
Exploring the science and magic of Identity and Access Management
Thursday, February 5, 2026

Leveraging Federated Identity

Identity
Author: Mark Dixon
Tuesday, August 23, 2005
5:57 am

Leverage: "Positional advantage; power to act effectively."

Much has been said about the necessity to secure trusted business relationships
between parties in order to make federated identity worthwhile. Eric Leach, Sun’s
director of product management for Federated Identity products, put a different
spin on the subject in a recent presentation I attended. He stressed that many
companies, particularly in the telecom and financial services industries, see the
emerging federation technology as an enabler to leverage the trusted business
relationships they already have in place. Federated Identities make it possible
for them to offer new products and services in a more efficient manner.


Identity is the Network

Identity
Author: Mark Dixon
Friday, August 19, 2005
3:45 am

The footer attached to Sun Microsystems’ press releases states, "A singular
vision — ‘The Network Is The Computer’ — guides Sun in the development of
technologies that power the world’s most important markets. Sun’s philosophy of
sharing innovation and building communities is at the forefront of the next wave
of computing: the Participation Age."

I met Sara Gates, Sun’s Vice President of Identity Management, for the first time
yesterday when she addressed a group of us Sun folks. She proposed: "We have said
‘the Network is the Computer.’ We now say ‘Identity is the Network.’"

Quite a bold statement! What in the world does that mean? Should we care?

Here’s my interpretation …

Networking technologies transformed computing from isolated functional
islands into a highly inter-connected information universe, enabling the Information
Age – because both computing and connectivity became ubiquitous and highly
available.

Identity technologies will transform computing into the next paradigm, the
Participation Age, because trusted Identity Relationships between all types
of online participants will become ubiquitous and highly available. The information
universe will expand to become a highly interconnected universe of trusted relationships
between digital Identities, representing real people, real enterprises, and
real communities, participating actively as never before.

The information age was all about interconnected nodes of computing power and
information. The Participation Age is all about Identity Relationships.

Establishing trusted Identity Relationships among online participants expands
the inherent value of the information universe. As trusted relationships are
established, online commerce, information sharing, community formation and interpersonal
interaction are all accelerated.

Our challenge? Build ubiquity and availability. Identity Relationships must
be more simple to establish, easier to use, more reliable, more sensitive to
personal privacy and much more secure than they are today.

I’ve been around the industry since connecting computers together required
custom hardware and software. I’ve experienced the transformation of computing
into the Information Age – to when my wife and kids miss email and IM more than
they miss television when cable TV fails. It’s great to be a part of the next
transformation – into the Participation Age — where Identity is the Network.


MGD

Identity
Author: Mark Dixon
Thursday, August 18, 2005
3:50 am

What did you think when you read the title? Miller Genuine Draft? Or, more
correctly, Mark G. Dixon?

I find it quite ironic that a teetotalling Mormon
has the same initials as a famous beer! I still rue the day that I didn’t register
the domain mgd.com.

I just read David Matheson’s post, The Personal and the Empirical, in which he
proposes that "personal information is empirical information specifically about
an individual." He then provides a brief summary of "six putative knowledge
sources" defined by philosophers, that can be used to determine whether or not
information is private.

Based on David’s model, I will claim, through Introspection, that
MGD is my personal information, not Miller Brewing’s!
They may have the website, but the initials are mine!

As further proof, I registered =mgd as my i-name on Identity Commons.
This time, Mr. Miller, I got there first.

p.s. Any guesses what “G” stands for? (My G, not Miller’s)


Iovation

Identity
Author: Mark Dixon
Wednesday, August 17, 2005
8:50 pm

This morning I awoke at 5:00 a.m. (Austin, TX time) and posted an entry
on my blog in response to Rohan Pinto’s response to my blog yesterday.
By the time I arrived at the Sun office at 8:30 a.m., Rohan had already posted
a thoughtful, detailed exploration of how vulnerable the whole authentication
process can be to Identity Theft. I encourage you to read his post.

Let me share the comments I posted on his blog:

I believe you are absolutely correct that stolen identities can destroy
the whole authentication process. It was a recent article I referenced in my
blog that got me thinking along this thread:

Your point that some method is necessary to make sure that the device from
which the authentication claim is issued is absolutely valid.

I recently learned from a good friend of mine, Dick Luebke, about a startup
company in the Portland area, Iovation, that is tackling this problem:

They claim the heart of their technology is "the Internet’s only
Device Reputation Authority™." I understand this to be sort of
a secure digital fingerprint for a device such as a PC or cell phone.

You may want to check it out.

Rohan is right that multiple steps of authentication are necessary to reduce
the doubt about an Identity claim to an acceptable level. As James Kobielus
stated in the Network World article I referenced above and previously, "… trust
– the foundation of identity-management federation – is in jeopardy if the industry
doesn’t proactively address identity theft on many levels." Perhaps Iovation can help provide the answers.


Who I Claim to Be vs. Who You Think I Am

Identity
Author: Mark Dixon
Wednesday, August 17, 2005
4:35 am

In response to my blog yesterday, Rohan Pinto stated that the correct response
to an Identity claim should be "who I think you are." Furthermore, the level of
proof necessary to validate my claim depends upon whether I’m offering something
of value to you or requesting something of value from you. I like that reasoning.

So, first comes my claim – "this is who I am, and this is what I offer
or request." Then comes your question – "who do I think he is, and
what does he want or offer?" Therein lies the big challenge for authentication
(do I believe him?) and authorization (what do I trust him to do?).

While the burden of proof for a claim lies with the subject that makes the
claim, the decision about how deep that proof must be and what transactions
will be authorized lies with the receiving subject.

Last night I was with a group of my peer Identarati from Sun cruising on
beautiful Lake Austin, near Austin, Texas. One guy mentioned a customer
requirement that Sun’s Access Manager product should grant a user access to a
financial application only on weekdays between 8 a.m. and 5 p.m. and only if he
or she had authorization to deal with transactions over $100,000 (something
like that).

In this scenario, the user would assert his claim – presumably user name and
password – and the Access Manager product would need to make the following decisions:

  • Is the claim believable to an acceptable level of proof? (authentication)
  • Is this person allowed to access this system at all? (authorization)
  • Is the current time within the authorized time frame? (authorization)
  • Is this person authorized to deal with transactions over $100,000? (authorization)

Claim. Authentication. Authorization. It works for me!
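
The four decisions above, sketched as a small policy check. This is an added example, not code from this post or from Sun's Access Manager; the entitlement names, the assurance scale and the fixed UTC-5 site offset are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Hypothetical policy values for the scenario above; none of these names
# come from Sun's Access Manager.
SITE_TZ = timezone(timedelta(hours=-5))  # constructed fixed offset for the site
# (a real deployment would use a named zone so daylight saving is handled)
OPEN, CLOSE = time(8, 0), time(17, 0)    # weekdays, 8 a.m. up to 5 p.m.
MIN_ASSURANCE = 1                        # assumed scale: 0 none, 1 password
APP = "finance-app"                      # assumed entitlement names
HIGH_VALUE = "txn-over-100k"


@dataclass(frozen=True)
class Claim:
    user: str
    assurance: int            # strength of proof the authenticator accepted
    entitlements: frozenset   # what the user has been granted


def decide(claim, now):
    """Run the four checks in order; return (permit, reason)."""
    if now.tzinfo is None:
        return False, "naive timestamp"  # never guess the time zone
    local = now.astimezone(SITE_TZ)      # the policy is stated in site time
    if claim.assurance < MIN_ASSURANCE:
        return False, "authentication"
    if APP not in claim.entitlements:
        return False, "application access"
    if local.weekday() >= 5 or not (OPEN <= local.time() < CLOSE):
        return False, "time window"
    if HIGH_VALUE not in claim.entitlements:
        return False, "transaction authority"
    return True, "permit"


# Constructed sample requests, with timestamps in UTC as a server would log them.
UTC = timezone.utc
alice = Claim("alice", 1, frozenset({APP, HIGH_VALUE}))
bob = Claim("bob", 1, frozenset({APP}))

if __name__ == "__main__":
    for who, ts in [(alice, datetime(2005, 8, 16, 15, 0, tzinfo=UTC)),
                    (alice, datetime(2005, 8, 19, 22, 0, tzinfo=UTC)),
                    (alice, datetime(2005, 8, 22, 1, 0, tzinfo=UTC)),
                    (bob, datetime(2005, 8, 16, 15, 0, tzinfo=UTC))]:
        print(who.user, ts.isoformat(), decide(who, ts))
```

The third sample is a Monday in UTC but still Sunday evening at the site, which is why the window is evaluated after converting to site time; 5 p.m. itself is treated as outside the window.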


Who I Am vs. Who I Claim to Be

Identity
Author: Mark Dixon
Tuesday, August 16, 2005
12:01 am

An article in yesterday’s USA Today Money section, "Biometric IDs could see
massive growth," illustrates a natural disconnect between "Who I am" and "Who I
claim to be." The US government’s trial Registered Traveler program uses
biometric ID cards as a mechanism to prove that a traveller is who he says he
is. It is not enough for a person to claim to be someone; he or she must prove
that claim, using a set of mutually-accepted identification mechanisms.

Before stating the Laws of Identity, Kim Cameron defines a digital identity as
"a set of claims made by one digital subject about itself or another digital
subject." He further points out that a claim is "an assertion of the truth of
something, typically one which is disputed or in doubt."

In a prospective interchange, we have one party claiming something to be true.
On the other hand, the recipient must validate that claim – remove the doubt.
The key challenge is how to prove, to the satisfaction of the receiving party,
whether a claim is indeed true. Biometrics attempt to connect physical characteristics
(e.g. fingerprints, retina scan patterns, DNA match?) with digital identifiers to validate
Identity claims. Trusted third parties can be used to vouch for the validity of claims.

Both digital identity and physical identity systems are faced with that challenge
– to prove whether claims are true. A variety of technologies can be combined
to validate claims in different environments, for different applications.

I suppose that every known claims-validation system could be compromised or spoofed if
enough money and resources were applied. Therefore, the risk of mistaken identity
will never fall to zero. The trick is to reduce the risk to an acceptable level.

Thirty-four years ago next month, I took an engineering drafting class while
a freshman at BYU. The instructor, Max Raisor, would draw something on the
chalkboard, take a step back to examine his work and then proclaim, "Good
enough for who it’s for!"

In reality, proving a claim is like that. It really means reducing the doubt
about the claim to a level acceptable for a connection to be made, or a transaction
to be consummated – where the level of doubt about "Who I Claim to Be" is good enough
for who it’s for.


Mistaken Identity

Identity
Author: Mark Dixon
Monday, August 15, 2005
5:36 am


Mistaken: "Based on error; wrong: a mistaken view of the situation."

In the fall of 1976, there were at least two Mark Dixons besides myself attending
Brigham Young University. The problem was that
the other Mark Dixons were single. I was newly married. On numerous occasions, we
would get interesting telephone calls from young ladies wanting to talk to "Mark
Dixon, please". My new bride took it all in stride, believing me when I
assured her that these young ladies wanted to talk to the other Mark
Dixons.

One day we received a perfumed letter from a young girl in Salt Lake City inviting
"Dear Mark" to accompany her to a formal dance at her high school.
Not knowing the right address for the Mark Dixon she wanted to reach, we traced
her return address to her home phone number, and talked to her Dad! He got quite
a kick out of his daughter’s exploits. I’m sure she was duly embarrassed to
learn she had sent the letter to the wrong address!

As in my recent horse story, we must be sure that Identity attributes are
sufficient, durable and measurable to uniquely identify someone.

Applying this principle to the Identity Management world, Ken Weiss of Charles Schwab & Co. put it this way (in large, bold letters) at the recent Catalyst conference:
"There is no substitute for a consistently applied opaque unique identifier."


Identity Commandments

Identity
Author: Mark Dixon
Saturday, August 13, 2005
7:20 am

“Don’t do no dumb stuff.” – JoAnn Larsen*

James Kobielus’ recent Network World article, "Identity theft threatens
federation," highlights an issue I’ve been pondering for some time – how threats
to the integrity of online interaction accelerate because an ever-increasing
number of rotten apples do dumb stuff.

Maybe Moses did understand our era. If we all obeyed at least four of those
3,000-year-old Ten Commandments, this bad stuff wouldn’t happen:

  • Thou shalt not covet – don’t lust for something that’s not yours.
  • Thou shalt not steal – don’t take stuff you want without paying.
  • Thou shalt not bear false witness – don’t lie about it, whether
    or not you get caught.
  • Thou shalt not kill – don’t blow up the guy who says you shouldn’t
    do these things.

James Madison, the fourth president of the United States, known as "The Father
of Our Constitution," put it this way: "We have staked the whole of
all our political institutions upon the capacity of mankind for self-government,
upon the capacity of each and all of us to govern ourselves, to control ourselves,
to sustain ourselves according to the Ten Commandments of God."

I’d bet President Madison would roll over in his grave if he saw people adopting
the philosophy I saw emblazoned on a t-shirt recently, "It’s not illegal
if you don’t get caught."

Civil society is based upon mutual trust – confidence that each member of the
society will respect each other’s rights and abide by time-tested, fundamental
principles of honesty and truth – not because someone else mandates trustworthy
actions, but because it is the right thing to do. Conversely, to the extent
people abandon the principles upon which trust is based, society loses its civility.

We Identarati fight the consequences of broken trust. Countless hours of thought
and millions of dollars of resources are poured into the premise that bad stuff
will happen and we must be ready. The philosophy of "opposition in all things"
applies here in spades.

*JoAnn Larsen is my sister-in-law, a great person and frequent
author of pithy sayings.


Obvious Identity

Identity
Author: Mark Dixon
Friday, August 12, 2005
7:03 am

As I was pondering the subject of Unique Identity the other day, I remembered a
story my dad used to tell.

An old farmer couldn’t tell his two horses apart, so he trimmed the mane short
on one of them. That worked until the mane grew back. So he cut one horse’s
tail short. That worked until the tail grew back. Finally, he measured both
horses, and found that the black horse was two inches taller than the white
horse.

"Stupid farmer," I thought in derision — until I realized the farmer
was blind.

What did I learn? Attributes we use to uniquely identify horses – or people
– should be sufficient to tell them apart, durable enough to be consistent over
time and measurable with the tools at hand.

p.s. A man once told me Richfield, Idaho, where I attended high school, was a
Unique town. He then went on to explain how "Unique" came from two Latin terms –
"Uno," meaning One, and "Equis," meaning Horse.

 

Unique Identity

Identity
Author: Mark Dixon
Friday, August 12, 2005
7:00 am

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.