Digital ID World Weblog
September, 2005 Archive
September 30, 2005
Intelligent Reaction  #

This is a really interesting post that is examining Adam Bosworth's thoughts on software development - specifically in the context of Salesforce.com's success.

Quoting:
"The company does not obsess about the grand plan. Because you know what? Like all grand plans, it doesn't survive the encounter with reality, and it is reality, not the grand plan, that matters."

The larger point is that companies like Salesforce.com are delivering features on a radically rapid basis (every 2 weeks!) - and then reacting to how the market uses or doesn't use them.

This brings (once again) to my mind the idea of an identity management company that offers IdM functionality in modules as a hosted service. I'm not sure if VCs read this blog or not, but I'm wondering when this idea gets funded. Sure, it's risky - but hey - that's why they call it a 'startup'? ;-)

In any case, I can envision a hosted services IdM company that breaks open the midsize business market.....a company that delivers features on a rapid basis - and knows how they get used because they're *hosted*; a company that takes an existing (granted, emerging) business model and applies it to an acknowledged hot sector.

I see all of the appliance vendors that are getting funded in this space - but where's the hosted IdM company?

Mr. Benioff - do you have this trick up your sleeve?

ejnorlin at 04:19 AM MST
September 28, 2005
Links  #

Two Microsoft links that are unrelated (in the press's eyes, anyway):

1. InfoCard Integration Still Could Make It Into IE 7.0

Mary Jo Foley is writing about Kim Cameron and his team - and their efforts to get InfoCards into IE7.0, Safari, etc.

2. Microsoft: No substitutes for Trusted Platform Module allowed

Meanwhile, David Berlind is addressing some of the finer points of Vista's inclusion of the TPM (1.2b to be specific). If that's confusing, throw in some non-interoperable smart cards and USB dongles, and you'll be getting close....

ejnorlin at 04:39 AM MST
September 27, 2005
Health Cards  #

T-Systems, an arm of Deutsche Telekom, is launching a pilot in Germany around healthcare identity cards. InfoWorld covers it here.

Quoting:
For the pilot, the participating insured patients are issued electronic health cards, and the physicians are given electronic professional cards. In the doctor's office, patients and physicians must insert their chip cards into write-and-read stations and enter their PIN (personal identification number). Only authorized physicians have access to patients' data. The same procedure applies for both patients and doctors in the Bottrop hospital.

Moreover, because the health professional card includes the physician's signature, which is saved on the chip, doctors can also sign prescriptions electronically. T-System issues the signatures via its own T-Telesec-Trustcenter.

ejnorlin at 05:42 AM MST
September 26, 2005
Esther on Anonymity  #

Surfing around this morning (something I rarely do anymore - now it's all feeds), I stumbled upon Esther's entry on anonymity.

Quoting:
For starters, I think many people will move pretty rapidly from no identity to multiple identities. Whether you're simply an individual attempting to remain fluid and not get caught in a single identity (only a studious geek, or only a fun-loving mom or a talented musician) or you're concerned about privacy and you want multiple identities to throw the authorities off track (!), expect to see more and more people with multiple identities that may or may not be easily traced. (For sure, most such identities will be traceable by authorities with subpoena power, but not by your neighbors, your colleagues or even your prospective employer.) In fact, we expect to see some people create decoy identities to throw surveillors off the scent, fighting too much information with disinformation and fake "kompromat" (compromising materials). This is a well-known technique in (mostly) fictional societies troubled with too much transparency for individuals and too little for transparency for the authorities.

Esther's writing brings me back once again to "Norlin's maxim." For those of you that haven't been reading us since day zero, "Norlin's maxim" began as a bit of a joke - mostly me making fun of people who make up a law and then name it after themselves. The problem is - it may turn out to be true.

To review - Norlin's maxim:
The internet inexorably drags all information it touches into the public domain over time. The rate at which it drags that information is directly correlated to the amount of contact it has with that information.

Re-stating: the internet is NOT a network of anonymity. Rather, it's a network that drags information into the public domain over time. So what might have appeared as anonymity was just information that hadn't been made public *yet.*

My simple proof (back in 2002) was Google -- google your name today and google your name 30 days from now. More information about it exists online 30 days from now.

In any case, Esther's exploring the fading of anonymity and how to deal with it. She was prompted by the question - What won't we have in 2035?

ejnorlin at 03:45 AM MST
September 23, 2005
Digital ID World and IDG World Expo Join Forces  #

Big news for us -- we're very excited, and available to answer any and all questions....the press release is below.


Digital ID World and IDG World Expo Join Forces

Premier identity event reaches new plateau in serving the identity industry

FRAMINGHAM, MA, September 23, 2005 – IDG World Expo, the leading producer of world-class tradeshows, conferences and events for technology markets, and Digital ID World, Inc. today announced that the two companies will work together to make Digital ID World even more valuable and relevant for the identity community. Digital ID World®, the premier identity industry event dedicated to digital identity technologies and solutions, is scheduled to take place in Spring 2006.

“Our May 2005 event was a watershed moment where both attendees and vendors saw the power and value of this event, and they wanted it to grow and expand in new directions,” said Phil Becker, founder and conference co-chair of Digital ID World. “To better serve this community, we are joining forces with IDG World Expo, giving us the capability to be very responsive to the demands of this rapidly growing industry. We now have the tools to make this event even more impactful and valuable for vendors and attendees, while continuing our tradition of vendor-neutral industry advocacy.”

Digital ID World will combine the identity industry expertise of Phil Becker, Founder and Conference Co-Chair of Digital ID World, with IDG World Expo’s expertise as a world class event producer. IDG World Expo will manage all aspects of bringing the audience and vendors together, while Digital ID World, Inc. will continue to organize the strategy, develop the conference content and communicate with the identity industry leaders about the direction of the event.

Digital ID World provides business executives and IT managers with an exclusive conference opportunity to interact with thought leaders, developers and providers of identity solutions. With real world deployment case studies focused on the enterprise and presentations covering identity-based technologies, standards, business processes, Web services security and RFID, Digital ID World offers superior networking, in-depth information and practical advice.

“Phil Becker founded Digital ID World in 2002 to help foster and grow the identity industry, and this industry is moving to the next stage of its evolution, in large part because of his diligent efforts,” said David Korse, CEO, IDG World Expo. “We’re excited to work with Digital ID World to help enterprises and vendors who are harnessing identity technologies and solutions.”

About Digital ID World
Digital ID World is the premier identity industry event. Digital ID World provides business executives and IT managers with an exclusive conference opportunity to interact with thought leaders, developers and providers of identity solutions. With presentations covering deployments, identity-based technologies, standards, business processes, web services security and RFID, Digital ID World offers superior networking, in-depth information, and practical advice.

About IDG World Expo
IDG World Expo (www.idgworldexpo.com) produces technology-focused tradeshows, conferences and events for professionals seeking world-class education, peer-to-peer networking and one-stop comparison shopping. As the leading technology event management company, IDG World Expo leverages its experience and knowledge of technology-focused events and conferences, enabling technology companies to capture the attention and loyalty of influential buyers. IDG World Expo's portfolio of conferences and events includes Macworld Conference & Expo®, LinuxWorld Conference & Expo®, Bio•IT World Conference + Expo®, Wireless Sensing Solutions®, Syndicāte™, GridWorld™, Real Time CRM Solutions™, OSBC™, RoboBusiness and RoboNexus. IDG World Expo is a business unit of IDG, the world's leading technology media, research and event company.

About IDG
International Data Group (IDG) is the world's leading technology media, research, and event company. A privately-held company, IDG publishes more than 300 magazines and newspapers including Bio-IT World, CIO, CSO, Computerworld, GamePro, InfoWorld, Network World, and PC World. The company features the largest network of technology-specific Web sites with more than 400 around the world. IDG is also a leading producer of more than 170 computer-related events worldwide including LinuxWorld Conference & Expo®, Macworld Conference & Expo®, DEMO®, and IDC Directions. IDC provides global market research and advice through offices in 50 countries. Company information is available at http://www.idg.com.
###

Contact:

Mike Sponseller
IDG World Expo
+1.508.424.4837
mike_sponseller@idg.com

ejnorlin at 05:25 AM MST
September 22, 2005
Identity acquisitions continue  #

In my continuing attempt not to be *totally* North American-centric ;-)

Bull buys single sign-on company Enatel

ejnorlin at 05:13 AM MST
Mark Dixon on the Identity Grid  #

Mark Dixon (of Sun) is talking about the identity grid -- a concept first elaborated by Waveset (prior to Sun acquiring them).

And he's making updates around virtualization of data stores, SOA, and federation "services".....I'm *really* getting interested in how so much enterprise vocabulary is changing to "services."

ejnorlin at 04:50 AM MST
September 21, 2005
Where is Identity living?  #

Everyone's probably seen the big news about the "re-org" -- my immediate question is where is all the identity work now living inside of Microsoft??

That is, of course, a trick question -- the answer is *everywhere.* ;-)

ejnorlin at 04:40 AM MST
On Federation Gateways  #

The CEO of Trustgenix has written an article about federation gateways as protocol translators -- one of the continuing *hot* issues in the world of federation (arcane, yes - but hot ;-).

Quoting:

Central to a federated identity system is the trust relationship between a Web site/organisation that authenticates users (known as an identity provider) and the site that relies on this authentication to provide secure access to a Web application or service (known as a service provider). A federation gateway eliminates the need for an identity provider site and a service provider site to use the same federated identity management protocol and version.

ejnorlin at 04:26 AM MST
September 19, 2005
Surge in ID Theft via spyware  #

Aladdin has commissioned a study - which reports a doubling of the use of spyware for identity theft in the last month. If the report is at all true, then it's quite alarming.

Quoting:
The report noted that 15% of spyware threats are now designed to log keystrokes, as well as steal user passwords, logged-on user names, administrator passwords, instant messaging content and e-mail addresses.

ejnorlin at 08:50 AM MST
The acquisitions continue  #

Microsoft Acquires Identity and Access Management Solutions Provider Alacris

Quoting the press release:

Today, Microsoft® Windows provides a best-of-breed platform for utilizing smart cards and other strong authentication technologies on the desktop through Active Directory® and Microsoft Certificate Services. However, enterprise customers are still challenged with the complexity of provisioning smart card hardware, deploying digital certificates, managing certificate revocation, and auditing IT pro and end-user activity. The key to successful smart card implementation is tailoring the infrastructure to the specific needs of the organization. Alacris’ products address this need by delivering integrated solutions that provide simplified management and end-user experiences through advanced policy and workflow.


ejnorlin at 05:42 AM MST
Identity as Infrastructure  #

Two articles are pointing to a larger theme -- identity as infrastructure:

Article One -- Oracle upgrades app server with SOA in mind -- points to how identity is being integrated into the application server.

Article Two -- Microsoft looks to spread InfoCard authentication technology -- talks about Microsoft's efforts to get the Infocard backplane integrated into Safari and Mozilla (Firefox).

Both of these articles point to a larger phenomenon that we've been talking about and hoping for for some time now -- the idea that identity must become part of the infrastructure *before* any really useful identity applications come along.

Actually, I'd like to elaborate on that a bit - I think there are a LOT of interesting identity applications out there, but that they lack the adequate identity infrastructure that would allow them to realize their full value.

ejnorlin at 04:30 AM MST
September 17, 2005
Katrina and Identity  #

First there was news of massive identity theft associated with the victims of Hurricane Katrina, and now comes news that identity technology is being used to help sort out the aftermath.

RFID chips used to track dead after Katrina

Quoting:
The U.S. Disaster Mortuary Operational Response Team (DMORT) and health officials in Mississippi's Harrison County are implanting human cadavers with RFID chips from VeriChip in an effort to speed up the process of identifying victims and providing information to families, VeriChip said Friday. In addition, the County Medical Examiner's office in Lafayette County, Miss., said it will stock RFID chips and scanners for future disaster relief. Louisiana is also expected to begin using the system soon, which should help officials cope with the estimated 500 unidentified bodies in the state.

ejnorlin at 03:55 AM MST
September 16, 2005
And on the other side...  #

Dreamforce was one big conference this week, and Microsoft's PDC was the other.

Kim Cameron is blogging about the identity-related presentations that took place -- and giving us some details:

The new InfoCard bits are not only less visually displeasing (!) than the initial (wireframe) beta, but support what we call "managed cards", meaning identity relationships with identity provider vendors and operators - independent of any particular platform (e.g. Windows, Linux, Unix, etc). Basically, by implementing a Security Token Service (STS), and then giving a user to whom you are willing to issue tokens a (signed) configuration file, your identity provider can be set up as an InfoCard in the user's Identity Selector. For those unfamiliar with the terminology, an STS is simply a service that implements WS-Trust - anyone can build one, and the PDC bits include an example of a simple Identity Provider STS built using Indigo.

ejnorlin at 08:40 AM MST
Translating Geek Speak  #

First, the quote:

"The STS offers a unified model for managing credentials across different types of authentication methods," said Price. Microsoft's WinFX programming model lets developers program to it while InfoCard offers a single interface on the client PC, he said.

Translation:
I've said here several times that the truly important thing about the InfoCards effort is that it provides a unified metaphor for both enterprise identity and end-user identity -- two worlds that, until now, have been very separate.

Really, it's not simply InfoCards -- it's a lot of companies that are trying this. But in the context of Microsoft, you can think of it this way:

"STS" (Security Token Service) -- enterprise means of dealing with InfoCards

InfoCards -- the end-user component that the individual will use

WinFX -- the developer libraries for interacting with STS and InfoCards

ejnorlin at 04:15 AM MST
Federated Identity Card System  #

As I've stated previously, the REAL ID Act creates a de facto national ID card here in the US, as a result of creating a minimum bar (an unfunded mandate) for states' driver's licenses (including biometric identifiers).

This GCN article outlines some things said by Richard Clarke, Bush's former counterterrorism chief:

“You should want the highest form of technology and security for your privacy information, and frankly, we don’t have that today,” Richard Clarke said. A federated identity card would not necessarily be a national ID card, but privately issued identification cards, he said. Clarke spoke about managing smart cards and biometric identifiers at a Sept. 13 conference in Washington, hosted by the Center for Strategic and International Studies.

ejnorlin at 02:47 AM MST
September 15, 2005
More important than it used to be  #

Phil Windley makes an interesting observation -- Identity, be it offline or online, is just flat out more important than it used to be.

Phil goes on to talk about the increasing intersection of offline and online identities, but he doesn't really ask or address *why* identity is becoming more important than it used to be.

Phil Becker (I know, lotsa "phils" ;-) and I talk about this frequently - namely, the idea that the world is becoming increasingly networked. And, as the network becomes predominant, the only organizing paradigm that works in light of efficient marketplaces (i.e., secure, negotiable, anonymous or identified, etc.) is that of identity.

Stated more simply -- the networking of our world *requires* that identity be the organizing paradigm. Thus, identity is simply more important than it used to be. And that importance will only increase....

That idea is at the core of why security is derived *from* identity, and not the current prevailing notion that identity is a subset of security...

ejnorlin at 04:56 AM MST
September 14, 2005
Smart Cards and REAL ID  #

This article speaks to the growing call for massive smart card implementations in the US - especially in light of the REAL ID Act.

To be clear, the REAL ID Act mandated a minimum bar for states around driver's licenses (what many would call an unfunded mandate) - and, in effect, created a de facto national ID card. In that context, many smart card advocates are saying - why not do real implementations the right way?

Will this be the boon to smart cards? I kinda doubt it, but we'll see.

ejnorlin at 04:35 AM MST
Pro-Gamers and Identity  #

One of the great tech waves is that of gaming. I've noticed that it's a real generational divider as well -- I'm betting that Phil doesn't play Xbox (I know he doesn't - he collects and restores pinball machines), while I play Xbox (but mostly just sports games with an occasional Medal of Honor), and someone 10 years my junior would be a gaming junkie.

I've argued before that gaming and identity intersect -- in fact, I think the Xbox team has realized this in ways that the PlayStation and Nintendo guys haven't, though I really don't know to what extent.

This article talks about how some "professional" gamers are starting to get corporate sponsorships to compete in organized competitions - with the average sponsored gamer earning 30-40,000 per year before prize money.

Imagine a future where gaming is a spectator sport. Suddenly, gaming platforms become hubs for social and economic interaction - and those little "profiles" that make up your gaming persona become *major* pieces of your digital identity.

ejnorlin at 03:58 AM MST
September 13, 2005
Over at Dreamforce  #

It's fascinating to watch the Software as a Service world collide with the identity world. Over at Dreamforce, Salesforce.com's conference, they're launching AppExchange, which looks like it could serve as a foundation for some hosted identity stuff.

Sxip is there and making announcements....

ejnorlin at 06:29 AM MST
Windley on Skype  #

Phil Windley, like me, is thinking about the identity implications of the eBay - Skype deal:

This whole thing will be interesting to watch from an identity standpoint as well. eBay and Skype were both huge repositories of identity data. Now, the combined entity is gigantic. There will be plenty of opportunity for misstep. To really exploit the combined entity, eBay will have to normalize the identities in some way. If they do it right, they could be a key player in Identity 2.0.

ejnorlin at 05:58 AM MST
September 12, 2005
Reputation plus Presence plus Payment  #

eBay is buying Skype, an interesting purchase to be sure.

As I put on my identity-colored glasses, I see

(arguably) the World's Largest Reputation system
PLUS

Presence
PLUS

Payment System
EQUALS

Very large network of identity-based transactions and interactions

This acquisition suddenly makes eBay seem much more of a head-to-head competitor with Yahoo! and Google.

ejnorlin at 03:43 AM MST
September 09, 2005
Hong Kong ID Cards  #

This article is supposed to let us know how much adoption of identity technologies is taking place, but in the process of doing so, I also get to learn a little about Hong Kong ID Cards. Quoting:

In many countries, of course, ID cards are part of daily life. One expatriate colleague in Hong Kong now carries with him a smart ID card with all his details stored. He has the latest generation card, which is currently being rolled out to more than 3 million citizens in Hong Kong. He says that only once in all his years in the territory has he been asked to show it to police. Less reputable looking characters - those without tailored shirts with French cuffs - do get stopped quite regularly. They must present a card - complete with photograph - that holds information about themselves, as well as their visa status.

ejnorlin at 03:09 AM MST
September 08, 2005
IdM - SAAS  #

For those of you that aren't into hip techno-speak, that translates as:

"Identity Management - software as a service"

Context: At the last Digital ID World, I said something to Jamie Lewis, CEO of Burton Group, about how I was *waiting* for a company (startup?) to offer an identity management platform as a service.

Jamie doubted me (I don't know if he still does) - saying that he didn't think enterprises would want that kind of sensitive information residing somewhere else. I, of course, said -- well maybe enterprises don't, but the mid-market just might.

And then I read this.

Just a little blog entry about a recent dust-up between Microsoft and Salesforce.com....and it brought me back to IdM - SAAS.

I mean, what's Salesforce.com's average customer - a company with 100-1000 employees? I'm betting. Identity Management as a service for a company that size is a slam dunk.

Has Salesforce.com thought of this? I dunno - they seem pretty smart over there, so you'd think so.

I think I have Benioff's email address around here somewhere....let's see if I can't prove Jamie wrong ;-)

ejnorlin at 05:40 AM MST
September 07, 2005
Identity Market Projections  #

Quoting from here:

According to Radicati Group, the Identity Management market, including all segments -- full-suites, provisioning, secure access/authentication, and federated identity solutions -- will reach over $1.2 billion in 2005 in worldwide revenues, and grow to over $8.5 billion by 2008.

ejnorlin at 10:17 AM MST
Windley on Naming  #

Phil Windley is writing great blog entries that are related to his new book on digital identity (aptly titled, "Digital Identity" ;-). Today Phil is covering the importance of naming policies and their effects on data standardization and synchronization.

Quoting:
A policy on naming can also help enforce data standardization efforts. Such a policy might include requirements to use information from the metadata repository or to use identities in established data stores in preference to creating new identities.

One of the most important naming roles a policy can perform is to grant authority for creating enterprise-wide identifiers. For example, how are email identifiers created? Who has authority to determine the format of employee numbers?

ejnorlin at 06:00 AM MST
Hallelujah  #

A wonderful NetworkWorld article that leads with the idea that identity is about much more than just security. Quoting:

Identity management and the associated identity servers and protocols are becoming increasingly important components of corporate information-security strategies. But to look at identity purely as a means for authentication (and subsequently, authorization) is to miss the greater point: identity is the link between the business process and the people implementing the business process.

Is it finally sinking in? ;-)

ejnorlin at 05:57 AM MST
September 06, 2005
Identity problems slow down online banking  #

Quoting from this article:

The research firm, which interviewed 1,000 American adults for the study, found that many consumers were worried that their personal information could either be stolen by hackers and phishers or sold to third parties by banks. Nearly 83 percent of those who conduct banking online reported such concerns, while 73 percent of respondents said personal information theft is a deterrent for them.

"The industry needs to convey that they are, in fact, addressing the fundamental issues of personal information protection and theft associated with online banking, because the public's misperception is what's deterring growth," Doug Cottings, senior vice president at Ipsos Insight, said in a statement.

ejnorlin at 09:32 AM MST
September 02, 2005
A Pile of Identity  #

Phil Windley is blogging about Yahoo!, Flickr, and Identity, or more specifically about the pile of identity that Yahoo! stepped in when it asked Flickr users to get a Yahoo! ID.

All of it, of course, is really about companies managing identities in silos. And managing in silos is all about not understanding the Net.

ejnorlin at 04:03 AM MST
September 01, 2005
Who owns it?  #

Articles like this one bring me back to a topic I've been thinking about an awful lot lately - one that I'm working into an article. The outline goes something like this:

1) DRM raises the objection from some developers of "they're altering what i can do with *my* computer."

2) this begs the question: Who "owns" your computer? or more properly -- do you have the absolute right of ownership and control of your computer IF IT IS CONNECTED TO THE NET.

3) my old joke of "Norlin's Maxim" may be becoming a non-joke/truth. Norlin's Maxim: The Net drags everything it touches into the public domain. The rate at which this happens is directly correlated to how much (often/extent) something touches the Net. Proof: google your name today. google it 30 days from now. more info is available as time passes.

4) Add 2 and 3 together and what do you get? You get the conclusion that you *do* own your computer as long as it is never connected to the Net. Once you connect to the net, you enter into an as-yet-not-fully-understood dance of information sharing. This is the nature of networking itself. See Kim's laws.

5) 4 is why identity must become core infrastructure. You do not own your computer, and the only viable means for sustaining any non-hierarchical order in the Network is a construct of identity.

6) See Doc's NEA (nobody owns it; everybody uses it; anyone can improve it); "your" computer is part of that the instant you plug in and it's then not simply "your" computer anymore. It's a shared resource that is part of a much larger ecosystem. Allowing all parties to participate and manage their roles in that ecosystem dance is the hard part that faces us. Hierarchy won't solve it (that's the knee-jerk response), it will break the Net itself.

....I'm still working on the implications for DRM, TPM, NGSCB, etc.....

...and hoping to write this piece in the next few weeks.

ejnorlin at 04:23 AM MST
Dept. of Redundancy Department  #

Sometimes I feel like I'm constantly blogging the same thing over and over and over again. Take this USA Today article about computer security on college campuses. It covers the standard topics (with my usual responses in parens):

A) student loses computer (identity problem - TPM, Secure Startup in Vista, or in the new Apple chip - maybe).

B) Sensitive data stored on open systems (identity problem - see Kim's laws, legislation articles, federation as future solution, restore power to the end-user, not using the SSN as an identifier).

C) Lax security at over 30 university breaches (identity problem - see how the Net forces identity as an infrastructure and how our lack of it is the root of our computer security problems).

D) Wifi network security problems (identity problem - it's not just about encryption; see how the network demands identity as a core infrastructure).

E) "we're hiring security managers" (identity problem - identity is not a subset of security, rather security is a result of identity as a core infrastructure).

See - all these identity problems being mis-framed as security problems.

Am I the head of the department of redundancy department?

ejnorlin at 04:08 AM MST