People don’t buy plumbing, they buy a nice house that happens to include plumbing (otherwise it wouldn’t be a nice house).

So if OpenID and all the other members of the “Open Stack” are mere plumbing, as I have come to believe, they are the plumbing of what? What is the equivalent of the house here, i.e. the thing that people buy or want?

It could be the plumbing of the internet. Like HTTP, TCP/IP, DNS and so forth. But I think that misses the picture: stovepipe sites work just fine on the internet without these new technologies.

It could be the plumbing of what some people now call the “social web”. Perhaps, but I have to admit I have a hard time believing that anybody will go out and want to acquire “the social web” like they would acquire a house. It’s even easier to say “I’m going to get an OpenID today” than it is to say “I’m going to get the social web today”.

I think that “what” is the big elephant that has been in the room since the very first identity discussion that I participated in so many years ago.

That is what we need to figure out, as a budding industry, more than anything. Plumbers have no business, and plumbing supply stores have no customers, unless there are houses and people want to buy them.

I do have some opinions … some other day.

This time, they moved the second IIW of the year forward to November. As usually, it will probably be worth it.

I’m registered.

Time: Tuesday, November 03, 2009 at 9:00 AM - Thursday, November 05, 2009 at 5:00 PM
Location: Computer History Museum, Mountain View, CA

So what exactly are we all building here?

OpenID?

OpenID plus OAuth plus Yadis/XRD(S) plus Portable Contacts plus OpenSocial plus activity streams? That’s a handful, so some have been calling it the “Open Stack“. Is that what we are building?

But what about RSS (and syndication in general), iCal feeds, widgets, mash-ups and so forth? They go beyond the “Open Stack” but clearly relate somehow.

Today’s insight: they are all internet plumbing and that’s why they all don’t matter in the end.

None of them matters to the end user, just like nobody cares about the plumbing for a faucet vs. one for a sink. Except for the plumbers, of course, who cannot understand why the world doesn’t passionately want the latest and coolest pipe fitting underneath their sink.

Ever been at the receiving end of a pitch by a plumbing supply salesman? Being plumbing supply salesmen is exactly what we are doing when we are out there pitching all these acronyms.

So instead of calling them Open Stack or any other fancy kind of name, let’s call them all what they are: plumbing. Necessary, but fundamentally boring to almost everybody.

The question becomes this: a lot of plumbing supply companies are rather successful businesses, and high-priced plumbing supplies do indeed sell. What is it that these guys know that we OpenID / Open Stack guys don’t?

Bob Blakley at the Burton Group just published a report on “The Business of Identity Services”. He focuses on services at the identity provider side and outlines possible identity services businesses on the identity provider side in some detail.

It seems he is more optimistic about new identity services business opportunities than I am at this time.

He concludes:

Business opportunities for identity services providers are being created by the expansion of the
universe of identity requirements and by severe cost pressures arising from the recession that began in 2008. Identity services businesses have emerged in response to these opportunities, and more such businesses will continue to emerge in the coming few years. The time to start evaluating these services and judging their cost reduction potential and business risks is now.

Perhaps we don’t really disagree. After all, there is a big timing difference between enterprises starting to evaluate something (which is what he recommends at this time), and the time something actually is deployed (which is when there might actually be a business, which was the focus of my post).

Martin Kuppinger, leading analyst of all things digital identity, based in Munich, Germany, called earlier this week for a conversation about business models for identity product and service companies.

A good reason to ponder what we’ve learned in the past year or so about those business models or, more correctly, lack thereof. Here are my thoughts:

On the identity provider side:

• It’s been conclusively established that there is no business model for a standalone hosted identity provider. Many companies have tried, with nothing to show for it. FreeYourID is the latest to give up. With MyLID.net, we had one of the first ones at NetMesh, but stopped investing in it years ago. Seems we did the right thing there. There is no indication that some newcomer could suddenly make it work either.
• White-labeled hosted identity provider. Some companies tried that, and at some point it looked like there was a “there” there, but the vast majority of identity providers on the internet are homegrown. Major companies (say, banks) that should want to be identity providers so far have shown no inclination to want what we would want them to want. There are no indications that this will change any time soon.
• Authentication provider (i.e. a minimalistic identity provider that only wraps a standard identity protocol, like OpenID, around strong authentication, like a smart card). This could work for vendors in the strong authentication business, but so far there is no existence proof. I don’t think anybody has really tried, so it’s too early to tell.
• Identity provider as part of a larger product that does not focus on identity per se. This approach has been very successful. Examples: Amazon is an identity provider of their customers for the merchants on their site. Facebook Connect. Downside: it’s not a new business opportunity, only an add-on to an existing business.
• Identity provider software. Long-established, moderately successful, dominated by enterprise software companies like Oracle, Sun, IBM etc. Not a new business opportunity either. No evidence that it works for sites outside of the corporate firewall though.

On the relying party side:

• Relying party software kits. There is a range of open-source libraries with many customer complaints against them. They prove just how hard it is to productize such a kit, and there is no evidence that anybody would license such software. Does not look like a business opportunity.
• Relying party functionality as part of a larger product tends to be in high demand. However, that’s just another feature of an existing product, and thus not a business opportunity except perhaps for being acquired real quick by the vendor of the product.
• Relying party functionality as-a-service is an interesting idea that has been around for a few years with little uptake. However, that may be changing slowly. A number of business questions will have to be sorted out before there is any chance of major uptake. And: can sufficient revenue be generated from it? Nobody knows.
• Strategy or technical consulting related to accepting identities. That opportunity certainly exists, and we’ve helped a few customers there and earned a few dollars. However, it remains to be seen whether there is a mainstream market for it, not just a few early adopters.

Value-added services:

Many people have ideas for value-added services that could be sold once sufficiently many users used internet identities at enough sites. The trouble is that the transaction volume for OpenID (or any other identity technology on the internet) is still far too low to make this viable.

So the verdict here is: perhaps in the future.

So what’s an analyst, or conference organizer, or entrepreneur, or venture capitalist to do? My take:

Hang in there, keep the burn rate low, make no major moves, would be my advice. (Believe it or not, sometimes I’m being asked about my advice on this.) All the signs are pointing in the right direction, the latest being Google’s major OpenID push. Let’s not confuse being majorly annoyed how long this is all taking (speaking about myself here) with something being fundamentally wrong (because there isn’t).

Sooner or later, at least the value-added services opportunity will emerge. Perhaps others. But so far it has not yet.

P.S. of course I appreciate your comments, particularly if you disagree