Johannes Ernst’s Blog

HealthCamp

I’ll be at HealthCamp this Saturday in San Francisco. The idea is to start a "health 2.0" conversation about the 2 trillion dollar (in the US) healthcare industry that’s a bit like the web 2.0 discussion, or the identity 2.0 discussion, or … you get the idea. With hundreds of billions of dollars up for grabs that are currently wasted, it seems like everybody and their brothers and cousins are trying to get into the action. However, the action is going to be very disruptive, and that’s what this BarCamp wants to discuss in an unconference format.

Event information is here.

Questions about User-Centric Identity

Stefan Brands, eminent privacy and security researcher, asks good questions about user-centric identity. (I think they apply regardless of protocol. I have taken the liberty to replace some geeky terms with more plain ones, because I think it’s important that as many people as possible understand these questions)

  • Can the individual consent to or withhold the release of identity data to anybody, any site, any company etc.? (on a case-by-case basis, informed, non-coerced,…)
  • Can the individual see the actual identity data that is flowing? (Or is it encrypted for the receiver, so the user needs to trust their software vendors?)
  • Can the individual hide the identity of the receiver of the information from the software system / website / organization that stores the identity information? (for example, does Visa know it every time you show your credit card?)
  • Can the individual hide which information they wish to convey to anybody from the software system / website / organization that stores the information?
  • Can the individual locally store and manage long-lived identity credentials? (If not, then all the individual’s actions - and therefore accounts - can be traced, simply by tracking what happened when)
  • Can the individual pick and choose which attributes of the identity credentials are disclosed to anybody?
  • Can the individual avoid using the same identifiers (think: social security number)? (If not, others can easily link the individual’s actions all across the web)

Stefan’s more technical list is more precise, and a bit broader; please consider his original post for more details.

Phriend Phishing

Everybody knows about phishing these days: the attempt by an attacker to trick a victim into revealing information to them by masquerading as somebody else. For example, a site called examplé.com (note the accented é, which looks almost identical to a plain e in many fonts) might pass itself off as example.com. It is often initiated by e-mail, whose sender address can be easily falsified, and it works best against victims who already have a relationship with example.com.

A novel variation is beginning to make the rounds that I’d like to call phriend phishing: the attacker masquerading as another individual that is known to the victim.

For example, let’s say you are my buddy, and like me, you frequent social networking website example.net (I actually don’t visit that particular site, for good reasons ;-) but this is just an example). This social networking site allows you to create private groups, such as "my buddies" whose content is not accessible to non-members. I have a unique user handle at this site, say jollyfellow. The phriend phisher attacks you by creating a user handle that’s very similar to mine, say jolly.fellow, and gets you to approve his request to be part of your private group, because you think it is me. It is an attack because he’s now able to access information that he should not have access to; depending on the group, that may open up all sorts of nasty "business opportunities" for the attacker.

There is an even more effective avenue for this: some sites believe that they should display more "human" identifiers (such as first and last name) instead of unique user handles. If a site does this, nothing prevents the attacker from simply calling himself Johannes Ernst under any user handle that he chooses, because display names are not unique, which makes the attack even more successful. Many non-techie users would need a lot of education to even understand what the problem is here.
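The two variants described above (a look-alike handle such as jolly.fellow next to jollyfellow, and a display name that collides with a trusted contact’s while the handle differs) can both be flagged at the moment a membership request is approved. The following is an added example of such a check, not code from the original post or from any social networking site; the site, the accounts and the handles in it are constructed for illustration. It reduces every handle to a comparison "skeleton" (compatibility-normalized, accents stripped, case-folded, separators dropped, a few common digit-for-letter substitutions folded) and warns when a requester’s skeleton matches a trusted contact without being that contact. The same skeleton function shows why examplé.com and example.com collide.

```python
import unicodedata
from dataclasses import dataclass

# Characters that attackers insert or drop to make a handle look "almost the same".
SEPARATORS = ".-_ "
# A small, deliberately incomplete set of digit/symbol-for-letter substitutions.
# A production check would use the Unicode confusables data (UTS #39) instead.
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "!": "i", "3": "e",
    "5": "s", "$": "s", "@": "a", "7": "t",
}


def skeleton(name: str) -> str:
    """Reduce a handle, display name or domain label to a comparison form.

    NFKC compatibility normalization (fullwidth letters etc.), then strip
    diacritics so that 'examplé' becomes 'example', casefold, drop separators,
    fold digit substitutions, and collapse the classic 'rn' -> 'm' and
    'vv' -> 'w' homoglyph pairs.
    """
    s = unicodedata.normalize("NFKC", name)
    s = "".join(ch for ch in unicodedata.normalize("NFKD", s)
                if not unicodedata.combining(ch))
    s = s.casefold()
    s = "".join(ch for ch in s if ch not in SEPARATORS)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.replace("rn", "m").replace("vv", "w")


@dataclass(frozen=True)
class Account:
    handle: str        # site-wide unique handle, e.g. "jollyfellow"
    display_name: str  # free-form and NOT unique, e.g. "Johannes Ernst"


def lookalike_warnings(request: Account, trusted: list[Account]) -> list[str]:
    """Warnings for a group-membership request that resembles a trusted contact.

    An identical handle means it really is that contact, so nothing is reported;
    a matching skeleton or a matching display name under a different handle is
    exactly the phriend-phishing pattern and is reported.
    """
    warnings: list[str] = []
    req_handle = skeleton(request.handle)
    req_display = skeleton(request.display_name)
    for known in trusted:
        if known.handle == request.handle:
            continue  # genuinely the same account
        if skeleton(known.handle) == req_handle:
            warnings.append(
                f"handle {request.handle!r} looks like trusted contact {known.handle!r}")
        if req_display and req_display == skeleton(known.display_name):
            warnings.append(
                f"display name {request.display_name!r} matches trusted contact "
                f"{known.handle!r}, but the handle is {request.handle!r}")
    return warnings


# Constructed sample data: the members already in "my buddies".
TRUSTED = [
    Account("jollyfellow", "Johannes Ernst"),
    Account("alice_w", "Alice W."),
]

if __name__ == "__main__":
    for req in [Account("jolly.fellow", "Jolly Fellow"),
                Account("je_2007", "Johannes Ernst"),
                Account("jollyfellow", "Johannes Ernst"),
                Account("bob", "Bob")]:
        print(req.handle, "->", lookalike_warnings(req, TRUSTED) or "ok")
```

The skeleton comparison is a heuristic: it will produce some false positives (legitimately similar handles) and misses glyph pairs that are not in the small table, so the right response to a warning is to show the user the real handle side by side with the trusted one rather than to block the request silently.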

I’m bringing this up because of our work around the OpenID User Experience. As user-centric identity, like OpenID, is intended to empower the individual and make them safer on-line, this type of attack is one that we definitely need to build defenses against. I figured it needed a description and a name.

P.S.: How do you like it? [the name]

What kind of organization is the right one for OpenID?

Let’s assume that the OpenID movement continues its dramatic growth for a few more years, and instead of a dozen technology vendors supporting it for hundreds of sites and a handful of use cases, as it is today, we’ll have hundreds of different implementations on tens or hundreds of thousands of sites, applying it to dozens of different use cases.

It’s clear OpenID needs an organizational and governance structure beyond a few mailing lists and an open-source project. But what should it be?

I wrote a version of this last week to the folks with whom we are considering putting together a "trade"/community kind of organization for OpenID, and figure I might as well share it. I’m trying to point out some of the key differences between what OpenID might do and what other organizations have done in the past.

For example, if Big Corporations A and B both design rival, say, next-generation DVD systems, and patent the heck out of it (and have the armies of lawyers to prove it), and sign up 10 other big companies as supporters each, they may decide that they need to cross-license and merge their proposals because neither is going to win over the other, and as long as there are conflicting proposals in the market, the market is only worth 20% of what it could be.

Then they often will create a “trade” organization that, on the face of it, is dedicated to marketing the A+B hybrid technology and being nice to everybody. But it is also designed, very deliberately and less visibly, to make it rather impossible for company C — which could reasonably compete with A or B — to join in after the fact on anything resembling equal terms: because the goal of both A and B was to make everybody kiss their feet in the first place, to extract not just as-high-as-possible profits from the technology marketed by the trade organization, but to deny any profit to their competitors. While A realized that under no circumstances would B kiss theirs, and vice versa, they sure are hell-bent on making all Cs and Ds do so. (Such an organization is generally very welcoming to those Cs and Ds that won’t infringe on the king-of-the-hill position of A and B, which is why the appearance of some of those organizations is deceptive.)

I think, from a (short-sighted?) business/optimize-shareholder-returns perspective of the companies involved in OpenID today, it would be quite valid to propose that the OpenID organization would act exactly that way; in particular from the perspective of governance (e.g. who gets to propose a new form of authentication under the OpenID umbrella, or how complicated it is to develop and market an alternate OpenID implementation.)

However, I would strongly oppose that, and I believe that most people involved in OpenID so far would agree with me: because we don’t want OpenID to be something exclusive, but a basic, free/beer/speech-for-all layer for light-weight interoperable identity, that everybody can plug into in any way they wish, no kissing of feet required in any way, shape or form, now or later. Because without that, the world won’t look the way we want it to look, and we won’t be able to do the kind of business we want to do. (Certainly true for NetMesh.)

Because of that — assuming we are all agreed on that — the membership structure should (and I’d argue, MUST) be designed in a way that it allows Cs and Ds to join at any time, on equal terms. Big Cs and little Cs, such as individuals. The only limits being minimal table stakes, such as being constructive, and the ability of the organization and its processes to still function sufficiently. It also means that the technologies blessed as OpenID must be free (both speech and beer): people should only contribute/propose technologies that they own under applicable IP laws and wish to license/donate for free; OpenID needs to stay away from projects and technologies where that may not be the case. (This doesn’t mean that vendors can’t use non-free technologies with OpenID, only that the OpenID organization should stay away from them to stick with its basic focus.)

It doesn’t mean either that the people/companies that put the organization together initially won’t get an extra bit of recognition, such as the title “founding partner” or such. However, that role should not inherently bestow more rights on us than on those who will come after us.

In other words, an organization for OpenID needs to be an Open-Org (I just made up that term), not a cartel.

Because of that, the analogy with many existing trade organizations in a variety of areas does not really work; we need to be mindful of that when we design the organization, its governance, membership structure and processes.

By the way, please let me know if you read this and can think of a good example of an organization that has managed to do something like this; it would be very helpful for all of us to learn from, which is why we are having this discussion about analogies in the first place.

Identity Management: Winner-takes-all or not?

The Ping blog quotes Mike Neuenschwander of the Burton Group on whether there’s a winner-takes-all opportunity in identity management:

“Although vendors continue to approach the IdM market as a winner-take-all proposition, features of IdM make the market extremely difficult to dominate. For one thing, the resources that identity vendors aspire to control are politically fragmented, physically distributed, and technologically diverse. No vendors to date have shown the resourcefulness and the will necessary to provide sufficiently broad interoperability to manage such a wide range of resources. In fact, vendors with the most resources have little political motivation to provide IdM for legacy or competitive products, because it’s more to their benefit to replace those systems with their own.”

As an entrepreneur in this space, I am naturally very interested in these kinds of questions. I agree with Mike’s conclusion on much simpler grounds: the market is simply too large and too important to be dominated by any one entity. Just consider the government part of identity management: the day when one country allows another country to be the official "identity provider" of its citizens will likely never come (which is probably a good thing). And that has many downstream consequences.

However, just because no one entity can dominate the entire market does not mean that there aren’t a number of winner-take-all games in subsegments of the market. I’m rather convinced that there are. In my view, it will be a sign of further maturity of this market once we collectively understand its structure and know which subsegments exist, what the dynamics are within each segment, and how they will overlap, ignore each other or compete.
