I can't say that I fully understand the synergies on this one - yet....

But I do know that Activcard acquiring Protocom continues the streak in the identity market.

We'll dig into this one to find out how the two companies will enhance the other.

For the code hounds amongst you, Andy Harjanto is working his way through all kinds of InfoCards code...all kinds of interesting stuff can be found about RPs, tokens and other assorted goodies.

Jon Udell is digging deeply into PKI, SPKI (simple public key infrastructure - the security architecture behind Groove, now Microsoft Collaboration suite), and "ceremony" as it relates to Kim Cameron's sixth law.

Jon's digging is fun to watch, but what is more amazing is all of the tentacles that go back into identity computing history.

Trusted Computing like DRM is a topic that is fundamentally in the realm of digital identity technologies - though its often not seen that way.

The Trusted Computing Group has been doing a lot of good work lately with regards to standards for establishing trusted clients and servers. Most people don't realize how many trusted clients (ie, laptops and desktops with TPM chips) have actually shipped.

Its interesting - for all of the heat that the DRM guys take, the TCG guys are quietly going about their business and shipping product. I'd be that - just like the mass adoption of email and internet usage - trusted computing will gain its first foothold in the workplace.

A panel of experts has agreed with some of the basic conclusions of my recent article on the proposed bills for "data security."

This quote comes from the article:
"If we start notifying everybody for everything that looks like it might be harmful, we're going to cry wolf so much that we're going to move away from this great medium that we're working with."

I agree -- following all of these proposed guidelines could result in so much notification as to make notification irrelevant. Eventually, Internet users would be like smokers -- they wouldn't read or care about that warning label on the side of the pack.

Now CU's servers have been hacked -- with the usual being compromised: SSNs, names, adresses, dates of birth, etc.

Why is this? Are universities just better targets? Are they lax in their procedures? I wouldn't think so, but -- its getting weird how many universities are getting hacked.

Digital ID World has often spoke of the "hype curve" or "hype cycle" that technologies go through -- basically charting how expectations get ahead of actual deployment capabilities. Getting out of the disappointment phase is important if the technologies are ever to reach a critical mass of deployments.

Here is a Forbes piece which is basically an "anti-hype" piece on RFID. It talks about fragmented markets, slow spending, disappointed customers - the usual stuff that accompanies the "disappointment" phase.

Will RFID recover? I think so, but it will probably take a good 18 months.

My humble opinion of where other technologies are on the hype curve:

Provisioning: in *heavy* deployment; very hot; will start seeing some customer disappointments in about 12months; outlook through the first half of 2006 - very good.

Identity Management suites: they've been hyped; they've been acquired; and they've started to get deployed; 2006 will see people begin to struggle with the monolithic deployment (much like they did with CRM and ERP); watch for the "think tactical, deploy in pieces" stories to emerge.

Enterprise SSO: about as steady as they get; E-SSO is one of those technologies that actually does what it says it will do; perceptions don't get out of line here much.

Federation: Look for 2006 to be the year of hype cycle; it began this year; Burton is now talking about how its everywhere; the "press" will pick it up in the next 12months and it will seem like *everyone* is federating. I'd bet this curve can last 24months from the start of 2006 (with the accompanying bumps and dips, of course).

Virtual Directories: I'm not sure that this technology gets a "hype cycle" - it may just get integrated/acquired into the stack.

End-user identity (Infocards, etc): just starting; the usual dose of skepticism accompanies this move; we're still 12mos out from really beginning this hype curve in earnest, but it could be accelerated according to Microsoft's product release cycles.

Identity appliances: not on the hype curve yet - but they will be, and I'll bet they rise up it quickly; security architects like buying little black boxes - its a jungian thing or something.

Identity Software as a Service: barely even on the map (save the efforts of Covisint); Jamie Lewis told me he thought Identity Management as a Service would be a hard sell; I disagree -- in 24-36months, that is.

Strong Authentication: Not hyping yet, but growing very fast; 12 months from now we'll have large scale, end-user facing deployments and the hype will kick in; and then someone will screw up really badly and we'll get the backlash.

Phishing/ID Fraud/ID Theft solutions: as far out onto the long tail as the hype curve goes.

Here's a couple of link hints as to content of my next article:

Senators propose sweeping data-security bill

and

ID Theft Bill Widens Encryption Rules

Here's another hint: Market dynamics trump security audits and FTC checks any day.

Apparently there was an email authentication summit - and an old friend of DIDW's was there - Esther Dyson. At that gathering, Esther said something truly wise (quoting the article):

"The implicit trust that existed when the Internet was created as a government-sponsored research project has evaporated, Dyson told Summit attendees in a keynote address.

Malicious hackers and organized, online criminal groups are freely exploiting weaknesses in core Internet technology such as e-mail and the Domain Name Service, she said.

With problems like spam and identity theft rampant, the organizations responsible for maintaining the Internet need to introduce "friction" back into Internet transactions that will distinguish friend from foe, she said."

Its a funny road, but i think we *do* need to add some friction back in until identity becomes part of the infrastructure -- then we can remove it again.

I just had a reporter call me about this:

Sun to Open Source Web Single Sign-on

What he can't figure out (and what i can't figure out either) is -- Is Sun open sourcing:

A) their proprietary code from Java Access Manager

or

B) standards-based code that forms the basis for their federation products

....both are good - its just not clear which it is....

(update: Sara Gates made it clear -- sun is NOT open sourcing their federation products, but rather the proprietary modules inside of Access Manager for internal SSO.)

An interesting story about patches being issued for Kerberos flaws....interesting if only because Kerb tickets are so widely used.

One of the great things about blogs is that *everyone* becomes everyone else's "reporter in the field." Here's Phil Windley covering Jamie Lewis' keynote at Catalyst:

"I'm at Catalyst today, sitting in the Identity and Privacy Strategies (IPS) track. Jamie Lewis (Burton Group CEO) is giving the keynote. It's telling, I think, that Jamie's here and not at one of the other tracks. The IPS track is in a large ballroom and the place is packed. Jamie's mostly talking about why identity management (IdM) is important now and what's driving it. "

Burton Group's annual Catalyst event has started. Phil's onsite -- meeting with tons of companies -- and sure to come back with loads of stories and insight.

In the meantime, there's the usual spate of press releases:

Entrust and Trustgenix Partner

Sxip Identity Unveils On-Demand Identity Solution

HP Pumps up ID Suite

more to follow....

Also interesting are these two posts:

1. Phil Windley's coverage of yesterday's Identity Gang Meeting

2. An article about Data Loss and Identity Management products

More "data protection" or "identity theft" bills are showing up -- first we had the Specter/Leahy bill and now we've got the Barton-Dingell bill. eWeek covered it here. The gist of the bill is this (quoting eWeek):

"The Barton-Dingell draft bill would require companies holding sensitive data to hire an information security officer, and the bill sets up a national breach notification requirement, pre-empting state laws. If a breach could result in identity theft, the compromised company must provide a free credit report and a one-year subscription to a credit-monitoring service to potential victims. "

Essentially, the bill adds an encryption and notification requirement to data brokers -- also requiring them to submit their security policies to the Feds for audit (yep, you read that right).

I'm all for good legislation - I just haven't seen any around this topic yet. I'm aiming to write something up in the next few days about what good federal legislation *would* look like. We'll call the Norlin-Becker bill ;-)

Of course, our thoughts today are with the citizens of London...

An intereting blog entry about the analog vs. digital property rights surrounding DRM - and thoughts about how all of that plays out (economically) speaking.

More grist for my mill....

In my continuing quest toward writing about the MGM v. Grokster decision, and its identity implications, I'm reading things like this opinion piece on eWeek (quoting):

"First, innovation and new art in peer-to-peer networks will be seriously curtailed in the United States. I can see technology advancements in storage, data sharing and data distribution being retarded.

If MGM vs. Grokster sounds like a strong suggestion to put three or four sets of brakes and a 500-pound lead weight on a high-performance sports car so that people can safely drive 40 m.p.h. on the information superhighway, that's probably the right image."

And so it begins....

Last week saw the introduction of a Bill by Senators Leahy and Specter -- a bill that, as Declan McCullagh points out, is heinous in its punishment of the "little guy."

Now, I'm quite sure that the Senators mean well, but this is legislation written by people that clearly have little to no idea what problem they're trying to address.

And so, as feared, the bad legislation of solvable identity problems begins...

I'm thinking about DRM and identity a lot in my spare time, lately. And, in the process, reading a lot of opposing arguments. All of that led me to (believe it or not) listening to my first podcast today --- Dave Winer's post on copy protection and DRM -- a *really* interesting post that provides context around all of this - from both a "software veteran" and "end-user" standpoint.

i'm working through a lot of thoughts in my own head around this tangle -- thinking about an article i'm hoping to write next week.....hoping, that is.

happy 4th!