reality, it’s more about protocols and interop.
I think that we need to get this group, along with others together for a more formal discussion where we can get to the heart of what we can all agree on, find out where we really disagree (that’s not clear), and use that as an underpinning to understanding proposals. I’d like to see the various proposals laid out with philosophical beliefs, understand how those beliefs influence architectural choices, and then dive into whether we can agree that specific architectures support those various philosophies. I’m thinking of organizing a workshop in October (in the slot Digital ID World used to use) to do just that.