Phil Becker on Identity's First Big War: a history lesson

Phil Becker is getting us ready for the DIDW in Santa Clara this September 11:

It's been half a decade since the first, and biggest, “identity war” ended. It is worth revisiting what happened (and what was learned) in light of how identity technology is gaining traction and beginning to face related challenges that could lead to similar issues arising again.

History has a way of looking inevitable in hindsight, like it really couldn't have turned out any different than it did. Those who lost can easily seem like they were just shortsighted, venal or stupid while others look unnaturally aware and smart. The truth is usually somewhat different, and if we are to benefit fully from the lessons of history, we must review it as objectively as possible.

“You could start a consultancy with what you learn at this conference.” -Katarina Kreutzfeldt, Managing Director, KOGit, GMBH

Before I begin, however, I want to remind all my readers our annual Digital ID World conference is just two weeks from Monday. It's August, and easy to think that it's further away than that. I wouldn't want you to miss out because you didn't get that two week advance air fare discount, or plan time to attend until too late. This year's conference is shaping up to be our best ever on several fronts. Check out the conference web site at and when you register be sure you don't forget the $200 off discount code in the ad above.

I'm also doing a webinar next Thursday, August 31, exploring the convergence of physical and logical identity through deployment experience. As you can see from our conference schedule, I believe that deployment experience is the best way to understand identity technology. This webinar looks at this subject through a deployment experience, a subject that has been mostly talk but which is now becoming reality . You can register for that free webinar at:

The first identity war didn't start out as a war at all. It began when Microsoft, who had fully committed to web services long before anyone else, realized that an internet scale authentication infrastructure was required before those services could truly gain the traction they had envisioned.

As a company, Microsoft tends to look at computing problems through the lens of the user experience. In the case of the internet, this led them to see (earlier than most) the tremendous friction that requiring a user to log in to each web site with separate credentials created. In 1999, they began to address that problem with Passport, which they felt that they could grow to become an internet scale authentication system.

Here is the Schedule and here are the Exhibitors.

Brian Arbogast, then VP of .NET Core Services, summarized this in 2001 when he said, “Back in 1999, Microsoft looked at the Internet landscape. More and more, when people went to Web sites — to shop, retrieve news stories, download software or participate in chats — they had to log in, giving their name, password and, often, additional information. There are so many user names and passwords that people have to remember today that it can create a pretty frustrating experience; in fact, most people write that information down on paper — which is not a safe or secure way to store this information. Authentication services like Microsoft Passport are designed to help transform today's Internet and computing experience by enabling single sign-in to multiple sites and services with one secure password.”

Note how all of this is framed from the perspective of the user experience, with no recognition of how centralizing authentication might create side effects that people would be unhappy with. It is this framing of the problem that led Microsoft to miss those implications that would ultimately launch the first identity war. This view also led most of those involved in identity management at that time to view it narrowly as an exercise to achieve single sign-on.

In March of 2001, Microsoft took Passport to the next level, announcing Hailstorm, a way to use web services to create a unified identity experience on the internet. Announcing Hailstorm on March 19, 2001, Bill Gates said, “The .NET vision encompasses the idea of having your information wherever you want to go. This includes the future cell phones, your TV set, your tablet form factor PC, your desktop PC. Wherever you are, and whatever role you're in, whether you're working, you're acting as a family member, you're acting on behalf of some other group you belong to, your information will be there available in the context that's most appropriate for what you're trying to get done.”

Examining that sentence reveals that on one level, Microsoft understood precisely where the internet was going and what identity would have to provide to get it there. It is a classic example of how visionaries can see something so clearly that they miss (or drastically underestimate) the implications. Microsoft felt that the internet was just one centralized authentication system away from its “big bang” of value creation, and missed the devil that lurked in the details.

On stage that March day was Ray Ozzie, the person that Bill Gates is now turning Microsoft strategy over to. At that time Ozzie was CEO of Groove Systems, and said “what it's really about is enabling individuals out on the Internet who need to work together the ability very quickly, very spontaneously, to get together, to share information, to interact with one another directly over the Net — even across firewall boundaries. We believe that the services that are inherent to ‘HailStorm’ provide for a much richer user experience, and in general put the user in control of information that formerly has been in the control of apps of various types.”

Again, you see the focus on enabling a user experience, including the need for the user to feel in control of the identity transactions and information. At the same time, there was little or no understanding of the implications of the architecture chosen for the identity infrastructure. But those implications weren't missed by the public and the real “storm” was one of fear that Passport/Hailstorm just might work, with the result that Microsoft would end up controlling the identity information of the internet. The rumblings that would lead to the first identity war had begun.

In 2001, enterprise was also realizing it needed a way to unify its authentication infrastructures. It was being seen that directories just couldn't grow big enough to centralize all authentication without becoming projects that cost far more than they were worth, and that the cultural impact of centralizing all of the processes behind managing the data they held was unreasonable. In 2001, this pressure led to the SAML protocol efforts. These efforts to create a standard way to share authentication information across domains advanced very quickly and several demonstration projects with the proposed protocol occurred.

One of the first articles I wrote for the Digital ID World web site in 2002 was:  The Digital ID Wars Intensify…

In that article I wrote “last September marked the real beginning of the Single Sign On wars, and this is currently the hottest battlefield in the Digital Identity struggle (although there are many other battlefields that will show their faces as the struggle continues.)” The reference was to the formation of the Liberty Alliance in September 2001. That group formed specifically to find an alternative way to achieve single sign on without creating a centralized identity system. Liberty proceeded to build on the foundation of SAML, create their ID-FF protocol, and release it by July 2002. The word federation entered the identity conversation and the concept of networking decentralized identity domains using standardized protocols began gaining acceptance.

Under the pressure of the first identity war, Liberty Alliance did its job so rapidly and well that it has largely been forgotten how significant it was. The ID-FF protocol was incorporated into SAML 2.0, and the sub-battle over how federation would occur has largely been put to rest. The first identity war officially ended when Microsoft quietly shelved the renamed Hailstorm project, MyServices.

This first identity war deeply affected how identity technology has evolved since then. It is useful to revisit it because several large internet sites are again in the midst of deciding whether their identity systems should be open or closed, and how they should be architected. If they don't pay attention to what Microsoft learned in the first identity war, we can expect to see some bad experiences again.

Following the first identity war, Microsoft, deeply impacted by the experience, came to realize that *how* identity was implemented had far more implications than they initially imagined. In response they put more effort into the WS-* protocols to create far richer capabilities than just single sign on and allow greater flexibility in how those capabilities could be architected. In recent years, Kim Cameron has worked on defining a WS-* identity meta-system that allows interoperability between different identity infrastructures while creating an identity based user experience to be part of the forthcoming Microsoft CardSpace in Vista. Nearly all identity management systems today acknowledge that decentralization will grow, that federation is a required mode, and several competing user-centric identity architectures are vying for acceptance.

There are many more lessons to be drawn from the first identity war, among them being that understanding what is needed functionally is quite different from understanding how it should be provided or the implications of different approaches on how users will accept or reject the result. Identity is complex because it carries tremendous power — power to accomplish the desired goals, and power to create unanticipated side effects.

This is why gaining a good identity-centric perspective of computing is so essential to success in IT today. It is also why you are seeing identity unifying technology from the network layers through the application layers. Without an identity perspective, IT security and infrastructure tends to take on a “Whack-a-Mole” nature where the solution to one problem only seems to create two more problems.

I'm sure it will come as no surprise that I would tell you that the *very best* way to gain such a deep identity-centric perspective is by attending the Digital ID World conference. No one who attends will leave without gaining a deeper understanding and broader perspective of the place of identity in computing, how technology is evolving, the best practices that lead to success, and how each identity technology applies to the overall set of tasks at hand based on real world experience.

Identity is a Whack-a-Mole phenomenon?  Top that, Thurcydides and Emerson!  Meanwhile, I hope to see everyone, especially Phil, at DIDW in Santa Clara.

Published by

Kim Cameron

Work on identity.