Yes or No?

Ben Laurie of Google writes that something important was left unsaid in the recent discussion of federation and large Internet properties:

The end result of the blog deathmatch between me, Kim, Eric and Dick was a deathly silence on what I consider to be the core issue.

OK, it’s nice that Microsoft are developing identity management software that might not suck (but remember, it still doesn’t satisfy my Laws of Identity) but the question that’s being posed about Google applies equally to Microsoft, and, indeed, anyone else with an identity silo.

So, here’s the question: is Microsoft going to accept third party authentication for access to Microsoft properties?

How about it, Kim?

OK.  The answer to your question is “yes”.  Windows Live ID is going to accept third party authentication for access to Microsoft properties.

Let me quote from the Windows Live ID Whitepaper.  It seems like I gave the wrong link before, so I've checked that this one works.  I've also copied the paper onto my blog as I always do so my links will be permanent.  The original appears here.  The quote below is one of several places where these issues are discussed in the paper, so it's probably worth checking out the whole paper (about 8 pages).

How Does Windows Live ID Participate in the Identity Metasystem and Work with “InfoCard”?

Microsoft is working with others in the industry to create an identity metasystem that brings existing and future identity providers into a connected identity ecosystem and empowers end users to control the use of their identities. The Windows Live ID service will participate in the identity metasystem as one identity provider among many, able to accept claims from other identity providers and transform them so they can be used within Microsoft online services. This participation will include acceptance of self-issued and managed “InfoCards.” It will thus provide full support for the “InfoCard” identity model.

Roles of the Windows Live ID Service in the Identity Metasystem

Microsoft has published its vision of a universal identity solution that is inclusive of a plurality of identity operators and technologies—the identity metasystem. In such a metasystem, identity providers, relying parties, and subjects can select, request, transfer, transform, and consume identities through a suite of well-defined and open Web Services (WS-*) protocols. Microsoft is working to implement components of the identity metasystem, as are many other companies in the industry. As a result, various building blocks for the metasystem are being developed. Some of these components will be delivered to end users in the form of software installed and running locally on their computers and devices, while others will be online services.

The design philosophy of the identity metasystem is not to replace the existing identity systems in use today, but instead to bring these existing systems together by enabling interoperation among subjects, relying parties, and identity providers through industry standard protocols. The Windows Live ID service will participate in the identity metasystem as a “managed” identity provider already at Internet scale. Windows Live ID will bring a large base of end users and relying parties to the metasystem, taking us one step closer to Internet-wide identity federation and doing our part to help the industry move beyond the “walled garden” paradigm.

The Windows Live ID service will play several essential roles that are strategic for Microsoft. The service:

  • Is an Internet-scale identity provider intended primarily for users of Microsoft online services, which are all relying parties of the Windows Live ID service.
  • Is open and issues claims in a form that can be consumed by any relying party, any device, and any other trusted identity authority.
  • Serves Microsoft online services as a “claims transformer,” allowing those services to accept identities issued by third-parties. Third-party identity providers include other Internet service providers and managed-identity providers, such as the planned Active Directory Security Token Service (STS).
  • Will be the identity provider and federating authority for third party services and software built on top of the Microsoft online services platform.

So now some other questions remain.  Who can federate with Windows Live ID and what are the conditions?  What will the business model be?  What services will people want to use that cause them to seek to federate? 

So don't take me as sounding glib.  There are lots of important issues that the Windows Live ID folks are still thinking about.

Meanwhile your comment that “it's nice that Microsoft are developing identity management software that might not suck” is one of the nicest things anyone has ever said to me, and I'll treasure it.


Get over to Craig Burton's blog

Craig Burton is blogging up a Perfect Storm at  In fact he's posting so many nice little nuggets that you only see about a day and a half's worth when you go to his site with a browser.  Make sure you navigate back using the calendar.

Since a couple of the recent pieces concern things I'm involved with, I'll pick up on those.

Let's start with the discreetly named Vendor Lock in Sucks:

Microsoft plans link between directory, Live services:

Microsoft is planning to sync its Active Directory with its Live Web-based services to give users single sign-on for applications and services both inside a company network and on the Web.

Technically a good idea. Fewer namespaces and fewer administration models. Reality is, customers are loath to get roped into Msft centrism. Msft has yet to make the cut to OS independent Internet services.

Trust me, that is the future. The longer they put it off, the worse it is for everybody.

The open source community isn't much better. Politics is winning over common sense.

It will be interesting to see how Ozzie guides the company towards this end. Gates hasn't, won't. Ballmer is worse, Allchin…I have no more to say about that.

Let me talk to Craig directly for a minute.

Craig, take a look at the Windows Live ID whitepaper and let me know what you think of it. 

In my view it is consistent with a number of the ideas you've brought to the industry for a long time now. 

As far as I can see, there won't be anything proprietary about the way Windows Live ID federates with Active Directory or anything else – it will just use the WS-Federation and WS-Trust specifications, which are being implemented more widely, by more vendors, every day – and can be used on a royalty-free basis.

So then how does this initiative lock anyone in? I'm a non-lockin sort of guy.  We need to win customer support by producing products that are cool to use and manage; that have superior reliability and integration with dev tools; and that are open to other implementations.

As for your comments on Bill (and his friends), you just can't produce the kinds of technologies we are about to deliver in fifteen minutes.  Our work has been going on for a while (!) and involved a lot of patient investment.  The truth is, Bill has been a great supporter of ubiquitous Internet identity and I want to stand up for all he's done to help, just as I would do for you.  This said, Ray also brings a lot to the table.

Craig also has a recent post on Cardspace:

A Sandbox to Play In:

“Pamela Dingle, who always has the intestinal fortitude to ask the best darn questions at Catalyst (and other conferences), has posted a good “quick start” guide for anyone wanting to play around with Windows CardSpace. Via that post, I found this CardSpace “sandbox” site, which has some interesting pointers on it.”

Jamie Lewis points to some Cardspace resources. I opened my control panel the other day, and there was a new control panel named “Digital Identities.” It let me create an infocard. I have no idea what to do with it, but I know it came from Kim's group. I will try to find out more about this.

This is getting exciting.  So Craig, now, while you are on identityblog, choose Login.  When you get to the login page, click on my Information Card icon (a placeholder while we all agree on a real icon).  Let me know how that goes too.

UPDATE:  The original link for the Live ID Whitepaper was broken – I have fixed it.

Soothing music all around

Google's Ben Laurie continues with a post I'd call “Cogent with cloudy periods”:

Not surprisingly, my post “Google Account Authentication” attracted some pretty instant responses, as well as comments on the post itself.

On further reflection, comparing Live ID with Google’s authentication is comparing apples and oranges. Live ID may allow people to choose who they accept authentication from, but where does it say that anyone is planning to accept anyone’s word other than their own? In particular, where do Microsoft say they’re going to grant access to Microsoft properties using identity tokens issued by anyone other than Microsoft?

Interesting. Let me explain how I see it. The Windows Live ID whitepaper is about the technical architecture of Windows Live ID, and new capabilities allowing it to be part of a standardized, multi-centered, federated identity fabric. This includes support for Information Cards. Reading the paper, it's easy to see how enterprises or groups of users could gain access to Windows Live services using their native systems federating with Windows Live ID, rather than requiring separate accounts. The business model for this would be totally straightforward.

Now, in terms of how the protocols work, a similar federation relationship could be established between a Windows Live and a Yahoo or a Google. But the business models there are way harder to figure out. You need multiple players to buy in – it needs to be a win/win/win. I don't think anyone has figured this stuff out. Basically, it's a lot easier to change technologies than to change business models.

Still, to me, it makes sense to put a safer, more flexible technical infrastructure in place that offers advantages within current business models while simultaneously laying the groundwork for new approaches as they arise. But let's try to see the two as relatively autonomous.

Ben continues:

Eric Norlin says: “Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport.” But is this actually true? What Microsoft appears to have learnt is that it can’t get everyone to accept its credentials. So, what’s the next best thing? Get everyone to use MS technology for accepting credentials. Perhaps that’ll even lead to Passport Mark II where the default is to trust Microsoft. Where does Microsoft’s work on Infocard or Live ID or whatever-the-passport-nom-de-jour is show that Microsoft has any intention whatsoever of opening their silo? What it shows is that they think everyone else should open their silo.

This mish-mashes so many orthogonal ideas together that it gets a wee bit looney. If the following sounds disconnected, it's because the way Ben connected things doesn't make any sense to me:

  • It's true that a lot of us at Microsoft want to “open the silo”. That doesn't make it easy, or make it obvious what to do.
  • WS-Trust is not Microsoft Technology, unless IBM is now part of Microsoft – not to mention the hundred or so other companies who have worked on the WS specifications.
  • Information Cards are not Microsoft proprietary for two reasons: first, the protocols are in OASIS standardization and available royalty-free; and, second, because there is a consortium building real open-source implementations today (OSIS).
  • I don't understand why Ben wants to confuse a service offering like Windows Live ID with a cross platform technology initiative like the Identity Metasystem.
  • I'm even more mystified at the implication that our Cardspace implementation of Information Cards is a plot. It doesn't offer special advantages to Windows Live ID. Services like those offered by Google get equal billing with services that might come from Microsoft. What is the sin here?
  • Given the difference between services and open cross platform technology, why call Cardspace “the-passport-nom-de-jour” – except to be naughty?

Anyway, I'm just going to assume Ben had a bad hair day, which everyone has a right to.

Perhaps the flurry of postings made it look like people were ganging up on Google – not at all my intention – I still think that on identity our interests converge and we're all in similar places.

At any rate, Ben concludes thus:

Fred asks: “could you explain why Google shouldn’t allow their accounts system to be accessed by Yahoo credentials?”

All I can say is what I already said: there isn’t a widely used, mature, reliable, secure identity federation mechanism available today. Whether Google wants to do this or not, in practice, they can’t. Such decisions have to wait for standardised mechanisms to emerge, in my view.

Dick is “surprised to see this post given conversations we had”. Well, Dick, if the fact that I don’t always agree with you is surprising, then you’d better stock up on soothing music or something.

I think the situation calls for soothing music all around. How about Iggy Pop?

Eric Norlin and Dick Hardt hold firm

Eric Norlin responds to the Ben Laurie post I addressed here:

Ben Laurie, an employee of Google who is quite clear about the fact that he does not represent Google itself, is responding to my earlier post contrasting Google and Microsoft. Ben's pushing back on my contrasting of Google's Account Authentication versus Microsoft's Live ID, and my treatment therein. Specifically:

1. Ben states that “everyone knows” that Google only announces what they've already done (as opposed to what he sees as Microsoft's urge to announce what it's going to do).

2. There is no “mature, reliable, secure identity federation mechanism” that's widely used (thus, implying that there's nothing for Google to use).

3. That the release of Google Account Authentication does NOT deepen the existing internet identity silo.

4. That I have (somehow) fallen into the “newspaper trend” of writing articles that are “critical regardless of facts.” (ouch)

Let me try to respond:

1. I guess that subconsciously I knew that Google only announced what it had already done, but that really wasn't the point of my piece. My piece was a contrast meant to highlight an observation that I was making — namely, that Microsoft had learned a lot of important lessons from Passport; lessons that companies like Google may not have learned. Now, at the end of the day, I'm dependent upon my ability to observe based upon my available information. Since Google's PR department is — shall we say — a little opaque, most of us journalist-blogger types are left to discern what we can from what Google has done or is doing (precisely as Ben says). Furthermore, since no one from Google contacted me to correct me about my observations regarding Google's Account Authentication (I'd be glad to be officially corrected), and since Google has not changed what they're doing in any significant way, then I have no new information to change my mind.

2. Ben's right that there is no “internet scale” identity federation mechanism. SAML has gained widespread adoption, but is not suited for “internet scale.” Same goes for Liberty. There are, of course, a TON of people working on this problem — OSIS, YADIS, Sxip, the identity gang, Microsoft, etc., but I won't argue with Ben on this — there isn't a mechanism that's widely used.

3. We disagree on point number 3 — and Dick Hardt presents why. In response to Ben's statement – “What kind of credential did you expect to present? Your Yahoo login?” – Dick responds, “Uh, actually, yes.” This points out the fundamental problem at the heart of all of this “identity 2.0” stuff that I've been talking about: the existing silos (Google, Yahoo!, eBay, etc.) have *no* immediate business reason for opening their identity silos (at least, not that they can see). Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport. At the end of the day, Google is reinforcing its identity silo. That was the ultimate point of my post – and the one that I wish Google would respond to openly and directly.

4. I actually don't think I have fallen into some “newspaper trend.” If anything I am (and Digital ID World is) a member of the larger identity community. My post relied solely on the facts that Google has given me. If they change the facts (i.e., correct me), then I'll change my observation. At the end of the day, this is a communal exercise, and if I somehow have a misperception of what's going on (from Google's or Ben's point of view), then I'd bet that *lots* of people in identity have the same misperception. And if that is true, then it's Google's PR department's job to change it.

Let me close with this: I'm not trying to start some “vendor war,” or make Google “evil,” or take shots at the big kid on the block, or anything. We started Digital ID World because we knew that identity was a huge problem that crossed all boundaries, and we wanted it to turn out okay. It could go badly. It could not turn out okay. It's quite possible that the silos only get deeper, the walled gardens return, identity never has its “browser moment” (where it explodes into common usage). Do I want to see identity succeed? You bet I do. I don't think I've ever hidden that. As such, I try to call things as I see them.

Bottom line: I'd love for someone who does represent Google publicly to correct my horrible misperception of what they're doing in identity. In fact, they can come be on the Digital ID World keynote panel — “What do the largest internet sites think about identity?” – and make sure the entire identity community understands them (that's an open invite). Google, will you join us and set us straight?

Meanwhile, Dick Hardt says:

Ben Laurie from Google responded to my post on Google Account Authentication: two steps forward, one step back. A few comments that I’d like to respond to:

Duh, of course you have to provide a Google credential, you’re going to access a Google service. What kind of credential did you expect to present? Your Yahoo login?

Uh, actually, yes. That is the idea behind Identity 2.0, that I could use my Yahoo login to authenticate to Google and to access Google services.

How does allowing applications to access a user’s Google services deepen anything? Did Dick actually read what these services do?

Yes, I did read with great interest what the services do. As for why this deepens the identity silo, these new identity APIs make it easy for non-Google applications to consume Google services, but it is tied to the user’s Google credential, increasing the value of that Google credential, but creating a bigger barrier to services similar to Google’s, and increasing the user’s reliance on the Google credentials. Good for Google, but starts to reduce users’ options.

As of right now, what are the options? Is there any mature, reliable, secure identity federation mechanism that’s widely used?

Ben is correct, there is no mature, reliable, secure identity federation mechanism that’s widely used. But that has not stopped Microsoft from working to create one and announcing that they will be using it in their products in the future. Google could participate in defining Identity 2.0 architectures and make them widely used because they are Google.

Personal Identity Mesh

Identity Open Spaces are always interesting – uninterrupted hallway conversations that let you get to the nub of things – but this week's was different from the others because it was held in conjunction with a meeting of the Liberty Alliance.  This threw us all together with a bunch of people we hadn't met before, and frankly I think it was very useful.  We all got to present and discuss our work, interests and concerns.

It's hard to explain – or even imagine – what these meetings are like, because people are coming from such different places that their take-aways differ dramatically.  I'm sure a number of people will blog about this, but I'll just start by quoting Marc Canter of Macromedia fame.  One of the interesting things about Marc is that he just wants results – identity he can use in his products.

As I sit here in the blazing heat, periodically jumping into my pool – I’m feeling good about the last few days I spent in Vancouver.  It was great for me to get away from answering sales calls, improving user interfaces and dealing with Angel investors.  I found myself right back smack dab in the middle of an evolution of technology, where enterprise, mil spec encryption, security and privacy technology was being deployed for the purposes of each and every one of us to be able to control our content and meta-data.

Moving and controlling profile data is important, but we ALSO gotta control access to our content – based upon our relationships to the viewer.  Apparently Vox does this pretty well – but I haven’t checked it out – yet.

A lot of time and energy was spent up in Vancouver trying to define and speak clearly of all the different platforms and their nuances.  It was an Open Space effort, designed to correspond with a Liberty Alliance meeting, so lots of loosely structured meetings occurred where real work was accomplished.

On one hand you had all these academic and enterprise researchers and experts who are managing bank accounts, mutual fund accounts and health records, debating on details like ‘is it THIS or really THAT’.  Then a bunch of the open folks – like Neustar and Cordence were there – more or less hawking their goods.

So in other words this was the “open user-centric folks” meet the SAML/Federated trust enterprise wonks fest.

I’d say it came off pretty well – especially with Kaliya Hamlin leading the organization, facilitating the conversations and keeping things lively. I did my best to also “keep folks awake” – while only dozing off a few times myself, during those insipid debates on “do you mean WHAT you mean or is that a semblance of meaning in your declaration?”  It was that bad.

As a vendor I went to this meeting knowing that I was a downstream participant, someone whose issues are a lot different from the folks who are trying to stake our real estate around ‘standards’.  You see – we (by definition) have to support ALL the standards, so my only real motivation is to get as many of them to work together and adhere to each other’s standards.

And that’s what I did.  There was a whole session on ‘Protocols Converging’ (led by Dick Hardt) and that led to a few private meetings out in the hallway, which is where all the real work gets done. I myself am excited about what Dick is gonna show and unveil at OSCON next week, but I can’t tell yah about it.

Or else I’d have to kill you……

Anyway – based upon what I heard at this meeting, here are some issues that are pretty easy for me to make:

  • At best we’ll get 2% of the populace using this stuff – even within the next few years
  • But many more people WOULD/COULD use it if it was readily accessible, easy to use and they understand what the fuck it meant
  • Doesn’t really matter if it implements authentication, if that’s ALL it does
  • I agree with Kim Cameron – there will be two approaches to this area – card based and address based

And that’s the best way we can describe it to the humans.

The Identity space is really complicated, and our clients expect me to be an expert at it.  So I nerded out over the past few days and have the next generation architecture for PeopleAggregator designed with it in mind. 

It’ll make sure that real value can be delivered to humans – real soon now- regardless of whether or not they’re (the humans) willing to jump through all the hoops and grok all the nuances of the Identity puzzle.

There’s one inherent tradeoff for this.  If you don’t want to jump through all the hoops of getting a card or signing up for an address (or just hacking one yourself) then you CAN’T COMPLAIN if you don’t get a phishing proofed, crypto encoded, security tight, hacker proof, scalable, long term, persistent unique identifier.

But if all that really gets you off, then you won’t mind jumping through all the hoops.  Those hoops require opting in, sharing, moving and adhering to all these rules – about Personal Identity Mesh. 

Getting an info card to be compatible with Kim Cameron’s Info Cards system, which will be built into Vista and is available for XP – right now – will be about getting something called a .crd file. Kim showed using Info Cards to log into WordPress – just to prove that it works on a LAMP stack, open source platform.

David Recordon (of Verisign) led an excellent session on OpenID and talked about its status.  Drummond Reed was there to talk about XRI and inames.  All the major players in this space were there and talking to each other.

Dick Hardt had a session on coming up with a name for the unique thing we’re doing.  It’s not a traditional federation, or circle of trust – it’s recognizing that individuals rely upon portals (or fancy webapp) software to get their services and that they’re probably dealing with LOTS of these services.  Each of these portals has all sorts of assertions, backend technology, web services, alliance partners and other infrastructure.  But what we SEE is the portal or NetVibes or PageFlakes or MySpace or Vox.

The human is then supposed to confer and rely upon (what’s known as) an identity provider or identity broker – which is usually an objective 3rd party – to verify their claims, assertions and transactions. We debated upon what to call it – but we all agreed that it’s something new and unique. I call this the “Personal Identity Mesh” – cause anybody can use any Identity broker – yet we’re all supposed to trust and believe in these ‘reputation systems’ (especially if Auren Hoffman has his way – with Rapleaf.)

Whatever the term is – it’s the universe that PeopleAggregator is going to support and help make happen. But we need LOTS of vendors to participate and the big boys – too.

I really like the term “Personal Identity Mesh” that came out of the “naming” discussion led by Dick Hardt.  It sums up what a lot of us are trying to do. 

I should also make it clear that I don't think there are very many who see information cards and URL-based identities as being opposed to each other.  A card can represent a URL-based identity, and a URL can be used, in a number of use cases, to represent the identity that would be conveyed through a card.  This doesn't work in all cases, but it works in enough important cases that it is very useful.

Finally, I think Marc's estimate of 2% over three years is overly pessimistic.  The big sites and big players can accelerate adoption a whole lot with the flick of the switch.  I've already had people tell me they are going to enable hundreds of millions of accounts with Information Card support.  If they do what they are saying they'll do, and if people like the experience as much as I think they will, there can be a serious network effect here.

Bad journalism or bad communication?

Identity master Ben Laurie of Google pushes back on me for picking up Eric Norlin's recent piece on Google Authentication.  Ben writes:

I’ve been trying to resist the temptation to comment on posts such as Dick Hardt’s “Google Account Authentication: two steps forward, one step back” and Kim Cameron’s “GOOGLE’S AUTHENTICATION VERSUS MICROSOFT’S LIVE ID” (which is mostly Eric Norlin’s “Google’s authentication vs. Microsoft’s Live ID“), since I work for Google and such comments might be misconstrued. However, bad journalism is bad journalism, even if you’re a blogger and I’m a Google employee, so I’m going to comment anyway. Note that, like everything I blog here, this post does not reflect Google’s views, nor does it use any knowledge I may or may not have as a Google employee.

Firstly, as everyone who pays attention knows, Google doesn’t announce what it’s going to do, only what it’s already done. So, what does it mean to contrast thus (from Eric Norlin’s piece)? “Of extreme importance is the fact that Windows Live ID will [my italics] support WS-Trust, WS-Federation, CardSpace and ADFS (active directory federation server).” vs. “Contrast all of this with Google’s announcement: create Google account, store user information at Google, get authentication from Google — are we sensing a trend?” – well, yes, the trend I’m sensing is that Windows Live ID does much what Google does today. Tomorrow they both may do something different. As of right now, what are the options? Is there any mature, reliable, secure identity federation mechanism that’s widely used? I think not. Note, BTW, that Live ID is currently vapourware, you can’t even get SDKs for it yet, let alone actually use it.

I need to begin by responding that I didn't know “Google doesn't announce what it's going to do, only what it's already done.”  This must sound incredibly naive on my part, but it's true.

I guess I don't have a good enough understanding of the cultural differences between various companies.  I'm used to being required to share a roadmap with enterprises and large organizations.  They need that to facilitate their planning.  But in retrospect I can see that Google may not need to function this way.  I'm probably not the only one who hasn't understood this, so I appreciate Ben's explanation of how we should interpret Google's announcements.

Secondly, I agree that neither MSN nor Google nor AOL nor anyone else has a federation mechanism that's widely used outside their own properties at internet scale. 

Above all else, I agree with Ben's statement that, “Tomorrow they both may do something different.”  So peace, bro’.

Speaking of peace, Ben on Liberty:

Some have argued that Liberty is the answer to this, in that it’s mature, reliable and secure. But it isn’t widely used, partly because of complexity, partly because in its early days it royally screwed over people who might have driven adoption, like the Apache Software Foundation, and partly because of complex IPR issues. At least, I’ve heard, the IPR might be getting fixed. I watch that space with interest.

Ben on Dick Hardt:

Dick Hardt: “Google has just released Google Account Authentication. My initial reaction: great technology for rich clients and web sites acting on behalf of the user, but deepens the Google identity silo.” What does this mean? How does allowing applications to access a user’s Google services deepen anything? Did Dick actually read what these services do?

“The Google Account Authentication for installed apps is a bold move to standardize an API for working with installed applications. Unfortunate that it is domain centric. The user has to provide their Google credentials. Clearly the easy, safe choice that creates more value for the user’s google credential. Also makes it harder for any identity management technology to manage the Google credential.”


  • Duh, of course you have to provide a Google credential, you’re going to access a Google service. What kind of credential did you expect to present? Your Yahoo login?
  • Why does providing an API to allow applications to use user’s credentials make it harder for software to manage those credentials? I’m obviously missing something, but I can’t see what.
  • “Google Account Authentication for Web-Based Applications looks like it is opening up the SSO mechanisms that Google has been using across their various properties so that other properties can get a token to act on behalf of the user.” Hmmm … that sounds just like something an identity management technology could manage. But that problem was from a whole paragraph before, hopefully the reader will have forgotten about it by now.

Ben on the pack of us:

It’s sad to see blogs following the newspaper trend, where the only articles worth writing are critical, regardless of the facts. Readership is king! To hell with accuracy!

Yikes.  Do I slither forward in a river of yellow journalism? 

I hope not.  The story I told was, “this is how Eric Norlin sees what's happening.”  He influences a lot of people, and his views are themselves important.  If Eric has drawn the wrong conclusions, it's important to get that message out – including to Eric, as has happened here.  Both Eric's piece and Ben's response have helped that happen.  I for one understand things better than I would have had none of this discussion happened.

And in case it matters, my own conclusion was actually different from Eric's.  I wrote, and I don't think it was at all critical:

... I personally hope that Google embraces federation, Information Cards and the identity metasystem. They have enough smart people who understand these issues that I expect they will.

I see lots of room for us to work together, lots of agreement on the big picture, and lots of good people doing the execution.


Here is a piece by Eric Norlin over at

Windows Live ID is the identity backbone used by Microsoft's web properties and services – for example, by Hotmail. For those who haven't followed the bouncing ball, Windows Live ID is the latest evolution of Passport, which has undergone a name change to convey its focus within Windows Live services – as well as its ability to federate in a multi-centered identity landscape.

Recent announcements of Google's authentication service have prompted comparisons to Passport, and even gotten Dick Hardt (of “Identity 2.0” fame) to call it the “deepening of the identity silo.” I'd like to contrast Google's work with Microsoft's recent work around Live ID.

Microsoft's Live ID *is* the old Passport — with a few key changes. Kim Cameron's work around the identity metasystem has driven the concept of InfoCards (now called CardSpace) deep inside of Microsoft. In essence, Kim's idea is that there is a “metasystem” which utilizes WS-Trust to translate tokens, so that all identity systems can interact with each other.

Of extreme importance is the fact that Windows Live ID will support WS-Trust, WS-Federation, CardSpace and ADFS (active directory federation server). This means that A) Windows Live ID can interact with other identity metasystem implementations (Open Source versions, for example); B) that your corporate active directory environment can be federated into Windows Live ID; and C) the closed system that was Passport has now effectively been transformed into an open (standards-based) and transparent system that is Live ID.

Contrast all of this with Google's announcement: create Google account, store user information at Google, get authentication from Google — are we sensing a trend? While Microsoft is now making it easy to interact with other (competing) identity systems, Google is making it nearly impossible. All of which leads one to ask – why?

I honestly believe that Microsoft is ahead of Google on this one for a very simple reason: Passport taught Microsoft some very painful, first-hand lessons. Passport forced Microsoft (over a period of years) to re-examine their fundamental approach to identity. Further, it forced them to figure out how to monetize the idea of identity applications — and not simply the aggregation of identity itself. Conversely, Google's business is now built on the aggregation of identity data, and they have yet to walk the painful Passport path.

Will the market force Google to learn the same lesson? I don't know. On the other hand, one company is clearly advancing the cause of “identity 2.0”, “web 2.0”, “Net 2.0” — call it what you will — and that company is Microsoft. The other company is deepening the silo and building the walled garden — and that is *so* late 90s.

While I love being in the software olympics as much as the next guy, I personally hope that Google embraces federation, Information Cards and the identity metasystem. They have enough smart people who understand these issues that I expect they will.