The "identity bus" is, of course, still just a vision, but at least it is a beginning. Understanding and building toward an identity industry that is "the identity bus" should be the mission of every serious identity vendor out there.
[From Identity Bus: More than meets the eye | CSO Blogs]
Kim has been talking about this as well. There’s a lot to commend this way of thinking. From the technical side, we all understand what a bus implies: standards and interfaces, "plug and play", commodity units. Whether this is realistic in the identity space needs further discussion, because the industry may not yet know enough about what is wanted, what the real requirements are, in order to be able to come up with some building blocks of lasting value. Yet in a discussion this afternoon, in connection with the use of mobile phones in the identity infrastructure, I did start to think that perhaps instead of endless industry bodies, government studies and new experiments, it might be better to just start plugging a few bits and pieces together.
So how might an identity bus function? I think we can all understand the markitecture: my application uses the buses to exchange some identity information with your application, without having to know anything about your application or (more importantly in the strategic context of this discussion) you. Now, while it is possible to imagine how to do this at the low level, it’s much harder to see how it might come together at the business level, for the same reasons that have dogged PKI in the B2B space since the very beginning. Outside of closed user groups, there aren’t the trust relationships there in the first place. That’s why they can’t be implemented using the technology. It’s not because the technology doesn’t exist, but because the relationships don’t.
But let’s suppose that at one level, the national level, there is one organisation that is "trusted" in the sense that lawyers understand (to do with the transfer of liabilities). Then we could make some progress. At the national level, we can take the identity bus idea here and reformulate it as the identity utility, regulated by the government in some way (because the government’s national identity scheme would be connected to it) but provided largely by the private sector. The utility "pipes" identity to where it is consumed. The government identity need not be used in transactions, but it would serve to substantially reduce the cost to other private sector organisations of them issuing their own identities: What I mean by this is that it will be simpler, cheaper and more efficient for (say) Lloyds TSB to issue me with some form of electronic ID (who knows — a 2FA OpenID, or something like that) if they can use a government identity service to cut a whole lot of cost and overhead out of the process.
So I can kind of see how it might all work, at least in outline. For business, though, we need to consider the meter as well. Should we charge a flat fee for the use of the utility or a small amount each time someone gets on the bus (oops, analogy overload)? There’s no reason for it to be free, but there’s a reasonable debate to be had around the best way to charge. Apart from anything else, there’s the psychological factor: Something that’s free isn’t valued.
Well, whether the bus transporting identity around or the utility piping identity for consumption is the better metaphor, who knows, but they both help to improve the richness of discussion. We need some way of communicating the vision of digital identity at work, and these will do.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.