Thursday, October 01, 2009
Tell us what you really feel...In an Open Letter to Steve Ballmer, Craig Burton rants about the ridiculous policy Microsoft has for controlling updates and enhancements:
As we drove further down to path to understand why, we were told the following unbelievable conversation. (The following is not an exact quote, but close.)
And what was the momentous change Burton was asking about?
Unfortunately, Ballmer has never understood the importance of identity to the fabric of computing, so he's never going to permit what he would perceive as "feature creep" in the regular monthly updates. That's good news for Microsoft's competitors, and bad news for it's customers.
Monday, July 13, 2009
Geneva was betterAt it's Worldwide Partners Conference today, Microsoft announced the formal names for the products and services that had been going under the code name "Geneva":
Not nearly as catchy as "Vista", but that name has too much baggage. My preference would have been for Geneva Federation Services, Geneva Identity Foundation and GenevaCards. But, then, I don't make the big bucks!
Thursday, June 04, 2009
Pre-selecting (is that like pre-boarding?)
Paul Trevithick has a good post today taking a look at the experience of a user who doesn't have an identity card selector installed (or, perhaps, has a selector - e.g., with IE - but no cards). Faced with a choice of the openID NASCAR billboard and tthe tiny purple Infocard logo the user is more than likely to opt for a familiar logo in the openID display - if they even notice the tiny .
He goes on to suggest various behaviors for a mouseover event which would, at least, let the user know what the icon represented. He then offers a popover showing the logos of up to four "trusted" (by the RP, presumably) card issuers with the user able to click on one and be carried through the process of creating a card, downloading a selector (if needed) and then re-directed to the original site to complete the infocard authentication process.
Besides taking an inordinate amount of time (something internet users appear to not want to do), it places infocard relying parties on the slippery slope of favoring some card issuers over others leading to abusive behavior (charging for placement/positioning, blackballing, etc.).
Perhaps the ICF (Information Card Foundation) should consider issuing it's own "super logo" which would present, on a rotating basis, all card issuers...
Wednesday, October 29, 2008
Understanding GenevaKuppinger-Cole's Felix Gaehtgens is posting from Microsoft's Professional Developers Conference (PDC) about the just announced platform called "Geneva". Read the article for sure, but Felix also thinks, as he wrote to me, "...most people really don't 'get it' (even a lot of the other analysts, press people and developers keep mixing up concepts). " So in an attempt to clear up the confusion, he'll be hosting a Webinar this Friday to explain it all.
It's planned so that most people will have daylight access (8:30 AM PST / 11:30 AM EST / 4:30 PM CET) - well, except for the Asia-Pacific region, but I'm sure it will be archived for them.
Geneva, the successor to Active Directory Federation Services, is without a doubt the most important Identity announcement Microsoft has ever made.
Unfortunately, it won't ship for at least a year.
If you can get your hands on an early release, do so. In the meantime, listen to Felix' webinar.
Other good readings on Geneva:
Tuesday, September 09, 2008
Virtual Loyalty cardsWhat is possibly the first leveraging of information card technology was announced today by aptly named "fun communications": the virtual loyalty card.
WebCard Loyalty offers customers, dealers and the issuers of customer loyalty cards true added value. For the customers, the virtual loyalty card means that different user names and passwords are now a thing of the past. The technology is based upon the open standard for information cards that is available for almost all operating systems and browsers. Also, for example, information cards are implemented in the Windows CardSpace™ technology. CardSpace provides a reliable and secure authentication and authorization mechanism (User-Centric Identity Management), which due to its Client technology is immune to phishing attacks. The login process is significantly simplified. Dealers benefit from this as well: It raises the entry barrier, increases the utilization volume, as well as enhancing the data quality. Not only this, but the virtual loyalty card provides both dealers and identity providers with an instrument for targeted marketing measures (bonus point programs, discounts on partner sites, partner advertising, coupon promotions) that enable them to build up long-term customer and partner loyalty. The customer identification and improved customer profiles open up interesting and profitable business models within the partner network.
Privacy, security - and targeted marketing! It's the holy grail, isn't it?
Sunday, August 10, 2008
"We have met the enemy..."OpenID's leading lights appear to be down on the technology, it seems. After last week's note about Dick Hardt's seemingly wistful look at OpenID ("...one wonders if the identity opportunities of OpenID have passed.") comes today's note from Scott Kveton (chair of the OpenID Foundation board). Reacting to a Randy Stross' New York Times piece highly critical of OpenID, Kveton says: "The OpenID community has identified two key issues it needs to address in 2008 that Randy mentioned in his column; security and usability."
If usability is bad (and the discussions on the OpenID email discussion lists support that notion), and security is a problem - what, exactly, does it have going for it?
Is it, perhaps, time for the leading lights to move on to a user-centered technology which does show promise of being an identity provider that is very usable and also quite secure? As Mr. McGuire might have said to Ben in The Graduate:
Mr. McGuire: I just want to say one word to you - just one word.
Or, as Eddie said to Saffie: Just put me through to Zermatt!
Thursday, July 31, 2008
OpenID - the denoument?There's been much agitation for Facebook to join the likes of MySpace and Yahoo! in the OpenID community. But when Facebook recently announced it's "Connect" service (a service to port ID information among various web sites), without a link to OpenID, much angst was experienced in that vocal group of supporters of the open source identity protocol. In particular, Sxip's Dick Hardt - one of the co-founders of the OpenID Foundation - mused about the future of so-called "user-centric" identity. Earlier (in "Facebook Connect - fatal blow for OpenID?") Hadt said: "Given the momentum and immediate value of a Facebook identity system and the lack of OpenID RP deployment, one wonders if the identity opportunities of OpenID have passed."
Other co-founders (Johannes Ernst, David Recordon) tried (with smoke, mirrors and whistling in the dark) to refute Hardt but, in my opinion, failed miserably. OpenID is a victim of its own early success. Too many people, with too many conflicting agendas signed on in the hope of designing OpenID in their image. From the early fights over iNames through the querulous (and tedious) fights about Attribute Exchange, security and other aspects of a mature identity protocol there was resistance from the majority of the developer base who really only wanted an easy way to login to blogs. Nothing wrong with that. A simple, somewhat reliable way to ease the authentication process for blog comments while fending off robots and spammers is a worthy goal.
Perhaps this is the time for the visionaries within the OpenID community, those who have the vision of what a full-fledged open-source identity protocol should be, to bow out of that movement and form another one. Or, perhaps put their time and energy behind an existing movement such as the Bandit Project's DigitalME initiative. They could even create an STS (Security Token Service) to bridge OpenID and the InfoCard system so that they could be "true to their roots."
OpenID, it seems, is never going to be a secure, robust, full-featured identity system so let's stop pretending that it can be. Let it be what it is and let's move on.
Friday, March 28, 2008
Cardspace context UPDATEGood post today ("No User Context Decisions in your Enterprise?") from Pam Dingle summarizing her panel at Brainshare (which I'm now sorry I missed). Cardspace and other user-centric ID schemes have a definite place in the enterprise, if only for the context-switching that Pamela outlines.
UPDATE: A video of the session ( with Pam Dingle, Patrick Harding, Kim Cameron and Dale Olds) has now been posted at the Bandit Project site.
We'll be exploring this same topic at the European Identity Conference when I host a panel of Dale olds (Bandit Project), Johannes Ernst (OpenID) and Robin Wilton (Liberty Alliance) called "Putting Context in Identity: User-Centric Context." It's an area that will heat up in the near future...
Friday, February 15, 2008
Off Course-On TargetWayne Hodgins blog is called "Off Course-On Target" and subtitled "Where unexpected paths lead to great discoveries." Today he took a look at digital identity and fretted over the lack of uniform standards. But it's the analogy and stories Wayne tells - especially about how the shape of screw threads could have lost World War II for the allies - that make it such fascinating reading.
And the moral - perhaps best stated as "the perfect is the enemy of the good" - is something the entire IdM community should take to heart. Consensus and compromise should be our watchwords.
Tuesday, November 06, 2007
More self-issued stuffJeff Bohren jumps into the discussion but unfortunately misses the target and crashes badly.
He says: "First party claims such as personal info can and should be made directly by the consumer who owns them. Information Cards provide a convenient way to do that. I see no compelling business case for a third party to make first party claims in a B2C scenario." But there is a definite compelling reason - we rarely believe (or, at least, we shouldn't believe) without verification the claims that a stranger makes to us. Just ask any single woman who goes to a bar on a Saturday night! The third party, the trusted third party, provides validation for the claims. The claims are offered by the first party, directed by the first party and even initiated by the first party, but without the validation of the third party they are completely worthless.
He goes on to note: "The mistake is saying an identity oracle can divulge whether your credit is good enough for the purposes of the transaction without divulging your credit score itself. I don’t believe that is possible in practice. If you say 'Jeff’s credit score is as good as %90 of the people who have not defaulted on a loan of that amount', then you have for practical purposes divulged Jeff’s credit score. " Um, no, you haven't. Any more than the Oracle agreeing that you are of legal age to purchase alcohol could be said to 'divulge' your age. "Over 21" covers a whole lot of ground. A validation that I am of legal age to buy says nothing about whether I'm of legal age to claim Social Security benefits, far less is it an indicator of my actual age. For the credit score, the RP decides what score is acceptable and asks the Oracle if the first party's score meets that criteria. No numbers are divulged, but the transaction can proceed.
In general, we need to think of the Identity Oracle as a binary soothsayer - only yes or no answers are forthcoming.
Hashing it all outI've tried to stay out of the fracas that Pamela Dingle, Gerald Beuchelt, and Paul Madsen have been engaged in over the merits of self-issued information cards. But Ben Laurie has now chimed in, so I can hold back no longer.
What Pamela and Ben seem to be overlooking is that the first presentation of the iCard to the bank is not the first communication. The bank is not relying on the self-issued card for verification of your identity. As Ben points out, "we have to have a relationship with the bank to get this off the ground in the first place, regardless of authentication mechanism, and, however that relationship works, we can use it to inform the bank about our self-issued card."
The iCard becomes, de facto, a second factor authentication token - but the identity of the holder (and, by the same token, the issuer) is validated out of band by some other mechanism. This is simply not comparable to going to an on-line retailer, for the first time, and being validated with a managed card. Ben adds that this method means there's "no need for IdPs, CAs or any of that stuff." But what he really means is that there's no requirement for CardSpace in this scenario - any second-factor token agreed between the bank and the user would do.
Oops, it seems Phil Hunt almost beat me to the punch here, although his tangent is more tangential than mine...
You can all go back to discussing your social life now, Pam, Paul and Gerry - oh, that's right, he doesn't actually HAVE a social life.... :)
Wednesday, October 10, 2007
More on the Identity OracleI tried to leave this comment on Kim Cameron's blog, but pushing the "post" button seems to send IE (which I have to use there in order to submit an identity card) into the never-never..
Drop it while you can, Kim. Bob's right on this one. The "Identity Oracle" is a business model, not a technology feature. As I've said many times (and countless others have re-iterated), the technology is easy, it's the people that are the hard part.
"Claims transformation" is simply changing data from one format to another, or one protocol to another, etc. It's technology. It may be a necessary part of the infrastructure for an Identity Oracle, but it's only one small part.
For my take on the Identity Oracle, watch next Wednesday's Identity Management Newsletter.
Thursday, August 16, 2007
Identity as a serviceAn interesting post today, from Jonathan Penn at Forrester. For the most part he's quoting his fellow analyst, Andras Cser, but does through in his own two cents worth in agreeing with Cser's definition of Identity as a Service (IDaaS):
"...implementing identity and access management functionality predominantly as Web services in a service oriented architecture within the enterprise. Various line of business applications, policy management applications, and other services then call these IM Web services either autonomously or in an choreographed manner."
I also would like to jump in with a big "+1" for this definition. It's what I was thinking of when I said about Microsoft's CardSpace: "I'm addressing the enterprise market, which needs to pay attention to CardSpace right now. Many of your in-house developers are already using the .Net framework and Microsoft's Visual Studio to create and maintain your in-house apps and services. Handling authentication, though, has been difficult at best. Now a hero has ridden forth."
Software as a service (SaaS) is going to come first to the enterprise, and IDaaS is going to be a major enabler of that technology. And CardSpace (and the associated iCard open source technology) will be the major building block of that foundation.
© 2003-2006 The Virtual Quill, All Rights Reserved Home