Digital ID World Weblog
November, 2005 Archive
November 30, 2005
HP acquires Trustgenix  #

Big news in the federation space today as HP has acquired Trustgenix.

The link is a press release (i.e., not worth quoting ;-) - we're digging for more info as I write.

In the meantime, the federation landscape (major players) looks as follows:

CA: federation in the suite
HP: federation in the suite
Oracle: federation in the suite
Novell: federation in the suite
Sun: federation in the suite
IBM: federation in the suite
BMC: federation in the suite

RSA: federation as stand-alone component; part of the suite.

Ping: federation as a stand-alone server.

Maxware: federation server (which i don't know enough about).
Fischer: federation services
Symlabs: federation server (i think; ?)

Microsoft: federation in the microsoft suite.

that's off the top of my head, who am i missing?

[Later:]
John Fontana writes about the acquisition...

ejnorlin at 06:35 AM MST
The CDC and ID  #

Turns out that the CDC wants to track all travelers with personal contact info and companions attached, so as to notify them when they've been exposed to a health problem.

Slashdot is asking if they can't do it anonymously...

Identity problem anyone?

Funny thing is, our de facto national id - the driver's license - could function to solve this. Remember, unbeknownst to *anyone*, driver's licenses have been mandated to have all sorts of common factors in them -- including something smart card-like.....

So, the next time you check in to an airline, they scan your biometrically/smart card driven driver's license or state id card, and you're tracked...

ejnorlin at 03:34 AM MST
A STAGS party  #

Doc recounts the first anniversary of identity as a Subject That Actually Goes Somewhere -- STAGS....

Digital ID World has always been honored to have Doc at our shows - helping to engage with, guide, make fun of, and push forward our conversations. His closing keynote at DIDW has become legendary - a last session that draws a larger crowd every single year.

He will, of course, be at Digital ID World 2006 (May 15-17, Santa Clara Marriott)...and he will, of course, be doing his customary good work - although there is a whisper that we may move him from last to first this year to *frame* the conversation versus *recounting* it.

we shall see.....either way, we're glad that DIDW has been the epicenter of conversations like this in the past - and trust me - we're doing TONS to make that continue in the future. Watch this space ;-)

ejnorlin at 03:21 AM MST
November 29, 2005
Identity Theft = Lose Business  #

Dave Kearns and Sara Gates (of Sun) have been speaking about this for several days (in several places) -- a survey finding that people take their business elsewhere in the event of identity theft.

No surprise there. And I can't help thinking that some of our business models around "customer data" are just flat out broken.

ejnorlin at 04:08 AM MST
Real World  #

You may have noticed that a little ole link to Digital ID World 2006 has appeared on the left column of our homepage...

We've been working very hard on content for the show, and we're pretty deep in the weeds of it right now. In the midst of all of that, though, some things have become clear:

Real World Deployments: as we look back at our past shows, and some of the other avenues that folks can walk down for identity information, we see that the real differentiator for us is Real World deployments -- putting enterprises and end-users on stage to tell their story.

Really, the value of a conference comes from conversational interaction with peers. If I'm Sr. Director of IT something at Corporation X, then what I really want is to hear from someone similar to me about their experience, and engage with them around how we might help each other think through problems. Pundits are cool and all, but value comes in collaboration.

And so, we're really renewing our commitment to customer-driven content. Two things highlight this:

A) the experience in NYC -- at that small summit, we put something like 27 enterprises onstage in 1.5 days. yikes. I didn't even realize how packed that show was until after it was over.

B) how we do "content" -- yes, we get paper submissions, but we don't simply cull our content from what gets submitted. we spend time talking with enterprises, having conversations, questioning leading thinkers -- and then we sit down and plot out things we think people want to hear or *need* to hear on a matrix. From there, Phil and I literally go out and recruit our speakers (focusing on customers, of course) - we find the right person for the right slot or channel.

The end result: real world deployments on stage.

The bottom line: i don't wanna watch a vendor pitch any more than the next guy, and i really don't want to subject our attendees (conversationalists ;-) to it.

Our message to vendors: send us your customers. We will put vendor's customers on stage - talking about their experiences.

Our motivations are aligned with our attendees: to deliver the highest quality of collaboration and networking possible around the topic of digital identity. To do that, we're focused on real-world deployments.

If you know of one we should be talking with, email me:

eric AT digitalidworld.com

ejnorlin at 03:45 AM MST
November 28, 2005
Links, links, links  #

1. Dave Kearns has named Kim Cameron his Network MVP -- an award similar to the one we awarded Kim back at Digital ID World 2005, and one that Dave is right to give. Kim's work has been tremendous, but now it begs the question:

Who deserves an award at Digital ID World 2006 (May 15-17)?

email me -- eric AT digitalidworld.com

2. Sara Gates has an interesting post about identity theft. Echoing some sentiments that have been ringing in a lot of places lately (quoting):

And – stop using SSN as an identifier! One reason identity theft has so much power is in its potential. You can search for and find, John Doe’s social security number if you hack into any of thousands of databases – alma maters, credit card companies, insurance companies. But what if we could – and I believe we can, (CAUTION: shameless plug ahead – using Sun’s identity management technology) – completely eradicate the use of social security numbers as a primary means of identifying people? What if we could use technology to go find everywhere you have this nine-digit number, with or without dashes, and take it out? After all, only the U.S. Social Security Administration really needs your social security number.

And 3. Johannes Ernst is summarizing discussions about why URLs should be used in lightweight identities.

ejnorlin at 09:35 AM MST
New Smart Card Venture  #

News out that Hitachi, Mastercard and some VC types have set up a new joint venture to develop and promote "cards based on a multi-application operating system called Multos, which can add various functions such as biometric user identification to conventional cards."

Smells to me like something that is at least secondarily related to the strong authentication article that I posted last week.

ejnorlin at 03:15 AM MST
November 26, 2005
Root.net  #

Like many people who saw the Attention Trust presentation at the Web 2.0 conference, I've been waiting for the launch of Root to see the Attention Recorder in action.

To refresh: The Attention Trust (and attention "recorder") is based on the idea that where people spend their attention contains value -- for all constituents in the value chain.

Root is a "platform" that caters to the different constituencies. "Consumers" (it is billed) can manage their digital identity. "Advertisers" connect with highly qualified leads, etc......

It's all very interesting to me - and I'm glad to see Root acknowledging that they're working on digital identity, especially after the grief that I gave Steve G., and Tim O'Reilly and Esther Dyson gave the whole bunch publicly.

Yes, it's all about attention, but let's call this what it is -- an identity-based platform for ad serving ;-) (at least for now).

ejnorlin at 11:14 AM MST
November 25, 2005
Tivo as Identity Device  #

According to this story, Tivo has filed for a patent around personal video recorders and RFID.

Quoting:
TiVo Inc. has filed a patent application to the U.S. Patent and Trademark Office earlier this month that suggests company inventors believe radio frequency identification (RFID) technology will become inserted into clothing, jewelry, key chains, and even under the skin in the body.

Whether TiVo actually decides to build in the feature, the patent is for a personal video recorder (PVR) that recognizes viewer preferences through an RFID chip embedded in clothing, jewelry or "inserted somewhere [in] the user's body."

ejnorlin at 07:10 AM MST
November 23, 2005
Underground Wars  #

Hey, is it me, or is the "protocol war" between WS-Federation and SAML quietly raging underground?

Last week, Don Schmidt of Microsoft made some fairly -- uh -- aggressive statements regarding WS-Federation and SAML2.0 (and their absolute non-support of it).....

And now this week Roger Sullivan (coincidentally from Oracle ;-) is saying (of SAML2.0):

"The goal is to make this the de facto standard for federation..."

Hmmm....Kim Cameron made us all feel like we were starting to play a little bit more nicely in the federation standards sandbox - but, maybe that was a bit too optimistic.

I've been saying for some time that the world would have to live with two federation standards (WS-Federation and SAML2.0) for some time to come. I guess I was more right than I knew...

ejnorlin at 02:42 AM MST
November 22, 2005
Portable Reputations  #

Mike over at TechCrunch is blogging about companies he'd like to profile that don't exist.

Number 3 on his list is a "portable reputations" company.

Quoting:
Here’s what we need - a referee and a scorekeeper. Open (I didn’t say free, mind you) APIs in and out, not just links to feedback scores. Figure out the rules (keep it flexible) and let other applications feed the database. Somebody please build this. Or eBay, open up your Feedback API.

ejnorlin at 03:25 AM MST
November 21, 2005
Videntity  #

I've known about OpenID for some time now, but this is the first that I've heard of Videntity. What is it, you ask?

Quoting:
Videntity.org is an OpenID registrar. Here you can register for free to receive an OpenID Identity, which includes a personalized web address you can use at any OpenID compatible website. This address will look like danda.videntity.org. (that's mine) As you can see, it is simple to remember and use, and it looks a lot like an email address.

The same address can also be typed into a web browser to load your personal "Videntity Card" web page, for example http://danda.videntity.org. Your Videntity Card page can display as much or as little as you like about yourself. So it is great for printing the address on business cards, in your email signature, and using as a single point of contact for new people that you meet.

And it looks like it has a social networking component as well...

ejnorlin at 08:36 AM MST
Liberty Continues Interop  #

From the "straight news" file: The Liberty Alliance continues its role in certification of interoperability around products -- announcing four new companies that have gained certification.

ejnorlin at 08:22 AM MST
ID Management Reigns Supreme  #

Dave Kearns points us to this article, which makes an interesting statement...

Quoting:
Fresh research in the UK shows that 73% of banks now cite identity management as their top transaction security concern, which has made identity management rise from being fifth to the most important driver for transaction security spend.

Integrity of data and the security of the network were found to be the next most important transaction security issues, in the research conducted on behalf of Thales UK by independent business market research specialist Vanson Bourne.

The number of banks now assigning separate budget for identity management has risen from 22% to 60% since 2003. Moreover, two-thirds of the banks’ transaction security infrastructures are either receiving or require immediate upgrade, the company said.

Wow.

ejnorlin at 08:18 AM MST
Oracle Bulks Up  #

For some reason, the title of John Fontana's piece on Oracle is conjuring up images of The Hulk for me. Does that mean I wouldn't like Larry Ellison when he's angry? ;-)

John does a good job of piecing together Oracle's suite and explaining their strategy for integrating it with their other offerings (via BPEL apparently), but I do question the idea that Oracle's "identity management suite" is now done and they have all of the pieces they'll need......

I question that if only because I think we're going to see simultaneous consolidation of functionality into suites and breaking apart of functionality into niche solutions. The result (combined with some startup energy) will be that things are emerging that we couldn't possibly *know* should be part of a suite.

And then here's the obvious one: multi-mode or 2-factor strong authentication.

The FFIEC guidelines are having (and going to have) a *huge* impact on the strong auth market -- suddenly people are realizing that strong auth is about risk evaluation and management. It's been reframed as a "business" decision and that makes all of the difference in the buying world.

It means that we're going to see increasing partnerships between the big guys and the strong auth guys -- and, eventually, i'd imagine -- acquisitions.

Strong auth is an old topic reborn. Between the FFIEC and the new movement for interoperability (see OATH, see the Liberty Alliance), I think we're seeing strong auth come out of a period of disillusionment and into a period of living in the sun.....

And it will be a driver for other technologies as well. Federation, to name one...

ejnorlin at 04:00 AM MST
November 18, 2005
Dave Kearns on DIDW-FS  #

Dave Kearns has a write up of some observations and learnings from Digital ID World-FS.

ejnorlin at 04:48 AM MST
November 17, 2005
No SAML for you  #

(nod to the Soup Guy)....well, at least not if you're running Active Directory Federation Server...

That was the loud and clear message from Don Schmidt of Microsoft.

Quoting the Infoworld article:
SAML 2.0 protocols are fine for strictly Web single sign-on, Schmidt said. But the WS-Federation protocols are better equipped to deal with a distributed Web services environment for message reliability, transaction support and security, he said. SAML 2.0 does not have reliable messaging or transaction support, he said.

The problem for businesses is when they want to federate but have chosen a different set of protocols. Vendors are developing translators between the two standards, but Schmidt said those potentially could have a security problem since there is a middle point where the data is processed, although he said he believes those systems will improve.

ejnorlin at 10:32 AM MST
Oracle and Pressure  #

Mulling over the Oracle acquisition and thinking aloud...

Who really is pressured by these acquisitions?

1. Computer Associates: Probably not. They've got their own acquisitions, and are down the road to product integration.

2. Microsoft: Arguable, I suppose, but I think Microsoft is playing this game in a decidedly different way from Oracle.

3. IBM: Probably not -- again. IBM offers a pretty deep set of IdM offerings.

4. Sun: I doubt that. Like IBM, Sun's offerings are pretty deep.

5. Smaller best of breed solutions: I take these out because I think these vendors are operating on a different architectural sale --by that I mean that Oracle's proposition is to provide an entire "suite."

Who does that leave? RSA and Novell.

Novell: Probably does feel the pressure of these acquisitions.

RSA: RSA is the interesting one -- if only because RSA had a pretty deep partnership with Thor. Assuming that something changes in that partnership, RSA is suddenly missing a provisioning side to things. On the other hand, they offer two-factor authentication in ways that Oracle can't touch.

Bottom line: Even if these companies compete on "suites", it still comes down to the customer's requirements, prioritization and architectural leanings.

ejnorlin at 08:54 AM MST
Silos and Integration  #

Anyone who's talked to me in the last month knows that Phil and I have been noodling over the "theme" for the next Digital ID World show (May 15-17 at the Santa Clara Marriott)....

One large idea that we've been pounding on is that of "identity silos." By that we mean not only the end-user experience of having a bunch of different identities silo'd inside of corporations (the "identity meta-system" topic), and the integration or bridging of identity silos across partners and M&A activity (federation), but also the internal silo issues that enterprise IT guys are facing.

These internal silos are about things like management consoles, virtual directories, meta-directories, legacy infrastructure, etc.

And so it is that the Oracle acquisition of OctetString and Thor technology takes on a particularly interesting angle. This eWeek piece does a really nice job of summing it all up. In addition, it covers the "vendor sports" angle of suite versus best of breed, and IBM vs. Oracle vs. CA vs. insert your large vendor here.

Quoting:
Bob Maddy, vice president of IBM's Tivoli strategy, said Oracle has it all wrong anyway. "They're not really solving the customers' core problem," he said. "What they don't need is more silos of management. People who are doing identity and access, how do you tie all that information to the underlying infrastructure? They have no technology in this space. It's all manual with their tools."

So silos cover all kinds of Identity issues......

We're open to any comments folks have -- lemme hear from you -- eric AT digitalidworld.com.

One other side of the acquisition story is this: the funding of startups and launching of startup products is happening at a pace that is at least as fast as consolidation in the industry. In other words, we've got an exploding marketplace on our hands folks......So many companies to watch, so little time.

ejnorlin at 06:45 AM MST
November 16, 2005
Oracle buys...  #

...everything! Ok, I'm kidding.

Oracle purchased Thor Technology and OctetString today -- adding provisioning and virtual directory capabilities to their identity management suite.

The press release is here.

More details as we hear them.

Oh, by the way, the news was yet again broken at Digital ID World. We really do mean it when we say big stuff happens at our conferences ;-)

ejnorlin at 02:47 AM MST
November 14, 2005
IIW online  #

Phil Windley, an old friend to Digital ID World, has posted audio files from his recently thrown Internet Identity Workshop....very worth checking these out.

ejnorlin at 06:49 AM MST
A Recap - kind of  #

Last week, we threw a small party in NYC. Okay, it wasn't actually a party - well, unless you consider in-depth discussions of the ins and outs of identity management by financial services professionals a party.

Digital ID World - FS was a great time. And more than that - really informative.

It was also unlike any show we've ever done before. Traditionally, Digital ID World is an all-out, 4 track, community gathering, news-making event. Digital ID World-FS was a close knit, no content to get posted afterwards, gathering -- by design.

Next up: the Mother of All Digital Identity Events --

Digital ID World 2006 (may 15-17, santa clara marriott).

Details to follow...

ejnorlin at 03:44 AM MST
November 10, 2005
Global Identity Body  #

A senior IBM exec has called for a global body to establish standards around identity management.

Quoting the ZDNet article:

What's missing right now, he noted, is a trusted third party to authenticate trustworthiness. "So we've got inconsistent and incomplete implementation [in individual countries], and also no standard approach to the future nor a target to shoot at."

My immediate reaction is that this sounds like a sure-fire quagmire. Enterprises are working on their identity management problems. Governments are working on their identity management problems. Groups are working on individual identity problems.

Do we need a "trusted third party" for identity verification? Probably.

Do we need *another* body working on standards and procedures? I hope not.

ejnorlin at 08:09 AM MST
November 09, 2005
Liberty Morphing  #

Actually, it's not like the Liberty Alliance is *just* beginning to morph their purpose - that happened awhile back with the invention of Special Interest Groups and things like the ID Fraud working group. Now, Liberty has announced ID-SAFE - its working group for strong authentication interoperability and standards.

My main question is this: How does this relate to OATH - the VeriSign-led initiative for a standard around authentication???? anyone?

In any case, Liberty began as an organization focused on federated identity. Now, it's an organization focused on identity, in general.

ejnorlin at 02:05 AM MST
November 08, 2005
Ballmer on Federation  #

Okay, not quite. But Steve Ballmer actually uses the word "federation." I know that doesn't seem like much, but when you step back to where Digital ID World was in January 2002 -- well, you suddenly see how far we've come.

Quoting:
Clearly, if you just look at what we have done already with identity and Active Directory federation with Passport, you start to get a Live element, if you will, of Windows Server. Perhaps the most important thing we do is to allow developers to federate their own applications running on their own servers with the rest of our cloud-based (on the network) services.

Off to Digital ID World - FS.....

ejnorlin at 02:23 AM MST
November 07, 2005
Digital ID World - FS  #

And so it finally arrives.

This week we're throwing our "FS" (financial services) show in NYC. All of the preparations are made, the content is going to be awesome, and hey - we even have attendees showing up! ;-)

The event should be pretty unique in that we've worked really hard to put financial services IT types on stage telling their stories. It's one of the few forums where FS-IT guys can hear from and speak to their own.....getting approval for financial services firms to talk is never easy.

Hope to see you there!

ejnorlin at 04:20 AM MST
November 04, 2005
Reading new blogs  #

I'm trying to read new identity blog entries -- add to my list of RSS subscriptions.

Today I'm reading Scott C. Lemon's blog.

Scott's got some interesting thoughts about how a Firefox form-fill "on steroids" would interact with InfoCards, LID, Sxip, and federation protocols. Good reading - check it out.

Is it me, or is the universe of identity protocols dizzying at times? I'm around it constantly, and *I* find it to be a bit much. Identity Alphabet Soup --lemme count the protocols: Liberty ID-FF1.2, Liberty WSF2.0, SAML2.0, SAML1.1, WS-Trust, WS-Federation, Shibboleth, OpenID, LID, Passel, SXIP, XRI/XDI -- and then go throw in firefox plugins, proprietary extensions, product specific feature sets -- yikes.

Maybe the explosion of protocols and means for accomplishing things is an indicator of where we are in our development and soon to be history....

[Later...]

I also just discovered Sara Gates' new blog - aptly named, From Here to Identity.

ejnorlin at 04:27 AM MST
Limiting Data Use  #

Microsoft's general counsel is calling for a national privacy law - one main part of which would "allow consumers to limit how information about them is used and should apply to online and offline businesses equally."

The use of individual data is becoming a white-hot topic --one that we're addressing in a limited fashion at next week's Digital ID World/FS show, and one that you know we'll be tackling head-on at Digital ID World 2006 (shhhhh! did i mention it'll be May 15-17, Bay Area -- mark your calendars!).

Anyone out there know someone at eBay they can get me in touch with? The article mentions eBay supporting a national law, and I want to start thinking about getting folks like that on stage for a panel in May. Please drop me an email (eric AT digitalidworld.com) or leave something in comments if you do. Thanks.

ejnorlin at 03:31 AM MST
November 03, 2005
One to watch  #

I've known about and followed Passmark Security for some time -- their CTO, Louis Gasparini, attended a couple of the earlier Digital ID World shows when he was still at Wells Fargo.

Now, with the new FFIEC guidelines for online authentication, Passmark's story and stock (figuratively speaking) is on the rise.....

You can learn more about them and the implications of the FFIEC guidelines at next week's Digital ID World / FS (financial services) summit in New York.

ejnorlin at 05:10 AM MST
Google and Identity Patents  #

Here's an interesting one...

The Search Engine Journal is reporting on some patents that Google has applied for -- and they caught my eye:

Google has filed for an organic search patent, termed Personalization of placed content ordering in search results, to serve organic search results based on user profiles. Google has also applied for a similar behavioral targeting patent for its advertising network, but this seems to be a first from Google with plans to integrate user profiling into natural search ranking.

Google is another one of those companies that a bunch of folks have been talking about as an identity play -- these patent applications confirm it.

Scoble's over there saying that it's all about attention (and Steve Gillmor's AttentionTrust.org)....it may be, but attention is all about identity. Even Steve admitted that when pressed by Tim O'Reilly at the Web 2.0 show.

ejnorlin at 04:37 AM MST
Schneier on RFID Passports  #

The U.S. State Department's requirement that all passports be enabled with an RFID chip by October 2006 is a pretty controversial subject. In this excellent Wired article, Bruce Schneier rips the whole tangled argument apart, and finds one concern still unaddressed:

RFID chips, including the ones specified for U.S. passports, can still be uniquely identified by their radio behavior. Specifically, these chips have a unique identification number used for collision avoidance. It's how the chips avoid communications problems if you put a bagful of them next to a reader. This is something buried deep within the chip, and has nothing to do with the data or application on the chip.

Chip manufacturers don't like to talk about collision IDs or how they work, but researchers have shown how to uniquely identify RFID chips by querying them and watching how they behave. And since these queries access a lower level of the chip than the passport application, an access-control mechanism doesn't help.

To fix this, the State Department needs to require that the chips used in passports implement a collision-avoidance system not based on unique serial numbers. The RFID spec -- ISO 14443A is its name -- allows for a random system, but I don't believe any manufacturer implements it this way.

Adding chips to passports can inarguably be good for security. Initial chips will only contain the information printed on the passport, but this system has always envisioned adding digital biometrics like photographs or even fingerprints, which will make passports harder to forge, and stolen passports harder to use.

But the State Department's contention that they need an RFID chip, that smartcard-like contact chips won't work, is much less convincing. Even with all this security, RFID should be the design choice of last resort.

The State Department has done a great job addressing specific security and privacy concerns, but its lack of technical skills is hurting it. The collision-avoidance ID is just one example of where, apparently, the State Department didn't have enough of the expertise it needed to do this right.

Highly recommended - read the whole thing.

ejnorlin at 02:53 AM MST
November 02, 2005
Live Era  #

Microsoft went and launched their "live" line of stuff -- which kinda looks like office and blogging and search and IM, supported by ads or subscriptions or licenses. Did I get that right? All bases covered ;-)

One quote that caught my eye:

"It's easy. It's live, and it has 'me' at the center of the universe," said Blake Irving, a Microsoft vice president who was on stage to demonstrate Windows Live.

Yea, I know - some of you will claim I'm wearing identity-colored glasses, but come on....."me at the center" -- sounds like an identity thing to me. Maybe Kim Cameron can tell us how InfoCards plays into Windows Live.

Can I set up an InfoCard on my Xbox (stored there) and then use my Xbox to browse to Windows Live and log in with my gamer ID....???

[further] Dan Farber blogs the following:

Microsoft's services platform will be general and comprehensive, Ozzie said. It doesn’t require Windows to use, and it will have core foundations (storage, communications, identity, relationships, advertising & billing and payment), interfaces (AJAX RSS, Web services, Client APIs & UX, native code, managed code) and solutions (Web sites, workspaces, forms & views, messaging, calendaring, libraries). In addition the platform will support not only cloud-based architectural models, but cloud-federated servers, P2P direct, P2P relayed, online and offline, Ozzie said

Identity as a core foundation.....

A quick story: Way back in the early mists of time (like 2002), when Phil and I spent a lot of time on the road talking to big companies about identity, we went to Microsoft. Bill G. and Steve B. were giving some press/analyst presentation and Adam Sohn (working with Brian Arbogast) had invited us. I remember Bill having a slide on the importance of digital identity -- one that I guess Adam had fought to get into the deck. Back then I thought "aha! Gates said it - Digital ID World's success must be right around the corner!" Funny how things work ;-)

Here we are years later -- still working for greater success, and still having many of the same conversations.

ejnorlin at 02:39 AM MST