Ben Laurie of The Bunker Secure Hosting has a provocative post about the two emerging (and that's important) leaders in user-centric identity: OpenID and CardSpace. He quite rightly points out that at present OpenID's:

popularity is entirely on the provider side. There are no consumers of note.

and that CardSpace:

appears to live in its own little world, supported only by Microsoft products

I think this is to be expected given that we are still in the early stages of both.

Where I find myself disagreeing with Ben, however, is with his conclusion about CardSpace:

So why does this make Cardspace like Passport? Well, the fear with Passport was that Microsoft would control all your identity. The end result was that Microsoft was the only serious consumer of Passport. When Cardspace is deployed such that all providers and consumers of identity are really the same entity, then all its alleged privacy advantages evaporate. As I have pointed out many times before, when consumers and providers collude, nothing is secret in Cardspace (and all other standard signature-based schemes). So, there’s no practical difference between Cardspace and Passport right now.

Ben's right about the implications for privacy when the those consuming identity information collude with those providing it but that's not an issue peculiar to CardSpace.

Even Microsoft would (and indeed does) agree that Passport was a failure due to the company's control of identity data, I think Ben doesn't tell the whole story. It wasn't just down to control of an individual's identity data. It was also due to the fact that Passport and Hailstorm were designed from the outset to wrest control of identity data from Microsoft's business partners and customers. The same can not be said of CardSpace and that's why I believe there is a difference between CardSpace and Passport. There are already examples, Otto in Germany springs to mind, of organisations other than Microsoft using CardSpace and, as I said, it's still early days.

Microsoft agrees to participate in ID project ... For the first time representatives of Liberty Alliance and Microsoft are going to sit down together ... Microsoft is to meet this month with vendors and organisations that are backing several different identity management systems. The Microsoft meeting suggests that cooperation between the software giant and its peers is improving.

These are just a few examples of press excitement resulting from the formal announcement of the Liberty Alliance's Concordia project and the news that Burton Group's Catalyst 2007 conference will host a panel discussion between representatives from Liberty, Microsoft and OpenID about identity interoperability. Perhaps it's because I have been following identity so closely over the last few years but I can't say that this really justifies the implication of the headlines that this represents a significant change of heart for Microsoft. Microsoft has been an active participant (and arguably leading) the charge towards interoperable identity solutions for a number of years.

Far more interesting, as far as I am concerned, is what the panel will be discussing. Concordia is initially focusing on gathering real-world use cases some of which will be presented to the panel. With effective identity management so critical to many of the strategic challenges and opportunities that organisations are faced with today, it's time to move away from "vendor sports" and address the needs of those organisations.

Sun yesterday announced:

a new initiative around support for OpenID, a decentralized, web-friendly single sign-on mechanism that allows consumers to reuse a single login across different websites, tackling the "login explosion" problem. OpenID is currently limited to facilitating low-risk transactions such as blog comments. Through its new initiative, Sun is exploring what changes and practices are needed to make OpenID applicable to a broader spectrum of business and IT challenges. The company will actively encourage participation from customers and technology partners through a series of activities and real-life implementations that are initially driven by Sun's Chief Technologist's Office.

It would be all too easy to focus on vendor sports and discuss this announcement in the context of Microsoft's embracing of OpenID at the RSA Conference in February. But I will avoid the temptation (not least because I think the sport wouldn't be much of a spectacle).

I also don't want to join the ongoing debate (at least over at the Identity Gang) sparked by this statement in the press release:

People using Sun- based OpenID identifiers at an OpenID-accepting website can convey in this simple and secure manner that they are indeed Sun employees, a piece of information that can enable access to employee discounts and unlock other special services all across the web.

which confuses authentication with authorisation - contractors may be given OpenID identifiers to access particular services but they are not Sun employees; what happens in the future if Sun provides OpenID identifiers to partners in the future but a service provider is working on the assumption that OpenID identifiers have only been issued to employees?

No. It's this statement which captures my particular interest:

As enterprises increasingly open up access to data and services to wider audiences and improve usability, the use of a decentralized technology like OpenID will be an appealing way to manage account proliferation. Integration with existing deployments, which often involve enterprise-ready technologies like SAML and the Liberty Alliance's Identity Web Services Framework will become an essential consideration. Sun is working with customers and partners to combine and converge these technologies to maximize effectiveness.

I discussed the importance of convergence of user-centric and enterprise-centric approaches to identity in our report on identity management. Although there have been some very valuable discussions in the identity community, this has not resulted in much pragmatic guidance for enterprises assessing the implications of OpenID and other user-centric identity technologies behind the firewall. Sun's experiment should hopefully provide some valuable insight. I for one look forward to hearing more.