I'm watching the Accenture Word Golf Match play between Tiger and Davis Love II on a Sunday afternoon, and I just saw a commercial advertising the end-user benefits of NEC biometrics...is that a significant event?

Digital ID World is on the road this week -- we're off to the RSA Security show -- a conference that is a necessary stop on the digital identity calendar.

Check this space for blogging updates, and look for a wrap-up article toward the end of this week...

This is an interesting article about the collision of networking and security -- a topic that is timely in light of recent acquisitions by Juniper. As Phil has pointed out in past newsletters (sign-up!) - the intersection of networking and security centers around a fundamental realization that identity is the tie that binds.

As if to highlight this fact, Cisco contacted me -- wanting to brief me on their "identity plans" at the RSA conference next week. Suddenly, the whole world's an identity company...

In what some would say is a major step forward for the "federated identity industry," Nokia has announced the completion of pilots with Orange and Vodafone around federating identities. This, of course, is the preliminary step to a major roll out to the end-user population.

Quoting:

Nokia has announced successful completion of pilots with Orange and Vodafone, featuring single sign-on for mobile devices, a technology eliminating the need for multiple entering of user authentication credentials when accessing different services, such as gaming or ticket reservations. In addition, Nokia is working with America Online, Inc., to demonstrate a prototype Nokia mobile device offering Radio@AOL, a leading online radio service. All these service pilots are based on Liberty Alliance Project specifications, a group committed to developing open, interoperable specifications for network identity.

"The Food and Drug Administration recommended today that drug makers and retailers use radio-frequency identification and other technologies to secure medications throughout the drug supply chain," this article reports.

This is an interesting use of RFID as an anti-counterfeiting device, and the FDA report says that "reliable RFID technology will make the copying of medications either extremely difficult or unprofitable."

The article acknowledges that counterfeit reduction is an ongoing task, and introduces a term I like -- "Authentication technologies for pharmaceuticals" -- which it says will be field of ongoing development.

The Internet of things takes another step...

Speaking about Sun's planned use of Java "smart cards" in PCs, Jonathan Schwartz stated: "Anonymity tends to go hand in hand with mischief...Authentication tends to eliminate this mischief."

I'm not sure I would have stated it *that* strongly. Anonymity creates an environment that more easily facilitates mischief -- but it doesn't necessarly "tend" to go hand in hand with it.

Nonetheless, Sun appears to be living up to my 2004 prediction that they'll get focused and become an identity company.

An article that points out something we tried to point out on these pages months ago -- namely, that the AAMVA (american association of motor vehicle administrators) has had a plan on the table since 9/11 to "standardize" driver's licenses in the U.S. - including biometric standards.

I've got news for you folks - a standardized driver's license in the U.S. is *as good* as a national id.

Way back in September of 1958, the Bank of America sent 60,000 "BankAmeriCards" to some unsuspecting Californians. These "credit cards" were an unknown -- there wasn't really anywhere to use them, their future utility was unclear, their purpose wasn't really understood.

Today, Verisign is announcing that they'll be giving away Digital ID credentials to school kids - so they can send encrypted email, interact with sites that require a digital signature (which ones are those?), and experience an overall safer online experience.

This quote comes from the above cited article:

"Right now, it seems premature. There is nothing really out there. They are building an infrastructure with the hope of later attracting some utility for it," said Dan Moniz, a staff technologist at the Electronic Frontier Foundation. "But, on the other hand, if you give kids all these tokens upfront, then VeriSign can later go to online retailers who want to sell to that market."

Is it just me, or does Verisign's strategy sound eerily familiar? Is it possible that someone inside Verisign has been reading Joseph Nocera's "A Piece of the Action"? Either way -- this is just damn smart.

Quarterly filings have revealed what Sun Microsystems paid for their acquisition of Waveset late last year: $136 million.

More here...

The very first Digital ID World conference saw us award Drummond Reed with a DIDW award for his creation of XNS. XNS has since been renamed and moved into OASIS (under XRI and XDI). This article talks about the recent develoments with XRI and XDI - and what it might potentially mean for identity management.

The acquisition spree is not ending, as now Oblix is buying Confluent Software. This is especially noteworthy as it recognizes the collision of identity and web services management. I expect to see these spaces blur rapidly over the next 12 months -- the result being that identity is the foundation for secure web services (but we all knew that already, didn't we?).

Quoting from the article:

The Confluent software will allow Oblix to expand its product line into new areas of security and network visibility, a company representative said. The Confluent software will let Oblix manage business processes across machine-to-machine transactions, rather than just transactions such as a person accessing a network or Web site, the representative said.

A really nicely written piece that gives an overview of the Security Assertion Markup Language (SAML). Quoting:

Single Sign-On (SSO) systems have long been proposed as the solution to this problem. By authenticating users only once and then automatically assigning those users their appropriate access privileges, SSO systems theoretically provide both convenience and security. Unfortunately, using SSO typically meant being confined to a single vendor, as there were no open standards for securely exchanging authentication credentials.

The Security Assertion Markup Language (SAML) aims to change this. Officially approved by the Organization for the Advancement of Structured Information Standards (OASIS, www. oasis-open.org) in September 2003 and already implemented by many major vendors, SAML is an Extensible Markup Language (XML)-based language for transferring both authentication and authorisation information. Once a client has logged on and authenticated, every SAML-speaking application should be able to identify him, her, or it without reauthentication.

BT has created BT Auto-ID Services, a unique offering in the RFID field in that it isn't chips or middleware or a server, but rather a hub/switch service offering:

The telecom company said the unit will provide a suite of managed RFID services that will integrate with customers' existing enterprise resource planning and warehouse management software.

BT Auto-ID Services Chief Executive Ross Hall likened the RFID infrastructure to a telephone network, with BT in the middle acting as central hub or switch--feeding in data from tags and dishing out information to a company's internal systems. "BT's expertise in (Internet Protocol) infrastructure and data management, combined with our unrivalled global network, makes BT the obvious choice for highly scalable and secure Auto-ID services," he said.

As far as I know this is unique in the RFID world....and quite interesting insofar as it is analogous to offerings by companies like Neustar in the telecomm space.

It also links back to an internal discussion that we've been having over here at Digital ID World:

Will RFID quickly consolidate down into 8-10 vendors as folks like SAP, Oracle, Microsoft and Sun integrate it into their middelware?

Or

Will RFID proliferate with a host of verticalized solutions -- each aimed at management of the data generated by RFID in light of legislative and industry directives?

Just barely caught this breaking news as well:

The world's largest smart card rollout is set to begin: starting in March, all Chinese over the age of 16 will be issued a smart card as ID document. The rollout of chip cards to 1.3 billion citizens is expected to be completed by the year 2008, according to the official news agency Xinhua. Officials of the Ministry of Public Security expect the new ID card to be a way of preventing the rampant forgery of old ID cards. The new card will be put into use in the cities of Beijing, Tianjin, Shanghai, Shenzhen and Changsha.

Wave Systems:

Lee, MA – December 18, 2003 – Wave Systems Corp. (NASDAQ: WAVX – www.wave.com), today reported that the Securities and Exchange Commission has commenced a formal investigation into certain matters relating to Wave. The SEC's investigative order, received by Wave on December 17, 2003, relates to certain public statements made by Wave during and around August 2003, as well as certain trading in Wave's securities during such time. The SEC has not concluded that there has been any wrongdoing, and Wave is cooperating fully with the SEC on this matter.

Jim Kobelius of Burton Group has published an interesting piece about federated identity standard's need for WS-eventing and WS-notification. Quoting:

To varying degrees, the flow of identity information is determined by the implementation profiles of identity management federation protocols, such as Security Assertion Markup Language (SAML) 1.1; Liberty Alliance Identity Federation Framework (ID-FF) 1.2 and Identity Web Services Framework (ID-WSF) 1.0; and Web Services Federation Language (WS-Federation) 1.0. Both Liberty ID-WSF 1.0 and WS-Federation 1.0 define complex infrastructures for brokering requests for identity-related user attributes among federated identity management domains. However, both specs fall short of defining publish and subscribe (pub/sub) protocols for handling identity information interchange across federated identity management infrastructures.

An interesting story is surfacing about the Content Management License Administrator coming out of the Open Mobile Alliance -- a supposed DRM scheme for mobile devices:

CMLA aims to ease piracy concerns among movie studios and record labels over a growing number of devices, including cell phones, capable of connecting to wireless networks. According to one source familiar with the plan, the DRM scheme will be built into mobile handsets, allowing encrypted files to be streamed onto compliant devices. Known as OMA DRM 2.0 Enabler Release, the specification could also potentially support devices connected in wireless networks based on the 802.11 standards, or Wi-Fi.

I've dropped an email to Simon Phipps (of SunMicro), who sits on many of the OMA's committees asking about the scheme...