Belated notes from Digital ID World

Here are some belated notes from the digital ID conference. I couldn't post from there because there was no FTP connection to the outside world.

I'm at the digital ID conference. InfoWorld's special report this week on identity management and provisioning was nicely timed! Unfortunately I missed Phil Windley's talk, while the airport shuttle was giving me a scenic tour of the Denver metro area. He's blogging up a storm, by the way. Apparently Phil can listen, think, and write all at once. Astonishing. Here's the conference's aggregated weblog.

Ken Klingenstein, who is project director for the Internet2 Middleware Initiative and Chief Technologist at the University of Colorado at Boulder, is a firehose of information about, and enthusiasm for, Shibboleth. It is, first of all, a scheme for federated Web SSO -- or as Ken says, ISO, for Initial Sign On. OpenSAML is the format used to share authentication assertions within a federation. It's therefore Liberty-like, but with a privacy twist that Liberty hasn't (yet) addressed. In Shibboleth there's strong accounting of which items of personal info are released. That, as much as the SSO effect, is what makes Ken think this system could have commercial legs.

Ken notes that while we have certification authorities (sort of), we lack attribute authorities. From the Shibboleth FAQ:

Often, a set of attributes about a user is what is actually needed, rather than a name, with respect to giving the user access to a resource. For example, pubs and bars don't register their customers by name, but rather ensure that each customer is at least the minimum drinking age.

(See "Translucency and selective disclosure")

Identity, in and of itself, isn't incredibly hard. Wrapping useful context around identity is the trick.

Shibboleth is an open source project, with a major release due shortly. How long does it take to implement the system? "Between 4 hours and 3 years," Klingenstein joked. Translation: if you've done your homework, built directories, defined users and roles, then you can layer Shibboleth on top. Otherwise, roll up your sleeves and get busy. No shortcuts.

Enterprise identity roadmap

Jamie Lewis, CEO of the Burton Group, sang the same tune from an enterprise rather than a higher-ed perspective. An identity at its core can be anything, a random number even. Building a context around it -- managing the attributes, not the identity -- is the strategic business issue. And it's really strategic. Do it well, you enable new business models. Screw it up, you'll regret it.

Jamie's roadmap for identity management:

It starts with a directory, which can be an LDAP or other repository, and can be virtual -- for example, your mail system is authoritative for email addresses, the HR system for family info. What identity products and services do, then, is help you build out more attributes. Enterprises need help to define users, groups, and roles. And they need even more help when it comes time to undefine them. Reliably shutting down all of a terminated employee's accounts within 24 hours is a critical, but today almost unattainable, requirement. Solutions to that problem will not have a hard time demonstrating ROI.

On the subject of federated identity vis-à-vis XML Web services standards, Jamie is optimistic. He sees SOAP, WS-Security, and SAML as the basis of an emerging consensus which, in his view, creates a new role for PKI. His example: rather than issue certs to every employee, a company certifies itself, and then signs SAML assertions on behalf of its employees. Nice point! As confusing as the XML Web services stack may appear, it is not recapitulating X.500's monolithic architecture. SOAP, WS-Security, and SAML are well-scoped to support organic growth. Since that's the only way forward, I'm encouraged by Jamie's hopeful outlook.
