
Exploring the science and magic of Identity and Access Management
Tuesday, June 9, 2026

Why Federated Identity is easier said than done

Identity
Author: Mark Dixon
Thursday, March 3, 2011
7:52 pm

Stephen Wilson of The Lockstep Group in Sydney, Australia, is scheduled to present an interesting paper, Why Federated Identity is easier said than done, at the AusCERT2011 conference in May. Based on the abstract, the complete paper should be really interesting.

Stephen states that despite,

“near universal acceptance of the idea of Federated Identity … higher risk services like banking, e-health and e-government have steadfastly resisted federation, maintaining their own identifiers and sovereign registration processes.”

He further asserts that lingering resistance to full adoption results from the fact that,

“Federated Identity is in fact a radical and deeply problematic departure from the way we do business.  … Thus the derided identity “silos” are a natural and inevitable consequence of how business rules are matched to particular contexts.”

Stephen’s final comment:

“If we focused on conserving context and replicating existing real world identities in non-replayable forms, most routine transactions could take place safely online, without the incalculable cost of re-engineering proven business arrangements.”

If Identity Federation really doesn’t match the way we do business, it will be interesting to see how Stephen expands on and clarifies that final statement in the full paper.

 

Emerging Identity Oracles

Identity
Author: Mark Dixon
Thursday, March 3, 2011
7:20 pm

Oracle: “In Classical Antiquity, an oracle was a person or agency considered to be a source of wise counsel or prophetic opinion, predictions or precognition of the future, inspired by the gods.”

Thanks to Nishant Kaushik for pointing out Anil John’s thought-provoking article, “Identity Oracles and their role in the Identity Eco-System.” In his introductory tweet, Nishant suggested, “Some thing for @trulyverified to think about.”

Since I recently signed up for the Tru.ly service, I thought Nishant’s advice was timely.

It was interesting to review the four characteristics of an Identity Oracle outlined by Bob Blakley, currently the Gartner Research VP for Identity and Privacy:

  • An organization which derives all of its profit from collection & use of your private information…
  • And therefore treats your information as an asset…
  • And therefore protects your information by answering questions (i.e. providing meta-identity information) based on your information without disclosing your information…
  • Thus keeping both the Relying Party and you happy, while making money.

Some emerging companies fit part of this definition. Certainly Tru.ly relies on information I provide and they verify, as an asset, and has based its business plan on such assets.

However, others come at it from a different direction: Acxiom and LexisNexis offer Identity Verification and Authentication services based on publicly-available information. Neither company has asked me whether they can use my information, but Acxiom claims, “Acxiom’s identification platform utilizes demographic and geographic data in challenge questions with nearly 900 data elements for more than 300 million individuals.” LexisNexis claims, “Access to vast data resources – more than 20 billion public and proprietary records.”

Acxiom and LexisNexis customers pay for the privilege of tapping into those vast stores of personal information to provide authentication and validation services.

Does this make Acxiom and LexisNexis Identity Oracles? What about Tru.ly or Trufina, or similar companies? Do the three major credit bureaus qualify? Perhaps none are complete Identity Oracles in the true sense of Bob Blakley’s definition. But they are getting close.

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.