Digital Identity within E-Business and E-Government by cyf16036


Digital Identity within E-Business and E-Government:
Where are we now and where do we go from here

   William Barnhill
   Booz Allen Hamilton
   What are the basics of Identity 2.0?
   Where are we now?
   Where are we going?
   What does the future hold?
   Questions and Comments?
What are the basics of Identity 2.0?
What identity is and isn’t

 on identity:
       The collective aspect of the set of characteristics by which a thing
        is definitively recognizable or known
   More precisely:
       A digital representation of a set of claims made by one party
        about itself or another digital subject [Identity Gang]
   Some say identity = reputation, others not
   IMHO, reputation is just a possible set of claims
   Note the above definition says ‘thing’ not person:
       A corporation can and does have an identity
       So does an online community
       Less clear are things that cannot express free will: routers, etc.
   Identity is not identification, that’s just one use
The Core Concept of Identity 2.0
   User-Centric Identity
       User consent –
            User always can allow or deny whether information about
             them is released or not (reactive consent management)
       User control –
            User has ability to policy-control all exchanges of identity
             information (proactive consent management)
            User delegates decisions to identity agents controlled through
       User-centered –
            Pete Rowley describes this core subset of the previous two as
             ‘People in the protocol’
            User is actively involved in information disclosure policy
             decisions at run time
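The three flavours of consent above (reactive consent as a run-time prompt, proactive consent as a user-held policy, and the user sitting in the decision loop) can be made concrete in a few lines. The following is an added example written for this page, not code from the presentation or from any identity product; the ConsentPolicy class, the ALLOW/DENY/ASK rule values, the relying-party names and the sample claim values are all constructed assumptions.

```python
"""Added example (not from the presentation): reactive and proactive consent
management for identity claims, as the user-centric model describes them.

Model assumptions (hypothetical, constructed for this example):
  * the user's agent holds a ConsentPolicy: per relying party (RP) and per
    claim, release is ALLOW, DENY or ASK;
  * ASK is reactive consent: the user is prompted at run time;
  * ALLOW/DENY rules are proactive consent: policy decides without a prompt.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ALLOW, DENY, ASK = "allow", "deny", "ask"


@dataclass
class ConsentPolicy:
    # rules[rp][claim] -> ALLOW | DENY | ASK; "*" is a wildcard for either key.
    rules: Dict[str, Dict[str, str]] = field(default_factory=dict)
    default: str = ASK  # anything the policy does not cover is asked about

    def decision(self, rp: str, claim: str) -> str:
        # Most specific rule wins: exact RP before wildcard RP,
        # exact claim before wildcard claim.
        for rp_key in (rp, "*"):
            per_rp = self.rules.get(rp_key, {})
            for claim_key in (claim, "*"):
                if claim_key in per_rp:
                    return per_rp[claim_key]
        return self.default


def release_claims(policy: ConsentPolicy, rp: str, requested: List[str],
                   held: Dict[str, str],
                   prompt: Callable[[str, str, str], bool]
                   ) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return (claims released to rp, audit trail of how each was decided).

    prompt(rp, claim, value) is the run-time user decision used for ASK.
    Claims the user does not hold are never released and never prompted for.
    """
    released: Dict[str, str] = {}
    audit: List[Tuple[str, str]] = []
    for claim in requested:
        if claim not in held:
            audit.append((claim, "not-held"))
            continue
        decision = policy.decision(rp, claim)
        if decision == ASK:
            decision = ALLOW if prompt(rp, claim, held[claim]) else DENY
            audit.append((claim, "asked:" + decision))
        else:
            audit.append((claim, "policy:" + decision))
        if decision == ALLOW:
            released[claim] = held[claim]
    return released, audit


# Constructed sample data for a stand-alone run.
SAMPLE_CLAIMS = {
    "display_name": "A. User",           # constructed values throughout
    "email": "user@example.invalid",
    "birthdate": "1970-01-01",
    "national_id": "000-00-0000",
}

SAMPLE_POLICY = ConsentPolicy(rules={
    "*": {"national_id": DENY},                              # never released anywhere
    "shop.example": {"display_name": ALLOW, "email": ALLOW},  # pre-approved for this RP
})


def demo(prompt_answers: Dict[str, bool]):
    """Run one exchange; prompt_answers simulates the user's run-time clicks."""
    asked = []

    def prompt(rp, claim, value):
        asked.append(claim)
        return prompt_answers.get(claim, False)

    released, audit = release_claims(
        SAMPLE_POLICY, "shop.example",
        ["email", "display_name", "birthdate", "national_id", "phone"],
        SAMPLE_CLAIMS, prompt)
    return released, audit, asked


if __name__ == "__main__":
    rel, aud, asked = demo({"birthdate": True})
    print("released:", rel)
    print("audit:", aud)
    print("prompted for:", asked)
```

The audit trail is the part a practitioner should keep: it records, per claim, whether release came from a standing policy or from a run-time prompt, which is what lets the user (or a later reviewer) see which disclosures were proactive and which were reactive.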
Identity In e-Business and e-Gov

   Identity 2.0 drivers in e-Business and e-Gov
       Spam: > 50% of blogs are spam blogs (splogs)
       Growing risk of identity theft
       Niche marketing requires greater identity
       Regulation: e.g. China’s 18-digit ID numbers to
        combat gaming addiction in those under 18
   The Identity Meta-System
       No single identity solution will work for everyone
       Consistent user experience across different systems
       Interoperability of identifiers, identity claims through
        encapsulating protocol...the IP of identity
Where are we now?
Identity standards in our hands

   SAML 2.0 : OASIS
   OpenID:
   Liberty ID-WSF
   CardSpace: Microsoft
   Username/Password

              Source: Eve Maler, from
Where are the problems?

   We are in the pre-IP world of Ethernet, Token Ring, etc. (SAML,
    OpenID, i-names, WS-Trust, ID-WSF)
   Publish your information once, relinquish control
   SPAM cost $21.58 billion annually, according to the 2004 National
    Technology Readiness Survey
   Identity fraud cost $56.6 billion in 2006
   Existing standards have not been used to solve the above problems
   Each existing standard addresses different facets of identity from the
    perspective of different users
   No single standard acts as the gem that holds the facets together
   Thorny issues:
        How do we represent claims in a way translatable to everyone?
        How do we capture negotiation of what claims are needed?
Identity standards on the horizon
   The identity meta-system
        MS vision, implemented in InfoCard
   Higgins
        Novell’s vision for an identity meta-system, implemented in the
         Bandit project
   OpenID
        Community vision for very lightweight identity meta-system,
         implemented in Apache Heraldry project
   i-names
        Extensible Resource Identifiers (XRI) are exponentially more
         valuable for a lightweight identity system, implemented in XDI i-
   Many others, see
Where are we going?
       Kim Cameron’s Laws of Identity
          User Control and Consent: Identity systems must only reveal information
           identifying a user with the user's consent.
          Minimal Disclosure for a Constrained Use: The identity system must disclose the
           least identifying information possible, as this is the most stable, long-term solution.
          Justifiable Parties: Identity systems must be designed so the disclosure of
           identifying information is limited to parties having a necessary and justifiable place in
           a given identity relationship.
          Directed Identity: A universal identity system must support both "omni-directional"
           identifiers for use by public entities and "uni-directional" identifiers for use by private
           entities, thus facilitating discovery while preventing unnecessary release of
           correlation handles.
          Pluralism of Operators and Technologies: A universal identity solution must
           utilize and enable the interoperation of multiple identity technologies run by multiple
           identity providers.
          Human Integration: Identity systems must define the human user to be a
           component of the distributed system, integrated through unambiguous human-
           machine communication mechanisms offering protection against identity attacks.
          Consistent Experience Across Contexts: The unifying identity metasystem must
           guarantee its users a simple, consistent experience while enabling separation of
           contexts through multiple operators and technologies.
Will they work in the enterprise?

   Short answer: Yes
   Inward facing answer: Yes, but…
       Enterprise security and compliance requirements may
        force up front user consent within the enterprise
       May limit operators and technologies allowed
   Outward facing answer: Unqualified yes
       Your customers, and quite possibly future laws, will
        require enterprises to protect the identity of their
       Enterprises will be required to protect their own
        identity to combat phishing and spam
Identity Meta-system Requirements

   For adoption…
       Open in all senses of the word…a communal barn-raising
       Simply complex…Simple at its core, with the capability of handling
        complexity by adding plug-ins of some form
   Microsoft’s Kim Cameron states 5 key pieces:
       A way to represent identities using claims
       A means for identity providers, relying parties, and subjects to
       An encapsulating protocol to obtain claims and requirements
       A means to bridge technology and organizational boundaries using
        claims transformation
       A consistent user experience across multiple contexts,
        technologies, and operators
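Several of the pieces listed above, and several of Cameron's laws from the earlier slide, can be shown in one small token exchange: claims carried in a signed token, a claims transformation that turns a birthdate into a yes/no "over 18" claim (Minimal Disclosure), a per-relying-party identifier so two sites cannot correlate the same user (Directed Identity), and an audience field so a token issued for one party is rejected by another (Justifiable Parties). This is an added example for this page, not code from the presentation, from InfoCard, Higgins or any other product; the issuer name idp.example, the relying-party hostnames, the HMAC-based signature, the keys and the JSON layout are all constructed assumptions.

```python
"""Added example (not from the presentation or any vendor's product): a
claims-based identity token that follows Minimal Disclosure, Directed Identity
and claims transformation.

Assumptions (constructed for this example):
  * a hypothetical IdP "idp.example" signs tokens with an HMAC-SHA256 key
    (a real IdP would use a public-key signature so RPs need no shared secret);
  * the relying party (RP) is identified by its hostname string;
  * the claim names and token structure are a simplified JSON layout.
"""
import datetime
import hashlib
import hmac
import json
from typing import Dict, List, Optional

IDP_ISSUER = "idp.example"
IDP_SIGNING_KEY = b"constructed-idp-signing-key"      # constructed, not a real key
IDP_PAIRWISE_SECRET = b"constructed-pairwise-secret"  # constructed, not a real key


def _canonical(obj) -> bytes:
    # Deterministic serialisation so the signature covers exactly one encoding.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def directed_identifier(subject_id: str, rp: str) -> str:
    """Uni-directional identifier: stable for one (subject, RP) pair, but not
    linkable across RPs because it is keyed by a secret only the IdP holds."""
    mac = hmac.new(IDP_PAIRWISE_SECRET, f"{subject_id}|{rp}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def over_18(raw: Dict[str, str], today: str) -> bool:
    """Claims transformation: derive a yes/no claim from a birthdate so the
    RP learns only what it needs (Minimal Disclosure)."""
    born = datetime.date.fromisoformat(raw["birthdate"])
    now = datetime.date.fromisoformat(today)
    age = now.year - born.year - ((now.month, now.day) < (born.month, born.day))
    return age >= 18


TRANSFORMS = {"over_18": over_18}


def issue_token(subject_id: str, raw_claims: Dict[str, str], rp: str,
                requested: List[str], today: Optional[str] = None) -> dict:
    """IdP side: build and sign a token carrying only the requested claims."""
    today = today or datetime.date.today().isoformat()
    claims: Dict[str, object] = {}
    for name in requested:
        if name in TRANSFORMS:
            claims[name] = TRANSFORMS[name](raw_claims, today)
        elif name in raw_claims:
            claims[name] = raw_claims[name]
        # anything else is not held, so it is omitted from the token
    body = {
        "iss": IDP_ISSUER,
        "aud": rp,                                  # only this party may use it
        "sub": directed_identifier(subject_id, rp),
        "claims": claims,
    }
    sig = hmac.new(IDP_SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_token(token: dict, rp: str, key: bytes = IDP_SIGNING_KEY) -> Optional[dict]:
    """RP side: accept the body only if the signature holds and the token was
    issued by the expected IdP for this RP; otherwise return None."""
    expected = hmac.new(key, _canonical(token["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    if token["body"].get("aud") != rp or token["body"].get("iss") != IDP_ISSUER:
        return None
    return token["body"]


# Constructed sample subject for a stand-alone run.
SAMPLE_SUBJECT = "user-42"
SAMPLE_RAW_CLAIMS = {"name": "A. User", "email": "user@example.invalid",
                     "birthdate": "1985-05-04"}

if __name__ == "__main__":
    tok = issue_token(SAMPLE_SUBJECT, SAMPLE_RAW_CLAIMS, "shop.example",
                      ["over_18", "email"], today="2008-01-01")
    print(json.dumps(tok, indent=2))
    print("accepted by shop.example:", verify_token(tok, "shop.example") is not None)
    print("accepted by bank.example:", verify_token(tok, "bank.example") is not None)
```

The point to take from the verify side is that the RP checks three things, not one: the signature, the issuer and the audience. A token that verifies cryptographically but was minted for a different relying party is still rejected, which is what keeps disclosure limited to the parties the user actually dealt with.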
Convergence in the Identity space

   URL-based vs Card-based vs Token-based
   Convergence between URL-based and Card-
    based identity
   Convergence starting to happen between URL
    based and token based identity
   Towards full convergence and a true identity
       URL-based identity => Resource identifier-based
       XRI-based identity => a possible full convergence
       The i-broker concept
Identity Standards Adoption

   Adoption is happening right now
   The grassroots/Web 2.0 adoption vector
       URL-based identity: OpenID, YADIS
   The Enterprise adoption vector
       Token+Card-based identity (WS-Trust, CardSpace)
What does the future hold?
Identity 2.0 Services are a Blue Ocean

   Blue Ocean vs a Red Ocean
   Characteristics of a Blue ocean market
       Pioneering vs. Competitive, breeds cooperation
       Creating or redefining demand
       Key to sustainable success
   Many service offering possibilities, few providers
   Current providers are more co-operative, incl.
   So…Identity 2.0 Services are a blue ocean
What the future may hold

   An Identity Meta-System (IMS) standard that
    specifies core IMS requirements and possible
   Multiple flavors of an Identity Meta-System
    (InfoCard, Bandit, XDI I-Brokers) that implement
    that standard
   Standards for reputation representation and
    interchange, leading to reputation as a real value
What you can do
   Help raise the barn!
       Join two Open Source projects
   Why two?
       Because you’ll be looking at the problem from different
        perspectives, and because we need more people as bridges
   Join or form OASIS Identity-related technical committees
   Talk to your enterprise leadership:
       How user-centric is their identity?
       Do they have documented Identity Management policies and
       If not, help them write them, or out-source it (in the interests of full
        disclosure, Booz Allen has an IdM group)

   User-centric identity will be crucial as software-as-a-service,
    knowledge management, and social software become widespread
    in the enterprise
   Adopting the right emerging identity standard for
    your enterprise will have significant ROI
   Identity 2.0 brings several new market
    opportunities, most of them tied to Open Source
   We’re still at the stage where an Identity
    Management (IdM) consultant needs to know
    many standards, but convergence is happening.
Questions and Comments?
