Using Consumer Identities for Business Interactions

Mike Jones writes about an “identity mashup” that drives home a really important lesson:  the organizational and technical walls that used to stand in the way of Internet business are dissolving before our very eyes.  The change agent is the power of claims.  The mashup Mike describes crosses boundaries in many dimensions at once:

  • between industries (medical, financial, technical)
  • between organizations (Medtronic, PayPal, Southworks, Microsoft)
  • between protocols (OpenID and SAML)
  • between computing platforms (Windows and Linux)
  • between software products (Windows Identity Foundation, DotNetOpenAuth, SimpleSAMLphp)
  • between identity requirements (ranging from strong identity verification to anonymous comment)

This is a super-concrete demonstration of the progress being made on the “Identity Metasystem” so many of us in the industry have been working on.   My favorite word in Mike's piece is “quickly”, to which I have taken the liberty of adding my own emphasis:

Medtronic, PayPal, Southworks, and Microsoft recently worked together to demonstrate the ability for people to use their PayPal identities for participating in a Medtronic medical device trial, rather than having to create yet another username and password. Furthermore, the demo showed the use of verified claims, where the name, address, birth date, and gender claims provided by PayPal are relied upon by Medtronic and its partners as being sufficiently authoritative to sign people up for the trial and ship them the equipment. I showed this to many of you at the most recent Internet Identity Workshop.

From a technology point of view, this was a multi-protocol federation using OpenID and WS-Federation – OpenID for the PayPal identities and WS-Federation between Medtronic and two relying parties (one for ordering the equipment and one for anonymously recording opinions about the trial). It was also multi-platform, with the Medtronic STS running on Windows and using the Windows Identity Foundation (WIF) and DotNetOpenAuth, the equipment ordering site running on Linux and using simpleSAMLphp, and the opinions site running on Windows and also using WIF. A diagram of the scenario flows is as follows:

Identity Mash-Up Diagram

We called the demo an “identity mash-up” because Medtronic constructed a identity for the user containing both claims that came from the original PayPal identity and claims it added (“mashed-up”) to form a new, composite identity. And yet, access to this new identity was always through the PayPal identity. You can read more about the demo on the Interoperability @ Microsoft blog, including viewing a video of the demo. Southworks also made the documentation and code for the multi-protocol STS available.

I’ll close by thanking the teams at PayPal, Medtronic, and Southworks for coming together to produce this demo. They were all enthusiastic about using consumer identities for Medtronic’s business scenario and pitched in together to quickly make it happen.

 

Claims based identity tops IT security concerns

John Fontana has crossed the floor, moving from the critics box to the stage.  

Many people will remember John's articles at Network World, where he served as one of the most talented and informed journalists in the world writing about network infrastructure for as long as I can remember. 

While it is sad to lose him in his role as journalist, I really look forward to what he will do at his new digs: Ping.  

I know his ability to explain identity and its issues and technology in words people can actually understand will benefit the whole identity ecosystem.  Kudos to Andre Durand and Ping for having the wisdom to bring him over.

Meanwhile, there's exciting news in this post from the new John: 

If I could say it better than my former Network World colleague Ellen Messmer I would, but I can’t so I’m just going to link to her story on Gartner’s survey that shows identity management projects rank first in the top five priorities for IT's security spending.
The results of the survey come from interviews with IT professionals at 308 companies.

But let me highlight two paragraphs from Ellen's story:

“Identity management appears to be taking the lead as a top priority as businesses look to deploy some of the more advanced federated identity technologies both within the enterprise for single sign-on and as a way to potentially extend identity-based access control into cloud-computing environments.”

And this one:

“But in terms of firewalls as a priority, [Gartner] notes that there's a movement to install next-generation firewalls.”

On that last point, check this link to From Firewall to IdentityWall.

[John is on Twitter where he also puts together a Tweet list]

Interview on Identity and the Cloud

I just came across a Channel 9 interview Matt Deacon did with me at the Architect Insight Conference in London a couple of weeks ago.  It followed a presentation I gave on the importance of identity in cloud computing.   Matt keeps my explanation almost… comprehensible – readers may therefore find it of special interest.  Video is here.

 

In addition, here are my presenation slides and video .

U-Prove Minimal Disclosure availability

This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills!  But today, just for once, I'm going to pick up an actual Microsoft press release and lay it on you.  The reason?  Microsoft has just done something very special, and the fact that the announcement was a key part of the RSA Conference Keynote is itself important:

SAN FRANCISCO — March 2, 2010 — Today at RSA Conference 2010, Microsoft Corp. outlined how the company continues to make progress toward its End to End Trust vision. In his keynote address, Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing Group, explained how the company’s vision for End to End Trust applies to cloud computing, detailed progress toward a claims-based identity metasystem, and called for public and private organizations alike to prevent and disrupt cybercrime.

“End to End Trust is our vision for realizing a safer, more trusted Internet,” said Charney. “To enable trust inside, and outside, of cloud computing environments will require security and privacy fundamentals, technology innovations, and social, economic, political and IT alignment.”

Further, Charney explained that identity solutions that provide more secure and private access to both on-site and cloud applications are key to enabling a safer, more trusted enterprise and Internet. As part of that effort, Microsoft today released a community technology preview of the U-Prove technology, which enables online providers to better protect privacy and enhance security through the minimal disclosure of information in online transactions. To encourage broad community evaluation and input, Microsoft announced it is providing core portions of the U-Prove intellectual property under the Open Specification Promise, as well as releasing open source software development kits in C# and Java editions. Charney encouraged the industry, developers and IT professionals to develop identity solutions that help protect individual privacy.

The company also shared details about a new partnership with the Fraunhofer Institute for Open Communication Systems in Berlin on an interoperability prototype project integrating U-Prove and the Microsoft identity platform with the German government’s future use of electronic identity cards.

As further evidence of how the company is enabling a safer, more trusted enterprise, Microsoft also today released Forefront Identity Manager 2010, a part of its Business Ready Security strategy. Forefront Identity Manager enables policy-based identity management across diverse environments, empowers business customers with self-service capabilities, and provides IT professionals with rich administrative tools.

In addition, Charney reviewed company efforts to creatively disrupt and prevent cybercrime. Citing Microsoft’s recently announced Operation b49, a Microsoft-led initiative to neutralize the well-known Waledac botnet, Charney stated that while focusing on security and privacy fundamentals and threat mitigation remains necessary, the industry needs to be more aggressive in blunting the impact of cybercriminals. Operation b49 is an example of how the private sector can get more creative in its collective approach to fighting criminals online.

“We are committed to collaborating with industry and governments worldwide to realize a safer, more trusted Internet through the creative disruption and prevention of cybercrime,” Charney said.

Readers may remember the promise I made when Microsoft's purchase of U-Prove and Credentica was announced in March 2008 and some worried Microsoft might turn minimal disclosure into something proprietary:

[It isn't…] trivial to figure out the best legal mecahnisms for making the intellectual property and even the code available to the ecosystem.  Lawyers are needed, and it takes a while.  But I can guarantee everyone that I have zero intention of hoarding Minimal Disclosure Tokens or turning U-Prove into a proprietary Microsoft technology silo.

So here are the specifics of today's annoucement:

  • Microsoft is opening up the entire foundation of the U-Prove intellectual property by way of a cryptographic specification published under the Microsoft Open Specification Promise (OSP).  
  • Microsoft is donating two reference SDKs in source code (a C# and a Java version) under a liberal free software license (BSD); the objective here is to enable the broadest audience of commercial and open source software developers to implement the technology in any way they see fit.
  • Microsoft is releasing a public Community Technology Preview (CTP) of the integration of the U-Prove technology (as per the crypto spec) with Microsoft’s identity platform technologies (Active Directory Federation Services 2.0, Windows Identity Foundation, and Windows CardSpace v2).
  • As part of the CTP, Microsoft is releasing a second specification (also under the OSP) that specifies the integration of the U-Prove technology into so-called “identity selectors” using WS-Trust and information cards.

I really want to thank Stefan Brands, Christian Paquin, and Greg Thompson for what they've done for the Internet in bringing this work to its present state.  Open source availability is tremendously important.  So is the achievement of integrating U-Prove with Microsoft's metasystem components so as to show that this is real, usable technology – not some far-off dream.

At RSA, Scott Charney showed a 4-minute video made with the Fraunhofer FOKUS Institute in Germany that demonstrates interoperability with the German eID card system (scheduled to begin rolling out in November 2010). The video demonstrates how the integration of the U-Prove technology can offer citizens (students, in this case) the ability to minimally disclose authoritative personal information.

There is also a 20-minute video that explains the benefits of integrating the U-Prove technology into online identity management frameworks.

The U-Prove code, whitepaper and specifications, along with the modules that extend ADFS V2, WIF and CardSpace to support the technology, are available here.

Not Invented Here

There's a new comic strip about software with the, um, mysterious title, Not Invented Here (I just caught the preposterous domain name:  http://notinventedhe.re)…   The strip deals with issues like security, and comments posted by readers say things like, “I DEMAND you take the bug out of my company's conference room immediately!” and “Wow, it is as if you have a mole in our office!”.   So, with the authors’ permission, here's a taste.

It all starts off innocently enough:

Wait.  I think I've met these people.

Yikes.  Maybe I am these people!

And if you're in the business, you can't miss this one, which will take you over to the NIH site.

If you're wondering where this can possibly come from, the strip is by Bill Barnes and Paul Southworth.  I don't know Paul yet, but readers may know Bill's work from Unshelved, which has been making librarians guffaw for years (an  easy task?)  The truth is, Bill knows a lot about what goes on with software – in fact one of his gigs was herding cats during the first version of CardSpace.  Now he's totally dedicated to his strips – should be a lot of fun – and enlightening too. 

Federation with ADFS in Windows Server 2008

Steve Riley at Amazon takes a fascinating and non-ideological approach on his new blog.  The combination will keep me tuned in – I expect others will feel the same way.  He writes:

“As I've talked with customers who have deployed or plan to deploy Windows Server 2008 instances on Amazon EC2, one feature they commonly inquire about is Active Directory Federation Services (ADFS). There seems to be a lot of interest in ADFS v2 with its support for WS-Federation and Windows Identity Foundation. These capabilities are fully supported in our Windows Server 2008 AMIs and will work with applications developed for both the “public” side of AWS and those you might run on instances inside Amazon VPC.

“I'd like to get a better sense of how you might use ADFS. When you state that you need “federation,” what are you wanting to do? I imagine most scenarios involve applications on Amazon EC2 instances obtaining tokens from an ADFS server located inside your corporate network. This makes sense when your users are in your own domains and the applications running on Amazon EC2 are yours.

“Another scenario involves a forest living entirely inside Amazon EC2. Imagine you've created the next killer SaaS app. As customers sign up, you'd like to let them use their own corpnet credentials rather than bother with creating dedicated logons (your customers will love you for this). You'd create an application domain in which you'd deploy your application, configured to trust tokens only from the application's ADFS. Your customers would configure their ADFS servers to issue tokens not for your application but for your application domain ADFS, which in turn issues tokens to your application. Signing up new customers is now much easier.

“What else do you have in mind for federation? How will you use it? Feel free to join the discussion. I've started a thread on the forums, please add your thoughts there. I'm looking forward to some great ideas.”

I really look forward to this.  Let's see where it goes…  

Given the mail I get from mutual customers, I know Steve will end up with some interesting insights.

Identity Roadmap Presentation at PDC09

Earlier this week I presented the Identity Keynote at the Microsoft Professional Developers Conference (PDC) in LA.  The slide deck is here, and the video is here.

After announcing the release of the Windows Identity Foundation (WIF) as an Extension to .NET, I brought forward three architect/engineers to discuss how claims had helped them solve their development problems.   I chose these particular guests because I wanted the developer audience to be able to benefit from the insights they had previously shared with me about the advantages – and challenges – of adopting the claims based model.  Each guest talks about the approach he took and the lessons learned.

Andrew Bybee, Principal Program Manager from Microsoft Dynamics CRM, talked about the role of identity in delivering the “the Power of Choice” – the ability for his customers to run his software wherever they want, on premises or in the cloud or in combination, and to offer access to anyone they choose.

Venky Veeraraghavan, the Program Manager in charge of identity for SharePoint, talks about what it was like to completely rethink the way identity works in Sharepoint so it takes advantage of the claims based architecture to solve problems that previously had been impossibly difficult.  He explores the problems of “Multi-hop” systems and web farms, especially the “Dreaded Second Hop” – which he admits “really, really scares us…”  I find his explanation riveting and think any developer of large scale systems will agree.

Dmitry Sotnikov, who is Manager of New Product Research at Quest Software, presents a remarkable Azure-based version of a product Quest has previously offered only “on premise”.  The service is a backup system for Active Directory, and involved solving a whole set of hard identity problems involving devices and data as well as people.

Later in the presentation, while discussing future directions, I announce the Community Technical Preview of our new work on REST-based authorization (a profile of OAuth), and then show the prototype of the mutli-protocol identity selector Mike Jones unveiled at the recent IIW.   And finally, I talk for the first time about “System.Identity”, work on user-centric next generation directory that I wanted to take to the community for feedback.  I'll be blogging about this a lot and hopefully others from the blogosphere will find time to discuss it with me.

 

John Fontana on SAML Interoperability

John Fontana writes about the SAML interoperability test in ComputerWorld, turning quite a bit of his attention to Microsoft:

“Microsoft completed its first SAML interoperability test and the results are in: Active Directory Federation Services 2.0 software received a passing grade.

“Microsoft's federated identity platform passed its first SAML 2.0 interoperability test with favorable marks, signaling the end to the vendor's standoff against the protocol.

“The eight-week, multivendor interoperability workout conducted by the Liberty Alliance and the Kantara Initiative also resulted in passing marks for two other first-time entrants – SAP and Siemens. Return testers Entrust, IBM, Novell and Ping Identity also passed. Results were announced Wednesday.

“The Liberty Interoperable testing was a great opportunity to verify that Active Directory Federation Services (AD FS) 2.0 is interoperable with others’ SAML 2.0 implementations. This should give our customers confidence that their federation deployments using ADFS will ‘just work,'” says Conrad Bayer, product unit manager for federated identity at Microsoft.

“In the past, Microsoft has been dismissive of the Security Assertion Markup Language (SAML), a standard protocol for exchanging authentication and authorization data between and among security checkpoints, preferring the WS-Federation and other protocols it helped develop. The company previously supported the SAML token, but never the transport profiles of the protocol…

As much as I love John, I don't think “dismissive” really describes our attitude – at least I hope it doesn't.  It is true that our initial thinking was that the world would be a “tidier place” if people used one single protocol that worked both for “Active Clients” (e.g. applications that run on your PC or phone) and “Passive Clients” (web pages served up in a browser).  We saw WS-Federation as a way to achieve that technical symmetry.  But I and others have also said for several years that we saw much of what people were doing with SAML as being innovative and positive.  And we have made it very clear that an Identity Metasystem means “no silos”.  

Today you can see the results of this thinking in our new product.  ADFS V2 does everything it can to conform with the Identity Metasystem idea.  That means supporting SAML as well as the other Federation and Claims Transformation protocols (e.g. WS-Trust and WS-Federation). I think the synergy will be great for our customers and the industry.

John goes on to say: 

“Full matrix” testing means all participants must test against each other. The test was conducted over the Internet from points around the globe using real-world scenarios between service providers and identity providers as defined by the SAML 2.0 specification.

Microsoft participated in the testing with Active Directory Federation Services 2.0 (formerly code-named Geneva), which is slated to ship later this year. ADFS 2.0 is part of a larger identity platform that includes Windows Identity Foundation and Windows Cardspace.

Microsoft said earlier this year it would have SAML 2.0 certification before it released Geneva. The SAML profiles ADFS 2.0 supports cover the core features of federation.

ADFS 2.0 provides identity information and serves as a Security Token Service (STS), a transformation engine that is key to Microsoft's identity architecture. ADFS lets companies extend Active Directory to create single sign-on between local network resources and cloud services.

[Read more here]

Levitra vs viagra

The Proposal for a Common Identity Framework begins by explaining the termnology it uses.  This wasn't intended to open up old wounds or provoke ontological debate.  We just wanted to reduce ambiguity about what we actually mean to say in the rest of the paper.  To do this, we did think very carefully about what we were going to call things, and tried to be very precise about our use of terms.

The paper presents its definitions in alphabetical order to faciliate lookup while reading the proposal, but I'll group them differently here to facilitate discussion.

Let's start with the series of definitions pertaining to claims.  It is key to the document that claims are assertions by one subject about another subject that are “in doubt”.  This is a fundamental notion since it leads to an understanding that one of the basic services of a multi-party model must be “Claims Approval”.  The simple assumption by systems that assertions are true – in other words the failure to factor out “approval” as a separate service – has lead to conflation and insularity in earlier systems.

  • Claim:  an assertion made by one subject about itself or another subject that a relying party considers to be “in doubt” until it passes “Claims Approval”
  • Claims Approval: The process of evaluating a set of claims associated with a security presentation to produce claims trusted in a specific environment so it can used for automated decision making and/or mapped to an application specific identifier.
  • Claims Selector:  A software component that gives the user control over the production and release of sets of claims issued by claims providers. 
  • Security Token:  A set of claims.

The concept of claims provider is presented in relation to “registration” of subjects.  Then claims are divided into two broad categories:  primordial and substantive…

  • Registration:  The process through which a primordial claim is associated with a subject so that a claims provider can subsequently issue a set of claims about that subject.
  • Claims Provider:  An individual, organization or service that:
  1. Registers subjects and associates them with primordial claims, with the goal of subsequently exchanging their primordial claims for a set of substantive claims about the subject that can be presented at a relying party; or
  2. Interprets one set of substantive claims and produces a second set (this specialization of a claims provider is called a claims transformer).  A claims set produced by a claims provider is not a primordial claim.
  • Claims Transformer:  A claims provider that produces one set of substantive claims from another set.

To understand this better let's look at what we mean by  “primordial” and “substantive” claims.  The word “primordial” may seem a strange at first, but its use will be seen to be rewardingly precise:  Constituting the beginning or starting point, from which something else is derived or developed, or on which something else depends. (OED) .

As will become clear, the claims-based model works through the use of “Claims Providers”.  In the most basic case, subjects prove to a claims provider that they are an entity it has registered, and then the claims provider makes “substantive” claims about them.  The subject proves that it is the registered entity by using a “primordial” claim – one which is thus the beginning or starting point, and from which the provider's substantive claims are derived.  So our definitions are the following: 

  • Primordial Claim: A proof – based on secret(s) and/or biometrics – that only a single subject is able to present to a specific claims provider for the purpose of being recognized and obtaining a set of substantive claims.
  • Substantive claim:  A claim produced by a claims provider – as opposed to a primordial claim.

Passwords and secret keys are therefore examples of “primordial” claims, whereas SAML tokens and X.509 certificates (with DNs and the like) are examples of substantive claims. 

Some will say, “Why don't you just use the word ‘credential'”?   The answer is simple.  We avoided “credential” precisely because people use it to mean both the primordial claim (e.g. a secret key) and the substantive claim (e.g. a certificate or signed statement).   This conflation makes it unsuitable for expressing the distinction between primordial and substantive, and this distinction is essential to properly factoring the services in the model.

There are a number of definitions pertaining to subjects, persons and identity itself:

  • Identity:  The fact of being what a person or a thing is, and the characteristics determining this.

This definition of identity is quite different from the definition that conflates identity and “identifier” (e.g. kim@foo.bar being called an identity).  Without clearing up this confusion, nothing can be understood.   Claims are the way of communicating what a person or thing is – different from being that person or thing.  An identifier is one possible claim content.

We also distinguish between a “natural person”, a “person”, and a “persona”, taking into account input from the legal and policy community:

  • Natural person:  A human being…
  • Person:  an entity recognized by the legal system.  In the context of eID, a person who can be digitally identified.
  • Persona:  A character deliberately assumed by a natural person

A “subject” is much broader, including things like services:

  • Subject:  The consumer of a digital service (a digital representation of a natural or juristic person, persona, group, organization, software service or device) described through claims.

And what about user?

  • User:  a natural person who is represented by a subject.

The entities that depend on identity are called relying parties:

  • Relying party:  An individual, organization or service that depends on claims issued by a claims provider about a subject to control access to and personalization of a service.
  • Service:  A digital entity comprising software, hardware and/or communications channels that interacts with subjects.

Concrete services that interact with subjects (e.g. digital entities) are not to be confused with the abstract services that constitute our model:

  • Abstract services:  Architectural components that deliver useful services and can be described through high level goals, structures and behaviors.  In practice, these abstract services are refined into concrete service definitions and instantiations.

Concrete digital services, including both relying parties and claims providers, operate on the behalf of some “person” (in the sense used here of legal persons including organizations).  This implies operations and administration:

  • Administrative authority:  An organization responsible for the management of an administrative domain.
  • Administrative domain:  A boundary for the management of all business and technical aspects related to:
  1. A claims provider;
  2. A relying party; or
  3. A relying party that serves as its own claims provider 

There are several definitions that are necessary to understand how different pieces of the model fit together:

  • ID-data base:  A collection of application specific identifiers used with automatic claims approval
  • Application Specific Identifier (ASID):  An identifier that is used in an application to link a specific subject to data in the application.
  • Security presentation:  A set consisting of elements like knowledge of secrets, possession of security devices or aspects of administration which are associated with automated claims approval.  These elements derive from technical policy and legal contracts of a chain of administrative domains.
  • Technical Policy:  A set of technical parameters constraining the behavior of a digital service and limited to the present tense.

And finally, there is the definition of what we mean by user-centric.  Several colleagues have pointed out that the word “user-centric” has been used recently to justify all kinds of schemes that usurp the autonomy of the user.  So we want to be very precise about what we mean in this paper:

  • User-centric:  Structured so as to allow users to conceptualize, enumerate and control their relationships with other parties, including the flow of information.

Information Cards in Industry Verticals

The recent European Identity Conference, hosted in Munich by the analyst firm Kuppinger Cole, had great content inspiring an ongoing stream of interesting conversations.   Importantly, attendance was up despite the economic climate, an outcome Tim Cole pointed out was predictable since identity technology is so key to efficiency in IT.

One of the people I met in person was James McGovern, well known for his Enterprise Architecture blog.  He is on a roll writing about ideas he discussed with a number of us at the conference, starting with this piece on use of Information Cards in industry verticals.  James knows a lot about both verticals and identity.  He has started a critical conversation, replete with the liminal questions he is known for:

‘Consider a scenario where you are an insurance carrier and you would like to have independent insurance agents leverage CardSpace for SSO. The rationale says that insurance agents have more personally identifiable information on consumers ranging from their financial information such as where they work, how much they earn, where they live, what they own to information about their medical history, etc. When they sell an insurance policy they will even take payment via credit cards. In other words, if there were a scenario where username/passwords should be demolished first, insurance should be at the top of the list.’

A great perception.  Scary, even.

‘Now, an independent insurance agent can do business with a plethora of carriers who all are competitors. The ideal scenario says that all of the carriers would agree to a common set of claims so as to insure card portability. The first challenge is that the insurance vertical hasn't been truly successful in forming useful standards that are pervasive (NOTE: There is ACORD but it isn't widely implemented) and therefore relying on a particular vertical to self-organize is problematic.

‘The business value – while not currently on the tongues of enterprise architects who work in the insurance vertical – says that by embracing information cards, they could minimally save money. By not having to manage so many disparate password reset approaches (each carrier has their own policies for password history, complexity and expiry) they can improve the user experience…

‘If I wanted to be a really good relying party, I think there are other challenges that would emerge. Today, I have no automated way of validating the quality of an identity provider and would have to do this as a bunch of one offs. So, within our vertical, we may have say 80,000 different insurance agencies whom could have their own identity provider. With such a large number, I couldn't rely on white listing and there has to be a better way. We should of course attempt to define what information would need to be exposed at runtime in order for trust to be consumed.’

This raises the matter of how trust would be concretized within the various verticals.  White listing is obviously too cumbersome given the numbers.  James proposes an idea that I will paraphrase as follows:  use claims transformers run by trusted entities (like state departments of insurance) to vet incoming claims.  The idea would be to reuse the authorities already involved in making this kind of decision.

He goes on to examine the challenge of figuring out what identity proofing process has actually been used by an identity provider.  In a paper I collaborated on recently (I'll be publishing it here soon) we included the proofing and registration processes as one element in a chain of factors we called the “security presentation”.  One of the points James makes is that it should be easy to include an explicit statement about the “security presentation” as one element of any claim-set being submitted (see Jame's post for some good examples).  Another is that the relying party should be able to include a statement of its security presentation requirements in its policy.

James concludes with a set of action items that need to be addressed for Information Cards to be widely usedl in industry verticals:

‘1. Microsoft needs to redouble its efforts to sell information cards as a business value proposition where the current pitch is towards a technical audience. It is nice that it will be part of Geneva but this means that its capabilities would be fully leveraged unless it is understood by more than folks who do just infrastructure work.

‘2. Oasis is a wonderful standards organization and can add value as a forum to organize common claims at an industry vertical level. Since identity is not insurance specific, we have to acknowledge that using insurance specific bodies such as ACORD may not be appropriate. I would be game to participate on a working group to generate common claims for the insurance vertical.

‘3. When it comes to developing enterprise applications using the notion of claims, …developers need to do a quick paradigm shift. I can envision a few of us individuals who are also book authors coming up with a book entitled: Thinking in Claims and XACML as there is no guide to help developers understand proper architecture going forward. If such a guide existed, we… (could avoid repeating) …the same mistakes of the past.

‘4. I am wildly convinced that industry analysts are having the wrong conversations around identity. Ask yourself, how many ECM systems have on their 2009 roadmap, the ability to consume a claim? How many BPM systems? In case you haven't figured it out, the answer is a big fat zero. This says that the identity crowd is evangelizing to the wrong demographic. Industry analysts are measuring identity products what consumers really need which is to measure how many existing products can consume new approaches to identity. Does anyone have a clue as to how to get analysts such as Nick Malik, Gerry Gebel, Bob Blakely and others to change the conversation.

‘5. We need to figure out some additional identity standards that an IDP could expose to an RP to assert vetting, attestation, indemnification and other constructs to relying parties. This will require a small change in the way that identity selectors work but B2B user-centric approaches won't scale without these approaches…’

I know some good work to formalize various aspects of the “security presentation” has been going on in one of the Liberty Alliance working groups – perhaps someone involved could post about the progress that has been made an how it ties in to some of James’ action items. 

James’ action items are all good.  I buy his point that Microsoft needs to take claims beyond the current “infrastructure” community – though I still see the participation of this community as absolutely key.  But we need – as an industry and as individual companies – to widen the discussion and start figuring out how claims can be used in concrete verticals.  As we do this, I expect to see many players, with very strong participation from Microsoft,  taking the new paradigm to the “business people” who will really benefit from the technology.

When Geneva is released to manufacturing later this year, it will be seen as a fundamental part of Active Directory and the Windows platform.  I expect that many programs will then start to kick in that turn up the temperature along the lines James proposes.

My only caution with respect to James’ argument is that I hope we can keep requirements simple in the first go-around.  I don't think ALL the capabilities of claims have to be delivered “simultaneously”, though I think it is essential for architects like James to understand them and build our current deliverables in light of them. 

So I would add a sixth bullet to the five proposed by James, about beginning with extremely simplified profiles and getting them to work perfectly and interoperably before moving on to more advanced scenarios.  Of course, that means more work in nailing the most germane scenarios and determining their concrete requirements.  I expect James would agree with me on this (I guess I'll find out, eh?…)

[By the way, James also has an intriguing graphic that appears with the piece, but doesn't discuss it explicitly. I hope that is a treat that is coming…]