Digital Identity within E-Business and E-Government: Where are we now and Where do we go from here William Barnhill Booz Allen Hamilton.

Agenda
- What are the basics of Identity 2.0?
- Where are we now?
- Where are we going?
- What does the future hold?
- Questions and Comments?

What are the basics of Identity 2.0?

What identity is and isn’t
- Dictionary.com on identity:
  - The collective aspect of the set of characteristics by which a thing is definitively recognizable or known
- More precisely:
  - A digital representation of a set of claims made by one party about itself or another digital subject [Identity Gang]
- Some say identity = reputation, others not
- IMHO, reputation is just a possible set of claims
- Note that the above definition says ‘thing’, not person:
  - A corporation can and does have an identity
  - So does an online community
  - Less clear are things that cannot express free will: routers, etc.
- Identity is not identification; that is just one use of identity

The Core Concept of Identity 2.0
- User-Centric Identity
  - User consent
    - The user can always allow or deny whether information about them is released (reactive consent management)
  - User control
    - The user has the ability to policy-control all exchanges of identity information (proactive consent management)
    - The user delegates decisions to identity agents controlled through policy
  - User-centered
    - Pete Rowley describes this core subset of the previous two as ‘People in the protocol’
    - The user is actively involved in information disclosure policy decisions at run time

Identity in e-Business and e-Gov
- Identity 2.0 drivers in e-Business and e-Gov
  - Spam: more than 50% of blogs are spam blogs (splogs)
  - Growing risk of identity theft
  - Niche marketing requires greater identity
  - Regulation: e.g. China’s 18-digit ID numbers to combat gaming addiction in those under 18
- The Identity Meta-System
  - No single identity solution will work for everyone
  - Consistent user experience across different systems
  - Interoperability of identifiers and identity claims through an encapsulating protocol... the IP of identity

Where are we now?

Identity standards in our hands
- SAML 2.0: OASIS
- OpenID: OpenID.net
- Liberty ID-WSF
- CardSpace: Microsoft
- Username/Password
Source: Eve Maler, from

Where are the problems?
- We are in the pre-IP world of Ethernet, Token Ring, etc. (SAML, OpenID, i-names, WS-Trust, ID-WSF)
- Publish your information once, relinquish control
- Spam cost $21.58 billion annually, according to the 2004 National Technology Readiness Survey
- Identity fraud cost $56.6 billion in 2006
- Existing standards have not been used to solve the above problems
- Each existing standard addresses different facets of identity from the perspective of different users
- No single standard acts as the gem that holds the facets together
- Thorny issues:
  - How do we represent claims in a way translatable to everyone?
  - How do we capture negotiation of what claims are needed?

Identity standards on the horizon
- The identity meta-system
  - Microsoft’s vision, implemented in InfoCard
- Higgins
  - Novell’s vision for an identity meta-system, implemented in the Bandit project
- OpenID
  - Community vision for a very lightweight identity meta-system, implemented in the Apache Heraldry project
- i-names
  - Extensible Resource Identifiers (XRI) are exponentially more valuable for a lightweight identity system, implemented in XDI i-brokers
- Many others, see

Where are we going?

Kim Cameron’s Laws of Identity
- User Control and Consent: Identity systems must only reveal information identifying a user with the user's consent.
- Minimal Disclosure for a Constrained Use: The identity system must disclose the least identifying information possible, as this is the most stable, long-term solution.
- Justifiable Parties: Identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
- Directed Identity: A universal identity system must support both "omni-directional" identifiers for use by public entities and "uni-directional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
- Pluralism of Operators and Technologies: A universal identity solution must utilize and enable the interoperation of multiple identity technologies run by multiple identity providers.
- Human Integration: Identity systems must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
- Consistent Experience Across Contexts: The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
Source:

Will they work in the enterprise?
- Short answer: Yes
- Inward-facing answer: Yes, but…
  - Enterprise security and compliance requirements may force up-front user consent within the enterprise
  - May limit the operators and technologies allowed
- Outward-facing answer: Unqualified yes
  - Your customers, and quite possibly future laws, will require enterprises to protect the identity of their consumers
  - Enterprises will be required to protect their own identity to combat phishing and spam

Identity Meta-system Requirements
- For adoption…
  - Open in all senses of the word… a communal barn-raising
  - Simply complex… simple at its core, with the capability of handling complexity by adding plug-ins of some form
- Microsoft’s Kim Cameron states 5 key pieces:
  - A way to represent identities using claims
  - A means for identity providers, relying parties, and subjects to negotiate
  - An encapsulating protocol to obtain claims and requirements
  - A means to bridge technology and organizational boundaries using claims transformation
  - A consistent user experience across multiple contexts, technologies, and operators
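The Laws of Identity above and the "key pieces" just listed describe behaviour an identity provider has to implement; the following Python sketch is an added example, not code from this presentation or from InfoCard, Higgins, OpenID or any other project named here. It shows a claims-based representation of a subject, minimal disclosure under user consent (a claim leaves the provider only if it was requested and consented to), a claims transformation that answers "over 18?" without releasing the birth year, and directed (uni-directional) identifiers derived with an HMAC so that two relying parties cannot use them as a correlation handle. The provider key, the subject, the relying-party URLs and the reference year are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed secret known only to the identity provider (hypothetical value, not from the deck).
IDP_PAIRWISE_KEY = b"constructed-identity-provider-secret"


@dataclass
class Subject:
    """A digital subject: the provider's internal id plus every claim it holds about the subject."""
    internal_id: str
    claims: dict


def directed_identifier(subject: Subject, relying_party: str, key: bytes = IDP_PAIRWISE_KEY) -> str:
    """Uni-directional identifier for one (subject, relying party) pair ("Directed Identity").

    The value is stable for that pair, so the relying party can recognise a returning user,
    but it is an HMAC over the pair under the provider's key: two relying parties see
    unrelated values, and none of them can recover the internal id from it.
    """
    message = f"{subject.internal_id}|{relying_party}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:32]


def transform_claims(claims: dict, reference_year: int) -> dict:
    """Claims transformation: derive a less identifying claim from a more identifying one.

    'over_18' answers the relying party's real question without releasing 'birth_year'.
    The reference year is a parameter so the result does not depend on today's date.
    """
    available = dict(claims)
    if "birth_year" in claims:
        available["over_18"] = (reference_year - claims["birth_year"]) >= 18
    return available


def release_claims(subject: Subject, relying_party: str, requested: list,
                   consented: set, reference_year: int) -> dict:
    """Minimal disclosure under user consent ("User Control and Consent", "Minimal Disclosure").

    A claim leaves the provider only if the relying party requested it, the user consented to
    it, and the provider can supply it. Claims that were not requested, or were requested but
    not consented to, stay at the provider. The subject is named by the directed identifier
    for this relying party, never by the internal id.
    """
    available = transform_claims(subject.claims, reference_year)
    released = {name: available[name]
                for name in requested
                if name in consented and name in available}
    released["subject"] = directed_identifier(subject, relying_party)
    return released


def withheld_claims(subject: Subject, requested: list, consented: set, reference_year: int) -> set:
    """For the consent UI or audit log: requested claims the user declined to release."""
    available = transform_claims(subject.claims, reference_year)
    return {name for name in requested if name in available and name not in consented}


if __name__ == "__main__":
    # Constructed subject and relying parties for the demonstration.
    alice = Subject("user-0001", {"name": "Alice Example",
                                  "email": "alice@example.test",
                                  "birth_year": 1985})
    shop = "https://shop.example.test"
    bank = "https://bank.example.test"
    wanted = ["over_18", "birth_year", "email"]   # the shop asks for more than it needs
    agreed = {"over_18", "email"}                 # the user consents only to what is needed
    print(release_claims(alice, shop, wanted, agreed, 2007))
    print("withheld:", withheld_claims(alice, wanted, agreed, 2007))
    # Same user at two relying parties: two unrelated identifiers.
    print(directed_identifier(alice, shop), directed_identifier(alice, bank))
```

The point of the `over_18` derivation is that the relying party gets exactly the claim it needs and nothing it could later correlate or leak; the point of the HMAC-derived subject identifier is that "stable for one relying party" and "unlinkable across relying parties" are both achieved without the provider keeping a lookup table per pair.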

Convergence in the identity space
- URL-based vs. card-based vs. token-based
- Convergence between URL-based and card-based identity
- Convergence starting to happen between URL-based and token-based identity
- Towards full convergence and a true identity meta-system
  - URL-based identity => resource identifier-based
  - XRI-based identity => a possible full convergence
  - The i-broker concept

Identity Standards Adoption
- Adoption is happening right now
- The grassroots/Web 2.0 adoption vector
  - URL-based identity: OpenID, YADIS
- The enterprise adoption vector
  - Token+card-based identity (WS-Trust, CardSpace)

What does the future hold?

Identity 2.0 Services are a Blue Ocean
- Blue Ocean vs. Red Ocean
- Characteristics of a Blue Ocean market
  - Pioneering vs. competitive; breeds cooperation
  - Creating or redefining demand
  - Key to sustainable success
- Many service offering possibilities, few providers
- Current providers are more co-operative, incl. Microsoft
- So… Identity 2.0 Services is a blue ocean

What the future may hold
- An Identity Meta-System (IMS) standard that specifies core IMS requirements and possible profiles
- Multiple flavors of an Identity Meta-System (InfoCard, Bandit, XDI I-Brokers) that implement that standard
- Standards for reputation representation and interchange, leading to reputation as a real value currency

What you can do
- Help raise the barn!
  - Join two Open Source projects
- Why two?
  - Because you’ll be looking at the problem from different perspectives, and because we need more people as bridges
- Join or form OASIS identity-related technical committees
- Talk to your enterprise leadership:
  - How user-centric is their identity?
  - Do they have documented Identity Management policies and procedures?
  - If not, help them write them, or out-source it (in the interests of full disclosure, Booz Allen has an IdM group)

Summary
- User-centric identity will be crucial as software-as-a-service, knowledge management, and social software become widespread in the enterprise
- Adopting the right emerging identity standard for your enterprise will have significant ROI
- Identity 2.0 brings several new market opportunities, most of them tied to Open Source
- We’re still at the stage where an Identity Management (IdM) consultant needs to know many standards, but convergence is happening.

Questions and Comments?