Identity Management Panel


I attended an identity management panel moderated by Arnaud Sahuguet of Google. On the panel were Rick Hull, Bell Labs, Conor Cahill, Intel, Kim Cameron, Microsoft, Mike Neuenschwander, Burton Group, and Stefan Brands, Credentica & McGill University.

Arnaud started off with the famous "no one knows your a dog" cartoon and the ACLU pizza video. He asked each panelist how many different identities they have. The answers ranged from 40 to 313 (Cahill knew exactly). Kim said he uses classes of identities (my own strategy) for different kinds of sites.

Converged networks (wireless, television, Internet) make the problem of identity more difficult. Many are not free. Subscriber and user are subtly different notions.

Rick Hull said that federated ID management should increase user ease-of-use, but unless someone makes money from it, it won't happen. Businesses will realize increased "stickiness" and decreased churn, but that's hard to quantify. Some possible sources of revenue include increased ad revenue from targeted ads, increased eCommerce sales via the Web, and direct charges for identity services. We can grow this by building on current walled-garden relationships between identity and service providers.

Conor Cahill, a strong Liberty Alliance proponent, starts off admitting that to date, there's no large eCommerce implementation of Liberty. SSO hasn't been adopted outside the enterprise. Why? There's no perceived benefit for the service provider. In fact, they see a downside: a loss of relationship with the user. Furthermore, users haven't perceived the pain.

There's a new driver, however: phishing attacks. Managing strong authentication, including tokens, is more costly than passwords and this may force banks to sign onto (no pun intended) the notion of federated identity.

Kim Cameron introduced his laws of identity and talked about InfoCard. Kim said it wasn't evil he feared so much as incompetence. The primary role Microsoft can provide in the identity space is by adopting an infrastructure and working collegially across the industry.

Mike said that he was encouraged by incompetence. The ACLU pizza video would require linking up things in a way that would be very difficult. When you get to know something their identity, in the sense of credentials, is not something you care about. We don't typically ask dates or new acquaintances for their ID card. Liberty takes a stylistic approach to identity that is based on an engineering solution rather than a social approach. InfoCards takes yet another.

Wikipedia is another example of where identity matters but not so much because of credentials, but because of social aspects. You get the feeling that people are watching and that your actions will be found out. This is identity arising out of social context. This is identity based on recognition and shared experiences. These are the bases upon which society can begin to work on identity.

Stefan talks about building transaction systems that have identity flows at their core. This protects against external and internal attacks. One main objective is to minimize the powers of the central host or provider. This is a failing of current solutions. Clients are particularly dumb because we can't ask user's to install software (actually Microsoft can).

Stefan talks about Canada's eGovernment initiative where they've tried to implement SSO. Various agencies, and particularly provincial governments, have been reluctant to turn over control of "their" users to a centralized service.

We should look to the financial industry as a metaphor. There are dozens of financial instruments including credit cards, cash, money orders, and so on. These have developed because users have different needs, there are various trust relationships, and so on. This is a good way to think of the various user-centric identity technologies that have sprung up. They have different uses and relying parties will pick the one that fits best.

Mike says that the term "user-centric identity management" is a funny term because if it were really about the user we wouldn't say "user" and we wouldn't say "management." I'm not sure people do say "management" with the term "user-centric identity."

Someone in the audience ask for the financial drivers behind user-centric identity and Mike said, I think, that their aren't any. I'd disagree. In fact, I think that user-centric identity systems reduce financial risk for relying parties and identity providers alike and this are more likely over time to be adopted.

All in all, this was a nice panel, but it was pretty tutorial in nature. That's understandable given that most attendees weren't very familiar with the identity space.