More on Higgins

October 14, 2006

My thanks to Pete Rowley for sharing insights on Higgins.  Based on his post I have furthered my understanding but I still don’t know if the answer is Yes or No 😉 

Higgins seems to be an elephant (in the sense of the 3 blind men).  It depends on your perspective – identity provider, service provider, or infrastructure provider.   The identity provider can plug in any number of capabilities/protocols, the service provider can leverage from the identity pool with common APIs (just give me the identity stuff!), and the infrastructure can easily stitch a variety of identity services together both internally and across federations.  This is good.  The beauty is a well-defined, componentized framework for plugging all these pieces together.

Now, back to the question.  What is the difference between Higgins and a virtual directory?  I think Pete is suggesting they are similar but Higgins may be better componentized, structured, comprehensive and open relative to your classic virtual directory.  I am sure the virtual directory vendors will throw rocks at this.  In defense of the virtual directory vendors, I still don’t see any fundamental capability that Higgins provides that cannot also be delivered by a virtual directory.

Just so you don’t think I don’t have a position.  Higgins is helping to define the architecture of the identity meta-system.  Virtual directories will adapt (note that Novell is engaged with Higgins), but Higgins is a leader defining the new identity frontier.

Mike


Higgins vs. Virtual Directory

September 22, 2006

Can someone tell me the significant difference between a virtual directory and Higgins (besides Higgins is open source)?  I get the impression this is not a popular question.  While at DIDW I suggested we should rename Higgins to Virtual Directory 2.0.  The response was “Shush, don’t say that.”  I don’t really like dancing around issues.

Mike


User-centric Identity and the Enterprise – A collision in the making?

September 22, 2006

It has been a while.  Just returned from Digital ID World.  Great discussions and enlightenment on my part.  I have seen a few blog discussions about the Patrick Curry / Kim Cameron session on user-centric identity in the enterprise.  This is a great discussion and I believe that user-centric identity (as manifested in the user experience) is likely to arrive at the enterprise much like the Internet did – I am here, deal with it.  I see an interesting contradiction in the drivers.  The users want control of their information / identity.  I have heard users voice their objection to a corporation mandating a federation with what they perceive as their personal information – classic example, 401K accounts.  On the flip side, the motivation for the corporation is to provide federation as a means to reduce the cost of support, primarily in password resets for the many accounts – a significant cost.  Allowing a user to be in the middle of, or decide on, a federation or passing of “identity” information allows the user to negate this corporate cost driver.

I suppose if we have an intersection of user-centric identity and corporate-mandated federation we might have a win-win compromise if most users choose to federate and those that choose otherwise are savvy enough to manage their own passwords and don’t call the help desk for a reset.  Then everyone would be happy – yea, right.

Actually I am optimistic that user-centric and enterprise federation will result in a better world, I just haven’t figured out all the details quite yet.

Mike


Bookkeeping details

July 25, 2006

As I grok more about the distinction between personal identity and corporate identity it seems wise to say: 

This is my personal blog.  It does not reflect the views of my employer, and I am not speaking as my employer’s representative.  If you quote me, please respect my right to contribute opinions without connection to my employer.

Mike


User-centric Identity Contexts

July 7, 2006

A recent discussion on the ID Workshop group has been about user-centric identity and the corporation.  As a part of that discussion Phil Becker pointed out we use the term “user-centric” in multiple contexts and it really means different things in different contexts.  Below is my first pass at a potential list of contexts for the term “user-centric”. 

I think the list Phil proposed is: 

User-centric architecture – is this about the user in the protocol?  I don’t think it is intended to be about where the data resides.  I am still unclear about how this fleshes out given there seems to be agreement it does not mean the user makes a decision, nor sees every exchange of identity data. 

User-centric experience – So is this just CardSpace and OSIS? 

User-centric control – I suppose this would be about the user having some say in what attributes of their identity in what context are shared.  This could be a user in the middle each time, or include delegation via the likes of an i-broker. 

User-centric management – Managers are vague, management is vague (sorry).  How is this different from user-centric control, if at all?  Is control about flow and management about the maintenance of identity attributes (CRUD)? 

User-centric data – Don’t know if Phil proposed this as a category, but I have some trouble with this one.  Notice what is not on the list is user-centric identity *ownership*.  Is that what we mean here?  I am stuck on the idea that I have no ownership of any meaningful identity data.  See my previous posts.  We might have control, but the only identity attributes anyone else would care about are owned by someone else, at least asserted by others.  What you own that is not issued/asserted by others is fantasy. 

Mike


Stirring the pot

July 6, 2006

So here is a thought.

What is user-centric identity?  It is not a thing, it is a process.  In the digital world, user-owned identity is simply self-asserted and of inconsequential value.  For an identity to have value, its characteristics (attributes) must be attested to by third parties.  These third parties must have credibility either from their legal founding (such as credit card companies, my employer) or from the sheer number of consistent independent attestations (reputation systems).  The fact that I own any aspect of my digital identity is a myth.  User-centric identity is about controlling the distribution of that information.

Digital identities that I *truly* own are simple avatars that have no value beyond fantasy.

Mike


“MY” Identity and the Identity Tiers

July 6, 2006

I have been mulling Doc Searls’s discussion of Independent Identity (http://www.itgarage.com/node/768#comment), including Andre Durand’s 3 tiers of identity.

Let’s start with Andre’s 3 tiers:

  • “T1 identities are both timeless & unconditional. They are your true personal digital identity and are owned and controlled entirely by you, for your sole benefit.”

I read this and ask – what is my “true personal” identity?  Is it who I really am as opposed to some avatar?  I don’t think who I REALLY am has a digital manifestation.  Is it attributes that I own?  Or attributes that I have asserted?

What attributes about me do I actually own?  My name? – Not really, I can assert my name but it has no real significance unless attested to by some authoritative 3rd party.  I cannot even change my name without a court filing.  So what of my name do I own?  Are there aspects of my digital identity that I do own?  I am leaning toward nothing of any significance.  I own, can assert, can prove, and can change of my own volition only things like hair color, weight, dress, behavior, etc.  Some things I own but cannot change (at least easily) are my many biometrics.  But who cares?  What can I do with these?  To do anything connected back to the real world requires some kind of T2 identity.  Any legitimate T1 identity you have seems to be a simple collection of “authenticator” attributes.  They provide identification, but not identity (a Phil Becker concept).

  • “Tier 2 is Assigned (Corporate): one given to you by some silo. Every card in our wallets, other than our business cards, are these.”

Tier 2 identity is where the action is.  These are the identities that actually have meaning to connect the digital world to the real world (i.e. – doing business).  These identities might not have been given to you by the corporation, but they are in some way controlled by a legal institution, not you.  As I pointed out above this even includes your name.  It certainly includes those things in our wallet that Andre pointed out.  Why do we carry a wallet – to do business like buy things, drive a car, get on an airplane.  I would even claim that our business cards (excluding the self-employed) are not ours to own and control. 

I think what distinguishes the meaningful T1 from T2 is a potentially vague temporal difference in the tie to a 3rd party.  Also I would claim T1 identity that many would say is “MINE” only has real value when attested to by an authoritative 3rd party.  Again, what my name is without the driver’s license to back it up does not carry much weight.  If I classify T1 identity as authenticator attributes then T2 are the “authorizer” attributes.

  • “Tier 3 is Abstracted (Marketing) and applies to those conditions where some company knows, say, your name and address, but nothing besides that, which doesn’t stop them from spamming you with junk mail.”

I don’t think I am interested in this space, possibly other than to wish it went away. 

I think there is another view of this.  T1 identity only has meaning when connected to reputation.  There are no other attributes that I would care about because I have no assurance they are true.  However if I can authenticate an identity is associated with a known reputation I can make business/commerce decisions.  This is the path that I think the social discussions are following.  However, I am thinking that in the personal world T1 identity without reputation has little if any value.  In the business world T1 identity even with reputation has little value, it is all about T2. 

So now what does Doc mean when he says MY identity?  I have previously said I believe identity is simply a collection of attributes about a subject in a context.  That seems to be contrary to Doc’s definition of MY identity.  Given that Doc’s a smart guy (that reputation thing), does he mean MY identity is about me having control, management, distribution rights, to the various collections of identity and associated attributes where I am the subject in any context?  I would presume this is independent of who owns, asserts, or is authoritative for any given attribute.  Because, in the pure sense I have no digital identity that is MY identity – even reputation is bestowed by others.

Mike


Identification and Identity

July 4, 2006

I have recently been following a discussion among Phil Becker, Eric Norman, and Luke Razzell.  The discussion was primarily around identification vs. identity with a little trust thrown in.  I just contributed my $.02 to the pot and post it here for posterity. 

Identification – As Phil says the act of identifying a subject, but not the same as identity.  I believe identification and authentication are synonymous.  The identification/authentication act is the act of establishing the subject with some level of confidence that can range from zero to high.  Involved in this identification act can be things like “I remember your face”, “I see your driver’s license”, “You have provided a secret that likely others would not know” (yea, yea we could write books here).  To me this is important, but not particularly useful without identity. 

Assurance – I mention this next because it is directly related to identification.  I think it is the degree of confidence that the identification event does in fact establish the subject.  “Because I say so” is low assurance.  Facial recognition (not the computer kind, but the “I know you, I see you every day” kind) is reasonably high assurance.  There are any number of assurance variations that might increase my confidence that you are who you say you are including passwords, biometrics, tokens, etc. 

Identity – I struggle to find complexity in this one.  I claim it is a collection of attributes about a subject in a context. As a corporate employee I have a set of attributes.  In this case these attributes are most likely asserted by the corporation, provided in a way the corporation can, with an acceptable degree of assurance, connect them to my identification.  As a human being I may have several other “identities” that represent me (or a collection of people/things) in different contexts.  This is an area I am regularly challenged in – many perceive identity is “who I am”.  For any number of reasons, both legitimate or otherwise, I have avatars.  Even within the corporate world I have legitimate business reasons for multiple “personae/avatars”.  Bottom line, I don’t see identity as a complicated thing to understand. 

Relationship – This is a popular word in these discussions.  I understand what relationships are in the social world, but I don’t yet have a clear understanding of the instantiation in the digital world. 

Trust – Ah, now if you want complication here you go.  I think there are 2 kinds of trust.  There is the one I live with every day in the corporate world and there is the more social-based trust.  I agree the more interesting is the social-based trust that gets into reputation and the like.  However I think the corporate world is still struggling with the more mundane “legal” trust.  While at the recent Identity Mashup in Boston Christine Varney shared a definition of trust that resonated with me (again from a corporate perspective).  That is:  security, privacy, authenticity and reliability, recourse and liability.  I felt this covered the landscape well – I am sure the attorneys will quickly latch on to this in the next couple of years.  Trust at a corporate level is a challenge and we are still working through this with the vision of moving to the next plateau of “federation”.

When considering trust from the social perspective, I think the references to Bob Blakley’s talk at Catalyst 2006 hit the mark.  This is where reputation comes into the picture.  As individuals we are not caught up in the legal aspects, we are interested at a much more primal level.  Can we interact, can I trust you, will we have a win-win?  In the end I think this is the much harder “trust” to develop and in the Internet age it is really all about reputation.

Mike


Off topic

June 27, 2006

I picked up an iPod this weekend for entertainment on my travels.  Can you believe how much information that little box, 1/2 the size of a deck of cards, can carry?  My entire collection of 200+ CDs only fills about 1/2 of its capacity.  Guess I need to enlarge my collection.  Technology is amazing.


Identity Mashup 06

June 26, 2006

I am sitting at the airport waiting for my return flight to Seattle.  I spent the last 3 days here in Boston attending the Identity Mashup 06 un-conference.  An entertaining and very different experience from the more corporate focused conferences I usually attend such as Catalyst and DIDW.  It was much more touchy-feely, focused a bit more on the individual rather than the enterprise – an excellent stimulus to broaden my thinking.  It was also amazing to interact with nearly all the great minds in the identity space.

There are many things swirling around in my head, but some have points that seem to be gelling into potentially coherent thoughts.

First I found it curious that after 2 days of conference I don’t recall anyone using the “federation” word.  Given the technologies we were discussing this seemed rather peculiar to me.  This morning I realized why that might be.  As I said above, this conference was more “personal” focused and federation is a rather impersonal techno term.  I believe people at the Mashup were using the word “relationship” instead.  I would claim “federation” and “relationship” are fundamentally the same thing.  I didn’t get universal agreement, but I am going with it for now.

Second item coming together was prompted by a comment from Dick Hardt.  During one of the panel discussions he asked “what exactly is the problem we are trying to solve?” – One of my favorite questions.  My answer so far is:

  • Preventing the theft of identity (my definition is the third item of this post) directly from the user (such as phishing and spoofing)
  • Preventing the theft of a user’s identity from some other third party (“Sorry boss, I lost my laptop.”)
  • Establishing an environment where the user has trust and surety that they can conduct transactions with confidence (secure e-Commerce)
  • Providing the ability for relying parties to make transaction decisions based on authoritative identity attributes (trusted assertions)
  • Making all the various identity providers, protocols, etc. invisible to the application developers.  (They just want to know who it is and what should I let them do?)

The third item is the definition of identity.  A small few still seem to hold the perception identity is “who I am”.  The majority of folks are now talking about an identity representing a subject (or subjects) within a context.  I agree with this definition but being a programmer at heart I am trying to boil it down to bits and bytes.  Aren’t we really talking about a collection of data attributes about the subject(s)?  As we talked about the “i-Card” Paul Trevithick suggested it also reflected relationships – not quite sure what those “bits” look like yet.

A last thought for now.  Higgins – seems like a worldly, multi-lingual virtual directory?

I met many new people at the conference.  I left excited about the energy and collaboration developing around the idea of an identity metasystem.
