Lots happening in world of identity management
The last couple of weeks have seen a lot of activity in identity management land. Last week saw Burton Group's Catalyst Conference, which is always one of the key events in the identity management calendar. Although I wasn't able to be there it has been admirably covered by Sun's Mark Dixon and Digital ID World's Eric Norlin and Phil Becker (here, here, here, here, here and here). The conference also saw a meeting of the Identity Gang, briefly summarised by Kaliya Hamlin aka Identity Woman here. The discussions continue this week at the Berkman Center for Internet & Society with the Identity Mashup Conference.
With all this activity, it is not surprising that there has been a fair amount of news, but I wanted to call out a couple of announcements that caught my eye. Both relate to user-centric identity, which as I discuss in our recent report on identity management is a separate world from identity management behind the firewall but:
As more and more of the interactions with businesses are performed digitally, individuals will want to use a single identity with multiple organisations. They will want to manage their identity and control how that identity is used and how much information is exposed, dependent on the context of the interaction.
For organisations operating in a "business-to-consumer" context, it is important to pay close attention to ongoing developments and how enterprise identity management vendors plan to coexist.
Although neither announcement specifically calls out bridging these two worlds, they are both associated with ensuring a consistent desktop experience for individuals (and one which is applicable whether or not the individual is behind a corporate firewall) as they are authenticated by a variety of identity providers. This doesn't span the divide but it is an important plank in that bridge.
Following on from the Higgins Project and Bandit, yesterday saw the announcement of another, to my mind complementary, open source user-centric identity project: the Heraldry Identity Project proposal within the Apache Software Foundation. This is welcome news, given the objectives of bringing the world of lightweight URL/XRI-based identities to the desktop by combining the Yadis identity service discovery protocol with the OpenID single sign-on authentication protocol and developing a common desktop component. Being a user of LID (which is interoperable with OpenID and Yadis) and the VeriSign (whose David Recordon proposed the Heraldry project to Apache) Personal Identity Provider, I have first-hand experience of the need to hide the underlying mechanics and provide individuals with a consistent desktop experience - it is meant to be user-centric after all. What I find particularly encouraging is the desire to exploit OSIS, the potential open source implementation of Microsoft's CardSpace (formerly InfoCard), since this promises to ensure a consistent experience for individuals, irrespective of their desktop platform. Obviously, it is still very early stages for both Heraldry and OSIS (not least because the intellectual property issues need to be ironed out!) but this is a good start.
The second announcement - or more correctly news story - concerns Microsoft's plans to release a software development kit for the Windows Live ID service. Windows Live ID is the reincarnation of Passport, fulfilling the same authentication role for Microsoft's Live services as Passport did for the MSN services. Live ID goes beyond Passport, though, acknowledging the importance of federation and the need to work with CardSpace. With the SDK it will be possible for application developers to use the Live ID service within rich client applications, thereby allowing individuals who are already users of Live Messenger/Mail/Search ... to be authenticated without having a new set of user credentials. The sheer number of individuals using the various Live Services, together with Microsoft's foothold in the developer community, suggests that Live ID will become a significant identity provider.
Microsoft also plans to provide an SDK for service providers, the Relying Party Suite (RPS), to allow them to use the Live ID service. Given the past failure of Hailstorm, primarily because Microsoft had naively assumed that service providers would be prepared to relinquish control of their valuable customer data, I am not so sure that this SDK will prove as attractive.