Federation: the promise of potentially transforming our business

Ping's Andre Durand has announced an award that not only says good things about his company, but is a crystal clear indication of the importance federated identity technology will inevitably acquire as people adopt it: 

“A few days ago Morgan Stanley awarded Ping their CTO Summit Innovation Award. Ping was the sole recipient of this year's award, which recognizes those which hold the promise of potentially transforming Morgan Stanley’s business. VMware won the award in 2005 — we really like that comparison! Who knew virtualization was going to be as big as it is today 3 or 4 years ago?
   
“Every year Morgan Stanley receives around 200 applications from companies to present at their CTO Summit.  They internally vote and select 36 to present. Of these, only four ever get as far as contracts and of those, only one receives this award.  We presented Ping Identity and our product, PingFederate back in 2006 (is the ulterior motive obvious enough?).  As hoped, earlier this year Morgan Stanley became a customer, using our technology to secure and integrate their employees’ use of on-demand applications such as Salesforce.com among other things.
 
“It’s great to finally see identity federation receive the recognition it deserves for enabling companies to secure their virtual borders. It’s going to be a good year!”

Ping's success doesn't surprise me given the high standards it sets itself.  And we all expect Morgan Stanley's CTO to be forward-thinking and “on the money”, so to speak. 

But still, this is a remarkable bellwether in so clearly recognizing the transformative nature of identity.  Congratulations are due both to Ping and to Jonathan Saxe, Managing Director, Global Chief Information Officer of Morgan Stanley.   

Internet as extension of mind

Ryan Janssen at drstarcat.com  published an interview recently that led me to think back over the various phases of my work on identity.  I generally fear boring people with the details, but Ryan explored some things that are very important to me, and I appreciate it. 

After talking about some of the identity problems of the enterprise, he puts forward a description of metadirectory that I found interesting because it starts from current concepts like claims rather than the vocabulary of X.500: 

…. Kim and the ZOOMIT team came up with the concept of a “metadirectory”. Metadirectory software essentially tries to find correlation handles (like a name or email) across the many heterogeneous software environments in an enterprise, so network admins can determine who has access to what. Once this is done, it then takes the heterogeneous claims and transforms them into a kind of claim the metadirectory can understand. The network admin can then use the metadirectory to assign and remove access from a single place. 

Zoomit released their commercial metadirectory software (called “VIA”) in 1996 and proceeded to clean the clock of larger competitors like IBM for the next few years until Microsoft acquired the company in the summer of 1999. Now anyone who is currently involved in the modern identity movement and the issues of “data portability” that surround it has to be feeling a sense of deja vu because these are EXACTLY the same problems that we are now trying to solve on the internet—only THIS time we are trying to take control of our OWN claims that are spread across innumerable heterogeneous systems that have no way to communicate with each other. Kim’s been working on this problem for SIXTEEN years—take note!

Yikes.  Time flies when you're having fun.

When I asked Kim what his single biggest realization about Identity in the 16 years since he started working on it was, he was slow to answer, but definitive when he did—privacy. You see, Kim is a philosopher as well as a technologist. He sees information technology (and the Internet in particular) as a social extension of the human mind. He also understands that the decisions we make as technologists have unintended as well as intended consequences. Now creating technology that enables a network administrator to understand who we are across all of a company’s systems is one thing, but creating technology that allows someone to understand who we are across the internet, particularly as more and more of who we are as humans is stored there, and particularly if that someone isn’t US or someone we WANT to have that complete view, is an entirely other problem.

Kim has consistently been one of the strongest advocates for obscuring ANY correlation handles that would allow ANY Identity Provider or Relying Party to have a more complete view of us than we explicitly give them. Some have criticized his concerns as overly cautious in a world where “privacy is dead”. When you think of your virtual self as an extension of your personal self though, and you realize that the line between the two is becoming increasingly obscured, you realize that if we lose privacy on the internet, we, in a very real sense, lose something that is essentially human. I’m not talking about the ability to hide our pasts or to pretend to be something we’re not (though we certainly will lose that). What we lose is that private space that makes each of us unique. It’s the space where we create. It’s the space that continues to ensure that we don’t all collapse into one.

Yes, it is the space on which and through which Civilization has been built.

Drstarcat on Project Pamela

drstarcat.com is doing “A History of Tomorrow's Internet” – a dive into Information Cards, CardSpace, Higgins and now, in Part Five, The Pamela Project. The “future history” is a personal tale that is definitely worth reading.  The most recent post introduces us to Pamela Dingle herself – a woman who has played a key role – both technically and as a leader – in advancing Information Cards. 

Drstarcat writes:

“As I’ve explained more than once in this blog, a greater problem than finding reliable Identity Providers is getting the websites we know and love to become Relying Parties. That is exactly the problem that Pamela has deemed to attack with her eponymous project. As the project’s mission statement says, “The Pamela Project is a grassroots organization dedicated to providing community support for both technical and non-technical web users and administrators who wish to use or deploy information card technologies.” Given the difficulties I experienced even USING iCards as a non-technical web user, this seems like a pretty ambitious task, and as part of this post, I’m going to try to get my blog up and running. First, a few words about Pamela and the history of the project.

“Pamela first ran into the issues surrounding Identity in her role as a technology consultant in Calgary in 1999. Anyone who’s done any large-scale enterprise software installation has likely had a similar experience–try to do anything and you’ll run into a myriad of (often semi-functional) authentication and directory services before you can even get off the ground. She’d been working on Peoplesoft installations and with Oblix (an enterprise self-service password management tool later acquired by Oracle), when she attended her first Burton Identity conference in 2001. It was here she first began to think of Identity as a (the?) core technology problem, as opposed to something peripheral to what she wanted to get done. It’s a realization that, once had, can become a little consuming (trust me, I spend WAY too much time building software to be blogging about anything–especially, SOFTWARE).

“Her second “ah-ha” moment came when, if my notes serve me correctly, she was “hit on the head with a brick” by Kim Cameron at the 2002 Catalyst conference. There he drew her a brief sketch on a napkin where he showed the three party system (Subject, Relying Party, Identity Provider) that is at the core of most of the emerging identity systems. She was hooked, but it wasn’t until 2005, when Kim added some sample PHP Relying Party code to his blog, that she saw a place where she could contribute. As a sometimes PHP hacker, she took the simple code, and began to port it over to some of her favorite PHP frameworks (WordPress, Joomla, and MediaWiki). Since that time, she and about 10 other contributors have been working to get a 1.0 version of the product out, which, given Pamela’s commitment, I suspect will be about like most other project’s 2.0 release.

“Before writing about my experience installing the WordPress v0.9 plugin, a word about the seemingly self-promulgatory name of the project because I think it says a lot about Pamela as a person and the Identity movement she’s part of. According to Pamela it’s the last name she would have thought of as a woman working as a technologist. As she explains, it’s hard enough as a woman to get recognized as a serious technologist without drawing unnecessary attention to yourself. Having a wife who is one of the best Java engineers in NYC, but who also is regularly asked if she REALLY wrote the stunning code she produces, I can attest this is true. It’s because of this stereotype though that Pamela chose the name. She was tired, as someone who is self-admittedly “vocal”, of this kind of self-inflicted sheepishness. So in “defiance to self-regulation”, and at Craig Burton’s urging, she chose The Pamela Project…

“I’ll let you know how my experience actually USING the Pamela project goes in my next post. In the mean time, as you wait in breathless anticipation, why not go over to the project’s site and ask Pamela how you can be of use. This is a big project and they’re going to need all the help they can get.”

[More here.]

Virtual Corporate Business Cards

Martin Kuppinger is one of the key analysts behind the amazing European Identity Conference just held in Munich.  This was “User Centric Meets Enterprise Identity Management” with a twist: our European colleagues have many things to contribute to the discussion about how they fit together…

For a taste of what I'm talking about, here is a posting that I found dazzling.  There are no weeds encumbering Martin's thinking.  He's got the story:  Virtual Corporate Business Cards.   

Yes, I know – it is a little redundant talking about “corporate” and “business” in the context of virtual cards. But it is one of the most obvious, interesting and feasible business cases around Identity 2.0.

What do I mean by that term? My idea is about applying the ideas of Identity 2.0 and especially of InfoCard to the business. Provide every employee with an InfoCard or even some of them and you are better suited to solve many of today’s open issues.

How to issue these cards

I have had this in mind for a pretty long time. I remember that I had asked Don Schmidt from Microsoft about the interface between Active Directory and CardSpace some time before EIC 2007. Active Directory might be one source of these cards. Just provide an interface between AD and an Identity Provider for InfoCards and you are able to issue and manage these cards based on information which already exists in the Active Directory. For sure, any other corporate directory or meta directory might work as well.

Today these technical interfaces are still missing, at least in easy-to-use implementations. But it won’t take that long until we see them. Thus, it is time to start thinking about the use cases.

How to use these cards

There are at least three types of cards I have in mind:

  • Virtual business cards: They are used when someone represents his company. How do you ensure today that every employee provides current and correct information when he registers with other web sites? How do you ensure that he acts in the web like you expect him to do? How do you ensure that he enters the correct title or the correct information about the size of your business when registering? InfoCards are the counterpart to your paper-based business cards today, but they can contain more information. And there might be different ones for different purposes.
  • Virtual corporate cards: They are used for B2B transactions and interactions. Add information like business roles to the cards and you can provide all these claims or assertions which are required for B2B business. These cards can be an important element in Federation, providing current information on the role of an employee or other data required. For sure there can be as well several cards, depending on the details which are required for interaction with different types of business partners.
  • Virtual employee cards: They are used internally, for example to identify users in business processes. Again, there might be a lot of information on them, like current business roles. You might use them as well to improve internal order processes, identifying the users who request new PCs, paper, or whatever else.

With these three types I might even have to extend the name for the cards, I assume. But I will stick with the term I have in the title of this post. The interesting aspect is the flexibility which (managed) InfoCards provide and the ability to manage them in context with a leading directory you have.

Due to the fact that you are the Identity Provider when applying these concepts you can ensure that no one uses these cards after leaving the company. You can ensure as well that the data is always up-to-date. That’s by far easier than with some of today’s equivalents for these future types of cards.

I will blog these days about two other ideas I have in mind in this context: The way the concept of claims Microsoft’s Kim Cameron is evangelizing will affect end-to-end security in business processes and SOA applications in general and the idea of using InfoCards for all these personalization and profiling ideas which have been discussed many years ago. I’m convinced that Identity 2.0 concepts like InfoCards and claims are a key element to solve these threats and bring these things to life.

There is a lot of business value in these concepts. And they will affect the way businesses cooperate, because they are much easier to implement and use than many other approaches.

I'm with you 100% Martin.  That's the most concise and comprehensible description of enterprise Information Cards that I've seen.  
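As an added illustration of the card model Martin describes (this is example code written for this post, not Kuppinger's, Ping's or Microsoft's): a toy corporate identity provider that reads a constructed directory record, releases a different claim subset for each of the three card types, signs the result, and refuses issuance once the directory marks the employee inactive. The directory contents, the card-type names, the HMAC key and the token format are all assumptions; a real managed card would carry a SAML token from an STS, and a relying party would verify a public-key signature rather than share the issuer's key.

```python
"""Illustrative managed-card issuer: claims drawn from a directory record.

Added example, not Kuppinger's or Microsoft's code. The directory, the card
types and the HMAC token format are constructed for illustration.
"""
import hashlib
import hmac
import json
import time

# Constructed stand-in for an Active Directory / metadirectory record.
DIRECTORY = {
    "alice": {"display_name": "Alice Example", "title": "Procurement Lead",
              "company": "Example Corp", "company_size": "1000-5000",
              "email": "alice@example.com", "roles": ["buyer", "approver"],
              "active": True},
    "bob": {"display_name": "Bob Example", "title": "Engineer",
            "company": "Example Corp", "company_size": "1000-5000",
            "email": "bob@example.com", "roles": ["developer"],
            "active": False},   # left the company: directory disabled him
}

# Which attributes each card type releases: minimal disclosure per purpose.
CARD_CLAIMS = {
    "business": ("display_name", "title", "company", "company_size", "email"),
    "corporate": ("display_name", "company", "roles"),
    "employee": ("display_name", "email", "roles"),
}

ISSUER_KEY = b"constructed-issuer-secret"  # held by the corporate IdP only
TOKEN_LIFETIME_S = 600                      # short-lived: data stays current


class IssuanceRefused(Exception):
    pass


def issue_card_token(user, card_type, now=None):
    """Issue a signed claim set for one card type, reading the directory live."""
    now = int(time.time()) if now is None else now
    record = DIRECTORY.get(user)
    if record is None or not record["active"]:
        # Leavers are refused at issuance time, so the card stops working.
        raise IssuanceRefused(f"{user!r} is not an active employee")
    if card_type not in CARD_CLAIMS:
        raise IssuanceRefused(f"unknown card type {card_type!r}")
    claims = {k: record[k] for k in CARD_CLAIMS[card_type]}
    payload = {"sub": user, "card": card_type, "claims": claims,
               "iat": now, "exp": now + TOKEN_LIFETIME_S}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def verify_card_token(token, now=None):
    """Relying-party side check: signature first, then expiry.
    Returns the payload dict, or None if the token is not acceptable."""
    now = int(time.time()) if now is None else now
    body, _, sig = token.rpartition(".")
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(body)
    if payload["exp"] <= now:
        return None
    return payload


if __name__ == "__main__":
    tok = issue_card_token("alice", "business")
    print(verify_card_token(tok)["claims"])
    try:
        issue_card_token("bob", "employee")
    except IssuanceRefused as e:
        print("refused:", e)
```

The point of reading the directory at every issuance, rather than minting long-lived cards, is the one Martin makes: revocation is a directory change, and the short `exp` bounds how long a stale token can circulate.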

Flickr, Windows Live ID and Phishing

We talk a lot in the identity milieu about opening up the “walled gardens” that keep our digital experiences partitioned between Internet portals.  Speaking as a person who dabbles in many services, it would be really great if I could reuse information rather than entering it over and over again.  I think as time goes on we will get more and more fed up with the friction that engulfs our information.   Over time enough people will feel this way that no portal will be able to avoid “data portability” and still attract usage.

Even so, many have argued that today’s business models don’t allow more user-centric services to evolve.  That’s why it has been fascinating to read about the new Flickr Friend Finder.  I think it is tremendously significant to see organizations of the stature of Flickr, Yahoo, Google and Microsoft working closely together so people can easily associate their pictures on one site with their friends and colleagues from others.

Once people decide to share information between their services, we run smack dab into the “how” of it all.  In the past, some sites actually asked you to give them your username and password, so they could essentially become you.  Clearly this was terrible from a security and identity point of view.  The fact is, sharing requires new technology approaches.

Windows Live has moved forward in this area by developing a new “Contacts API”.  Angus Logan gave us a great overview on his blog recently, taking us through the whole experience.  I recommend you look at it – the design handles a lot of fascinating issues that we’ll be encountering more and more.  I’ll just pick up on the first couple of steps:

Go to the Friend finder


Select Windows Live Hotmail (you can also select Yahoo! Mail and GMail) – I’d imagine soon there will be Facebook / LinkedIn / insert social network here.


If you aren’t already authenticated, use your Windows Live ID to sign in (IMPORTANT: Notice how you are not sharing your Windows Live ID secret credential pair with Flickr – this is a good thing!)


If you have followed my work on the problems with protocols that redirect users across web contexts, you will see there is a potential problem here.  

If Flickr plays by the rules, it will not learn your username and password, and cannot “become you”.  It really is a step forward.

But if a user gets used to this behavior, a disreputable site can pretend to send her to Windows Live by putting up a fake page.  The fake can look real enough that the user gives away her credentials.

A user called davidacoder called this out on Angus’ blog:

I think this whole approach will lead to many, many, many hacked Windows Live ID accounts. If you guys seriously believe that average users will be able to follow the rule “only type in your credentials on login.live.com” you are just naive. AND your own uber-security guy Kim Cameron is telling that very story to the world for years already. I wouldn’t mind so much if a Live ID was a low-value asset, but you bring people to associate some of their most valuable assets with it (email, calendar, contacts). I find the whole approach irresponsible. I just hope that at some point, if someone loses his credentials this way, he will sue you and present Kim Cameron’s blog as evidence that you were perfectly aware in what danger you bring your users. And to make a long story short, I think the Live ID team should fix the phishing problem first (i.e. implement managed infocards), before they come up with new delegation stuff etc that will just lead to more attack surface. Very bad planning.

I admire David’s passion, although I’d prefer not to be used in any law suits if that is OK with everyone.  Let’s face it.  There are two very important things to be done here. 

One is to open up the portals so people can control their information and use it as they see fit.  I totally endorse Angus’ work in this regard, and the forward-looking attitude of the Windows Live team.  I urge everyone to give them the credit they deserve so they’ll continue to move in this positive direction.

The other is to deal with the phishing problems of the web. 

And let me be clear.  Information sharing is NOT the only factor heightening the need for stronger Internet identity.  It is one of a dozen factors.  Perhaps the most dangerous of these is the impending collision between the security infrastructure of the Internet and that of the enterprise.  But no one can prevent this collision – or turn back the forces of openness.  All we can do is make sure we apply every effort to get stronger identity into place.

On that front, today Neelamadhaba Mahapatro (Neel), who runs Windows Live ID, put up a post where he responds to David’s comment:

Earlier this week a comment was left on Angus Logan’s blog, it got me thinking, and I want to share what we are doing to create phishing resistant systems.

  • We are absolutely aware of the dangers of phishing on the Internet.
  • We understand the probability of attack goes up when the value of the asset that is being protected is higher than the strength of authentication protecting that asset – watch this video by Kim Cameron to see OpenID phished.
  • We have put certain measures in place to counteract phishing attempts which are listed below.

Self Issued InfoCards

In August 2007 we announced beta support for self issued InfoCards with Windows Live ID (instead of username/password). The Windows Live ID team is working closely with the Windows CardSpace team to ensure we deliver the best solution for the 400 million+ people who use Windows Live ID monthly. Angus’s commenter, davidacoder, also asked for the Windows Live ID service to become a Managed InfoCard provider – we have been evaluating this; however we have nothing to announce yet.

Authenticating to Windows Live ID with CardSpace.

Additional Protection through Extended Validation Certificates

To further reduce the risk of phishing, we have implemented Extended Validation certificates to prove that the login.live.com site is trustworthy. I do however think more education for internet users is required to help drive the understanding of what it means when the address bar turns green (and what to do when it doesn’t). When authenticating in a web browser, Microsoft will only ask for your Windows Live ID credential pair on login.live.com – nowhere else! (See this related post).

login.live.com with the Extended Validation certificate. 

Neel continues by showing a number of other initiatives the group has taken – including the Windows Live Sign-in Assistant and “roaming tiles”.  He concludes:

We’re constantly looking for ways to balance end-user security/privacy and user experience. If the barrier to entry is too high or the user experience is poor, the users will revolt. If it is too insecure the system becomes an easy target. A balance needs to be struck. Using Windows CardSpace is definitely a move forward from usernames & passwords but adoption will be the critical factor here.

And he’s right.  Sites like Windows Live can really help drive this, but they can’t tell users what to do.  The important thing is to give people the option of using Information Cards to prevent phishing.  Beyond that, it is a matter of user education. One option would be for systems like Live ID to automatically suggest stronger authentication to people who use features like data sharing and off-portal authentication – features that put password credentials more at risk.
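The rule Neel states, credentials only on login.live.com, can be encoded as a check rather than left entirely to user education. As an added example (not Microsoft's, Flickr's or Angus's code), the function below decides whether a URL is the trusted credential-entry origin, rejecting the host-suffix, userinfo and non-default-port forms that make a different destination look like the real one, and an audit routine runs it over constructed log lines of the kind a browser-side helper or an outbound proxy might emit when a password form is submitted. The allowlist, the log format and the function names are assumptions.

```python
"""Checking that credentials only go to the trusted login origin.

Added example, not Microsoft's or Flickr's code. The allowlist, the log
lines and the helper names are constructed for illustration.
"""
from urllib.parse import urlsplit

# Origins at which the identity provider legitimately asks for the
# credential pair (the page's rule: "only on login.live.com").
TRUSTED_LOGIN_HOSTS = {"login.live.com"}


def is_trusted_login_origin(url):
    """True only if url is https, on an allowlisted host exactly, with no
    userinfo or non-default port that could disguise the real destination."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False                      # plain http: no EV cert, no green bar
    if parts.username is not None or parts.password is not None:
        return False                      # "https://login.live.com@other/" form
    try:
        port = parts.port
    except ValueError:
        return False                      # unparseable port: treat as untrusted
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact match only: "login.live.com.other.example" is a different host.
    return host in TRUSTED_LOGIN_HOSTS


# Constructed log lines: one record per submitted password form.
CREDENTIAL_FORM_LOG = """\
2008-04-10T10:01:02Z user=alice action=credential_form url=https://login.live.com/login.srf
2008-04-10T10:03:15Z user=bob action=credential_form url=http://login.live.com/login.srf
2008-04-10T10:05:40Z user=carol action=credential_form url=https://login.live.com.example.net/login.srf
2008-04-10T10:07:01Z user=dave action=credential_form url=https://login.live.com@example.net/login.srf
2008-04-10T10:09:30Z user=erin action=page_view url=https://example.net/
"""


def audit_credential_forms(log_text):
    """Return (user, url) pairs where a credential form was submitted to an
    origin other than the trusted login origin."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("action") != "credential_form":
            continue
        if not is_trusted_login_origin(fields["url"]):
            flagged.append((fields["user"], fields["url"]))
    return flagged


if __name__ == "__main__":
    for user, url in audit_credential_forms(CREDENTIAL_FORM_LOG):
        print(f"credentials submitted off-origin by {user}: {url}")
```

Exact host matching is deliberate: allowing any subdomain of an allowlisted host is the usual way such checks get loosened, and it is exactly the gap a fake login page relies on.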

Microsoft must “U-Prove” what its plans are

Kuppinger Cole‘s analyst Felix Gaehtgens calls on Microsoft to move more quickly in announcing how we are going to make Credentica's Minimal Disclosure technology available to others in the industry.  He says,

“On March 6th, almost a month ago, Microsoft announced its acquisition of Montreal based Credentica, a technology leader in the online digital privacy area. It’s been almost a month, but the dust won’t settle. Most analysts including KCP agree that Microsoft has managed a master coup in snapping up all patents and rights to this technology. But there are fears in the industry that Microsoft could effectively try to use this technology to enrich its own platform whilst impeding interoperability by making the technology unavailable. These fears are likely to turn out to be unfounded, but Microsoft isn’t helping to calm the rumour mill – no statements are being made for the time being to clarify its intentions.”

Wow.  Felix makes a month sound like such a long time.  I'm jealous.  To me it just flew by.  But I get his message and feel the tines of his pitchfork.

Calling U-Prove a “Hot Technology” and explaining why, Felix continues,

“…if Microsoft were to choose to leverage the technology only in its own ecosystem, effectively shutting out the rest of the Internet, then it would be very questionable whether the technology would be widely adopted. The same if Microsoft were to release the specifications, but introduce a “poison pill” by leveraging its patent. This would certainly be against Microsoft’s interest in the medium to long future.”

This is completely correct.  Microsoft would have to be completely loony to try to partition the internet across vendor lines.  So, basically, you can be sure we won't.

“There is a fair amount of mistrust in the industry, sometimes even bordering on paranoia because of Microsoft’s past approach to privacy and interoperability. The current heated discussion about the OOXML is an example of this. Over the last years, Microsoft has taken great pains to alleviate those fears, and has shown a willingness to work towards interoperability. But many are not yet convinced of the picture that Kim is painting. It is very much in Microsoft’s interest to make an official statement regarding its broad intentions with U-Prove, and reassure the industry if and how Microsoft intends to follow the “fifth law of identity” with regards to this new technology.”

We are working hard on this.  The problem is that Microsoft can't make an announcement until we have the legal documents in place to show what we're talking about.  So there is no conspiracy or poison pill.  Just a lot of details to nail down.

All about Phorm

The Law of User Control is hard at work in a growing controversy about interception of people's web traffic in the United Kingdom.  At the center of the storm is the “patent-pending” technology of a new company called Phorm.  Its web site advises:

Leading UK ISPs BT, Virgin Media and TalkTalk, along with advertisers, agencies, publishers and ad networks, work with Phorm to make online advertising more relevant, rewarding and valuable. (View press release.)

Phorm's proprietary ad serving technology uses anonymised ISP data to deliver the right ad to the right person at the right time – the right number of times. Our platform gives consumers advertising that's tailored to their interests – in real time – with irrelevant ads replaced in the process.

What makes the technology behind OIX and Webwise truly groundbreaking is that it takes consumer privacy protection to a new level. Our technology doesn't store any personally identifiable information or IP addresses, and we don't retain information on user browsing behaviour. So we never know – and can't record – who's browsing, or where they've browsed.

It is counterintuitive to see claims of increased privacy posited as the outcome of a tracking system.  But even if that happened to be true, it seems like the system is being laid on the population as a fait accompli by the big powerful ISPs.  It doesn't seem that users will be able to avoid having their traffic redirected and inspected.  And early tests of the system were branded “illegal” by Nicholas Bohm of the Foundation for Information Policy Research (FIPR). 

Is Phorm completely wrong?  Probably not.  Respected and wise privacy activist Simon Davies has done an Interim Privacy Impact Assessment that argues (in part):

In our view, Phorm has successfully implemented privacy as a key design component in the development of its Phorm Technology system. In contrast to the design of other targeting systems, careful choices have been made to ensure that privacy is preserved to the greatest possible extent. In particular, Phorm has quite consciously avoided the processing of personally identifiable information.

Simon seems to be suggesting we consider Phorm in relation to the current alternatives – which may be worse.

To make a judgment we need to really understand how Phorm's system works.  Dr. Richard Clayton, a computer security researcher at the University of Cambridge and a participant in Light Blue Touchpaper, has published a succinct ten page explanation that is a must-read for anyone who is a protocol head.

Richard says his technical analysis of the Phorm online advertising system has reinforced his view that it is “illegal”, breaking laws designed to limit unwarranted interception of data.

The British Information Commissioner's Office confirmed to the BBC that BT is planning a large-scale trial of the technology “involving around 10,000 broadband users later this month”.  The ICO said: “We have spoken to BT about this trial and they have made clear that unless customers positively opt in to the trial their web browsing will not be monitored in order to deliver adverts.”

Having quickly read Richard's description of the actual protocol, it isn't yet clear to me that if you opt out, your web traffic isn't still being examined and redirected.  But there is worse. I have to admit to a sense of horror when I realized the system rewards ISPs for abusing their trusted role in the Internet by improperly posing as other people's domains in order to create fraudulent cookies and place them on users' machines.  Is there a worse precedent?  How come ISPs can do this kind of thing and others can't?  Or perhaps now they can…

To accord with the Laws of Identity, no ISP would examine or redirect packets to a Phorm-related server unless a user explicitly opted-in to such a service.  Opting in should involve explicitly accepting Phorm as a justifiable witness to all web interactions, and agreeing to be categorized by the Phorm systems.

The system is devised to aggregate across contexts, and thus runs counter to the Fourth Law of Identity.  It claims to mitigate this by reducing profiling to categorization information.  However, I don't buy that.  Categorization, practiced at a grand enough scale and over a sufficient period of time, potentially becomes more privacy invasive than a regularly truncated audit trail.    Thus there must be mechanisms for introducing amnesia into the categorization itself.

Phorm would therefore require clearly defined mechanisms for deprecating and deleting profile information over time, and these should be made clear during the opt-in process.

I also have trouble with the notion that in Phorm identities are “anonymized”.  As I understand it, each user is given a persistent random ID.  Whenever the user accesses the ISP, the ISP can see the link between the random ID and the user's natural identity.  I understand that ISPs will prevent Phorm from knowing the user's natural identity.  That is certainly better than many other systems.  But I still wouldn't claim the system is based on anonymity.  It is based on controlling the release of information.
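To make the three requirements above concrete (no examination of traffic before opt-in, a random ID that only the ISP can link back to a subscriber, and amnesia in the categorization itself), here is an added model written for this discussion. It is not Phorm's code and does not describe their actual protocol; the subscriber names, the categories, the seven-day retention window and the class names are constructed.

```python
"""Model of an opt-in, pseudonymous categorization pipeline with amnesia.

Added example, not Phorm's code: it models the properties the discussion
asks for, not the deployed system. Subscribers, categories and the
retention window are constructed.
"""
import secrets
from collections import defaultdict

DAY = 86400


class Categorizer:
    """Sees only random IDs and categories, never subscriber identities."""

    def __init__(self, retention_seconds):
        self.retention = retention_seconds
        self.last_seen = defaultdict(dict)   # rid -> {category: last timestamp}

    def record(self, rid, category, now):
        self.last_seen[rid][category] = now
        self.expire(now)

    def expire(self, now):
        """Amnesia: drop any category not refreshed within the retention window,
        and drop the random ID entirely once nothing is left under it."""
        for rid in list(self.last_seen):
            cats = self.last_seen[rid]
            for cat in [c for c, t in cats.items() if now - t > self.retention]:
                del cats[cat]
            if not cats:
                del self.last_seen[rid]

    def forget(self, rid):
        self.last_seen.pop(rid, None)

    def categories(self, rid, now):
        self.expire(now)
        return sorted(self.last_seen.get(rid, {}))


class ISPGateway:
    """Holds the one table that links a subscriber to a random ID. Only
    opted-in subscribers are ever forwarded to the categorizer; this is the
    link that makes the system 'controlled release', not anonymity."""

    def __init__(self, categorizer):
        self.categorizer = categorizer
        self.opted_in = set()
        self.pseudonym = {}          # subscriber -> random ID (ISP-only table)
        self.dropped = 0             # requests not forwarded at all

    def opt_in(self, subscriber):
        self.opted_in.add(subscriber)
        self.pseudonym.setdefault(subscriber, secrets.token_hex(16))

    def opt_out(self, subscriber):
        self.opted_in.discard(subscriber)
        rid = self.pseudonym.pop(subscriber, None)
        if rid is not None:
            self.categorizer.forget(rid)   # opt-out purges the profile too

    def observe(self, subscriber, category, now):
        """Called once per request the ISP could classify."""
        if subscriber not in self.opted_in:
            self.dropped += 1        # not opted in: traffic is not examined
            return
        self.categorizer.record(self.pseudonym[subscriber], category, now)


if __name__ == "__main__":
    cat = Categorizer(retention_seconds=7 * DAY)
    isp = ISPGateway(cat)
    isp.opt_in("alice")
    isp.observe("alice", "travel", 0)
    isp.observe("alice", "gardening", 5 * DAY)
    rid = isp.pseudonym["alice"]
    print(cat.categories(rid, 6 * DAY), cat.categories(rid, 8 * DAY))
```

Two things the model makes visible: the categorizer never holds a subscriber name, yet the ISP's `pseudonym` table means the profile is linkable by whoever holds that table, which is why "anonymized" overstates it; and without the `expire` step the category set under one random ID only ever grows, which is the accumulation across time the text warns about.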

[Podcasts are available here]

Is New Zealand's government a ‘justifiable party’?

Vikram Kumar works for New Zealand's State Services Commission on the All-of-government Authentication Programme.   As he puts it, “… that means my working and blog lives intersect….”  In this discussion of the Third Law of Identity, he argues that in New Zealand, where the population of the whole country is smaller than that of many international cities, people may consider the government to be  a “justifiable party” in private sector transactions:

A recent article in CR80News called Social networking sites have little to no identity verification got me thinking about the Laws of Identity, specifically Justifiable Parties, “Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.”

The article itself makes points that have been made before, i.e. on social networking sites “there’s no way to tell whether you’re corresponding with a 15-year-old girl or a 32-year-old man…The vast majority of sites don’t do anything to try to confirm the identities of members. The sites also don’t want to absorb the cost of trying to prove the identity of their members. Also, identifying minors is almost impossible because there isn’t enough information out there to authenticate their identity.”

In the US, this has thrown up business opportunities for some companies to act as third party identity verifiers. Examples are Texas-based Entrust, Dallas-based RelyID, and Atlanta-based IDology. They rely on public and financial records databases and, in some cases, government-issued identification as a fallback.

Clearly, these vendors are Justifiable Parties.

What about the government? It is the source of most of the original information. Is the government a Justifiable Party?

In describing the law, Kim Cameron says “Today some governments are thinking of operating digital identity services. It makes sense (and is clearly justifiable) for people to use government-issued identities when doing business with the government. But it will be a cultural matter as to whether, for example, citizens agree it is “necessary and justifiable” for government identities to be used in controlling access to a family wiki or connecting a consumer to her hobby or vice.” [emphasis added]

So, in the US, where there isn’t a high trust relationship between people and the government, the US government would probably not be a Justifiable Party. In other words, if the US government was to try and provide social networking sites with the identity of its members, the law of Justifiable Parties predicts that it would fail.

This is probably no great discovery- most Americans would have said the conclusion is obvious, law of Justifiable Parties or not.

Which then leads to the question of other cultures…are there cultures where government could be a Justifiable Party for social networking sites?

To address this, I think it is necessary to distinguish between the requirements of social networking sites that need real-world identity attributes (e.g. age) and the examples that Kim gives (family wiki, connecting a consumer to her hobby or vice) where authentication is required (i.e. it is the same person each time without a reliance on real-world attributes).

Now, I think government does have a role to play in verifying real-world identity attributes like age. It is after all the authoritative source of that information. If a person makes an age claim and government accepts it, government-issued documents reflect the accepted claim as what I call an authoritative assertion that other parties accept.

The question then is whether in some high trust societies, where there is a sufficiently high trust relationship between society and government, can the government be a Justifiable Party in verifying the identity (or identity attributes such as age alone) for the members of social networking societies?

I believe that the answer is yes. Specifically, in New Zealand where this trust relationship exists, I believe it is right and proper for government to play this role. It is of course subject to many caveats, such as devising a privacy-protective system for the verification of identity or identity attributes and understanding the power of choice.

In NZ, igovt provides this. During public consultation held late last year about igovt, people were asked whether they would like to use the service to verify their identity to the private sector (in addition to government agencies). In other words, is government a Justifiable Party?

The results from the public consultation are due soon and will provide the answer. Based on the media coverage of igovt so far, I think the answer, for NZ, will be yes, government is a Justifiable Party.

It is noteworthy that if citizens give them the go-ahead, the State Services Commission is prepared to take on the responsibility and risk of managing all aspects of the digital identity of New Zealand's citizens. The combined government and commercial identities the Commission administers will attract attackers. Effectively, the Commission will be handling “digital explosives” of a greater potency than has so far been the case anywhere in the world.

At the same time, the other Laws of Identity will continue to hold.  The Commission will need to work extra hard to achieve data minimization after having collapsed previously independent contexts together. I think this can be done, but it requires tremendous care and use of the most advanced policies and technologies.

To be safe, such an intertwined system must, more than any other, minimize disclosure and aggregation of information.  And more than any other, it must be resilient against attack. 

If I lived in New Zealand I would be working to see that the Commission's system is based on a minimal disclosure technology like U-Prove or Idemix.  I would also be working to make sure the system avoids “redirection protocols” that give the identity provider complete visibility into how identity is used.  (Redirection protocols unsuitable for this usage include SAML and WS-Federation, as well as OpenID).    Finally, I would make phishing resistance a top priority.  In short, I wouldn't touch this kind of challenge without Information Cards and very distributed, encrypted information storage.
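To make the two points above concrete (what an identity provider learns under a redirection protocol versus a selector-mediated, non-auditing issuance, and what minimal disclosure of an age attribute looks like), here is an added illustration. It is not code from this blog, from U-Prove, Idemix, CardSpace or any product; the user record, relying-party names and HMAC key are constructed for the example, and "sealing" a token for the relying party is modelled as a wrapper record rather than real encryption to the RP's key.

```python
"""Added illustration: what an identity provider (IdP) sees under two issuance
patterns, and how an age attribute can be released without the birthdate.
Simplified model with constructed data; not U-Prove, Idemix, CardSpace or any
product's code."""
import hashlib
import hmac
import json
from datetime import date

IDP_KEY = b"constructed-demo-signing-key"  # constructed; a real IdP signs with an asymmetric key

# Constructed user record held by the hypothetical IdP
USERS = {"alice": {"birthdate": date(1985, 5, 20), "name": "Alice Example"}}


def derive_claims(record, requested, today):
    """Return only the requested claims. 'over18' is derived at the IdP so the
    birthdate itself never leaves the record (minimal disclosure)."""
    out = {}
    for c in requested:
        if c == "over18":
            bd = record["birthdate"]
            age = today.year - bd.year - ((today.month, today.day) < (bd.month, bd.day))
            out["over18"] = age >= 18
        elif c == "birthdate":
            out["birthdate"] = record["birthdate"].isoformat()
        elif c in record:
            out[c] = record[c]
        else:
            raise ValueError(f"unknown claim: {c}")
    return out


class IdentityProvider:
    def __init__(self):
        self.log = []  # everything the IdP could retain about each issuance

    def issue(self, user, requested, audience, today):
        claims = derive_claims(USERS[user], requested, today)
        self.log.append({"user": user, "audience": audience, "claims": sorted(claims)})
        payload = json.dumps({"sub": user, "aud": audience, "claims": claims}, sort_keys=True)
        sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


def redirect_flow(idp, user, rp, requested, today):
    """Redirection protocols: the browser carries the relying party's identifier
    (SAML Issuer, WS-Federation wtrealm, OpenID return_to) to the IdP, so the IdP
    records which site the user is logging in to."""
    return idp.issue(user, requested, audience=rp, today=today)


def selector_flow(idp, user, rp, requested, today):
    """Selector-mediated, non-auditing issuance (the pattern the post argues for,
    modelled here, not any product's implementation): the selector requests a
    token without naming the RP, then seals the token for that RP itself.
    Sealing is modelled as a wrapper; a real selector encrypts to the RP's key."""
    token = idp.issue(user, requested, audience=None, today=today)
    return {"sealed_for": rp, "token": token}


def verify(token):
    """Relying-party side: check the IdP signature and return the token contents."""
    expected = hmac.new(IDP_KEY, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("bad signature")
    return json.loads(token["payload"])


def demo(today=date(2008, 5, 1)):
    idp = IdentityProvider()
    redirect_flow(idp, "alice", "social.example", ["over18"], today)
    sealed = selector_flow(idp, "alice", "hobby-wiki.example", ["over18"], today)
    return idp.log, verify(sealed["token"])


if __name__ == "__main__":
    log, received = demo()
    for entry in log:
        print("IdP log entry:", entry)
    print("RP receives:", received)
```

Running it shows the IdP log naming social.example for the redirect case and no audience at all for the selector case, while both relying parties receive only `over18: true`. The model also exposes the trade-off: with no audience in the IdP's signature, binding the token to the relying party (and so preventing replay at another site) becomes the selector's job, which is why the real designs encrypt the token to the RP's key and derive a per-RP identifier rather than relying on the wrapper shown here.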

Identity bus and administrative domain

Novell's Dale Olds, who will be on Dave Kearns’ panel at the upcoming European Identity Conference, has added the “identity bus” to the metadirectory / virtual directory mashup. He says in part:

Meta directories synchronize the identity data from multiple sources via a push or pull protocols, configuration files, etc. They are useful for synchronizing, reconciling, and cleaning data from multiple applications, particularly systems that have their own identity store or do not use a common access mechanism to get their identity data. Many of those applications will not change, so synchronizing with a metadirectory works well.

Virtual directories are useful to pull identity data through the hub from various sources dynamically when an application requests it. This is needed in highly connected environments with dynamic data, and where the application uses a protocol which can be connected to the virtual directory service. I am also well aware that virtual directory fans will want to point out that the authoritative data source is not the service itself, but my point here is that, if the owners shut down the central service, applications can’t access the data. It’s still a political hub.

Personally, I think all this meta and virtual stuff are useful additions to THE key identity hub technology — directory services. When it comes to good old-fashioned, solid scalable, secure directory services, I even have a personal favorite. But I digress.

The key point here as I see it is ‘hub’ vs. ‘bus’ — a central hub service vs. passing identity data between services along the bus.

The meta/virtual/directory administration and configuration is the limiting problem. In directory-speak, the meta/virtual/directory must support the union of all schema of all applications that use it. That means it’s not the mass of data, or speed of synchronization that’s the problem — it’s the political mass of control of the hub that becomes immovable as more and more applications rendezvous on it.

A hub is like the proverbial silo. In the case of meta/virtual/directories the problem goes beyond the inflexibility of large identity silos like Yahoo and Google — those silos support a limited set of very tightly coupled applications. In enterprise deployments, many more applications access the same meta/virtual/directory service. As those applications come and go, new versions are added, some departments are unwilling to move, the central service must support the union of all identity data types needed by all those applications over time. It’s not whether the service can technically achieve this feat, it’s more an issue of whether the application administrators are willing to wait for delays caused by the political bottleneck that the central service inevitably becomes.

Dale makes other related points that are well worth thinking about.  But let me zoom in on the relation between metadirectory and the identity bus.

As Dale points out in his piece, I think of the “bus” as being a “backplane” loosely connecting distributed services. The bus extends forever in all directions, since ultimately distributed computing doesn't have a boundary.

In spite of this, the fabric of distributed services isn't an undifferentiated slate.  Services and systems are grouped into continents by the people and organizations running and using them.  Let's call these “administrative domains”.  Such domains may be defined at any scale – and often overlap.

The magic of the backplane or “bus”, as Stuart Kwan called it, is that we can pass identity claims across loosely coupled systems living in multiple discontinuous administrative domains. 

But let's be clear.  The administrative domains still continue to exist, and we need to manage and rationalize them as much tomorrow as we did yesterday.

I see metadirectories (meaning directories of directories) as the glue for stitching up these administrative continents so digital objects can be managed and co-ordinated within them. 

That is the precondition for hoisting the layer of loosely coupled systems that exists above administrative domains.  And I don't think it matters one bit whether a given digital object is accessed by a remote protocol, synchronization, or stapling a set of claims to a message – each has its place.

Complex and interesting issues.  And my main concern here is not terminology, but making sure the things we have learned about metadirectory (or whatever you want to call it) are properly integrated into the evolving distributed computing architecture.  A lot of us are going to be at the European Identity Conference in Munich later this month, so I look forward to the sessions and discussions that will take place there.

Through the looking glass

You have to like the way, in his latest piece on metadirectory, Dave Kearns summons Lewis Carroll to chide me for using the word “metadirectory” to mean whatever I want:

“When I use a word,” Humpty Dumpty said, in rather a scornful tone, “it means just what I choose it to mean—neither more nor less.”
“The question is,” said Alice, “whether you can make words mean so many different things.”
“The question is,” said Humpty Dumpty, “which is to be master—that's all.”

Dave continues:

Kim talks about a “second generation” metadirectory. Metadirectory 2.0 if you will. First time I've heard about it. First time anyone has heard about it, for that matter. There is no such animal. Every metadirectory on the market meets the definition which Kim provides as “first generation”.

It's time to move on away from the huge silo that sucks up data, disk space, RAM and bandwidth and move on to a more lithe, agile, ubiquitous and pervasive identity layer. Organized as an identity hub which sees all of the authoritative sources and delivers, via the developer's chosen protocol, the data the application needs when and where it's needed.

It's funny.  I remember sitting around in Craig Burton's office in 1995 while he, Jamie Lewis and I tried to figure out what we should call the new kind of multi-centered logical directory that each of us had come to understand was needed for distributed computing. 

After a while, Craig threw out the word “metadirectory”.  I was completely amazed.  My colleagues and I had also come up with the word “metadirectory”, but we figured the name would be way too “intellectual” – even though the idea of a “directory of directories” was exactly right.

Craig just laughed the way he always does when you say something naive.  Anyone who knows Craig will be able to hear him saying, “Kim, we can call it whatever we want.  If we call it what it really is, how can that be wrong?”

So guess what?  The thing we were calling a metadirectory was a logical directory, not a physical one.  We figured that the output of one instance was the input to the next – there was no center.  The metadirectory would speak all protocols, support different technologies and schemas, support referral to specific application directories, and preserve the application-related characteristics of the constituent data stores.   I'll come back to these ideas going forward because I think they are still super important.

My message to Dave is that I haven't changed what I mean by metadirectory one iota since the term was first introduced in 1995.  I've always seen what is now called virtual directory as an aspect of metadirectory.  In fact, I shipped a product that included virtual directory in 1996.  It not only synchronized, but it did what we used to call “chaining” and “referral” in order to create composite views across multiple physical directories.  It did this not only at the server, but optionally on the client.

Of course, there were implementations of metadirectory that were “a bit more focussed”.  Customers put specific things at the top of their list of “must-haves”, and that is what everyone in the industry tried to build.

But though certain features predominated in the early days of metadirectory, that doesn't mean that those features ARE metadirectory.   We still live in the age of the logical directory, and ALL the aspects of the metadirectory that address that fact will continue to be important.
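The behaviours described above (synchronizing attributes from several physical stores, chaining or referral to a store that is not copied, and presenting a composite view) are easier to see in code. The following is an added illustration, not the 1996 product or any vendor's engine; the three directories, their schemas and the authority table are constructed for the example.

```python
"""Added illustration of a logical directory built over several physical ones:
synchronize and reconcile attributes by per-attribute authority, chain to a
store that is never copied, and answer composite queries. All stores, records
and mappings are constructed; this is not any shipped metadirectory."""

# Constructed physical directories, each with its own schema.
HR = {
    "e1001": {"employeeId": "e1001", "givenName": "Alice", "sn": "Example", "dept": "Treasury"},
    "e1002": {"employeeId": "e1002", "givenName": "Bob", "sn": "Sample", "dept": "IT"},
}
AD = {
    "alice": {"sAMAccountName": "alice", "employeeID": "e1001", "mail": "alice@corp.example", "dept": "Finance"},
    "bob": {"sAMAccountName": "bob", "employeeID": "e1002", "mail": "bob@corp.example", "dept": "IT"},
}
BADGE = {  # chained store: read on demand (referral), never synchronized into the metadirectory
    "e1001": {"badge": "B-77", "doors": ["lobby", "vault"]},
    "e1002": {"badge": "B-42", "doors": ["lobby"]},
}

# Which physical store is authoritative for each logical attribute.
AUTHORITY = {"givenName": "hr", "sn": "hr", "dept": "hr", "mail": "ad", "login": "ad"}

# Per-store mapping from physical attribute names to the logical schema.
# This table is the "union of all schema": it grows with every application that joins.
SCHEMA_MAP = {
    "hr": {"givenName": "givenName", "sn": "sn", "dept": "dept"},
    "ad": {"mail": "mail", "sAMAccountName": "login", "dept": "dept"},
}


def synchronize():
    """Join HR and AD on the employee id, map each store's attribute names onto
    the logical schema, keep the authoritative value for each attribute and
    report every non-authoritative value that disagrees with it."""
    meta, conflicts = {}, []
    ad_by_emp = {rec["employeeID"]: rec for rec in AD.values()}
    for emp_id, hr_rec in HR.items():
        sources = {"hr": hr_rec, "ad": ad_by_emp.get(emp_id, {})}
        observed = {}  # logical attribute -> {source: value}
        for src, rec in sources.items():
            for phys, logical in SCHEMA_MAP[src].items():
                if phys in rec:
                    observed.setdefault(logical, {})[src] = rec[phys]
        entry = {"employeeId": emp_id}
        for logical, values in observed.items():
            owner = AUTHORITY[logical]
            if owner in values:
                entry[logical] = values[owner]
                for src, value in values.items():
                    if src != owner and value != values[owner]:
                        conflicts.append((emp_id, logical, src, value, owner, values[owner]))
        meta[emp_id] = entry
    return meta, conflicts


def lookup(meta, emp_id, attrs):
    """Composite view: answer from the synchronized copy where possible and
    chain to the BADGE store for attributes the metadirectory does not hold."""
    entry = meta.get(emp_id, {})
    result = {}
    for attr in attrs:
        if attr in entry:
            result[attr] = entry[attr]
        elif attr in BADGE.get(emp_id, {}):
            result[attr] = BADGE[emp_id][attr]  # referral: fetched live, not stored
    return result


if __name__ == "__main__":
    meta, conflicts = synchronize()
    for emp_id, entry in meta.items():
        print(emp_id, entry)
    print("conflicts:", conflicts)
    print("composite:", lookup(meta, "e1001", ["mail", "dept", "badge", "doors"]))
```

The conflict list is the part worth keeping in a real deployment: AD carries a stale `dept` for Alice, the HR value wins because HR owns that attribute, and the disagreement is reported rather than silently overwritten. The badge attributes are never copied, so a query for them always reflects the live store, which is the chaining behaviour the post contrasts with synchronization.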

[Read the rest of Dave's post here.]