DIDW: What do the Internet’s Largest Sites Think About Identity?

Here’s my rough notes from the third session, please expect rough writing. My comments / editorializing in brackets prefaced with “SJC”.

Dick Hardt - SXIP Identity

Talk around Identity 2.0. Need temporal awareness to understand what something is.

Vitamins: hard to sell as it prevents something in the future
Painkillers: easier to sell as it stops something bad
Viagra: very easy to sell - allows something new

[SJC: Dick went through a variation on his great Identity 2.0 prezo. Deltas below]

Need to know past behavior of a job applicant in order to evaluate how he’ll do in the future.

Let’s look at:

Yahoo - Single account for multiple services. Big set of silos. When they bought Flickr they had problems since Flickr needed its own identity.
Microsoft - .NET Passport failed. Windows Live ID is a rebranding. Infocard is a good evolution since the user is at the center.
Google - Google has a single account, lots of silos. As a user I’d like my own account, but for Google this is a vitamin, not Viagra.
eBay - Has silo identities but also has reputation, has past behavior as a predictor of future behavior.

Single account via Identity 2.0 has a single point of failure. But you already have one login per site with the big sites and you can make the one login more secure. You can reduce the risks of that single login by making that login more secure. [SJC: Single points of failure are still single, no matter how secure, see the previous talk on a national ID card]

Wikipedia could benefit from reputation.

Slashdot uses karma, what about using that karma from Slashdot in other places like games. It becomes an alternative currency. [SJC: Read Down and Out in the Magic Kingdom by Cory Doctorow]

Panel is now introduced:

Moderator: Dan Farber, Editor In Chief, ZDNet
Panelists:
Michael Barret - CISO PayPal - Previously president of Liberty Alliance
Michael Graves - CTO Verisign
Jim Piala (sp) - Product manager Windows Live

DF: What does MS say about Dick’s comments?

JP: Windows Live and Windows Live ID have a key focus on identity interoperability (issuers and technologies). Need to give people control of their identities. Users like to have multiple identities, some with the same provider, some with different providers. See big opportunities with WS-* and Infocards.

MG: Verisign is not moving out of areas that it has been in. It is more heavily investing in those areas. Securing enterprises, PKIs, etc. Military grade deployments. Sees real growth in what companies like SXIP and Microsoft’s Infocard, OpenID WG, etc.

MB: Identity gets more complex and standards hoped to go somewhere are just part of the problem. More difficult issues are what the earlier presentations explored. For financial services, can you actually pay? Less about identity, more about whether what you just did is similar to what you did in the past.

MG: CardSpace is an important technology to integrate with. Verisign could provide network based technology to help control the endpoint. How do I know that I can trust DNS? CardSpace provides a good toolkit to evaluate this.

DF: When will the walled-garden approach be resolved? How do you make them more permeable?

MB: I never thought this would happen fast. I am skeptical. Some evidence on the horizon. Hardware based authentication has to be broadly federated in order for it to work. Unconvinced that we have the protocols and the exchange mechanisms around the authentication exchange and the tie to the identity itself.

JP: All about business drivers. Not sure that economic incentives are there to allow full federation. Tightly coupled business offerings linking with one another might make more sense.

MG: Verisign is taking a very different and disruptive line. We make lockdown tech for financial institutions to manage risk. On the other end, there is the user centric notion which we believe in. Federation does not lead to universal identity. We don’t have the retail presence to risk by making a big change. Comes down to a failure of faith in federation. SSO is a better option as part of the OpenID framework.

DF: How do you convince a Yahoo or someone similar to adopt any of these solutions?

MG: You don’t, the walled gardens are last to migrate to the new future. Balance between content to keep a user in a site and the tipping point which would cause them to leave the site. Do you want to be a silo, or a hub to allow folks to flow in and out? Interoperability needs to happen via a mesh of hubs which broker these identifiers.

JP: Two reasons why we might see more users getting out of the garden. First, users need to be at the center of the experience. They care about this and are frustrated by it being closed. Users themselves will drive this. What if you could take your eBay rep to another site? How can I take my Xbox Live reputation to another forum? Second, no walled garden is completely walled. Partnership will be present between the gardens.

MB: We don’t have protocols which describe trust levels between systems (i.e. PayPal, Skype, and eBay). With three auths in our own systems, how do I cross-correlate these?

Question from audience, Mike Jones from MS: Depending upon the value of the information secured by an ID, the current username/password standard either is good enough or is not manageable nor able to be secured. How do we get users away from this?

JP: Different applications require different levels of assurance. This isn’t a bad thing, nor an impediment to federation. You just need the identity to match the scenario.

MG: Lack of success has not been because passwords are not adequate. It has been because they’ve been too difficult to use. Risk and fraud need to be managed. Need a growth path to make things better.

MB: Each component of identity can break. At that point you are trying to predict which transactions are legitimate and what you should do to mitigate the risk. Need business specific standards. Phishing problems around user-driven identity. Not much traction in email signature standards. One of the things we are doing to limit the phishing attacks from PayPal is to sign every outbound email to try and make some progress.

Question from Phil Becker, DIDW: Question in the mind of Windows Live offerings. Enterprise IdM has advanced the notion of self service and scaling improvements to make all this more deployable. Software as a service and other service based offerings might invert the outlook; when does Windows Live start to sell to a business? Could a business use their own authentication and then assert that to Windows Live?

JP: That is exactly what is happening. That used to be achieved using password sync between AD and Windows Live ID. Using ADFS (AD Federation Service) and WS-* in the future to allow enterprises to manage their identities themselves in accordance with governance but have them accepted at Windows Live services. Federation is a user experience improvement.

Question from Jeff Smith - Office: Age for purchasing alcohol is a minimalist thing for specific transactions. What are Verisign’s thoughts on this?

MG: We are providing the infrastructure for this, like Infocards is.

MB: I am doubtful whether these sorts of systems will work the way Infocards is described. This is because of the commercial dynamics of this. In practice these kinds of problems are dealt with in low-tech AUP type policies. The elegant conceptual mechanisms… I’m just unconvinced that they’ll emerge in the marketplace. Just because some merchants and consumers might want them, there may not be enough economic traction to make this happen. Need the plumbing first.

JP: The requirement for claims creates an interesting requirement on the system. Claims need to be verified, perhaps by a legal framework. Few digital identities have been vetted to that level. Some electronic ID programs in Europe meet that requirement. There are no comparable identity issuers in the US.

Question from Jon Donovan, Network Appliance: All this seems consumer centric, how does this apply to enterprises? How can I trust other identities from a reputation perspective?

MG: There’s a big gap between nothing and a government issued ID. Nothing to perfect. Stepwise evolution is needed.

Paul Bran (sp) - Brighton Consulting: When can I use a better credential?

MB: If something is fraudulent, what is the cost to the consumer, business, or insuring entity? We honor all legitimate transactions at PayPal. We exonerate customers 100% when it is not. This isn’t about technology, it is about the business decision in understanding the risk and cost. I’m a great believer in opening federation up, but the question becomes, when an auth fails because they can’t get online if their token is destroyed, how do you get that person online? At American Express we had lots of scars, but when a customer called with a forgotten password, half of the time they just forgot their username. We need to be able to disambiguate this.

JP: Large PKI/smartcard islands are increasing and more interoperability would allow these systems to be used online. CardSpace / Infocards might be another way to increase adoption of more systems.

Pam Dingle from ? - Windows Live ID and Infocard are not the same thing and even in Vista they are separate. What is the nature of the integration planned?

JP: Windows Live ID is a hosted service at Microsoft, we’re excited about Infocard as an alternative means but we believe that as a large company we’ll need a dedicated identity service as well as use newer techniques.
