Exploring the science and magic of Identity and Access Management

Catalyst Conference 2006 – Day 2

Identity
Author: Mark Dixon
Thursday, June 15, 2006
10:16 pm

Mike Neuenschwander consented to have his photo taken to headline my blog today, the second day of the Catalyst Conference. Lots of information – fifteen pages of notes. I hope these summaries are helpful to you.

Jamie Lewis (Burton) – Internet.net: What Kind of Internet Do We Want and Need?

  • We have hit a crossroads in the Internet – what kind of Internet do we want and need?
  • There is a crisis of confidence in the Internet (e.g. phishing has rendered emails from banks unusable for communicating with customers).
  • Web 2.0 is the “participatory web”.
  • The Internet lacks a concept of interoperable identities.

Dave Passmore (Burton) – Net Neutrality

  • Network operators can look deep into packets and decide whether it is in their business interest to block or slow down performance for competitive services.
  • Net neutrality legislation is difficult to write and legislators are reticent to address the subject.
  • Network operators are migrating to the IP Multimedia Subsystem (IMS) to replace the Public Switched Telephone Network.

Dan Blum (Burton) – Can we Control the Internet without Killing It?

  • Bank of America’s SiteKey is a good example of improved security without introducing other physical devices.
  • Full spectrum defense includes defense in depth and breadth. It must include technology + governance + operations.
  • Security must be normal way of doing business.
  • Some people think we need a whole new Internet. Don’t expect to see it in next 20 years.

Mike Neuenschwander (Burton) – Identity and Privacy

  • Privacy is a key issue
  • As you rely on social interactions, you will rely less on Identity
  • Trust emerges out of a continuing relationship. If I cultivate a relationship multiple times over time, the reliability of the relationship will grow and trust will naturally emerge.
  • Identity acts as a common pool resource. Drawing on a common pool resource (Identity) to solve a common pool resource problem (Internet) is dangerous.
  • If people who use the system are involved in the governance of the system, it works better
  • SSL is widely used to create sessions between end points. What is the “SSL” for relationships?

Anne Thomas Manes (Burton) – Next Generation Applications and Services

  • Web 2.0 is a term coined by Tim O’Reilly
  • Web 2.0 could be called the “participatory web”, where individuals can participate in the web using blogs, wikis, mashups (e.g. a Craigslist overlay on Google Maps), social networking (e.g. LinkedIn, Orkut, MySpace) and tagging.
  • Whole communities can collaborate.
  • To use Semantic Web applications like RDF and OWL, you need to think like a physicist.
  • Rich Internet Application (RIA) technologies (e.g. AJAX) seek to improve the user experience.
  • New governance models must emerge. Governance by community works in some cases (e.g. Wikipedia).
  • Users want a consistent experience across sites. In order to do that, events and reputation must persist over time.
  • Today – each vendor owns your identity on their site. That probably won’t change.

Mike Neuenschwander (Burton) – Thinking Outside the Domain: The Emergence of User-centric Identity and the Democratization of Federation

  • The Internet, like many other “common pool” resources, is falling victim to the propensity for participants to be self-serving rather than beneficial to the whole. Individual/commercial rationality overpowers collective interest.
  • Social dilemmas are collaborative action problems, with alternate solutions.
  • Collaborative action problems are typically solved with strong central governance, but that doesn’t sound like the Internet. Identity management is a strong administrative style suited to clearly delineated domains.
  • Other styles of dealing with identities include user-centric identity and a social style, which is less dependent on identities and more on reputation, relation and reciprocity.
  • The user-centric management style relies less on facilitated management, but relies heavily on identity information. This is not a replacement for domain-centric management, but an alternative approach.
  • Some online properties (e.g. Wikipedia, eBay reputations, online gaming worlds) prosper without strong identity.
  • The foundation of cooperation is not really trust, but the durability of the relationship over time.

Panel Discussion – Jamie Lewis (Burton), Kim Cameron (Microsoft), Eve Maler (Sun Microsystems), Dick Hardt (Sxip), Michael Graves (Verisign) – User-centric Identity: Is it Really Identity that We Need to Manage?

Verisign (PIP) Personal Identity Provider (Michael Graves)

  • PIP is a home base to start with.
  • It now supports OpenID, but will support multiple protocols.
  • Why should we trust PIP or any service provider? You need to trust someone to get started.
  • We must agree on the “rail gauge” that connects people.
  • Leverage the URL name space that people know.

Sxip (Dick Hardt)

  • DIX is the core of what they are doing at Sxip.
  • Use SAML 2.0 for defining messages.
  • The user is the hub for data transactions.
  • User’s experience must be consistent.
  • Convergence of Sxip work and SAML.
  • Early in the process, but many companies are participating.

Liberty Alliance (Eve Maler)

  • Sun has just issued a non-assertion covenant regarding SAML.
  • Liberty may be perceived as enterprise-centric, but is quite comfortable with user-centrism.
  • Nothing prevents a Liberty circle of trust from including the user.
  • User-mediated identity flow is just one use case.
  • We must build the maximum level of security into the architecture, but be able to turn that down as necessary.

CardSpace vs. InfoCard (Kim Cameron)

  • InfoCards are a visual representation of an identity. They could possibly be hosted on any platform.
  • CardSpace is the Windows implementation.
  • The complexity of the security layer should be pushed down so no one sees it (like TCP/IP).
  • With the user in the middle, the identity provider is decoupled from relying party. These two parties don’t need to know each other.

Jamie Lewis (Burton)

  • Quit arguing about the composition of asphalt. Go build some cars.

Bob Blakley (IBM) – Identity and Community in Human Society

  • Access to information about us enables power over us, in many situations – asymmetric information is power.
  • Trust builds over time. Betrayal causes distrust.
  • Repetition changes the game – it maximizes mutual gain.
  • We take chances in order to build trust, and build up our trust reality through experience.
  • Corporations have a perpetual lifetime and seek to limit liability by laying off risks to investors or others.
  • People provide money and information to corporations. In exchange, we accept goods and services and assume risk.
  • Corporations not capable of intimacy – they don’t value intimacy or trust
  • The Identity Metasystem is a terrible idea and must never be built.
  • We should build the Meta-Identity System.
  • An example of meta Identity data is a wrist band at a nightclub. It shows that you passed the age test to come in, but doesn’t reveal your age.
  • We must stop moving identity data around and concentrate on using meta data.
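The nightclub wristband above, together with Kim Cameron’s point earlier on this page that with the user in the middle the identity provider and relying party need not know each other, can be shown in a few lines of code. This Go program is an added example written for this page; it is not code from the conference, Burton Group, IBM or Microsoft. The token layout, the field names (`sub`, `over18`, `iat`) and the use of Ed25519 signatures are my own assumptions for illustration, not any real InfoCard or SAML format. The identity provider signs only the derived predicate (“passed the age test”), the user carries it, and the relying party checks it with nothing but the issuer’s public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claim is the only thing the user carries to the relying party: a derived
// predicate ("passed the age test"), never the date of birth it came from.
// Field names are hypothetical; no real token format is implied.
type Claim struct {
	Subject  string `json:"sub"`
	Over18   bool   `json:"over18"`
	IssuedAt int64  `json:"iat"`
}

// Token is the signed wristband: payload plus the issuer's signature.
type Token struct {
	Payload   []byte
	Signature []byte
}

// Issuer plays the identity provider. It keeps the signing key private and
// publishes only the public key, which relying parties obtain out of band.
type Issuer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{priv: priv, Pub: pub}, nil
}

// isOver18 reports whether someone born on dob is at least 18 at now.
func isOver18(dob, now time.Time) bool {
	return !now.Before(dob.AddDate(18, 0, 0))
}

// Issue reduces the sensitive attribute (dob) to a yes/no predicate, signs
// the predicate, and hands the token to the user. The issuer never learns
// where the user will present it.
func (i *Issuer) Issue(subject string, dob, now time.Time) (Token, error) {
	c := Claim{Subject: subject, Over18: isOver18(dob, now), IssuedAt: now.Unix()}
	payload, err := json.Marshal(c)
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: payload, Signature: ed25519.Sign(i.priv, payload)}, nil
}

// Verify is the relying party's check. It needs only the issuer's public key,
// so it never contacts the issuer, and any change to the payload (for example
// flipping over18 from false to true) invalidates the signature.
func Verify(pub ed25519.PublicKey, t Token) (Claim, error) {
	if !ed25519.Verify(pub, t.Payload, t.Signature) {
		return Claim{}, errors.New("token signature does not verify")
	}
	var c Claim
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return Claim{}, err
	}
	return c, nil
}

func main() {
	iss, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	// Constructed sample data: a date of birth the relying party never sees.
	now := time.Date(2024, 6, 15, 0, 0, 0, 0, time.UTC)
	tok, _ := iss.Issue("alice", time.Date(1999, 3, 20, 0, 0, 0, 0, time.UTC), now)
	fmt.Printf("user carries: %s\n", tok.Payload)
	c, err := Verify(iss.Pub, tok)
	fmt.Println("relying party accepts:", err == nil, "over18:", c.Over18)
}
```

The two parties that matter never meet: the issuer sees the date of birth but not the relying party, and the relying party sees the predicate and a signature but not the date of birth. A production token would also carry an expiry and an audience so that a wristband issued for one door cannot be reused indefinitely at another.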

Scott Blackmer (Technology Law & Consulting) – Thinking about the Unthinkable: Managing your Risk Exposure from Security Breaches Involving Protected Personal Data

  • Personal information is the latest controlled substance.
  • Law and the marketplace expect you to protect personally identifiable information.
  • Identity theft is the fastest growing crime in America.
  • Identity theft is a direct danger to individuals and their employees.
  • Almost $50 billion per year in direct business costs and losses due to identity theft.
  • One announcement per week of major, mass identity theft.
  • California is setting the trend in regulation regarding identity theft. 25 other states have adopted similar legislation.
  • Heavy penalties for companies that have security breaches. The FTC has broad investigative powers.
  • Put together an incident response team in advance – speed matters.

Privacy Roundtable – Mike Neuenschwander (Burton), Dan Beckett (Burton), Bob Blakley (IBM), Scott Blackmer (Technology Law & Consulting)

  • In over half of identity theft cases, people don’t know where or how the loss occurred.
  • Different laws apply to public and private sectors.
  • New federal legislation (Financial Data Protection Act) will prevent blocking of credit information unless fraud has occurred.
  • Only credit reporting companies are regulated under the Fair Credit Reporting Act.
  • Legislation and regulations evolve slowly in response to experiences.
  • Biometrics: lots of work going on. Strongly couple people with identification documents (e.g. passports). Several significant challenges: cannot guarantee that all people have the right body part; sensitivity to environmental conditions; significant statistical challenges – may have 5000 false positives in a population of 1 million, even if there is four-nines accuracy.
  • By March 2008, states must issue IDs, including biometric attributes, under a standard the federal government hasn’t defined yet.
  • Inexpensive methods, such as using laptop cable locks and sending data via FedEx or UPS as “high value” packages, can substantially reduce identity theft.
  • Use standard information security methods to protect sensitive Identity information.

Gerry Gebel (Burton) – Federated Identity: Isn’t Everyone Doing It?

  • Federation has been talked about for a long time. We now see significant growth, but it is not ubiquitous.
  • SAML has solidified its position in the market.
  • Some successes include an enterprise with up to 50 federation partners and multimillion user deployments outside the telecom industry.
  • Obstacles to deployment include lack of awareness, plus concerns about risk, security, liability and audit.
  • Burton Group is starting a federation pilot. The project starts in 3Q2006.
  • Standards camps (SAML, OASIS WS-SX, Liberty ID-WSF, WS Federation) are making progress.
  • Few startups in the Federation space – most are mature companies.
  • User centric identity distorts the current model, which has been primarily an enterprise model.

Edmund Yee (Chevron) – Exploring the Role of Federated Identity in the Energy Community

  • Chevron is trying to build good connectivity with other companies in the energy industry.
  • Business cases include enabling joint operations and third-party collaboration, where companies seek to share the risk of huge capital projects; integrating the supply chain from exploration through distribution; and integrating vendor, customer and service provider relationships.
  • They considered several technology options, including point-to-point secure connectivity, private networks, and creating and managing third-party accounts and identities for each participating company.
  • They chose a Community of Interest federation model with a central trust model.
  • A proof of concept was conducted last October
  • A larger pilot system will be deployed this year
  • The broader energy industry is staying on the sidelines until they see results from an expanded POC.
  • If everyone signs up, it could involve tens of thousands of companies. Could be very big.

Mike Ferraro, Kishan Mallur (Harvard) – Adapting Centralized Application Security (SSO) to a Federated World

  • Tens of thousands of web sites and applications.
  • Needed to federate with external and internal groups.
  • Standard view of federation involves 2 parties: Identity Providers and Service Providers.
  • Had many identity providers and service providers. Point to point federation would have been too complex.
  • A federation of Identity Services provides a centralized federation service.
  • Significant internal pressure to use Shibboleth. External pressure to use Liberty. Decided to build their own.
  • 90% of their solution is home grown, using OpenSAML. Interfaces are SAML compliant.
  • May consider commercial product if it meets their requirements.


One Response to “Catalyst Conference 2006 – Day 2”

    [Trackback] The last couple of weeks have seen a lot of activity in identity management land. Last week saw Burton Group’s Catalyst Conference, which is always one of the key events in the identity management calendar. The conference also saw a meeting of the Id…

    Comment by On IT-business alignment on June 20, 2006 at 6:57 am

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.