Johannes Ernst’s Blog

Identity at PC Forum and Mix ’06

Attending both of these conferences within a week of each other, this is a study in contrasts. PC Forum caters largely to the technology establishment (if there is such a thing), VP level and above, with a sprinkling of entrepreneurs like myself. Its value is in providing a venue in which people, many of whom have known each other for many years, can congregate and talk about the larger trends and technologies affecting the business, with, I’d say, a focus on their disruptive potential.

Mix ’06, on the other hand — at least the sessions I attended — turned out to be much more about specific product plans (of Microsoft, naturally) and specific case studies, with far less emphasis on the larger picture. While PC Forum featured talks like one about which features of the Indian healthcare system are vastly superior to the American one due to, among other things, smarter use of information technology, Mix ’06 would have talks on "the cool things I built with Windows Media Center". In a way, it focuses on product evolution instead of industry disruption.

I had the fortune to be on panels, on related subjects, at both conferences. By coincidence (or maybe not) Kim Cameron, Microsoft’s identity architect, was on both as well. Today’s panel at Mix ’06 was one of the better panels I’ve ever been on: all participants — Kim from Microsoft (moderator), Hilary Ward from Citigroup, Paul Trevithick from Socialphysics/Parity/Berkman, Stefan Brands from Credentica and myself — were quite well prepared and articulated their points quite well. There’s value in preparation; a conference call and lunch beforehand in this case, and that helped us all be concise and to the point.

But the big question in all of these discussions on identity is always the same: there are so many initiatives and technologies and business circumstances: how are all of these ever going to come together? Pretty much everybody, ourselves at NetMesh very much included, believes that digital identity technologies themselves are just an enabler — of more security, of more privacy, of more convenience, of reduced business risk, of new categories of software previously impossible, all the way to entirely new markets.

But this will only become possible if we all in identity land get our cool stuff together and make it interoperable; otherwise none of the hoped-for outcomes will occur. Very few people disagree with that conclusion either (I should say that some still do disagree, albeit fewer all the time, taking an approach of "we have the one and only superior technology", left as an exercise for the reader who belongs to this category…). Microsoft is exhibit A in this case: in spite of uncounted billions in the bank and incredible market reach, they feel they cannot do identity alone — which is why people like me get to speak at Microsoft conferences like Mix ’06. If Microsoft feels they can’t do things alone, who can?

But fortunately, the needed convergence may be closer than we think. The recent Yadis specification was a great step in the right direction, because it shows that in spite of competitive pressure, people can rally around the common good. I hope we can replicate this on a larger level, and the signs so far are good, although I can’t talk about them yet; stay tuned. (And get in touch if you share this vision!)

[Written on the plane yesterday]

Announcing Yadis 1.0

What if everybody’s digital identity technologies would seamlessly interoperate with everybody else’s? What if many people could come up with new ideas and protocols, and everybody could build on top of each other’s work without either having to ask for permission, or having to re-invent the wheel?

The recent release of the Yadis 1.0 specification is a huge step in this direction. It breaks identity stovepipes wide open to innovation and new applications. Let me give you an example.

Let’s say you have this really cool idea to integrate presence into digital identity. You think that if people were able to not just authenticate, or just convey information about themselves to websites without having to fill out new forms, but also could convey their presence at PCs, mobile devices, or what have you, the world would be a better place and you’d make a boatload of money in the process. (Now I have no idea whether that is true for this example, but let’s just assume it for the purpose of this example: somebody is having an unusual, but potentially quite intriguing idea related to digital identity.)

Before Yadis, you essentially had to build an entire digital identity implementation yourself, including single sign-on, attribute exchange, cryptography, message protocols etc. etc. Alternatively, you could make a bet and say: "I believe LID authentication is going to take over the world, that’s why I will integrate with LID and LID only" (because you usually can’t afford to integrate with N different protocols). But what if LID’s default GPG-based authentication did not take over the world, and some people wanted to authenticate with OpenID’s Diffie-Hellman approach instead? Or the other way around? Or some other technique suddenly took over? You’d be screwed and all the coding you did would have been in vain; not because your idea about presence and identity was bad, but because you made the wrong bet on somebody else’s technology that was peripheral to what you really wanted to accomplish.

With Yadis, you don’t bet on LID authentication vs. OpenID authentication or whatever other kind of authentication. You only bet that there will be authentication, and it will be discoverable through Yadis. You do not have to bet on which of the techniques will win, because your new idea will work with any of them! And if tomorrow somebody invents the GreatestAuthTechnologyEver protocol, that’s discoverable through Yadis, and it takes over the world in 10 days, you simply sit there, doing nothing, being just very glad you chose Yadis as the framework into which you plugged your new idea. Because it will continue to work just as well.

It sounds a little bit too good to be true, I admit, but I don’t think it is. Here is an actual, real-world example that we just experienced at NetMesh: the LID Profile for Contact Information Management had been designed only with LID authentication in mind, because at the time it was designed, OpenID did not even exist! Through the magic of Yadis, we can (and do!) now run LID profile queries just as well when OpenID authentication is used. Most importantly, the contact information management protocol can be and is being used without any changes, and not only that, our code that implements it is also completely unchanged! That’s the kind of thing Yadis allows. Of course, we had to add a code module to understand OpenID authentication to our LID code base, but only in one place, without impacting higher-level functionality such as profile queries, or authenticated messaging, etc. So Yadis allows orthogonal things to remain orthogonal, on a protocol level as well as on an implementation level.
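To make the "bet only that authentication is discoverable" idea concrete, here is an added example (not NetMesh's code or part of the original post) of the relying-party side of Yadis: it parses a constructed XRDS document of the kind Yadis discovery returns for an identity URL and picks the highest-priority service whose type the relying party can speak. The OpenID 1.0 and LID 2.0 type URIs are the ones published in the Yadis spec; the presence service type, all endpoint URIs, the "use the last XRD" rule and the URI-scheme check are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRD_NS = "xri://$xrd*($v*2.0)"
# Constructed XRDS document, as a Yadis relying party would fetch from a user's
# identity URL. Endpoint URIs and the third service type are made up.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://lid.netmesh.org/sso/2.0</Type>
      <URI>https://lid.example.net/sso</URI>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>https://openid.example.org/server</URI>
    </Service>
    <Service>
      <Type>http://example.com/presence/1.0</Type>
      <URI>ftp://presence.example.com/</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def parse_services(xrds_text):
    """Return (types, uris, priority) for each Service, highest priority first."""
    root = ET.fromstring(xrds_text)
    xrds = root.findall(f"{{{XRD_NS}}}XRD")
    if not xrds:
        raise ValueError("no XRD element in XRDS document")
    xrd = xrds[-1]  # assumption: use the last XRD, as common Yadis libraries do
    services = []
    for idx, svc in enumerate(xrd.findall(f"{{{XRD_NS}}}Service")):
        prio_attr = svc.get("priority")
        # A lower priority value wins; a Service without one sorts last.
        prio = int(prio_attr) if prio_attr is not None else float("inf")
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
        uris = [u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI") if u.text]
        services.append((prio, idx, types, uris))
    services.sort(key=lambda s: (s[0], s[1]))  # idx keeps document order on ties
    return [(types, uris, prio) for prio, _, types, uris in services]

def select_service(xrds_text, supported_types, allowed_schemes=("https", "http")):
    """Pick the best-priority service we can speak whose endpoint URI is acceptable."""
    for types, uris, _ in parse_services(xrds_text):
        matches = [t for t in types if t in supported_types]
        safe = [u for u in uris if urlparse(u).scheme in allowed_schemes]
        if matches and safe:
            return matches[0], safe[0]
    return None  # nothing advertised that this relying party understands
```

Adding support for a new authentication protocol means adding its type URI to `supported_types` and one handler for it; the presence application on top never changes.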

[Side note: a number of people have realized already that this kind of plug-and-play of protocols based on service discovery is in no way limited to identity, and they are right. It wouldn't surprise me if the Yadis protocol showed up in many places that have nothing to do with identity; its benefits as a simple but powerful, REST-ful service and meta-data lookup protocol are the same everywhere, and hard to ignore.]

So here it is: Yadis 1.0, an open standard produced open-source-style in an open, multi-vendor collaboration, and implemented already by a variety of projects and vendors. Thanks to everybody in the Yadis community who helped make Yadis happen! It’s great to see that many companies and individuals can get over (perceived) competitive differences and collaborate to grow the entire market. I feel honored to have had the opportunity to work with you all, and look forward to continuing this as we go after even larger opportunities. (I have some ideas …)

The success of the Yadis project as evidenced by the new spec also proves that "open source standards development" is a process that can work just as well as open-source development. Adoption of digital identity technologies has certainly become much easier, and much safer, in the process. Imagine you’d have to go to your CEO and say "my vendor with the uniquely superior technology (or so you thought) just went out of business, sorry" instead of "we built on Yadis, so even if one of those guys goes away, there’s a whole community of developers and other companies with whom we can do business just as well."

’nuff said, enjoy!

21st-Century Photography

Do I need to say more? This is Dave Winer, who just took a bunch of digital pictures, trying to upload them from his laptop in broad daylight … Why does this remind me of the beginnings of photography?

Adrian Blakey calls for a really simple health information exchange protocol

He says:

A lot of attention and money is being poured into health care by the US Department of Health and Human Services, who are promoting standards for Electronic Health Records systems, and a National Health Information Network. The belief being that standards will promote interoperability and create a frictionless flow of health care information between standard stores of information. This slippery flow of information will then open up health care and enable a new mass market in which consumers, now empowered by their own portable information and widely disseminated provider quality information, can shop for care on a level playing field.

… [It] would be a simple, secure, open extensible protocol for the exchange of health care information.

… It’s no accident that the most successful Internet protocols have the letter “S” (for simple) in their names. By being open, its specification would be widely disseminated and available on the Internet so that anyone could implement it. By being a simple protocol and one that leveraged existing protocols, its implementation and development would be simple. Implementation in a broad set of languages would increase the velocity of its uptake and use. Being open, it would not be owned by any special interest, and if its creation followed an open source, beneficial dictatorship model its creation could be marshaled and be “architecturally consistent.” Concentrated leadership and vision would speed its creation in contrast to a standards body based solution. Its openness would endow it with a level of trust by its users who could see into its structure and governance. This openness could be carried through into its implementation so that the contents of a transfer would be open to all parties in a specific transaction.

It would need to be extensible so that a small subset of the protocol could be immediately launched and put into use. This small subset would form the core of the protocol which could be extended by its users to bootstrap an exchange. It has always annoyed me that standards take so long to emerge because the participants want to get it right first time. In reality this is impossible since the real-world is simultaneously evolving and providing new and enhanced meaning to the standardized concepts.

Go ahead and read the whole piece. So, Adrian, are you going to propose such a protocol?!?

Arrived at PC Forum 2006

On the plane down, I happened to sit next to Ted Cho, the CEO of Opinity. They are of course building a reputation system, and we had a lot of things to talk about where reputation meets URL-based, user-controlled identity.

Stepping into Alamo, I stood in a long line right behind Dave Winer. That gave us quite some time to chat, mostly about why RSS is so threatening to so many established businesses. I tend to believe that so far, we have only seen the first wave of disruption; when it hits enterprise software, it will be equally if not more disruptive.

Kaliya, who is also here, just pointed out the IRC backchannel: #pcforum, which has about 10 people on it right now.