Saturday, February 17, 2007

rfi User-Centric Identity and What Johannes Ernst Said


Full Q&A follows:


How do you define user-centric identity?

I like to distinguish two forms:

In the 'weak form', identity information about me continues to be
collected and maintained by third parties ("IdP companies") and I, as
the user, have a big say in whether or not I want that information to
be transmitted to another party ("Relying Party"). This is an
improvement over the state of the art, where the IdP and the RP
company get together and decide what to do with my identity
information without me being in the loop.

A real-world example of this would be for me to decide whether or not
to take out my AA frequent flyer membership card to get a 5% discount
at Hertz.

In the 'strong form', I assert my identity information myself, and
I'm my own IdP (although I might outsource the technical details of
how to do that to a service provider). A Relying Party may use other
parties to corroborate what I said about myself, e.g. ask the state
government whether I'm indeed a licensed nurse, or ask a reputation
service about how likely it is that I'm a spammer.

The latter, Doc Searls called "independent, sovereign identity".

A real-world example of this would be me handing you my business
card. Or me writing something on Wikipedia, with you being able to
check how many other edits I made and how often I was "reverted".

Interestingly enough, and while they don't map seamlessly, URL-based
identity maps more to the 'strong form', while card-based identity
maps more to the 'weak form'.

Is user-centric identity primarily a B2C requirement, or does it have applicability in the B2B world and inside the enterprise?

It absolutely has enterprise applications. One example that one of
our customers pointed out to us: while much information about
employees is maintained by enterprises in places like corporate
directories (whether the employee likes that or not), other identity
information that is relevant to business often is not. For example:
cell phone numbers. Instead, employees want to keep control over when
to hand out their cell phone numbers and to whom. The same thing
might be true about instant messaging handles, presence status,
current location in the building, schedule, etc. etc.

What standards are being developed in this space, and/or how are older standards (e.g., Liberty ID-WSF, if you can call that "old") being applied to these requirements?

Many technologies can be applied to this field, and they probably
are. But in my view, the problem is one of distribution, not of
technology. The early boost here was LiveJournal, which gave OpenID
instant distribution to millions of people, which caused a virtuous
cycle that continues unabated. And then, of course, there is Windows
Vista and its distribution. Other technologies / standards / products
don't necessarily have the same distribution dynamics.

One thing that plays into this is the "weight" of the technology.
When we invented URL-based identity at NetMesh over 2 years ago, we
consciously called it "Light-Weight Identity". Because in our view,
only technology that's sufficiently low-cost (in total cost of using
it, not just software cost) has a chance of mass distribution, and
that's one of the reasons why so many sites have found it easy to
adopt OpenID and not so easy to adopt other technologies.

How can user-centric identity and federated identity management coexist and complement each other?

The key battle here will be at the boundary of the enterprise, where
self-empowered users (customers, contractors, partners, employees)
want to "bring their identity" and companies need to support this,
otherwise users (particularly customers) will go to a different
company that serves them as they want to be served. The challenge is
to keep what's working inside the company, but allow for external
sources of identity via user-centric technologies / processes as
well; this will take some years to be figured out because it is
rather complex, but it certainly will get solved.

Certainly that is one of the recurring discussions we have at NetMesh
with enterprise adopters.

How soon can we expect to see user-centric identity architectures baked into the leading IdM vendors' software suites?

I would defer to those "leading IdM vendors" to answer that ;-)

How soon before we see user-centric identity environments enjoy the mainstream enterprise acceptance, adoption, and interoperability now found with SAML?

Interoperability in the OpenID world is excellent. There are dozens
of independent identity providers, dozens of independent software
implementations, and hundreds of relying parties: the reports of
interoperability problems are few and far between. (Somewhat to my
surprise, I have to admit). Note that all of this works without any
formal certification regime or even a shared test suite.

My understanding is that out-of-the-box interop of more traditional
identity products is something that happens less frequently.

The best guess for the OpenID growth rate right now is 5% per week
with about 1000 relying parties at this point, so you can do the math
when ubiquity arrives ...
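The one piece every one of those independent implementations has to get bit-for-bit identical is the association step and the signed assertion, which is where interop would break if it were going to. The following is an added example written for this page, not code from the post or from NetMesh: the OpenID 1.1 DH-SHA1 association (the MAC key never crosses the wire in the clear) followed by an HMAC-SHA1 signed positive assertion and the RP's check of it. Assumptions: the RFC 2409 group 2 prime stands in for the spec's default DH modulus, the identity and return_to URLs are hypothetical, and the exchange is simulated in one process rather than over HTTP.

```python
import base64
import hashlib
import hmac
import os

# 1024-bit MODP prime from RFC 2409 (group 2), generator 2. Used here as a
# stand-in for the OpenID 1.1 default DH modulus (assumption: the exchange
# below works the same for any prime and generator both sides agree on).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
SIGNED = ["mode", "identity", "return_to", "assoc_handle"]  # fields the RP insists on


def btwoc(n):
    """Big-endian two's-complement bytes of a non-negative int (OpenID 'btwoc'):
    a leading 0x00 is added when the top bit would otherwise be set."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def unbtwoc(b):
    return int.from_bytes(b, "big", signed=True)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def kv_form(fields, signed):
    """OpenID key-value form: 'key:value\\n' for each signed field, in order."""
    return "".join("%s:%s\n" % (k, fields[k]) for k in signed).encode()


class DHParty:
    """One side of the Diffie-Hellman exchange (RP or IdP)."""
    def __init__(self):
        self.private = int.from_bytes(os.urandom(32), "big") % (P - 2) + 2
        self.public = pow(G, self.private, P)

    def secret_with(self, peer_public):
        return pow(peer_public, self.private, P)


def associate(rp, idp):
    """Simulate openid.mode=associate with session_type DH-SHA1.
    Returns (IdP's MAC key, MAC key as recovered by the RP, IdP response)."""
    # RP -> IdP: its DH public value, base64(btwoc(...)) as the spec encodes it
    request = {"openid.mode": "associate", "openid.session_type": "DH-SHA1",
               "openid.dh_consumer_public": base64.b64encode(btwoc(rp.public)).decode()}
    # IdP: fresh MAC key, masked with SHA1(btwoc(shared secret))
    consumer_public = unbtwoc(base64.b64decode(request["openid.dh_consumer_public"]))
    mac_key = os.urandom(20)
    mask = hashlib.sha1(btwoc(idp.secret_with(consumer_public))).digest()
    response = {"assoc_handle": "h-" + os.urandom(8).hex(),
                "dh_server_public": base64.b64encode(btwoc(idp.public)).decode(),
                "enc_mac_key": base64.b64encode(xor(mac_key, mask)).decode()}
    # RP: same secret from the IdP's public value, so the same mask unmasks the key
    server_public = unbtwoc(base64.b64decode(response["dh_server_public"]))
    rp_mask = hashlib.sha1(btwoc(rp.secret_with(server_public))).digest()
    rp_mac_key = xor(base64.b64decode(response["enc_mac_key"]), rp_mask)
    return mac_key, rp_mac_key, response


def idp_sign(mac_key, fields, signed=SIGNED):
    """IdP side: HMAC-SHA1 over the kv-form of the listed fields (mode=id_res)."""
    out = dict(fields, signed=",".join(signed))
    out["sig"] = base64.b64encode(hmac.new(mac_key, kv_form(out, signed), hashlib.sha1).digest()).decode()
    return out


def rp_verify(mac_key, fields):
    """RP side: recompute the HMAC. Rejects assertions whose 'signed' list omits a
    required field, otherwise a forger could sign a harmless subset and swap identity."""
    signed = fields.get("signed", "").split(",")
    if not set(SIGNED) <= set(signed) or any(k not in fields for k in signed):
        return False
    try:
        sig = base64.b64decode(fields.get("sig", ""), validate=True)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha1).digest()
    return hmac.compare_digest(expected, sig)


def demo():
    """Full round trip: associate, sign, verify, and verify a tampered copy."""
    rp, idp = DHParty(), DHParty()
    mac_key, rp_mac_key, assoc = associate(rp, idp)
    assertion = idp_sign(mac_key, {"mode": "id_res",
                                   "identity": "https://alice.example.org/",   # hypothetical
                                   "return_to": "https://rp.example.com/finish",
                                   "assoc_handle": assoc["assoc_handle"]})
    tampered = dict(assertion, identity="https://mallory.example.org/")
    return mac_key == rp_mac_key, rp_verify(rp_mac_key, assertion), rp_verify(rp_mac_key, tampered)


if __name__ == "__main__":
    print(demo())
```

The two checks in rp_verify that are easy to forget are the ones interop testing never exercises: that the signed list covers every field the RP relies on (the IdP's signature is only as good as the fields it covers), and that the comparison is constant-time.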

Does Microsoft have an early-mover advantage with CardSpace in Vista, or is it far too early to pronounce "winners" in this fast-evolving space?

Far too early. Looking backward from a few years in the future, it is
very likely that we will say that in 2006, most people still thought
the product was "identity management software" and its hosted
equivalent. But now that virtually "everybody" in technology (see
membership list in OSIS) is working real hard to make the basic user-
centric identity layer free on the internet, the question about
winners and losers will be decided on a layer above or below that
free layer. As an industry, today we all have only very rudimentary
understanding what those layers even are. So it's too early to
declare even who the contenders are, never mind the winners!

Microsoft will clearly play an important role, as will websites with
a mass audience, and big enterprise vendors. But personally I would
bet on startups -- many new appealing business models are emerging
that appear incompatible with traditional technology business models,
and that gives startups an unfair advantage against the incumbents.

What significant/serious interoperability, deployment, trust, security, usability, and other challenges do implementers face when implementing user-centric identity?

I'm not quite sure I can give you an exhaustive list here. Some of
them probably include:
- the market is immature, and there is still more slideware and
beta software around than technology that has been proven
- as a whole, we don't know yet what the attack vectors of the bad
guys will be because the bad guys haven't really started attacking yet
- many pieces of technology are missing -- e.g. see James
McGovern's recent push for XACML-related things in an OpenID context
- the business ecosystem isn't there either -- e.g. how does an IdP
get compensated for taking on authentication risk?

However, what we're seeing clearly at NetMesh is that many leading
companies in their market realize that in spite of this, they have to
move very quickly to make their play, because there is a huge
economic network effect associated with user-centric identity, and
they can't afford to let their competitors benefit from that one
first, even if many answers don't exist yet. The vendors and the
adopters are learning together ... nothing wrong with that either.

So in spite of many obstacles, companies are moving, and quite fast
at that.

To what extent and at what speed are the URL-based schemes (OpenID, LID, iNames/XRI, mIDm, Yadis, etc.) converging into a single standard/framework?

On mIDm, I don't know whether that is an ongoing project.

All others have effectively converged into the same framework since we all adopted Yadis a year ago (which in itself was a combination of the discovery pieces of XRI, LID and OpenID).

There are lots of different pieces advocated by different people on top of that same framework, many of which are competing. But that's a feature, not a bug: it allows many parties to innovate and solve problems really well for those parts of the market that they play in, and it does not limit the market to whatever one particular approach can accomplish. As particular pieces become well-understood and broadly deployed -- as it happened with Diffie-Hellman-based, browser-based authentication -- I expect those to be supported by everybody. This kind of higher-level convergence will happen faster for some and slower for others and never for some (e.g. vertical-specific services).

So I expect the XRI folks to continue doing things that won't be adopted by everybody in the OpenID community, just like we at NetMesh continue to have (and build more) service types under the LID umbrella that not everybody in the OpenID community relates to.
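The "same framework" the answer refers to is Yadis discovery: an identity URL serves an XRDS document listing Service elements, each with Type URIs and endpoint URIs, and a relying party picks the service type it understands. Below is an added example, written for this page and not taken from the post, OpenID, LID or NetMesh code: a small parser for such a document and the selection rule (last XRD wins, lower priority number wins, no priority sorts last). Assumptions: the XRDS sample is constructed with hypothetical hosts, the OpenID 1.x signon types and the OpenID delegate namespace are as the author remembers them, and the LID SSO type URI is a placeholder; the document is parsed from a string rather than fetched.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_DELEGATE = "{http://openid.net/xmlns/1.0}Delegate"
OPENID_TYPES = {"http://openid.net/signon/1.1", "http://openid.net/signon/1.0"}
LID_SSO_TYPE = "http://lid.netmesh.org/sso/2.0"  # assumption: placeholder LID SSO type URI

# Constructed sample of what a Yadis-enabled identity URL might return for
# Accept: application/xrds+xml. Hosts are hypothetical. The OpenID service has
# a delegate and the best priority; the 1.0 fallback has no priority at all.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://lid.netmesh.org/sso/2.0</Type>
      <URI>https://idp.example.net/lid</URI>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://idp.example.net/server</URI>
      <openid:Delegate xmlns:openid="http://openid.net/xmlns/1.0">https://idp.example.net/alice</openid:Delegate>
    </Service>
    <Service>
      <Type>http://openid.net/signon/1.0</Type>
      <URI>https://backup.example.net/server</URI>
      <URI>javascript:alert(1)</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _text(elem):
    return elem.text.strip() if elem is not None and elem.text else None


def parse_services(xrds_text):
    """Return the Service entries of the last XRD element as plain dicts.
    Only http(s) endpoint URIs are kept; anything else is an attacker's problem, not ours."""
    root = ET.fromstring(xrds_text)
    xrds = root.findall("{%s}XRD" % XRD_NS)
    if not xrds:
        return []
    services = []
    for svc in xrds[-1].findall("{%s}Service" % XRD_NS):  # Yadis: the last XRD applies
        types = [t for t in (_text(e) for e in svc.findall("{%s}Type" % XRD_NS)) if t]
        uris = [u for u in (_text(e) for e in svc.findall("{%s}URI" % XRD_NS))
                if u and urlsplit(u).scheme in ("http", "https")]
        prio = svc.get("priority")
        services.append({
            "types": types,
            "uris": uris,
            "priority": int(prio) if prio is not None and prio.isdigit() else None,
            "delegate": _text(svc.find(OPENID_DELEGATE)),
        })
    return services


def select_service(services, wanted_types):
    """Pick the preferred service offering one of wanted_types.
    XRD priority: lower number wins; a Service without priority sorts last."""
    matches = [s for s in services if set(s["types"]) & set(wanted_types) and s["uris"]]
    matches.sort(key=lambda s: (s["priority"] is None, s["priority"] or 0))
    return matches[0] if matches else None


if __name__ == "__main__":
    found = parse_services(SAMPLE_XRDS)
    print(select_service(found, OPENID_TYPES))
    print(select_service(found, {LID_SSO_TYPE}))
```

In a real relying party the document comes from a URL the user typed, so treat it as hostile input: fetch it with a size limit and a hardened XML parser (the standard library parser used here does not resolve external entities, but a library such as defusedxml makes that explicit), and never let a URI from the document drive anything but an HTTP redirect to the selected endpoint.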

To what extent will self-asserted IdPs (which I believe are also supported in CardSpace) eliminate the need for traditional (multi-user/ID) IdPs?

There will always be a need for third parties to make statements about somebody else. For example, it is unlikely a shop keeper will sell me that bottle of Gin based on my self-assertion that I'm above drinking age but don't look it.

But how exactly that is done is a matter of ongoing dispute. I could show my driver's license (basically the CardSpace model). Or, I could create cryptographic proof that I'm above drinking age without you learning how old I am, nor the government learning that I bought booze (the Credentica model). Or, I could bring a thousand people who all say that I'm above drinking age (the "wisdom of crowds" model). Or, I could give the merchant permission to ask the government in real-time, either directly or routed through me (the "3rd-party confirmation model" that has the advantage that it works for information changing in real-time).

As these examples show, some of them map to the "traditional IdP" model. Others only sort-of, and some not at all (the "Wisdom of crowds model"). I expect the majority of the market growth to come from non-traditional models, although timing would be a conjecture ...

To what extent will companies allow their employees to selectively conceal privacy-sensitive attributes (e.g., cellphone number, presence, location in building) when the trend has been toward tighter company monitoring of e-mail, IM, etc.?

Well, that highly depends on the company. If a company's success depends on their people making maximum use of their intellectual and social resources, then getting in the way of how people want to deploy those resources is not a particularly wise business decision. And the reverse is probably true as well.


Per what Johannes said, the "distribution" and "weight" of user-centric identity technologies will determine whether, when, and how they dominate the IdM space in coming years.

Federated IdM--a la SAML and Liberty Alliance--has gone mainstream, but it is still climbing the implementation curve. It is not widely distributed in the B2C sphere because it is heavyweight to implement (i.e., to set up the requisite interoperability, trust, and implementation agreements).

I spent a year in the wilderness working with a B2B trading community trying to kickstart federation (just for cross-domain SSO) by setting up multilateral, transitive trust relationships that passed muster with all the requisite regulators, lawyers, and beancounters--and, I can tell you, it was painful.

Perhaps portal-initiated SSO (the core federated IdM use case) is just not an "internet-scalable IdM" arrangement (per an excellent whitepaper recently authored by Ping Identity). Maybe RP-initiated multiple sign on (MSO)--the core user-centric ID use case--is the way to go. Just assume that SSO is too heavyweight for dynamic, Internet-scale IdM (be it B2C or B2B). Instead, give the user the tools (e.g., identity card selectors etc.) to make their MSO experience more convenient, secure, and standardized.