Posts tagged: icard

Open Identity for Open Government

At the Gov2.0 conference yesterday, the US government announced the Open Identity for Open Government initiative.

PayPal is one of the participants that has joined the pilot programs for both OpenID and Information Card.

ReadWriteWeb provides a good explanation of the initiative here.

A good FAQ is available on the ICF website here.

I consider this another forcing function that provides an opportunity for several providers to work together. There is no dearth of opinions in the identity community :-). GSA, I believe, has done a tremendous job in putting together the ICAM profiles for OpenID, Information Cards and the Trust framework. The profiles have allowed the providers to focus and converge on some of the important issues surrounding the technologies.

RE: OpenID
There have been questions from the very start (and there is still no consensus) about whether the resting state should be lightweight, simple to use, distributed, and aimed at low-value transactions, or whether it should grow and evolve towards more security, trust, e-commerce and whatever comes with it.

If the answer is the latter, then the ICAM profile is very appropriate. The mandatory use of SSL, directed identity, support for whitelists, a trust framework for certification, sensitivity towards PII etc. are all good steps for a robust identity framework geared towards value transactions. One could argue that the trust frameworks would push it towards a centralized system, but hopefully there will be several entities serving as trust framework providers.
Authentication is a critical function for any site, and it’s understandable that a site (that has something to protect) wouldn’t outsource it without first establishing trust (implicit or explicit). This has been one of the sticking points in the community, since establishing trust (via an RP-specific whitelist or third-party providers) can potentially hinder adoption and innovation.

RE: Information Card
Even though a lot has been done in the past few years, a few issues still remain:

  • Platform support for information cards/selectors is limited.
  • The UI experience is too foreign, and that gets even more challenging given the maturity level of current selectors.
  • Mobility/portability of cards (and hence identity) is still unresolved.
  • There are very few “maintained” tools/libraries for relying parties to use.
  • The issues around running a managed card provider (e.g. practices around issuing/renewing/revoking cards, cert/key expiry, advising the user in an intelligent and non-intrusive way on what claims should (or should not) be shared with the RP etc.) haven’t yet surfaced. Hopefully the pilot will make IdPs (that includes us) think harder about some of the production issues around running a card server.

Irrespective of how far the Open Identity initiative will go, it’s definitely a step in the right direction.

Name “the thing”

During one of the conferences last year, Bob made some interesting points regarding the adoption of new technologies. As a general rule, they need to be

  • easy to describe
  • easy to get
  • easy for first-time use.

Given the above guidelines, I believe we still have some work to do when it comes to describing Information Cards (or whatever “the thing” is).

The card metaphor has been there for a while. I believe we all understand fairly well the concept of physical cards in our wallet and how to pick one based on the context. However, explaining how that can be mapped to the digital world has been challenging.

In conversations with technologists, implementers, early adopters and consumers, I have seen the following terms used interchangeably, with the first part of the discussion therefore spent getting the terminology right.

  • Information Card
  • InfoCard
  • CardSpace
  • Self Issued Card
  • Managed Card
  • Personal Card
  • Password Card
  • p-card, pcard
  • m-card, mcard
  • i-card, icard
  • h-card, hcard, Higgins card
  • r-card, rcard, Relationship card
  • a-card, acard, Action Card
  • IMI Cards
  • Digital Cards, Identity Cards…
  • and my favorite – “the thing”

This, on top of the basic identity terminology (IdP, RP, AP, SP, Selector, Client, Agent, Active, Passive…) and multiple protocols, doesn’t make things easy.

I understand there are multiple things being described here – the protocol, the GUI metaphor, the token format, the blob that the user stores on his PC, and so forth. I also understand the need for innovation, and maybe it’s too early to agree on a single terminology. But if the technology does get some success and the branding people start joining the discussions, it’s only going to get tougher.

So…here is my request to ICF:
“Get an agreement on the basic naming conventions, share the results and stick to it.”
