Thursday Aug 27, 2009

Aegis USA - Identity Appliances

Two of the large challenges in the Identity Management market are the cost of entry and time to value.  With their announcement last week of the AegisUSA Identity Solution Continuum, our friends at AegisUSA are focusing on both of those challenges.

I think the most innovative part of this announcement is the unveiling of appliance-based turnkey solutions "that deliver enterprise-level identity management functionality. Aegis Identity Appliances are functional IAM solutions configured to scale for future identity management growth and expansion. Preconfigured Appliances include Password Management, Single Sign-On (SSO), Federated Identity InCommon® Quickstart, and Google Apps Provisioning, with additional point solutions planned in the near future."

Helping companies quickly and easily accrue real value in Identity Management while building a solid foundation for future expansion is a fundamental best practice for Identity Management.  It appears that the AegisUSA approach should bring real value to customers.

Friday May 15, 2009

Weave Identity - Synergistic Creativity

A week ago, I blogged about the Mozilla Labs Weave project enabling automatic website login.  A couple of days ago, thanks to Pat Patterson, I read Dan Mills' blog about the effort and watched his video again.  I thought Dan's pragmatic vision about the role the browser could play in simplifying the authentication process was quite perceptive:
"Part of the guiding force here is that we think that regardless of the inner mechanism (a federated identity, a simple username and password, or something else), in the end the action of logging in is essentially the same. Therefore, as the browser we should try to provide a similar experience, regardless of the method being used. As the user’s agent we should also strive to act on the user’s behalf when possible, and we believe this is one of those cases."
The comments to Dan's post were also thought-provoking.  They ranged from
"This is just super-cool and something that \*everyone\* has been waiting for unknowingly. I don’t know why it hasn’t already been done!"
to
"I’m sorry guys, but I have to strongly disagree with your entire approach here."
What excites me about what happened here is more than just another cool experiment and demo.  Rather than just talk about it, some enterprising folks tackled a real-life problem, formulated an interesting idea, made a quick prototype, put it out for everyone to see, and invited discussion around this visible strawman.   The next prototypes will get better and better.  Real progress has been made and will continue. This is a bright example of what I like to call "synergistic creativity."

Way to go, guys!

P.S. I used to think I coined the term "synergistic creativity," but found that Dean Patrick R. Dugan of Ohio State University beat me to the punch.  I still like the concept!

Wednesday Apr 29, 2009

Security Certificates on Cell Phones

A few weeks ago, Henry Story posted an excellent comment to my blog about Identity in the Browser, linking to his blog post Global Identity in the iPhone browser, which described the use of foaf+ssl certificates to authenticate access to a website.

Yesterday, I participated in a somewhat spirited discussion with colleagues about the pros and cons of using certificates in mobile devices to provide better security than common username/password techniques.  Getting away from typing passwords on a cell phone would be very helpful.  The main thing I really like about the method Henry described is the ease in selecting different certificates, which may represent different personas for a user.  Being able to increase security and ease-of-use at the same time is encouraging.

However, I think we need to overcome some other key hurdles to bring this method into the mainstream.  Some issues include:
  • How will certificates be distributed and installed, particularly to people who are not particularly technology savvy?
  • What methods will be used to verify that certificates match a person's real Identity?
  • What will it take to get a critical mass of online sites to adopt this method of authentication?
  • What happens if the phone is lost or stolen?

It will be interesting to see how these and other relevant issues are resolved.

Friday Apr 03, 2009

Identity Assurance with

I admit it.  I stalk Identity Management on Twitter.  I do so by dedicating a Tweetdeck search column to the term "Identity Management." This morning, my stalking paid off.  I picked up a tweet from @TechRSS introducing me to, a service that purports to validate a person's true identity over the Internet:
" Certified users store their certified identity information to the service and create a link between an Internet community and their verified true identity stored at Certified. By getting your digital ID certified, the service will compare it from trusted data sources such as your bank info and public registers."
The two methods used during the validation process include:
  1. Being charged a random certification fee (between €2 and €5) to a credit card with the same name being certified. The user must later submit the precise amount charged to the website.
  2. Submitting the user's real postal address, to which is sent a printed letter with a code that must be later submitted.
I haven't yet used this service, but it represents a novel approach to verifying a person's real Identity.  It isn't completely foolproof, but scamming the system would require both a fraudulent credit card account and a fraudulent postal address. 
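To make the two-channel check described above concrete, here is a small Python simulation. It is an added example for this post, not code from the service or from this blog, and the data model, the three-attempt cap and the eight-byte mailed code are assumptions; the service states neither a cap nor a code length. The point it adds to the description is a defender's caveat: a charge between €2 and €5 has only 301 possible cent values, so the amount channel is only as strong as the limit on wrong answers, and the mailed letter (a random code, not a guessable number) is the stronger of the two.

```python
"""Simulation of a two-channel identity-assurance check: a random micro-charge
whose exact amount the applicant must report back, plus a code mailed to the
applicant's postal address.  Added example; limits and names are assumptions."""
import hmac
import secrets
from dataclasses import dataclass

# Charge window stated in the post: a random amount between EUR 2 and EUR 5.
MIN_CENTS, MAX_CENTS = 200, 500
# Assumed policy.  The window holds only 301 distinct cent values, so a small
# cap on wrong answers is what stops the amount from simply being guessed.
MAX_ATTEMPTS = 3
POSTAL_CODE_BYTES = 8  # assumed length of the code printed in the mailed letter


@dataclass
class Certification:
    """Per-applicant state: the two secrets issued and the verification progress."""
    charge_cents: int
    postal_code: str
    charge_attempts: int = 0
    postal_attempts: int = 0
    charge_verified: bool = False
    postal_verified: bool = False
    locked: bool = False


def start_certification() -> Certification:
    """Issue the random charge amount and the mailed code.  Nothing is charged or
    mailed here; both values are constructed locally for the simulation."""
    cents = MIN_CENTS + secrets.randbelow(MAX_CENTS - MIN_CENTS + 1)
    return Certification(charge_cents=cents,
                         postal_code=secrets.token_hex(POSTAL_CODE_BYTES))


def _verify(cert: Certification, channel: str, expected: str, supplied: str) -> bool:
    """Shared check for both channels: constant-time compare, attempt counting,
    and a lock on the whole certification once either channel is exhausted."""
    if cert.locked:
        return False
    attempts_field = f"{channel}_attempts"
    setattr(cert, attempts_field, getattr(cert, attempts_field) + 1)
    if hmac.compare_digest(expected.encode(), supplied.encode()):
        setattr(cert, f"{channel}_verified", True)
        return True
    if getattr(cert, attempts_field) >= MAX_ATTEMPTS:
        cert.locked = True
    return False


def submit_charge_amount(cert: Certification, cents: int) -> bool:
    """The applicant reports the exact amount that appeared on the card statement."""
    return _verify(cert, "charge", str(cert.charge_cents), str(cents))


def submit_postal_code(cert: Certification, code: str) -> bool:
    """The applicant types in the code from the printed letter."""
    return _verify(cert, "postal", cert.postal_code, code.strip().lower())


def is_certified(cert: Certification) -> bool:
    """Both channels must succeed: a card in the claimed name AND control of the address."""
    return cert.charge_verified and cert.postal_verified and not cert.locked


def lockout_holds_against_guessing(cert: Certification) -> bool:
    """Defender's check that the cap works: walking the whole 301-value window
    must end in a locked certification, never a verified one.  A guesser still
    has MAX_ATTEMPTS chances in 301, which is why the postal channel exists."""
    for guess in range(MIN_CENTS, MAX_CENTS + 1):
        if submit_charge_amount(cert, guess):
            return False
    return cert.locked


if __name__ == "__main__":
    cert = start_certification()
    print("issued amount (cents):", cert.charge_cents, "code:", cert.postal_code)
    print("wrong amount accepted?", submit_charge_amount(cert, cert.charge_cents + 1))
    print("right amount accepted?", submit_charge_amount(cert, cert.charge_cents))
    print("right code accepted?", submit_postal_code(cert, cert.postal_code.upper()))
    print("certified?", is_certified(cert))
```

The lock deliberately applies to the whole certification rather than to one channel, so that exhausting the cheap channel cannot be retried indefinitely while the letter is in the post.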

This is but one approach in the general area of Identity assurance - focused on validating that a person is really who he or she claims to be.  In an online environment rife with imposters and anonymity, this is a breath of fresh air.

Of course, the validation process is not immediate - like online denizens usually prefer.  You don't automatically know that I am the person whom I claim to be, just because I registered at the site.  I must wait for the precise amount of my credit card charge to show up on my account statement and for the printed letter to arrive.  I'll report back when my certification is issued.  Maybe then you will be convinced that I am The_Real_Mark_Dixon (like @The_Real_Shaq, but with a minor fraction of his fan base and monthly income).

Thursday Apr 02, 2009

Have a Token: ID Hats and Personae

While pondering the ProtectServe/Relationship Manager proposition, use cases and protocol flows set forth by Eve Maler, in the context of a discussion of open architectures for citizen/government interaction I had earlier in the day, I came up with the bizarre notion that perhaps the best analogy for an Identity persona claimed by an individual is not an ID card, but an ID HAT.

We often talk about wearing different hats in life ... some of mine are listed in my Twitter bio: "Husband, father, grandfather, social networking aficionado and Identity Management professional."  In one short phrase, five hats I commonly and proudly wear are identified.  Of course, I can choose to don other hats or expose other personae in my relationships with people or systems, either in person or in cyberspace.

In the case of online relationships, the trick is to provide the service I choose to relate with - the "consumer" in the ProtectServe model - with precisely the subset of my "user" data, that represents the hat I choose to wear in that relationship (my selected persona).  In the ProtectServe model, I depend on the Authorization Manager (aka CopMonkey) to provide the consumer with a token representing my chosen hat.

Now here's where the hat concept becomes more useful ... in addition to being a useful metaphor for my chosen persona, HAT is also an acronym for "Have a Token," which is  precisely the action I authorize the relationship manager to complete on my behalf.  Through this trusted third party, I have offered a token (Have a Token) to the consumer representing the HAT I choose to wear in our relationship.

Whether or not the ID HAT analogy has legs will be for others to decide.  But for me, it was an analogy that helped me understand a somewhat complex concept.

By the way, (many) hats off to Eve and the other brilliant thinkers who came up with the ProtectServe concept!

Wednesday Apr 01, 2009

Identity in the Browser (IDIB) - More Complexity than Meets the Eye

A few days ago, I mentioned that Identity in the Browser (IDIB) was emerging as an interesting Identity Management topic.  After following a somewhat spirited internal email thread on the subject, I compiled a list of twenty issues that should be addressed as this topic is explored:
  1. Can a general approach be defined that would work in all the commercial browsers?
  2. Impact on mobile web, not just desktop/laptop web
  3. Ease of use for broad range of Internet users
  4. Security of authentication process
  5. Phishing resistance
  6. Security of browsers as a focal point for Identity
  7. How does this support cloud computing
  8. Use of or interaction with standards or emerging standards (e.g. SAML, OpenID, OAuth)
  9. Hosted vs. client-based Identity selectors
  10. Support for multiple identities or personae
  11. Support for multiple identity providers
  12. Matching what service providers (SP) want with what Identity providers (IP) and attribute providers (AP) can deliver
  13. Accommodating self-registered and organization-registered identities and attributes
  14. Complexity issues with federation (e.g. multiple sessions, timeouts and logouts)
  15. Policy enforcement across multiple organizations and entities
  16. Audit/compliance/governance
  17. Applicability of certificate based authentication
  18. Impact on InfoCard/CardSpace approach
  19. Impact on Higgins approach
  20. Licensing fees for use of specific technologies
I'm sure this list isn't exhaustive, nor is it even prioritized.  It does illustrate, however, that any new approach must cover much ground if it is to be effective.

It will be interesting to monitor progress as these topics are discussed in more detail.

Eve Maler: Renaissance Woman

Dave Kearns published a nice article today about Eve Maler, whose latest title is Emerging Technologies Director, Sun Microsystems Identity Software.  Although Eve told me she was a bit embarrassed by that headline, I think it fits well. 

Dave speaks highly of Eve and then introduces the proposed ProtectServe web protocol Eve described in her blog post To Protect and Serve and further addressed in her post ProtectServe: getting down to (use) cases.  These posts are indicative of the innovative thinking that has been Eve's hallmark at Sun.

But perhaps it is Eve's musicianship, home remodeling, artistic stitching and photography that earned Eve the Renaissance Woman title.

Thursday Feb 19, 2009

Prawo Jazdy - Mistaken Identity

BBC News reported yesterday that police in the Irish Republic mistakenly established separate identities for over 50 individuals named Prawo Jazdy, seemingly a notoriously elusive violator of traffic laws, before anyone realized that "Prawo Jazdy" means "Drivers License" in Polish!  Thanks to @rjhorniii for sharing the article reference on Twitter.

Wednesday Jan 28, 2009

OpenSSO Community Day

Yesterday, Sun announced a "community day for OpenSSO enthusiasts around the time of the CommunityOne Conference in New York.
All are welcome, attendance is free, and continental breakfast plus lunch will be provided. ... Hosted by New York University at the Kimmel Center in Greenwich Village, New York, and sponsored by Sun Microsystems, this is an opportunity for OpenSSO contributors, deployers and users to come together in an informal unconference setting."

For more information or to sign up, please visit the OpenSSO Community Day page on

Wednesday Jan 07, 2009

What do YOU think about Digital Identity in Open Government?

Yesterday, I blogged about an Open Government Workshop to be held at MIT on January 15th to address the role of Digital Identity in modern government.   You can participate in framing the discussion by participating in this online forum.  Please take a few minutes to read questions others have submitted and vote on which topics you think are most relevant.
Here are the five questions I submitted:
  • How can personal Digital Identity attributes be leveraged to personalize the interaction a citizen has with a government agency while protecting confidential citizen information?
  • How can Digital Identity be leveraged to effectively enable citizen/government interaction without using a National ID card system?
  • How can static Digital Identity attributes (e.g. name, age) be combined or blended with contextual attributes (e.g. location, current interest) to enrich citizen/government interaction without compromising confidential information?
  • How can confidential Digital Identity attributes provided by a citizen to one organization or agency be effectively used for an overall citizen/government experience without divulging that information to other organizations?
  • Are there ways Digital Identity systems employed by private enterprise can be leveraged to provide e-government authentication and authorization services?
What are yours?

Tuesday Jan 06, 2009

The Role of Digital Identity in Open Government

An Open Government Workshop to be held at MIT on January 15th,  will address the role of Digital Identity as a key enabler for effective interaction between citizens and government leaders. 

This workshop is being organized by Dazza Greenwood of on behalf of the MIT eCitizen Architecture Program, the MIT Media Lab SmartCities Group and the eCitizen Foundation.

The Digital Identity part of the workshop is being directed by Bruce Bakis of Mitre Corporation, Team Leader of the Safeguarding Digital Identity research project for the Institute for Information Infrastructure Protection.  In an invitation to the Identity Management community, Bruce stated:
"Several goals in the Obama-Biden technology agenda articulated at fit right into our Digital Identity wheelhouse. Two of these really hit our sweet spot: Create a Transparent and Connected Democracy, and Lower Health Care Costs by Investing in Electronic Information Technology Systems.

"So, here’s what we’re doing: holding several virtual events and one “real” one to compile and present to the Obama-Biden administration a prioritized list of issues, problems and questions.  During the “real” event we will hold three interrelated discussions:
  • The use of Digital Identity as a key enabler (for the other two agenda items and so much more)
  • How to Create a Transparent and Connected Democracy that’s open, effective, privacy preserving and secure;
  • How to Lower Health Care Costs by Investing in Electronic Information Technology Systems."
You can register here for participation in the January 15th event.  You can participate in formulation of the dialogue that will occur at the main event by using this online forum to submit and rank questions to be addressed during the event.

Wednesday Dec 17, 2008

Identity Deserves our Best

In his NetworkWorld Identity column today, Dave Kearns quotes Ping Identity CEO Andre Durand speaking about the Golden Guardian comic strip. I particularly like Andre's comments about "life, energy and passion":

"I believe we're at an important juncture in our industry, one that will require everyone do their part. If we fail, we could become like so many other industries where life, energy and passion have left, and all that is left is apathy. Identity is so important, it deserves our best."
Yes, Identity is important.  It does deserve our best.  This industry impacts so many facets of our professional and personal lives.  The threats to privacy and security are real.  But the benefits for successful Identity management implementation are also real.  It is a great time to be involved.

Thanks, Andre, for your profound words.  Thanks, Dave, for sharing these thoughts with us.

Wednesday Nov 12, 2008

Integrated Identity Infrastructure

This morning, my Sun Microsystems colleague Rakesh Radhakrishnan published a blog post that proposed an "Integrated Identity Infrastructure acting as the Common Service Building Block" that provides foundation Identity services for multiple areas in the communications and media markets, including the following use case areas:
I am intrigued with this concept of an Integrated Identity Infrastructure enabling a wide ranging set of business and consumer functions.  I look forward to more good discussion in this area.

Tuesday Nov 11, 2008

OpenSSO Enterprise - Download it Now

Today is the official release date of Sun's OpenSSO Enterprise product, the 8.0 version of the product set formerly known as the "Access Manager/Federation Manager", which was publicly announced on September 30th.

So, what's new in this release?
  • The Fedlet - a lightweight way for service providers to quickly federate with a SAML 2.0 identity provider
  • Multi-Protocol Hub - allows companies that are members of a circle of trust to speak different federation protocols
  • Identity Services - invoke AAA services using your IDE of choice or any programming language (e.g. Java, .NET, PHP, Ruby, etc.)
  • Express Builds - deploy next-generation features from the OpenSSO community with the same support and indemnification provided with commercial releases
  • Ease of Use - new task-based UI for common federation-related operations
  • Ease of Install - just drop the WAR file into your servlet-container of choice, hit it with a browser and, in the simplest case, supply admin passwords
  • Much more, including: centralized server configuration (no more text files), centralized agent configuration (no more text files).
Give it a whirl - download it here today!

Wednesday Oct 15, 2008

LinkedIn Identity

This morning, my colleague Hubert Le Van Gong drew my attention to the Liberty Alliance group on LinkedIn. It is great to see an expanding number of Identity Management groups available on LinkedIn.  I currently belong to these LinkedIn groups which are focused on Identity Management or Information Security topics:

Discovering Identity was founded on in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.

The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.