For all of you federation geeks out there....

Trustgenix has released a new version of their product. An interesting thing on several points:

1. they've chosen the "protocol translation" route for product marketing -- which I'm assuming says something about the customers that they're servicing.

2. they're shipping SAML2.0 -- a standard that many have been waiting on.

[later...]

A Ping Identity release says that downloads of their federation products increased 76% in Q3.

Is the promise of federation on the near-term horizon?

So often it seems we talk about the "BIG" issues. I'm on a mailing list that seems to spend a great deal of time and energy trying to build a lexicon and taxonomy for digital identity (a task I gave up on after "federation" became the word of choice for an entire niche industry ;-). But, I think you can tell that you're in the middle of a market that's growing when you begin to see companies releasing very specific applications of technology. Check this out:

Authentica secures BlackBerry:

Authentica next month plans to release an extension to its enterprise rights management software that can lock down e-mail on BlackBerry handhelds. Called Authentica Secure Mobile Mail, the product lets users receive encrypted messages and set permissions on e-mail--for example, when a message can be viewed or blocking forwarding and copy-pasting. E-mail can be set to expire at a certain time or recalled. Administrators can also remotely delete e-mail, which could be useful when a BlackBerry is lost or stolen, according to Authentica, which plans to announce the product on Monday.

This is really interesting to me...a company building and releasing a product that's targeted at one specific thing. They're not boiling the ocean, or selling a platform that does it all. They're just securing BlackBerries. Is that a "huge market"? Probably not. Is it a nice little business line that should get some traction? Yeah, I'd guess it is.

The more we see companies releasing technology that does one thing, the happier I get....I think it means our industry is maturing and blossoming.

I'm getting very excited for digital identity in 2006.

Phil Windley (and Doc Searls and Drummond Reed and Kaliya) have organized an Internet Identity Workshop that's taking place at this week at Berkley.

Phil has extensive coverage on his blog, but he's also posted a summary over at ZDNet. Quoting:

We wanted to discuss design philosophy and architectures of these working systems. I was interested to see who's not here: none of the "federated identity" vendors, none of the directory vendors, and so on. As usual, big companies are catering to the the behind-the-firewall needs of CIOs while small, innovative companies are seeking out business opportunity on the 'Net. Financial services firms and analysts are represented in a fairly healthy way–not surprising since they've been hit hard by the phishing scams enabled by the lack a credible identity infrastructure on the Internet.

Its interesting to see that the financial services guys are looking at the "grassroots" stuff --- not suprising, but interesting.

Here is Phil's blog aggregator for the whole shindig.

And here is the technorati tag page for the event (complete with photos).

Some interesting thoughts from the blogosphere:

1. Kaliya is talking about attaining symmetry in the relationship between businesses and individuals. Currently, businesses and individuals have a relationnship of asymmetry -- when I interact with a business, they store and control the information about my interactions with them. But, increasingly, individuals are asking for control over that information. As that demand grows, we're seeing a changing world -- a shift from asymmetry to symmetry of that relationship.

The problem, of course, is that so many of the large "portals" (eBay, Yahoo!, Amazon, Google) base their business models on keeping identity information siloed. So, what happens when that silo crumbles? Opportunity, for sure.

It seems like this whole debate is really coming to the forefront of things. For more, see AttentionTrust.org.

2. David Weinberger is talking about a talk that Joshua Schacter, creater of del.icio.us gave at Berkman. Here's the quote that caught my eye:

Delicious is adding social networking. You'll be able to designate people as members of your "network" so you can keep up with what they're tagging and you'll be able to create groups within which bookmarks can be kept private. Eventually, Delicious may disambiguate tags in part by weighing your groups'/network's use of them more heavily. In any case, the addition of social networking will create yet more unintended consequences...something to look forward to.

When Delicious adds tags to designate people as part of your network, it takes a step firmly into a world that converges social software and digital identity.

So, take 1 and 2 together and I start thinking:

3. Johannes Ernst recently made a comment that "Web 1.0" was about monologue and "Web 2.0" was about dialogue. Web ".0"s aside, I do agree that something fundamental has changed since 1999.

Pre-1999, the web was all about post, read, link. Then userland and blogger and RSS and social software and "web 2.0" companies started happening. Since then (for me "then" was when i first used Blogger, which i think was the summer of 1999), the web has really gotten conversational.

A conversational web is dragging all kinds of stuff into a world of digital identity. We see it in the problems: spam, blog comment spam, the usefulness of social networks, etc. But we also see it on the edges.....

Kaliya is talking about individuals redefining how they want to interact with companies and a whole discussion is starting around new ways for individuals to control their personal information.

Delicious is allowing you to "tag" people in your network -- yet another instance of social software getting really social and becoming identity software.

The conversation is enlarging....Phil and I have been talking about this a LOT lately. Expect the Digital ID World 2006 stuff to start coming out soon, and expect us to address all of these issues in a big, big way.

(ps: those of you emailing asking how i fared with Wilma -- thanks for the thoughts, all is fine. we're struggling with some basic infrastructure like power, etc. But we're getting by...)

Coming back to life post-Wilma and finding a couple of interesting links:

1. Yadis or "Yet another distributed identity system" is an effort at interoperability between OpenID and LID.

2. IdM Journal is Dave Kearns' site that is devoted to identity. The site combines his musings at Virtual Quill with a feed of press releases -- lotsa news there.

It looks like nCipher is acquiring, or at least planning to acquire, Abridean. Price tag: 17.9 million.

DataPower (a company that supplies a lot of identity functionality) gets picked off by IBM, and Abridean gets picked off by nCipher....and the identity wave continues to build.

(pardon the oceanic metaphor: i'm in south florida preparing for Wilma ;-)

Great confusion stands regarding Vista, the Trusted Platform Module and Apple. David Berlind is trying to clear some of it up, but it doesn't look like he's getting much help from any party.

From what i know and understand, here's how things shake out:

1. The part of TPM that is supported in Vista is a chunk that allows full volume encryption. In a nutshell, this is a little feature that means if a traveling CEO for Big Company X loses his laptop, all is still fine in the world. At this point, there isn't any evidence that Microsoft is taking this any further than that.

2. Apple does appear to have shipped some TPM-enabled stuff in its last developer release. It would appear they're doing so to combat software piracy.

3. The Trusted Platform Module is put out by an industry group, The Trusted Computing group -- and has radically different roots and scope than Microsoft's NGSCB (used to be Palladium) work.

So you see, it really isn't an evil corporation or not evil corporation debate. Rather, it is a fundamental question about the use of hardware and software in conjuntion to combat certain security and identity problems. The debate should be around whether that is a bad idea. Generally speaking, that debate is not happening.

Pat Patterson tells me that the comments on this blog are broken (more on that in a second) - and dick hardt suggests we install his new blog comment system, Sxore.....

Pat's comments were about my tension points....

namely, that he's seeing a tension between the world of real implementation and the work that standards bodies are doing -- a tension wherein the standards are WAAAAAY ahead of what's actually happening.

His example is that most enterprises are only doing SAML1.x style SSO, while the standards have moved on to account linking, web services abstractions, etc.

good point - thanks Pat!

I've been thinking a lot this week about the "tension points" in the identity world. This is an exercise that we do as we prepare to work on and "lock" the content for our Digital ID World 2006 show (exciting!). So, here are some of the tension points i'm thinking about:

1. Security and Privacy in RFID: It seems that there's some doubt as to the security of RFID tags -- which doesn't sound like a big deal until everyone's Passport has one.

2. The Identity Silo: I'm thinking about this a LOT lately -- the business model tension that exists between keeping identity information silo'd and putting it back in the hands of the user....working on getting some CEOs from Big Silo companies onstage to debate this (and I'm picturing doc searls as the moderator ;-).

3. Directory-based Infrastructure: I've been hearing a lot of rumblings lately that the directory infrastructure in the enterprise is either A) crumbling B) too expensive to maintain or C) not scalable. Companies in the virtualizaiton space are addressing this -- but there's a bigger question here, and its one of decentralization -- specifically, where the architectural balance point that's optimal between decentralization and centralization.

4. Platforms or Solutions: A vendor tension to be sure, but one I think a lot of our attendees will really be interested in. Do I buy an identity management *platform* from the big guy (as Gartner would advise), or do I implement a reference architecture (i.e., Burton Group) and seek best of breed solutions?

5. Is Security a subset of Identity, or is Identity a subset of security? Oh yeah, this is one that actually gets people in the "biz" moving -- especially if they're old security pro's.

That's what I've been thinking for now - -what am I missing?

This blog entry isn't exactly about digital identity, but it does explore a really interesting point from last week's Web 2.0 conference:

Because mash-up services usually don't own or control the data, the way most mash-ups compete is on having a better or more flexible User Interface, or adding extra data. This is a crucial point about the business models for mash-ups - because the data is open, what matters is what you do with the data and how you present or deliver it. In a way this represents what the ideal open Web 2.0 model is all about - free the data and innovate on top of that.

That last bit really struck me - "free the data and innovate on top of that." This actually occurred to me last week in a bit of a different form:

The Web as Platform: when the web is platform, a couple of things happen....

1) the platform can't be owned

2) product features are normally open via APIs - so any real attempt at product differentiation via features gets commoditized rapidly

The result is that innovation occurs on top of the data released via APIs -- ie, some data (google's search patterns) is kept private and valuable and some data is released via open APIs. The key to realizing value in a Web 2.0 world is getting right the mix of what data to keep and what to open up. One half of that key is --

free the data and innovate on top of that.....

It seems that Lufthansa's IT arm has developed a biometric system for passenger check-in.

Quoting:
The SecBoard system consists of two parts. The first part is registration. At an enrollment station, passengers' fingerprints are recorded, digitized and stored on a smart card, which only needs to be issued once but can be used again in all future flights. In addition to the fingerprint data, the card contains a photo of the passenger, personal information and a serial number. At check-in, the serial number is linked to the check-in data.

The second part of the system is the boarding station between check-in and the aircraft, where a fingerprint check is conducted. The fingerprint data from this check is compared with the fingerprint data stored in the card. If the data matches, the passenger can board the aircraft.

Dan has written his typically great piece summarizing some of the happenings at Web 2.0. Read the whole thing, but pay attention to this quote:

Personalization and social networking are becoming less burdensome for users, but they still have along way to go. A single log-on for services is a good step, but homogenizing services so they all look and feel the same can sap of the stuff that made it sticky for users in the first place. And, the more sophisticated Web users will want to be in control of their own identity and the data trails of their online activity. Without open standards, people end up in walled gardens, with all of their preferences locked into a particular portal (see attentiontrust.org). In other words, I want to take my Amazon data trail to another site, or my Yahoo personalizations to another portal, so I don't have to start from scratch.

Buried inside of eBay's acquisition of a Verisign technology around online payments is the fact that they two companies have struck an agreement around identity stuff as well.

Quoting:
Under the terms of the agreement, eBay will adopt a new kind of transaction protection from VeriSign that will give customers one-time passwords or digital certificates, guarding against identity theft. The new program will begin sometime next year.

Today the Liberty Alliance released guidelines for negotiating the legal and privacy hurdles associated with federated identity.

Quoting:
The 15-page document, targeted at policy managers, was developed through Liberty Alliance's Public Policy Expert Group (PPEG), which includes members from the Business Industry Political Action Committee, a U.S. pro-business group; the U.S. General Services Administration, a U.S. government procurement and policy agency; plus Oracle (Profile, Products, Articles) and Sun Microsystems (Profile, Products, Articles).

The Liberty technical architecture does not inherently address liability or indemnification, as those are issues that are contractual between the service vendor and the customer, said Michael Aisenberg, chair of Liberty's PPEG and director of government relations for VeriSign (Profile, Products, Articles).

Because the identity management side of Digital ID World, its easy to lose sight of the other aspects of identity -- especially RFID. So, its helpful when acquisitions come along to remind us that RFID is identity technology, and still vitally important to the larger identity technology world.

Quoting:
BEA said the software will complement its own WebLogic middleware, allowing customers to treat RFID data as another asset that can be made available throughout an organization to be incorporated into applications and business processes.

Here's an article wherein an guy from Trend Micro advises that people stop banking online until the pharming threat is taken care of.....

Quoting:
"I would avoid banking online as you just can't tell if you are experiencing a pharming attack," he told journalists at the Virus Bulletin conference in Dublin, Ireland, "I would say to people 'stop banking online'."

While banks introduce new security measures, it appears that criminals are finding ways around them fast, Perry said. "Cybercrime today is much more sophisticated. Malware has reduced trust in the internet."

The solution (of course ;-) -- Identity.

This purchase of Dave Winer's weblogs.com ping server by Verisign really has me going this morning -- mostly because it relates so heavily to all of the stuff i learned at last week's Web 2.0 show.

The article talks about how the purchase relates to Verisign's efforts to get into supporting the "blogosphere" infrastructure - and how one of the key missing components there is (you guessed it) *identity*. As it turns out, many of the blogosphere's emerging problems (blog spam, trackback spam, comment spam and cross-blog authentication) are solved by identity -- and this acquisition puts Verisign on the path to thinking about doing something about that.

Quoting from the article:
The second technique is to analyze a blog's origin. VeriSign is looking at identity authentication using domain keys, a PKI standard that Yahoo Inc. came up with and Google and other ISPs adopted to use for e-mail authentication. E-mail is, after all, the original patient suffering from the problem of spam, Graves pointed out.

Thus, VeriSign will be looking at supplying a lightweight digital hash or signature for blog posts. Instead of having a simple blacklist of sploggers, the company could set up and maintain a credit score for bloggers, for example.

A "credit score for bloggers" -- hmmmm, sounds remarkably like the credibility topic that Phil brought up in the last newsletter.

An interesting point here:

None of this stuff -- ie, the intersection of the blogosphere with identity -- is concerned with "standards." Which is to say that while the Googles and Yahoos and Verisigns of the world seem to be gravitating toward a web 2.0 model that intersects with identity, none of them are talking about liberty or SAML or WS-* or OASIS, etc. In fact, Google and Amazon have a distinct history of NOT adopting standards, but preferring the proprietary route.

I'm trying to coalesce all of these ideas into an article about what i learned at Web2.0 (kind of my "what i did on summer vacation" piece"), and hoping to write that tomorrow.....

Two big themes here at Web2.0:

1. User Generated Content: video, blogging, podcasts, etc.

2. the Architecture of Participation: the idea that the web has become a fundametally 2 way conversation - not simply a "post and reply" place.

Two thoughts around this:

1. both of the above *require* knowing who is who (or that who is anonymous) to ensure integrity and quality.

2. The web's architecture is somehow different. It was built by the rules of very old communications forums -- post, view, reply. That is changing - its becoming a much more dynamic medium that is conversational and more subtle in its expression -- ie, its becoming more like natural human behavior, and thereby requiring more and more identity.

I don't know why, but it feels to me like there are three types of conferences.

1. What I'd call an "alpha geek" show.
These shows cater to entrepreneurs, VCs and pundits. That said, these shows often recruit very big names to speak (Jeff Bezos, Terry Semel, etc). But what really characterizes these shows is that the sponsors and exhibitors use the show as a branding and thought leadership space -- making announcements, etc -- and not as a space where they connect directly with buyers. These shows tend to focus on emerging phenomenon, funding of start-ups and start-up's initial product launch.

2. What I'd call a buyer's show.
The buyer's show is kind of the middle of the conference growth curve. These shows are focused on connecting buyers with sellers -- and (in our case) are focused on what is usually called "real-world" content. Often characterized by end-user deployment stories, these shows are about helping enterprise managers succeed.

3. The Expo show.
The expo show are the big ones -- indicative of a more mature industry. These shows tend to combine some aspects of #2 with a much more "show-casey" feel - complete with schwag and parties and press junkets.

Web 2.0 is clearly in category 1. Digital ID World is clearly in category 2, but interestingly, we started very clearly in category 1. Is this a natural show growth curve? Maybe, maybe not. PC Forum has always stayed in Category 1.

funny note: the easy way to know which category you're in is to count the number of Macs versus PCs. Predominance of Macs - category 1. Predominance of PCs - category 2. Dead even - you're at an expo.

Its day 2 and the conference is still a-buzz. Yesterday seemed like a day of people dancing *around* identity -- that is, outside of the two head-on announcements:

Sxore - Sxip's blog comment and reputation management system

and

AttentionTrust - a non-profit devoted to giving user's control over how their attention is owned and stored.

Beyond that it seemed like so many companies just skirted the issue, but the hallway conversations where heartening, as it seemed that many people recognize that absolute NEED for identity.

From Tim O'Reilly calling out AttentionTrust as an "identity play" to a hallway conversation with Marc Cantor ("lots of energy in these companies and they ALL need identity!") -- the identity is center message rings true.

One of the early afternoon sessions here at Web 2.0 was led by AttentTrust.org....

In short, AttentionTrust.org is a non-profit organization that believes that people should have control over their attention records.

They've launched their Attention Recorder -- a firefox plugin that allows you to track what you look at (clicks, etc) and store them locally on your computer. The hope being that this will provide a minimal platform on which an ecosystem can evolve. That ecosystem could include things like giving copmanies your attention record (explicitly not implicitly) in exchange for something (monetary or otherwise).

One of the peole involved (Seth Goldstein?) is working on a company (Root Markets) that uses the AttentionTrust mechanism (attention.xml) to serve up highly qualified lead generation (opt-in, etc).

As Tim O'Reilly pointed out in the session (quoting): "This is really an identity play."

Precisely! They're creating a mechanism that allows individuals to control, organize, interact with and traffic in their attention as an attribute. All of your collective search queries become an attribute, pages looked at an attribute, and via that aggregation - "authentic leads" can be built as an application on top of the very "Web2.0", distributed platform of user-attention records.

There is, of course, an identity problem here -- think of "faked" attention attributes generated by code that spits out fake attention records -- but really, that should be solvable.

Further - Tim went on to speak about the power he think is released in users being able to combine their "attention record" with their "personal data." Suddenly, I can use (as a collected attribute) things like:

Male, 34yrs old, Caucasion, residence in Florida
pays attention to
ZDNet blogs
Doc Searls
Forbes RSS feeds
etc etc etc......

Its all very interesting - and I think serves as a *great* example of the intersection between identity and web2.0....

A couple of additional thoughts from my side:

Companies already use Role-based Access Control (RBAC) -- ie, an airline mechanic at Southwest signs in and is allowed access to resources based solely on his *role* as airline mechanic.

Imagine Attention-based Access control (ABAC) -- the ability to access certain buckets of resources based upon the specfics of my attention attribute.

Really interesting possibilities! Of course, its still just approximating me via my actions, not identifying me as I wish to be identified...but somehow, just somehow, I think you could add a simple authentication event to this and then suddenly you have portable, authenticated repuations getting access to resources based on their attention behavior.....

thoughts?

...from Web2.0.

At the very first Digital ID World, I felt like we spent three days defining digital identity. There is very much the same feel here at Web2.0 -- most sessions seem to start with a "what is web2.0?" discussion.

Many connections to identity in this space -- i'll be highlighting those in the coming hours/days.

You know how sometimes you can feel the buzz at a show? That's definitely here at Web2.0. Some would call it "hype" - but its only hype if there's no substance behind it.

I'll try to post some things this week that further evolve an understanding of the intersection between Digital Identity and Web2.0 In the meantime, I'm pointing to an Infoworld article and commenting (my comments in bold):

Some of the announcements expected at the show include:

-- KnowNow (Profile, Products, Articles) will introduce a real-time notification service that delivers RSS content directly to end-users as soon as it is available, saving them from having to check their RSS feeds on a Web site, news reader or aggregator. The new service, called KnowNow eLerts, delivers the notifications via its eLert toolbar or deskbar, according to the company.

RSS alerts - as that grows, I see corporate authentication mechanisms and various repuatational personalizations coming into play - i.e., identity.

-- Topix.net will announce that its NewsRank article categorization technology has been rolled out to 177 newspaper and television station Web sites from Gannett Co., Knight-Ridder, and Tribune Company. The technology automates the process of presenting readers with content that is related to the article they are reading at the moment, according to the company. NewsRank is also available to other media companies beyond Gannett, Knight-Ridder and Tribune, each of which owns a 25 percent stake in Topix.net.

Personalization technologies have been around since the 90s (anyone remember NetPerceptions?) - but they're all based on algorithmic magic that approximates *really* knowing you based on what you do or like. At some point, we're going to see personalization collide with identity -- and then you'll get technology that *actually* knows you instead of just approximating knowing you.

-- Startup Bunchball will introduce a social networking site in which users can set up groups with friends, family and colleagues and interact with them using socially-oriented applications hosted by the company. The site will also foster the creation of a community of Flash developers who will provide the applications. "For developers, Bunchball.com is a site where they can create and deploy social applications with unprecedented speed, because we handle all the 'plumbing' for them, from databases to servers to presence, chat, online file storage, etc ...," wrote Bunchball founder Rajat Paharia in an e-mail. "We don't charge developers for this, and instead give them ways that they can make money off of their creations, including an advertising revenue share and the ability to sell content."

Again, I launch my "identity as a service" rant. Maybe it won't come in terms of enterprise identity management, but as a social application that grows into a web of hosted identity applications. Guess who's *gotta* be thinking about this - Yahoo, eBay, Google, Microsoft - take your pick.

-- Flock, also a startup, will preview its "social" Web browser, which will feature tools to help users organize, search and share bookmarks, to create blog entries and to manage RSS feeds, according to information provided by the company.

-- Morfik will announce and preview a development environment designed to automate and simplify the creation of AJAX (Asynchronous JavaScript and XML) applications. Morfik expects to release the product in the last quarter of 2005.

-- PubSub Concepts will announce it is funding a "major" open source development effort related, among other things, to blogging and the semantic Web, according to the company.

One of the really exciting things that I see happening is a spate of startups getting funded - i know i know, VC money has its pitfalls and there's an awful lot just slushing around (even O'Reilly has a fund now!)....but I keep seeing fascinating identity fundings. Have you seen them? Applied Identity, A10 Networks, etc. And then there's the "microsoft feeder fish" companies - companies that make their living off of Active Directory. Man, that looks like an ecosystem! ;-)

California is the first state to enact an anti-phishing law. Infoworld reports on it, saying:

Under the Anti-Phishing Act, these victims may seek to recover either the cost of the damages they have suffered or US$500,000, whichever is greater; government prosecutors can also seek penalties of up to $2,500 per phishing violation.

It may also serve to inspire other legislation, perhaps even at the federal level, he said. "You can't discourage the symbolic purpose of this," he added "It's a statement to these guys that this is not acceptable behavior."

I'm off traveling cross-country to attend the Web 2.0 conference -- so look for blogs from there! ;-)