Johannes Ernst’s Blog

The “Lack Of User Demand” for Internet Identity

Alexander van Elsas left a comment on my post “On Identity Business Models or Lack Thereof” that I feel I have to respond to. It is not the first time I have heard a comment along these lines, so this is more a response to “everybody”, not specifically just to him. He writes:

…The underlying issue (imo) is that there isn’t a user demand. Users either don’t know or care, and it is therefore hard to get them to use a standalone hosted identity provider and pay for it.

…The technology is not the biggest bottleneck right now, it’s the naiveness of the user.

Pardon me, but this very much sounds like the old “our software is great, if it wasn’t for those darned users”. To which the equally old, and always-correct answer is: “No, the user is never the problem. As vendors, we either solve a problem for our users, in which case they pay us, or we don’t. If users don’t use our ‘solution’, we either don’t solve an actual problem, or we don’t explain well enough how we solve the problem, or our solution is simply not good enough for the user.”

At this point, it is very clear that consumer identity providers do not solve a problem for users that is commensurate with paying money. (I would go further and say that the product category “consumer identity provider” is most likely never going to be able to get many users paying for it.)

To quote Pip Coburn: “People are only willing to change when the pain of their current situation outweighs the perceived pain of trying something new.” We are not there yet in identity land, even if we’d all like to be there.

Five Bears in One Day!

We went to Yosemite this past weekend. In the past, we’ve seen deer, coyotes of course, an occasional rattlesnake, a bobcat once, and every few years, a bear.

And this Sunday morning, in two encounters, a total of five bears, right from Tioga Road without even getting out of the car! Here are two of them. Of the five, three were youngsters and two adults.

Amazing.

Nico Popp Outlines Government OpenID Adoption

Nico Popp, over at VeriSign, has an interesting post outlining how he thinks the US federal government will adopt OpenID:

… there is a clear view that the deployment of low level assurance identities is only a critical first step, not an end in itself. With the initial OpenID pilot, the administration is seeking to teach Internet users how to conveniently and confidently re-use their identities across multiple sites. Federation is a new behavior and as such, it requires training. Federal and State web sites will provide an important training ground of relying parties. … once consumers are comfortable using distributed identities, it becomes possible to alter the login experience by introducing stronger security and identity assurance. This is the ultimate end game since high assurance identity services are pre-conditions to new strategic initiatives.

He reports that there is broad understanding that identity management along the lines of OpenID is critical for many other initiatives, including health care:

To counterbalance the $900B expense that the new Obama plan calls for, electronic health records must come to reality. However, eHealth requires access control across a large and complex ecosystem. Users must be able to register, login and access private data across physicians, hospitals, pharmacies, labs, insurance, and employers’ Web sites.

And, I may add, it is clear that having separate usernames and passwords for each one of them is a non-starter. The fact that both Google and Microsoft are OpenID supporters and offer electronic health record-like software as a service could act as a very useful jolt to the health technology vendor cabal, too.

Interesting to see how this will shake out …

Is OpenID/Open Stack What Grand Central Tried to Do?

Remember high-profile Grand Central Networks, which was one of the very few high-flying tech startups after the collapse of the dot-com bubble? (Not to be confused with what became Google Voice; they only reuse the domain name.)

Grand Central was founded by Halsey Minor, with the vision of electronically connecting companies and ASPs via standard protocols, so information could flow across companies along a supply chain, for example.

His envisioned architecture was modeled along the lines of a phone company: give everybody a simple plug to plug into, and do a lot of complicated routing and switching in a centralized manner as a service. Perhaps later connect to other phone companies.

That model failed, of course. Part of the reason may have been that the whole web services movement with all of its complexity and its associated high software prices took the vision sideways. He might simply have been too early in the market. And the phone company architecture may also have been the wrong one.

But I’m getting the impression that the identity community is attempting to do the same thing, whether we know it or not. Interestingly:

  1. we started with identifying users and proving to other entities who they are. (The URL as globally unique identifier, and single-sign-on, via LID and OpenID)
  2. then we added the movement of some related data (profile exchange, PAPE)
  3. the ability to authorize others to access information (OAuth)
  4. more complex related information (Portable Contacts)
  5. now we are getting into moving larger amounts of data (artifact binding)

It’s a very gradual and slow process, but if we keep going down that path, where will we end up? I think it includes right where Halsey Minor wanted to be. And there is a chance that this approach will work: consumer/open internet-driven adoption works better for this, “free” works better, a decentralized/federated/multi-party approach works better as it aggregates a lot more business cases, a pluggable systems approach works better and so forth.

If it turns out to work, it will be at least 10 years after his vision, more likely 15.

Stuff for thought. Being the first in the market is for suckers.

OpenID and Government

Today’s news about major identity initiatives in the US Federal Government is indeed great news.

But it does make me think. Kick Willemse asked the key question on an OpenID mailing list:

How about a Dutch (international) OP fulfilling all criteria?

What about one in Russia or China? Would the US government accept identities asserted by an entity outside of the country? What about Iran? Before the revolution?

What about a multi-national headquartered in, say, New York? That serves some of its identities from a data center in Mexico? If it now moved headquarters to Bermuda, what then? What if it was acquired by a Chinese company with strong ties to the Chinese government?

Given that identities last much longer than the whims of foreign relations (or M&A activities), doesn’t this open up so many different cans of worms?

The only solutions to all these issues that I can think of are:

  • either the individual is in charge of identity provider selection
  • or the US government becomes its own identity provider, which in general is not an unreasonable position to take (think passports)

But neither of those is foreseen in the deployments that are planned. So I’m confused where exactly this might be going …
