[Dave Birch] A conversation today set me thinking (yet again) about why things are not getting better. Once again, I must ask why the identity management situation does not seem to be improving much. In particular, surprisingly little seems to be happening in federated identity. Not because the standards needed to do it don’t exist, or exist but don’t work, but because they don’t overcome the trust barrier. Why should a company trust another company’s credentials? Or, at least, why should a company trust another company’s credentials unless they both belong to a “gang”? Businesses want certainty in these matters: they want to see that liabilities are distributed in a known and understood way, so that everyone knows where they stand. Thus, in a scheme such as MasterCard or IdenTrust, each of the participants can assess risk and reward properly. But if I’m Facebook, should I accept a MySpace identity? What if the MySpace identity claims to be under or over 18 and I’m going to rely on that credential in some way?

Oddly, while nothing much is happening in federation in the mass market (I’m no nearer being able to log on to one bank with another bank’s credential than I was a decade ago), there has been some progress in government systems. An example of something that has actually been working in the U.S. is FiXs, the Federation for Identity Cross Credentialing Systems. FiXs is a network of government agencies and private sector institutions that has assembled the federally-mandated interoperable authentication between the Department of Defense and its contractors. They have created a bridge between government and companies doing business with the government, ensuring that trusted credentials are issued and given appropriate access. Javelin point to this as a prime example of an effective public/private partnership, and I wonder if we shouldn’t look at this more bottom-up approach as a way forward. If we somehow facilitate the growth of interoperability in limited (but potentially large) domains and then look to interconnect those domains, we may begin to assemble the kind of digital identity infrastructure that was being envisaged in earlier days.

So what domains could we look at for evidence that this might, in fact, be the way the world is going? Well, so far the vast majority of real-world federation roll-outs have been internal or enterprise-type deployments: organisations authenticating users to an outsourced service provider (such as a Fidelity 401K, or AOL’s Radio Service). Connor says in that piece that

the time has come for federation and Single-Sign-On to be adopted in a more general fashion.

I think this too, both because as a consumer and citizen I am fed up with managing multiple passwords (the traditional SSO justification), and because our clients want to do more online, want to move services online, want to deliver more efficiently online, but can’t in the absence of an infrastructure. Now, that infrastructure isn’t just about managing passwords: it’s about managing identities, credentials and reputation. This is where it is getting bogged down, since no consensus is emerging about how any of these things should be organised and managed in a mass market.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public

1 comment

  1. I have a smart card “issued” by the United States Government (really Lockheed Martin and Senture), a Transportation Workers Identity Credential. It actually got accepted instead of my driver’s license at an airport (with some cajoling). It follows FIPS 201, has an identity certificate, PIN, finger biometric, and digital photo (though less useful for SSO); it could be chained to the Federal Bridge (separate story), so why can’t I use this for logging onto web sites (I know the technical reasons but humor me)?
    The problem is that each of the schemes I have run across really seems to be a case where someone is trying to own the Federation, aka “just trust me with your data, I’m the most benign, altruistic clearinghouse you will ever run into”.
    Am I just too juiced on the kool-aid, but jeez, shouldn’t some Federation start looking at what’s out there instead of trying to reinvent the credential wheel?
