Catalyst Conference 2008


June 28, 2007

Concordia meeting at Catalyst

Blogger: Gerry Gebel

We played host to the latest Concordia meeting earlier this week at Catalyst. It's been so busy, I'm just now getting around to posting a few comments. Others have published some excellent observations here, here, and here.

At the meeting, end user organizations (AOL, Boeing, GM, Gov of British Columbia, and GSA) described usage scenarios, highlighted key requirements, and offered sage advice to the standards development and IdM product communities. What a concept - injecting real user requirements into the standards process! Let's just say that more interaction is needed between producers of standards and products - and the organizations that buy and deploy them. The presenting organizations shared many requirements that remain inadequately addressed. You can see these requirements posted here.

Thanks to the Concordia team for holding their meeting at Catalyst; it surely enriched the conference.

June 14, 2007

John Clippinger’s “A Crowd of One”: Required Reading for Catalyst 2007

Blogger: Mike Neuenschwander

I just finished John Clippinger’s book, “A Crowd of One: The Future of Individual Identity”. It’s an eloquently written, ambitious, and timely work relating social theory to digital identity. John masterfully draws on intellectual insights from a wide range of disciplines (including social science, political science, evolutionary biology, neuroscience, and history) to weave a narrative that’s accessible to a general audience. The message is simple: highly evolved trust frameworks are wired into the biology of all living things; so why do we persist in reinventing primitive (aka authoritarian) strategies for cooperation?

John argues that it’s mostly our collective lack of appreciation for natural trust mechanisms—even though we’re all familiar with them from everyday experience. Signals of health, wealth, and competence are extant in human society, but are usually exchanged subconsciously. John points to the Enlightenment as the era of emergent self-awareness that established many of our existing presumptions on the nature of identity. Now, with recent advancements in the fields of evolutionary biology and neuroscience, science is beginning to unravel the relation between self-awareness and social-awareness. John is among the writers constructing a new narrative on trust and cooperation based on this scientific evidence.

In my view, all identity architects should demonstrate substantial familiarity with the subject matter of this book before attempting to practice their trade. That makes me wonder why John’s collaborators in the “identity gang” haven’t yet reviewed his book. My guess: they’re so focused on validating the user-centric model that it’s tremendously inconvenient right now to absorb the implications of “A Crowd of One.” Still, it lends new meaning to the book’s title that John is the solitary “voice in the wilderness” among the identity gang-sters.

But on this blog, John has plenty of company. Our posts on the laws of relation (symmetry, risk, and projection), the Limited Liability Persona (LLP), OpenID, and the Real ID bill (to name a few) are founded in the same science John borrows from in “A Crowd of One.” And as it turns out (entirely coincidental by the way), we’re spending all morning in the IdPS track at Catalyst discussing the issues this book addresses. We’ll even propose an architecture for moving forward with social trust online. So I’m calling “A Crowd of One: The Future of Individual Identity” required reading for Catalyst 2007. At 200 pages, you’ll have time to get through it before June 29th (and at only $12 to your door, you don’t have to worry about budget either).

Here are a few excerpts to get you started:

The problem statement: “The Net is moving from an open world of reciprocity and trust to a progressively enclosed, fearful, punitive, and monitored world of legal and economic sanctions to enforce the interests of influential oligopolies.” (pg. 182)

The problem with proposed solutions: “Impersonal formal and economic sanctions can actually undermine people’s natural inclination toward altruism and cooperation…. A more realistic path to global security is to avoid reliance on coercion and control, and sanctions and rebukes, and instead to establish those conditions under which fairness and transparency can evolve through mankind’s innate propensity for trust and cooperation.” (pg. 178)

The squishy nature of identity: “There is no single, unique, irreducible ‘identity’…” (pg. 156). I couldn’t agree more; I said something similar in my post on “Identity’s Inconvenient Truth.”

The closer: “In one sense having a negative identity [which we at Burton call an LLP] is like having a persistent but anonymous identity online; it is never disclosed in full, it reveals just enough of itself to enter into a relationship, and only it knows or experiences all its potential layers [see our “Relational Association Theorem”]. By having a persistent, anonymous identity, it is possible to authenticate parts of your identity so as to have trusted relationships without disclosing the full identity.” (pg. 155) John goes on to say, “given the importance of negative identity in the biological world, it should arguably be extended to the digital world, become the ‘default’ for online identity.” (pg. 156)

See you at Catalyst!

Time for an XACML interop demo? YES!

Blogger: Gerry Gebel

In February, we prodded the vendor community to meet the challenge of conducting an interoperability demonstration for XACML. We're happy to report that the OASIS XACML Technical Committee responded by creating an interoperability project team, consisting of BEA, CA, IBM, JBoss/RedHat, Jericho Systems, Oracle, Securent, and Symlabs. This ambitious group of vendors has been working over the past several weeks to create and test a number of interoperability scenarios that will be on display in 2 weeks at the Catalyst conference. The use case scenario document is available at the XACML web site. On our recent TeleBriefing, Hal Lockhart and Rich Levinson explained what is happening at the event, and the podcast is available here.

With a growing interest in XACML version 2.0, which was published more than 2 years ago, it's great to finally have a public interoperability demonstration. To set expectations, this demonstration event will not guarantee interoperability for all XACML-based products, but it will give an indication of maturity for the industry. After the conference, we'll interview all the participants and document the project in a summary report for Burton Group clients. However, we encourage you to attend the conference to see the demonstration first hand on Thursday evening, June 28. It's your opportunity to ask the vendors detailed questions about the interop scenario - and how this standard may apply to authorization scenarios in your own environment. See you there!

June 05, 2007

EMC/RSA Acquires Verid

Blogger: Mark Diodati

At Burton Group, we speak about identity proofing as essential for a reliable identity infrastructure. I discuss identity proofing in my January 2007 P2P Identity Proofing blog entry. I would take a sufficiently identity-proofed password over a poorly identity-proofed smart card any day.

Knowledge-based authentication (KBA) permeates most identity systems today, and is the default identity proofing technique in IdM. The problem with KBA is that the answers are generally easily guessed by a fraudster. The result is that KBA is probably not a good choice for stronger authentication systems (for example, smart cards and one-time password devices) and applications allowing material monetary transfers or access to private data. I don’t want to dismiss KBA completely. I’ve spoken to some customers that have implemented KBA for employees with the right internal controls (for example, encrypting the answers and auditing identity proofing transactions) and the right level of access (these accounts can’t access the secret recipe or move money around).

What can be used in lieu of KBA in an online scenario? One option is what I call dynamic KBA. Dynamic KBA pulls questions and answers from information sources like public records, credit reports, and perhaps the employee’s last pay stub. The answers are generally much harder to guess and unknown by system administrators. Another option is out-of-band (OOB) identity proofing. One OOB identity proofing technique is calling the user at a phone number of record via an automated service, and then reading a “vouch code” to the user. The user enters the vouch code into the online application to prove his identity.
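One way to implement the OOB vouch-code step just described, with the internal controls the post calls for (answers kept out of administrators' view, every proofing transaction audited). This is an added example, not code from the post or from any vendor; the automated phone call is a callback so it runs offline, and phone numbers are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the post: an out-of-band "vouch code" proofing step.
# The automated phone call is a callback (call_user) so the flow runs offline;
# the phone number of record is a constructed sample value.

CODE_DIGITS = 6          # short enough to read over the phone
CODE_TTL_SECONDS = 300   # a code is only valid for a few minutes
MAX_ATTEMPTS = 3         # bounds online guessing of a 6-digit code


class VouchCodeProofer:
    def __init__(self, call_user, clock=time.time):
        self.call_user = call_user  # call_user(phone, code) reads the code to the user
        self.clock = clock          # injectable clock so expiry can be tested
        self.pending = {}           # user_id -> [code_hash, expires_at, attempts_left]
        self.audit_log = []         # one (event, user_id) record per proofing step

    def _digest(self, user_id, code):
        # Only a hash is stored, so an administrator reading the table does not see
        # the live code. Guessing is bounded by MAX_ATTEMPTS and the TTL, not the hash.
        return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()

    def start(self, user_id, phone_of_record):
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        expires_at = self.clock() + CODE_TTL_SECONDS
        self.pending[user_id] = [self._digest(user_id, code), expires_at, MAX_ATTEMPTS]
        self.call_user(phone_of_record, code)   # out-of-band delivery
        self.audit_log.append(("issued", user_id))

    def verify(self, user_id, submitted):
        entry = self.pending.get(user_id)
        if entry is None:
            self.audit_log.append(("no_pending_code", user_id))
            return False
        if self.clock() > entry[1]:
            del self.pending[user_id]
            self.audit_log.append(("expired", user_id))
            return False
        if hmac.compare_digest(entry[0], self._digest(user_id, submitted)):
            del self.pending[user_id]            # single use
            self.audit_log.append(("proofed", user_id))
            return True
        entry[2] -= 1
        if entry[2] == 0:
            del self.pending[user_id]            # too many wrong codes: start over
            self.audit_log.append(("locked", user_id))
        else:
            self.audit_log.append(("mismatch", user_id))
        return False
```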

So, how does adequate identity proofing relate to EMC/RSA’s acquisition of Verid? Verid provides dynamic KBA services, which complement EMC/RSA’s existing consumer authentication products. Given the escalating level of identity theft and consumer fraud, the use of “plain ole” KBA for users accessing private information and moving material amounts of money is not sufficient. If RSA can integrate the Verid technology in a holistic manner with its consumer authentication offerings, the acquisition is a good thing.

The consumer authentication market does not suffer from a lack of dynamic KBA and OOB identity proofing solutions. However, many financial institutions interested primarily in compliance with the FFIEC authentication “guidance” have not implemented better identity proofing because the guidance does not mandate the use of these techniques. I hope that more financial institutions and other organizations implement better identity proofing.