Johannes Ernst’s Blog

Responding to James McGovern

James McGovern posted a number of questions and thoughts on Federated Identity and Authorization (the most recent installment is here), and challenged a bunch of us to respond. Well, here are some answers from my point of view:

Hopefully, Johannes and Kim can tell me if CardSpace as a user interface and OpenID as a protocol will be extended in the future to support authorization, or whether some other standards body should start a similar initiative. Of course, being able to specify via CardSpace the relationship between me and my daughter and whether I can see her medical records would be cool. I would assume that OpenID would support carrying XACML?

I can’t answer for Microsoft, and leave it to Kim to answer that part of the question. The thing to keep in mind about OpenID is that OpenID is an open community that has no central planner who says "this is what is on the roadmap and this is what isn’t". So I can’t answer the question about what OpenID as a community will or won’t do — nobody can. That is a feature, not a bug, by the way ;-)

What is clear, however, is that authentication isn’t very useful if it can’t be connected to authorization, and all OpenID implementations (including ours at NetMesh) have some support for authorization. There aren’t any standard protocols, however, and authorization support is still baked into applications instead of being interchangeable. Looking ahead, I would consider it entirely possible though that somebody in the community builds another Yadis service type for XACML of some kind, demonstrates how useful it is in the context of OpenID, and it moves into the OpenID process. (James, would you like to do that? That’d be really cool … the nice thing about an open-source-style community like OpenID is that anybody can innovate within it, no permission required.)

To date, the discussion and more importantly the reference implementations have all been done in either Java or .NET. Should Ruby on Rails and Smalltalk become second-class citizens in this regard?

That isn’t quite true for OpenID: Ruby has been supported as a first-class citizen for some time. I haven’t heard of Smalltalk support, however.

Anyone have thoughts on how federated identity should work against RACF?

It most certainly should work with it. I personally don’t have the expertise to say how, but I think we have a customer who has actually done that integration for URL-based identity, so it presents an OpenID user experience on the front and uses RACF on the back.

Enterprises nowadays have a preference to buy vs. build. So this begs the question of who in the identity space is working with … software vendors …? Or are we hoping that they [enterprise software vendors] will take their own initiative to get it themselves and simply build it in?

That is already happening in some internal projects, for basic protocol support. I would fully expect, however, that a new range of products will show up on the market that employ user-centric identity in novel ways and that do not map on product categories as they are known today. Those new products will likely not be developed by the incumbent vendors.

Is it possible for a NON-Sun employee to tell the world why anyone would want to join the Liberty Alliance if their primary business model isn’t technology? It seems as if those whose primary business model isn’t technology are outnumbered by at least twenty to one. Even the industry analysts no longer talk about the Liberty Alliance, which hints that it is no longer relevant…

Admittedly, some Liberty folks got a bit blindsided by the newer stuff that is going on, like CardSpace, OpenID, OSIS, Higgins etc. However, many of the Liberty folks are engaging in the community, are trying hard to understand why some of those technologies have popped up and what they are trying to accomplish, and how to integrate with the many good things Liberty has created already. I think we should give them credit for working hard to stay relevant, and there is no reason to believe Liberty doesn’t have a continuing role to play.

Announcing Health20.org

We all know that the US healthcare system, just like the healthcare systems of many other countries, has become unsustainable. We also know from experience that changes in the healthcare industry come slowly; probably quite a bit more slowly than the double-digit growth rate of health expenses, which are approaching 20% of GDP.

So Quo Vadis Health?

Fortunately, increasingly many people both inside and outside of the healthcare industry are seeing this not just as a problem, but as an opportunity. To give this community a "virtual water cooler" to hang out around, we recently put up a wiki and a couple of mailing lists at:

health20.org

If you are interested in the unconventional, the disruptive, the new new thing in healthcare, why don’t you join us? There will be a second HealthCamp some time in February, building on the success of the first HealthCamp in San Francisco. Sign up for the announce mailing list to find out where and when.

Google and Health

Since Adam Bosworth ran around with a business card that said "health" at PC Forum, I’ve been wondering what he’s been up to at Google.

Today there is finally a somewhat clarifying post: Google will do something about healthcare, but it’s not clear yet what exactly.

My gut reaction is two-fold:

  • Good: I trust Google a lot more to get out a product that actually works than healthcare software companies whose leading-edge software products are still based on MUMPS. And even if nothing else ever happens, it will scare up the establishment some, which is a good thing, too.
  • Cautious: so far, there are many questions about Google’s commitment to fully safeguarding the privacy of information stored with them, *particularly* from Google itself. So far, they haven’t needed that so much, but this is going to be extremely critical.

Doc Searls: Vendor Relationship Management

Update: Just found this picture on Flickr of when the diagram below was created.

Doc Searls (Cluetrain editor, Linux Journal senior editor, Harvard Fellow, revolutionary in a Firefox shirt, and all-around nice guy) is embarking on a very ambitious project at Harvard whose impact could be exceedingly far-reaching, called "Vendor Relationship Management" (in a parallel to "Customer Relationship Management", just the other way round).

He told us more about it yesterday at the Internet Identity Workshop. Numbers like this will inevitably sound exaggerated, but I would estimate that if this kind of model becomes successful, not just billions but trillions of dollars are going to be shifted from one place to another, in short order. Steve Gillmor, who went to the session, went as far as saying that in his view it was a given that this was going to occur, and in a reasonably short time frame. And all enabled by user-centric identity …

So how does it work? The basic idea here is that instead of you thinking what you want to buy, and then going "like a bee from flower to flower" (to quote Doc), from vendor to vendor on their terms, you create some kind of a "personal RFP" on your own terms, and let vendor offers come in.

Here is an example: let’s say you want to travel to Boston for a week, have a meeting on Tuesday in one place and another on Thursday in another place, stay in a hotel with free WiFi, and use your Gold status on United. Today, you have to figure it all out yourself: looking through the United website the way they want you to look for a flight on it (and only a flight), then the hotel’s website, and then a map to figure out whether or not to rent a car, and which rental agency has the MP3-player-enabled car that seats 6 that you want.

With Vendor Relationship Management, you would construct an RFP saying what you want, put it somewhere (e.g. on your blog), and vendors would propose solutions to your problem. No self-assembly required.

The following diagram emerged on the white board during the session, which captures the flow:

[vendor relationship management flow]

At the heart of the process is the Personal RFP, which captures the information expressing what you intend to buy. It is assembled, preferably in a partially automated way, from a variety of information sources, such as:

  • written / assembled by the user
  • the user’s identity information, such as residence address or frequent-flyer membership
  • the user’s preferences, such as non-smoking hotel rooms
  • the user’s observed actions, such as (thanks to Steve Gillmor for this example) the fact that he never uses Microsoft Office, but only Google’s on-line tools, which is a strong indicator that he prefers to fly on an airline with internet connectivity (this is a hard one, but very compelling)

This Personal RFP is then shared with a number of vendors, e.g. by submitting it to them directly, submitting it to some intermediary, or just publishing it to the cloud. Vendors decide whether or not to create an offer that addresses the RFP, and submit it to the user. Through a process of comparison (e.g. determining how well each solution matches the RFP with some kind of quality function), the offers are ranked and the user makes his decision.
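To make the flow above concrete, here is a small added example (my own illustration, not code from Doc’s project or from the session) of the Boston-hotel case: the Personal RFP separates hard requirements from weighted soft preferences and from the identity attributes a vendor actually needs, and keeps anything else (here a frequent-flyer number) out of the published document. Vendor offers that miss a hard requirement are dropped; the rest are ranked by a quality function. The 70/30 weighting between preference match and price headroom, the field names, and all of the offers are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PersonalRFP:
    """What the user intends to buy, assembled from several sources.

    requirements: hard constraints an offer must meet (written by the user)
    preferences:  soft preferences with weights (from the user's profile)
    identity:     identity attributes a vendor needs to make the offer
    private:      identity data that stays with the user and is never published
    """
    requirements: Dict[str, object]
    preferences: Dict[str, float]
    identity: Dict[str, object] = field(default_factory=dict)
    private: Dict[str, object] = field(default_factory=dict)

    def publish(self) -> Dict[str, object]:
        """The document that goes to the vendors, an intermediary or the cloud.
        Only the shareable parts are included; `private` is deliberately left out."""
        return {
            "requirements": dict(self.requirements),
            "preferences": dict(self.preferences),
            "identity": dict(self.identity),
        }


@dataclass
class Offer:
    vendor: str
    attributes: Dict[str, object]
    price_per_night: float


def meets_requirements(rfp: PersonalRFP, offer: Offer) -> bool:
    """Hard constraints: an offer is eligible only if every requirement matches."""
    return all(offer.attributes.get(k) == v for k, v in rfp.requirements.items())


def quality(rfp: PersonalRFP, offer: Offer, budget: float) -> float:
    """Hypothetical quality function: 70% weighted share of soft preferences
    the offer satisfies, 30% price headroom below the user's budget."""
    total_weight = sum(rfp.preferences.values())
    satisfied = sum(w for pref, w in rfp.preferences.items() if offer.attributes.get(pref))
    pref_score = satisfied / total_weight if total_weight else 1.0
    price_score = max(0.0, 1.0 - offer.price_per_night / budget)
    return 0.7 * pref_score + 0.3 * price_score


def rank_offers(rfp: PersonalRFP, offers: List[Offer], budget: float) -> List[Tuple[str, float]]:
    """Filter by hard requirements, then rank eligible offers best-first."""
    eligible = [o for o in offers if meets_requirements(rfp, o)]
    scored = [(o.vendor, round(quality(rfp, o, budget), 4)) for o in eligible]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample data (assumed for this example)
RFP = PersonalRFP(
    requirements={"city": "Boston", "wifi": "free"},
    preferences={"nonsmoking": 1.0, "gym": 0.5},
    identity={"united_status": "Gold"},
    private={"frequent_flyer_number": "UA0000000"},
)

OFFERS = [
    Offer("HotelA", {"city": "Boston", "wifi": "free", "nonsmoking": True, "gym": True}, 180.0),
    Offer("HotelB", {"city": "Boston", "wifi": "paid", "nonsmoking": True, "gym": True}, 100.0),
    Offer("HotelC", {"city": "Boston", "wifi": "free", "nonsmoking": False, "gym": False}, 120.0),
    Offer("HotelD", {"city": "Boston", "wifi": "free", "nonsmoking": True, "gym": False}, 140.0),
]

if __name__ == "__main__":
    print("published RFP:", RFP.publish())
    for vendor, score in rank_offers(RFP, OFFERS, budget=200.0):
        print(f"{vendor}: {score}")
```

HotelB is cheapest but never reaches the ranking because paid WiFi violates a hard requirement; among the rest, the quality function prefers HotelA despite its price because it satisfies every soft preference. The published RFP carries the Gold status a vendor needs to make a relevant offer, but not the frequent-flyer number.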

I would love to blog "my bread machine is broken, I’m willing to entertain offers" and then have vendors offer me what matches my actual bread-baking behavior (and not what they want to sell me because it creates the highest sales commissions), instead of opening dusty boxes in retail stores, or wading, on Amazon’s terms, through the particular way they think I should be thinking about buying a bread machine. Of course, this is in no way limited to bread machines but applies to pretty much everything in the consumer world and much in the business world. I would think that the power of IT (or ICT) that we now have at our disposal can make this process affordable for a mass market, rather than leaving it reserved for high-ticket items in a business-to-business context only.

It’s clear that for this to work, we need user-centric, portable identity. But given all the adoption and buzz that OpenID is getting these days, and given that Windows Vista (and thus CardSpace) is now actually being shipped, that doesn’t seem to be much of an obstacle …

<gazing to the stars>trillions … wake up Johannes, do something about it! ;-)

Slashdotted

Wow, our article "The case for OpenID" got slashdotted this morning.
