Rants, raves, and musings about Identity from the Old Man in the Corner, Dave Kearns.

Friday, March 28, 2008

Cardspace context UPDATE

Good post today ("No User Context Decisions in your Enterprise?") from Pam Dingle summarizing her panel at Brainshare (which I'm now sorry I missed). Cardspace and other user-centric ID schemes have a definite place in the enterprise, if only for the context-switching that Pamela outlines.

UPDATE: A video of the session (with Pam Dingle, Patrick Harding, Kim Cameron and Dale Olds) has now been posted at the Bandit Project site.

We'll be exploring this same topic at the European Identity Conference when I host a panel of Dale Olds (Bandit Project), Johannes Ernst (OpenID) and Robin Wilton (Liberty Alliance) called "Putting Context in Identity: User-Centric Context." It's an area that will heat up in the near future...

Friday, February 15, 2008

Off Course-On Target

Wayne Hodgins' blog is called "Off Course-On Target" and subtitled "Where unexpected paths lead to great discoveries." Today he took a look at digital identity and fretted over the lack of uniform standards. But it's the analogies and stories Wayne tells - especially about how the shape of screw threads could have lost World War II for the allies - that make it such fascinating reading.

And the moral - perhaps best stated as "the perfect is the enemy of the good" - is something the entire IdM community should take to heart. Consensus and compromise should be our watchwords.

Tuesday, November 06, 2007

More self-issued stuff

Jeff Bohren jumps into the discussion but unfortunately misses the target and crashes badly.

He says: "First party claims such as personal info can and should be made directly by the consumer who owns them. Information Cards provide a convenient way to do that. I see no compelling business case for a third party to make first party claims in a B2C scenario." But there is a definite compelling reason - we rarely believe (or, at least, we shouldn't believe) without verification the claims that a stranger makes to us. Just ask any single woman who goes to a bar on a Saturday night! The third party, the trusted third party, provides validation for the claims. The claims are offered by the first party, directed by the first party and even initiated by the first party, but without the validation of the third party they are completely worthless.

He goes on to note: "The mistake is saying an identity oracle can divulge whether your credit is good enough for the purposes of the transaction without divulging your credit score itself. I don't believe that is possible in practice. If you say 'Jeff's credit score is as good as 90% of the people who have not defaulted on a loan of that amount', then you have for practical purposes divulged Jeff's credit score." Um, no, you haven't. Any more than the Oracle agreeing that you are of legal age to purchase alcohol could be said to 'divulge' your age. "Over 21" covers a whole lot of ground. A validation that I am of legal age to buy says nothing about whether I'm of legal age to claim Social Security benefits, far less is it an indicator of my actual age. For the credit score, the RP decides what score is acceptable and asks the Oracle if the first party's score meets that criterion. No numbers are divulged, but the transaction can proceed.

In general, we need to think of the Identity Oracle as a binary soothsayer - only yes or no answers are forthcoming.
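The binary Oracle described above, as an added example (not code from this post or from any product it mentions): the RP picks from a fixed menu of predicates, the Oracle returns a signed claim carrying only the predicate name and a yes/no result, and the RP verifies that answer without ever seeing the score or birthdate. The records and key are constructed, and a shared HMAC key stands in for the Oracle's signing key; a real Oracle would sign asymmetrically so the RP can verify but not mint claims.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample data: the Oracle's own attribute store and signing key (hypothetical).
ORACLE_RECORDS = {"alice": {"birthdate": date(1980, 5, 20), "credit_score": 712}}
ORACLE_KEY = b"constructed-demo-key"
DEMO_TODAY = date(2007, 11, 6)  # fixed "today" so the example is deterministic


def _age(record, today):
    b = record["birthdate"]
    return today.year - b.year - ((today.month, today.day) < (b.month, b.day))


# The only questions the Oracle will answer. The RP picks one; it can never ask for the
# raw value, and the threshold lives in the predicate rather than being supplied per query.
PREDICATES = {
    "over_21": lambda r, today: _age(r, today) >= 21,
    "credit_at_least_650": lambda r, today: r["credit_score"] >= 650,
    "credit_at_least_750": lambda r, today: r["credit_score"] >= 750,
}


def oracle_answer(subject, predicate, today=DEMO_TODAY):
    """Oracle side: return a signed claim holding only the predicate name and yes/no."""
    if predicate not in PREDICATES:
        raise ValueError("predicate not offered by this oracle")
    result = bool(PREDICATES[predicate](ORACLE_RECORDS[subject], today))
    body = json.dumps({"sub": subject, "pred": predicate, "result": result}, sort_keys=True)
    sig = hmac.new(ORACLE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"claim": body, "sig": sig}


def rp_verify(token, expected_predicate):
    """RP side: accept only an untampered claim that answers the question the RP asked."""
    expected_sig = hmac.new(ORACLE_KEY, token["claim"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, token["sig"]):
        return False
    claim = json.loads(token["claim"])
    return claim["pred"] == expected_predicate and claim["result"] is True


def claim_discloses_value(token):
    """True if the subject's raw score or birthdate leaked into the signed claim."""
    record = ORACLE_RECORDS[json.loads(token["claim"])["sub"]]
    return (str(record["credit_score"]) in token["claim"]
            or record["birthdate"].isoformat() in token["claim"])
```

Because the RP can only choose among predicates the Oracle already offers, a "no" for one threshold and a "yes" for another is all it ever learns, which is the "binary soothsayer" behaviour the post argues for.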

Hashing it all out

I've tried to stay out of the fracas that Pamela Dingle, Gerald Beuchelt, and Paul Madsen have been engaged in over the merits of self-issued information cards. But Ben Laurie has now chimed in, so I can hold back no longer.

What Pamela and Ben seem to be overlooking is that the first presentation of the iCard to the bank is not the first communication. The bank is not relying on the self-issued card for verification of your identity. As Ben points out, "we have to have a relationship with the bank to get this off the ground in the first place, regardless of authentication mechanism, and, however that relationship works, we can use it to inform the bank about our self-issued card."

The iCard becomes, de facto, a second factor authentication token - but the identity of the holder (and, by the same token, the issuer) is validated out of band by some other mechanism. This is simply not comparable to going to an on-line retailer, for the first time, and being validated with a managed card. Ben adds that this method means there's "no need for IdPs, CAs or any of that stuff." But what he really means is that there's no requirement for CardSpace in this scenario - any second-factor token agreed between the bank and the user would do.

Oops, it seems Phil Hunt almost beat me to the punch here, although his tangent is more tangential than mine...

You can all go back to discussing your social life now, Pam, Paul and Gerry - oh, that's right, he doesn't actually HAVE a social life.... :)

Wednesday, October 10, 2007

More on the Identity Oracle

I tried to leave this comment on Kim Cameron's blog, but pushing the "post" button seems to send IE (which I have to use there in order to submit an identity card) into the never-never...
********************************************
Drop it while you can, Kim. Bob's right on this one. The "Identity Oracle" is a business model, not a technology feature. As I've said many times (and countless others have reiterated), the technology is easy; it's the people that are the hard part.

"Claims transformation" is simply changing data from one format to another, or one protocol to another, etc. It's technology. It may be a necessary part of the infrastructure for an Identity Oracle, but it's only one small part.

For my take on the Identity Oracle, watch next Wednesday's Identity Management Newsletter.

Thursday, August 16, 2007

Identity as a service

An interesting post today, from Jonathan Penn at Forrester. For the most part he's quoting his fellow analyst, Andras Cser, but does throw in his own two cents' worth in agreeing with Cser's definition of Identity as a Service (IDaaS):

"...implementing identity and access management functionality predominantly as Web services in a service oriented architecture within the enterprise. Various line of business applications, policy management applications, and other services then call these IM Web services either autonomously or in a choreographed manner."

I also would like to jump in with a big "+1" for this definition. It's what I was thinking of when I said about Microsoft's CardSpace: "I'm addressing the enterprise market, which needs to pay attention to CardSpace right now. Many of your in-house developers are already using the .Net framework and Microsoft's Visual Studio to create and maintain your in-house apps and services. Handling authentication, though, has been difficult at best. Now a hero has ridden forth."

Software as a service (SaaS) is going to come first to the enterprise, and IDaaS is going to be a major enabler of that technology. And CardSpace (and the associated iCard open source technology) will be the major building block of that foundation.

© 2003-2006 The Virtual Quill, All Rights Reserved