Andre Durand

Discovering life, one mistake at a time.

Archive for January, 2003

Exhaustive List of Identity Related Weblinks

January 30, 2003 By: Andre Category: Ping Identity

Since January of last year, I’ve maintained a list of links to just about every article, story, company, whitepaper etc. I’ve come across that touches the Digital Identity industry. I use a service which Kevin Dougherty programmed for me called ‘FrontFlip’ at www.frontflip.com (you’re free to sign up and use it yourself if you’re interested).


The weblink repository has a search engine feature, so feel free to comb through it if you’re interested.

Nokia invests in Ping Identity Corporation

January 28, 2003 By: Andre Category: Ping Identity

Ping Identity Corporation (www.pingidentity.com), a privately held software company developing infrastructure solutions for digital identity in support of federated identity management, today announced the closing of a strategic investment through Innovent, an entrepreneurial innovation unit of Nokia (NYSE: NOK). Read Press Release

Announcing the PingID Network

January 28, 2003 By: Andre Category: Ping Identity

Ping Identity Corporation today announced the formation of the PingID Network, a member-owned identity network addressing the business needs of identity federation. Read Entire Press Release. Key points of this announcement are:

1. Identity interchange is a business problem as much as it is a technical problem.

2. Establishing and ensuring quality in identity interchange requires business agreements. Federated SSO opens the door to security and liability problems of enough magnitude that they must be dealt with on a legal and business-process basis.

Example: Company A (an online travel service) authenticates an individual via the Liberty spec. The individual proceeds to Company B (an online stock trading service) and explicitly links the accounts (federated SSO) via the Liberty spec. Said individual then attempts to sell a stock holding that is *dropping rapidly*. For some reason, the authentication that Co A performed causes a glitch in Co B’s systems, the individual is not logged in on a timely basis, and is thus not able to execute the sale of the rapidly dropping stock. Who’s at fault? Where are the lines of liability drawn?

3. Establishing and maintaining business agreements with partners can become inefficient or cost-prohibitive as every company’s ‘circles of trust’ continue to expand.

The PingID Network addresses the business issues of identity federation:

  • Standardized Operating Rules (provides a common legal framework)
  • Reduces risk and liability associated with ID fraud
  • Provides dispute resolution procedures
  • Provides business services for enabling dynamic federation
  • Member-owned organizational model (akin to VISA or PLUS)


Updating the Tiers of Identity

January 23, 2003 By: Andre Category: Life

I first wrote about the Three Tiers of Identity back in March of 2002. Since then, a tremendous amount of discussion has been stimulated and suggestions made by guys like Doc Searls, Mitch Ratcliff, Ming, Eric Norlin and, most recently, Linda Elliott. In recognition that my understanding of the Tiers of Identity has been significantly enhanced by the comments and suggestions of others, I thought I’d update the grid.

Tier 0: Real Identity (“Me”)
    Attributes:  Physical
    Example:     Biometric: DNA, retinal scan, fingerprint, etc.
    Description: This is you, sans any name or ‘handle’ by which people refer to you in spoken or written language.

Tier 1: Personal Identity (“My Identity”)
    Attributes:  Virtual, Personal, Timeless, Unconditional, Total Control
    Example:     Any ‘handle’ or ‘name’ which I select for myself and where I control the associated information, e.g. “Andre Durand”.
    Description: This is the digital identity that you own and control. You may or may not bind this identity to your T0. The key to this digital identity is that YOU and YOU ALONE control it. Note that it’s possible to have more than one T1. The handle of a T1 can evolve over time, recognizing marriage, divorce or legal name changes.

Tier 2: Corporate Identity (“Our Identity”)
    Attributes:  Virtual, Conditional, Granted, Issued, Mutual Control
    Example:     Corporate title, corporate email address, mobile phone number, credit card number, United Mileage Plus number, Social Security number, driver’s license number.
    Description: Most of our existing digital identities are T2 (corporate) identities. They are assigned and/or conditionally and temporarily granted, and can be revoked.

Tier 3: Inferred Identity / Marketing Identity / Reputation (“Their Identity”)
    Attributes:  Virtual, Assigned, Abstracted, No Control
    Example:     Andre Durand is a ‘loyal customer’, a ‘Gold frequent flyer’, a ‘1st time customer’ or a ‘high-net-worth individual’.
    Description: May or may not tie to a T0 or even a T1. Relates to us through demographics or our reputation (interaction history).

Three Phases of Identity Infrastructure Adoption

January 21, 2003 By: Andre Category: Musings

Unfortunately, a tremendous amount of time, energy and money has been spent within the past five years by well-intentioned visionaries who, like myself, saw an opportunity to enable end-user control over digital identity but were not able to capitalize on the opportunity.


While I owe my involvement in the identity industry to a similar personal passion – to see that end-users are ultimately in control over their digital identity, I’ve come to appreciate the timing of the opportunity, and the phases in which the industry will likely evolve.


Understanding the nuances of the progression of adoption of identity related technologies is likely the secret ingredient of any winning strategy for vendors in the identity space, and in the spirit of being true to my other passion — open source & open strategies — I’m going to lay out my ideas here in an open manner.


To begin, let’s start with a bit of background. Back in March of 2002, I published an essay which put forth the notion that there were in fact three tiers of identity. For simplicity, I’ll summarize the three tiers of identity below:


Tier 1: Personal (My) Identity – A T1 identity is your true and personal digital identity and is owned and controlled entirely by you, for your sole benefit. T1 identities are both timeless & unconditional and can exist for people as well as for devices and/or programs or objects, with the exception that a device or program T1 identity operates only as an AGENT of a personal (human) T1 (every object is owned and/or controlled by someone). We refer to object T1’s as ‘T1a’.

Tier 2: Corporate (Our) Identity – A T2 (corporate) identity refers to our digital identities that are assigned to us by corporations (e.g. our ‘customer accounts’). Nearly all of the existing digital identities are T2 identities — our title (assigned to us by our employer), our cell phone number (assigned to us by our mobile phone operator), our United Mileage Plus number (assigned to us by United Airlines), our social security number (assigned to us by the Government), our credit card number (assigned to us by our credit card companies) and the list goes on and on. T2 identities are both conditional & temporarily assigned and they can be revoked by either us or the company which issued them – thus you can think of them as ‘our’ identity.  

Tier 3: Marketing (Their) Identity – A T3 identity is an abstracted identity in that it identifies us through our demographics and other reputation like attributes, but does not need to do so in a 1:1 manner. T3 identities speak to the way in which companies aggregate us into different marketing buckets for the purposes of advertising or communicating with us. For example, we’re either a ‘frequent buyer’ or a ‘one time customer’ etc. T3’s are typically based upon our behavior in our interactions with business. The entire CRM market caters to T3 identities.


Where I and others who share a passion for the subject have steered the discussion towards enabling an infrastructure in support of the T1 identity, the fact is, neither end-users nor the world around us is ready for this infrastructure at this time, and many companies have both tried and failed to develop market share for technologies which supported the notion of a T1 identity.   


The problem with attempting to build support for T1 infrastructure (e.g. personal identity servers or even P2P-based identity clients) at this time is that doing so would leave that infrastructure isolated from, and misunderstood by, existing corporate infrastructure (corporate systems do not yet speak the language of identity), and as such it would lack real utility in practical everyday use. Any T1 infrastructure built and deployed in Phase I (see below) of the industry’s development is likely to receive only limited adoption, while lacking mainstream appeal.


The purpose of this essay is to introduce the notion that there might in fact be at least two intermediate phases which MUST take place before the world is prepared in all respects to absorb and indeed ‘enable’ the true utility of a T1 identity. These steps, or phases, and a brief description of their characteristics follow:



Phase I: Federation of T2 Identity


The first phase of digital identity infrastructure adoption will be characterized by a ‘linking’ of existing identity systems. In what is now referred to within the industry as ‘identity federation’, companies are beginning to figure out the language of connecting or linking their existing T2 identity databases or LDAP directory repositories, authentication systems, authorization systems and user management systems. This is a critical first step towards the broader notion of a ‘universal’ digital identity infrastructure, because it represents a small, incremental improvement over the way in which things are currently done, and does not require a ‘rip and replace’ strategy for corporations looking to gain incremental utility from their existing IT investments.


Enterprise interest in the Liberty Alliance Project and the work being done by only validate the fact that this is in fact a logical starting point for corporations to focus on.


The reason Phase I is so important is not that it allows corporations to maintain some semblance of security while dealing with the inevitability of their disappearing firewall, but that in the process of federating, companies will define the common language (protocol) of identity interchange, a language which MUST be installed and understood by all enterprise applications PRIOR to the T1 identity having any real world utility.


The advantage of Phase I from an enterprise perspective is that it allows corporations to take a logical, useful but incremental first step. It also allows them to engage partners in more meaningful interactions while providing conveniences to end-users through things like single sign-on.


The disadvantage of T2 Identity Linking (identity federation) is that there is a tremendous amount of redundancy in maintaining accurate information across N databases (for the same individual) and this redundancy is an extremely inefficient way to do things. That said, customer databases have been and will continue to be viewed as both sacred and highly protected informational assets, and not something companies will be willing to give up anytime in the near future.
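To make concrete what ‘linking’ two T2 accounts via federated SSO involves (the Company A / Company B scenario in the PingID Network post above, and the identity federation of Phase I), here is an added toy model of Liberty-style account federation. It is example code written for this page, not part of the original post and not SourceID SSO. It assumes a shared HMAC key in place of the XML digital signature the Liberty protocol actually uses, and the field names, company names and account number are invented for illustration; the fixed clock and the user ‘alice’ are constructed sample input.

```python
"""Toy model of Liberty-style account linking (federated SSO): Company A is the
identity provider (IdP), Company B the service provider (SP). Assumed, not from
the post: an HMAC over a JSON body stands in for the XML signature Liberty ID-FF
uses; field names, company names and the account number are invented."""
import hashlib, hmac, json, secrets

SHARED_KEY = b"idp-sp-shared-key-demo"  # constructed demo key
ASSERTION_LIFETIME = 300                # seconds an assertion stays valid


class IdentityProvider:
    """Company A: authenticates users and issues signed assertions."""
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.federations = {}  # (local_user, sp_name) -> opaque pairwise pseudonym

    def pseudonym_for(self, user, sp_name):
        # One random handle per (user, SP) pair, so SPs cannot correlate users.
        return self.federations.setdefault((user, sp_name), secrets.token_hex(16))

    def issue(self, user, sp_name, now):
        body = {
            "id": secrets.token_hex(8),
            "issuer": self.name,
            "audience": sp_name,
            "name_id": self.pseudonym_for(user, sp_name),
            "issue_instant": now,
            "not_on_or_after": now + ASSERTION_LIFETIME,
        }
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class ServiceProvider:
    """Company B: validates assertions and maps pseudonyms to local accounts."""
    def __init__(self, name, idp_name, key):
        self.name, self.idp_name, self.key = name, idp_name, key
        self.links = {}        # pseudonym -> local account, set when the user links
        self.seen_ids = set()  # assertion ids already consumed (replay protection)

    def validate(self, assertion, now):
        """Return (body, 'ok') or (None, reason); every check runs before any lookup."""
        payload = assertion["payload"].encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None, "bad signature"
        body = json.loads(payload)
        if body["issuer"] != self.idp_name:
            return None, "unknown issuer"
        if body["audience"] != self.name:
            return None, "assertion not intended for this SP"
        if not body["issue_instant"] <= now < body["not_on_or_after"]:
            return None, "assertion expired or not yet valid"
        if body["id"] in self.seen_ids:
            return None, "replayed assertion"
        self.seen_ids.add(body["id"])
        return body, "ok"

    def link(self, assertion, local_account, now):
        # Explicit federation: the user has just authenticated locally as local_account.
        body, why = self.validate(assertion, now)
        if body is None:
            return False, why
        self.links[body["name_id"]] = local_account
        return True, "linked"

    def sso_login(self, assertion, now):
        body, why = self.validate(assertion, now)
        if body is None:
            return None, why
        account = self.links.get(body["name_id"])
        if account is None:
            return None, "not federated: local login required to link"
        return account, "ok"


def demo():
    """Walk through the travel-site / broker scenario and its failure modes."""
    now = 1_000_000.0  # fixed clock so the run is reproducible
    idp = IdentityProvider("CompanyA", SHARED_KEY)
    sp = ServiceProvider("CompanyB", "CompanyA", SHARED_KEY)
    r = {}
    r["before_link"] = sp.sso_login(idp.issue("alice", "CompanyB", now), now)[1]
    r["link"] = sp.link(idp.issue("alice", "CompanyB", now), "acct-4711", now)[1]
    r["sso"] = sp.sso_login(idp.issue("alice", "CompanyB", now + 60), now + 60)[0]
    stale = idp.issue("alice", "CompanyB", now)
    r["expired"] = sp.sso_login(stale, now + ASSERTION_LIFETIME + 1)[1]
    once = idp.issue("alice", "CompanyB", now)
    sp.sso_login(once, now)
    r["replay"] = sp.sso_login(once, now)[1]
    r["wrong_audience"] = sp.sso_login(idp.issue("alice", "CompanyC", now), now)[1]
    forged = dict(stale, payload=stale["payload"].replace("CompanyB", "CompanyX"))
    r["forged"] = sp.sso_login(forged, now)[1]
    r["unlinkable"] = idp.pseudonym_for("alice", "CompanyB") != idp.pseudonym_for("alice", "CompanyC")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

Two points the liability example turns on are visible here. The user is only logged into Company B’s account after an explicit local login and link step, and an assertion that is expired, replayed, forged or addressed to another provider is rejected before any account lookup, which is precisely the kind of ‘glitch’ a business agreement has to assign responsibility for. The pseudonym is generated per (user, SP) pair, so two service providers cannot correlate the same person by comparing the identifiers Company A hands them.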


Phase II: Transition and Equilibrium


One sign that we are entering Phase II will be that consumers become much more aware that they have a digital identity and that it is being used by corporations. At this point, end-users will begin to desire, or in some cases even demand (e.g. through legislation), more control over the use of and access to their digital identity profile and attribute data. As a result of this awareness and, in fact, real demand, there will be renewed interest in building out T1 identity infrastructure, the difference being that this time the T1 infrastructure will be built using the pre-installed language of identity invested in so heavily by corporations in Phase I (a key distinction in terms of the potential for success of T1). Because both T1 and T2 now co-exist in Phase II, an equilibrium will likely emerge with respect to ‘who controls what aspects of your data’.


Note that Phase II may or may not actually be a transition phase. It might indeed be a final state. Indeed, it is quite possible that the evolution of identity infrastructure never progresses beyond Phase II, and I don’t believe that this is actually a bad thing. The co-existence of T1 and T2 systems could work provided a fair and balanced equilibrium with respect to control is reached between the needs and desires of the individual and the requirements of businesses to communicate with and service their customers. The only reasons I can envision the world progressing in its evolution beyond Phase II and towards Phase III would be external pressures such as legislation, or the efficiencies gained in Phase III through the elimination of redundant information outweighing enterprises’ concerns that ‘fair use’ (Phil Becker) would in some way break or cease to exist.


Phase III: The True T1 Emerges


In Phase III, T1 has evolved to the point where companies begin to rely upon the integrity of the T1 (maintained by the individual) and query the T1 to update their T2’s. When (and if) this occurs, T2’s as we know them today will likely forever change. It will be as if the T1 becomes the ‘master’ and T2 the ‘copy’.


The advantage of Phase III from the consumer or end-user perspective is that finally, they will be in complete control over their digital identity. From a corporate point of view, the advantage will be that the need to maintain a redundant copy of an end-user’s account information, and the costs associated with maintaining that data (ensuring that it is current and accurate), will be eliminated. Personally, I do believe that provided ‘fair use’ is accommodated, Phase III offers the most advantages to both the individual and the corporation.


Once again, I’m not sure that the world ever evolves as far as a Phase III, but I do believe that Phase I and II are precursors for even the possibility of a Phase III as described within.

Three Phases of Identity Infrastructure Adoption

January 21, 2003 By: Andre Category: Musings

Interestingly enough, an essay I published hypothesizing Three Tiers of Identity back in March of 2002 has sparked some recent discussion between Doc, Mitch and others. Furthermore, recent news of RSA’s T1 identity initiative and a number of T1-based identity products have led me to formalize my own thoughts on the subject of timing and the T1 identity.


In this essay, I lay out my ideas related to identity industry adoption timing, and what I feel are the required pre-cursors for a fully viable T1 infrastructure. Read the Essay.

SourceID SSO v1.0 (beta 1) Released

January 20, 2003 By: Andre Category: Ping Identity

After many months of around the clock programming, Bryan Field-Elliot (Ping’s CTO) today finished the first release of Ping’s first software product — SourceID SSO v1.0b, a Java toolkit for implementing the Liberty Protocol v1.1 to do federated single sign-on. Details can be found at:


Presenting at Colorado Venture Capital in the Rockies 2003

January 18, 2003 By: Andre Category: Ping Identity

Ping’s been invited to present at this year’s Colorado Venture Capital in the Rockies. Looks to be quite the shindig at the Ritz-Carlton Bachelor Gulch in Beaver Creek, CO. It will be our first formal initiative towards a Series A round of financing.

Speaking at PC Forum 2003

January 18, 2003 By: Andre Category: Life

I was surprised to receive a panel invitation today to speak at Esther Dyson’s PC Forum 2003 that Jamie Lewis (CEO of The Burton Group) is hosting on Identity Management. I’ll be in good company with Craig Mundie (CTO Microsoft), Jonathan Schwartz (Sun Microsystems) and Gordon Eubanks (CEO Oblix).