Personal Identity Mesh

Identity Open Spaces are always interesting – uninterrupted hallway conversations that let you get to the nub of things – but this week's was different from the others because it was held in conjunction with a meeting of the Liberty Alliance.  This threw us all together with a bunch of people we hadn't met before, and frankly I think it was very useful.  We all got to present and discuss our work, interests and concerns.

It's hard to explain – or even imagine – what these meetings are like, because people are coming from such different places that their take-aways differ dramatically.  I'm sure a number of people will blog about this, but I'll just start by quoting Marc Canter of Macromedia fame.  One of the interesting things about Marc is that he just wants results – identity he can use in his products.

As I sit here in the blazing heat, periodically jumping into my pool – I’m feeling good about the last few days I spent in Vancouver.  It was great for me to get away from answering sales calls, improving user interfaces and dealing with Angel investors.  I found myself right back smack dab in the middle of an evolution of technology, where enterprise, mil spec encryption, security and privacy technology was being deployed for the purposes of each and every one of us to be able to control our content and meta-data.

Moving and controlling profile data is important, but we ALSO gotta control access to our content – based upon our relationships to the viewer.  Apparently Vox does this pretty well – but I haven’t checked it out – yet.

A lot of time and energy was spent up in Vancouver trying to define and speak clearly of all the different platforms and their nuances.  It was an Open Space effort, designed to correspond with a Liberty Alliance meeting, so lots of loosely structured meetings occurred where real work was accomplished.

One on hand you had all these academic and enterprise researchers and experts who are managing bank accounts, mutual fund accounts and health records, debating on details like ‘is it THIS or really THAT.  Then a bunch of the open folks – like Neustar and Cordence were there – more or less hawking their goods.

So in other words this was the “open user-centric folks” meet the SAML/Federated trust enterprise wonks fest.

I’d say it came off pretty well – espeially with Kaliya Hamlin leading the organization, facilitating the conversations and keeping things lively. I did my best to also “keep folks awake” – while only dosiing off a few times myself, during those insipid debates on “do you mean WHAT you mean or is that a semblence of meaning in your declaration?”  It was that bad.

As a vendor I went to this meeting knowing that I was a downstream participant, some one who’s issues are allot different from the folks who are tryign to stake our real estate around ’standards’.  You see – we (by defintion) have to support ALL the standards, so my only real motivation is to get as many of them to work together and adhere to each other’s standards.

And that’s what I did.  There was a whole session on ‘Protocols Converging’ (led by Dick Hardt) and that led to a few private meetings out in the hallwway, which is where al the real work gets done. I myself am excited about what Dick is gonna show and unveil at OSCON next week,but I can’t tell yah about it.

Or else I’d have to kill you……

Anyway – based upon what I heard at this meeting, here are some issues that are pretty easy for me to make:

  • At best we’ll get 2% of the populace using this stuff – even within the next few years
  • But many more people WOULD/COULD use it if it was readily accesssible, easy to use and they understand what the fuck it meant
  • Doesn’t really matter if it implements authentication, if that’s ALL it does
  • I agree with Kim Cameron – there will be two approaches to this area – card based and address based

And that’s the best way we can describe it to the humans.

The Identity space is really complicated, and our clients expect me to be an expert at it.  So I nerded out over the past few days and have the next generation acrhiutecture for PeopleAggregator designed with it in mind. 

It’ll make sure that real value can be delivered to humans – real soon now- regardless of whether or not they’re (the humans) willing to jump through all the hoops and grok all the nuances of the Identity puzzle.

There’s one inherent tradeoff for this.  If you don’t want to jump through all the hoops of getting a card or sigining up for an address (of just hacking one yourself) then you CAN’T COMPLAIN if you don’t get a phishing proofed, crypto encoded, secruity tight, hacker proof, scalable, long term, persistent unique identifier.

But if all that really gets you off, then you won’t mind jupning through all the hoops.  Those hoops require opting in, sharing, moving and adhering to all these rules – about Personal Identity Mesh. 

Getting a info card to be compatible with Kim Cameron’s Info Cards system, which will be built into Vista and is available for XP – right now – will be about getting something called a .crd fileKim showed using Info Cards to log into WordPress – just to prove that it works on a LAMP stack, open source platform.

David Recordan (of Verisign) led an excellent session on OpenID and talked about its status.  Drummond Reed was there to talk about XRI and XDI.org and inames.  All the major players in this space were there and talking to each other.

Dick Hardt had a session on coming up with a name for the unique thing we’re doing.  Its not a traditional federation, or circle of trust – its recognizing that inviiduals rely upon portals (or fancy webapp) software to get their services and that they’re probably dealing with LOTS of these services.  Each o these portals have all sorts of assertions, backend technology, web services, aliance partners and otehr infrastructure.  But what we SEE is the portal or NetVibes or PageFlakes or MySpace or Vox.

The human is then supposed to confer and rely upon (what’s known as) an identity provider or identity broker – which is usually an objective 3rd party – to verify their claims, assertions and transactions. We debated upon what to call it – but we all agreed that its something new and unique. I call this the “Personal Identity Mesh” – cause anybody can use any Identity broker – yet we’re all supposed to trust and believe in these ‘reputation systems (especially is Auren Hoffman has his way – with Rapleaf.)

Whatever the term is – its the universe that PeopleAggregator is going to support and help make happen. But we need LOTS of vendors to participate and the big boys – too.

I really like the term “Personal Identity Mesh” that came out of the “naming” discussion led by Dick Hardt.  It sums up what a lot of us are trying to do. 

I should also make it clear that I don't think there are very many who see information cards and URL-based identities as being opposed to each other.  A card can represent a URL-based identity, and a URL can be used, in a number of use cases, to represent the identity that would be conveyed through a card.  This doesn't work in all cases, but it works in enough important cases that it is very useful.

Finally, I think Marc's estimate of 2% over three years is overly pessimistic.  The big sites and big players can accelerate adoption a whole lot with the flick of the switch.  I've already had people tell me they are going to enable hundreds of millions of accounts with Information Card support.  If they do what they are saying they'll do, and if people like the experience as much as I think they will, there can be a serious network effect here.

Bad journalism or bad communication?

Identity master Ben Laurie of Google pushes back on me for picking up Eric Norlin's recent piece on Google Authentication.  Ben writes:

I’ve been trying to resist the temptation to comment on posts such as Dick Hardt’s “Google Account Authentication: two steps forward, one step back” and Kim Cameron’s “GOOGLE’S AUTHENTICATION VERSUS MICROSOFT’S LIVE ID” (which is mostly Eric Norlin’s “Google’s authentication vs. Microsoft’s Live ID“), since I work for Google and such comments might be misconstrued. However, bad journalism is bad journalism, even if you’re a blogger and I’m a Google employee, so I’m going to comment anyway. Note that, like everything I blog here, this post does not reflect Google’s views, nor does it use any knowledge I may or may not have as a Google employee.

Firstly, as everyone who pays attention knows, Google doesn’t announce what it’s going to do, only what it’s already done. So, what does it mean to contrast thus (from Eric Norlin’s piece)? “Of extreme importance is the fact that Windows Live ID will [my italics] support WS-Trust, WS-Federation, CardSpace and ADFS (active directory federation server).” vs. “Contrast all of this with Google’s announcement: create Google account, store user information at Google, get authentication from Google — are we sensing a trend?” – well, yes, the trend I’m sensing is that Windows Live ID does much what Google does today. Tomorrow they both may do something different. As of right now, what are the options? Is there any mature, reliable, secure identity federation mechanism that’s widely used? I think not. Note, BTW, that Live ID is currently vapourware, you can’t even get SDKs for it yet, let alone actually use it.

I need to begin by responding that I didn't know “Google doesn't anounce what it's going to do, only what it's already done.”  This must sound incredibly naive on my part, but it's true.

I guess I don't have a good enough understanding of the cultural differences between various companies.  I'm used to being required to share a roadmap with enterprises and large organizations.  They need that to facilitate their planning.  But in retrospect I can see that Google may not need to function this way.  I'm probably not the only one who hasn't understood this, so I appreciate Ben's explanation of how we should interpret Google's announcements.

Secondly, I agree that neither MSN nor Google nor AOL nor anyone else has a federation mechanism that's widely used outside their own properties at internet scale. 

Above all else, I agree with Ben's statement that, “Tomorrow they both may do something different.”  So peace, bro’.

Speaking of peace, Ben on Liberty:

Some have argued that Liberty is the answer to this, in that it’s mature, reliable and secure. But it isn’t widely used, partly because of complexity, partly because in its early days it royally screwed over people who might have driven adoption, like the Apache Software Foundation, and partly because of complex IPR issues. At least, I’ve heard, the IPR might be getting fixed. I watch that space with interest.

Ben on Dick Hardt:

Dick Hardt: “Google has just released Google Account Authentication. My initial reaction: great technology for rich clients and web sites acting acting on behalf of the user, but deepens the Google identity silo.” What does this mean? How does allowing applications to access a user’s Google services deepen anything? Did Dick actually read what these services do?

“The Google Account Authentication for installed apps is a bold move to standardize an API for working with installed applications. Unfortunate that it is domain centric. The user has to provide their Google credentials. Clearly the easy, safe choice that creates more value for the user’s google credential. Also makes it harder for any identity management technology to manage the Google credential.”

Well…

  • Duh, of course you have to provide a Google credential, you’re going to access a Google service. What kind of credential did you expect to present? Your Yahoo login?
  • Why does providing an API to allow applications to use user’s credentials make it harder for software to manage those credentials? I’m obviously missing something, but I can’t see what.
  • “Google Account Authentication for Web-Based Applications looks like it is opening up the SSO mechanisms that Google has been using across their various properties so that other properties can get a token to act on behalf of the user.” Hmmm … that sounds just like something an identity management technology could manage. But that problem was from a whole paragraph before, hopefully the reader will have forgotten about it by now.

Ben on the pack of us:

Its sad to see blogs following the newspaper trend, where the only articles worth writing are critical, regardless of the facts. Readership is king! To hell with accuracy!

Yikes.  Do I slither forward in a river of yellow journalism? 

I hope not.  The story I told was, “this is how Eric Norlin sees what's happening.”  He influences a lot of people, and his views are themselves important.  If Eric has drawn the wrong conclusions, it's important to get that message out – including to Eric, as has happened here.  Both Eric's piece and Ben's response have helped that happen.  I for one understand things better than I would have had none of this discussion happened.

And in case it matters, my own conclusion was actually different from Eric's.  I wrote, and I don't think it was at all critical:

.. I personally hope that Google embraces federation, Information Cards and the identity metasystem. They have enough smart people who understand these issues that I expect they will.

I see lots of room for us to work together, lots of agreement on the big picture, and  lots of good people doing the execution. 

Marcus Lasance on Information Cards

Identity heavyweight Marcus Lasance is Managing Director of U.K.-based MaXware.  He wrote this piece on E-commerce and User-Centric identity management in ITSM Watch

New ID schemas are emerging that will, hopefully, ease IT's management burden while fueling e-commerce, writes ITSM Watch guest columnist Marcus Lasance of MaXware.

Enterprise organizations and governments view customer relationship information as a key asset and are fiercely protective of this asset. Fortunes are spent on maintaining customer’s personal information and protecting this information from prying eyes as mandated by data protection legislation.

CIOs are relying on meta directory technology to solve one of the industry’s thorniest problems: how to maintain information about the same individual scattered over different databases and directories nevertheless perfectly synchronized. Corporate-managed updates are effectively replicated using standards based connectors and schema mapping between systems.

However, what this technology cannot solve is the ability to provide updates we don’t know about. In the real world, our customer’s circumstances are constantly changing, yet businesses and (most) government agencies are not automatically alerted. This is an ongoing problem, because no matter how good we are at synchronizing data across platforms and applications, it doesn’t matter when the data becomes rapidly obsolete.

No call center can solve this problem. As an industry, we need to find a more logical way to manage this; namely through user-centric computing which puts individuals back in charge of their own identities.

Today, CIOs are watching two different user-centric solutions rise in popularity: InfoCard from Microsoft and Project Higgins from the open source community.

Conventional wisdom indicates that, with the advent of Vista on countless PC desktops, InfoCard will become the de-facto way users will manage their identity information. CIOs need to take note: On a global scale, employers are expected to issue InfoCards to their employees, governments to their citizens, etc.

Greater acceptance to InfoCard is due, in part, to InfoCard’s being based on WS-Trust and providing a much more “open” solution than Microsoft’s previous and suspiciously received Passport offering. InfoCard is not designed to run exclusively on Microsoft servers or Microsoft owned networks, which means that, in principle, every home PC connected to the Internet can become an identity provider.

What will be the business implications of a huge uptake of InfoCards as a mechanism to replace good old username-password logins to most e-commerce websites? Is it another expensive hype that hasn’t lived up to its expectations like PKI, which was predicted to fuel e-commerce like a out-back fire storm?

Well-known companies like eBay and Amazon are most likely to be early adopters of user-centric computing and other e-commerce sites will soon follow suit or be left behind. Cost savings combined with better security should follow naturally.

I can see a future in which most users will have between three-and-six InfoCards that can regularly used for different types of public or private transactions. The chore of maintaining personal information relating to those cards now resides with the individual, making it easier for organizations and consumers both.

With user consent and by subscribing to change alerts from identity providers companies don’t have to waste tremendous financial and human resources managing data with a rapidly deteriorating life span. Individuals don’t have to worry about maintaining endless silos of personal data.

When consumers can assign preferred identities to trusted vendors and more anonymous identities to things like chat rooms we will eliminate the need to enter reams of personal information on webpages we don’t necessarily trust; organizations will reap the financial rewards by cost savings and better quality of information.

However, in my opinion, the really big money will be made by a few, select organizations with the financial clout and public-trusted brand names to become the default public identity providers. Remember an InfoCard does not store the actual information, just the links to it. The information itself has to be stored and secured and backed up somewhere. Some kind of identity meta system will emerge, backed by a few powerful players. Organizations will emerge with similar roles that Swift, BACS, MasterCard and VISA now perform for financial services network.

It’s possible that giants like AT&T, Nokia or BT might be able to make a few pennies every time a user selects their InfoCard (from a stash of many InfoCards) stored on a desktop or IMS mobile terminal. Imagine the total world wide economic value of such e-commerce mediators.

With the individual in control and new technologies that will soon take the pain out of logging on the new services, user-centric computing could once more revitalize the e-commerce industry, and the market opportunity to become an identity service provider might mean even bigger business for a lucky few.

Interesting thoughts, though I actually think, in the fullness of time, Information Cards will convey subtle aspects of identity like reputation in various contexts, and be much more bottoms-up than Marcus suspects.

EXTENDING THE BRIDGE BETWEEN TECHNOLOGY AND HUMANS

Brad Judy, from the IT Security Office at the University of Colorado at Boulder, attended one of the recent conferences where I discussed the Information Card as a way of reifying identity, and where I went on to characterize the identity metasystem as an “abstraction layer” above existing identity systems. The fact that I referred to the same thing as being a reification from one point of view and an abstraction from another captured his interest. Later he shared these comments:

During a presentation on Infocard and Cardspace, Kim Cameron made a comment about the reification of identity. During a question, I noted that it was interesting to hear a layer of abstraction being referred to as reification. Kim noted that he was mixing contexts and that Infocard/Cardspace was reification for the end-user and abstraction for the IT personnel.

One human's abstraction is another human's reification.

If abstraction can be considered indirection, the old computing saying from David Wheeler may apply: “Any problem in computer science can be solved with another layer of indirection. But that usually will create another problem.” The benefit of abstraction as reification is that the additional problems created might be ones that we are already adept at addressing (we know driver's licenses quite well).

There has long been a gap between technology and humanity that many have worked to bridge. I would argue that for most of the history of computing, the user has had to meet the computer more than half-way – was it ever the natural inclination of humans to punch holes in cards to accomplish a task? Kim gave the example of sending people off for extended periods of word processor training in the early days of word processors, and the virtually non-existent training needed now (a combination of greater ease and early exposure). He also gave the example of explaining command line file management to users and how the visual file folder reified digital file management for the end user. Such GUI concepts certainly opened up the PC to a much broader audience as the bridge between technology and humans passed the half-way point.

Not having been a software architect over the past twenty years, I can't say if the ongoing gap has been the result of the limitations of technology or a mindset that users must meet the computers half-way. The lesson of the PC is that true accessibility by the general population requires technology to meet them 90-95% of the way. (Perhaps this should have always been expected, after all, we never expect This seems to be occurring through the adoption of existing human models/paradigms/methods of use and interaction to software and hardware. While it wasn't the focus of this recent event, two presentations brought this home: tablet PC's and Cardspace.

Tablet PC's, particularly software like OneNote represent the adoption of a long standing human activity to a digital medium. It isn't the first tech to tackle the note-taking and handwriting space, but it reifies and extends in a way that may complete the bridge between the personal computer and the person. A direct representation of paper and pen (a method institutionalized over hundreds of years), extended with the ability to categorize, search, transmit and more. I'm reminded of a statement by a co-worker (not directed at me), “Stop giving me #$&@ing hardcopies, you can't grep paper.” The platform has a lot of possibility with interesting software like MagicPaper/Physics Illustrator. The limited success of “true” tablets (aka. Slates) indicates that decades of computer use with a keyboard, and sometimes mouse, have developed an institutionalize method of use that must be hybridized with traditional methods for the greatest progress.

CardSpace exists to reify the experience of digital identity in a way that links it to an existing model for identity familiar to most users: an identity card. From the visual representation to the concept of identity providers and multiple ID's. The identification “card” is also hundreds of years old, although they have evolved greatly from hand-written letters authenticated by signature or stamp, to the modern passport and drivers license, authenticated by physical attributes and electronic validation. The InfoCard will also likely be a hybrid of this old paradigm and a common computing experience: the password. Although the concept of a password predates modern technology, its use has truly exploded in the past several years. Because InfoCards aren't single, physical objects that can be tightly controlled, they will largely rely on the ubiquitous password for protection (perhaps other techniques will be used, but I expect passwords will protect most InfoCards).

So the IT industry continues to build the largely one-sided bridge, abstracting their way across the gorge. Years of software and hardware have provided the proverbial water under the bridge (not to mention a landscape scattered with half-started and falling bridges). For their part, many people have stretched far from their side to make contact and have found a combination of productivity and frustration. Hopefully not many have fallen into the gorge. Perhaps the golden age of computing is truly just around the bend as the bridge is completed and proven stout (an important point raised by Scott Charney, also at the event).

I'm struck by Brad's perception of Information Cards as a bridge between user perception on the one hand and a technological abstraction (metasystem) on the other.  That's completely right, and it's important to put it in the wider context of other attempts to do the same thing.

WILL HARRIS ON PRIVACY AND WEB 2.0

Via Terrell Russell a report on Will Harris's piece on the danger that Web 2.0 represents “the end of privacy”.

Will Harris recently wrote about his views on the end of privacy. He blames the Web 2.0 phenomenon and all the data users are willingly posting and publishing on the network. Well, mostly he blames big business.

“My firm belief is that the net effect of the Web 2.0 movement will be a marked loss of privacy on the internet, one which leads to big business knowing more about you than it ever did before.”

He then moves quickly into talking about how these conglomerates will eventually own all the marketing data it can buy and proceed to advertise, advertise, advertise.

When the Web 2.0 bubble bursts – when the massive buyouts are done, the millionaires are made and the sites we love today are in the hands of big business – the innovation will grind to a halt, and what’s left will be the endless grinding of the marketeering machine.

If anything, I think this is the blunt end of the stick.

The other end is much more dangerous as, once this data is aggregated and compiled, it can be singularly lost or sold to more unscrupulous characters. Big business being what it is – is not the boogeyman here. I am concerned, same as Will, about large corporations feeling they can advertise personally to me whenever and wherever they want – but I’m much more concerned about their potentially cavalier tossing around of all this personally aggregated data without scrubbing it for merely statistical purposes.

Ideally, we move to an identity metasystem (with identity providers and identity brokers) and these companies only know what we let them know about us. Arguably, we can do that today without more software or more technical tools to trickle into mass adoption, simply by not playing – not participating – but that kind of defeats the point of having the conversation, doesn’t it? We need tools to protect us AND that let us do what we want to do online – buy, sell, communicate.

Eventually, online life and offline life will be a blurry distinction that nobody bothers to make. It will just be life.

I do like Will's piece.  Everyone should check it out, even though he has completely missed the central point.  

I speak, as usual, in the architectural conditional.

Will get's what's happening, but not what will start happening when Web 2.0 gets serious about long-term business strategy.  One day people will get to, er, the “things that will destroy our business model” phase. 

Luckily, the fix isn't so hard, if people tune in now.  More when the rest of me has arrived back from Europe.

 

WILL MERCHANTS USE GBUY?

I thought the following excerpt from a thoughtful piece by Steve Bryant at eWeek‘s GoogleWatch might interest you.  Steve is led to consider the Third Law of Identity – Justifiable Parties: 

Why does Google want to automate the advertiser click cycle and make it as fast as it possibly can? 

The first reason is obvious: Google makes money on click conversions. The more clicks done quickly, the more money for Google, and the happier the advertiser.

The second reason is that by automating the click cycle, Google will be vastly improving the efficacy of its search results, and how searches correlate with AdWords. Unlike destination sites that measure success by how much time is spent on a page, Google measures success by how quickly a user navigates off Google. The company is constantly testing out data centers to see which center returns the best results that get users off Google quicker.

There are other reasons: Google will begin compiling transactional data. That data alone, even without trending analysis, is worth billions. Google will also become the first company to own not only the method of advertising, but also the data on what advertising works best. Perhaps most importantly, GBuy, when combined with Google's new Cost Per Action feature, has the potential to significantly reduce click fraud.

But there's the rub. Will merchants actually use GBuy?

Of course, you say, why would they not? You could use Google for everything! AdWords, Page Creator, Analytics, GBuy … it's a virtuous circle of Googledom. And yes, even a curmudgeon like me is attracted to the idea of one Google to rule them all.

But let's not forget this has been tried before. It was called Yahoo PayDirect. Yahoo started the service as a competitor to PayPal. Unlike Google, Yahoo had a product incentive for this service. That is, Yahoo had a then-robust classifieds and auctions business that it wanted to tie PayDirect into. The math was simple: User browses Yahoo products, user buys with Yahoo system, Yahoo gets profit. PayDirect was free (most of the time), but it didn't work. Yahoo folded PayDirect in 2004, mostly because PayPal simply owned the market.

Of course, Google has several competitive advantages that Yahoo did not have. But what Google doesn't have — and this is important — is product to sell.

The main reason PayPal succeeded was because eBay was developing at the same time. There was no other easy way to pay an auctioneer, so users turned to PayPal. The two companies became so closely intertwined that eBay decided to buy PayPal and integrate it directly. Purchasing PayPal made perfect sense. As a merchant, why would eBay want give another vendor control of its clients?

This is the challenge that Google faces with GBuy. If you talk to a lot of retailers, I think you'll hear them saying the same thing: “Why would I give Google control of my customer?” Google's not selling anything. And traditionally, the merchant takes payment for an item because it's the merchant — not Google — that has to fulfill the order.

Of course, there is a new breed of merchant online that just aggregates content and has no interest in owning customers at all. Think Shopzilla. For sites like those, perhaps GBuy is the golden ticket.

But back to the traditional merchants. Online merchants already track purchases made via Google AdWords. They've already bought software to track orders, or they've integrated a code into their inventory systems that correlates a sale with an AdSense referral. There's an entire marketplace of shopping cart software that's already integrated PayPal.

So the question inevitably becomes: If I'm a merchant, and I've already gone through the trouble of integrating PayPal, and PayPal is cheaper and it's trusted, why would I switch to GBuy?

One possible answer to that question is that GBuy is free for AdWords customers. Yes, that's a great incentive. But don't expect GBuy to eclipse PayPal with that feature alone. Companies with large marketing budgets will be advertising over multiple sites, not just with Google AdWords. Does it make sense to switch to GBuy for a 1-2 percent gain? Perhaps.

At any rate, the market will decide. I'm still cautiously optimistic about GBuy. If merchants can be incentivized by the potential to reduce click fraud, and if they're not leery of giving too much control to Google, perhaps they'll switch…

GOOGLE'S AUTHENTICATION VERSUS MICROSOFT'S LIVE ID

Here is a piece by Eric Norlin over at zdnet.com. Windows Live ID is the identity backbone used by Microsoft's web properties and services – for example, by hotmail. For those who haven't followed the bouncing ball, Windows Live ID is the latest evolution of Passport, which has undergone a name change to convey its focus within Window Live services – as well as its ability to federate in a multi-centered identity landscape.

Recent announcements of Google's authentication service have prompted comparisons to Passport, and even gotten to Dick Hardt (of “Identity 2.0″ fame) to call it the, “deepening of the identity silo.” I'd like to contrast Google's work with Microsoft's recent work around Live ID.

Microsoft's Live ID *is* the old Passport — with a few key changes. Kim Cameron's work around the identity metasystem has driven the concept of InfoCards (now called CardSpace) deep inside of Microsoft. In essence, Kim's idea is that there is a “metasystem” which utilizes WS-Trust to translate tokens, so that all identity systems can interact with each other.

Of extreme importance is the fact that Windows Live ID will support WS-Trust, WS-Federation, CardSpace and ADFS (active directory federation server). This means that A) Windows Live ID can interact with other identity metasystem implementations (Open Source versions, for example); B) that your corporate active directory environment can be federated into Windows Live ID; and C) the closed system that was Passport has now effectively been transformed into an open (standards-based) and transparent system that is Live ID.

Contrast all of this with Google's announcement: create Google account, store user information at Google, get authentication from Google — are we sensing a trend? While Microsoft is now making it easy to interact with other (competing) identity systems, Google is making it nearly impossible. All of which leads one to ask – why?

I honestly believe that Microsoft is ahead of Google on this one for a very simple reason: Passport taught Microsoft some very painful, first-hand lessons. Passport forced Microsoft (over a period of years) to re-examine their fundamental approach to identity. Further, it forced them to figure out how to monetize the idea of identity applications — and not simply the aggregation of identity itself. Conversely, Google's business is now built on the aggregation of identity data, and they have yet to walk the painful Passport path.

Will the market force Google to learn the same lesson? I don't know. On the other hand, one company is clearly advancing the cause of “identity 2.0″, “web 2.0″, “Net 2.0″ — call it what you will — and that company is Microsoft. The other company is deepening the silo and building the walled garden — and that is *so* late 90s.

While I love being in the software olympics as much as the next guy, I personally hope that Google embraces federation, Information Cards and the identity metasystem. They have enough smart people who understand these issues that I expect they will.