Wednesday, October 15, 2003
Digital ID World, Digital Identity Primer
Phil's useful talk focused on explaining the emerging standards for identity infrastructure, using examples like booking a flight and concurrently renting a car online, or setting up an ecommerce site online that also has a credit card processing facility. The identity standards that will enable these kinds of arm's-length transactions involving customers and one or more companies are XML signatures, XML encryption, SAML and SPML.
The final standard Phil discussed is XACML, which is more suited for internal use, and really more of a programming language. Phil discussed how organizational policies are communicated from the top down, usually beginning with a Word document that either gets discarded or is never translated into code and operations that are uniformly deployed to a company's servers. "Policies are a nice exercise that keep CIOs fully employed." XACML strives to solve this problem. The translation need only be done once, and it enables uniform updates in a streamlined manner.
"Federation" involves single sign-on between/across organizations (e.g., book a flight, rent a car), and encompasses issues beyond just the technological standards: policies, legal issues, etc. Sun was right: "The network is the computer." Some examples of the different kinds of efforts in this area include Liberty Alliance and Microsoft Passport (now built into .NET, and, in Phil's estimation, Microsoft's effort to dominate this area the way it has dominated the OS and business apps).
At this point, Cory Doctorow raised what may be the question of the conference: are these emerging standards all latent SCOs? Nobody is making representations about not suing over incorporation and re-use of the intellectual property involved in these standards. It makes sense to deal with these issues on the front end, rather than building infrastructure out of ideas that might be proprietary, or in any event claimed as proprietary further down the road. Cory: "We didn't build infrastructure out of GIFs [referring to the Unisys flap]; we're talking about building infrastructures out of XACML."
Phil's concluding thought: Security is something that happens when you have a good digital identity management strategy, but is not the focus.
Unless otherwise expressly stated, all original material of whatever nature created by Denise M. Howell and included in the Bag and Baggage weblog and any related pages, including the weblog's archives, is licensed under a Creative Commons License.