Archive for the 'Web Identity' Category

Schneier’s Wide-Open Wireless Argument

Wednesday, January 16th, 2008

I’ve been watching the back-and-forth concerning Bruce Schneier’s argument for open home wireless networks. See his post for links to essays in support of and opposition to Schneier’s points. I found Glenn Fleishman’s post particularly interesting. I don’t want to rehash the arguments for or against that have been put out already, but rather wish to point out a couple of simple things I didn’t see covered in enough detail (if at all). As a preface, I have an enormous amount of respect for Mr. Schneier and have met him and heard him speak while at Cisco.

First, security is a system. While I have no doubt that there are individuals with the ability to secure their home systems, the vast majority do not. Having WPA encryption raises the bar for attack against a home system (regardless of its security) just like having a firewall limits your exposure to Internet-borne attacks. If the controls are easy to use and enable, why take the added risk? As an analogy, in scuba diving it is possible to dive with completely redundant systems, thus substantially reducing the risk of underwater failure. I have seen many divers carry elements of such a system with them on a dive. However, the overarching principle in scuba is that you dive with a buddy. This is to ensure that if something unexpected should happen to you, there is another person there to help bail you out. I’ve been diving since the age of 13 and can count on one finger the number of divers I know of (outside the military) that engage in the dangerous act of solo diving.

Second, Schneier seems to think that the risks to him are as follows: someone breaks into his machine or someone does something illegal using his network. There is a significant third risk he doesn’t cover: the increased risk of identity theft / profiling. Watching the Internet use and search habits of a machine is very easy over an open wireless network. Watching that use over a long period of time could be very revealing (and profitable, just ask Google). What I find borderline hilarious is that the blogosphere proponents of open networks are the very same folks that rightly went a bit bonkers when AOL released the search data of 650,000 users. This data was partially anonymized by removing the screen name of the searcher, but as the New York Times and others reported, it is fairly trivial to analyze searches and derive identity. I wrote about how the same techniques might apply to enterprise identity. What I find funny is that while the damage done is at least self-inflicted in the open wireless case, the repercussions could be even more disastrous. With a persistent log of not just your searches but your Internet traffic in total over a period of time, it would be very easy to tell an awful lot about you. If you think the bad guys need to be parked out front to do this, you haven’t spent enough time looking at snack-food wireless antennas.

Either your privacy is important or it isn’t. If your argument is that you have nothing to hide or that you aren’t important enough for anyone to care about you, that’s your decision. (As an aside, that was the government’s position as well when everyone was up in arms over the Patriot Act library fiasco.) I myself will put in place simple privacy controls and quietly wait to read the Facebook and MySpace profiles of presidential candidates’ younger selves in the 2040 elections and beyond. As the Internet Archive has proved, the Internet is forever.

Schneier may, as Glenn assumes, encrypt traffic from his PC to some sort of VPN gateway at his network perimeter. If so, he’s covered against this risk (though I would argue as wifi connected devices proliferate doing the client VPN solution will get tedious). However, I completely agree with Glenn that it is irresponsible to not explicitly state that this is the case. Your average user with a Linksys router has no idea how to do such a thing and most consumer-grade routers do not even support it. Also, since a VPN solution operates above layer 2 it is tedious to enable and prevents easy communication with non-VPN enabled IP devices on the same network. I want my other wifi gadgets to quickly communicate with one another and my home PCs.

Finally, Schneier implies that giving a guest Internet access and having a secure network are mutually exclusive. In the time it takes him to ask “one sugar or two” as he’s preparing his guest’s tea he can easily give them the password to his wireless network. Alternatively, he can run multiple SSIDs, giving open access to guest systems and secure access to his personal devices.

I keep things very simple at home: WPA with a strong password that I can easily relay to a guest without writing it down. I should probably change that password now and again, but until I see some decent attacks against WPA or make an enemy out of one of my friends I’m not too worried. Of course I do my best to secure my hosts as well, but I don’t count on it. When I’m at a hotel or a wireless hotspot I have secure connections for all my email accounts and I avoid doing anything in the clear that I wouldn’t want posted for all to see.

So in summary, can you make an open wireless network secure for your machines? Of course. Is it worth the risk and trouble? Probably not.


OpenSEA Adds HP and Aruba, Ships 2.0.0

Tuesday, December 18th, 2007

OpenSEA just announced that HP and Aruba have joined the Alliance. HP even indicated that it might bundle the supplicant in their PCs. There’s some fairly thoughtful analysis by Ric Turner at Computer Business Review here. All in all this bodes well for the Alliance and 802.1X in general. I look forward to having more members to announce in 2008!

In related news, the Open1X project just shipped 2.0.0 of the supplicant. It is now in feature-freeze mode, meaning the only new development on this branch will be bug fixes.


Digital ID World Final Thoughts

Friday, September 15th, 2006

Well that was an interesting three days with a fair amount of typing. Hopefully the session notes were helpful to everyone. There is some good analysis of specific sessions over at Phil Windley’s blog. In all I thought the conference was well done and it was interesting to discuss the nascent blurring of the NAC and Identity space. The hot topic of the conference was not NAC though, but rather the user-centric identity efforts from Microsoft, Higgins, and others.

These initiatives, if you are unfamiliar with them, promise to simplify the user experience of sharing identity information on the Internet. Through a visual representation, users choose the identity profile they wish to share with a given site and can control what information is presented. These identity profiles can either be self-asserted or signed by an identity provider. Think of it as a signed version of your web browser’s auto-fill feature with a selector in advance of submitting the data.

There were a couple presentations on the enterprise applications of this functionality and most of the conversations were clothed in the trappings of web 2.0 virtues like user-centricity and distributed workflow. There were no immediate killer applications that I saw. Interestingly enough, the most compelling reason to imagine that this functionality will hit the enterprise is that consumers will like the user experience at home and will ask for it at work. What then, will user-centric identity mean in an enterprise networking context?

These systems seem to be very much like a PKI at their heart. Identities are signed and can be presented without a challenge / response from some authority each time. This is good and if it can be extended to include information within the signed identity about the role and attributes of the user, then network access decisions can be made without consulting a user directory. Of course role changes, revocation, and other intricacies threaten the simplicity of the system but the overall idea of embedding more information in a certificate is not particularly new. If these user-centric efforts produce something substantially easier to deploy and use, then a signed identity throughout the enterprise is possible and could significantly change network identity management.


DIDW: Higgins Framework

Wednesday, September 13th, 2006

Came in a bit late…

Trends:

Productivity is achieved through the integration of people with business process

Need to preserve privacy

Information about individuals is growing in different silos

New framework for IdM that is user-centric

Enables dynamic, automatic capture of people information from disparate information repositories

Facilitate integration with diverse identity management systems

Ease management of identity, profile, reputation and relationship…

IdM has poor tooling for developers. Higgins uses only one API and has plugins to CardSpace, OpenID, RSS, XRI, LDAP, etc. Other connectors can be written since this is open source.

For end users, they get a consistent user experience using visual “i-cards” and privacy-enabled claims to share only what is needed (and protect private information).

They also get personal information “link and sync” services

  • remembers passwords, fills in forms
  • links and syncs your info across silos
  • gives you more control over your personal data

End users get an Identity Metasystem

  • Identity attribute service to federate this information between multiple systems and silos

They also get privacy and move from attributes to claims. Attribute is bank balance = $100K, claim is bank balance is > 20K. [SJC: Claims seem far more privacy friendly]

For enterprises, they get integrated identity, profile, reputation, and relationship information across and among complex enterprises.

Enterprises get privacy as well. Give users the ability to control more of their info. Employee satisfaction.
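The signed-identity idea from the Digital ID World wrap-up above and the attribute-versus-claim distinction in these Higgins notes, as one added worked example (not code from the conference, Higgins or CardSpace): an identity provider signs a small card of claims, answering “balance > 20K” as a yes/no instead of releasing the balance, and a relying party checks the signature, expiry and a revocation list before making a network access decision with no directory lookup. HMAC over a shared key stands in for the provider’s real signature scheme, and every name, key and value is constructed for the example.

```python
"""Toy signed identity in the spirit of the CardSpace/Higgins discussion.

Added example, not code from the conference or from any project named in
these notes. An identity provider (IdP) signs a small card of claims; a
relying party (RP) verifies the card and decides on the claims alone, with no
directory lookup. HMAC over a shared key stands in for the IdP's signature
scheme, and all names, keys and values are constructed for the example."""
import hashlib
import hmac
import json
import operator

IDP_KEY = b"constructed-demo-signing-key"   # stand-in for the IdP's signing key

PREDICATES = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def issue_card(subject, attributes, requested_claims, ttl_seconds, now):
    """IdP side. A requested claim is either an attribute name, released as-is,
    or a (name, op, threshold) predicate answered True/False so the raw value
    never leaves the IdP ('balance > 20K' rather than 'balance = 100K')."""
    claims = {}
    for req in requested_claims:
        if isinstance(req, str):
            claims[req] = attributes[req]
        else:
            name, op, threshold = req
            claims["%s %s %s" % (name, op, threshold)] = PREDICATES[op](attributes[name], threshold)
    body = {"sub": subject, "iat": now, "exp": now + ttl_seconds, "claims": claims}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_card(card, now, revoked_subjects=frozenset()):
    """RP side. Returns the claims if the signature checks out, the card has not
    expired and the subject is not on the (small) revocation list; else None."""
    expected = hmac.new(IDP_KEY, card["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, card["sig"]):
        return None          # tampered or forged
    body = json.loads(card["payload"])
    if now >= body["exp"] or body["sub"] in revoked_subjects:
        return None          # stale or revoked: what keeps a signed identity honest
    return body["claims"]


def network_access_decision(card, now, revoked_subjects=frozenset()):
    """Assign a network segment from the signed role claim alone."""
    claims = verify_card(card, now, revoked_subjects)
    if claims is None:
        return "deny"
    return {"admin": "vlan-mgmt", "employee": "vlan-corp"}.get(claims.get("role"), "vlan-guest")


if __name__ == "__main__":
    now = 1700000000
    card = issue_card("alice", {"role": "employee", "balance": 100000},
                      ["role", ("balance", ">", 20000)], 3600, now)
    print(card["payload"])
    print(network_access_decision(card, now + 10))
```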

Implementation. Targets for 1.0

Packages for RPM and Debian: Suse, Red Hat, Debian, Ubuntu
OSX
Windows
Eclipse plugins

Protocols: WS-*, OpenID-H, LDAP, RSS-H

Language bindings
Java, C (core components)
PHP, Python, Ruby (relying party enablement)

Industry Collaboration

Higgins enables Interoperability, Privacy, and a user-centric foundation

Moderation Portion Begins

Phil Becker - moderator

Q: How is this related to eclipse?

A: Started out looking for tooling for identity information and the core data mapping information, CardSpace as a back end. Then started to look at various platforms and how to get CardSpace to work on multiple OSs.

Phil: So you have the developer framework / plugins, open source client piece, and service layer.

Q: Does this achieve CardSpace compatibility? Or CardSpace + extra stuff.

A: Yes, same user experience.

Q: Are there still obstacles on the IP front now that MS has opened up things from an IP front?

A: The MS announcement was great, but there are still some possible IP obstacles.

Q, Audience: What is version 1.0? How do you go from release to getting in front of the end user.

A: We’re working with the platform vendors, good cooperation from Linux folks, we’ll release the CardSpace equivalent client but also the underlying libraries to make your own version of this thing.

Q, Audience: We have 5,000 applications built around identity being in a corporate directory. If we want to move this directory out of the way to put some smarter federation-enabled service in between the app and the directory. What does the enterprise do here?

A: Working to implement plugins for Higgins, allowing consistent view-pulling this information together.

Q, Audience: Trusted chips are on PC motherboards now, how are you going to use them?

A: TPM is definitely something we want to use to acquire data. It would be a context provider like other systems. Token server could also store keys there as well.

Q: IAM, ISVs are both vying for the same customers but things are challenging because you need to pick one IAM vendor which locks you in. Or I could build in a SAML based middleware layer. What I hope is that Higgins gives a path to abstract things from a given IAM, ISV vendor. Does this seem reasonable?

A: It does exactly what you are describing. App developers have to code to specific LDAP, AD, etc. to do authentication. If the app developer supports Higgins, then plugins can map this functionality to nearly anything.

Q: What about Jazz in Java?

A: Yes there will be a Jazz module.

Q: Developers may not support it as they don’t do exactly what they want?

A: We think of CardSpace as an application we need to support. The best way to test frameworks is to run apps from the top all the way through to see how it works. Testing 2-3 different apps for the 1.0 release. You might also imagine identity management systems based on this technology. Novell is building on top of Higgins, etc.

Q: After 5 years, Liberty is very agnostic and does a lot of what are you trying to do. Why are you reinventing the wheel?

A: This is apples and oranges. Liberty is specifications and protocols, Higgins is code and APIs. We plan to work closely with Liberty and WS-*. Higgins plans to reuse Liberty stuff to the extent they can but they are market driven.

Q: Every new app has a user database. Is Higgins a good thing for them to use instead of doing their own user management?

A: Yes, use Higgins and the job is easier.


DIDW: Understanding CardSpace in the Enterprise

Wednesday, September 13th, 2006

Patrick Harding, Ping Identity

Discuss where CardSpace might work in Enterprise.

Assumption that this will be very helpful in the consumer space.

Federation inside the enterprise is growing. The protocols are mostly over: SAML 2.0 and WS-Federation

Enterprise Federation hubs have enabled 5-10 spokes

Common Enterprise scenarios are : employee SSO to ASP’s, Business partner SSO to enterprise Apps, ASP’s and portals integrating 3rd party services

What is CardSpace

CardSpace is the new identity initiative in Vista: secure visual metaphor for managing identity information

In the enterprise context, it is the digital equivalent of your employee badge.

Today federation is passive, without user control, using IdP and SP with trust via SAML 2.0 Web SSO Profiles, etc.

Microsoft CardSpace, Higgins, SAML 2.0 ECP allow active federation. This allows the user to be involved and opens up new use cases.

Why CardSpace?

  • Self-asserted identity information
  • Standard Identity and Authentication UI Metaphor
  • User can control the flow of information


Scenario 1: Mixing Privacy Domains

Allows federation between work accounts and semi-personal accounts (like 401K accounts)

Scenario 2: IdP Selection / Discovery

Often an employee arrives at a service provider and needs to identify themselves to a 3rd party, e.g. going to your cell phone company and identifying yourself as an employee of a company for specific plans. SAML 2.0 can do this today but not particularly well. CardSpace brings user control into this process.

Scenario 3: Reduce Phishing Risks

The web authentication UI is easy to spoof; CardSpace can provide a graphically distinct authentication mechanism.

Scenario 4: Strong Authentication

Employees are required to leverage alternate stronger forms of authentication
CardSpace enables a standard UI metaphor for all auth mechanisms

[SJC: These scenarios seem a bit thin and certainly none represent a killer app to drive adoption. Most of these problems can be solved other ways, as the presenter is indicating]

Scenario 5: Role Management

Employees can choose what role they wish to be when accessing an application. Accessing an HR app as a manager vs. as an employee, etc. Simplifies temporary delegation.

[SJC: This is cool though, IT guy logging in as a user, vs. as an admin]

Ashish, Ping Identity

Demo:

Business relationship between enterprise and sales force, webex, 401k, etc.

Not blogging demo, very hard to take notes on this. :)

Kim Cameron, Microsoft

-Enterprises are consumer facing
-Many enterprises have relationships with individuals and small businesses
-These are often not central to consumers’ lives, but are still important when they matter

Think of analysts who have a website and a password, if you are asked to read something you don’t know the password to the site. You don’t normally go there, but when you want to go there, you really want to go there.

Information Card Strengths

Fast acquisition
Intermittent relationships
Risk reduction - anti-phishing and information minimization

With the proliferation of identity pollution there is a concomitant tendency for legislation to affix financial cost to those catastrophes.

With infocard technology you don’t need to store a bunch of information, just the profile. The provider doesn’t need to store the information [SJC: But why wouldn’t they? What is their motivation if they gain an economic advantage from having the information]

We don’t yet know all the best practices around infocards but we have some good ideas around how this will work.

Let’s assume more folks start using Information Cards. If large Internet sites enable billions of users, there might be increased pressure to adopt Information Cards for external relationships. Does it make sense for your enterprise to do something different than the enterprise employees might expect (especially in this age of de-perimeterization)?

The Identity metasystem model

The identity provider, the user, and the relying party are all able to trust one another, but the user stays involved.

The model of “create a user” is broken and makes no sense. Yet this is what happened in the old domain-based model. This gets really unpleasant when there are multiple domains. The federation model implied that these multiple domains could create trust relationships.

Then you wind up in this meshed enterprise model which isn’t just several domains but large numbers of domains.

Empowering Users to address this problem

Achieving access control while granting access has been really really hard.

Conclusion was to disappear the user from any involvement - including the business units

General solutions require increasingly complex policies

I believe in an alternate approach - make it easy enough that users can grant their own access - albeit under adult supervision

Trust is local, and contextual. The resource owner makes the trust decision, though he might delegate. Still a matter of them controlling the access. The business units should be able to make these decisions, not IT which has been impossible as it is too hard. Information Cards can make this much easier.

Conclusions:

Simplification and visualization allow us to devolve control to the owners of resources

Give the benefits of a single user experience at home and in the enterprise.


DIDW: One Identity at XL - A Success Story

Wednesday, September 13th, 2006

Thomas Dunbar - CSO XL Global Services

Publicly traded as XL

Parent of a group of Insurance, Reinsurance & Financial Products

$58B in assets

www.xlcapital.com

Founded in 1986 as an offshore insurance company with 50 employees when it started, but there has been a ton of mergers and acquisitions, each of which has separate naming schemes.

Had 17 IT organizations, wanted consolidation, then shared services, then one IT.

Needed to support the business:
-Organic growth
-Business unit managers needing to support new services

Identity issues

  • No governance model
  • No standards
  • No technical or application architectures
  • 250 Domino applications
  • many exchange organizations
  • 6 Notes domains
  • no common naming standard
  • over 40 email domains
  • dozens of customer applications requiring authentication

Data - Multiple repositories of user ID

User Experience - Had to logon to 10-12 applications per day

Org Culture - Global user base increases complexity

Applications - Big gaps in security and compliance. 3000 applications, now down to 600 with goals to reduce further.

XL Key business objectives and requirements

  • One company without borders
  • Increased security - password standards, deprovisioning people
  • SARBOX - rights and privileges
  • Increase user satisfaction and productivity - reduce logons, improve IT perception
  • Cost measurement / management - Better admin and infrastructure
  • Infrastructure Responsive to New business requirements - building block technology with no throwaway work.

Selling IdM at XL

Security, Productivity, User Experience were how we sold it. Sold as a phased approach with investment occurring over time.

Phase 1: Build an identity management foundation

  • create a common identity
  • establish its authoritative source
  • develop a common directory
  • identify your authorizations

Phase 2: Build a directory exchange broker (meta directory)

Phase 3: Enable web and windows apps with simplified sign-on

Phase 4: Develop enterprise directory services solution

Single identity store for all XL employees and non-employees and brokers and partners etc.

Phase 5: Develop enterprise simplified Sign-on (round two after phase 3)

Phase 6: RBAC and Federated IdM

  • Advice, don’t start here, build credibility and momentum first
  • Roles are complex, not starting there

Roadmap Development Approach

  • Risk Avoidance - smaller projects, use proven products
  • Rapid Value Realization - immediate value and results
  • Pragmatism - use existing skills and technology base
  • Cost Containment -

In 2004, initial account provisioning was created. PeopleSoft is our authoritative source. Feeds into AD, Exchange, ClearTrust, Lotus Notes.

Using ClearTrust, linked this into Plumtree, Domino and other web apps.

XL Initial success

134 Apps SSO overnight
86.4 User Sat
Help desk calls reduced 20%
New account provisioning within 5 days before new hire start date
Accounts easily deprovisioned
One common lifelong Identity
Established framework easily leveraged

In 2005, brought in more apps, more cleartrust deployment, etc. this continued through 2006. Other businesses like HR started leveraging the identity infrastructure to provide more applications.

Bringing in Oracle CoreID in 2006, better simplified sign-on, extranet portal / cleartrust integration

2007 plans - Develop approval workflow for user access, delegated admin for power users to manage other users’ rights, improve rights management and provisioning

Post IdM - Auth is AD (consultants and employees) - RSA SecurID for remote access, RSA single sign on manager
Authorization - AD, EDS and AD/AM, RSA Cleartrust, Custom Applications
Administration - MIIS, Oracle Virt Dir Eng, Oracle Core ID
Auditing - MIIS, Cleartrust, AD form repository

Missing pieces - User lifecycle management (2007), Federation System (2008), Roles based access control (2008) (Doing some policies with GPO in AD/AM but looking to do more)

Formula for success - Plan ahead, don’t go it alone, detail the benefits, build momentum, communicate

  • Develop a strategy
  • Sell but don’t oversell
  • Demonstrate business value
  • Highlight security and compliance gaps
  • Seek industry experts
  • Form partnerships
  • Goal: SSO
  • Sell the ability to lower operation costs and improve user experience, focus on phased approach
  • Sell better security through better managed passwords
  • Don’t start too big (enterprise Provisioning) or complex (RBAC)
  • Build credibility and gain momentum through low risk / high value tactical components
  • use a building-block mentality
  • demonstrate how each piece fits into the company’s long term strategy
  • Continuously sell, sell, sell
  • Demonstrate success


DIDW: Using Virtual Directories for Compliance

Tuesday, September 12th, 2006

Jeff Anderson - Fifth Third Bank

Came into session a bit late…

Challenges:

  • Regulatory issues, Sarbox, etc.
  • Financial services specific issues, Patriot Act, Financial Modernization Act
  • Identity silos are more than just the enterprise directory and AD. Silos for me are every place that provides identity services (databases, applications etc.). This also includes third party services

Solution overview:

  • IDM stack that we deployed: at top are the applications themselves, perhaps they are silos themselves but they need to access others. Below that is the application access layer (SOA, directory connectors, etc.). Below that is the enterprise directory (LDAP) and the virtual directory. Below that is the provisioning system
  • Enterprise directory is Sun, virtual directory is Radiant
  • Directory hardware, use Sun hardware on E25Ks. Since it is virtual, we don’t need to specify that this is the only source.
  • Each of the three tier 1 data centers has an instance of this sun hardware.
  • Virtual directory services sit on the same hardware as the LDAP store.
  • Virtual directory overview: At top is the virtual directory engine (core). Below that you have RDBMS connectors to application directories and databases.
  • What it means to us: Virtual directory allows us to abstract the data. This allows the applications to ask one place for data without needing to understand the back end. 4 use cases:
  • Directory Joins - virtual directories can join two objects into one logical system
  • Protocol masking / external joins - two examples to discuss later. This has more to do with what happens when the back end system isn’t a directory but we want to use it like a directory.
  • Schema transformation - legacy systems have naming inconsistencies. Virt directory allows us to make them consistent
  • External data masking - when dealing with security controls we can access systems without fine grained access control by allowing the virtual directory to enforce what you are able to see.

Synchronization vs. Virtualization

  • Synchronize when source of authority was unstable, unresponsive, etc.
  • Virtualization for everything else.

It doesn’t matter whether you move the data or access it in place. What matters in virtualization is that you choose a product that lets you switch between the two when you need to. What happens when the back end directory changes? These are important questions to ask your vendor.

What did we do at the bank?

Identity management programs were selected to be early users of the virtual system: B2B single sign-on was the first.

Big diagram of transaction, download slides to see in detail.

Cleartrust was deployed prior to identity management effort and as the first customer of the identity service.

Why not just move the data? Why deploy a virtual directory?

Three reasons:

  1. Time - lots have to change to move an identity store
  2. Cost - startup costs are high
  3. Regulatory Controls - If you are leaving the data in the system you have now, it has already gone through the controls. If you move the data, you have renewed requirements for audit. If you pass audit now, leave the data where it is and save yourself cost.

When you deploy a directory you’ll define the view: this is the data store, this is how you access it, the access rules, etc. Four things happen:

  1. A bind request comes from SSO.
  2. The entitlements are searched to see if it is a valid user.
  3. The requested user is searched for.
  4. The directory binds as the user, checking the credentials.
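The four use cases listed above and the bind sequence just described, as one added toy in Python (not Fifth Third’s or the vendor’s code): an LDAP-style store and an HR table, both constructed, are joined into one logical entry, the HR table is answered as if it were a directory, its legacy department codes are normalised, and each consuming application sees only the attributes its policy allows; the bind check runs the entitlement lookup before the credential is ever compared.

```python
"""Toy virtual directory for the four use cases in these notes: directory
joins, protocol masking of a non-LDAP back end, schema transformation and
external data masking, plus the entitlement-then-bind sequence. Added example,
not Fifth Third's or Radiant's code; both back ends and all records are
constructed for the demonstration."""
import hmac

# Back end 1: an LDAP-style store keyed by uid (constructed sample data).
LDAP_BACKEND = {
    "jdoe": {"uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.test",
             "userPassword": "s3cret-jdoe"},
    "cvendor": {"uid": "cvendor", "cn": "Chris Vendor", "mail": "cvendor@partner.test",
                "userPassword": "s3cret-cvendor"},   # contractor: no HR row
}

# Back end 2: an HR database table keyed by employee number, not a directory
# at all (constructed sample data).
HR_BACKEND = [
    {"emp_no": 1001, "login": "jdoe", "dept_code": "TRS", "ssn": "000-00-0001"},
]

# Schema transformation: legacy department codes -> one consistent name.
DEPT_NAMES = {"TRS": "Treasury", "RET": "Retail Banking"}

# External data masking: the virtual attributes each consumer may see.
# userPassword is deliberately absent from every view.
ACCESS_POLICY = {
    "sso": {"uid", "cn", "mail", "employeeNumber", "department"},
    "hr-reports": {"uid", "cn", "employeeNumber", "department", "ssn"},
}


def _hr_lookup(uid):
    """Protocol masking: answer a directory-style lookup from the relational table."""
    for row in HR_BACKEND:
        if row["login"] == uid:
            return row
    return None


def _join(uid):
    """Directory join: one logical entry built from both silos (left join on the
    LDAP entry, so a contractor without an HR row still resolves)."""
    ldap_entry = LDAP_BACKEND.get(uid)
    if ldap_entry is None:
        return None
    entry = {"uid": ldap_entry["uid"], "cn": ldap_entry["cn"], "mail": ldap_entry["mail"]}
    hr_row = _hr_lookup(uid)
    if hr_row is not None:
        entry["employeeNumber"] = str(hr_row["emp_no"])          # int -> directory string
        entry["department"] = DEPT_NAMES.get(hr_row["dept_code"], hr_row["dept_code"])
        entry["ssn"] = hr_row["ssn"]
    return entry


def search(consumer, uid):
    """Entry as seen by one consuming application; attributes outside its
    policy are masked. Returns None for an unknown user or consumer."""
    if consumer not in ACCESS_POLICY:
        return None
    entry = _join(uid)
    if entry is None:
        return None
    return {k: v for k, v in entry.items() if k in ACCESS_POLICY[consumer]}


def bind(consumer, uid, password):
    """The session's bind sequence: the SSO layer's request is checked against
    the entitlements (may this consumer see this user?), the user is searched
    for, and only then is the credential checked against the back end."""
    if search(consumer, uid) is None:
        return False
    stored = LDAP_BACKEND[uid]["userPassword"]   # never leaves the virtual directory
    return hmac.compare_digest(stored, password)


if __name__ == "__main__":
    print(search("sso", "jdoe"))
    print(bind("sso", "jdoe", "s3cret-jdoe"))
```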

ClearTrust for cross-silo authentication is made easier by the virtual directory, e.g. using WebSphere for J2EE apps, you need to secure the app. The app is secured through ClearTrust. The challenge is when the employees don’t exist in the external directory store. WebSphere doesn’t let you split what you do for console logins vs. anything else.

Lessons learned:

  • Virtualization of the identity to leave it where the data resides is a powerful tool that avoids regulatory issues. Any approved data source can be used for SSO, for example.
  • Remove application sequencing dependencies: since you don’t need to move identity stores, that work is separate from application work. Applications sharing a silo no longer have to change at the same time; when different apps move can be decoupled.
  • Real-time access instead of synchronization is possible with low overhead. No large hit in access times.


DIDW: The Impact of URL-based Identity

Tuesday, September 12th, 2006

Moderator Joris Evers - CNET

Johannes Ernst - Netmesh Inc. (JE2)

Created the original LID URL-based identity scheme. URLs can point to things. Make something simple that can be easily implemented.

David Accordan (sp) - Verisign

Brought into this from an OpenID perspective and thinks URL based schemes make it easy to represent yourself online.

Brad ?? - Six Apart - wanted users to roam around and perform identity. Developed OpenID

Drummond Reed - Cordance
chair of XRI - can be used as user centric identity. Worked on i-names

Dick Hardt - Sxip Identity

produced Sxip protocol to provide unique identifier to a site, and across sites. Saw some of the openID stuff and thought that information could be linked to make the info more portable.

JE2 - Lots of smart people, lots of things that aren’t going to go away anytime soon. URL folks, WS* folks, Liberty folks, etc. Need to reconcile these worlds in order for any value to be received. LID, OpenID, and SXIP are all coming together from a protocol standpoint.

JE - Is this really a sea change?

DH - Lots of convergence work from SXIP being brought into OpenID 2.0
DR - Yes lots of convergence, a year ago we would have had four different stories.

JE - For an enterprise, where will they see the most benefit?

DH - Your traditional enterprise won’t adopt this right away. Early adopters have very acute pain. Where it might make sense is how to integrate with their own end users. A bit early for enterprises.

JE - Favorite case study for URL based identity

B? - Having to remember passwords for dozens of sites is a pain. Now with OpenID he can use one sign-in for his wiki and get into another set of wikis. Concerns around educating users that it can be secure.

DA - Since they are easy to implement, there can be a wide range of security at their identity provider vs. your identity being in a large silo. You can setup your controls in one place.

JE2 - Sarbanes compliance will not come from OpenID. 2 places it helps. First, interacting with blogger-type folks. Second, within the enterprise, the early adopters can use this. Homepages for employees at a company, very easy to extend that url to identify a user with that same URL.

DA - users understand URLs which makes URL based identity more obvious.

B? - Bootstrapping identity on the Internet can’t be done with PKI.

DR - Clickable identity but you wanted to control the spam you receive in the case of Blogs.

JE - How do you tie this in with existing enterprise identity systems

DH - Identifier is designed to be expressed outside the enterprise. You can map the URL for OpenID to your internal directory store

JE2 - Lots of users in enterprises with data owned by the enterprise. Good links between the data the company owns and the data that the user owns (i.e. IM handles, cell phone numbers, etc.) This lets the users decide who can see what data and they can update it.

JE - What do I need to deploy this in enterprises?

DH - OpenID 2.0 is still under design.

B? - OpenID 1.1 is out and should be upward compatible. All livejournal blogs have this now.

JE2 - Each company represented on panel has their own tech but much of it is interoperable.

DA - Bounty program to encourage development of OpenID 1.1.

JE - Ease of implementation is mature enough or not?

JE2 - We have deployed them today.

B? - No enterprise work yet because no one has needed it yet.

JE2 - Open source licenses are quite liberal within Apache Heraldry License.

DA - OpenID can fit in with the Higgins framework.

DH - Possibilities to work with liberty as well. Lots of different libraries for programming languages are done or underway.

B? - Approach where you get to decide how to authenticate to us is good. We’ll hang our data onto whatever ID you provide.

DR - If you are in an enterprise looking at this, watch for expectations of users to increase around using OpenID. Folks like the way this works.

JE2 - Pieces of technology stack are missing. Nothing prevents a site from setting up and spamming identities. No reputation is in place.

DA - Because there is no way to mandate reputation it allows business models around providing this since authentication comes first. No requirement to trust one meta provider.

B? - All email that is out there has no identity association

JE - How do you make the world better in the next 5 years? Where is your business?

DH - I see user centric identity will enable apps that we haven’t dreamed of in five years. Lots of things that you can do in real life that you can’t do on the net. Evolution from web as static pages to web as applications was one evolution, this will extend beyond that and create richer applications. How do I make money? That’s a good question.

DR - Business is in the services, in the applications that enable the services. Applications that this enables will change your business.

B? - I don’t care about biz, I want the web to suck less.

DA - Infrastructure needs to be built out, once you have it then the new apps can be built. [SJC: If you build it, they will come?]

JE2 - Goal of our business is to help enterprises make things work in this world.

Question - Rakesh from Sun - This user centric stuff is interesting, identity touches everything. NAC will be interesting. How do you take it from being server centric to being network enabled. Users can set up identity 2.0 representation of themselves and define what shares. This all should work with the current model through linkages.

DH - You’ve touched on an area of disagreement. Sxip’s view is that for most things the user can decide what to push to a server. Others have a view of a profile that they set access control. That is problematic as each request is contextual based on what is being asked.

DR - This will not displace the enterprise identity constructs that are being used today. It is about empowering the users to represent themselves on the network in a way that they control.

My session is next, so I stopped taking notes here. More Q&A occurred.

DIDW: What do the Internet’s Largest Sites Think About Identity?

Monday, September 11th, 2006

Here are my rough notes from the third session, please expect rough writing. My comments / editorializing are in brackets prefaced with “SJC”.

Dick Hardt - SXIP Identity

Talk around Identity 2.0. Need temporal awareness to understand what something is.
Vitamins: hard to sell as it prevents something in the future
Painkillers: easier to sell as it stops something bad
Viagra: very easy to sell - allows something new

[SJC: Dick went through a variation on his great Identity 2.0 prezo. Deltas below]

Need to know past behavior of a job applicant in order to evaluate how he’ll do in the future

Let’s look at:

Yahoo-

Single account for multiple services. Big set of silos. When they bought flickr they had problems since flickr needed its own identity

Microsoft-

.net Passport failed. Windows Live ID is a rebranding. Info-card is a good evolution since the user is at the center.

Google-

Google has single account, lots of silos.

As a user I’d like my own account but for google this is a vitamin not viagra.

Ebay -

Has silo identities but also has reputation, has past behavior as a predictor of future behavior.

Single account via identity 2.0 has single point of failure. But you already have one login per site with the big sites and you can make the one login more secure. You can reduce the risks of that single login by making that login more secure. [SJC: Single points of failure are still single, no matter how secure, see the previous talk on a national ID card]

Wikipedia could benefit from reputation
Slashdot uses karma, what about using that karma from slashdot in other places like games. It becomes an alternative currency [SJC: Read Down and Out in the Magic Kingdom by Cory Doctorow]

Panel is now introduced:

Moderator: Dan Farber, Editor In Chief, ZDNet

Panelists:
Michael Barret - CISO Paypal - Previously president of Liberty Alliance
Michael Graves - CTO Verisign
Jim Piala (sp) - Product manager Windows Live

DF: What does MS say about Dick’s comments?

JP: Windows Live and Windows Live ID have a key focus on identity interoperability (issuers and technologies). Need to give people control of their identities. Users like to have multiple identities, some with the same provider, some with different providers. See big opportunities with WS* and Infocards

MG: Verisign is not moving out of areas that it has been in. It is more heavily investing in those areas. Securing enterprises, PKIs, etc. Military grade deployments. Sees real growth in what companies like SXIP and Microsoft’s infocard, OpenID WG, etc.

MB: Identity gets more complex and standards hoped to go somewhere are just part of the problem. More difficult issues are what the earlier presentations explored. For financial services, can you actually pay? Less about identity, more about is what you just did similar to what you did in the past.

MG: Cardspace is an important technology to integrate with. Verisign could provide network based technology to help control the endpoint. How do I know that I can trust DNS. Cardspace provides a good toolkit to evaluate this

DF: When will the walled-garden approach be resolved. How do you make them more permeable?

MB: I never thought this would happen fast. I am skeptical. Some evidence on the horizon. Hardware based authentication has to be broadly federated in order for it to work. Unconvinced that we have the protocols and the exchange mechanisms around the authentication exchange and the tie to the identity itself.

JP: All about business drivers. Not sure that economic incentives are there to allow full federation. Tightly coupled business offerings linking with one another might make more sense.

MG: Verisign is taking a very different and disruptive line. We make lockdown tech for financial institutions to manage risk. On the other end, there is the user centric notion which we believe in. Federation does not lead to universal identity. We don’t have the retail presence to risk by making a big change. Comes down to a failure of faith in federation. SSO is a better option as part of the OpenID framework.

DF: How do you convince a Yahoo or someone similar to adopt any of these solutions.

MG: You don’t, the walled gardens are last to migrate to the new future. Balance between content to keep a user in a site and the tipping point which would cause them to leave the site. Do you want to be a silo, or a hub to allow folks to flow in and out? Interoperability needs to happen via a mesh of hubs which broker these identifiers.

JP: Two reasons why we might see more users getting out of the garden. First, users need to be at the center of the experience. They care about this and are frustrated by it being closed. Users themselves will drive this. What if you could take your EBay rep to another site, how can I take my XBox live reputation to another forum? Second, no walled garden is completely walled. Partnership will be present between the gardens.

MB: We don’t have protocols which describe trust levels between systems (i.e. paypal, skype, and ebay). With three auths in our own systems, how do I cross-correlate these

Question from audience, Mike Jones from MS: Depending upon the value of the information secured by an ID, the current username/password standard either is good enough or not manageable nor able to be secured. How do we get users away from this?

JP: Different applications require different levels of assurance. This isn’t a bad thing, nor an impediment to federation. You just need the identity to match the scenario.

MG: Lack of success has not been because passwords are not adequate. It has been because they’ve been too difficult to use. Risk and fraud needs to be managed. Need a growth path to make things better.

MB: Each component of identity can break. At that point you are trying to predict which transactions are legitimate and what you should do to mitigate the risk. Need business specific standards. Phishing problems around user-driven identity. Not much traction in email signature standards. One of the things we are doing is to limit the phishing attacks from paypal is to sign every outbound email to try and make some progress.

Question from Phil Becker, DIDW: Question in the mind of Windows Live offerings, Enterprise IdM has advanced the notion of self service and scaling improvements to make all this more deployable. Software as a service and other service based offerings might invert the outlook, when does Windows Live start to sell to a business. Could a business use their own authentication and then assert that to Windows Live?

JP: That is exactly what is happening. That used to be achieved using password synch between AD and Windows Live ID. Using ADFS (AD Federation Service) and WS* in the future to allow enterprises to manage their identities themselves in accordance with governance but are accepted at Windows Live services. Federation is a user experience improvement.

Question from Jeff Smith - Office: Age for purchasing alcohol are minimalist things for specific transactions. What are verisign’s thoughts on this?

MG: We are providing the infrastructure for this like Infocards is.

MB: I am doubtful whether these sorts of systems will work the way Infocards is described. This is because of the commercial dynamics of this. In practice these kinds of problems are dealt with in low-tech AUP type policies. The elegant conceptual mechanisms… I’m just unconvinced that they’ll emerge in the marketplace. Just because some merchants and consumers might want them, there may not be enough economic traction to make this happen. Need the plumbing first.

JP: The requirement for claims creates an interesting requirement on the system. Claims need to be verified perhaps by a legal framework. Few digital identities have been vetted to that level. Some electronic ID programs in Europe meet that requirement. There are no comparable identity issuers in the US.

Question from Jon Donovan, Network Appliance: All this seems consumer centric, how does this apply to enterprises? How can I trust other identities from a reputation perspective?

MG: There’s a big gap between nothing and a government issued ID. Nothing to perfect. Stepwise evolution is needed.

Paul Bran (sp) - Brighton Consulting: When can I use a better credential?

MB: If something is fraudulent what is the cost to the consumer, business, or insuring entity? We honor all legitimate transactions at paypal. We exonerate customers 100% when it is not. This isn’t about technology, it is about the business decision in understanding the risk and cost. I’m a great believer in opening federation up, but the question becomes, when an auth fails because they can’t get online if their token is destroyed, how do you get that person online? At American Express we had lots of scars, but when a customer called with a forgotten password, half of the time they just forgot their username. We need to be able to disambiguate this.

JP: Large PKI/smartcard islands are increasing and more interoperability would allow these systems to be used online. Cardspace / Infocards might be another way to increase adoption of more systems.

Pam Dingle from ? - Windows Live ID and Infocard are not the same thing and even in Vista they are separate. What is the nature of the integration planned?

JP: Windows Live ID is a hosted service at Microsoft, we’re excited about Infocard as an alternative means but we believe that as a large company we’ll need a dedicated identity service as well as use newer techniques.

Digital ID World Begins

Monday, September 11th, 2006

I’m sitting up front at the conference as I write this. For those of you reading this blog who attend the conference, up front are two rows with tables, and more importantly AC power! I’ll try blogging some of the sessions I attend though I’m sure I’ll miss some and others–as happens at any conference–may not have anything very useful to say. I’m very interested to see how the network and application guys get along around the subject of identity. Well they are telling us to sit down as Phil is about to get started.