RSA is not the best conference for identity related news and topics, but there were more than a few interesting story lines that emerged last week (and no, I am not referring to what went on at the Ping Party). One of those was the announcement that Microsoft would not be shipping Cardspace 2.0, which is being widely interpreted as the death of Cardspace. Mike Jones points out that this may be an exaggeration, and until I see Pam pronounce it dead, I won’t be writing any obituaries. But I did want to share a thought that has been rattling around in my brain for a while.

The day before RSA started, the Kantara and IIW folks gathered in a studio not far from the Moscone Center for ID Collaboration Day. One of the sessions was about the work that the Universal Login Experience Work Group of Kantara has been doing in trying to solve the usability problem of 3rd party logins at sites that want to be open and accommodating of providers and protocols. And when we look at the Cardspace experience, one thing is crystal clear: it has to be SIMPLE.

Debates over what is simple, which button goes where, how to order things, etc will go on and on. But when I step back and think about it, I see that a good workable model already exists which has gained a lot of traction – that of the browser-based login helper. This goes from Firefox/IE/Chromes in-built password manager, to the venerable Sxipper, to the upstart (but on the rise) cloud-based solutions like LastPass. They solve the problem by giving the user a simple, intuitive UI to work with, without relying on metaphors like cards or avatars. And it is obvious that all the debates about whether users would trust some random service to remember their sensitive passwords goes out the window when it just works.

Sxipper UI (from sxipper.com)

Granted, they are dealing with the (relatively) simpler problem of form-filling. But there is no reason why the UX couldn’t be expanded to handle IdP-based AuthN, where instead of selecting the user name in the widget, I select the provider. Having the widget (service) remember which providers I have registered and commonly use, and also remember usage history would not be a problem. And the UX for presenting multiple personae already exists and, more importantly, is understood.

I’m sure there are technical nuances that would need to be solved. But I’m focusing on the specific usability aspect of the problem, and it seems to me that there is already a successful model that can be built upon. And I’m also sure that I am not the first one to think of this, so if there are reasons why this wouldn’t work that have been previously discussed and blogged about, please point me to them. Because it could impact some of the work we are doing at Oracle. And nobody wants us making a mistake

Update (2/22 at 8pm): Kim Cameron wrote a post that seems to at least confirm what I am thinking here.

Tags: Authentication Services, Cardspace, Federated Consumer Authentication, Identity In The Browser, Information Cards, Password Management, User-Centric Identity

Dave postulates that the solution is based in the idea of Digital Personas. If I am reading his thesis correctly, he basically says that a person (an entity) can keep his online transactions un-linkable by using different personas (as represented by different information cards) that are kept separate and distinct at the source (namely the user and his IdP). In this way, common identifiers are avoided (not sure about that, since the most common identifier – an email address – is likely the same across most, if not all, of your personas), and so correlation reports cannot be built that harvest and mine data.

While Dave is clearly working with the constraint of what is possible today (both on a technological and legal footing), I think this solution puts too much of a burden on the end-user, since this requires the user to maintain multiple personas across the various applications he interacts with. In other words, even if the persona I want to present (PII attributes, credit cards, etc) to two different applications is exactly the same, I would need to create two different personas (in effect duplicates) if I want to make sure that there is no linkability. One can see the potential for persona explosion.

This is like saying that a user (who is extremely paranoid and wants no one building a consumer profile by looking at his purchase history) should maintain a different credit card (in effect tens or a few hundred) for every merchant he interacts with. That is comletely impractical. But just like there is no recourse today for consumers in this arena (the SSN, home address information, etc that every credit card record has enables complete linking, and results in the massive databases that telemarketers thrive and live on), it seems that there are no legal and technological solutions enabling the consumer to use the same persona while guaranteeing non-linkability. It’s an interesting problem that I think needs to be addressed by the identity community, because if it isn’t, linking of our online identities will happen (whether we want it or not), because the burden of maintaining multiple personas is just too much work, and user habits will prevail (just like it does in the matter of username-passwords).

Tags: Digital Persona, Enterprise Identity, Information Cards, Personal Identity Management, User-Centric Identity

Information Cards try to mirror the familiar, real-world experience of presenting cards to prove identity and provide information in the online world, and aims to do so in a safe, secure manner that is resistant to phishing, pharming and MITM attacks. Despite having been put into the wild a few years ago, and despite the tireless efforts of people like Kim Cameron and Pam Dingle to make it accessible, there are scant few web sites (of any note, anyway) that actually allow people to use information cards. The ICF (much like the OpenID foundation, which also kicked into high gear a few months ago) is looking to put some weight behind the effort to evangelize the technology and expand its adoption in the marketplace. As it states on the ICF Web site, the foundations purpose is to

Advance the use of the Information Card metaphor as a key component of an open, interoperable, royalty-free, user-centric identity layer spanning both the enterprise and the Internet.

It will be very interesting to see how the ICF goes about doing this, and when results will start to show. But this is undoubtedly the beginning of something big. For all of us.

Links:

• Press Release announcing the ICF
• New York Times article
• SC Magazine coverage

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, Information Card Foundation, Information Cards, OpenID, Personal Identity Management, User-Centric Identity

But I couldn’t keep myself from commenting on the most recent wave of acquisitions in the identity space. Both have some interesting consequences for the identity management market.

IBM acquires Encentuate
First up is the acquisition of Encentuate, a provider of enterprise single sign-on (E-SSO) and strong authentication technology, by IBM (see the press release here). The big effect of this acquisition will be on customers who bought IBM’s current offering in the eSSO space – IBM ITAM ESSO (that mouthful stands for IBM Tivoli Access Manager for Enterprise Single Sign-On). That product was based on an OEM of Passlogix’s v-GO product suite. Obviously IBM cannot have two products in their stable doing the same thing, so the logical assumption is that over the next release or two, ITAM ESSO will shift from being based on the Passlogix technology to the Encentuate technology.

You can read the views of some folks on the acquisition here, here and here. I found Ian Yip’s reaction most interesting, especially since he used to work at IBM. He pulled no punches in telling customers of ITAM ESSO what to expect, saying that in the future they will be forced into an upgrade that isn’t really an upgrade:

“What marketing won’t say is that the “upgrade” from 6.0 (based on Passlogix) to 7.0 (based on Encentuate) is essentialy a rip and replace. There is no seamless upgrade. Sure, they’ll probably offer some tools to “help”, but the upgrade process will need professional services either from IBM Software Services or IBM Business Consulting Services because the single sign on templates will be completely different between the Passlogix and Encentuate products.”

Ian thinks that IBM ITAM ESSO customers are the losers in the deal (along with Passlogix, who suddenly lost a revenue stream). However, it doesn’t really have to be that way. Passlogix is also the OEM component in Oracle’s E-SSO offering,
Oracle Enterprise Single Sign-On Suite (something that Ian believes raised IBM’s ire). So there is another option available to ITAM ESSO customers – instead of doing a rip and replace of ITAM ESSO with the next version of ITAM ESSO, do an upgrade of ITAM ESSO to Oracle eSSO Suite. Being based on the same product, the shift is sure to be so much smoother. And you get the added benefit of direct integration with Oracle Identity Manager, through the Oracle eSSO-Provisioning Gateway that Oracle ships.

Of course this sounds self-serving, and a bit simplistic, but it is also quite logical, and likely to be an approach that could save many an enterprise many a headache.

And IBM’s move certainly serves as validation of the maturity and viability of E-SSO as a technology.

Microsoft acquires Credentica
Next is the acquisition of Credentica by Microsoft. Credentica’s U-Prove technology attempts to tighten up the security of identity transactions by decoupling the parties involved in a manner that prevents transmission and use of extraneous data, without sacrificing authenticity of everything involved in the transaction. It uses PKI technology to secure the authentication and identity data flow between an Identity Provider (Issuer) and a Service Provider (Verifier) in a user-centric manner. The big claim of the technology is the ability to enforce minimal disclosure of identity data (also referred to as “zero-knowledge” proofs for privacy).

In layman’s terms, the U-Prove technology claims to provide people a way to disclose personal information in a manner that does not threaten their privacy, or expose them to identity theft. It also limits the disclosure of information to unintended parties, preventing accounts from being linked across different service providers. Kim Cameron does an excellent job of explaining (and making a case for) all this on his blog.

Everyone is talking about the ability of U-Prove to immediately provide a security layer to Microsoft CardSpace that it previously lacked. The way that managed cards work, the IdP can accumulate knowledge about the user by analysing the card requests it is fulfilling on behalf of the user. Minimal disclosure tokens make it possible to obfuscate the SP interaction, making it impossible for the IdP to understand how the issued cards are being used, thereby rendering it unable to aggregate any information.

To understand more, read this article in eWeek’s Microsoft Watch.

Tags: Access Control Management, Identity 2.0, Information Cards, Oracle Identity Management, Oracle Identity Manager, Personal Identity Management, User-Centric Identity

That is probably how a lot of us in the identity community feel about the topic of interoperability. We have been talking about interoperability for so long, and have seen so many efforts come and go, that we may be feeling a bit jaded despite knowing how crucial it is to the survival of all that we have worked for. However, this year has seen some promising developments that again give us hope. Microsoft announcing the interoperability of CardSpace with OpenID at the RSA Conference was one such development. And more recently, I have come to learn of the Concordia Project, launched by members of the Liberty Alliance.

From their website you get a sense of what they are trying to accomplish:

“The Concordia project is a global initiative designed to drive interoperability across identity protocols in use today. It does this by soliciting and defining real-world use cases and requirements for the usage of multiple identity protocols together in various deployment scenarios, and encouraging and facilitating the creation of protocol solutions in the appropriate “homes” for those technologies.”

Reading more on their wiki, it sounds like a big requirements gathering exercise aimed at documenting real problems that cannot be solved unless protocol interoperability exists. These requirements can then be fed to the appropriate technical group for resolution. The hope is that by focusing on requirement gathering, they can gather good data independent of vendor or protocol bias. Going back to basics is often a good way of avoiding the issues that plagued earlier attempts. Eric Norlin also points out that it is significant that this is the first organization focused on protocol interoperability that Microsoft will be an active participant in.

To take advantage of next week’s Catalyst Conference, the Liberty Alliance is co-sponsoring the Concordia Workshop on June 26 at the San Francisco Hilton (where Catalyst will take place). The workshop will try to define and understand deployer needs with regards to interoperability and harmonization of different identity standards and protocols, through presentations by AOL, Boeing, GM, the Government of British Columbia and the US GSA. Sounds like an interesting opportunity to hear what some of the active consumers of identity technology are trying to do. I will definitely be checking it out to understand more and figure out how the project may be helpful to us as we define the ISF.

Attendance at the workshop is free; you can register and review the agenda at the workshop registration page.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst07, Information Cards, OpenID, Project Concordia

This move, combined with Microsoft’s contribution of the CardSpace technology to the open-source community via OSP (Open Specification Promise) license, underscores their commitment to making the identity metasystem a reality. Interoperability of identity systems is a key requirement to making an internet identity layer a reality, and these two pieces of news show that we are moving closer to a day when we can take our identity with us to different websites, rather than having a different identity for each website.

Tags: Information Cards, User-Centric Identity