Monday, October 24, 2005
The correct way to think about identity...
There are two bloggers on identity management that I read with passion. First, there is Archie Reed of HP and the second would be Kim Cameron of Microsoft. Sadly, both are having the wrong conversations when it comes to identity. The perspective they share is from the viewpoint of the consumer when the conversation from the perspective of the corporation is more interesting.
For example, due to laws such as Sarbanes-Oxley, a manager needs to attest on a periodic basis that all of their direct reports have access to the systems they need while not having access to the systems they don't. While this appears to be a fairly simple statement, when dissected it becomes more difficult. Imagine working in a large enterprise where there are 200,000 employees. Wouldn't it be useful to record centrally the notion of attestation? Wouldn't it be useful in a court of law, when the government comes with their subpoenas, that this recording was digitally signed? Makes me wonder if Archie and Kim ever had the opportunity to talk to the folks at Accenture, PWC and Deloitte about certifying identity?
Even if you were to ignore corporate environments for a moment, the conversation is still flawed. Users don't pick a digital identity solution. Nowadays, with large enterprises preferring to buy systems over building systems in-house, they don't pick a digital identity solution either. In the real world, identity is analogous to plumbing in that it simply is embedded into a larger context.
When one buys a house, they specify things like color of paint on the walls, siding and carpet but usually don't have much say in the color of the pipe of their plumbing. Identity is plumbing. Users don't demand plumbing and users don't demand identity in the sense they blog about it.
Others within the blogosphere are now talking about Sxip and Identity 2.0, which will repeat mistakes already made. As an architect and advocate of open source wherever possible, I think they did well here by making it open. Likewise, they have done an equally good job of solving for various system qualities (i.e. availability, scalability, performance, etc.) and have even done wonderfully in advocating various standards around it. But they failed on two important aspects...
First, they didn't define how Sxip will interoperate with other identity implementations. After all, we can't believe that there will be a single uber-identity? Do we really have faith in corporate America and their ability to adopt the same identity proposed by this standard such that there is one?
Interoperability is key to the success or failure of an approach. Sxip, if done correctly, should interoperate with identity approaches used in corporate America today including Kerberos, Active Directory and so on. The one pet peeve that torques me is when open products don't interoperate with other open products. How about making it interoperate with OpenSAML?
Kim Cameron has done a wonderful job of coming up with a metasystem whitepaper, but he too is leading us in a direction that is not ideal. Reference architectures need reference implementations. I really hope that Kim will push his bosses to create an open source reference implementation of the identity metasystem, otherwise I would encourage others to run in the opposite direction. Sxip did get this right.
Some within the community will argue whether the approach used by Sxip is really standards based in that it wasn't run through a standards body. My own thinking in this matter is they did the right thing. The vast majority of standards bodies are filled with vendors looking for standards as an advanced form of branding. Standards bodies themselves need to invite end users to participate and ratify standards and stop being insular.
Anyway, I hope that Kim Cameron has thought about making Sxip interoperable with the identity metasystem he is proposing. Inquiring minds would love to know...