Digital Identity within E-Business and E-Government: Where are we now and where do we go from here
William Barnhill, Booz Allen Hamilton
Agenda
• What are the basics of Identity 2.0?
• Where are we now?
• Where are we going?
• What does the future hold?
• Questions and Comments?
What identity is and isn’t
• Dictionary.com on identity:
  • The collective aspect of the set of characteristics by which a thing is definitively recognizable or known
• More precisely:
  • A digital representation of a set of claims made by one party about itself or another digital subject [Identity Gang]
• Some say identity = reputation, others not
  • IMHO, reputation is just a possible set of claims
• Note the above definition says ‘thing’, not person:
  • A corporation can and does have an identity
  • So does an online community
  • Less clear are things that cannot express free will: routers, etc.
• Identity is not identification; that’s just one use
The Core Concept of Identity 2.0
• User-Centric Identity
  • User consent –
    • User can always allow or deny whether information about them is released or not (reactive consent management)
  • User control –
    • User has the ability to policy-control all exchanges of identity information (proactive consent management)
    • User delegates decisions to identity agents controlled through policy
  • User-centered –
    • Pete Rowley describes this core subset of the previous two as ‘People in the protocol’
    • User is actively involved in information disclosure policy decisions at run time
Identity in e-Business and e-Gov
• Identity 2.0 drivers in e-Business and e-Gov
  • Spam: > 50% of blogs are spam blogs (splogs)
  • Growing risk of identity theft
  • Niche marketing requires greater identity
  • Regulation: e.g. China’s 18-digit ID numbers to combat gaming addiction in those under 18
• The Identity Meta-System
  • No single identity solution will work for everyone
  • Consistent user experience across different systems
  • Interoperability of identifiers and identity claims through an encapsulating protocol...the IP of identity
Identity standards in our hands
• SAML 2.0: OASIS
• OpenID: OpenID.net
• Liberty ID-WSF
• CardSpace: Microsoft
• Username/Password
Source: Eve Maler, from http://www.xmlgrrl.com/blog/archives/2007/03/28/the-venn-of-identity/
Where are the problems?
• We are in the pre-IP world of Ethernet, Token Ring, etc. (SAML, OpenID, i-names, WS-Trust, ID-WSF)
• Publish your information once, relinquish control
• SPAM cost $21.58 billion annually, according to the 2004 National Technology Readiness Survey
• Identity fraud cost $56.6 billion in 2006
• Existing standards have not been used to solve the above problems
  • Each existing standard addresses different facets of identity from the perspective of different users
  • No single standard acts as the gem that holds the facets together
• Thorny issues:
  • How do we represent claims in a way translatable to everyone?
  • How do we capture negotiation of what claims are needed?
Identity standards on the horizon
• The identity meta-system
  • MS vision, implemented in InfoCard
• Higgins
  • Novell’s vision for an identity meta-system, implemented in the Bandit project
• OpenID
  • Community vision for a very lightweight identity meta-system, implemented in the Apache Heraldry project
• i-names
  • Extensible Resource Identifiers (XRI) are exponentially more valuable for a lightweight identity system, implemented in XDI i-brokers
• Many others, see http://wiki.idcommons.net/moin.cgi/IdentityLandscape
Kim Cameron’s Laws of Identity
• User Control and Consent: Identity systems must only reveal information identifying a user with the user's consent.
• Minimal Disclosure for a Constrained Use: The identity system must disclose the least identifying information possible, as this is the most stable, long-term solution.
• Justifiable Parties: Identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
• Directed Identity: A universal identity system must support both "omni-directional" identifiers for use by public entities and "uni-directional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
• Pluralism of Operators and Technologies: A universal identity solution must utilize and enable the interoperation of multiple identity technologies run by multiple identity providers.
• Human Integration: Identity systems must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
• Consistent Experience Across Contexts: The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
Source: http://msdn2.microsoft.com/en-us/library/ms996422.aspx#identitymetasy_topic2
Will they work in the enterprise?
• Short answer: Yes
• Inward facing answer: Yes, but…
  • Enterprise security and compliance requirements may force up-front user consent within the enterprise
  • May limit operators and technologies allowed
• Outward facing answer: Unqualified yes
  • Your customers, and quite possibly future laws, will require enterprises to protect the identity of their consumers
  • Enterprises will be required to protect their own identity to combat phishing and spam
Identity Meta-system Requirements
• For adoption…
  • Open in all senses of the word…a communal barn-raising
  • Simply complex…simple at its core, with the capability of handling complexity by adding plug-ins of some form
• Microsoft’s Kim Cameron states 5 key pieces:
  • A way to represent identities using claims
  • A means for identity providers, relying parties, and subjects to negotiate
  • An encapsulating protocol to obtain claims and requirements
  • A means to bridge technology and organizational boundaries using claims transformation
  • A consistent user experience across multiple contexts, technologies, and operators
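The Directed Identity and Minimal Disclosure laws, together with Cameron’s "represent identities using claims" piece, as an added example that is not from this talk or from any of the projects it names: a sketch of an identity provider that derives a uni-directional (per-relying-party) identifier and releases only the claims the user’s consent policy allows. The hostnames, claims, subject record and provider secret are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data (not from the talk): the identity provider's record for one subject.
USER_CLAIMS = {
    "local_id": "user-4711",     # the IdP's internal handle; must never reach a relying party
    "name": "Alice Example",
    "email": "alice@example.org",
    "age_over_18": True,
}

# The user's proactive consent policy: which claims each (hypothetical) relying party may get.
CONSENT_POLICY = {
    "shop.example.com": {"age_over_18"},
    "forum.example.net": {"name"},
}

# Constructed per-provider secret; a real IdP would keep this in a key store, not in source.
PROVIDER_SECRET = b"constructed-idp-secret"


def directed_identifier(local_id: str, relying_party: str, secret: bytes = PROVIDER_SECRET) -> str:
    """Uni-directional identifier (Directed Identity law): stable for one relying
    party, but keyed on that party's name so two parties cannot correlate the user."""
    msg = f"{relying_party}|{local_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def release_claims(relying_party: str, requested: set, user_consents: bool) -> Optional[dict]:
    """Minimal Disclosure under user consent: release only the intersection of what the
    party asked for and what the policy allows; release nothing if consent is denied."""
    if not user_consents:
        return None
    allowed = CONSENT_POLICY.get(relying_party, set())
    disclosed = requested & allowed
    return {
        "sub": directed_identifier(USER_CLAIMS["local_id"], relying_party),
        "claims": {name: USER_CLAIMS[name] for name in sorted(disclosed)},
        "withheld": sorted(requested - allowed),  # lets the party see what it was refused
    }


def correlatable(party_a: str, party_b: str) -> bool:
    """True if the two relying parties would receive the same identifier for this subject."""
    local_id = USER_CLAIMS["local_id"]
    return directed_identifier(local_id, party_a) == directed_identifier(local_id, party_b)
```

Swapping the HMAC for a plain hash of the local identifier alone would turn "sub" back into an omni-directional correlation handle, which is exactly what the Directed Identity law warns against for private entities.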
Convergence in the Identity space
• URL-based vs Card-based vs Token-based
  • Convergence between URL-based and Card-based identity
  • Convergence starting to happen between URL-based and Token-based identity
• Towards full convergence and a true identity meta-system
  • URL-based identity => Resource identifier-based
  • XRI-based identity => a possible full convergence
  • The i-broker concept
Identity Standards Adoption
• Adoption is happening right now
• The grassroots/Web 2.0 adoption vector
  • URL-based identity: OpenID, YADIS
• The Enterprise adoption vector
  • Token+Card-based identity (WS-Trust, CardSpace)
Identity 2.0 Services are a Blue Ocean
• Blue Ocean vs a Red Ocean
• Characteristics of a Blue Ocean market
  • Pioneering vs. competitive, breeds cooperation
  • Creating or redefining demand
  • Key to sustainable success
• Many service offering possibilities, few providers
• Current providers are more co-operative, incl. Microsoft
• So…Identity 2.0 Services is a blue ocean
What the future may hold
• An Identity Meta-System (IMS) standard that specifies core IMS requirements and possible profiles
• Multiple flavors of an Identity Meta-System (InfoCard, Bandit, XDI I-Brokers) that implement that standard
• Standards for reputation representation and interchange, leading to reputation as a real value currency
What you can do
• Help raise the barn!
• Join two Open Source projects
  • Why two?
  • Because you’ll be looking at the problem from different perspectives, and because we need more people as bridges
• Join or form OASIS Identity-related technical committees
• Talk to your enterprise leadership:
  • How user-centric is their identity?
  • Do they have documented Identity Management policies and procedures?
  • If not, help them write them, or out-source it (in the interests of full disclosure, Booz Allen has an IdM group)
Summary
• User-centric identity will be crucial as software-as-a-service, knowledge management, and social software become widespread in the enterprise
• Adopting the right emerging identity standard for your enterprise will have significant ROI
• Identity 2.0 brings several new market opportunities, most of them tied to Open Source
• We’re still at the stage where an Identity Management (IdM) consultant needs to know many standards, but convergence is happening.