Kim Cameron's Identity Weblog

Andre Durand of Ping Identity has told me about what he'll be demonstating at Catalyst 2006 – important stuff.  As the post at the right puts it:

A user authenticates to a healthcare portal leveraging a self-asserted InfoCard. The user’s credentials are validated by a Java InfoCard Server built by Ping Identity. PingFederate is then used to enable federated single sign-on to a remote Web site without a redundant user authentication.

I've spent a lot of time over the last year trying to convince colleagues across the industry that InfoCard technology is not positioned against Liberty or SAML or WS-Federation technology – that federation protocols could be used on portals powered by WS-Trust through InfoCards. 

Now Ping has an implementation that actually proves it.  I guess this means I can take a break, cool my jets, lay low, and chill.  Thanks Andre.

Under the covers, the integration can be done in a number of different ways, so I look forward to seeing the details of how Ping has approached it.  To download the Ping poster and see the details, click here.

I'm impressed by Ping's ability to continue to innovate in the identity world.

This is a note to those (over 100 testers now) who are using my site to sanity-check their infocard implementations. 

For those who missed the first ten minutes of the movie, one of my motivations when I set up this site was to break down the industry fault lines that were undermining the emergence of an identity metasystem reaching across all platforms and technologies.  So I set out to learn more about the concerns and successes of people running on platforms other than the one I work on.  This led me first to Radio Userland, and then to WordPress, which itself runs on top of MySql, PHP and Linux or other Unix derivatives.  My blog runs in in this environment.

As the conversation evolved I wanted to prove that the Identity Metasystem and InfoCards can, with a bit of work, reach across any technology – and does not involve rocket science.  I wanted my friends in the REST community to see how straightforward all of this was.  So I wrote a library for accepting InfoCards in PHP and made it available to anyone who might find it useful by posting it on my site.

Recently I've enhanced this code to solve a problem that emerged in interoperability testing.  I don't think I broke anything else, but, hey!, I have no test organization, eh?  So this is a notice for everyone with an implementation to retest before turning up at a public demo and finding out I've changed spmething!  Help me make sure I haven't introduced an error that breaks your work.

Once I've gone through this phase I'll replace the code currently on my site with the new verson.

Phil Becker is Editor In Chief of Digital ID World.  His analysis consistently seems on-time and profound.  I don't think it's well known, but besides his wisdom in business matters, he has an amazing technical background: he wrote some of the code that helped put men on the moon. 

I have to admit that I'm a bit biased towards Phil because his magazine once gave me a prize, which, from a design point of view, was of a distinctly superior quality.  That's a good sign.

But since meeting him I've turned to Phil for a reality check more than once.  Like Doc Searls, Jamie Lewis and Craig Burton, he sees the big picture.  What example should I choose?  Recently, when we were chatting about how to explain InfoCard to enterprise architects, he said, “Kim, stop explaining it.  Start telling people how they can be part of it.  That's what they want to know.”   

Now he has written his “Identity Fallacies” – or three of them, at least.  They offer practical advice for the enterprise and beyond.  You have to love the way Phil explains things.  I hope this post will get those new to the identity metasystem reading his work (the left-brained may want to start at the first fallacy and read forward from there):

Like the second identity fallacy the identity data centralization fallacy recurs frequently because it seems so logical. It has kept identity management the province of very large companies for many years. Thankfully this is finally changing, albeit somewhat slowly.

A significant goal for many identity management initiatives is to gain centralized management and control, and intuitively it seems that the easiest path to that result is to aggregate all the identity data in a centralized data store. But identity data by its nature has distributed origins, and attempting to aggregate the data itself leads to an insoluble set of problems and side effects, especially at internet scale.

Centralization of any data suffers from reliability and performance problems at scale, requiring significant “brute force” to overcome. But when identity data is centralized a huge number of side effects occur that will ultimately undermine the success of the endeavor – even if the technical aspects are successfully worked out. Perhaps the most visible example of this was the Microsoft Passport project. Microsoft demonstrated that the technical problems of an internet scale centralized identity system could be solved. They also pretty well demonstrated that the side effects were so numerous and undesirable that a successfully implemented centralized identity data system wouldn't be accepted by the marketplace. This experience was a major factor in Microsoft's Identity Architect Kim Cameron formulating his Laws of Identity which attempt to describe the attributes an internet scale identity system must have to achieve marketplace acceptance.

It still might seem that in an enterprise centralizing identity data is a good idea. But it generally isn't, for a variety of reasons. First, identity data is a very dynamic thing. It requires constant updating to remain current, and if it isn't current then using it to manage other things becomes risky. Even in an enterprise where identity data seems pretty straightforward, it turns out that it has many different natures that end up forcing portions of it to be managed by very different parts of the business. For example, HR tends to manage actual employees as they onboard and offboard. But department managers tend to manage things like promotions, temporary assignments, etc. that create changes in their identity data and corporate resource access requirements. And who in the company handles contract labor, consultants, business partnerships, etc? Certainly not any centralized business process for them all exists.

The result is that if IT tries to centralize identity data because that makes it easier for them to use it to manage their networked computing resources, they end up creating a structure that is politically and structurally at odds with the business processes of the enterprise. This has brought many identity management projects up short, severely lengthening their deployment times, reducing their scope, and limiting their effectiveness dramatically. In governmental identity projects, centralization of identity data creates most of the limitations that cause political reactions as well.

Thankfully the technology of identity management has begun to move past the concept of centralizing the identity data and is now providing tools such as virtualization and federation that allow the identity data stores to be organized to align with the identity data management while allowing them to be networked, managed by centralized policy, and presented in a variety of ways that don't reflect back on their management. The shift from a directory-centric view of identity management to a provisioning-centric view of identity management is the first step down this road. many more steps are now emerging to widen the applicability of identity to manage broad, networked business process oriented views of computing for regulatory compliance auditing as well.

But as each new person approaches identity management, it seems they have to go through the step of learning why identity data centralization is always a bad idea. it seems only after they realize the implications of this identity fallacy can they move on to understand how identity must really be deployed to be successful.

This is so interesting I can barely keep myself from making a number of comments.  But I need to concentrate on some other burning issues.  I'll come back to this as soon as I can.

I am glad to see I am providing Robin Wilton and various of his friends with suitable amusement these days. Luckily this doesn't distract him too much from interesting comments on the dynamics shaping federated identity frameworks.

First, on yesterday's topic of ‘identity protection and financial services’, you may be heartened to learn that the Financial Services Technology Consortium (FSTC) is working on stronger mutual authentication as part of the solution to this problem, and has just concluded Phase One of its ‘Better Mutual Authentication’ project. More information at www.fstc.org.

The FSTC has been looking closely at SAML and Liberty for several years now, and concluded back in 2003 that Liberty technology could help financial services organisations improve security and identity management.

I think what's changed since then is the increased recognition that strong authentication is, simply stated, a great example of a web service which one member of a circle of trust can provide to other members.

Second, Liberty members (especially the techier ones) are watching with interest as Kim Cameron is gradually exposed to some of the (frankly fun) group dynamics among the participants. You know how it is; you get to know people over the course of sometimes heated debate about identity principles, and every so often you have one of those arguments which looks to any outsider like a bare-knuckle dust-up. It's only when you know the two participants and their history that the whole thing looks altogether less vicious and more amusing.

There's also a good deal of innocent amusement to be had from reading these lines in Kim's blog:

“One of them asked why Liberty hasn’t caught on more since it has been around for almost five years. Not knowing Conor I might have imagined he would sidestep the issue with marketing gloop. “

As Kim immediately discovered, Conor is fresh out of marketing gloop… and is not expecting a re-stock ;^)

Without wanting to get into the subsequent to-and-fro between Conor, Paul Madsen and others, I'd just note this, as I have done in public comment on several occasions:

Those looking for mass adoption of Liberty often ask why large-scale e-commerce adoptions are not more visible. I think the e-commerce boom of the late 90s offers instructive parallels. The B2C bubble was highly visible and easily grasped, conceptually, by those seeking to understand this new technological phenomenon. However, there was both more money and greater longevity in the B2B market using exactly the same technology.

I think we're seeing some of the same thing in the identity market. Yes, there's adoption and growth in B2C applications – and that will continue; but there's a steadier undercurrent of adoption for B2B applications, even if those are not always as visible to the consumer or onlooker.

An interesting event to look out for is the point at which it becomes realistic for G2C identity infrastructures to intersect with B2C applications. That's not primarily a technology event – it's one driven by market and policy conditions – but in my view, if you're looking for candidate technologies to make it happen, Liberty is at or near the top of the list.

To me this doesn't look much like a bare-knuckle dust-up – just a good discussion.

I love avatars and 3D, and I am fascinated by ActiveWorlds and Second Life.  So how could I not flip over this article by Mark Wallace at 3pointD.com.  He discusses not only those topics, but identity as well:

This was going to be a brief post about some new features of the ActiveWorlds software that was just released, but it turned into a longer contemplation of how the 3D Internet will work once many, many more of us have a presence in such online spaces.

Chris from SWCity, a community in ActiveWorlds that I’ve been meaning to visit ever since I blogged it back in April (sorry, guys!), sends news that AW recently released a preliminary build of the new Version 4.1 of its software. I don’t spend a lot of time in ActiveWorlds so I can’t say how much better this is than the last version, but a couple of things jump out at me from the release notes that are notable or at least cool-sounding — including a kind of identity portability. And some of it seems to point, in a platform-agnostic way, to what would seem to be the future of 3D spaces on the Internet. But first the new AW stuff:

• AW now has particle objects. De rigeur for Second Life, but will be big new fun for AW residents.

• New objects called “movers” can be used to make vehicles. Again, old hat for SL, though perhaps AW will actually do this better. SL’s vehicles mostly suck.

• (This sounds very cool:) “Users may define zone objects, which can be used to define a 3d spatial volume where the normal world properties are replaced or changed.” Anti-gravity plot, anyone?

Plus the ability to slide downhill, handy-sounding interface features, and native voice support. But one of the most intriguing additions to AW 4.1 is the following:

• “Personal Avatars allow you to take a unique avatar to almost any world.”

Unlike Second Life or There.com, in which practically all the land masses of the virtual world exist on the same map, accessible as a single “login space” (i.e., one login gives you access to any region of the world), ActiveWorlds exists as a series of discrete, disconnected spaces — including 3D home pages — that are accessed from a central hub. But you don’t always get to take the work you’ve done on your avatar from one to the next, forcing you to re-tweak and/or remodel who you are for each separate world. The Personal Avatar feature should let you bring your “self” from one world to the next with little trouble.

This kind of thing points the way forward for virtual worlds, if you ask me. Second Life is a unique community; it’s the America of virtual worlds, a land of opportunity and a melting pot of different people and peoples, all tossed into the mix in a big beautiful jumble. (What does that make There.com? The Caribbean of virtual worlds? The California?) But I’d argue that the one-world model of SL is a temporary condition, something that will become a smaller subset of a larger picture as individuals gain more and more power to create their own 3D online spaces.

I’d bet things are headed toward a more distributed metaverse, one in which you can create your own little 3D online corner of the Internet that doesn’t exist on any 2D map aggregating such spaces. (There will continue to be 2D Web pages as well, of course.) You’ll still be able to travel from one to the next, but it will be more like traveling from one Web page to another; you won’t necessarily be able to walk next door to visit the neighbors.

Contiguous 3D spaces won’t disappear altogether under the distributed metaverse model. Groups of people will band together into loose confederacies of interest and community and create larger spaces that will exist on their own 2D maps. But there will eventually be too many people on the 3D Internet to make it feasible to manage them all through a visual interface. Imagine if you had to use a 2D map to navigate through or even look at the 11 billion Web pages that are out there. Impossible. Even 1 million such locations isn’t practical to represent that way. Larger contiguous communities will still exist, but you’ll still need an information-based way to navigate between these.

And you won’t want to show up at each new 3D homepage or in each community looking like a newb. This is already a problem on the Web, where we have to create a new username and password for any site we visit that offers more than just something to browse (which is why Kim Cameron at Microsoft and many other people are working on a solution to this). I just counted 46 logins I use on a semi-regular basis, and there are probably a couple dozen more than I use less frequently. I’m probably something of an outlier, but even having just a Netflix, Amazon, Gmail, iTunes, Second Life (or ActiveWorlds) and World of Warcraft login is starting to be too much. Can I really expect all my online friends and associates to reside (as far as their online “lives” go) in the same 3D world? Already I know people in almost a dozen 3D worlds, and that number will only rise as time passes. While I see no problem with donning a world-specific avatar for playing World of Warcraft or EVE Online, it just doesn’t make sense to switch visual identities, reputation, account information and inventory each time I want to visit a different social or commercial or otherwise utilitarian world — just as it doesn’t make sense that I have almost 100 login handles for using the Web.

Which is where ActiveWorlds’ Personal Avatars come in. I can’t tell you which 3D technology is going to become dominant, whether its AW’s, SL’s, There’s, Multiverse’s or one that’s yet to emerge. But whatever it is (or whatever set of such technologies, more likely), we’ll want a way to navigate between them more seamlessly than we can navigate between even 2D Web sites today. I think the nicest way to do this would be to develop some kind of protocol, either for 3D sites themselves or for portability of avatars and identity, just as an “identity metasystem” is being contemplated now. And this is just what ActiveWorlds’ Personal Avatars are for the spaces that run on that platform.

Just as TCP/IP helps connect the otherwise incompatible networks that make up the Internet, something will one day connect the otherwise incompatible worlds that make up the metaverse. AW’s Personal Avatars are only the earliest manifestation of this kind of thing. It’s quite a bit further off than right around the corner, but it’s not too early to serve up as food for thought. Bon appetit!

I first started to believe in the inevitability of avatars at a super-hip conference organized by Jerry Michalski and Ester Dyson somewhere back in the 1990’s.  Maybe it was Doc who got me invited.  Anyway, there were a bunch of smart web innovators there, including some pretty cool guys with a web browser that had a “magic carpet”.  

It turned out there were legions of subscribers who rode these magic carpets together on tours that went site-crawling using avatars that looked like Marilyn Monroe and James Dean and other sex symbols of various sorts.  The system's inventor showed me how to create a magic carpet of my own.  Incredibly, a gaggle of avatars lept onto my carpet within a few seconds. 

My friend said, “Now just type in the name of your web site, and the magic carpet will take everyone to it.”

I said, “Really?”  The realization of what was about to happen suddenly hit me.  I didn't actually want to, but since everyone was waiting I typed my URL, which pointed to a web site all about identity and metadirectory technology.

Then the avatars all started to scream and burp and jump off the carpet as fast as their legs – those that had legs – would take them.  It was kind of symbolic.

Identity was really a niche thing in the 90’s.  I thought it would probably take a decade to make it into the same paragraph as an avatar.

And I guess it did.