I picked up an iPod this weekend for entertainment on my travels. Can you believe how much information that little box, 1/2 the size of a deck of cards, can carry? My entire collection of 200+ CDs only fills about 1/2 of its capacity. Guess I need to enlarge my collection. Technology is amazing.
Identity Mashup 06
June 26, 2006
I am sitting at the airport waiting for my return flight to Seattle. I spent the last 3 days here in Boston attending the Identity Mashup 06 un-conference. An entertaining and very different experience from the more corporate focused conferences I usually attend such as Catalyst and DIDW. It was much more touchy-feely, focused a bit more on the individual rather than the enterprise – an excellent stimulus to broaden my thinking. It was also amazing to interact with nearly all the great minds in the identity space.
There are many things swirling around in my head, but some have points that seem to be gelling into potentially coherent thoughts.
First I found it curious that after 2 days of conference I don’t recall anyone using the “federation” word. Given the technologies we were discussing this seemed rather peculiar to me. This morning I realized why that might be. As I said above, this conference was more “personal” focused and federation is a rather impersonal techno term. I believe people at the Mashup were using the word “relationship” instead. I would claim “federation” and “relationship” are fundamentally the same thing. I didn’t get universal agreement, but I am going with it for now.
Second item coming together was prompted by a comment from Dick Hardt. During one of the panel discussions he asked “what exactly is the problem we are trying to solve?” – One of my favorite questions. My answer so far is:
- Preventing the theft of identity (my definition is the third item of this post) directly from the user (such as phishing and spoofing)
- Preventing the theft of a user’s identity from some other third party (“Sorry boss, I lost my laptop.”)
- Establishing an environment where the user has trust and surety that they can conduct transactions with confidence (secure e-Commerce)
- Providing the ability for relying parties to make transaction decisions based on authoritative identity attributes (trusted assertions)
- Making all the various identity providers, protocols, etc. invisible to the application developers. (They just want to know who it is and what should I let them do?)
The third item is the definition of identity. A small few still seem to hold the perception identity is “who I am”. The majority of folks are now talking about an identity representing a subject (or subjects) within a context. I agree with this definition but being a programmer at heart I am trying to boil it down to bits and bits. Aren’t we really talking about a collection of data attributes about the subject(s)? As we talked about the “i-Card” Paul Trevithick suggested it also reflected relationships – not quite sure what those “bits” look like yet.
A last thought for now. Higgins – seems like a worldly, multi-lingual virtual directory?
I met many new people at the conference. I left excited about the energy and collaboration developing around the idea of an identity metasystem.
The beginning
June 18, 2006
A number of things have motivated me to try my hand at blogging. At first I was concerned with the time commitment, but I have discovered by looking at blogs from others I respect that I don’t have to post every day, or week, and in several cases every month. OK!
I just returned from what I considered as a most exciting Burton Catalyst conference. I claim this based on the quantity of thought provoking material around user-centric identity such as Higgins, DIX, Information Cards, Mike Neuenschwander’s pro-social management systems, and Bob Blakley’s metadata “oracle”. The material presented at the conference, along with the hallway and bar discussions helped me to start piecing much of this together. Prior to the conference I had some perception we had a number of concepts competing in the “user-centric identity” space. Probably true, but I left the conference with a picture of how many pieces can fit together to address, and maybe solve (ok, improve) the whole problem (the definition of which in itself is mind boggling).
There are a number of problems in the security/identity including phishing, identity theft, trust, manageability (fundamentally no-brainer security that minimizes cost to the enterprise). What got me thinking at Catalyst is how the various efforts/ideas listed above address different dimensions of the problem. So much to sort out here…but some brief observations:
- I started with the idea that user-centric identity could solve the corporate problem of lost/stolen identities (credit to a colleague who planted the seed). If corporations did not have identity information then they could not lose it. Good idea, not reality.
- Next Higgins. A framework that defines a standardized identity interface and how providers plug-in (immensely simplified). Great idea – see previous bullet. Corporations and service providers will not be ejecting all user identity data any time soon.
- People are increasingly not trusting the Internet. An idea with significant merit because most people are not computer savvy and security knowledgeable. Enter the Information Card idea – clearly addresses the interface issue with today’s phishing attacks and could transform jargon and mystery into user comprehensible interaction.
- One of Mike Neuenschwander’s presentations stimulated thought around a common issue I deal with in the corporate world – manageability. His point was that administered domains work well in closed environments, but don’t scale. Given today’s reality of global, collaborative environments we need new workable models. The federation thing?
- Bob Blakley’s presentation on metadata sharing, instead of *DATA* sharing was right on. I realized this was the connection of privacy to the ISO Access Control Framework. Many are developing Policy Decision Points today that can support decision making without revealing private information (I am working on this). Of course there is the small matter of how the “oracle” knows how to make the decisions.
Time to go pack for the Identity Mashup in Boston. I spend much of my time looking at current leading edge things but I am anticipating next week I will get glimpses into the “distant” future.
Exciting, wish I could transport to Boston. Guess I will get up at 4am for now.
Posted by Mike Beach