More on Higgins

October 14, 2006

My thanks to Pete Rowley for sharing insights on Higgins.  Based on his post I have furthered my understanding but I still don’t know if the answer is Yes or No 😉 

Higgins seems to be an elephant (in the sense of the 3 blind men).  It depends on your perspective – identity provider, service provider, or infrastructure provider.   The identity provider can plug in any number of capabilities/protocols, the service provider can leverage from the identity pool with common APIs (just give me the identity stuff!), and the infrastructure can easily stitch a variety of identity services together both internally and across federations.  This is good.  The beauty is a well-defined, componentized framework for plugging all these pieces together.

Now, back to the question.  What is the difference between Higgins and a virtual directory?  I think Pete is suggesting they are similar but Higgins may be better componentized, structured, comprehensive and open relative to your classic virtual directory.  I am sure the virtual directory vendors will throw rocks at this.  In defense of the virtual directory vendors, I still don’t see any fundamental capability that Higgins provides that cannot also be delivered by a virtual directory.

Just so you don’t think I don’t have a position.  Higgins is helping to define the architecture of the identity meta-system.  Virtual directories will adapt (note that Novell is engaged with Higgins), but Higgins is a leader defining the new identity frontier.



Higgins vs. Virtual Directory

September 22, 2006

Can someone tell me the significant difference between a virtual directory and Higgins (besides Higgins is open source)?  I get the impression this is not a popular question.  While at DIDW I suggested we should rename Higgins to Virtual Directory 2.0.  The response was “Shush, don’t say that.”  I don’t really like dancing around issues.


User-centric Identity and the Enterprise – A collision in the making?

September 22, 2006

It has been awhile.  Just returned from Digital ID World.  Great discussions and enlightenment on my part.  I have seen a few blog discussions about the Patrick Curry / Kim Cameron session on user-centric identity in the enterprise.  This is a great discussion and I believe that user-centric identity (as manifested in the user experience) is likely to arrive at the enterprise much like the Internet did – I am here, deal with it.  I see an interesting contradiction in the drivers.  The users want control of their information / identity.  I have heard users voice their objection to a corporation mandating a federation with what they perceive as their personal information – classic example, 401K accounts.  On the flip side, the motivation for the corporation is to provide federation as a means to reduce the cost of support, primarily in password resets for the many accounts – a significant cost.  Allowing a user to be in the middle of, or decide on, a federation or passing of “identity” information allows the user to negate this corporate cost driver.

I suppose if we have an intersection of user-centric identity and corporate-mandated federation we might have a win-win compromise if most users choose to federate and those that choose otherwise are savvy enough to manage their own passwords and don’t call the help desk for a reset.  Then everyone would be happy – yea, right.

Actually I am optimistic that user-centric and enterprise federation will result in a better world, I just haven’t figured out all the details quite yet.


Bookkeeping details

July 25, 2006

As I grok more about the distinction between personal identity and corporate identity it seems wise to say: 

This is my personal blog.  It does not reflect the views of my employer, and I am not speaking as my employer’s representative.  If you quote me, please respect my right to contribute opinions without connection to my employer.


User-centric Identity Contexts

July 7, 2006

A recent discussion on the ID Workshop group has been about user-centric identity and the corporation.  As a part of that discussion Phil Becker pointed out we use the term “user-centric” in multiple contexts and it really means different things in different contexts.  Below is my first pass at a potential list of contexts for the term “user-centric”. 

I think the list Phil proposed is: 

User-centric architecture – is this about the user in the protocol?  I don’t think it is intended to be about where the data resides.  I am still unclear about how this fleshes out given there seems to be agreement it does not mean the user makes a decision, nor sees every exchange of identity data. 

User-centric experience – So is this just CardSpace and OSIS? 

User-centric control – I suppose this would be about the user having some say in what attributes of their identity in what context are shared.  This could be a user in the middle each time, or include delegation via the likes of an i-broker. 

User-centric management – Managers are vague, management is vague (sorry).  How is this different from user-centric control, if at all?  Is control about flow and management about the maintenance of identity attributes (CRUD)? 

User-centric data – Don’t know if Phil proposed this as a category, but I have some trouble with this one.  Notice what is not on the list is user-centric identity *ownership*.  Is that what we mean here?  I am stuck on the idea that I have no ownership of any meaningful identity data.  See my previous posts.  We might have control, but the only identity attributes anyone else would care about are owned by someone else, at least asserted by others.  What you own that is not issued/asserted by others is fantasy. 


Stirring the pot

July 6, 2006

So here is a thought.

What is user-centric identity?  It is not a thing, it is a process.  In the digital world, user-owned identity is simply self-asserted and of inconsequential value.  For an identity to have value, its characteristics (attributes) must be attested to by third parties.  These third parties must have credibility either from their legal founding (such as credit card companies, my employer) or from the sheer number of consistent independent attestations (reputation systems).  The fact that I own any aspect of my digital identity is a myth.  User-centric identity is about controlling the distribution of that information.

Digital identities that I *truly* own are simple avatars that have no value beyond fantasy.


“MY” Identity and the Identity Tiers

July 6, 2006

I have been mulling Doc Searls’ discussion of Independent Identity, including Andre Durand’s 3-tiers of identity.

Let’s start with Andre’s 3-tiers:

  • “T1 identities are both timeless & unconditional. They are your true personal digital identity and are owned and controlled entirely by you, for your sole benefit.”

I read this and ask – what is my “true personal” identity?  Is it who I really am as opposed to some avatar?  I don’t think who I REALLY am has a digital manifestation.  Is it attributes that I own?  Or attributes that I have asserted?

What attributes about me do I actually own?  My name? – Not really, I can assert my name but it has no real significance unless attested to by some authoritative 3rd party.  I cannot even change my name without a court filing.  So what of my name do I own?  Are there aspects of my digital identity that I do own?  I am leaning toward nothing of any significance.  I own, can assert, can prove, and can change of my own volition only things like hair color, weight, dress, behavior, etc.  Some things I own but cannot change (at least easily) are my many biometrics.  But who cares?  What can I do with these?  To do anything connected back to the real world requires some kind of T2 identity.  Any legitimate T1 identity you have seems to be a simple collection of “authenticator” attributes.  They provide identification, but not identity (a Phil Becker concept).

  • “Tier 2 is Assigned (Corporate): one given to you by some silo. Every card in our wallets, other than our business cards, are these.”

Tier 2 identity is where the action is.  These are the identities that actually have meaning to connect the digital world to the real world (i.e. – doing business).  These identities might not have been given to you by the corporation, but they are in some way controlled by a legal institution, not you.  As I pointed out above, this even includes your name.  It certainly includes those things in our wallet that Andre pointed out.  Why do we carry a wallet – to do business like buy things, drive a car, get on an airplane.  I would even claim that our business cards (excluding the self-employed) are not ours to own and control.

I think what distinguishes the meaningful T1 from T2 is a potentially vague temporal difference in the tie to a 3rd party.  Also I would claim T1 identity that many would say is “MINE” only has real value when attested to by an authoritative 3rd party.  Again, what my name is without the driver’s license to back it up does not carry much weight.  If I classify T1 identity as authenticator attributes then T2 are the “authorizer” attributes.

  • “Tier 3 is Abstracted (Marketing) and applies to those conditions where some company knows, say, your name and address, but nothing besides that, which doesn’t stop them from spamming you with junk mail.”

I don’t think I am interested in this space, possibly other than to wish it went away. 

I think there is another view of this.  T1 identity only has meaning when connected to reputation.  There are no other attributes that I would care about because I have no assurance they are true.  However if I can authenticate an identity is associated with a known reputation I can make business/commerce decisions.  This is the path that I think the social discussions are following.  However, I am thinking that in the personal world T1 identity without reputation has little if any value.  In the business world T1 identity even with reputation has little value, it is all about T2. 

So now what does Doc mean when he says MY identity?  I have previously said I believe identity is simply a collection of attributes about a subject in a context.  That seems to be contrary to Doc’s definition of MY identity.  Given that Doc’s a smart guy (that reputation thing), does he mean MY identity is about me having control, management, distribution rights, to the various collections of identity and associated attributes where I am the subject in any context?  I would presume this is independent of who owns, asserts, or is authoritative for any given attribute.  Because, in the pure sense I have no digital identity that is MY identity – even reputation is bestowed by others.