Monday Sep 28, 2009

Thanks, Dave!

I was honored today to have the wise sage of Identity, Dave Kearns, refer to me as a “fellow grandfather” and borrow content from my DIDW post (with my permission, of course) in his article about Digital ID World.  It’s always great to share thoughts with Dave.

Thursday Sep 17, 2009

Digital ID World – Final Thoughts

I missed the final sessions of Digital ID World on Wednesday because of commitments in California.  Judging from the Twitter traffic, it sounded like some great stuff was discussed.

As a follow-up to my posts for Day 1 and Day 2, here are my top ten final thoughts about the conference (without the benefit of Day 3):

  1. Most Stimulating Information. Jeff Jonas’ discussion about using data analytics to discover space-time-travel characteristics of individuals was both challenging and disturbing.
  2. Newest Identity Concept. Phil Windley’s proposal to enable contextualized, purpose-based user experiences using the web browser as a point of integration triggers lots of new thoughts about extracting value from the Internet.
  3. Most Reinforced Notion. The Identity Management market is maturing.  Companies are seeking to learn best practices for getting the most out of their investments.
  4. Biggest Question in my Mind. How much validity should we place in Symplified’s claim that “Federation is Dead.  Long Live the Federation Fabric?”
  5. Most Enjoyable Networking Moments.  Meeting folks in person I have only met virtually beforehand.  In person wins every time.
  6. Most-asked Question.  Nearly everyone whom I spoke with asked me something about the Oracle acquisition of Sun.  That happened to be the easiest question for me to answer: “Until the deal closes, we are independent companies.  We must wait until then for details.”
  7. Best Trade Show Giveaway. An LED flashlight from Novell.  Incandescent bulb flashlights seem to be quickly joining buggy whips in the dustbins of history (except for special cases).
  8. Biggest Pet Peeve.  No power strips or WIFI were provided for attendees.  This severely limited note taking and real-time blogging.
  9. Most Entertaining Event.  No, not the parties.  It was the Chinese guy who drove my taxi to the airport.  He chattered non-stop for the whole trip about technology, Maryland, California, Utah, Idaho, Micron, Sun Microsystems, Oracle, potato chips, microchips, stock trading, traffic and dishonest taxi drivers.  What a hoot!
  10. Biggest Disappointment. The show seems to get smaller each year – both in the number of attendees and participating vendors.  Will it survive?

That’s my list.  What do you think?

Tuesday Sep 15, 2009

Digital ID World - Day 2

Today was really the first “official” day of the Digital ID World conference, but for me – Day 2.  So, here are some short highlights of the sessions I attended.

Cops and Robbers, Las Vegas Style – Jeff Jonas, Chief Scientist, IBM Entity Analytic Solutions

  • Las Vegas is his “laboratory” for identity analytics – resorts typically have 100+ systems and 20,000+ sensors
  • Context engines close the gap between the rapidly increasing amount of digital data and the less rapid growth of “sense-making” algorithms
  • Mobile operators are accumulating 600 billion cellphone transaction records annually and are selling this data to third parties who use advanced analytics to identify space/time/travel characteristics of individual people

Context Automation – Phil Windley, CTO, Kynetx

  • Web marketing currently focuses on servers, using the metaphor of “location”
  • Focus on “purpose” from the client’s perspective, using an intelligent, adaptable browser, will bridge between server-based silos to give users a richer, more purposeful experience

The Implications of Privacy on IDM – Larry Ponemon, Founder and Chairman, Ponemon Institute

  • Many cultural differences are evident between nations and areas of the world with regard to privacy, security and identity management expectations.
  • Companies doing business internationally will need to be sensitive to cultural and legal issues in the nations where they do business.
  • People are growing tired of fact-based identity
  • Perceptions of privacy are inextricably linked to identity and authentication

Business Process and Legal Issues in Cross-Org Secure Collaboration – Peter McLaughlin, Foley & Lardner

  • Regulatory language should be treated as a floor, rather than a ceiling
  • Normal industry practices may represent minimum requirements but may not guarantee compliance
  • Make sure your business partners abide by the same laws your company is subject to
  • Reputational risk will always stay with your company, but you may seek to share financial risk with partners

Identity Governance Frameworks – Marc Lindsey, Levine, Blaszak, Block & Boothby

  • Legal agreements seek to apportion liability - who is responsible for what?
  • Comprehensive frameworks for governing such agreements are emerging
  • Modern federation agreements need to be better than the old EDI agreements

Dealing with International Privacy Laws – Discussion led by Larry Ponemon, Founder and Chairman, Ponemon Institute

  • Complex international privacy laws affecting data transport hamper organizations' ability to do their legitimate work.
  • Will it be easier or harder to deal with international differences in privacy laws in five years?  (majority of audience said no)

Federation is Dead: Long Live the Federation Fabric – Symplified

  • Federation must move to a utility model to overcome issues of costs and complexity associated with one-to-one integration.

Building Good Practices into Your Processes – Edward Higgins, Vice President of Security Services, Digital Discovery Corporation

  • Education of employees on good security practices is a critical part of getting value from your IDM investment


Digital ID World - Day 1

On Monday and Tuesday this week, I attended the Digital ID World (DIDW) conference held at the Rio Hotel in Las Vegas.  It has been enjoyable to take the pulse of the industry from yet another vantage point and connect with fellow Identity Management practitioners from diverse locations.  Of course, the first question nearly everyone asked me had something to do with Oracle, but, of course, I can’t talk about that.  So, here are very brief highlights of each session I attended the first day (Authentication and Virtual Directory “Summit Sessions”):

The State of Authentication and its Impact on IDM – Jim Reno, CTO, Arcot

  • “Risk Based Authentication” is a fourth factor of authentication, augmenting traditional factors (what you have, know, and are)
  • Authentication should consider context when assessing risk

Authentication Case Study – Naomi Shibata, former GM/COO, MLSListings

  • Communications with users is essential prior to authentication system rollout

The Future of Authentication – panel including Jim Reno and Naomi Shibata, moderated by Bill Brenner, Sr. Editor of CSO Magazine

  • Business, legal, regulatory and liability issues are more onerous than technical issues when considering an authentication system
  • Authentication technology advances usually occur in response to advances in threats
  • Enterprises should periodically re-verify appropriateness of installed authentication systems in light of advances in technology and threats
  • Identity assurance is increasing in importance

Identity Service Virtualization and Context Management – Michel Prompt, CEO/Founder, Radiant Logic

  • It is difficult to define Identity without understanding the context in which it is used
  • Understanding relationships between identity objects enables a global model that links identities together to enable contextual views
  • Such Identity linking can occur in a virtualization layer between diverse identity repositories and applications which consume those identities

Case Study: Identity Services and Virtualization – Bill Brenner, CSO Magazine and Mohammad Khattak, Booz Allen Hamilton

  • Dynamic Access Control requires a consolidated identity repository with many sources of identity information
  • When aggregating data sources, we need to understand the trust level in each source repository

Impact of Oracle/Sun Acquisition – David Rusting, Unisys and Todd Clayton, CoreBlox

Note: I am restricted from commenting on product roadmaps or anything related to the Oracle acquisition of Sun.  The following comments are views expressed by the panelists.

  • The primary discussion focused on how customers should plan for potential changes in either Sun or Oracle directory roadmaps
  • A virtualization layer between directory and applications may provide a layer of abstraction to shield customers from changes in vendor roadmaps and reduce ties to a single vendor
  • This may be a time to re-evaluate application needs and determine which direction to go with regards to directory technology

Stay tuned for Day 2!

Thursday Aug 27, 2009

Aegis USA - Identity Appliances

Two of the large challenges in the Identity Management market are the cost of entry and time to value.  With their announcement last week of the AegisUSA Identity Solution Continuum, our friends at AegisUSA are focusing on both of those challenges.

I think the most innovative part of this announcement is the unveiling of appliance-based turnkey solutions "that deliver enterprise-level identity management functionality. Aegis Identity Appliances are functional IAM solutions configured to scale for future identity management growth and expansion. Preconfigured Appliances include Password Management, Single Sign-On (SSO), Federated Identity InCommon® Quickstart, and Google Apps Provisioning, with additional point solutions planned in the near future."

Helping companies quickly and easily accrue real value in Identity Management while building a solid foundation for future expansion is a fundamental best practice for Identity Management.  It appears that the AegisUSA approach should bring real value to customers.


Friday May 15, 2009

Weave Identity - Synergistic Creativity

A week ago, I blogged about the Mozilla Labs Weave project enabling automatic website login.  A couple of days ago, thanks to Pat Patterson, I read Dan Mills' blog about the effort and watched his video again.  I thought Dan's pragmatic vision about the role the browser could play in simplifying the authentication process was quite perceptive:

"Part of the guiding force here is that we think that regardless of the inner mechanism (a federated identity, a simple username and password, or something else), in the end the action of logging in is essentially the same. Therefore, as the browser we should try to provide a similar experience, regardless of the method being used. As the user’s agent we should also strive to act on the user’s behalf when possible, and we believe this is one of those cases."

The comments to Dan's post were also thought-provoking.  They ranged from

"This is just super-cool and something that *everyone* has been waiting for unknowingly. I don’t know why it hasn’t already been done!"

to

"I’m sorry guys, but I have to strongly disagree with your entire approach here."

What excites me about what happened here is more than just another cool experiment and demo.  Rather than just talk about it, some enterprising folks tackled a real-life problem, formulated an interesting idea, made a quick prototype, put it out for everyone to see, and invited discussion around this visible strawman.  The next prototypes will get better and better.  Real progress has been made and will continue. This is a bright example of what I like to call "synergistic creativity."

Way to go, guys!

P.S. I used to think I coined the term "synergistic creativity," but found that Dean Patrick R. Dugan of Ohio State University beat me to the punch.  I still like the concept!


Friday Apr 03, 2009

Identity Assurance with

I admit it.  I stalk Identity Management on Twitter.  I do so by dedicating a Tweetdeck search column to the term "Identity Management." This morning, my stalking paid off.  I picked up a tweet from @TechRSS introducing me to, a service that purports to validate a person's true identity over the Internet:
" Certified users store their certified identity information to the service and create a link between an Internet community and their verified true identity stored at Certified. By getting your digital ID certified, the service will compare it from trusted data sources such as your bank info and public registers."
The two methods used during the validation process include:
  1. Being charged a random certification fee (between €2 and €5)  to a credit card with the same name being certified. The user must later submit the precise amount charged to the website.
  2. Submitting the user's real postal address, to which is sent a printed letter with a code that must be later submitted.
I haven't yet used this service, but it represents a novel approach to verifying a person's real Identity.  It isn't completely foolproof, but scamming the system would require both a fraudulent credit card account and a fraudulent postal address. 

This is but one approach in the general area of Identity assurance - focused on validating that a person is really who he or she claims to be.  In an online environment rife with imposters and anonymity, this is a breath of fresh air.

Of course, the validation process is not immediate - like online denizens usually prefer.  You don't automatically know that I am the person whom I claim to be, just because I registered at the site.  I must wait for the precise amount of my credit card charge to show up on my account statement and for the printed letter to arrive.  I'll report back when my certification is issued.  Maybe then you will be convinced that I am The_Real_Mark_Dixon (like @The_Real_Shaq, but with a minor fraction of his fan base and monthly income).


Thursday Apr 02, 2009

Have a Token: ID Hats and Personae

While pondering the ProtectServe/Relationship Manager proposition, use cases and protocol flows set forth by Eve Maler, in the context of a discussion of open architectures for citizen/government interaction I had earlier in the day, I came up with the bizarre notion that perhaps the best analogy for an Identity persona claimed by an individual is not an ID card, but an ID HAT.

We often talk about wearing different hats in life ... some of mine are listed in my Twitter bio: "Husband, father, grandfather, social networking aficionado and Identity Management professional."  In one short phrase, five hats I commonly and proudly wear are identified.  Of course, I can choose to don other hats or expose other personae in my relationships with people or systems, either in person or in cyberspace.

In the case of online relationships, the trick is to provide the service I choose to relate with - the "consumer" in the ProtectServe model - with precisely the subset of my "user" data that represents the hat I choose to wear in that relationship (my selected persona).  In the ProtectServe model, I depend on the Authorization Manager (aka CopMonkey) to provide the consumer with a token representing my chosen hat.

Now here's where the hat concept becomes more useful ... in addition to being a useful metaphor for my chosen persona, HAT is also an acronym for "Have a Token," which is precisely the action I authorize the relationship manager to complete on my behalf.  Through this trusted third party, I have offered a token (Have a Token) to the consumer representing the HAT I choose to wear in our relationship.

Whether or not the ID HAT analogy has legs will be for others to decide.  But for me, it was an analogy that helped me understand a somewhat complex concept.

By the way, (many) hats off to Eve and the other brilliant thinkers who came up with the ProtectServe concept!


Wednesday Apr 01, 2009

Identity in the Browser (IDIB) - More Complexity than Meets the Eye

A few days ago, I mentioned that Identity in the Browser (IDIB) was emerging as an interesting Identity Management topic.  After following a somewhat spirited internal email thread on the subject, I compiled a list of twenty issues that should be addressed as this topic is explored:
  1. Can a general approach be defined that would work in all the commercial browsers?
  2. Impact on mobile web, not just desktop/laptop web
  3. Ease of use for broad range of Internet users
  4. Security of authentication process
  5. Phishing resistance
  6. Security of browsers as a focal point for Identity
  7. How does this support cloud computing?
  8. Use of or interaction with standards or emerging standards (e.g. SAML, OpenID, OAuth)
  9. Hosted vs. client-based Identity selectors
  10. Support for multiple identities or personae
  11. Support for multiple identity providers
  12. Matching what service providers (SP) want with what Identity providers (IP) and attribute providers (AP) can deliver
  13. Accommodating self-registered and organization-registered identities and attributes
  14. Complexity issues with federation (e.g. multiple sessions, timeouts and logouts)
  15. Policy enforcement across multiple organizations and entities
  16. Audit/compliance/governance
  17. Applicability of certificate based authentication
  18. Impact on InfoCard/CardSpace approach
  19. Impact on Higgins approach
  20. Licensing fees for use of specific technologies
I'm sure this list isn't exhaustive, nor is it even prioritized.  It does illustrate, however, that any new approach must cover much ground if it is to be effective.

It will be interesting to monitor progress as these topics are discussed in more detail.


Eve Maler: Renaissance Woman

Dave Kearns published a nice article today about Eve Maler, whose latest title is Emerging Technologies Director, Sun Microsystems Identity Software.  Although Eve told me she was a bit embarrassed by that headline, I think it fits well. 

Dave speaks highly about Eve and then introduces the proposed ProtectServe web protocol Eve described in her blog post To Protect and Serve and further addressed in her post ProtectServe: getting down to (use) cases.  These posts are indicative of the innovative thinking that has been Eve's hallmark at Sun.

But perhaps it is Eve's musicianship, home remodeling, artistic stitching and photography that earned Eve the Renaissance Woman title.


Wednesday Mar 25, 2009

We Follow #Identity

This evening I visited, a "user-powered Twitter directory."  Anyone with a Twitter address can join the directory by specifying up to three tags of choice -- Identity attributes as it were.  My three tags: #identity, #LDS and #Arizona.

It was nice to see that way out on the long tail of Twitterdom, with my follower count only about 0.1% of @THE_REAL_SHAQ or @BarackObama, I can still crack the top twenty in each of my chosen categories.

I'd guess that proves that there's a lot of folks who haven't signed up yet.

But I enjoyed seeing fellow Identity aficionados like @metadaddy, @iglazer, @LudoMP, @ncrown and @hmathew in the top 25 of #Identity.


Thursday Mar 19, 2009

Flocking around Twitter

This evening I stumbled across Twittersheep, which creates an interactive cloud of keywords from the Twitter profiles of people who follow me on Twitter. It makes for some interesting exploration of the company I keep - my "flock" in Twittersheep-speak.

It made me think of the Old Testament verse from Isaiah 53:6: "All we like sheep have gone astray ..."


Thursday Feb 19, 2009

Prawo Jazdy - Mistaken Identity

BBC News reported yesterday that police in the Irish Republic mistakenly established separate identities for over 50 individuals named Prawo Jazdy, seemingly a notoriously elusive violator of traffic laws, before anyone realized that "Prawo Jazdy" means "Drivers License" in Polish!  Thanks to @rjhorniii for sharing the article reference on Twitter.


Wednesday Jan 28, 2009

OpenSSO Community Day

Yesterday, Sun announced a "community day for OpenSSO enthusiasts around the time of the CommunityOne Conference in New York.
All are welcome, attendance is free, and continental breakfast plus lunch will be provided. ... Hosted by New York University at the Kimmel Center in Greenwich Village, New York, and sponsored by Sun Microsystems, this is an opportunity for OpenSSO contributors, deployers and users to come together in an informal unconference setting."

For more information or to sign up, please visit the OpenSSO Community Day page on


Wednesday Jan 07, 2009

What do YOU think about Digital Identity in Open Government?

Yesterday, I blogged about an Open Government Workshop to be held at MIT on January 15th to address the role of Digital Identity in modern government.   You can participate in framing the discussion by participating in this online forum.  Please take a few minutes to read questions others have submitted and vote on which topics you think are most relevant.
Here are the five questions I submitted:
  • How can personal Digital Identity attributes be leveraged to personalize the interaction a citizen has with a government agency while protecting confidential citizen information?
  • How can Digital Identity be leveraged to effectively enable citizen/government interaction without using a National ID card system?
  • How can static Digital Identity attributes (e.g. name, age) be combined or blended with contextual attributes (e.g. location, current interest) to enrich citizen/government interaction without compromising confidential information?
  • How can confidential Digital Identity attributes provided by a citizen to one organization or agency be effectively used for an overall citizen/government experience without divulging that information to other organizations?
  • Are there ways Digital Identity systems employed by private enterprise can be leveraged to provide e-government authentication and authorization services?
What are yours?


Discovering Identity was founded on in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.

The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.

