Johannes Ernst's Blog

Microsoft and OpenID: The User-Centric, Open Identity Layer for the Internet Opens for Business

With Bill Gates' keynote announcement today that Microsoft will support OpenID, integrated with CardSpace and a number of other Microsoft products, it is no exaggeration to say that the user-centric digital identity movement has reached its most important milestone so far.

The need for better digital identity management on the open Internet has been undisputed for some time: many kinds of cyber-attacks (like phishing) are rising rapidly, e-mail spam with falsified return addresses is already drowning out legitimate e-mail by volume, and the number of usernames and passwords that a typical user has to remember is going from the dozens to the hundreds. Many promising new products, such as mash-ups of access-controlled data, are only feasible once this problem is solved. A broadly-deployed solution for this problem is overdue.

So far, there have been three major digital identity initiatives:

  • The Liberty Alliance, originally created as a counterpoint to Microsoft's Passport, and now largely focused on identity interoperability between enterprises.
  • The information cards effort, spearheaded by Microsoft with CardSpace and the open-source community with the Higgins project.
  • URL-based identity (OpenID), with implementations from many vendors and open-source projects.

Historically, these initiatives have evolved independently of each other. However, in spite of the competition that clearly has gone on between them, it has been fairly clear to everybody (except the most die-hard proponents of the not-invented-here paradigm) that digital identity on the public internet only has a meaningful future if the plumbing — such as how many protocols are under the hood, and how they integrate — is hidden from the user.

In response, many interoperability initiatives were started: Project Higgins develops open-source code to talk any identity protocol from the same application programming interface and with the same card-based user interface. OSIS, a project that we helped put together, brings together most large software vendors and open-source projects to harmonize their work towards the same objective. OpenID itself is a convergence project of several other initiatives. The Identity Commons was put together as the overall umbrella organization, and so forth.

But Microsoft's announcement today is the first truly significant product commitment for convergence, acknowledging that the identity layer will not only consist of WS-Trust (Microsoft's preferred identity protocol so far), but also include OpenID, which is probably the fastest-growing identity technology on the open internet. There have been other announcements, most notably IBM and Novell's backing of multi-protocol Higgins, but they are eclipsed by today's announcement, because of the relative position of Microsoft in the market, and its distribution channel.

So now that we have reached this milestone, what's next? I think it is safe to make the following predictions:

  • We will see a cacophony of vendor announcements that they also support the user-centric identity layer, using both cards and URLs as paradigms.
  • The explosion in innovation around user-centric identity that we have seen already will further accelerate, creating many new businesses.
  • Businesses will move the user-centric digital identity discussion from "let our engineers figure out how the technology works" to "we need a strategic plan for how we avoid disruption of our business and take advantage of this instead".

Make no mistake: user-centric identity is highly disruptive for almost everybody doing business on-line. Not only will users start refusing to use a site-specific username and password and demand that you accept their own preferred means of authentication; user-centric identity will also further accelerate the mass movement of control from vendors to users, all the way to ideas such as Vendor Relationship Management that sound whacky today, but may not for long.

Many companies will choose to ignore user-centric identity for some time; they do so at their own peril. Others will take the short-sighted approach of assuming that simply by not participating in user-centric identity, their users will have no choice but to interact with them the traditional way. (Wake up! The times of "as long as it's black" are irrevocably over.) And the leading companies in their markets will use this technology for strategic advantage, supported by technology providers such as NetMesh, whose goal it is to give them the tools to be successful in this new world. There is an unprecedented opportunity here to serve customers better, in a way that customers prefer and that leverages not only the company's own assets but the customer's entire social network and the concurrent innovations of the user-centric identity ecosystem that is growing every day.

We're in for an interesting ride ... and Microsoft just made the ride switch gears.


Summary of Bill Gates' Talk on OpenID and CardSpace Today

Here is a summary of what Bill Gates said about OpenID and CardSpace at his RSA conference keynote. (Thanks to Mike Jones, who took these notes and let me publish them):

  • Slide: Evolution of Identity: Making the Vision Real (with picture of two cards in hands)
  • People are used to choosing what credential to use where for what purpose (talking about cards in our wallets)
  • We use a variety of physical tokens to represent these things
  • CardSpace creates a vehicle to allow people to have a GUI for credentials that represent their identities or personas in particular situations
  • Each thing in the physical world conveys a particular set of information and discloses just enough information
  • CardSpace provides a drag & drop interface for identity
  • People will have to acclimate to it
  • People can create their own credentials and others can give you credentials
  • The system reasons about what the right credential is for you to simplify things for users
  • WS-* hints about what credentials are being looked for
  • CardSpace shows candidates for credentials

Then they segued to the OpenID collaboration announcement:

  • Issues of reputation and trust are foundational on the Internet
  • Different levels of trust are needed in different contexts, such as blogs and access to enterprise resources
  • People have been thinking about issues of trust
  • OpenID 2.0 is doing this in the blog / Web 2.0 world, others are coming at this from the enterprise space
  • We see these approaches as being complementary
  • "Today we are announcing that we are supporting OpenID 2.0 and that they're extending what they've done to enable the use of strong credentials"
  • They're doing this because they see that it solves problems and attacks that a pure password approach has
  • We're excited about this marriage of CardSpace and Web 2.0
  • This will help eliminate the possibility of man-in-the-middle attacks
  • CardSpace is built on our work on the WS-* specifications
  • OpenID will be endorsing the CardSpace marriage later today
  • We see this as a very smooth continuum with a common GUI metaphor

Wow, how far a little identity URL can go!
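The bullets above say that OpenID 2.0 identifies a person by a URL and that Microsoft wants to put strong credentials behind it; what the notes do not show is the work a relying party (RP) has to do with that little URL before it may believe an assertion. The following is an added example written for this page, not code from the post, from NetMesh, or from Microsoft's announcement. It walks the RP side of plain OpenID 2.0 (the CardSpace integration announced in the talk is not specified here and is not modelled): normalizing the user-typed identifier, HTML-based discovery of the OpenID Provider (OP) from the claimed URL, and the verification of a positive assertion, including the check that the asserted endpoint and identifiers match what the RP itself discovered, replay protection via the response nonce, and the HMAC signature. All URLs, the HTML page, the association handle and MAC key, and the nonces are constructed for the example; an HMAC-SHA256 association with the OP is assumed to exist already, and only URL identifiers (not i-names/XRIs) are handled.

```python
"""OpenID 2.0 relying-party checks: identifier normalization, HTML discovery and
verification of a positive assertion. Added example, not code from the post, NetMesh
or Microsoft; the keys, URLs, nonces and HTML page below are constructed."""
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

NS = "http://specs.openid.net/auth/2.0"

def normalize_identifier(user_input: str) -> str:
    """Sec. 7.2 for URL identifiers: trim, default http://, lowercase scheme and host,
    default path '/', drop the fragment. XRIs (i-names) are out of scope here."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

class _Links(HTMLParser):
    """Collects <link rel=... href=...> elements; the first occurrence of a rel wins."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            for rel in (a.get("rel") or "").lower().split():
                self.links.setdefault(rel, a["href"])

def discover_html(page: str) -> dict:
    """Sec. 7.3.3: OP endpoint and OP-local identifier from the claimed URL's HTML."""
    p = _Links()
    p.feed(page)
    if "openid2.provider" not in p.links:
        raise ValueError("no <link rel='openid2.provider'> found")
    return {"op_endpoint": p.links["openid2.provider"],
            "op_local_id": p.links.get("openid2.local_id")}

def sign(mac_key: bytes, fields: dict) -> str:
    """Sec. 6: base64(HMAC-SHA256 over 'key:value\\n' lines of the openid.signed fields, in order)."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def verify_assertion(query, claimed_id, disc, return_to, associations, seen_nonces):
    """Sec. 11. claimed_id and disc are what the RP normalized and discovered itself before
    redirecting; the assertion never vouches for itself. Returns (ok, claimed_id or reason)."""
    f = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if f.get("openid.ns") != NS or f.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    if f.get("openid.return_to") != return_to:                           # 11.1
        return False, "return_to mismatch"
    if f.get("openid.op_endpoint") != disc["op_endpoint"]:               # 11.2, blocks a rogue OP
        return False, "op_endpoint does not match discovery"
    if normalize_identifier(f.get("openid.claimed_id", "")) != claimed_id:
        return False, "claimed_id does not match discovery"
    if f.get("openid.identity") != (disc["op_local_id"] or claimed_id):
        return False, "identity does not match discovery"
    signed = f.get("openid.signed", "").split(",")                       # 11.4
    required = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")
    if any(k not in signed for k in required) or any("openid." + k not in f for k in signed):
        return False, "a required field is missing or unsigned"
    nonce = (f["openid.op_endpoint"], f["openid.response_nonce"])        # 11.3, replay protection
    if nonce in seen_nonces:
        return False, "response_nonce replayed"
    mac_key = associations.get(f["openid.assoc_handle"])
    if mac_key is None:   # a real RP would fall back to check_authentication with the OP
        return False, "unknown assoc_handle"
    if not hmac.compare_digest(sign(mac_key, f).encode(), f.get("openid.sig", "").encode()):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, claimed_id

# ---- constructed sample data, not taken from any real deployment ----
MAC_KEY = b"example-association-mac-key"      # would come from a sec. 8 association
ASSOCIATIONS = {"assoc-1": MAC_KEY}
RETURN_TO = "https://rp.example.org/openid/finish"
CLAIMED_PAGE = """<html><head><title>alice</title>
<link rel="openid2.provider" href="https://op.example.net/auth">
<link rel="openid2.local_id" href="https://op.example.net/id/alice"></head><body>hi</body></html>"""

def op_assertion(mac_key, op_endpoint, claimed_id, local_id, nonce, handle="assoc-1"):
    """The positive assertion an OP sends back through the user's browser (sec. 10.1)."""
    f = {"openid.ns": NS, "openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
         "openid.claimed_id": claimed_id, "openid.identity": local_id,
         "openid.return_to": RETURN_TO, "openid.response_nonce": nonce, "openid.assoc_handle": handle,
         "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    f["openid.sig"] = sign(mac_key, f)
    return urlencode(f)

def run_demo() -> dict:
    """Honest login, its replay, a rogue OP asserting alice's URL, and a wrong-key forgery."""
    claimed = normalize_identifier("  Example.COM/alice#profile ")
    disc = discover_html(CLAIMED_PAGE)
    args = (claimed, disc, RETURN_TO, ASSOCIATIONS, set())
    honest = op_assertion(MAC_KEY, disc["op_endpoint"], claimed, disc["op_local_id"], "2007-02-06T10:00:00Zabc")
    rogue = op_assertion(b"attacker-key", "https://evil.example/auth", claimed, disc["op_local_id"], "2007-02-06T10:00:01Zdef")
    forged = op_assertion(b"attacker-key", disc["op_endpoint"], claimed, disc["op_local_id"], "2007-02-06T10:00:02Zghi")
    return {"claimed": claimed, "discovered": disc,
            "honest": verify_assertion(honest, *args), "replay": verify_assertion(honest, *args),
            "rogue": verify_assertion(rogue, *args), "forged": verify_assertion(forged, *args)}
```

Running `run_demo()` accepts the honest assertion once, rejects its replay on the nonce, rejects the rogue endpoint before any signature is even looked at (this is the check that keeps one OP from asserting another provider's users), and rejects the forgery with the wrong key on the HMAC. The order matters: discovery is done by the RP before the redirect, and the response is compared against that, never against fields the response carries about itself.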


OpenID and CardSpace Marry!

Wow! After two years of hard work, we are finally getting real convergence in identity land! Today, Bill Gates announced in his keynote at the RSA conference that Microsoft will support OpenID. Here are some posts covering the news:

At NetMesh, we've held for a long time that URL-based identity (OpenID, with its roots in LID, i-names and Sxip) and other technologies such as CardSpace have to come together so we can really get to an interoperable, multi-vendor, user-centric identity layer for the open internet. That's why we helped put together OSIS, and why we have engaged in lots of activities of that nature.

Now even Bill Gates supports the same vision! Yippie!! (apologies for being too excited, but this is exciting!)

Just pointed out to my wife — who wrote the first line of code, ever, about three years ago, implementing URL-based identity — that in some way, she should now be famous!
