
Exploring the science and magic of Identity and Access Management
Saturday, December 6, 2025

Security Certificates on Cell Phones

Identity
Author: Mark Dixon
Wednesday, April 29, 2009
10:57 am

A few weeks ago, Henry Story posted an excellent comment to my blog about Identity in the Browser, linking to his blog post Global Identity in the iPhone browser, which described the use of foaf+ssl certificates to authenticate access to a website.

Yesterday, I participated in a somewhat spirited discussion with colleagues about the pros and cons of using certificates in mobile devices to provide better security than common username/password techniques.  Getting away from typing passwords on a cell phone would be very helpful.  The main thing I really like about the method Henry described is the ease in selecting different certificates, which may represent different personas for a user.  Being able to increase security and ease-of-use at the same time is encouraging.

However, I think we need to overcome some other key hurdles to bring this method into the mainstream.  Some issues include:

  • How will certificates be distributed and installed, particularly to people who are not particularly technology savvy?
  • What methods will be used to verify that certificates match a person’s real Identity?
  • What will it take to get a critical mass of online sites to adopt this method of authentication?
  • What happens if the phone is lost or stolen?

It will be interesting to see how these and other relevant issues are resolved.

 

Identity Assurance with MyID.is

Identity
Author: Mark Dixon
Saturday, April 4, 2009
2:41 am

I admit it.  I stalk Identity Management on Twitter.  I do so by dedicating a Tweetdeck search column to the term "Identity Management." This morning, my stalking paid off.  I picked up a tweet from @TechRSS introducing me to MyID.is, a service that purports to validate a person’s true identity over the Internet:

"MyID.is Certified users store their certified identity information to the service and create a link between an Internet community and their verified true identity stored at MyID.is Certified. By getting your digital ID certified, the service will compare it from trusted data sources such as your bank info and public registers."

The two methods used during the validation process include:

  1. Being charged a random certification fee (between €2 and €5)  to a credit card with the same name being certified. The user must later submit the precise amount charged to the MyID.is website.
  2. Submitting the user’s real postal address, to which is sent a printed letter with a code that must be later submitted.

I haven’t yet used this service, but it represents a novel approach to verifying a person’s real Identity.  It isn’t completely foolproof, but scamming the system would require both a fraudulent credit card account and a fraudulent postal address. 

This is but one approach in the general area of Identity assurance – focused on validating that a person is really who he or she claims to be.  In an online environment rife with imposters and anonymity, this is a breath of fresh air.

Of course, the validation process is not immediate – like online denizens usually prefer.  You don’t automatically know that I am the person whom I claim to be, just because I registered at the MyID.is site.  I must wait for the precise amount of my credit card charge to show up on my account statement and for the printed letter to arrive.  I’ll report back when my certification is issued.  Maybe then you will be convinced that I am The_Real_Mark_Dixon (like @The_Real_Shaq, but with a minor fraction of his fan base and monthly income).

 

Have a Token: ID Hats and Personae

Identity
Author: Mark Dixon
Thursday, April 2, 2009
7:17 pm

While pondering the ProtectServe/Relationship Manager proposition, use cases and protocol flows set forth by Eve Maler, in the context of a discussion of open architectures for citizen/government interaction I had earlier in the day, I came up with the bizarre notion that perhaps the best analogy for an Identity persona claimed by an individual is not an ID card, but an ID HAT.

We often talk about wearing different hats in life … some of mine are listed in my Twitter bio: "Husband, father, grandfather, social networking aficionado and Identity Management professional."  In one short phrase, five hats I commonly and proudly wear are identified.  Of course, I can choose to don other hats or expose other personae in my relationships with people or systems, either in person or in cyberspace.

In the case of online relationships, the trick is to provide the service I choose to relate with – the "consumer" in the ProtectServe model – with precisely the subset of my "user" data, that represents the hat I choose to wear in that relationship (my selected persona).  In the ProtectServe model, I depend on the Authorization Manager (aka CopMonkey) to provide the consumer with a token representing my chosen hat.

Now here’s where the hat concept becomes more useful … in addition to being a useful metaphor for my chosen persona, HAT is also an acronym for "Have a Token," which is  precisely the action I authorize the relationship manager to complete on my behalf.  Through this trusted third party, I have offered a token (Have a Token) to the consumer representing the HAT I choose to wear in our relationship.

Whether or not the ID HAT analogy has legs will be for others to decide.  But for me, it was an analogy that helped me understand a somewhat complex concept.

By the way, (many) hats off to Eve and the other brilliant thinkers who came up with the ProtectServe concept!


 

Identity in the Browser (IDIB) – More Complexity than Meets the Eye

Identity
Author: Mark Dixon
Wednesday, April 1, 2009
3:31 pm

A few days ago, I mentioned that Identity in the Browser (IDIB) was emerging as an interesting Identity Management topic.  After following a somewhat spirited internal email thread on the subject, I compiled a list of twenty issues that should be addressed as this topic is explored:

  1. Can a general approach be defined that would work in all the commercial browsers?
  2. Impact on mobile web, not just desktop/laptop web
  3. Ease of use for broad range of Internet users
  4. Security of authentication process
  5. Phishing resistance
  6. Security of browsers as a focal point for Identity
  7. How does this support cloud computing?
  8. Use of or interaction with standards or emerging standards (e.g. SAML, OpenID, OAuth)
  9. Hosted vs. client-based Identity selectors
  10. Support for multiple identities or personae
  11. Support for multiple identity providers
  12. Matching what service providers (SP) want with what Identity providers (IP) and attribute providers (AP) can deliver
  13. Accommodating self-registered and organization-registered identities and attributes
  14. Complexity issues with federation (e.g. multiple sessions, timeouts and logouts)
  15. Policy enforcement across multiple organizations and entities
  16. Audit/compliance/governance
  17. Applicability of certificate based authentication
  18. Impact on InfoCard/CardSpace approach
  19. Impact on Higgins approach
  20. Licensing fees for use of specific technologies

I’m sure this list isn’t exhaustive, nor is it even prioritized.  It does illustrate, however, that any new approach must cover much ground if it is to be effective.

It will be interesting to monitor progress as these topics are discussed in more detail.


 

Eve Maler: Renaissance Woman

Identity
Author: Mark Dixon
Wednesday, April 1, 2009
3:31 pm

Dave Kearns published a nice article today about Eve Maler, whose latest title is Emerging Technologies Director, Sun Microsystems Identity Software.  Although Eve told me she was a bit embarrassed by that headline, I think it fits well. 

Dave speaks highly about Eve and then introduced the proposed ProtectServe web protocol Eve described in her blog post To Protect and Serve and further addressed in her post ProtectServe: getting down to (use) cases.  These posts are indicative of the innovative thinking that has been Eve’s hallmark at Sun.

But perhaps it is Eve’s musicianship, home remodeling, artistic stitching and photography that earned Eve the Renaissance Woman title.

 

Identity on my Mind: Browsers, Boxes and Clouds

Identity
Author: Mark Dixon
Thursday, March 26, 2009
2:48 am

Almost sounds like an old country song …

It’s really too early in the morning for normal people to blog, but insomnia is a double-edged sword.  It deprives my body of sleep, but creates extra time to read and think.

Three Identity subjects I have been reading about and intend to blog about in the near future include:

  • Identity in the Browser.  Work by Google and discussions in the Concordia group are beginning to address how identity selector capabilities centered in the browser might provide an alternative to methods currently championed by Microsoft and Higgins.  My particular interest is how this effort might yield the right balance between ease of use and sufficient security by focusing right at the point where people are accessing the Internet.
  • Identity in a Box.  How can Identity Management software be effectively packaged in configurable appliances to streamline implementation and lower costs for mid market enterprises? 
  • Identity in the Cloud.  What are the challenges and opportunities for delivering Identity services within the highly virtualized, scalable and diverse cloud computing paradigm?

If you have thoughts in these areas, please let me know what you think.


 

We Follow #Identity

Identity
Author: Mark Dixon
Wednesday, March 25, 2009
7:31 pm

This evening I visited wefollow.com, a "user-powered Twitter directory."  Anyone with a Twitter address can join the directory by specifying up to three tags of choice — Identity attributes as it were.  My three tags: #identity, #LDS and #Arizona.

It was nice to see that way out on the long tail of Twitterdom, with my follower count only about 0.1% of @THE_REAL_SHAQ or @BarackObama, I can still crack the top twenty in each of my chosen categories.

I’d guess that proves that there’s a lot of folks who haven’t signed up yet.

But I enjoyed seeing fellow Identity aficionados like @metadaddy, @iglazer, @LudoMP, @ncrown and @hmathew in the top 25 of #Identity.


 

Flocking around Twitter

Identity
Author: Mark Dixon
Thursday, March 19, 2009
6:17 pm

This evening I stumbled across Twittersheep, which creates an interactive cloud of keywords from the Twitter profiles of people who follow me on Twitter. It makes for some interesting exploration of the company I keep – my "flock" in Twittersheep-speak.

It made me think of the Old Testament verse from Isaiah 53:6; "All we like sheep have gone astray …"


 

The Solution isn’t Always a Computer

Identity
Author: Mark Dixon
Tuesday, March 10, 2009
3:44 pm

After I blogged recently about Identity theft, I received a note from a representative of Uni-Ball, the pen company, who pointed out their contribution to fighting Identity Theft:

"As it becomes more difficult to get new lines of credit, identity thieves may be drawn more to commit check fraud. These crimes may take the form of stolen checks, using checks thrown into the trash by unknowing consumers, or a type of identity theft known as "check washing." Check washing occurs when checks or other tax-related documents are stolen from the mail or by other means and the ink is erased using common household chemicals, allowing thieves to endorse checks to themselves. This is where something as simple and inexpensive as a select uni-ball pen can help. Select uni-ball pens contain specially formulated gel ink (trademarked Uni-Super Ink™) that is absorbed into the paper’s fibers and can never be washed out."

We in the information systems business too often think of all problems being solved by innovative applications of computers and software.  Here is one example of how a key part of the solution to Identity theft is solved in a much simpler way.

 

Business-focused Identity Theft

Identity
Author: Mark Dixon
Thursday, March 5, 2009
3:25 pm

Today’s Phoenix Business Journal included an interesting article about how businesses, not just individuals, are increasingly becoming a target for identity thieves.  Arizona leads the nation in the rate of identity theft, with the dubious honor of having "149 identity theft cases reported for every 100,000 people for last year."

"The number of incidents has increased as the economy has sunk into recession, and it’s creating a situation of a ‘perfect storm’ in the information technology security business," said Eduard Goodman, chief privacy officer for Scottsdale-based Identity Theft 911 LLC.

The article further states, "Businesses have unique challenges when dealing with the problem. As storehouses for employee and customer information, a stray laptop left in a car or at the airport can have dramatic ramifications."

In that light, Goodman has some good advice for all of us, "Businesses need to treat personal identifiable information like they would money.  You wouldn’t leave cash lying around" for someone to steal.   Don’t make that mistake with your data.

From the consumer viewpoint, the Arizona Federal Credit Union website offers some valuable information about how to prevent and/or recover from identity theft.

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.