Andre Durand

Discovering life, one mistake at a time.

Archive for February, 2003

SourceID SSO Surpasses 300 Installations in First Month

February 20, 2003 By: Andre Category: Ping Identity


Ping Identity Corporation today announced that SourceID SSO, an open source Java toolkit for interoperable single sign-on (SSO) adhering to the Liberty Alliance specification, has today surpassed 300 installations in the first month of open source availability, with over 33% of the installations coming from global Fortune 1000 companies. Read Release

The Ultimate Big Brother?

February 18, 2003 By: Andre Category: Musings

I was listening to Tim O’Reilly discuss databases one afternoon at his Open Source conference. He was talking about how there were at least three different approaches to building databases:


1. manually populate them one record at a time.

2. build a bot to populate them somewhat automatically.

3. or lastly, allow people to do what they do in the normal course of their day-to-day activities and let the database grow organically as a by-product. 


He then went on to talk about how Napster knows what’s hot in music and how it represented the #3 type of database – always current, always being updated.


Well, if you think that Napster learned about our music preferences, what do you think Google has learned about each of us in the past two years?

Bruce Schneier on “The Importance of Authentication”

February 18, 2003 By: Andre Category: Ping Identity

“Authentication is more important than encryption. Most people’s security intuition says exactly the opposite, but it’s true. Imagine a situation where Alice and Bob are using a secure communications channel to exchange data. Consider how much damage an eavesdropper could do if she could read all the traffic. Then think about how much damage Eve could do if she could modify the data being exchanged. In most situations, modifying data is a devastating attack, and does far more damage than merely reading it.”

Many of the companies we’re talking to share this concern, especially as it relates to ‘shared authentications’. If you have not established ‘trust’ with the party you’re dealing with, how much weight do you place on their security and authentication methods? How much do you authorize a shared user to do on your network, how much liability are you willing to expose yourself to? These concerns are the central issues that PICA attempts to resolve in a federated world.

Like Eric always says, “TRUST, feels good — means nothing.”

No one company is bigger than identity – not even Microsoft

February 18, 2003 By: Andre Category: Ping Identity

I was musing this morning on the notion that of all the companies even remotely large enough to attempt to corral identity, Microsoft is certainly at the top of the pile. But try as they might, identity is bigger than even Microsoft can swallow. The truth is, no one company has a 360 degree view on our identity and only the identity-owner remains as the lowest common denominator in a world full of scattered T2 identity fragments. Fundamentally, this is the reason that I believe that identity federation is the way in which corporate adoption of identity will gain traction, and why I think Identity Networks are the ultimate competitive vehicle with which to organize something as large as this.

Philosophy of Identity – by Timothy Grayson

February 18, 2003 By: Andre Category: Ping Identity

Timothy Grayson of the Canada Post (and advisor to Ping) recently published this paper urging us all to consider the ‘softer’ underbelly of digital identity before it’s too late.


Abstract: Technological development has created the necessary environment, and market demand the imperative to establish a strong digital identity framework.  In pursuing digital identity as a solution to a technical/economic problem, we are giving too little thought to the importance of the “softer” non-commercial aspects of identity.  Now, before it’s too late, we need to address the foundation of identity:  its features and characteristics.  


More than that we need to delve into the philosophical underpinnings of social identity.  Clearly understanding its nature and limitations, we can examine some of the essential constraints and requirements for digital identity.  Purposeful social identity is the result of external entities granting credentials attesting to and tying a unique set of identifying attributes to a unique person.  Only a state has the power to register, grant, maintain, and enforce such credentials.  This established identity-granting process fosters system integrity and a discrete 1:1 mapping of individuals to their respective identities. 


A complete identity per se has many layers, with each layer built outward from foundations within it, ultimately reducible to that core identity from which all others are derived.  Various role identities may present the same structure and many of the attributes of a core identity, but they are subordinate or even ancillary to the core.  The purpose of this paper is not to identify a business nor to propose solutions to digital identity challenges.  Rather, the exploration of identity is purely for the sake of understanding and clarity, as many potential traps and obstacles become apparent in the full context and understanding of social identity.


Read Paper

Scaling Web Services Securely – An Interview with Tony Scott

February 16, 2003 By: Andre Category: Ping Identity

Eric came across this interesting interview with Tony Scott (CTO – GM) where he said, “There are lots of things that can be done very securely. They just don’t happen to scale very big.” That’s the EXACT problem we’re attempting to solve with the PingID Network, namely, how to scale identity interchange without sacrificing security.

Introduce LIVE Services from PingID Network

February 15, 2003 By: Andre Category: Ping Identity

Well, we’ve finally figured out where we’re going to ‘land’ the PingID Network (a separate company from Ping Identity which has been organizationally modeled after VISA and the PLUS ATM Networks).

In traditional open source fashion, we figured we’d announce these services (which will become available in April of this year) and see who comes out of the woodwork.

Advice to Microsoft Regarding Open Source Software

February 13, 2003 By: Andre Category: Life

David Stutz – Former Microsoft Employee Writes…

“Digging in against open source commoditization won’t work – it would be like digging in against the Internet, which Microsoft tried for a while before getting wise. Any move towards cutting off alternatives by limiting interoperability or integration options would be fraught with danger, since it would enrage customers, accelerate the divergence of the open source platform, and have other undesirable results. Despite this, Microsoft is at risk of following this path, due to the corporate delusion that goes by many names: “better together,” “unified platform,” and “integrated software.” There is false hope in Redmond that these outmoded approaches to software integration will attract and keep international markets, governments, academics, and most importantly, innovators, safely within the Microsoft sphere of influence. But they won’t.” Read Entire Article

Identity Management Architecture

February 13, 2003 By: Andre Category: Ping Identity

I thought this Burton Group graphic on Identity Management presented to SIMC by Jamie Lewis was particularly good.

The Pendulum Swings Fastest in the Middle

February 13, 2003 By: Andre Category: Life

The issue is not what’s better: CopyLEFT or CopyRIGHT – they both have their place, as do hybrid strategies like Ping.

It’s funny how in attempting to understand something entirely new, people view the world through the goggles of their past (what they know or what neat little piles of understanding that they can place the new concept into).

I have a saying, the Pendulum Swings Fastest in the Middle. I use it in connection with the concept that HYBRID open source/commercial strategies (neither CopyLEFT nor CopyRIGHT) are like gene-splicing the best of both into one coherent strategy. I did that with Jabber, Inc. and I’m doing it again, albeit a bit more aggressively in Ping.

When I founded the commercial company Jabber, Inc. in 2000, there was a lot of concern and a lot of confusion around our business model. No one quite understood that we were a commercial company, funding an open source project that built a product that competed with our own commercial Jabber server. They didn’t understand that we were serving two different markets, that every success of the open source project added a feather to the success cap of Jabber, Inc., and that every new Jabber, Inc. customer (Disney was the first) added to the pride of the Jabber community at large. The notion of ‘MUTUALISM’ didn’t exist – both parties benefit from each other.

I remember standing in front of my competitors at the early Pulver instant messaging shows and explaining EXACTLY what we were doing, just to see if anyone really understood it. Three years later, most of those companies no longer exist — clearly they didn’t.

Phillip Windley (Disclosure: He’s a Ping Advisor) recently wrote a piece on Ethics and Fiduciary Duties that generated quite a bit of fuss. In response to one of the posts, Phillip pointed out:

“…I love open source projects and have been a beneficiary of them since I started working on the Internet in the 80’s. I also believe that there is significant promise in open source business models. I applaud companies like jBOSS and Jabber for exploring business models that are trying to show open source is a viable way of creating shareholder value. I do not believe, however, that “information wants to be free” or that open source is inherently good and other models inherently evil.”

Phillip. Thank You. You are now involved in a project which will attempt to push that boundary even further. We are at Ping exploring new territory when it comes to new business models. We take nothing for granted. We’re gene-splicing the best characteristics of what a commercial venture can offer an open source project, and what an open source project can offer a commercial venture. There is nothing that is inherently mutually exclusive about the goals of open source and the objectives of a for-profit venture (both give a little in the relationship – but both receive more in return), and I’d argue that with a bit of work, both can in fact achieve their goals in an accelerated fashion.

While I’m on the soap box — I believe there is also some misunderstanding now with respect to what Ping is doing. MY VISION, MY REASON FOR BEING INVOLVED IN THE IDENTITY SPACE AT ALL, WAS TO COUNTER WHAT I FELT WAS HAPPENING WITH RESPECT TO CORPORATE INTERESTS AND MY IDENTITY.

However, I’m pragmatic, and I’m patient, and I have absolutely no problem methodically working towards an end-goal which may involve hundreds of steps or even years to mature.

Bryan wrote something that I thought was really funny the other day in an email I thought might be appropriate to share. It was in response to some flak that we appear to be getting in aligning ourselves with Liberty. He joked that we should rewrite our license to read as follows:

“…SourceID hereby grants licensee permission to use licensed software for purposes of EVIL, exclusively. Any deployment of licensed software for purposes of GOOD are expressly prohibited. Exceptions to this prohibition will be granted in such cases of demonstrable EVIL ULTERIOR MOTIVE, which must be filed in advance and approved by SourceID prior to license grant.”

Here’s the bottom line: Myself, Bryan, Eric and everyone involved in Ping have a very deep-seated interest in seeing that the identity industry steers itself in a direction which ultimately empowers the individual. But, we’re also running a business, and have determined that the best way for us to achieve our goals, is to ensure that we’re long-term players in the conversation, and that will require that we ‘land’ this company in the here and now, in ways which we believe are critical to the development of the industry as a whole. We have a long-term view on the industry, and are in no particular rush. This could very well be a decade-long haul.