Marc is posting about conferences and what he'd like to see happen.....and I agree with much of what he says.

Now, this isn't a Digital ID World specific thing, but as a guy who builds conferences for a living -- I listen (and talk about) all of this with great interest.

Here's what I see and think:
1. yes - many conferences have become "the same old guys" (i saw "guys" purposefully) talking the "same old stuff".

2. yes - and even worse - a lot of conferences are simply speakers talking AT the audience....and really, we're all past being an "audience", right?

But (you knew that was coming), I still believe (as I think Marc does) that there are large numbers of IT folks (people working hard inside of enterprises) that seek out a forum where they can:

A) engage with their peers to find solutions to their problems
B) seek to learn about new ideas
C) interact with vendors (if they already have a "buying strategy") to see who can best help them

In other words, conferences can do a lot to help create a marketplace where great conversations take place.

And *that* is really the key to me.

At Digital ID World, we have always strived to not only provide great "content", but to provide a space where smart people can engage in great conversations. Along those lines, I think the keys to this are several-fold:

1) eliminate the "speaker proposal": far too many shows (which shall remain unnamed) post a speaker submission form; receive submissions; and then pick from that pile. What this results in is a whole lotta vendors (who really do think "you need schoolin'") on stage talking vendor-speak.

2) Engage the community: without a community, there is no conference; and if you're not engaging the community, you have nothing. Phil and I are *constantly* trying to talk to as many people as we can in the digital identity universe....customers, vendors, thinkers, subversives, rebels, ordinary joes, people that aren't in the "identity" business.

3) Once you've engaged, enlist: you must *work* to get the story right. Every show tells a story -- and that story is always changing. We spend (literally) days trying to figure out what story (and stories) the DIDW schedule is telling. And the only *real* way to engage is to enlist -- hunt down the most interesting people in your community and work with them to get the forum right. Sometimes, that's a presentation. Sometimes, a workshop. Sometimes - an open forum (an unconference) where the audience structures all of the content. (i'm working on some of this right now).

4) Do the legwork: why don't all shows do this - cuz its a lot of hard work - that's why.

5) Get real stories: Stories aren't enough - they need to be real. One of the problems is that we've got a cadre of "professional conference speakers" -- yeah, they're wonderful on stage, but seen 'em once -- well....you know. What we need are real stories. Phil and I seek out "customers" -- ie, real peopple that are doing real things with identity. Often these are the guys in the bowels of corporate america - guys (and gals) slaving away in relative obscurity. But you know what - they're have REALLY interesting things to say. I'd much rather hear about a guy struggling at a Utility company in the southeast, then a VP from a major software company.

I think you get the idea. What does doing all of this take? Two simple ideas:

1. Markets are conversations.
yep - the old maxim. Look - all conferences try to do is create a forum for better conversations.

2. Markets are getting smarter faster than the companies that serve them.
This one is essential. I guarantee that Sun's or Oracle's or Novell's or Microsoft's customers are smarter about what they want and what their working on than the vendors that serve them.

As for the 24/7/365 thing: that's a tough one. We're working on it. Hard.

bottom line: we know we're not perfect. we know that only hard working and constant interaction and ability to change will get us closer to our goal.

What is our goal? Simple -- to provide a conference forum that people feel they must attend, and when they do, they leave feeling overwhelmed by what they experienced.

Why do we want to do that? Because we've done moments of it in the past. I know that we've had folks come to DIDW and walk out just blown over. I know because they've told us. Of course, we're not stopping there....we want a truly "must attend" atmosphere -- not because we've put great "content" on stage, but because we've helped a community come together and accomplish real things.

I (personally) throw conferences for that community. Not the alpha geeks (sorry guys, but you're a small portion not the whole thing); the people in the trenches that only go to 1 or 2 shows a year. I want them totally satisfied and looking forward to next year.

The irony is that Marc isn't the typical guy at conferences (nor is Dave Winer) - they're not the community "at large." However, Marc has great insight and he's right to push all of us.

So Marc - I hear ya. I agree on a lot. We're working on everything -- and hope that we're getting closer all of the time.

Please, everyone, tell us what you want, who you want, what the best method is, all of it. Once you tell us, we'll work to deliver. That's our job.

Happy New Year.

It can be easy to forget that "identity technologies" are not strictly about people. The "identity of things" is a side of identity that we have always tried to cover on a consistent basis. The reason is simple: Digital ID World is about the pervasive identity infrastructure that is being built as the march of networking goes on.

To that end - Verichip has announced an IPO. An RFID company goes public - that's gotta count for something, right? ;-)

Nick over at WikID (which is probably *another* of those ID companies that you haven't heard of, but should have) has sent me his list of predictions. They are:

1. Host/mutual authentication will become critical in 2006. There will be an attack against banks using non-cryptographic based host authentication (ie, pictures, cookies).

2. Transaction authentication will become a hot topic later in the year due to session hijacking trojans.

3. Strong authentication systems that don't follow Kim Cameron's Laws of Identity will be seen as weak and catch flak for it.

4. 'Layered Authentication' where lack of a cookie or appropriate IP address triggers additional authentication will be shown to be a marketing neologism covering weaknesses. "Layered authentication" based on cryptographic mechanisms to secure session, host/mutual and transaction authentication will get alpha-geek backing, though it is unclear whether that will help adoption of such systems.

My comments: 3 is a stretch; 4 - hmmm - I'm not sure that I agree that non-cryptographic layered auth is *simply* a marketing tactic.

...But a good list nonetheless! And Nick goes on to finish with my personal-favorite prediction for 2006:

"I get the budget to attend Digital ID World."

;-)

I just posted our predictions for 2006 - along with our grades on our 2005 set.

But I'm not done!

Send me your predictions (eric AT digitalidworld.com), and I'll compile a second list of reader predictions. We can run one of those experiments to see who's better at predicting the market....;-)

Andre Durand of Ping Identity has given an interview in which he responds to the recent spate of acquisitions in the identity management space -- specifically, HP's acquisition of Trustgenix.

Quoting:
Q: Large companies seem to appreciate ID management software. In the past few years, HP, CA, BMC, Oracle and others have all filled gaps by acquiring your rivals or partners. How does it feel to be one of the last startups of this ID management space?

It's one of those things where you get bipolar about how you feel about it. Should I be ecstatic, or should I be really scared?

Many don't know that Andre Durand (CEO of Ping Identity) used to be a tennis child superstar (or something close)...

It is with a bit of holiday irony, then, that I say that Dave Kearns has now firmly placed the "federation" ball in Andre's court.....

Dave says:

Durand then brings in his own CTO, Patrick Harding, to point out what he says are the problems with this scenario. Harding gets right to his main point: "My point was that if every piece of infrastructure (i.e. firewalls, SSL VPN's, App servers, IdM systems, apps, proxies, XML gateways etc etc etc) can consume or generate a SAML Assertion then the overall trust model becomes completely unwieldy."

Maybe, just maybe, it's time to think beyond point-to-point SAML-style federation and to design a web-like structure of built-in identity authentication, verification and validation. Nothing full-blown, of course, but client-side and server-side pieces so that identity data can be federated (small "f") as a mesh, or web, of services.

Andre??

Novacoast has joined the identity management party (welcome!) -- and here's the twist -- their solution is about integrating an open source PBX. I admit to never having heard of that one before.

Quoting:
Novell Identity Manager is used by Novacoast's VoiceRD as a key component of the rapid deployment methodology. Dan Elder, Linux practice manager at Novacoast, explained that with Identity Manager, users link their Asterisk PBX deployment against an existing directory so they don't need to recreate or re-enter user data.

Elder explained that thanks to the integration in VoiceRD of Identity Manager, one directory entry can set up a user's e-mail, phone number, and voice mail. When an administrator enters a new user into the directory a corresponding entry is generated in Asterisk with a voice mailbox.

ID Managment and provisioning for phones, voicemails, etc -- I love it! Now, will someone please do the same for physical access?

Here's an interesting one:

Identix Incorporated (Nasdaq:IDNX) announced today that it was awarded a contract for its ABIS(R) facial identity management solution to help ensure "one person, one vote" in an unnamed foreign country.

Did I mention that the identity industry is sprouting new companies like weeds?

iVest -- an "internet security solution provider" that has decided to join the party.

Come one, come all...

One of the big announcements at the Syndicate conference was the Structured Blogging Initiative.

Essentially, its an impressive list of blogging ecosystem companies that have agreed to make microformats (around things like events, ad listings, event listings) interoperable.....

And its importance for identity? Well....

1. Sxip Identity is one of the companies involved - which would seem to indicate Sxip's deepening involvement in the blogging-identity world.

2. This group is seeking to "democratize" a bunch of information - so that whereas you used to go to siteX to list job ads, now you have a standard format to list that information (which allows services to be built on top of it).

Combine all of this with the growing movement around URL-based identity, and its beginning to feel like something might be about to happen in the world of blogs and identity.

I've been waiting to hear that SAP has jumped into the game.....and then, finally, today I see this:

(quoting:)

SAP AG (NYSE: SAP) and Siemens AG (NYSE: SI) has announced that they have expanded their global strategic alliance through the delivery of a flexible, standards-based identity management solution.

Delivered through the SAP NetWeaver platform, Siemens identity management solution, HiPath SIcurity DirX Identity, integrates with SAP applications to help companies automatically centralize and manage their employees’ IT access rights across the enterprise.

Is this everything SAP needs to do? Nope.
Is it a clear sign that they saw the Oracle shot across the bow? Yep.

I love it when the marketplace expands ;-)

For those of you that are interested in things like Liberty's ID-WSF "people service" - there's an upcoming webcast on the topci.

What is the "people service", you ask?

(quoting)
The Liberty ID-WSF People Service(tm), a key component in ID-WSF 2.0, is the industry's first comprehensive platform for managing social information within an open federated network environment. People Service allows consumers and enterprise users to manage social applications such as bookmarks, blogging, calendars, photo sharing and instant messaging from a common layer within the ID-WSF 2.0 framework. Liberty People Service has been developed to allow individuals to easily store, maintain, and categorize online relationships so that other socially-aware Web services applications can leverage information based on the consent and privacy controls established by a user in the federated social network. With Liberty Alliance People Service, consumers and enterprise users can now centrally manage all of their online social relationships using a federated network approach with privacy controls built into the system allowing users to leverage the privacy functionality of Liberty Web Services to more easily and securely share social and enterprise information across applications, platforms and service providers. In this Web cast, we'll overview the functionality of People Service and provide some use case examples. You won't want to miss this highly informative session.

Sounds like identity for blogs and social media ;-) They should have Johannes Ernst and Dick Hardt show up as guest commenters....

More great identity podcasting going on -- this with Dick Hardt of Sxip and Kim Cameron of Microsoft....

Listen up!

CNN is reporting on an Italian law that mandates people showing ID in order to use public Internet terminals...

I think this one probably violates 5 or 6 of Kim's 7 Laws...

Kaliya highlights her identity thoughts around the Yahoo! acquisition of del.icio.us....

Yes, the identity conversations expands (again ;-)....

Several days ago, I highlighted e-Security as a company that was realizing it was an identity company. Now we have the news that e-Security and Cisco have a fairly substantial alliance being initiated.

There's no doubt in my mind that large pieces of Cisco's business will be "identity companies." Is this alliance a prelude to an acquisition? Time will tell. But Cisco getting into the identity race in an active way sure would shake up the field (fyi: Juniper is already in).

David Weinberger has been involved in the identity space since we invited him to our first conference. He has also (always) been *against* nearly everything the identity industry would even think about doing with the Internet.

David is now writing about unique IDs --- for things (like books). In typical brilliant David style, his writing addresses not only the practical (and funny), but also the philosophical (ontological) nature of IDs.

David ends by throwing in his usual caveat about how humans don't need IDs, but by talking about the world of electronic *things* - even Mr. Weinberger may be getting closer to believing in the need for identity.

Coty just wrote to me suggesting some other companies that should be included in our continuing "market expansion" discussion. One was Equifax -- amen, let's hope *they* come to see themselves as primary attribute providers soon.

The other is in line with my Quova post from the other day -- a company called Digital Envoy. Are they an identity company? Check out their two business units:

Digital Resolve - Authentication solutions for ID theft and Fraud

and

Digital Element - content localization stuff for interactive advertising

I'll issue the same invite to Digital Envoy as I did to Quova (who's already gotten back to me) -- come to the show, drop me a line, let's get an interesting speaker presentation together outlining how these technologies are converging to solve identity problems.

In my quest to highlight companies that help to illustrate the expansion of the identity market, I bring these two companies that you might not have heard of:

Imanami - a *very* interesting company because they bill themselves as a solution that helps ease the installation of *other* identity management systems; which is to say that we have an *ecosystem* of identity software.

Edentify - an emerging provider in the "identity fraud prevention" market. Funny thing about identity technologies -- on the enterprise identity management side, *everyone* wants standards-based technology, but on the fraud prevention side, *everything* is based on "proprietary" technology.

I've been writing on Digital ID World since 2002 -- in that time, you notice some cycles. One of those cycles is the immutable fact that every nine months or so some "mainstream" tech reporter is required to write a "we'll never have our privacy again because of this scary technology" article.

Good news! The immutable fact remains true, as this Wired article shows.

We begin the article by talking about the Travolta-Cage action movie of a few years ago (Face/Off) -- which dealt with facial transplants, and then move on to draw the inevitable conclusion that we'll all need to get one with this dangerous new identity technology coming down the pipe.

The *actual* interesting thing in this article is Riya, a nifty little technology that uses Tags and some photo recognition software to help identify people in your photos. I'm betting they get acquired quickly (can you say Goo-gle?).

News that 17 people have been busted in Arizona for being involved in an identity theft and money laundering ring.

Quoting:
According to the U.S. Attorney's Office in Arizona, the 17 were recruited through Internet chat rooms by scammers in 19 countries, including Australia, Serbia and Montenegro, Mexico, Canada and Russia. The suspects cranked out counterfeit debit and credit cards, then used them to pillage accounts at local ATMs.

Some news today around Microsoft's update to Windows server -- what this article calls "Trustbridge" -- which is to say, Microsoft's federation capabilities.

At the same time, Ping is announcing a toolkit that integrates WS-Federation into Apache stuff.

Extending ADFS into perl, php, and java environments.....interesting.

Later:

Turns out that Centrify is supporting similar capabilities with its DirectControl product, while Quest announced immediate support via its Vintela line of products.

Add another company to the "federation capabilities" list that I never knew did federation (Centrify).

I think that "identirati" are already largely aware of how geolocation is an identity construct (see Liberty's geo-X services in the WSF spec)...

Along those lines, I'm pointing out Quova as a company for us to watch (I found it on Brad Feld's blog)....

Here's why:
We've been highlighting the expansion of the "identity industry" - even as many acquisitions are happening. One of the expansion methods is when companies come to *see* themselves as an identity company.

Quova does not currently think they're an identity company (and hey - maybe they're not), but they have geolocation technology that assists with compliance (identity flag), DRM (identity flag), content localization (identity flag) and identity fraud prevention (identity flag)....which is to say that i'm betting they're an identity company.

Shall we observe as they come to understand that? Heck, maybe they already do and they just aren't marketing things that way. How does a company come to know its an identity companhy? When their customers tell them so.....

Quova - come to Digital ID World this year and see if you're not suddenly finding yourself right at home....in fact, send me a speaking proposal and let's see if something interesting can't be done ;-)

Looks like some folks running UK government website may have been more concerned about themselves than their constituents. It seems they *knew* a site could be used for id fraud and just didn't get around to shutting it down for six months.

Quoting:
HM Revenue and Customs, the U.K.'s tax authority, was warned about the flaw more than six months ago. However, it only closed the tax credit Web portal down last week after it discovered criminals had used the identities of 1,500 government employees at the Department of Work and Pensions to make fraudulent claims.

*sigh*

Brad is posting about how Trust, Attention and Relevance are words that he's hearing over and over and over again in the world of user-generated content.

[begin broken record]
*Ahem* -- yes, RSS, weblogs, podcasts, etc -- in fact, all of the "Web 2.0" stuff has, at its core, an identity problem...one that's getting worse not better. Readers of this space know all of the players working in this space (to name a few):

Sxip
Root.net
AttentionTrust
YADIS
OpenID
i-names
LID
Passel
Infocards

and i'm probably missing several hundred others....

DIDW2006's theme is around managing the decentralized nature of identity -- that nature (that identities are distributed everywhere) is the core of the identity problem that brad is referring to as RAT, ART or TAR....and having one company give their solution (google) and another theirs (yahoo) and another theirs (newsgator)....

well, then, we're just running in circles, aren't we?

On the acquisition front (is this happening every other day or is it just me?), RSA has spent 145mm to buy Cyota.

While over on the major product release front, Novell released Identity Manager 3.

John Madelin of RSA is writing good stuff about authentication over on the RSA corporate blog.

Quoting:
Identification is a very powerful and important thing -- to identify a person in the frictionless world of the web is a dangerous and valuable step to take. Witness the extraordinary impact of identity theft in both financial as well as emotional terms. Of course, identification is very important, but it will gradually become a smaller and much more highly-valued component of a more layered approach.

Finally, having introduced this layered approach to authentication we can overlay typical real-world behaviours as we think about how and when to apply them in practice.

There seems to have been a renewal as of late around the idea of URL as identity (via Dave Winer and OPML), as well as through Johannes Ernst's work around YADIS....

And now, this report from a YADIS meeting that included people from Six Apart (weblogs), Verisign and Cordance (XRI)...

Looks interesting! Are we getting somewhere? Maybe. Its not traction (yet), but...

Sara Gates has posted another entry on her blog -- this time highlighting customer discussions:

(quoting)
The interesting thing is that we have moved from talking about the management OF identities to the management of our business BY identity. Identity is what brings meaning and security to business transactions.

Amen and hallelujah! (sorry, my daddy was a preacher. no, really.)

The irony, of course, is that the shift from management OF identity to management BY identity was Phil's conference opening keynote back in 2004. ;-)

[later: phil informs me it was his 2003 keynote! ;-)]

...to a world wherein ads are served on something *more* than behavior....

identity-based ad serving -- powerful, and probably somewhere just around the corner...

Sun's announcement today that it will make ALL of its identity management suite free (at least in a "test drive" sense) is pretty radical.

This suite includes sso, federation, provisioning, password managment, synchronization, directory services, access control -- and a bunch more.

What does it all mean? Hmmmmm....

At a high level, commoditization of the "stack" will only accelerate the market and bring about the next wave of identity applications and technologies.....the disruption in will cause ripples that we'll be watching for months.

Fasten your seatbelts, things just got even more interesting.

Phil's newsletter from last night began to explore the idea that the "identity ecosystem" (of technologies) is actually expanding and growing at rate that is faster than we all realize. As someone who gets an awful lot of press releases from "identity companies" - either newly funded, or deciding to be -- I can say that i TOTALLY agree; the number of companies in our ecosystem is absolutely growing and growing quickly.

The theoretical underpinnings of "why" is something that we're always exploring - but one of the keys seems to be the fact that identity as a technological construct is really about removing friction from "the network."

By "the network" I mean *everything* that is being networked together -- from the internet, to backend systems, to mobile devices, to individuals, to legacy infrastructure. And when the nature of a technological construct (identity) is to remove friction from an ever-expanding network, then (by extension) the construct itself is something that has to expand at a rate at least equal to the network itself.

What that all really means is that identity technologies are being "born" at a rate equal to the expansion of our networked world.

The result is a growing ecosystem of identity technologies and vendors -- some specialized, some innovate, some vertical, some platforms -- the diversity is everywhere. Did you know, for instance, that there is an identity management platform vendor that ONLY sells to the healthcare industry? (If you're wondering who, its Sentillion.)

Along those lines -- some links to "identity" companies that a lot of folks haven't even heard of yet:

Portrait Software

e-Security

ImageWare

...and have you heard of A10, Applied Identity, Realm Systems....

the list goes on and on and on.

[Later:]

Trusted Network Technologies has a really good post that provides some perspective on the expansion of the identity ecosystem....ending with a great sentence:

As this market matures, it keeps getting more and more interesting.

And by "matures" they mean "is just beginning to grow up" -- think of the identity market as a 10year old ;-)

Okay, maybe I'm just in the mood to be impressed, but this map is REALLY cool. Click on stuff and watch the identity universe expand ;-)

I can't find attribution for this work, but whoever out there did this - Kudos!

The only thing I knew about Triplesec prior to 10 minutes ago was that you need it to make a good margarita ;-)

It turns out that Triplesec is:

Triplesec is a strong authentication server based on the Apache Directory Project. Strong authentication servers enable authentication using One Time Passwords (OTP) usually generated from a hardware device called a token. Triplesec is used with the Hauskeys mobile application for generating HOTP values. Your cell phone becomes the only device you need with strong authentication using OTPs.

Unlike other strong authentication servers, Triplesec is unique since it does not require invasive changes to applications and operating systems for authentication to occur using the HOTP algorithm. Triplesec is able to non-invasively use OTPs because it uses standard protocols. It contains both an LDAP and a Kerberos protocol server.

wow. who knew? (not me.)

I, of course, consider strong authentication to be one of the new primary drivers -- so I'm always excited to learn about new companies (at least for me) in this corner of the identity ecosystem.

Even more exciting is this. Just yesterday, Phil and I were talking about how an open source identity management platform would indicate a growth cycle in core identity management technologies....

Now - the next question -- does this project have any customer traction?