I am Card-enabled

For a few weeks I have been running IE 7 Beta on my desktop at home. Kim’s blog pointed me to Craig Burton’s blog, which pointed me to this sandbox site for .NET 3.0 and Infocards.

I downloaded the July CTP of .NET 3.0, expecting a lengthy install, a few reboots and possibly some problems. None of that. In about ten minutes the software was installed and I was already creating a self-issued card. Minutes later I could seamlessly log in to the sandbox and to Kim’s blog (where I could finally post a comment about a previous post).

So it seems that .NET 3.0 July CTP and Cardspace are already showing a great deal of quality. Good work!

Coffee-shop loyalty card, an identity?

In this blog post I was explaining why I didn’t think the example of a coffee-shop loyalty card as an identity was very good. Pat Patterson was so kind to comment, explaining why such a card was indeed an identity. After some thought I think we are talking about two different things. In other words, it comes down to the definition of a coffee-shop loyalty card.

I started with:

… a coffee-shop loyalty card is used as an example of a card-based identity. That confuses me. Assuming, from the example, that the card does not contain any personal information like name or address, how can it be seen as a card-based identity? The only connection this loyalty card has with a person (identity) is that it is carried around by one. But that would make a lot of items suddenly card-based identities. The card cannot be used to identify or authenticate a person and has only value to the person carrying it around, but it is in no way connected to that person. Following this reasoning, the 10 EURO note I am carrying around is also a card-based identity.

Then Pat commented:

The coffee-shop loyalty card is an identity. The coffee-shop can build a profile of your purchasing habits over time. Sure, it’s identified as ‘74382432’ rather than ‘Joe Schmoe’, but it’s still your coffee habit.

And it’s easy for the coffee shop to link ‘74382432’ to ‘Joe Schmoe’ – they could encourage you to register your card online in return for free coffee; alternatively, they can just read your name off your credit/debit card the first time you use it to pay for coffee…

If the loyalty card points to me, either directly or indirectly, it is representing an identity. However, I started with the assumption (although I admit that this was not very clear from the earlier post) that the loyalty card did not contain any such information.

If you say that a coffee-shop loyalty card is an identity, whose identity are you referring to? In case the card is completely anonymous (no number, no name …) it is the identity of whoever is carrying the card around at that time. If I drop the card on the floor then the person who finds it will get the benefits associated with the card.

So, depending on what information the card contains, it can point to nobody (or should I say everyone) or to a very specific person. I personally wouldn’t call the card an identity when it is pointing to nobody.

Is there an identity silo paradox?

When reading Eric Norlin’s latest blog, I was very pleased to see that he got the point I was making on the Identity Workshop Google group:

Put simply, the identity silo paradox is this: The largest sites on the internet have built silos (some ever-deepening) of identity information. Simultaneously, the “identirati” have been working on standards and methods that are based on the premise of opening up those silos, yet (paradox coming) the large sites currently have no valid business reason for doing so. Why would eBay open up their reputation system? Why would Google allow you to use a Yahoo! credential to log in to their systems?

Today we have identity silos that we assume are not interoperable because the technology to glue them together is missing. That is one of the reasons why the “identirati” have embarked on a quest to create standards and methods targeted at opening these silos. But is a lack of the right technology really the only reason?

Even if Google, Microsoft and Yahoo! used the same technology, I doubt they will ever enable interoperability. None of them is only a provider of identities; they are also providers of services, and they make their profit on the services, not on the identities. Being able to hold a tight grip on the identities enables them to take a holistic approach to branding their ecosystem. Think about it: Microsoft Cardspace will extend the metaphor of a “card” to a real graphical representation of it. Do you think Yahoo! will not take the opportunity to get Yahoo! branding all over their cards? If a user logged in to a Google service using a Yahoo! card, to the user that would almost feel as if they were using a Yahoo! service!

Will this change over time? Probably. As Eric points out, the forces on the web will eventually lead to more interoperability and not only on the technology front. But today, identity silos have no business reason to break down the walls and accept identities from elsewhere.

Ben Laurie from Google (and of Apache-SSL fame) said the following:

Where does Microsoft’s work on Infocard or Live ID or whatever-the-passport-nom-de-jour is show that Microsoft has any intention whatsoever of opening their silo? What it shows is that they think everyone else should open their silo.

To me, Ben is right on target with that remark. So it seems like we are heading towards the same identity silos but walled for different reasons.

On the bright side, at least on Vista, users will finally have a consistent and secure experience when dealing with identities thanks to Infocards and more specifically Microsoft’s Cardspace. That alone is worth the effort.

Address-based identities versus Card-based identities

I was reading this blog entry about address-based identities versus card-based identities. I am still thinking about the contents and will post some more thoughts about that blog in the next few days. There was however one example in the blog I would like to comment on right away:

What’s more, both address-based identity and card-based identity can be further classified in some very helpful ways:

  • Address-based identities can be broken into resolvable and non-resolvable. While an address-based identity is always unique in the address space in which it is assigned, that doesn’t necessarily mean it can be resolved, i.e., dereferenced via a mechanism or protocol that provides further discovery of or communication with a digital subject. An email address is a good example of the former; a browser cookie a good example of the latter.
  • Card-based identities can be broken into addressable and non-addressable. This means that some card-based identities may contain an address-based identity and some may not. A business card is the classic example of an addressable card-based identity; in fact the primary purpose of most business cards is to share address-based identities. On the other hand a coffee-shop loyalty card is a good example of a non-addressable card-based identity: while it describes identity-related attributes of its owner (how many cups of coffee they have purchased), it may not contain any address-based identity whatsoever (not even your real-world name).

In the second bullet a coffee-shop loyalty card is used as an example of a card-based identity. That confuses me. Assuming, from the example, that the card does not contain any personal information like name or address, how can it be seen as a card-based identity? The only connection this loyalty card has with a person (identity) is that it is carried around by one. But that would make a lot of items suddenly card-based identities. The card cannot be used to identify or authenticate a person and has only value to the person carrying it around, but it is in no way connected to that person. Following this reasoning, the 10 EURO note I am carrying around is also a card-based identity.

Welcome

For a few months I have been toying with the idea of blogging. Not about my personal life, but about my work in the world of identity and access management.

A few years ago the company I worked for, SilverStream, was acquired by Novell. Since that moment I have been involved in identity management. Currently I work for Ascure, a Belgian company specialising in Information Security. I am still focused on the subjects of identity and access management in my role as competence center leader.

When time permits, I hope to share some of my ideas and thoughts about the subject.

Hope to see you back soon!