Johannes Ernst’s Blog

Identity a consistent theme at Etel

Somewhat surprisingly, a whole series of speakers have been talking about the importance of identity today at the O’Reilly Etel conference. From the telcos (France Telecom in the morning), to several softphone providers, myself and now Microsoft. I’ve also had numerous side conversations with people who recognize the problem, don’t want to contribute to more identity stovepipes and are a very receptive audience for URL-based identity. URLs, and the open, multi-party YADIS effort just make a lot of intuitive sense …

Unfortunately I didn’t get the name of the speaker from Microsoft because he was a last-minute replacement and seems to have disappeared. Although he didn’t title the talk that way, it was really identity that he was talking about, almost exclusively.

Surprisingly, he didn’t mention InfoCard a single time. But then, he was talking about presence and e-mail and real-time communications, and things like that, which I don’t think InfoCard attempts to address. (Does it, can somebody correct me if I’m wrong?) URLs would make a lot of sense for the use cases he was talking about … I wonder how Microsoft is going to integrate those approaches …

The Identity Landscape of 2006

Digital Identity is maturing — into three sets of distinct standards that serve the needs of three distinct stakeholders. I’m writing this to give some context to the O’Reilly Etel conference sessions on "User-controlled Identity" (BOF Tuesday night) and "Identity Crisis: Namespaces out of control" (my talk Thursday morning).

Just a few years ago, identity was largely fragmented into many proprietary, single-application or single-purpose stovepipes. There were only two exceptions: Microsoft’s Passport and the then-new Liberty Alliance effort to build a rival to Passport that was not dominated by Microsoft.

Since then, Liberty has been quite successful within enterprises and at the boundaries of enterprises with some of their business partners, such as 401k providers inside corporate portals; I recently heard a prediction that Liberty is on track to have 1 billion (!) identities by the end of 2006. Passport has largely been discontinued for non-Microsoft sites, and will be superseded by Microsoft’s new InfoCard initiative, built on WS-Trust and a number of Microsoft technologies. InfoCard is expected to be bundled with each copy of Windows Vista.

But two major things happened in this evolution that, in a way, few expected:

  • An entire new branch of identity emerged almost overnight: user-controlled identity, or as some people call it, "independent identity". At its heart was the realization that "we are the people", that identity should emanate from the people whose identity it is, rather than from outside organizations — whether government or business. In hindsight, we shouldn’t have been surprised: this is a direct reflection of the societal mega-trend of the democratization of technology and information that seems unstoppable and that is very disruptive.
  • There is now almost universal agreement that for identity to matter as a technology, and to become a real enabler for business, it must be universal, and therefore universally interoperable. Nobody has been more relentless in evangelizing this vision (he calls it the identity "meta-system") than Kim Cameron at the very same Microsoft that only a few years ago wanted to take over the world with Passport.

So as 2006 dawns and the identity conversation continues, it is becoming clear that identity is rapidly consolidating around three architectural pillars, shown in the following diagram:

[three identity pillars]

This diagram does not show technologies that remain effectively proprietary — whether account management systems of large websites, or protocols whose evolution is controlled by a single company. The labels on the diagram indicate the primary ideas and proponents.

  1. The Liberty identity pillar. This pillar is ready-made for corporate adoption: identity is “given” to the individual by the corporation (e.g. the employer), and it is the corporation that decides which identity attributes are managed and shared with whom. Even if the corporation gives the individual many choices, it is ultimately the corporation who decides whether or not to give those choices to the individual. Typically, Liberty implementation projects are between companies; the individual does not participate directly.
  2. The WS-*-based identity pillar, which, at this juncture, is largely driven by Microsoft. InfoCard is a new "Identity Selector" application that will be bundled, we are told, with every copy of Windows Vista when it ships. It is based on a number of WS-* standards, some WS-* specifications that are expected to become standards at some point, and some Microsoft extensions. As Vista has not shipped yet, there are still many open questions, such as whether it will ever be seriously supported on non-Microsoft operating systems or non-PC devices, or how it could interoperate with non-WS-* based architectures and protocols.
  3. The URL-based identity pillar, which is largely an open-source, grassroots effort. It aims to put the individual fully in control: over identity providers, over attributes, over whether or not to have an identity or how many, over which software to run from which vendor, and over the feature set associated with their identity. Its most visible sign is the use of URLs to point to people, just like we use URLs to point to companies or documents. This pillar is rapidly coming together in the YADIS community, which essentially facilitates an open marketplace of interoperable identity-related features from which the individual may pick as many or as few as they like.

As we go into 2006, at least two of these pillars are still in flux: Microsoft Vista/InfoCard is not on the market yet, and YADIS is only at version 0.83 (although OpenID and LID, from which YADIS emerged, have been stable for some time). The current focus of work is within those pillars: get Vista/InfoCard out the door, make it interoperable with, say, IBM’s web services implementations, as well as working hard to make the URL-based identity implementations interoperable.

However, by the end of 2006, chances are that the pillars are solid and working well, and that construction has moved on to making the three pillars interoperable. Questions like the following ones will move up to the top of the agenda:

  • “Given we have a broad Liberty infrastructure and given that we are upgrading our PCs to Vista, how can we use InfoCard on the PC with Liberty on the backend?”
  • “Given that so many blogs are already a form of URL-based identity (bloggers talk about themselves, list their contact info, addresses, social network etc.), how can we use that together with InfoCard?”
  • “Given that our customers want to bring their own, user-controlled identity when they interact with our website, how can we connect user-controlled identity with company-controlled identity?” (example).

People today sometimes still ask "But won’t pillar X (depending on who is doing the asking, X is a different pillar) take over the world and become the one and only way of doing identity?" I hope that this discussion makes it clear that such an outcome is quite unlikely. We have those three pillars, they have evolved and exist for good reasons, and each of them will remain compelling to its stakeholders for its own reasons. But the good news is that it’s just three of them, and so there is a good chance we can connect all three of them over the next so many years and make them interoperable.

Which means, that going into 2006, it looks quite possible that we’ll be getting universal, interoperable identity after all. Yes! One thing is sure: it will disrupt many businesses, and create a range of novel business opportunities. I hope this article will help you navigate the currents.

[P.S. I have updated this post based on feedback I have received, mostly on terminology; the major message is the same, however.]

Feedback on “The Identity Landscape of 2006”

Blogging is a funny thing. One never knows which posts get picked up by others and which don’t; and which are discussed publicly and which only one-on-one on the back channel.

My recent piece The Identity Landscape of 2006 is one of those cases where there has been little public discussion and a lot of back channel discussion. Let me try to summarize what I heard because it may be of interest:

  • Nobody — to me, at least — has made the point that I’m wrong about what I called "the three pillars". That’s good, because that’s why I decided to pen this piece in the first place. Some question whether the term “pillar” is right or whether we should rather talk about a continuum. I’d argue that there are few, if any, products/projects connecting those three things yet, so I think a discrete metaphor, like “pillar”, is probably appropriate at this stage. Once large-scale interoperability occurs — anybody’s guess when at this time — I will of course change that term.
  • Nobody disagreed that there are good reasons for why those pillars exist. Some question whether the light-weight approaches, growing up from things like blogs, are “true” identities; I’d say that what is and isn’t a “true” identity is in the eye of the beholder, and I don’t think anybody would argue that they can’t grow, which they do anyway on an almost weekly basis in some places.
  • Nobody disagreed that identity simply must become interoperable to have value, and that sooner or later, these three “pillars” will have to be bridged.

That’s all great. But I also got push-back on two of my particular choices of terms:

  • "user-controlled": it apparently came across to some that way, but I did not mean to imply at all that what Kim and Microsoft have been working on does not give a lot of control to the user, because it does. (Note: somebody should list those new levers of control one day, that would be very worthwhile doing.) I just happen to think that the URL-based approaches give more control to the user, and that’s why that pillar is labeled "user-controlled" and the others are not. I guess I will have to expand on that when I get around to it.
  • "Microsoft-controlled": that was easy to predict, as I did, but I probably did not make my case well enough.

Mark Dixon has 380 reasons for universal personal identity

He counted the number of accounts he has on-line, and came up with 380.

Somehow that number does not sound like his on-line experience is very pleasurable…

Gillmor Gang “Identity Gang” Podcast is on-line

Steve Gillmor’s blog post, download MP3 from here (careful, it’s over an hour and a half! There was certainly a lot to discuss.)

Doc, Steve, thanks for having me!
