Ceremonial identity tokens

The annual PKI deployment summit at Dartmouth College is becoming a summer tradition. Sure, it's an excuse to drive up to the impossibly picturesque town of Hanover, New Hampshire, but I'm also fascinated to learn how the leading PKI geeks in higher education are pushing that technology forward.

Universities differ from other large enterprises in ways that make them bellwethers for IT's future. The user population is transient, hardware and software monocultures cannot be imposed, and collaboration across institutional borders is mission-critical. These are excellent circumstances in which to evolve methods of identity management that will also meet the requirements of corporations as they increasingly outsource work, connect with customers through the web, and engage with partners in federations of web services. [Full story at InfoWorld.com]

Usability, or rather the lack of it, has always been PKI's Achilles' heel. The major initiatives discussed at this year's conference -- identity tokens and trust federation -- jointly address that problem.

As I mention in this week's column, the question of which token to use is far from resolved. Universities like USB tokens; the feds have mandated FIPS 201 cards; most people would rather just use chips in their cellphones if they could.

But in any of these scenarios, giving someone a token is (or should be) the kind of ceremony that Kim Cameron describes in his sixth law of identity. Yes, it's a bureaucratic procedure, but it's also a social ceremony, the psychological value of which was stressed by several of the identity administrators I spoke with. A certificate stored in your browser, on one or more computers, is just an abstraction. A token nails down the abstraction. "People find them easier to deal with than soft keystores," one fellow told me. "With a token in hand, you have something concrete you can hang the concepts on." It tangibly represents the social contract between the token issuer and the token holder.

As a happy consequence, these PKI administrators are now being pushed by their users to token-enable more resources. One trend that will help here is the maturing infrastructure for cross-institutional trust. But my hunch is that things won't really shift into high gear until the token works with doors as well as websites. My podcast with CoreStreet's Phil Libin explores what the convergence of physical and virtual security will be like.

Former URL: http://weblog.infoworld.com/udell/2005/08/16.html#a1290