Johannes Ernst’s Blog

Securing OpenID

Much discussion has happened recently about various attack vectors against OpenID, most brought up in the spirit of "I want to help fix it", which is great. In this post, I will try to summarize how to achieve a "security gradient" for OpenID that allows implementors to choose the tradeoff that suits their application best; because it clearly is a tradeoff between security and cost (in its various forms, such as additional hassle or education for end users). This is becoming particularly important as businesses are exploring how to leverage the rapidly growing OpenID community and deployments for business purposes.

At VRM Workshop Today

I’m at Doc Searls’ Vendor Relationship Management workshop in Redwood City today. It’s hosted at the sidelines of the Liberty 2.0 meeting this week.

The Limits of Owning One’s Identity

Update: In the first version, I had mistakenly not attributed Bob Blakley, who had first blogged about this in “On The Absurdity of Owning One’s Identity”. My apologies.

Today’s news illustrates the limits of what I’d call the radical approach to user-centric identity: it is simply not acceptable to fully own (an expansive version of) all of it:

Microsoft Corp. has landed in the Wikipedia doghouse after it offered to pay a blogger to change technical articles on the community-produced Web encyclopedia site.

If we took a radical approach to user-centric identity, there should be no controversy at all: Microsoft should "own" and control all information about itself, and not only should be allowed to edit all information about itself, but should be the only source of identity information about itself.

Note how ludicrous this sounds, in particular about Microsoft. I realize that one could argue that the rules are different for individuals vs. companies, and about direct identity information like name and phone number vs. the history and properties of technical features — but I don’t think it changes the picture substantially: after all, a very similar row erupted last year when congressional staffers "removed unpalatable facts from articles on senators". If the individual was the only entity through which their identity information should be made available, this would not be controversial but the expected behavior. So the radical approach to user-centric identity is not feasible in the real world.

On the other hand, it is clearly a very good idea to put more control over identity information into people’s own hands, instead of more big companies "having (safe) sex with your data", as Doc Searls put it so memorably.

Bob Blakley’s and Phil Windley’s approach for distinguishing between identity and reputation goes a long way for solving this conundrum. Phil summarizes it well:

Identity is my story about me. Reputation is your story about me.

Applying this, the conundrum disappears: Wikipedia should be a source of other people’s information about me (or Microsoft, or senators), i.e. reputation information in Phil Windley’s terminology. We react so negatively because there is a perception of a conflict of interest between the subject and their reputation. We have no problem also letting Microsoft be in complete control over their own story about themselves. When we talk about "user-centric identity" we only talk about the identity part, not the reputation part, which has to remain under the control of others; otherwise public rows erupt, as this example shows.

Where exactly that balance resides between identity and reputation information, and how to technically manage it, will certainly create many more interesting discussions (and controversies) to come … for now, let’s just recognize that there is a difference and who “owns” what is very different.

Horizontal and Vertical Identity Protocols: Where Do They Meet?

The CAD/CAE systems I used in the late 80’s were all special-purpose machines, i.e. hardware configuration, operating system, and application had been optimized for the specific purpose of doing CAD. While, obviously, general-purpose computers were underneath, that’s not how we thought about them: we thought about them as an integrated solution for a specific problem, called computer-aided design (or engineering), and that’s what they were for and optimized for; e.g. special keyboards, special mice, special screens and so forth.

Then, rather suddenly, the special-purpose CAD workstation gave way to a general-purpose engineering workstation that was sold as such. CAD packages became just one of many possible software applications one could run on it. The larger horizontal market (that of general-purpose workstations, with vertical-specific applications on it) had subsumed the specialized vertical market (vertical-specific integrated solutions that were integrated and optimized for that vertical from top to bottom).

Is the same thing going to happen in identity? There are many identity-related protocols in a variety of vertical industries. For example, in healthcare, there is HL7’s (that’s the premier health standards organization) CCOW (PDF) work that includes things such as defining the identity of patients. There are many other examples in other industries where either definitions of identity protocols / data models / … exist, or are under active consideration. How do they relate to the horizontally applicable technologies like CardSpace, WS-*, OpenID, LID, Liberty, SAML etc.?

I tend to think of it this way:

[image]

Typically there is no danger in a vertical standard taking over, or even just being applicable across the entire market in a horizontal fashion — vertical standards tend to be far too specific for that, defining, say, "patient" very well, but not a general-purpose "person(a)". On the reverse, one could sometimes think that there is also no danger of any horizontal standard being successfully applied to solve problems in a vertical industry — horizontal standards don’t tend to be specific enough to provide enough value in those verticals: precisely because horizontal standards don’t define "patient" and all the specific information that needs to be known about patients to be useful in healthcare. The same argument applies in different industries as well, of course.

However, as our world gets more connected, and as people use identity technologies in a variety of contexts (e.g. from the same PC to interact with a social networking site, their healthcare provider and their bank), identity technologies that are completely different and oblivious to each other, simply because they grew historically in different verticals, are not going to cut it any more. Users demand more service, which in this case means: "dear technologists, I don’t care about horizontal and vertical and all the reasons why those have been different in the past. Make my life easier, and more consistent, because I’m not going to change the way I interact with you just because your technology history is different in your industry." There is also the issue of cost and distribution: just like in the case of the CAD workstations, horizontal technologies have a cost advantage because development and other costs can be written off over many verticals, not just one as in the case of vertical standards.

So my prediction is that horizontal identity technologies are going to continue to intrude on the turf of what so far have been vertical identity technologies, and ultimately will be very successful there, simply because the users demand it and there is a clear cost advantage. However, that only works once the vertical-specific bits of what’s needed in a particular vertical have been re-architected to work on top of the horizontal technology, instead of on those parts of the vertical technology that really only were defined in the vertical in the first place because no horizontal technology had been applicable at the time: in my diagram above, that means that where the boxes overlap, the horizontal technology wins out; the parts of vertical technologies that aren’t touched by the horizontal technology will remain in the vertical because without those, the value proposition in the vertical isn’t there. Note that this is exactly the dynamics of what happened with CAD workstations: hardware and operating system largely turned out to be horizontal technologies, while the applications were the parts specific to the vertical and stayed there (and by the way: has the market grown since! We can expect the same in identity as this transition occurs).

A rearrangement along these lines provides the best of both worlds: benefiting from the ubiquity and cost advantages of horizontal technologies wherever possible, while keeping (and now being freed to work even more intensely on) the specifics in the various industries. If you are in a particular vertical and are looking at this situation related to identity, at NetMesh we would be happy to work with you to make this a reality.

Big Words: Time Magazine on the Person of the Year — You

If you have not read Time Magazine’s recent "Person of the Year: You" piece, I urge you to get it. It uses Big Words, Bigger Words than I have heard in a long time about anything, technology or otherwise. It is about the fundamental change in the fabric of our society that is caused by individuals empowering themselves through technology, and so You beat out Ahmadinejad, Kim Jong Il, Rumsfeld, al-Sadr, the new Pope and many other people who clearly mattered in 2006. Listen to this:

It’s about the many wresting power from the few and helping one another for nothing and how that will not only change the world, but also change the way the world changes….

We’re looking at an explosion of productivity and innovation, and it’s just getting started, as millions of minds that would otherwise have drowned in obscurity get backhauled into the global intellectual economy…

And here it comes: (emphasis is mine)

… for seizing the reins of the global media, for founding and framing the new digital democracy, for working for nothing and beating the pros at their own game, TIME’s Person of the Year for 2006 is you.

…[it] is a massive social experiment, and like any experiment worth trying, it could fail. There’s no road map for how an organism that’s not a bacterium lives and works together on this planet in numbers in excess of 6 billion. But 2006 gave us some ideas. This is an opportunity to build a new kind of international understanding, not politician to politician, great man to great man, but citizen to citizen, person to person.

I absolutely agree. However, before it happened it would have been inconceivable to me that a mainstream publication like Time goes out on a limb — which is what it is, from a mainstream perspective — and uses such Big Words. Times are a-changin’, and dramatically and irreversibly so. One wonders (shudders?) what Time will write when our children are the same age as we are now.
