Rants, raves, and musings about Identity from the Old Man in the Corner, Dave Kearns.

Friday, December 10, 2004


Identity taxonomy

Kim has now introduced another Microsoftie into the identity mix. Carl Ellison appears to back up Kim, while making the same (to me) semantic error of believing that an entity can have multiple identities. As he puts it:

I suspect that each individual has an inherent identity, but that it is irrelevant. Rather, I define the identity of person P as being a function not I(P) but rather I(P,O,t) - the identity of P from the point of view of observer O at time t.



Each individual does have an inherent identity - (DNA + fingerprint). This is an absolute unique identifier for every person who lives, will live or has ever lived. Other attributes (such as aliases and qualifiers) can be attached to the object which has that identity. Multiple subsets of these attributes can be extracted, each of which I call a persona. It is this persona which Carl, Kim and (as previously mentioned) Scott Lemon call "identity". But using identity to describe any one of multiple personae is simply confusing to those who aren't intimately involved in the identity conversation. We must build a taxonomy of identity so that everyone involved with IdM and IAM can converse intelligently. Interested readers might wish to peruse the "Privacy Glossary", particularly the entry for identity, as a jumping-off point.

Thursday, December 09, 2004


Craig Burton mis-speaks

Craig Burton makes what's becoming an all-too-common error in talking about Kim Cameron's Laws of Identity when he confuses Microsoft's Passport with the never-implemented technology code-named Hailstorm, but officially known as ".Net/MyServices". It was Hailstorm that caused Sun Microsystems to rush off and hastily assemble the meeting which gave birth to the Liberty Alliance. To the best of my knowledge, in fact, Passport wasn't even a part of Hailstorm except by analogy. But all the bad publicity Hailstorm got also succeeded in drawing down the market for Passport. Still, they were separate technologies.



Tuesday, December 07, 2004


The Fourth Law

Kim has now posted his Fourth Law of Identity which is:

The Law of Directed Identity
A universal identity system MUST support both "omnidirectional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.


In his explanation of the law, Kim touches on many of the aspects of what I've called "Persona" (part of the "Taxonomy of Identity" proposed by the Directory Interoperability Forum's Ed Harrington) which, in turn, is linked to Andre Durand's "Three Tiers of Identity." Andre, of course, is honcho of PingID, and it was that organization's Eric Norlin who started Kim Cameron on the path to discovering the drawbacks to Bluetooth (which figure prominently in the discussion of the 4th law) with his discussion of the "Polycomm scenario."

The fourth law also recalls many of the aspects of Novell's DigitalME, which allowed for the creation of multiple identity "cards" which would be presented to (previously defined) groups, and which almost became the foundation for the "Personal Directory" that was an on-again, off-again project at Novell. Maybe, finally, its time has come.


Monday, December 06, 2004


Why Passport failed UPDATE 12/7

Comments by Ping ID's Eric Norlin on Kim Cameron's 3rd law include the idea that Microsoft's Passport may have failed as a generalized identity system simply because it was hosted by Microsoft, not by some other third party ("people wouldn't accept it because of the microsoft stigma").

Cameron replies that "There are somewhere near 200 million active Passport accounts." But these are people who are already dealing with Microsoft - with MSN or Hotmail, for example. There are many, many people to whom any of those services are anathema. Passport was doomed from the start.

Both Kim and Eric also appear to equate the somewhat open source Sxip network with Passport, but there is a major difference. Sxip itself does not hold users' identity data. Rather, it acts as a verification and validation service for third-party servers which hold users' identity data. It's a different way of approaching the same problem, but it's far too early to tell if it will get any traction.

UPDATE: Dick Hardt (of SXIP) has just posted a look at Passport from a vendor's perspective (he attempted to implement it at ActiveState) and demonstrates why it got no traction on that end, either.

© 2003-2006 The Virtual Quill, All Rights Reserved
