If you haven't signed up for our free weekly Digital Identity Newsletter, you are missing the best source to keep up with what's happening in the industry. Just go to the home page and put your email address in that little box at the top center of the page. That's it, and the newsletter will show up in your email every Thursday morning bright and early.

If you wonder what the newsletters look like, check out the archive of this year's past newsletters to see. Just having this in your email each week will make it impossible for you to lose track of what's happening in the world of digital identity.

Nullsoft, an America Online Group headed by Justin Frankel, quietly released Waste which allows small groups (up to 50 or so people) to set up a P2P network that is secure through the integration of digital identity. "The software ... offers encryption and authentication to prevent non-invitees from accessing the private networks. The real play is when you've got small networks of co-workers or friends who can share whatever they want securely."

This is a use of digital identity oriented computing that was predicted in Eric's recent article and Waste is a great example of what you will see a lot more of in the coming years as people start to think about applications and software from an identity point of view. The organization of networked computing around identity is so compelling (like it's the only way that will really work out) that you'll see applications like this one appear where the builder is compelled to the design by the need, and gets there even when he doesn't think of identity per se. But this is a classic digital identity application, and one that can't deliver without being identity-centric.

Philips, Visa team on wireless pay-card | CNET News.com
At the beginning and end of the day, the most important (highest priority) digital identity applications will always center around economic transactions. This technology would be an early stage of that...

InfoWorld: Oracle, Plumtree target Sarbanes-Oxley : May 28, 2003: By James Niccolai: Applications
Sarbanes-Oxley is becoming one of the prime legislative drivers of enterprise identity management. The key is the word "audit" -- when you see the need for an "audit trail," your digital identity sensors should immediately begin ringing.

Security / Is that a biometric device in your pocket? - Tech Update - ZDNet

Once you authenticate yourself via the telephone--with a password, your voice, or both-- the original application that asked for your username springs to life as though you had just entered your password with the keyboard or authenticated with local biometrics. The reason this is called out-of-band authentication is that the authentication data --- whether it was your password or your biometric information --- takes a different network path (or band) to the authentication server than does the username. The username goes over the Internet or a local area network, while the authentication data passes over the public telephone system. Waller claims that this sort of out-of-band authentication is much more secure than other forms where both the username and authentication data are essentially packaged together and travel across the same network.

Identity management tips
Here are eight tips for folks looking at enterprise identity management. Allow me to add a ninth:

Realize that "identity management" is a re-architecting of your IT systems -- one that, if done properly, can unlock tremendous value and create amazing efficiencies.

No Passport, no problem

Using Passport doesn't eliminate the need for a Web site owner to write and maintain a user database, it only eliminates the need to maintain the authentication credentials (such as the password).

Gaining perspective on digital identities
A good overview piece on the process of Enterprise Identity Management. Be sure to check out the cool "road map" graphic from Deloitte and Touche...

Radio ID chips may track banknotes | CNET News.com

Radio tags the size of a grain of sand could be embedded in the euro note if a reported deal between the European Central Bank (ECB) and Japanese electronics maker Hitachi is signed.

Line56.com: Building Trust on the Internet
Roger Sullivan, CEO of Phaos Technology, provides a brief overview and outline of the work of the Liberty Alliance...

As we've reported, Bill Gates has understood that Identity is important since at least early last year. Lately, he's even let us know he now understands that "Identity is Center", at least in his way. Now, in a speech to CEOs, Bill Gates has finally learned how to smoothly work the basic drivers of digital identity into his speaking.

"Historically, the IT department knew that its equipment was all in the glass house and understood how to deal with that. Today, it's cell phones that people are carrying around and downloading information to. It's portable devices, it's spreadsheets that people have on different desktops, and in a sense, the scope of their responsibility and how much they should invest in making those people more effective is something that a lot of companies have had a hard time seeing exactly what that level should look like."

This sums up what is happening pretty well in three sentences (even if one of them is a run-on sentence) and this is *very* much better than most people can do.

As computing becomes distributed, networked, and used from everywhere at any time the only way to have it be secure, manageable, and organized coherently so it works as desired is to orient it around the identity of the user and the identity of the owner of the data and applications. Management of the infrastructure is also reorienting around the identity of the devices and software apps that comprise it.

This is already beginning to release a lot of power, but it is only the tip of what will happen as the change propogates more widely. However, while the past year has seen much progress in realizing this, many still suffer the full thrall of the "what happened?" syndrome. I 100% agree with Mr. Gates when he says:

"This is where I think in some ways people are really underestimating what can be done. It's kind of natural if you overestimate what an industry can deliver ... that you cycle back to where you underestimate those things."

One-by-one people are beginning to get over being stunned by the "end of the world as we know it", and are starting to see the implications and absolutely huge nature of the paradigm change that is coming at them. As you look to the future of computing, however, you will fail to fully appreciate it unless you realize that Identity is Center.

Anticipating a post-Web, post-PC world | CNET News.com

That's what's happening today. The technologies and concepts generating buzz at industry gatherings like PC Forum, O'Reilly's Emerging Technology Conference, and Supernova include social software, the semantic Web, Web logs, rich Internet applications, Web services, unlicensed wireless, grid computing, digital identity, broadband media. The more one looks at these developments, the more hidden connections appear. They are pieces of a larger whole, which we don't yet have words to describe.

Kevin and I communicate via email on a somewhat regular basis, and I've tried twice now to make it to Supernova (his conference), but failed because of scheduling.....

...after posting this, I will (jokingly, of course) send Kevin an email to politely remind him that he left out the grandaddy conference that looks to the past to understand the future (see Phil's opener from last year) -- Digital ID World.

DHS details future border-control system - Computerworld

Starting next January, the DHS will authenticate a visitor's identity through a minimum of two biometric identifiers. During the initial stage of the program, fingerprints and photographs will be used, said Hutchinson. However, as the technology is perfected, additional biometric identifiers, such as facial recognition or iris scans, may be used too.

Enterprise Software / It's time to rebuild the Internet - Tech Update - ZDNet

Another critical part of taking friction out of interacting on the Internet is creating standard authentication and security models that work across the more decentralized architecture of the Internet. Ozzie pointed to firewalls as a major problem that disrupts cross-enterprise communication, and gives a false sense of security. Given that most cyber security breaches come from insiders, that may be the case, but right now firewalls are one of the few lines of defense.

Ozzie believes that the industry should embrace a more "cellular" model for trust and authentication instead of the current hierarchical security model. "Today, each enterprise has its own directory. The different directory products allow for delegation and assume that trust is hierarchical--meaning the boss authorizes employee access levels --but that's not the way people interact across increasingly decentralized enterprises or within peer groups," Ozzie said. Groove has built a more cellular-oriented trust and authentication model to get around the firewall problem in its own domain, but it won't be easy to go beyond that realm.

TIA Gets New Name, Old Questions Persist

The Total Information Awareness program, now called the Terrorism Information Awareness program, under development at the Pentagon's Defense Advanced Research Projects Agency, will integrate data search, pattern recognition and collaborative software to analyze potential terrorist threats. Because of public controversy over the secret research, Congress ordered DARPA in January to submit a report explaining the project, its efficacy and its impact on privacy.

InfoWorld: Privacy advocates: Congress must police data gathering: May 20, 2003: By : Security

Earlier this month, leaders of the Defense Advanced Research Projects Agency's (DARPA) Total Information Awareness (TIA) data-mining research project, now renamed Terrorism Information Awareness, and the Transportation Security Administration's (TSA) Computer Assisted Passenger Pre-screening System (CAPPS II) told a U.S. House subcommittee that their projects wouldn't collect the wealth of information some privacy advocates fear they would.

I forgot to get this posted yesterday, but a bit of identity history:

Yesterday in 1911 (May 19, 1911) was the first time that anyone in the United States was convicted using fingerprints as evidence (it happened in NY State, I believe)....

MetaSMB: The Self-Organizing, Loosely Coupled Directory
Jamie is writing about an interesting initiative from Dan Bricklin (co-creator of Visicalc) -- a way to do some pretty effective Metadata stuff for small to midsized businesses.

I view this as a percolation of identity in the small to mid-sized part of the ecosystem -- one that, to date, hasn't gotten much attention at all.

I've been on the phone most of this moring with some folks that *really* don't understand the identity story....so forgive me if I rant a little:

There is a fundamental change that is occuring. It is beginning with the rearchitecting of our IT networks, but it will extend to bridge the very ways in which our electronic world meets our physical world. And it doesn't matter whether you call it ".NET" or "web services" or "distributed computing" -- because the underlying change is all the same -- We are transforming our networks of anonymity into networks of identity.

This change is being driven in 3 primary ways:

Legislatively -- through things like Article 26 (?) in the EU's charter, the Patriot Act, Sarbannes-Oxley, HIPPA, Graham Leach-Bliley, etc.

Economically -- bottom line: digital identity is no joke -- it is just plain good business. It saves money.

Security -- oh by the way, it makes systems more secure while you're at it.

Can this change be stopped? No. It is inexorably going to happen. Why? Because our electronic networks (especially those focused on economic transactions) will grind to a halt otherwise.

Are there concerns? Sure there are.

Understanding that a fundamental change is occuring shouldn't be one of them.

(eric steps down off of soapbox.)

InfoWorld:  Simple, practical paves the way for wireless success :  May 19, 2003 : By  Ephraim Schwartz :  Wireless
An interesting article about the coming of telematics to the industries that use commercial vehicles. As the "networks of anonymity" that are our current commerical fleets become "networks of identity," efficiency and security are increased.

The "identity story" of productivity increases is becoming *the* common thread...

This article indicates that finally people are starting to realize that nearly all types of networked computing technology are inherently dangerous as things stand today. It isn't about open source vs. proprietary, Windows vs. Linux, P2P vs. Client/Server, or anything else that people often focus on. Rather, it's about whether or not identity has been "handled properly" by the infrastructure the software runs in.

Today, the answer is nearly universally NO, and as a result expect to see a "sudden rise in identity problems" as awareness of what we've really done sinks in. It looks to me like his might be the year that what people *fear* shifts from the unknown "new stuff" to the "unknown nature of the stuff I thought I understood but just woke up about."

That is a good trend, as this is the first step on the road to understanding that "Identity is Center" and to initiating the proper thinking about identity that is required to design identity infrastructures that return control of network technology to its users.

This latest security issue with Passport highlights the problem with any highly centralized identity infrastructure. That is, a single point of failure can compromise everything, and even if it doesn't you can't easily prove it didn't. And it is easy to create a hole as happened here. Microsoft was responding to user desires by allowing email management, and an unforseen side effect occurred. With extremely large centralized systems, this is an exponentially more likely occurrance - it's inherent in the centralized vs. distributed structures.

Microsoft is one of the few companies with the resources and corporate determination to keep doing the work it takes to fully secure such a system, and eventually Passport is likely to be one of the most secure systems in the world. The question is, by the time this can be proved, will anyone still care?

This all illustrates why, for most uses, a distributed approach to identity (such as federation) is what will actually deploy. In that type of architecture, security difficulty doesn't escalate exponentially with scale, liability boundaries can be agreed upon and technically proved, and any failure will be isolated to a small portion of the identity information. And with any failure the maximum exposure that might have occurred can be quickly determined and risk management will be reasonable.

Since identity infrastructure will forever be tightly intertwined with risk management and liabilty, architectures that naturally minimize both are most likely to deploy to wide scale, and those that don't - won't.

Security Flaw Shows Microsoft Passport Identities Can't Be Trusted

Enterprises considering Passport services should delay adoption until at least November 2003 or until Microsoft has completed a thorough security review of Passport, including outside reviewers.

How to choose a provisioning tool - Computerworld

"When I left my position as an investment adviser, no one asked me to return my physical access card, despite the fact that I was going to work for a competitor virtually across the street. I could easily have re-entered my former employer's office and accessed the files of every single one of their clients. And because my former employer failed to turn off my e-mail account, I received group e-mails from my former colleagues discussing how they planned to attempt to steal my clients!"

A Scanner Skips the ID Card and Zeroes In on the Eyes
This NYT article (reg required) talks about the implementation of iris-scanning technology in the Amsterdam airport:

Every year, millions of travelers pass through Amsterdam's Schiphol Airport. For most of them, waiting at the passport-inspection counter is part of the routine. But about 7,000 frequent travelers have a way to speed up the process. In exchange for an annual subscription fee and background check, they are able to confirm their identities to the Dutch immigration service by letting one of seven infrared cameras scan their irises.

The ties between the financial industry and identity are more than obvious. This "cross-border payment mechanism" just came to my attention this morning, and the SSO opportunities seem obvious...

Federated identities: The epicenter of the real-time enterprise - Computerworld
A nicely done article from the CTO of Waveset (they'll be at this year's conference), includes gems like:

As companies move toward zero-latency business models, federated identity management must evolve to ensure real-time monitoring and control over user access rights and profile data across circles of trust. Centralized identity management solutions that aren't designed for a highly distributed paradigm will be unable to keep up with this next generation of high-velocity, collaborative commerce.

News: Microsoft's Passport to doom
Everybody deserves a good rant sometimes, right?

In the terms and conditions of Passport, it says: "Microsoft is not responsible for any loss that you may incur as a result of any unauthorized person using your account or your password." So even though its software is flawed, if someone takes advantage of that flaw, Gates and co. are not responsible.

New hacking tool sees the light | CNET News.com

Govindavajhala's technique could be useful in stealing data from smart cards, which look like credit cards but have memory and a simple processor implanted in the card. Since getting a hold of someone's smart card is much easier than cracking the case on a PC, the attack would be feasible.

Wired 11.06: View
....or as David Weinberger wrote in an email when he sent this link to me: "DRM totally sucks." Hmmmm....as you can guess, he and I disagree on that one.

Story: Digital rights: What MS could learn from Apple - ZDNet
David's writing about MSFT and DRM -- topics that are close to some articles I just penned (not published yet). Look for them soon...one on how En-Scub ensures that Piracy will continue, and one on the uselessness of the term "DRM."

Court draws a line for online privacy | CNET News.com

The ruling is significant, because the appeals panel attempted to address some muddy legal issues related to online data collection. These questions include what, in the online world, constitutes protected "content" for the purposes of intercepting communications--a technique commonly used by law enforcement agencies.

Can Sarbanes-Oxley rekindle IT spending? | CNET News.com

Eight-five percent of 60 companies that responded to the AMR Research survey said Sarbanes-Oxley will require changes to their IT and application infrastructure.

Digital ID World - Conference 2002
If for some reason you weren't able to be at last year's Digital ID World conference, here are the proceedings (both powerpoints and audio). Truly, it was a great experience....and this year will be even better...

The Register
Funny thing, perception. I was in the same room as this guy when Bill Gates gave this speech -- and I heard *none* of what he's talking about.

Now, I don't mind a little "perspective journalism" (I do it myself), but at some point I have to wonder if the journalist's personal hatred of something isn't causing bias to the point of non-sense.

Combine this piece with Orlowski's slamming of O'Reilly's Emerging Tech Conference, and you begin to think that The Register's modus operandi is now to bash, condescend and trash....kinda like the Gossip Rags -- with about the same level of integrity.

At WinHEC, Microsoft Discusses Details of Next-Generation Secure Computing Base
Here's the Microsoft Press Pass En-Scub interview with Peter Biddle and Bryan Willman...

Psst, I hear that . . .

Let me put this another way: They say you can't have too much of a good thing?. . . Convenient online anonymity just might be an exception.

Passport woes point to process, credibility problems

Microsoft scrambled late Wednesday and Thursday to turn off the e-mail update feature and patch the problem, according to Adam Sohn, product manager of Passport at Microsoft. The password update feature was patched and the password e-mail service restored by early Thursday morning, with only a "handful" of .Net Passport customers affected, Sohn said.

InfoWorld: WinHEC: 'Palladium' for servers a long way out: May 09, 2003: By Joris Evers: Platforms

Features such as hot swappable processors can "really cook your noodle in a trusted computing model," Biddle said at Microsoft's Windows Engineering Hardware Conference (WinHEC).

Microsoft: A separate look for security | CNET News.com

...A hacker can create a spoof page with dogs' names running along the border but, in all likelihood, not one reading "Buffy, Skip and Jack Daniels--and in that order," Biddle said.

Passport problems could cost Microsoft | CNET News.com

"Of course we should have caught it; we should catch every (issue)," he said. "That's what you are working toward. We are always looking. There is not a beginning or end to this kind of effort."

InfoWorld: Microsoft sets sights on DRM market: May 08, 2003: By Scarlet Pruitt: Security
Phil and I have been discussing the name, "DRM" -- mostly because the term is so tainted already, that it is essentially negative.

We're working on a newer terminology. One possibility DPT - Data Protection Technology. That would encompass DRM, "trusted" computing, document protection, etc.

InfoWorld: WinHEC - Microsoft expects slow adoption for NGSCB: May 08, 2003: By Joris Evers: Security

AMD thinks NGSCB might be in most PCs by 2008, said AMD Platform Security Architect Geoffrey Strongin.

"My crystal ball is pretty fuzzy. I don't think ubiquity by 2008 is unreasonable," he said.

Microsoft turns to emulators for security demo

Microsoft Tuesday demonstrated its closely watched Next-Generation Secure Computing Base security technology for the first time, but had to fall back on emulators because critical hardware parts were not ready yet.

Yahoo! News - Gates Touts New Secure Computing System

There's a lot of bad, FUD-filled coverage around this topic right now.....I'm very close to an article to help straighten a few things out.

Protection sought for online critics | CNET News.com
A range of free-speech activists are supporting a bill that would require Internet service providers (ISPs) to notify customers if their identity is going to be revealed. The ISPs would have to tell the customers either by U.S. mail or through a notice on the bulletin board where the posting appeared. Once notified, the customers would have a chance to file an objection.

This article speaks of the En-Scub demo that we witnessed yesterday at WinHEC. There has apparently developed some sort of flap over the demo, in that some of it was running on actual hardware, while some of it was emulated. Hence, the strange out of place sentence in the opening paragraph.

I must confess, I don't understand what the big deal is about. A demo is just that "a demo" -- there is usually some level of emulation in any demo.

(note: still trying out this "running notes" experiment; lemme know if its useful or a waste of time.)

The Ecosystem of En-Scub
========================

(walkin' in midway through)

flow between Smart Card - TPM (TCPA) - and En-Scub....

the combined three protects against basically all threat models with the exception of an insider software attack and an insider hardware attack.

Target Markets: Vertical Sementation (a graph where axis X is security exposure and Y is Size of companies/security spending)

highlighted companies: gov't, financial, healthcare, legal, insurance (high on the graph); prof. svcs, telecom, pharma (medium on the graph); education, manufacturing, retail (low on the graph). (See my just posted article, "Where to draw the line?" Guessed right on that one! ;-)

What makes them "high" on the graph: a distributed environment, privacy issues, significant amount of customer/client data, focus on ensuring hiearchy of info access, managing secure/non-repudiatable interactions.

what else contributes: remote access, secure collaboration.

Customer quotes regarding En-Scub: from healthcare, pharma, investment banking and general global 1000 enterprise. No names of companies provided. All point to the same need for a "virtual walled garden."

En-Scub and Smart Cards make each other better

EJN: I repeat....how long till Microsof acquires a Smart Card company? (for their software not hardware)

corp, gov and vertical opps follow; mass consumer and e-commerce opp to follow.

Distributed computation involving money, rights, property or expectations -- impacted by "trust" in systems; large scale growth opp for PC space.

Provides a tangible reason to buy a new PC; "Trusted" brands; Product leadership.

"TCPA,TCG and NGSCB": msft founding member of tcpa and tcg; focus is on the next spec TPM 1.2 (security support component in the En-Scub space).

TPM1.1 in the market; TPM1.2 availavle q1/04; En-Scub 1.0 with TPM 1.2 - future version of Windows.

EJN: never been to a conference like this. the presentations are meant to convince the audience to include En-Scub in their product plans. interesting approach. I wonder how the difference between RSA and this happens (did RSA start as this?)

Info at: www.microsoft.com/ngscb
email: ngscb_qa@microsoft.com

Industry Perspectives on NGSCB
==============================
(done by Gartner)

2003 spending on IT 868B per year in US (growth 03-06 at 6.2%)
Latin American growing at 8.8%

Hardware segment: PC 185B per year; Cell phones 100B per year (2 biggest markets).

Real-time enterprise: movement of biz systems to real-time.

E-business will fuel spending in tech industry by 2005. Next generation of IT generate cash (via realtime savings) and revenue.

PC evolution: replacement cycles lengthen; buy on price, service support - not technology; design evolution continues; pda, wireless, convergence offer new opps; vendors focused on realtime biz will gain; pc disposal becoming important.

Separated computing model: trust required for biz implementation....can bring windows capability to a broad array of clients.

En-scub enables platform-level encryption; encrypted harddrives.

Security opps: "push money" (paypal), trust based biz models, anonymous transactions (?), secure email, global financial freedom. Trusted platforms create these opps.

EJN: whew! End of the day, and this gartner presentation isn't the *most* exciting thing ever...

(Please note: these are my "running notes" from a session; unedited and comin' at ya....where it says, "EJN:" - that indicates my comment not the session.)

Nash: Directions on msft security
=================================

The Internet: everyone connected. This power brings connectivity and *risk*. Risk flows to all device types (in numbers).

Need: a security model that provides protection to that proliferation....expect newer applications that have greater value. Corporate boundaries disappear. The ability to provide control in that atmosphere demands a change.

Right: a right to a trustworthy computing environment.

Platform that is trustworthy: applications and hardware.

4 areas of focus: security, privacy, reliability & biz integrity.

EJN: Nash is summarizing the pre-conditions to an identity switch...ie, the proliferation of a distributed network that moves toward handling high-value interactions.

response: fundamentals, architecture, innovation = Platform evolution.

EJN: heard most of this presentation at RSA, so I'm working on an article.

Mike Atalla with the Rights Management Server demo -- pretty cool stuff. Think of being able to put policy rules around your email....ie, when you say "confidential - do not fwd," people actually *can't*.

Nash is onto En-scub (palladium). Think of en-scub (the nexus) as a slimmed down operating system that can operate more securely.

Key thing: in the long term, to enable the things that are aspired to by the internet -- it only becomes attainable if "we" (msft") can deliver an environment of trust.

NGSCB components:
1. strong process isolation
2. sealed storage
3. secure path to and from user
4. attestation

(drill down)

1. roots protection in the hardware; secure kernel (the "nexus"); mediates processes via nexus to isolate apps.

benefits: prevents machine misconfiguration; protects apps and info; end user - my private info is protected from bad software.

2. Walled data; encrypts data based on hardware secrets; protects keys with hardware/nexus; protects data on a per-app basis.

benefits: keeps stored data inaccessible to bad software; end user - my info is private.

3. more secure collaboration; establishes security btwn user and program; prevents snooping and spoofing; proves user presence.

benefits: conforim confidentiality of transaction; confirm integrity; "fingertip to eyeball" security.

4. Attestation (most important) - authenticate trustworthiness; defines the secure environ; defines what should be trusted; verifies that things remain trustworthy; extends how trust works beyond the desktop.

benefits: know what can run; decide who/what to trust; delgate trust decisions ot someone else (can); endu user - software can't hijack my browser.

(intel takes the stage)

(demonstrating NGSCB) -- first time ever seen live; they're hacking into machines. using the hacks to look for "account numbers" - first in a non-En-Scub environment; then in an En-Scub environment.

An demonstrating the "secure channel" via a chat application. (trying to use a key stroke logger).....

Cool stuff -- all shown to protect the user (not the Record company -- disappointing, i know).

Lots of En-Scub demos, etc are flying around the halls now....and this page looks to have a Q&A posted soon. Watch this space for those updates...

Phil and I have made it to WinHEC, though I won't quite be able to fulfill my dream of real-time blogging. They have Wi-fi, but only really in and around the internet cafe (the signal isn't strong enough in the main presentation hall to hook in there). However, the Press Room has a smokin' fast ethernet connection, so -- while we won't be real-time, we will be often-time.

That said....

Bill Gates gave a pretty entertaining keynote this morning (complete with the standard Microsoft demos, videos and powerpoints). Highlights:

1. A video called, "Behind the Technology." Modeled after VH1's "Behind the Music," this little ditty detailed the "twists and turns" of the technology industry. The video featured Clinton, Buffett and other big-wigs and was pretty entertaining. Big moments included:

A) Bill Gates (subtitle "Altair enthusiast") talking about the "simplicity, light blue hue and industrial qualities" of the Altair....saying it reminds him of something (as the picture of the Altair morphs into a Mac) [big laugh from the crowd].

B) "The industry that spawned a rivalry": referring, of course, to Jobs & Gates -- and the accompanying movie with Anthony Michael Hall as Gates. (cut to Hall on screen) Hall says," It was pretty hard to get into the role -- the caffieneted beverages, the cold pizza, the lack of showering, the no sleep." (cut to Bill Gates) Gates says, "That guy doesn't look anything like me -- he's a TOTAL geek!"

2. "Athens": Athens is the new prototype from HP/Microsoft. Imagine a flat panel with phone, speakers, bluetooth, everything attached. You walk up to the screen and different lights tell you whether you have voice mail, email, faxes, or appointments waiting. You pull out your USB device (containing crucial docs), plug it into the side of the monitor (it contians a smart card chip); place your thumb on the side of it (biometric authentication) - boom, the machine comes to life. (Note: we'll be looking into WHO is making those smart card/biometric/usb devices - my first guess is Authentec.)

3. Meta-point from the keynote/demos: The integration of distributed data requires identity as an organizing principle. Granted, we've been saying that for some time, but it continues to get driven home at events like these.

4. New Terms: Phil and I have been discussing the irrelevance of the term "Digital Rights Management" because it has gotten *so* politicized (and not in a positive light). As such, we've been on the lookout for some new terms that might encompass DRM......thoughts after Gates' keynote:

CS/DDS: which stands for

Communications Security/Distributed Document Security

Lemme know what you think....

More will follow this afternoon, we're both busy writing articles, but intend to attend all of the breakout sessions this afternoon. I'll be taking notes during those and transferring them to the blog (in real rough form, i'm sure) later this afternoon. Stay tuned...

This is an interesting article from NetworkWorldFusion outlining some real-world implementations of ID Management systems. The article would seem to imply that Computer Associates is becoming a major player quickly (beating out Tivoli and Novell on some bids, at least).....something that wasn't on my radar screen

In response to the Benetton Privacy flap, Philips says it will add a kill switch to its RFID tags.

This is representative of how many identity technologies will evolve. First, a technical problem will be solved, then the privacy implications will get thought about, then a technical change to deal with the privacy problems will occur so the technology can deploy. You can expect to see this "cycle" in many places as identity starts to actually deploy. Further, expect the privacy "fix" itself to evolve over time to become more granular and refined.

Financial firms get new guidelines on customer IDs - Computerworld

The U.S. Treasury Department has released final regulations designed to prevent the funding of terrorist activities and money laundering. The rules are part of the Customer Identification Program (CIP) of the USA Patriot Act.

Security at What Price?

When Microsoft Corp. raises the curtain on the first piece of its Next-Generation Secure Computing Base for Windows technology this week, company executives said it will mark the beginning of a fundamental shift in the architecture of the PC and the way users interact with their machines.

NGSCB Feature May Help Pirates, Study Says

Record labels and movie studios are eagerly anticipating the potential file protection capabilities of Microsoft Corp.'s Next-Generation Secure Computing Base technology, but new research contends the architecture's security features may also help pirates and file swappers protect their ill-gotten gains.

Longhorn, new PCs on tap for WinHEC | CNET News.com
Phil and I are headed to WinHEC this week -- mostly to check our "Enscub" (the pronounciation of NGSCB -- formerly Palladium)....

I'll try to blog real-time notes of some of the sessions, something I've never done before. We shall see...

Identity Management and Web Services: The Yen and Yang of Distributed Computing

Just as the business processes IT supports are changing, then, enterprise identity management must change as well. Today, most companies manage identity on a per-application basis. But identity must become more persistent through the continuum of any given business process, spanning not just multiple applications, but multiple organizations. Only then can identity provide the predicates for security, regulatory compliance, risk and liability management, and other core business functions. Thus, identity-based security mechanisms are a core component of the Web services framework.

A Smart Card Day in Paris - Chip Technology - CIO Magazine May 1,2003

IN PARIS, IT'S HARD to imagine a day without smart cards. Invented in France in 1979, the small plastic cards get their brains from a computer chip that can be programmed to allow consumers to chat on their cell phones, buy baguettes and ride the metro. Equipped with a password, they can be used as security devices at office complexes and military bases.

Passport to get Web services stamp | CNET News.com

Passport will eventually work with Web services standards, including Web Services Description Language (WSDL) and Simple Object Access Protocol (SOAP), Microsoft said. It will also conform to WS-Security, a security specification devised by Microsoft and IBM. The software maker hopes that standards compliance will lead to greater adoption of Passport by developers as a single sign-on technology for inclusion in Web applications.

Tyco, mostly known lately for its high rolling ex-CEO and accounting issues, is now betting that the time for RFID is here. This article indicates that they are forming a new Tyco SensorID RFID Solutions Team and want to become a "single source, global partner for retailers and retail merchandise companies looking to deploy large-scale RFID systems."

In short, they think that the RFID business is ready for a big player to consolidate smaller players as the market matures. It will be interesting to see how this turns out, as it would mark a tipping point in RFID deployment if they are right...

News: Face the facts on surveillance

On my way into work today, I counted more than thirty-five cameras watching me, and that's excluding those watching the road for the congestion charge, those behind windows, those in police or other vehicles, or those in any way concealed. It used to be that you could take a certain comfort from the knowledge that short of employing half the country to watch the other half, a severe shortage of eyeballs would leave you some privacy in your outdoor life. Not now. Our friend the computer can identify us by face, gait, body proportions--and this week, Intel even released open source lip-reading software. Who needs microphones?