Digital Identity is maturing — into three sets of distinct standards that serve the needs
of three distinct stakeholders. I briefly talked about this last month at the identity
developer workshop, and none of the many "insiders" present really disagreed, so I thought I'd
write it down here on my blog.
Just a few years ago, identity was largely fragmented into many proprietary, single-application or
single-purpose stovepipes. There were only two exceptions: Microsoft's Passport and the then-new
Liberty Alliance effort to build a rival to Passport that was not dominated by Microsoft.
Since then, Liberty has been quite successful within enterprises and at the boundaries of enterprises
with some of their business partners, such as 401k providers inside corporate portals; I
recently heard a prediction that Liberty is on track to have 1 billion (!) identities by the
end of 2006. Passport has largely been discontinued for non-Microsoft sites, and will be
superseded by Microsoft's new InfoCard initiative, built on WS-Trust and a number of Microsoft
technologies. InfoCard is expected to be bundled with each copy of Windows Vista.
But two major things happened in this evolution that, in a way, few expected:
- An entire new branch of identity emerged almost overnight: user-controlled identity,
or as some people call it, "independent identity". At its heart was the realization
that "we are the people", that identity should emanate from the people whose identity
it is, rather than from outside organizations — whether government or business. In hindsight,
we shouldn't have been surprised: this is a direct reflection of the societal mega-trend of the
democratization of technology and information that seems unstoppable and that is very disruptive.
- There is now almost universal agreement that for identity to matter as a technology, and to
become a real enabler for business, it must be universal, and therefore universally interoperable.
Nobody has been more relentless in evangelizing this vision (he calls it the identity "meta-system") than
Kim Cameron at the very same Microsoft that only a few years ago wanted to take over the world with Passport.
So as 2006 dawns and the identity conversation
continues, it is becoming clear that identity is rapidly consolidating around three pillars,
shown in the following diagram:
As you probably saw already from my use of quotes in the picture, I'm going to exaggerate a bit to make
my point.
- The company-controlled identity pillar, which is rooted in the Liberty standards. This
pillar is ready-made for corporate adoption: identity is "given" to the individual by the
corporation (e.g. the employer), and it is the corporation that decides which
identity attributes are managed and shared with whom. Even if the corporation gives
the individual many choices, it is ultimately the corporation who decides whether or
not to give those choices to the individual.
- The "Microsoft"-controlled identity pillar. I have put quotes around Microsoft
because, on one hand, Microsoft of course does not control WS-* (at least not by itself),
which is a major component of this pillar. On the other hand, the adoption of this pillar
will be driven by Windows Vista and InfoCard adoption and the particular subset of
WS-* that Microsoft has chosen to support (unless, of course, somebody builds it
into Linux or all cell phones ... but so far, I have not heard about an announcement
of this kind, so I don't think I'm wrong to identify Microsoft as the major driver here).
- The user-controlled identity pillar, where the individual is fully in control:
over identity providers, over attributes, over whether or not to have an identity or
how many, over the software to run, and over the feature
set associated with their identity. Its most visible sign is the use of URLs to
point to people, just like we use URLs to point to companies or documents. This
pillar is rapidly coming together in the YADIS community, which essentially
facilitates an open marketplace of interoperable identity-related features from
which the individual may pick as many or as few as they like.
As we go into 2006, at least two of these pillars are still very much in flux: Microsoft's
Vista/InfoCard is not on the market yet, and YADIS hasn't released a 1.0 spec yet.
The current focus of work is within those pillars: getting Vista/InfoCard out the door,
making it interoperable with, say, IBM's WS-* implementations, as well as working
hard to make the URL-based identity implementations interoperable.
However, by the end of 2006, chances are that the pillars will be solid and working
well, and that construction will have moved on to making the three pillars interoperable.
Questions like the following ones will move up to the top of the agenda:
- "Given we have a broad Liberty infrastructure and given that we
are upgrading our PCs to Vista, how can we use InfoCard on the PC with Liberty on
the backend?"
- "Given that so many blogs are already a form of URL-based identity, how can
we use that together with InfoCard?"
- "Given that our customers want to bring their own, user-controlled identity when
they interact with our website, how can we connect user-controlled identity
with company-controlled identity?" (example).
People today sometimes still ask "But won't pillar X (depending on who is doing the
asking, X is a different pillar) take over the world and become the one and only
way of doing identity?" I hope that from this discussion it is clear that this is
quite unlikely to happen. We have these three pillars; they have
evolved and exist for good reasons, and each of them will remain compelling
for its own reasons. But the good news is that there are just three of them, and so
there is a good chance we can connect all three over the coming years
and make them interoperable.
Which means that, going into 2006, it looks quite possible that we'll be getting universal,
interoperable identity after all. Yes!