ID biz models “in the future maybe” says Johannes

Johannes Ernst is a builder of identity technologies (and one of the clearest, most thoughtful thinkers about identity technologies and markets). He just posted a great post about business models in the identity space. I know he has at various times tried to raise money as an entrepreneur in this space – so he has thought a lot about the business models.

For those of you who don’t know Johannes, he developed Light-Weight Identity (LID), a URL-based ID system, at the same time Brad Fitzpatrick did at LiveJournal, and then participated in merging it all together into YADIS discovery, which became woven together with OpenIDv1, XRI/i-names and sxip to become OpenIDv2. He also was the first drawer of the identity triangle (OpenID, SAML, InfoCards) which evolved into the Venn of Identity.

The most important sentence is this one – Let’s not confuse being majorly annoyed how long this is all taking (speaking about myself here) with something being fundamentally wrong (because there isn’t).

I take heart with what he has to say especially because he addresses it to a big part of what I do – organize (un)conferences to continue momentum for the field.

From his post:

Value-added services:
Many people have ideas for value-added services that could be sold once sufficiently many users used internet identities at enough sites. The trouble is that the transaction volume for OpenID (or any other identity technology on the internet) is still far too low to make this viable.

So the verdict here is: perhaps in the future.   

So what’s an analyst, or conference organizer, or entrepreneur, or venture capitalist to do?

My take: Hang in there, keep the burn rate low, make no major moves, would be my advice. (Believe it or not, sometimes I’m being asked about my advice on this.) All the signs are pointing in the right direction, the latest being Google’s major OpenID push. Let’s not confuse being majorly annoyed how long this is all taking (speaking about myself here) with something being fundamentally wrong (because there isn’t).

Sooner or later, at least the value-added services opportunity will emerge. Perhaps others. But so far it has not yet.

IIW & Identity Community Bumps in the Road

This is cross-posted on the IIW blog.

When we first started meeting (the early “seedling” meetings of community) at other people’s conferences, there were Microsoft people, Liberty Alliance/SAML people, Shibboleth implementers, user-centric folks (OpenID, LID, sxip, i-names/xri), big idea folks (Doc Searls), etc. We met for a couple of hours at a time and knew there was common ground, but knew we needed more time to really understand each other: to have more of a shared language and develop enough strength in the relationships in the community to work together. We figured we needed to have more time to meet together, so we convened the Internet Identity Workshop. That first event was amazing and quite formative – kicking off the conversation that would lead to OpenIDv2 via Yadis. Kim Cameron presented his 7 laws of identity that have become foundational to community thinking and introduced the idea of information cards and selectors; much work is now happening around this.

Soon afterward Brett McDowell, the ED at Liberty Alliance, approached me and Phil about having an Internet Identity Workshop (IIW) next to (the days following and in the same location) an upcoming Liberty Alliance meeting. We thought this was a great idea to create more space for people to meet about user-centric identity technologies and issues. When Microsoft got wind of this, boy did I get an earful – they felt that the neutrality of IIW would be totally compromised if it came to be that closely associated with Liberty Alliance (remember Liberty Alliance was originally formed by Sun and others in response to Microsoft Passport).

IIW had provided a forum for anyone working on user-centric identity technologies to come together without anyone making an “agenda” for the meeting or creating a “technology road map.” Literally anyone who came could put a subject on the agenda on the day of the event. All parties did want to increase dialogue and cross-pollination among the groups, and we found a way through by jointly (IIW and Liberty Alliance) producing what we named the Identity Open Space (we also said we would be open to co-producing with others who asked – we did two with Digital Identity World). It was in Vancouver, Canada. Kim Cameron, along with several Microsoft folks and many in the user-centric community, attended, and because it was the two days after a Liberty Alliance meeting many Liberty people were also there. It was a good event that moved the industry forward.

Right in the middle of getting this worked out – I on a personal level had a very intense experience being caught in the middle – a giant trade association on one side and Microsoft on the other. We (me, Phil, Doc, Kim, Brett) managed to navigate this as a community and do the right thing and we became stronger as a community for having done so.

We continued to have IIWs every 6 months and in 2006 it was clear we were going beyond just IIW and needed a community home/container to connect community efforts and provide common services (blogs, wikis, bank account for doing common work like holding events). We held a series of conversations and decided to create a community organization, drawing on an existing one, Identity Commons – the community liked the purpose and principles approach for bringing people together. As a condition of brand transfer to our nonprofit organization we worked on our version of purpose and principles. There were some delays in actually getting the organization legally formed and the brand transferred, but in 2007 we were an official organization: a network of organizations, initiatives, and projects all working on different aspects of a people-centric identity layer of the web. There are several places you can read about community history and background around Identity Commons. I wrote “What the heck is Identity Commons?”.

Next fall we are hosting our 9th event. Many things have moved forward significantly in the community – OpenIDv2, OAuth, Venn of Identity paper, OSIS Interop, Concordia use-cases, Information Card evolution including Augmented Browsing with Action Cards, Portable Contacts, Open Social, OpenID/OAuth hybrid, Activity Streams, Distributed Social Networking, Discovery particularly XRD. So what has made IIW work so well in fostering the kind of collaboration and innovation that has emerged from it?

  • We have kept the space free: no one has the ability to buy time at the conference.
  • All ideas are welcome: there is no committee controlling the agenda, so politics about what is “on the agenda” or “not” just doesn’t happen.
  • It is a working workshop to solve real problems, move technical projects forward and discuss interoperability among them.
  • We put attention towards creating the space for relationships between people to form naturally over time and thus enabled trust to grow.

Valentines Day at RSA

I had a great day yesterday here at RSA. I awoke at 5am to make the train down to the valley. Arriving at 7:30 at the wrong convention center (Santa Clara instead of San Jose), I managed to take a taxi and make it in time to see Bill on stage and the demo of InfoCards. Talking with a blogger over at ComputerWorld – his impression is that it is the “son of passport”, unfortunate given how involved Kim has been in the community and how it seems that it is a good innovation that will be open to adoption by others. In that discussion it occurred to me that it might be wise to have a ‘search champ’ like event for the rollout of this identity stuff, so that marketing doesn’t just walk and talk like it always has. If it is really different then it needs to be different. Maybe Liz can help out :)

I went on to the show floor and ran into Jeff Ubois.
I interviewed the HP guys on their identity management solutions, particularly the customer-facing ones. I got “provisioned” (they asked me for all my real information – I assume for later marketing purposes – isn’t that ironic: you go to a security show and they are harvesting your data like crazy). I was Identity Woman ‘agent’ at the MK-6 and I went and logged into the CKA (central knowledge agency). In the process I checkboxed what information I wanted them to have. [I have pictures of all this but lost the camera battery so will have to wait on finding that to get them uploaded]

‘They get it’: the differentiation is not in “security” or the protocols – SAML, they all do that. It is in user experience and supporting end users being in control of the flow of their information. We talked about two

I found the guys at Biopasswords – they do two-factor authentication by creating an algorithm of how you type. This way you type your password and it has to be right along with your pattern of typing it.

I went to the Ping party and ‘formally’ met Andre Durand and talked to Eric Norlan.

The evening was concluded with a lovely dinner with Pam and Janelle from Nulli Secundus and Bob. We figured out that if we added up how long the three of us had been married, in total it was less than 1/2 as long as Bob has been married.

Then we had a ‘women of identity’ slumber party.

Kim Cameron’s Panel about Identity @ SD Forum

This is from the SD Forum on Interoperability January 31, 2006.

Prateek Mishra – Oracle
What is the identity problem?
It is stuck in a few places at employer, bank and you want to
how does your identity get from your identity provider – the places where you have defined your identity to all these business processes and services.

We want to do this across the internet. There is the protocol piece – we know how to transmit identity from point a to point b this is solved…

Governance models: how to transfer identity in trusted ways from point a to point b. Folks like Liberty Alliance have white papers and frameworks for this. This is a non-trivial problem. How do you maintain and create governance?

How do you have normal folks sitting at their computers manage their identities in intuitive ways. How do they have a tool

Identity is stuck it wants to be free.
Protocol – Token Representation – solved
Governance and Infrastructure – somewhat solved
How does a person leverage these multiple identities?

Kim Cameron – fan of SAML and Liberty
As we move to a more interconnected set of systems we need an identity layer. When you have an architectural hole of this magnitude you have a huge number of kludges.

Meta System

Users have no way of predicting how they should work – knowing when they are in danger.

old days fighting over token rings vs. ethernet – we got TCP/IP that encapsulated both.

We need a metasystem (I got a tiny bit distracted here, sorry. So the transcription is not perfect)

Karen Wendel, Identrus
Metasystem – single interface from an identity perspective.
Everyone has a visa card – that folks each having a card for each store. The industry would be stuck without interoperable.
Rules used consistently throughout the world.
VISA would take responsibility for legal, technical and policy issues.

Identrus was owned by the banks. Your identity will be given to you. It takes responsibility around the policy stuff. Legal aspects of your identity – dispute resolution. Liability of relying party who maintains it and lifecycle. We run this network and commonality on global basis.

(from their website) Identrus provides the global standard for identity authentication.
As communications expand and the world shrinks, knowing who’s who in the electronic universe becomes vital.
Identrus offers a full range of technology and services that support every aspect of safe eTransactions.

Rena Mears, Deloitte
Access – from a privacy point of view is different from access from a security point of view
Assertions and Claims are different

Kim Cameron..
Claims are assertions which are in doubt
everything being claimed has to be doubted so we can establish trust.

They considered using Claims but it would have become SCML (scammel)

It is to the benefit to the SAML make things secure in the browser. Shibboleth the hardest thing is home site discovery – infocards visual representation and

pick one of the 5000 higher education institutions…
or pick ‘your’ university identity.

Identrus: This is what we would call an identity provider.

SAML is the transport language
SAML is used between a portal and services to the portal.

I propose we have new ways of the user authenticating to the portal.
The systems still exist.

What constitutes an identity and the needs for security.
How does language play in this space – there are a lot of different models – identity is not the same as authentication or security.

problem blending identity and security – PKI
you get these people

anyone who works with a protocol, they get infected by the protocol and their vision blurs and narrows.
We need more fanatics about protocols

one of the challenges for us as a community – identity does more than authenticate – sign things and create legal contracts – engage in business transactions, incur liability and regulatory transactions.

you can’t look at the papers and not see an inherent relationship between identity and security.

Who has stepped up to be the binder of identity to the individual.

there is no such thing as a single monolithic identity
there are multiple notions of identity useful for different contexts
Shibboleth context higher education
Identrus is a context and a governance model

We like Infocards if we could use it when we get to the line in the spec it says Identity provider discovery – out of band
authentication is out of band for SAML

everyone is bound by
the bank that issues the identity to the person
the bank binds to the person – liable for up to 10 million dollars
issued within all the legal requirements

there are all these pockets of identity – the level of binding – between issuer and relying party – it does not transfer through the bridge structure.

A lot of the federated model you don’t have that level of binding between the parties.

We will work with the bridges and it is a different element.

The government – thinking of itself as the ‘binding’ authority – reasons for relative autonomy.

Belgium a national identity card – but no card readers
One group was the association of mayors – they were now being asked to sign their legal documents with their individual citizen identity – they used to sign their documents with a stamp of their office – we must think of roles.

The issue is PRIVACY.
the characteristics that really respects privacy are the characteristics of a system that really is difficult to penetrate.

All of the identity issues – any initiative that takes this forward we should all applaud.

Passel: identity. remixed.

DizzyD presented on Passel and The Identity Gang is in the HOUSE! Johannes, Doc, Phil, Mary and Mary – wow three identity women.
He also didn’t really approach it right: he didn’t get all the different systems and how they worked, and we were all in the audience correcting him. It really highlighted the need for the workshop we are hosting in October.

Here is the summary:
How do I as user my identity on the web?
The ‘story that started it all’
Wife’s machine got Trojan. I had to change all passwords everywhere.

What is Identity?!
Identity is just another class of information we manage.
It’s a second-order problem. When I get on the net I get on it to do Identity Management other tasks.

What is Identity [Italicized] ?
Depends on the setting

Bottom line two fundamental types
third party vouch for and self asserted

His summary of the other stuff..

What are the options:
All others are not inherently evil.
everyone is throwing protocols against the wall and seeing which ones stick.
who do you trust to host your identity?

trust relationship between two entities on your behalf
“asserting” used a lot in this world….and I will use it a lot

Standards are well documented and widely deployed. Lots of infrastructure required for trust relationships. Conditionals and trust relationships not viable from an open source stand point. Took a lot of time for a second order problem.

Identity is locked into who the identity provider. You can change home sites. not locked in. Run on own machine. Powerful for users with centralized for user to move.

Send information back and forth and urls based.

No dynamic scripting needed. You have your identity URL tell via meta tag where identity server is. enter URL – blog URL. LiveJournal do you allow it to authenticate?

Can’t i-names do this?
He asserted wrongly that there was not reputation (global services launch will embed reputation in the messaging/contact system).

For Internet-scale Identity needs

  • Aggregate identity
  • Decentralized and open
  • Diverse programming languages/environments
  • Interoperable implementations
  • Bootstrap off existing trust models

Gives you more control over data
Aggregates your identity via user-centric three-piece architecture
Implementations already started: Perl, PHP, Java and C#
Pluggable trust models.

Generalized model for proving any DNS-based identifier
Trust Model

  • how you prove the signer
  • person x
  • Moving identity information proving that a
  • protocol how move around
  • plug in how you trust information

Agent (principal’s computer)

  • aggregates into portfolio
  • public private key and fingerprint
  • natively if not
  • Zip file on key – use on different locations

Signer (site that makes assertions)

  • signer issues token with, for example, a 4-hour life span
  • agent must retrieve new token from

Target (relying party)

  • how does the
  • retrieval of public key.
