Thursday, July 09, 2009


Last chance (deadline is July 11) to submit for Net-ID '09 coming in October in Berlin.

The European Conference on Digital Identities "Net-ID – Identity, Trust, Privacy and Security" will come back to Berlin, Germany, in the fifth year of its history. It will take place on October 1-2, 2009, in the Steigenberger Hotel Berlin. Net-ID 2009 contains 4 tracks with the following topics:
– Enterprise Applications, Best Practices and Case Studies
– eIDs in the Focus of E-Government
– Data Protection and Privacy
– Trends and Future

- Please submit to:
or by fax to: +49-221-5907480


Thursday, January 22, 2009

Isn't that cute?

It never ceases to amaze me that the younger generations always think they invented everything (social unrest, "relevant" music - even sex) and that we "old folks" just don't understand. So I wasn't really that surprised when the usually knowledgeable Eric Norlin wrote:

"Identity's first wave (roughly 2001-2008) was all about building the noun that is 'identity.' Identity's second wave (projected - 2009 to 2016) will be all about building the verbs that live on top of identity."
Identity's "first wave" was 20-25 years ago when we were building authentication & authorization systems using NIS, StreetTalk or NetWare's Bindery. The second wave came in the early nineties with the release of Novell Directory Services, iPlanet, OID and other x.500-derived services.

What started in 1998 was actually the 3rd wave - workflow added to the directory services, authorization and authentication begat Electronic Provisioning, which led inexorably to today's plethora of identity-based services.

Still in its infancy is the fourth wave - when "identity-based" gives way to "identity-enabled" providing us with a rich fabric of services which know who we are, where we are, where we want to go, what we want to do and how we want to do it. But it has taken 30 years to get here - not 10.


Tuesday, September 16, 2008


Pam Dingle has a bit of a rant today about the term "user-centric." Well, not about the term itself but about people's desire (e.g., the entire Burton Group) to get away from it.

"Sure, there are a few blind worshippers of the cult of user-centric out there, but I firmly believe that common sense has to win out in deployment scenarios, and that various technologies should and will be used where applicable to solve problems."

"If, on the other hand, all this is about is finding a positive, all-encompassing touchy-feely name to give to the systems-formerly-known-as-user-centric so that it isn't all about conflict, fine — pick a new name already. I only ask that if you're going to diss the current buzzword, can you please at least supply an alternative suggestion. Otherwise we end up in limbo where nobody wants to use the old term, but nobody has a new term either, making us all look like indecisive idiots."

I think it's about more than just a term, more than just a feel-good quality, Pam. The "User-centric" term was coined, initially, to try to differentiate internet-based individual identity protocols from those used within the enterprise. But it's really all identity, and there doesn't need to be a distinction. That's why I wrote, last month, "Why there's no 'user-centric' or 'enterprise-centric' identity," where I said:

"Enterprise-centric identity management, we postulated, is really all about tying together all the activities and attributes of a single entity into a readily accessible (and reportable and auditable) form; while user-centric identity is about keeping various parts of your online life totally separated so that they aren't accessible and no report can be drawn.
So how do we have a framework that allows for both tying together all of a user’s activities (enterprise-centric) while at the same time allowing distinct separation of activities as decided by the user?
We start by defining identity as a group of “personas” (see 'Defining identity, persona, role'). Any persona can be made up of a group of personas or roles. Each of those personas can be linked, or separated, as the entity identified by them wishes. One of those personas is (or, rather, could be) an 'enterprise persona.' That one brings together '…all the activities and attributes of a single entity' performed for or related to that enterprise '...into a readily accessible (and reportable and auditable) form.'
So there is no 'user-centric' or 'enterprise-centric' identity. There is just an entity with AN identity made up of various personas, some of which may be controlled or limited in some way by an outside organization – not only by the enterprise but also by governments, social organizations, etc. The ability to keep these personas separate, where legally able to do so, must be a given. Each persona will have different identity needs and requirements, of course, but that's what will drive the 'identity economy' as vendors seek to satisfy those needs and requirements in accordance with the laws. The government's laws, the enterprise's 'laws', the fraternal and social organization's 'laws' and the Laws of Identity as laid down by [Kim] Cameron."
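As an added illustration of the persona model quoted above (example code, not from the original post), assuming a hypothetical employer "ACME" as the outside organization: an enterprise persona can report only on the personas the entity has chosen to link to it, and a separated persona stays out of the report.

```python
from dataclasses import dataclass, field

@dataclass
class Persona:
    name: str
    controller: str  # who may limit this persona: "self", an employer, a government, ...
    activities: list = field(default_factory=list)

@dataclass
class Identity:
    """One entity's identity: a set of personas plus the links the entity chose to make."""
    personas: dict = field(default_factory=dict)
    links: set = field(default_factory=set)  # unordered pairs of persona names
    def add(self, persona):
        self.personas[persona.name] = persona
    def link(self, a, b):
        self.links.add(frozenset((a, b)))
    def separate(self, a, b):
        self.links.discard(frozenset((a, b)))
    def reachable(self, start):
        """Personas transitively linked to `start`; a report may only span these."""
        seen, todo = set(), [start]
        while todo:
            cur = todo.pop()
            if cur in seen:
                continue
            seen.add(cur)
            for pair in self.links:
                if cur in pair:
                    todo.extend(pair - {cur})
        return seen
    def report(self, requester):
        """Activities an outside controller may audit: only those on personas reachable from the one(s) it controls."""
        visible = set()
        for name, p in self.personas.items():
            if p.controller == requester:
                visible |= self.reachable(name)
        return sorted(a for n in visible for a in self.personas[n].activities)

def demo():
    # Constructed sample: one entity, an enterprise persona controlled by the hypothetical
    # employer "ACME", and two self-controlled personas.
    me = Identity()
    me.add(Persona("acme-employee", "ACME", ["badge-in 08:55", "vpn login"]))
    me.add(Persona("work-travel", "self", ["hotel booking"]))
    me.add(Persona("hobby-forum", "self", ["forum post"]))
    me.link("acme-employee", "work-travel")      # the entity opts to link these two
    linked = me.report("ACME")                   # travel activity visible via the link
    me.separate("acme-employee", "work-travel")  # the entity withdraws the link
    return linked, me.report("ACME")             # hobby-forum never appears in either
```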

Tuesday, August 12, 2008

Identity [finally] Happens

I wrote about Boeing's Marty Schleiff in the newsletter last spring after the Internet Identity Workshop. Marty's a "deep thinker" about identity issues, and wants to foster more rigorous thinking among enterprise identity architects. His idea for a blueprint/roadmap for enterprise identity inspired a session we're doing at the upcoming Digital ID World, and now Marty's taken it into his own hands to do something by launching his own weblog "Identity Happens". Pay attention to it.

Marty is making a stab at creating an OSI-like model for identity. Like OSI, though, I think his model is a better illustration of the concepts than it is a blueprint for constructing anything. He posits 8 "layers":

  • Privileges
  • Platform Roles & Attributes
  • Accounts
  • Provisioning Roles & Attributes
  • Context
  • Subject
  • Persona
  • Entity

But there's considerable overlap, if not actual equality, of some: "Persona", the two different "Roles", etc. Still, it's a start, a beginning to the discussion - and that's not a bad thing at all.

Tuesday, July 15, 2008

Attention architects - BYOB

Pam Dingle posts today ("We're a little lost.") about her disappointment, nay her disillusionment, with the hodge-podge of identity services available to the average enterprise and the decided lack of a roadmap for connecting them up. She notes, "In reality, however, I don't see a patchwork of complementary products - I see a whole bunch of products with a whole bunch of overlap and no obvious or well-stated way for an Enterprise to figure out how to knit it all into an actual solution for their original problem."

She's right, of course. There does need to be a roadmap, a diagram, a "well-stated way" to hook up all of these services so that they are complementary and they do interoperate rather than compete for attention and bandwidth. It's an issue that came up at last spring's Internet Identity Workshop when Boeing's Marty Schleiff introduced a session called "Enterprise Identity Roadmap for enterprise identity architects: a discussion," and which I wrote about in the newsletter. What I said was:

So why IIW? In a nutshell, precisely because it wasn’t Catalyst or DIDW. Those structured conferences, dominated as they are by slideware presented by a speaker on a stage don’t lend themselves to free-form discussion. Certainly there are “Birds of a Feather” sessions – usually after hours in inconvenient locations. There are also informal get-togethers (usually involving libations) that go into the wee hours while knotty issues are discussed. But there doesn’t seem to be a venue for those involved in planning and implementing enterprise identity systems and architectures to meet in a vendor-neutral environment to swap stories, sound warnings and point out new initiatives. Marty wants to change that.
This seems to be as good a place as any to announce that we have found a venue. At the upcoming Digital ID World (Sept. 8-10 in Anaheim), Program Chair Eric Norlin has convinced me to moderate just such a session - me, a few microphones and (hopefully) an audience of enterprise identity architects - ready to talk about where they are, where they've been, where they hope to go and how they want to get there. If you've an interest in enterprise ID architecture (Pam, are you listening?) then I hope to see you in that audience.

Monday, April 07, 2008

The blind philosophes of Identity

Kim has now responded ("Through the looking glass") to my Humpty Dumpty post, and we're beginning to sound like a couple of old philosophes arguing about whether or not to include "le weekend" and "hamburguer" and other Franglais in the French dictionary.

We really aren't that far apart.

In his post, Kim recalls launching the name "metadirectory" back in '95 with Craig Burton and I certainly don't dispute that. In fact, up until 1999, I even agreed somewhat with his definition:

"In my world, a metadirectory is one that holds metadata - not actual objects, but descriptions of objects and their locations in other physical directories."

But as I continued in that Network World column:
"Unfortunately, vendors such as Zoomit took the term 'metadirectory' and redefined it so it could be used to describe what I'd call an überdirectory - a directory that gathers and holds all the data from all your other directories."

Since no one took up my use of "überdirectory," we started using "metadirectory" to describe the situations which required a new identity store and "virtual directory" for those that didn't.

So perhaps we're just another couple of blind men trying to describe an elephant.

Friday, September 21, 2007

More on ownership

David Recordon has now further developed the ideas ("We Are Opening the Social Graph") first presented in the "Thoughts on the Social Graph" manifesto he wrote along with Brad Fitzpatrick. It's an important work, but begins with a flaw which may, ultimately, prove fatal.

"Your lists of friends and connections on the social websites that you use, sometimes called your social graph, belongs to you. No one company should own who you know and how you know them."

This is a strawman argument, though, as no company claims to own this data. And, in fact, there can be no ownership of what amounts to, simply, a group of facts. What companies do own, however, are the tools for constructing the graph. And, I fear, too many will see the tools - and their output - and claim it as their own.

But consider this analogy:

You take your dirty clothes to the laundromat. You wash them in the washers there, then dry them in the dryers. The laundromat doesn't claim 'ownership' of your clothing (either dirty or clean), but neither can you claim 'ownership' of the cleaning process nor of the equipment (the 'tools') used to do the cleaning. You pay the laundromat for the use of their tools and processes and, in return, you're presented with clean clothes. The "cleanliness" was always present in the clothes; it simply needed some processing to bring it out.

So, too, your friends and relationships need processing in order to form a rational 'social graph'. You can pay some company (either in cash or in kind) to do that for you (like the laundromat) or you can buy or "roll your own" tools to do so (just as you can buy your own washer and dryer).

The sooner we can get away from the disastrous "ownership" meme, the sooner we can get to the fun and interesting parts of identity.

Thursday, September 13, 2007

Nobody "owns" my identity data

Mary Hodder, Doc Searls and Drummond Reed have all weighed in over the last day or so on the issue of ownership of identity data. Mary originally quibbled (as did I) over the use of the word "ownership" but now writes:

I've decided that it makes more sense for users to:

1. own their data, solely
2. give a non-exclusive license to sites they "partner" with when they put data at those sites.
3. be able to remove the data, to the extent the site can take it out (backup tapes are problematic)
4. part of the non-exclusive license to the sites needs to include that the sites can distribute the data (RSS feeds, etc) about their activities OR the sites need to have a way for the user to specify the lack of distribution of data or metadata, if the user chooses.

I can't agree. Very little identifying data, in fact, do I actually "own" in the sense that I can do what I please with it. I don't, for example, "own" my social security number, my credit card accounts, my mailing address, my wife (that's a co-owned relationship), etc. At best, I might be thought to be able to control the distribution of the identity data within certain very well defined parameters. But in many cases there are also other parties who also control distribution within "certain very well defined parameters" (e.g., the bank can distribute information about my credit card accounts to certain third parties).

"Ownership" is the wrong word, the wrong paradigm, the wrong meme.

Drummond, in his post, talks about Identity Rights Management (IRM), a much more interesting concept which deals with the distribution and use of identity data. Done right, IRM is neutral on the "ownership" issue but deals with the entities who have rights to distribute and use identity data, how those rights can be licensed or assigned, and how the licensing can be enforced through the use of Identity Rights Agreements (IRA). Like Reed, I also urge you to dive into IRM and IRA by subscribing to the new mailing list.


Wednesday, January 03, 2007

Identity principal

Scott Wilson introduced me to the term "principal" for the human entity to which a digital identity is attached. He sums it up as "'the person for whom a broker executes an order', that is, the entity outside the system that asserts an identity." He references Stephen Downes, Andy Powell and, especially, a long treatise by Dave Snowden which talks about the five characteristics of an identity:

"1. An identity is not the same thing as a role.
2. An identity does not have rigid boundaries, nor is it susceptible of precise definition.
3. Identity is not absolute, it can change in context or over time although the point of transition (the establishment of a new identity) may not be clear either at the time or in retrospect.
4. Identity in human systems is a strange attractor (to take a key concept from complexity theory).
5. Identity is established by robust resilience and if we understand identity from the perspective of a complex adaptive system then interdependence becomes more important than autonomy."
I might not agree with all that Professor Snowden says, but it is a good starting point for discussion.


© 2003-2006 The Virtual Quill, All Rights Reserved
