Category: Digital Identity

How to safely deliver information to auditors

I just came across Ian Brown's proposal for doing random audits while avoiding data breaches like Britain's terrible HMRC Identity Chernobyl: 

It is clear from correspondence between the National Audit Office and Her Majesty's Revenue & Customs over the lost files fiasco that this data should never have been requested, nor supplied.

NAO wanted to choose a random sample of child benefit recipients to audit. Understandably, it did not want HMRC to select that sample “randomly”. However, HMRC could have used an extremely simple bit-commitment protocol to give NAO a way to choose recipients themselves without revealing any of the data related to those not chosen:

  1. For each recipient, HMRC should have calculated a cryptographic hash of all of the recipient's data and then given NAO a set of index numbers and this hash data.
  2. NAO could then select a sample of these records to audit. They would inform HMRC of the index values of the records in that sample.
  3. HMRC would finally supply only those records. NAO could verify the records had not been changed by comparing their hashes to those in the original data received from HMRC.

This is not cryptographic rocket science. Any competent computer science graduate could have designed this scheme and implemented it in about an hour using an open source cryptographic library like OpenSSL.

Ben Laurie notes that the redacted correspondence itself demonstrates a lack of basic security awareness. I hope those carrying out the security review of the ContactPoint database are better informed.

Cross industry interop event at RSA 2008

From Mike Jones at self-issued.info here's the latest on the Information Card and OpenID interop testing coming up at RSA.  The initiatives continue to pick up support from vendors and visitors will get sneak peaks at what the many upcoming products will look like.

33 Companies…
24 Projects…
57 Participants working together to build an interoperable user-centric identity layer for the Internet!

Come join us!

Tuesday and Wednesday, April 8 and 9 at RSA 2008, Moscone Center, San Francisco, California
Location: Mezzanine Level Room 220
Interactive Working Sessions: Tuesday and Wednesday, 11am – 4pm
Demonstrations: Tuesday and Wednesday, 4pm – 6pm
Reception: Wednesday, 4pm – 6pm

OSIS Participants RSA 2008

Metadirectory and claims

My friend and long-time collaborator Jackson Shaw seems to have intrigued both Dave Kearns and Eric Norlin in an  amusing (if wicked) post called You won't have me to kick around anymore

You won't have me to kick around anymore!

No, not me. Hewlett-Packard.

I heard about a month ago that HP was going to bow out of the IDM business. I didn't want to post anything because I felt it would compromise the person that told me. But, now that it has made the news:

Check out Burton Group's blog entry on this very topic

Burton Group has been contacted by HP customers who report that HP is no longer going to seek new customers for its Identity Center product. We have contacted HP and the company confirms that HP Software has decided to focus its investment in identity management products exclusively on existing customers and not on pursuing additional customers or market share. HP is in the process of reaching out to each customer regarding the change.

Seriously – you thought HP was a contender in this space???!!! No, no, Nanette. Thanks for playing. Mission failure…

Let's be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead. We talk about Identity 2.0 in the context of Web services and the evolution of digital identity but our infrastructure, enterprise identity “stuff” is decrepit and falling apart. I have visions of identity leprosy with this bit and that bit simply falling off because it was never built with Web services in mind…

There is going to be a big bang in this area. HP getting sucked into the black hole is just a step towards that…

As graphic as the notion of identity leprosy might be, it was the bit on metadirectory that prompted Dave Kearns to write,

That’s a quote from Quest’s Jackson Shaw. Formerly Microsoft’s Jackson Shaw. Formerly Zoomit’s Jackson Shaw. This is a guy who was deeply involved in metadirectory technology for more than a dozen years. I can only hope that Microsoft is listening.

Back at Jackson's blog we find out that he was largely responding to a session he liked very much given by Neil MacDonald at a recent Gartner Conference.  It was called “Everything You Know About Identity Management Is Wrong.”  Observing that customers are dissatisfied with the cost of hand tailoring their identity and access management, Jackson says,

Neil also introduced the concept of “Identity as a service” to the audience. At the Directory Experts Conference, John Fontana wrote “Is Microsoft’s directory, identity management a service of the future?”   What I am stating is quite simple: I believe a big-bang around identity is coming and it will primarily be centered around web services. I hope the resultant bright star that evolves from this will simplify identity for both web and enterprise-based identity infrastructure.

Active Directory, other directories and metadirectory “engines” will hopefully become dial tone on the network and won't be something that has to be managed – at least not to the level it has to be today.

Without getting overly philosophical, there is a big difference between being, metaphorically,  a “dial tone” – and being “dead”.   I buy Jackson's argument about dial tone, but not about “dead”. 

Web services allow solutions to be hooked together on an identity bus (I called it a backplane in the Laws of Identity).  Claims are the electrons that flow on that bus.  This is as important to information technology as the development of printed circuit boards and ICs were to electronics.  Basically, if we were still hand-wiring our electronic systems, personal computers would be the size of shopping centers and would cost billions of dollars.  An identity bus offers us the possibility to mix and match services in a dynamic way with potential efficiencies and innovations of the same magnitude.

In that sense, claims-based identity drastically changes the identity landscape.

But you still need identity providers.  Isn't that what directories do?  You still need to transform and arbitrate claims, and distribute metadata.  Isn't metadirectory the most advanced technology for that?  In fact, I think directory / metadirectory is integral to the claims based model.  From the beginning, directory allowed claims to be pulled.  Metadirectory allowed them to be pulled, pushed, synchronized, arbitrated and integrated.  The more we move toward claims, the more these capabilities will become important. 

The difference is that as we move towards a common, bus-based architecture, these capabilities can be simplified and automated.   That's one of the most interesting current areas of innovation. 

Part of this process will involve moving directory onto web services protocols.  As that happens, the ability to dispatch and assemble queries in a distributed fashion will become a base functionality of the system – that's what web services are good at.  So by definition, what we now call “virtual directory” will definitely be a base capability of emerging identity systems.

Microsoft says, “U-Prove it”

Ralf Bendrath chided me yesterday for bragging about having proven Bruce Schneier wrong in his concern that there is not a “viable business model” for the Credentica technology.  (In my defense, Bruce had said, “I'd like to be proven wrong.”, and I was just trying to oblige him.)

Anyway,  I think Joe Wilcox's article in eWeek's Microsoft Watch provides some unbiased analysis of the issue.

Sometimes, Microsoft really spends its money well, such as last week's acquisition of U-Prove technology from Credentica.

This is a damn, exciting acquisition. It's strategic and timely.

U-Prove is, simply put, a privacy/security protection mechanism. The technology works on a simple principle: Enable transactions by revealing as little information as possible.

Credentica's Stefan Brands, Christian Paquin and Greg Thompson have joined Microsoft, where they will work as part of the Identity and Access Group. Microsoft also acquired associated U-Prove patents.

Brands is a well-regarded cryptographer and author of “Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy,” which explains the principles behind U-Prove. The book is available for free download, courtesy of MIT Press. He brings a somewhat radical approach to cryptography: Disclose or collect little—ideally no—private information during any transaction process. During most transactions, whether online or offline, too much personal information is exposed.

I vaguely recall Brands from Zero-Knowledge Systems, where he went in early 2000. About six months earlier I consulted Zero-Knowledge Systems’ chief scientist for a story about an alleged cryptographic flaw/back door in then unreleased Windows 2000.

Brands, his colleagues and U-Prove will first go into Windows Cardspace and Windows Communications Foundation. Microsoft's Brendon Lynch explained in a Thursday blog post:

“Credentica's U-Prove technology will help people protect their identities by enabling them to disclose only the minimum amount of information needed for a transaction—sometimes no personal information may be needed at all. When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments and consumers all stand to benefit from the enhanced security and privacy that it will enable. We look forward to a world where people have more control of their personal information and are better protected from harms of online fraud and identity theft.”

Kim Cameron, Microsoft's identity architect, does a wonderful job explaining Brands’ “minimal disclosure” approach in a Thursday blog post and how the company may apply it. The basic concept: to use other cryptographic means to verify identity “without revealing the signature applied by the identity provider.”

Microsoft has made one helluva good acquisition, whose potential long-term benefits I simply cannot overstate. The company has been trying to tackle the identity problem for nearly a decade. Early days, Passport acted as a single sign-on for multiple services, a heritage Windows Live ID expanded. But U-Prove departs from Microsoft's past identity efforts. The idea is to identify you without, well, identifying you.

Microsoft online services would look dramatically different with an identity mechanism that truly protected privacy and security on both sides of the transaction all while guaranteeing both parties that they are who they say they are, without necessarily saying who they are.

The best conceptual analogy I can think of is Swiss or offshore banking, where an account holder presents a numerical token or tokens that verify his or her right to account access but not the individual's identity or necessarily the token's issuer. Such a mechanism could be a boon to business and consumer confidence in online transactions as well as reduce petty fraud.

Microsoft's money would be better spent on more acquisitions like this one, rather than frittering away valuable resources on Yahoo. Microsoft is operating on the false premise that Google's huge search lead also puts it ahead in advertising—too far to catch up without a means of leaping ahead. Yahoo is the means.

But Microsoft is mistaken. Online activities and transactions are more complex than that. Search is one strategic technology, but there are others that Google doesn't control. If Microsoft could take a strategic lead protecting identity around transactions, the company could better enable all kinds of Web activities, and in so doing raise its online credibility. Privacy concerns have dogged Google.

I think Microsoft should take half of its proposed Yahoo offer and spend it on more acquisitions like Credentica's U-Prove technology. I'm not the first to suggest that Microsoft spend $20 billion on smaller companies. But I will say that U-Prove is an example what Microsoft should do to bolster its online technology portfolio in more meaningful ways, without taking on the hardship of a large, messy acquisition like Yahoo.

Reactions to Credentica acquisition

Network World's John Fontana has done a great job of explaining what it means for Microsoft to integrate U-Prove into its offerings:

Microsoft plans to incorporate U-Prove into both Windows Communication Foundation (WCF) and CardSpace, the user-centric identity software in Vista and XP.

Microsoft said all its servers and partner products that incorporate the WCF framework would provide support for U-Prove.

“The main point is that this will just become part of the base identity infrastructure we offer. Good privacy practices will become one of the norms of e-commerce,” Cameron said.

“The U-Prove technology looks like a good candidate as an authentication mechanism for CardSpace-managed cards (i.e., those cards issued by an identity provider),” Mark Diodati, an analyst with the Burton Group, wrote on his blog

In general, the technology ensures that users always have say over what information they release and that the data can not be linked together by the recipients. That means that recipients along the chain of disclosure can not aggregate the data they collect and piece together the user’s personal information.

[More here…]

Eric Norlin has this piece in CSO, and Nancy Gohring's ComputerWorld article emphasizes that “U-Prove is the equivalent in the privacy world of RSA in the security space.”  Burton's Mark Diodati covers the acquisition here.

Gunnar Peterson from 1 Raindrop notes in That Was Fast

…the digital natives may be getting some better tooling faster than I thought. I am sure you already know there is a northern alliance and Redmond is U-Prove enabled. I fondly remember a lengthy conversation I had with Stefan Brands in Croatia several years ago, while he patiently explained to me how misguided the security-privacy collision course way of thinking is, and instead how real security is only achieved with privacy. If you have not already, I recommend you read Stefans’ primer on user identification.

Entrepreneur and angel investor Austin Hill gives us some background and links here:

In the year 2000, Zero-Knowledge acquired the rights to Dr. Stefan Brands work and hired Stefan to help us build privacy-enhanced identity & payments systems.  It turns out we were very early into the identity game, failed to commercialize the technology – and during the Dot.Com bust cycle we shut down the business unit and released the patents back to Stefan.  This was groundbreaking stuff that Stefan had invented, and we invested heavily in trying to make it real, but there weren’t enough bitters in the market at that time.  We referred to the technologies as the “RSA” algorithms of the identity & privacy industry.  Unfortunately the ‘privacy & identity’ industry didn’t exist.

Stefan went on to found Crendentica to continue the work of commercialization of his invention. Today he announced that Microsoft has acquired his company and he and his team are joining Microsoft.

Microsoft’s Identity Architect Guru Kim Cameron has more on the deal on his blog (he mentions the RSA for privacy concept as well).

Adam Shostack (former Zero Knowledge Evil Genius, who also created a startup & currently works at Microsoft) has this post up.   George Favvas, CEO of SmartHippo (also another Zero-Knowledge/Total.Net alumni – entrepreneur) also blogged about the deal as well.

Congratulations to Stefan and the team.  This is a great deal for Microsoft, the identity industry and his team. (I know we tried to get Microsoft to buy or adopt the technology back in 2001 🙂 

(I didn't really know much about Zero-Knowledge back in 2000, but it's interesting to see how early they characterized of Stefan's technology as being the privacy equivalent of RSA.  It's wonderful to see people who are so forward-thinking.)

Analyst Neil Macehiter writes:

Credentica was founded by acknowledged security expert Stefan Brands, whose team has applied some very advanced cryptography techniques to allow users to authenticate to service providers directly without the involvement of identity providers. They also limit the disclosure of personally-identifiable information to prevent accounts being linked across service providers and provide resistance to phishing attacks. Credentica's own marketing literature highlights the synergies with CardSpace:

“`The SDK is ideally suited for creating the electronic equivalent of the cards in one's wallet and for protecting identity-related information in frameworks such as SAML, Liberty ID-WSF, and Windows CardSpace.”

This is a smart move by Microsoft. Not only does it bring some very innovative and well-respected technology (with endorsements from the likes of the Information and Privacy Commissioner of Ontario, Canada) which extends the capabilities of Microsoft's identity and security offerings; it also brings some heavyweight cryptography and privacy expertise and credibility from the Credentica team. The latter can, and undoubtedly will, be exploited by Microsoft in the short term: the former will take more time to realise with Microsoft stating that integrated offerings are at least 12–18 months away.

[More here…]

Besides the many positives, there were concerns expressed about whether Microsoft would make the technology available beyond Windows.  Ben Laurie wrote:

Kim and Stefan blog about Microsoft’s acquisition of Stefan’s selective disclosure patents and technologies, which I’ve blogged about many times before.

This is potentially great news, especially if one interprets Kim’s

Our goal is that Minimal Disclosure Tokens will become base features of identity platforms and products, leading to the safest possible intenet. I don’t think the point here is ultimately to make a dollar. It’s about building a system of identity that can withstand the ravages that the Internet will unleash.

in the most positive way. Unfortunately, comments such as this from Stefan

Microsoft plans to integrate the technology into Windows Communication Foundation and Windows Cardspace.

and this from Microsoft’s Privacy folk

When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments, and consumers all stand to benefit from the enhanced security and privacy that it will enable.

sound more like the Microsoft we know and love.

I hope everyone who reads this blog knows that it is elementary, my dear Laurie, that identity technology must work across boundaries, platforms and vendors (Law 5 – not to mention, “Since the identity system has to work on all platforms, it must be safe on all platforms”). 

That doesn't mean it is trivial to figure out the best legal mecahnisms for making the intellectual property and even the code available to the ecosystem.  Lawyers are needed, and it takes a while.  But I can guarantee everyone that I have zero intention of hoarding Minimal Disclosure Tokens or turning U-Prove into a proprietary Microsoft technology silo. 

Like, it's 2008, right?  Give me a break, guys!

Know your need

Here's a great comment from the smart and witty Paul Madsen.   He really his the nail on the head with his “Know your Need” corollory

In announcing Microsoft's purchase of the Credentica patents (and hiring of Stefan's core team), Kim uses the ‘need to know’ analogy.

That danger can be addressed by adopting a need-to-know approach to the Internet.

(For the life of me, I just cannot get Sgt Shultz's ‘I know nothing’ out of my head.)

Credentica's U-prove technology promises to close off a (depending on the deployment environment, potentially big) ‘knowledge leak’ – if the IDP doesn't need to know what/where/why/when/who the user does with the assertions it creates, then the principle of minimal ‘need to know’ means that it shouldn't.

Cardspace seems a great application for U-Prove to prove itself. As Stefan points out, ‘its a good thing’ to influence/control both client and server.

Separately, I see the flip side of ‘need to know’ as ‘know your need’, i.e. entities involved in identity transactions must be able to assess and assert their needs for identity attributes. This is the CARML piece of the Identity Governance Framework). Put another way, before a decision is made as to whether or not some entity ‘needs to know’, it'd be nice to know why they are asking.

I agree that it is sometimes a positive and useful thing for a claims provider to know the user's “what, where, why, when and who”.  So everything is a matter of minimization – but within to the requirements of the scenario.

I don't actually buy the “influence/control both client and server” phraseology.  I'm fine with influence, but see control as an elusive and worthless goal.  That's not how the world works.  It works through synergy and energy radiating from everywhere, and those of us who are on this odyssey must tap into that.

From The Economist: the Identity Parade

It's great to see mainstream publications really taking the time to understand and convey the issues of digital identity and privacy.  A recent article in the Economist discussed the Laws of Identity at length.  Cambridge researcher Ross Anderson and others are quoted as well.  Here's an excerpt that gives you a sense for the full article

Internet users have become used to providing personal information to any convincing-looking box that appears on a screen. They have little idea of either the technology that helps to provide electronic security in practice or the theoretical principles that determine whether it will work. According to Mr Cameron, “there is no consistent and comprehensible framework allowing them to evaluate the authenticity of the sites they visit, and they don't have a reliable way of knowing when they are disclosing private information to illegitimate parties. At the same time they lack a framework for controlling or even remembering the many different aspects of their digital existence”…

Cybercrime discredits the use of the internet not only by business but by government too. Mr Cameron suggests rethinking the whole issue, starting from the principle that users may be identified only with their explicit consent. That sounds commonsensical, but many big government databases do things differently. Britain's planned central records for the NHS, for example, will assume consent as it combines all the medical records held in local practice databases.

The second principle, says Mr Cameron, should be to keep down the risk of a breach by using as little information as possible to achieve the task in hand. This approach, which he calls “information minimalism”, rules out keeping information “just in case”. For example, if a government agency needs to check if someone falls into a certain age group, it is far better to acquire and store this information temporarily as a “yes” or “no” than to record the actual date of birth permanently, which would be much more personal and therefore more damaging if leaked.

Third, identity systems must be able to check who is asking for the information, not just hand it over. How easy it is for the outside world to access such information should depend on whose identity it is. Public bodies, Mr Cameron suggests, should make themselves accessible to all comers. Private individuals, by contrast, should be protected so that they have to identify themselves only temporarily and by choice…

[More here…]

UK Chip and PIN vulnerable to simple attack

LightBlueTouchpaper, a blog by security researchers at Cambridge University, has posted details of a study documenting easy attacks on the new generation of British bank cards.  Saar Drimer explains, “This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography”.  Let's all heed the warning: 

Steven J. Murdoch, Ross Anderson and I looked at how well PIN entry devices (PEDs) protect cardholder data. Our paper will be published at the IEEE Symposium on Security and Privacy in May, though an extended version is available as a technical report. A segment about this work will appear on BBC Two’s Newsnight at 22:30 tonight.

We were able to demonstrate that two of the most popular PEDs in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a “tapping attack” using a paper clip, a needle and a small recording device. This allows us to record the data exchanged between the card and the PED’s processor without triggering tamper proofing mechanisms, and in clear violation of their supposed security properties. This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED.

Ingenico attack Dione attack

In addition to the PIN, as part of the transaction, the PED reads an exact replica of the magnetic strip (for backwards compatibility). Thus, if an attacker can tap the data line between the card and the PED’s processor, he gets all the information needed to create a magnetic strip card and withdraw money out of an ATM that does not read the chip.

We also found that the certification process of these PEDs is flawed. APACS has been effectively approving PEDs for the UK market as Common Criteria (CC) Evaluated, which does not equal Common Criteria Certified (no PEDs are CC Certified). What APACS means by “Evaluated” is that an approved lab has performed the “evaluation”, but unlike CC Certified products, the reports are kept secret, and governmental Certification Bodies do not do quality control.

This process causes a race to the bottom, with PED developers able to choose labs that will approve rather than improve PEDs, at the lowest price. Clearly, the certification process needs to be more open to the cardholders, who suffer from the fraud. It also needs to be fixed such that defective devices are refused certification.

We notified APACS, Visa, and the PED manufactures of our results in mid-November 2007 and responses arrived only in the last week or so (Visa chose to respond only a few minutes ago!) The responses are the usual claims that our demonstrations can only be done in lab conditions, that criminals are not that sophisticated, the threat to cardholder data is minimal, and that their “layers of security” will detect fraud. There is no evidence to support these claims. APACS state that the PEDs we examined will not be de-certified or removed, and the same for the labs who certified them and would not even tell us who they are.

The threat is very real: tampered PEDs have already been used for fraud. See our press release and FAQ for basic points and the technical report where we discuss the work in detail.

[Thanks to Richard Turner for the heads up.]

New plans for German identity card

IdealGovernment's William Heath describes a planned identification card for German citizens that incorporates a pseudonym capability for electronic commerce: 

The German Home Office has confirmed that a new electronic identity card for German citizens will incorporate the use of pseudonyms for secure web access.

According to the plans of the German Home Office, a credit card sized electronic identity card will be introduced in 2009. It will replace the larger, non-electronic identity cards currently in use. “Apart from the usual personal information, the electronic identity card will contain biometric information, in particular digital fingerprints of both index fingers, and additional information for facial recognition”, says secretary of state August Hanning.

Hanning confirmed that the new identity card will contain a pseudonym function. In a leaked letter to Gisela Piltz, a Member of German Parliament for the Liberal Democrats (FDP), Hanning stated that the card could be used as a “passport for the internet” in the future. “The new identity card offers the possibility of an electronic identity proof for E-Government- and E-Business-applications”, writes Hanning.

The central idea is that the individual card number is used to generate a pseudonym that cannot be reconverted mathematically into the original card number. This pseudonym could then be used to register at, for example, eBay, or any other web service that requires personal identification.

I don't yet know the details of how this works.  I would be concerned if the card generates a single pseudonym that remains constant everywhere it is used.   This would still be an “identifier beacon” that could be used to link all your digital activities into a super-profile. Such a profile would be as irresistable to marketers as it would be to organized crime, so we can be pretty sure it would emerge .  If any aspect of this profile is linked to a molecular identity, all of it is.

In a sense, using a pseudonym that ends up creating a super-dossier would be worse than just using an official government identity, since it would create false expectations in the user, breaking the First Law of identity that ensures the transparency of the identity system so the user can control it.

Regardless of the details of the proposal, it is great to see the German government thinking about these issues.  Once you start to look at them, they lead to the requirement to also support “directed identities”.  There are leading academics and policy makers in Germany who are capable of guiding this proposal to safety.  The key here is to take advantage of the new generation of intelligent smart cards, identity selectors and web service protocols.

[Read more on the  e-health Europe site.]

Eric Norlin takes OpenID to CSOs

Digital ID World's Eric Norlin explains why security executives should pay attention to OpenID in this article from CSO – the Resource for Security Executives

Kim Cameron has posted another thoughtful piece about why he (and by extension Microsoft) is supportive of OpenID. For those of you that don't eat, sleep, dream and breathe identity, Kim is the guy at Microsoft that was responsible for writing the “Seven Laws of Identity,” which led to the idea of an identity metasystem, which effectively gave birth to all kinds of meetings (the “identity gang”), which led to things like OpenID and Higgins really taking off. Bottom line: Kim's a VIP in the identity world (he's also one helluva nice guy).

Kim's main point is this:

“My takeaway is that OpenID leads to CardSpace. I don’t mean by this that Information Cards replace OpenID. I just mean that the more people start using cross-site identities, the more the capabilities of CardSpace become relevant as a way of strengthening OpenID and put it in a broader technology context.

Information Cards were created to put in place an infrastructure that can solve the security problems of the web before they explode in our faces. It’s a serious technology and involves secure high-strength products emerging across the industry.”

Its important to note that Kim is thinking about identity ecosystems, not “one protocol to rule them all.” Really, it comes down to making the use of an identity a “ritual.” That sounds a bit off, I know, but hear me out. Believe it or not, the great majority of humanity had its first contact with email in a workplace setting. Now, if the interface (and interaction) for email was substantially different for work-usage and home-usage (or should I say, WorkUsage and HomeUsage?), do you think the adoption curve would've been the same? I don't.

One of the essential points that Kim's been hammering on for a couple of years is that we have to make the underlying “ritual” of using identity similar in a foundational sense.

Yet one more reason why you (as a CSO) should be paying attention to OpenID. After all, people don't always first see and experience things in the workplace.

This matter of influences from the internet converging with the enterprise is incredibly important, and I'm going to expand on it soon.  By the way, it was Eric's encouragement that got me hooked on writing the Laws of Identity.