May 2006


Michael Graves blogs about the new personal identity provider Verisign have just unveiled. The service supports OpenID and hopefully we shall see a number of sites supporting OpenID in the coming weeks.

This development also points out a rather obvious omission from my list of possible identity providers, namely the current crop of certificate authorities who are already identity providers. Tut tut.

Mark Dixon continues his thinking about how user-centric identity will work in the real world by asking whether credit bureaus will be identity providers. He poses some questions to explore that:

But now the questions:

  1. Will online vendors be willing to pay a fee for each identity verification?
  2. Will consumers be willing to pay a fee for these transactions?
  3. Will consumers trust credit bureaus to deliver reliable information?
  4. Will credit bureaus offer the service out of the goodness of their hearts?
  5. Does anyone really care?

I’ll take a stab:

  1. Are they now?
  2. Are they now?
  3. Do they now?
  4. Do they now?
  5. Do they now?

Certainly credit bureaus are a likely supplier of identity information, and for the same reasons they supply that information now they will continue to supply that information. With user-centric identity the money still flows, it is just that the data got routed a different way. I don’t think it can be stressed enough that business adapts to the environment and not the other way around.

So who will be the identity providers? Well, there is a long list of potential providers, including:

  • Credit bureaus
  • Banks
  • Schools
  • Universities
  • National Governments
  • Local Governments
  • Professional Associations
  • Clubs
  • Online Vendors
  • Online Service Providers
  • Employers
  • Family
  • Friends
  • Colleagues
  • Everyone else

Pretty much anyone who provides identity information on your behalf now. I don’t worry about credit bureaus, they know how to extract cash for services rendered. And maybe, just maybe it doesn’t make sense for them to provide your credit score directly to or through you, but then maybe, just maybe, they see an opportunity to extract cash directly from consumers in a way that reduces their costs in providing the service. Who knows?

I worry more about creating a trust framework that can scale to that level. It isn’t federation. It isn’t all PKI. I think it is somewhere in between. And servers in the sky that respond to every request for every little detail in real time don’t seem like a good answer. For anybody.

All joking aside - I believe the business relationships that do and will exist between consumers, vendors and identity providers are every bit as important as the underlying technology. But I hear people talking more about competitive protocol stacks than business plans.

I agree completely. If user-centric identity were federated identity or enterprise identity then I would be expecting a nice cost-benefit analysis from the business folks who plan on selling the stuff into the enterprise. However, that just isn’t the direction this thing is coming from. This is credit cards, not backend infrastructure designed to reduce operating costs. If every customer you get in your store has a credit card and a good percentage won’t touch cash, you either get the POS hardware required to take credit cards or you lose the business. Today, every vendor site is designed around how many clicks it takes to establish a relationship with a new customer. They are counting clicks and yet the biggest barrier is filling out the web form. Let’s make that one click. Credit cards.

User-centric identity is that big dog, putting the power in the hands of the people, and hey you, enterprise, start cooking up the scoobie snacks.

Mark Dixon blogs about two additional success factors he believes are required for user-centric identity to be successful.

Okay, these may be necessary, but are they sufficient? I propose two other factors that must be in place:

  1. Extremely large scale. Perhaps Dick intended this in the “Internet Scale” statement, but he didn’t explicitly say so. This is essential for mainstream adoption. If user-centric Identity is going to really work, it must be adopted by the big dogs - eBay, Amazon, Yahoo, Google … It must become pervasive.
  2. Successful business model. For the big dogs to adopt this, the financial incentives must be just right for both Identity providers and relying partners. What will compel a Bank of America or American Express or Experian to become an Identity provider? Who pays the bill for the large scale infrastructure and operational overhead they will need to put in place? Why should the vendors like eBay, Amazon or Yahoo adopt this stuff, when they have already invested in Identity/Security infrastructures themselves?

I’m convinced that user-centric Identity is as much a business issue as a technology issue. If the compelling business demand is in place, the technology folks will make it work. If not, it will have been an interesting science fair project.

The first point I think is indeed covered by the term “internet scale”, but he raises the point that the “big dogs” need to be on board with it for it all to work. I wonder when it was that the internet became beholden to a few companies who decide what is in and what is out. I don’t recall Netscape getting the OK from the gopher mob to release the first commercial browser, or Sun begging the banks to be allowed to release Java, and I don’t see Microsoft asking anyone if it is OK please for them to be releasing InfoCard. In fact the history of the internet has been largely about user demand and user acceptance. Collectively the users are the big dogs, and the eBays, Amazons, and Yahoos found their success through providing the best scoobie snacks. In any market that has not been distorted through monopoly that is the case. The successful businesses provide people with what they want, and if they don’t, if they refuse, then just like the internet the market routes around the damage. Eventually.

So “What will compel a Bank of America or American Express or Experian to become an Identity provider?”

We will, or we’ll be using someone else for the services we require. The tail isn’t wagging the dog just yet.

John Merrells makes the point that DIX is an “ethernet” for identity protocols. I would say it is akin to TCP/IP, but I agree. In its initial incarnation it attempts to solve no more than is required for exchange of identity information. It is a layer of the solution that enables the higher layers.
There are good reasons to follow the network stack model of layering functionality - we are having these high-level conversations about identity because the underlying supporting infrastructure was created in layers. Those layers became commoditized at different times, allowing more and more innovation to occur at the higher layers. Solving the whole identity problem for the whole internet in one giant step is never going to happen - it would be like inventing “the web” as we know it today in one fell swoop.

Johannes Ernst showed a picture at the IIW that supports that argument nicely.

I was dismayed to find this advertisement on Technorati. I do hope Doc gets a good price :)

Looking for Doc Searls?
Low prices, wide selection. Find exactly what you want today. www.ebay.com

I just attended the Internet Identity Workshop at the Computer History Museum in Mountain View, CA. Many others have blogged the event so I shall not repeat what has already been said. Suffice to say that there was no synergistic paradigm disruption here, oh no. There was however a 3-day discourse on what digital identity for the internet is, how we can build it, how we can move it, how to make that all happen, and in some cases how to effectively fear it.

The format of the workshop consisted of an introductory afternoon, and then, well, then there was a 2-day coffee break. The coffee break started with some serious retro-geekery as people were asked to write down (with pens, on paper) topics that they wished to discuss and to place them in a time slot on the wall for one of the 7 meeting places. From a purely tech standpoint the wall was an elegant example of a fully interactive calendar, or meeting agenda, with advanced features like undo, redo, merge and insert but without the computer - genius. I can only wonder what features Kaliya Hamlin has in store for us when she releases the much anticipated harderware, Wall 2.0. The unconference format is an interesting live study in self-organizing systems, and it works.

It struck me during the course of one particular meeting that the people around the table would probably be impossible to assemble in one place, and certainly one table, in any other way. In fact due to the nature of the workshop and the people attending, there was an excellent chance that any query you might have could be satisfied by the top banana on the subject, who would be willing to talk. Though I confess I couldn’t find anyone to tell me what to do about coffee-induced shaking. You know you are in trouble when the guy fixing the coffee asks if you want your usual at a 3-day event. In keeping with the theme of discussion and interaction the entire workshop happenings are described on the wiki.

Actually, come to think of it, there was quite a bit of synergistic paradigm disruption after all.