Federation in Nice

[Dave Birch]  Here I am down in Nice at the RSA Conference Europe, which really is nice, since it’s sunny and beautiful and the sea is blue.  John Madelin’s session on federation was well-attended and interesting: John was talking about identity management (IDM) in business and teasing out the elements that are complicated (messing around with certificates) as opposed to the elements that are complex (connectivity).  His point was that the "perfect storm" of pervasive networks and ubiquitous connectivity is creating an environment where something big, something revolutionary must be coming to make a fundamental change in the way identity is managed.  I may have misunderstood, but his categories of complicated and complex seemed to overlap with the connection / disconnection model that we use in technology roadmapping.  I will definitely go back to his Identity Society wiki to ponder further.  I did agree with one of this main conclusions, though it pains me to say it: no one person knows everything about identity!

Technorati Tags: business, federation

John concluded that a single, centralised IDM system is not going to work.  But nor is a simple kind of federation, because the "subgroups" are too different: in a business context, partner networks and hubs, shared enterprises and corporate networks, all involve different kinds of people and (critically) different kinds of relationships. Yet there is a need for some kind of IDM to emerge since, as John pointed out, the analysts’ cost models show that a working IDM (which he divided into directory, access and lifecycle services) would save big companies about 3,000 euros per employee per annum: why isn’t more happening?  This set me thinking — again — about why federation is taking so long to get going.

I can’t be atypical, in the sense that if someone gives me a useful "digital identity" (whether using InfoCards, OpenID or whatever) that solves no problem other than giving me single sign-on to the web sites I visit most often, then I would use it and be happy to see it federated.  In fact, I would probably use two or three, much as I use two or three different payment cards at the moment.  Perhaps one digital ID from the government, one from my company, one from bank.  The one from the government would establish my unique real identity and map it directly to virtual identities.  The one from my company might perform a similar function but it would only be useful in intranet and extranet environments.  The one from myself would, essentially, be anonymous and of no real value (but would provide convenience).  Federation might apply to these, but in limited circumstances.

But suppose I had a digital ID from a third-party (eg, my bank).  Wouldn’t other people — in the Liberty Alliance mode that we are all familiar with — be happy to accept a certificate based on this digital ID and therefore make life easy for me: shouldn’t I be able to use my bank digital ID to communicate with British Airways?  Even if I only use my bank digital ID to obtain a strongly-authenticated British Airways digital ID, it would still save considerable effort.

What strikes me is that I already have a digital ID from my bank: my EMV debit card.  Why can’t I use that to log on to do my taxes or book a hotel?  Well, there’s no smart card reader in my laptop, for one thing.  Surely my bank could provide a companion digital certificate, something I could download from my home banking site (after typing in my grandmother’s hat size and the like) to my desktop and to my laptop and then use to log in to the bank from then on.  What’s the barrier to doing this?  The cost of generating a certificate for me to download is, to all intents and purposes, zero.  It must be that it’s just too complicated: telling customers put in your card and punch in your PIN is one thing, but trying to explain to them how to download a certificates into a browser, after all these years, is another.