We're just getting started with a broad discussion on Identity Management.
Craig Mundie, Microsoft CTO/Advisor to Gates, is kicking off the discussion.
"Identity, Context and Presence"
- Principal: a person, machine or program
- Identity: the set of all attribute values for a principal
- Persona: who the principal is in a given context
- Authorization: the rights of the particular persona.
He's arguing that today our identity is tied up in three worlds: the personal, the commercial, and the governmental. Each of these worlds involves the creation and management of identities, and they increasingly overlap.
How much control will we all have over these identities, many of which are being created on our behalf?
He notes that digital identity is truly in its infancy.
He notes that Microsoft is helping create managed namespaces that cross the enterprise / personal identity worlds. They're using Passport to participate in interactions inside an enterprise managed by identities in Active Directory. We're seeing federated identities across public systems and private systems.
He sees increasing tension between government identities --- governments believe they own and define root identities for people --- and personal control.
Craig shows a demo video of a future world envisioned by Microsoft research. It's basically the idea that identity and contact info will merge enabling seamless automatic communications.
Panel on the topic, hosted by Jamie Lewis, The Burton Group.
Gordon Eubanks: Oblix -- software for user/identity/directory management.
Gordon is giving a product/ROI pitch for what they do. Lots of buzz words.
Talks about large-scale identity problems, such as a large company like GM, whose supply chain requires 70,000 users from thousands of companies to interact with a system safely.
What's driving federation? Supply/dealer networks. Large-scale customer care online. But most companies start identity management with employees.
Michael Barrett: American Express (VP of Internet Tech, and President of Liberty Alliance).
Thinks it's a multi-headed beast. Three drivers/enablers:
- Driven by desire to know more about your customer (profiling)
- Technical standards for identity management (e.g. Liberty)
- Business issues -- benefits of identity interoperability (gives ATM banking example; only happened once users could use identity across networks)
Michael believes tech standards will be common, but that policy issues will drive how this is applied in verticals.
Andre Durand: PingID --- identity management software and service platform
Very interested in the personal aspect --- what would an infrastructure look like where an individual was in control. This led to the notion of federation, where a personal system could link and integrate with business/government that have their own systems.
Core idea is "identity roaming".
Issues of trust and authentication (and risk and liability) are enormous when linking between federated systems.
"Identity transactions" need to happen peer-to-peer, and the key is frameworks that establish mutual trust and confidence. Scoring of identity validity.
BIG QUESTION: who's in charge here?
Unclear. You'll have many identities, some in and some out of your control. Do you own your social-security number, or does the government? Who controls policies on how it can be used?
There always needs to be a contract establishing rules about an identity and its uses.
Information/identity sharing can be controlled through a rights expression language (Liberty Alliance model).
Will we see top-down policies over identity transparency driven by governments, which are more focused than ever on control of identity information? Most of the panelists don't seem concerned with government intrusion into personal information that is managed inside an enterprise.
This gets a lot more complex as policies differ across geographic boundaries, where an identity can exist virtually in any country, and where users interact with applications and data on computers anywhere.
Q: What happens when digital contact identities get into the wrong hands? Spam is the core example. Will this proliferate?
A: We will reach equilibrium. Legal acceptable-use rules combined with technology barriers will get us to good social norms.
A: We could get to a world where you have certified channels of communication tied to your personal area network.
Q: Liberty Alliance mission appears to have shifted. What's its role today?
A: When Amex joined, it did so because it saw a large business need, mostly from the use of cross-enterprise web services, and a need for security standards that would work across enterprises.
Q: Why not just use SAML (Security Assertion Markup Language, a spec for web services authorization security)?
A: SAML doesn't do enough. Michael is also disputing the idea that Liberty was designed to bash Passport. Everyone agrees that Sun stepped in and heated that up, but that isn't the focus. Now everyone is working on Federation, across the Microsoft and Liberty Alliance world.
Q: A year ago Liberty had nothing. What does it have for me today?
A: They have started to deliver with 1.0 and beyond, including a long-term technical strategy. On track to deliver new specs in the first half of this year. Chugging away and executing on the mission. What does it mean to you? Basic things like how personal credit card information is federated, secured and used for end-users.
Net of the Panel:
- Identity Management is a nascent field.
- Massive proliferation in identities
- Issues surround creation, control and usage
- Federation appears to be the right approach for working across domains
- Most of the implementation issues will be policy and business, not technical
- Lots of specs coming, not clear whether they will take
I was hoping to hear about the connections between identity and digital rights management, as well as between identity and presence management and communications networks.