Building Internet identity systems

Today was the first day of Internet Identity Workshop, a two day gathering of people interested in identity on the Internet.  I've got detailed blog posts and pictures at my site.  Unlike many gatherings, this workshop has very little "vendor" content, although there are certainly vendors there.  Much of what's happening in the Internet identity space tends to be grassroots and do-it-yourself.  This is definitely what some call "bottom-up" identity.  The use cases and needs outside the firewall are, frankly, very different from those behind the firewall. 

The two big players in the identity space, Microsoft and Liberty Alliance, were both present and accounted for.  They presented back-to-back and I couldn't help noticing some similarities and differences in their attitudes.  Both are here because this group of people has been engaging in a conversation about identity that just can't be ignored.  In the words of Brett McDowall from Liberty:  "The world belongs to those who show up; this is important, so here we are."  The differences are in the approach.  Whereas Microsoft, embodied in Kim Cameron, has been interacting with this group informally for over a year now, Liberty's approach was an invitation to join their more formal process.  While I appreciate the invite, I have a tough time seeing this loose collection of individuals participating in a realistic way in the Liberty Alliance process.

Also included in the discussion were a handful of Internet identity systems with existing implementations.  We wanted to discuss the design philosophy and architectures of these working systems.  I was interested to see who's not here: none of the "federated identity" vendors, none of the directory vendors, and so on.  As usual, big companies are catering to the behind-the-firewall needs of CIOs while small, innovative companies are seeking out business opportunity on the 'Net.  Financial services firms and analysts are represented in a fairly healthy way--not surprising since they've been hit hard by the phishing scams enabled by the lack of a credible identity infrastructure on the Internet.

Some of the things most people agree on include:

  • Anyone requesting identity information must provide reasons for the request and justify how it will be used
  • Personas should be compartmentalized by context (your online church group vs. your online gambling group)
  • Identifying data should be released only with user consent
  • Users should have fine-grained control over the information released
  • Systems should include support for anonymous and pseudonymous identity transactions
  • Systems should provide a low barrier to entry
  • Systems should interoperate with and use existing standards
  • Systems should provide a consistent user experience by ensuring that the user always sees the same agent regardless of context
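To make these agreed principles concrete, here is a small user-side identity agent I've written as an added illustration for this post; it is example code, not code from any of the systems or vendors discussed at the workshop.  The request format (ClaimRequest), the consent policy, the relying-party names and the user data are all constructed for the example.  The agent gives each relying party its own pseudonym, derived with an HMAC over a secret only the user holds, so the church group and the gambling site cannot correlate their two views of the same person; it refuses any request that states no purpose; and it releases only the attributes the user has consented to for that particular party, reporting the rest as withheld.

```python
import hmac
import hashlib
from dataclasses import dataclass, field


# Hypothetical request format: the relying party must name itself, state
# why it wants the data, and list the attributes it is asking for.
@dataclass
class ClaimRequest:
    relying_party: str
    purpose: str
    attributes: list


@dataclass
class ConsentPolicy:
    # relying party -> set of attributes the user has agreed to release to it
    allowed: dict = field(default_factory=dict)

    def permits(self, relying_party: str, attribute: str) -> bool:
        return attribute in self.allowed.get(relying_party, set())


class IdentityAgent:
    """User-side agent holding the user's attributes and consent policy."""

    def __init__(self, master_secret: bytes, attributes: dict, policy: ConsentPolicy):
        self.master_secret = master_secret
        self.attributes = attributes
        self.policy = policy
        # Record of who asked for what, and why; kept by the user, not the requester.
        self.log = []

    def pseudonym(self, relying_party: str) -> str:
        # A distinct, stable identifier per relying party: HMAC keyed with a
        # secret only the user holds, so two parties cannot link their
        # records of the user by comparing identifiers.
        mac = hmac.new(self.master_secret, relying_party.encode("utf-8"), hashlib.sha256)
        return "urn:pseudonym:" + mac.hexdigest()[:32]

    def respond(self, req: ClaimRequest) -> dict:
        self.log.append((req.relying_party, req.purpose, list(req.attributes)))
        if not req.purpose.strip():
            # A request that gives no reason is not honoured at all.
            return {"status": "refused", "reason": "no purpose stated"}
        released = {}
        withheld = []
        for name in req.attributes:
            # Release only what the user has explicitly consented to for this party.
            if name in self.attributes and self.policy.permits(req.relying_party, name):
                released[name] = self.attributes[name]
            else:
                withheld.append(name)
        return {
            "status": "ok",
            "subject": self.pseudonym(req.relying_party),
            "released": released,
            "withheld": withheld,
        }


# Constructed sample data for this example.
MASTER_SECRET = b"constructed-example-secret-do-not-reuse"
ATTRIBUTES = {"email": "alice@example.net", "age_over_21": True, "name": "Alice"}
POLICY = ConsentPolicy(allowed={
    "church.example": {"name", "email"},   # the church may see name and email
    "casino.example": {"age_over_21"},     # the casino may only learn age status
})


def run_example() -> dict:
    agent = IdentityAgent(MASTER_SECRET, ATTRIBUTES, POLICY)
    church = agent.respond(ClaimRequest("church.example", "newsletter sign-up", ["name", "email"]))
    casino = agent.respond(ClaimRequest("casino.example", "age verification", ["age_over_21", "email", "name"]))
    nosy = agent.respond(ClaimRequest("tracker.example", "", ["email"]))
    return {"church": church, "casino": casino, "nosy": nosy, "log": agent.log}


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

Running it shows the casino getting only the over-21 flag under one pseudonym while the church gets name and email under a different one, and the purposeless tracker request refused outright.  The one thing this toy deliberately does not do is let the relying party see or choose the identifier format, which is exactly one of the points the workshop could not agree on.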

They didn't agree on things like:

  • The format of the identifier (URI, XRI, or something else altogether)
  • The degree of decentralization that is necessary or even desirable
  • How much control is needed by any one group
  • SOAP, REST, or something else

Everyone is watching Microsoft as the 800-pound gorilla in the discussion, but they have been very open and inclusive.   This is the first time most of these people have had a chance to spend real time talking to each other and listening to each other's ideas.  The discussion was lively and the ideas were engaging.  Tomorrow will be a more free-form discussion and we'll probably do it again in six months or so to see how things have developed.  There's plenty of room for consolidation in this space, but like anywhere else, people's dreams and business plans sometimes get in the way of that.