Linux For Suits

January 2003



Grounds for Identity

"Identity" became a hot topic last year. But it won't matter until it becomes the focus of a serious open source project.


A year ago, identity was mostly the concern of privacy and crypto weenies. The only company taking much public interest in the subject was Microsoft, which was busy scaring everybody with its Passport identity management system, and the Hailstorm initiative that went along with it. (Microsoft folks tell me they never meant to scare anybody, and that they privately refer to Passport as "Piñata" because of all the bashing it takes.)

But over the next three quarters, identity became a Big Deal, certified by its own high-profile Web site and trade show: Digital ID World (DIDW) <http://www.digitalidworld.com>. The first DIDW took place early last October in Denver (a week ago as I write this). It was very well-run and well-attended for a first effort by people who were, for the most part, new to the business. Those people included PingID.com, which is the commercial counterpart of PingID.org, an open source effort.

When Don Marti got a look at advance promotion for DIDW, he called the speaker lineup "scary". There were lots of big companies and associations (Microsoft and the Sun-led Liberty Alliance, for starters), a lot of small companies trying to sell stuff to big enterprise customers, and almost nobody representing individual (especially privacy) interests. Except for me. And frankly I had to push to get myself added to the speaker lineup. I did that through my position on the advisory board of PingID.

At the show I made as much trouble as I could. On the opening day I moderated a panel on identity and open source; and on the closing day I gave a talk about the open source nature of Internet infrastructure -- and the need for open identity protocols and other standards that commercial interests alone would be unlikely to provide.

In my talk, I presented a slide that compiled a list of phrases assembled from buzzwords I heard in one talk after another at the show:

Driving this droning was a default assumption that identity could be "managed" and "controlled" -- in spite of the fact that the Net is anything but.

At the end of my open source panel, Brent Glass said this from the audience (quoting notes taken by another audience member):

I believe the answer is yes. But to explain how, I'll start with some history.

Back in the late 80s and early 90s, Craig Burton, Jamie Lewis and other Novell veterans at The Burton Group <http://www.tbg.com> quietly changed the way we conceived networks, shifting us from a technical to a service model. Thanks to TBG's efforts, we began talking about networks as collections of interoperable services such as directory, security, management, file, print and messaging. At first the "network services model" was applied to LANs and enterprise systems such as Lotus Notes. But when the Internet began to lithify into a whole new world that supported pretty much everything, the model came to apply there as well. Protocols such as TCP/IP, HTTP, SMTP, IMAP, POP3, LDAP and DHCP not only define the Net's working infrastructure, but also provide its services.

Compared to even an old commercial LAN like Novell's NetWare, the Net's roster of services are still primitive and few. In fact, their primitive nature helps account for much of their ubiquitous adoption. Openness and simplicity are good things to have in protocols. But the fewness of network services on the Net is another matter. If "the history of the Internet is the history of its protocols", as Vint Cerf says, we're still in the paleozoic. There are still no common protocols for printing over the Net. Directory services are minimal (DNS covers very few bases and LDAP just covers directory access). Aside from email, messaging is a mess. Jabber's IM protocols are widely adopted, but hardly ubiquitous. Thanks to AOL's and Microsoft's childish refusal to interoperate with each other, instant messaging for most of us remains stuck at the Prodigy vs. Compuserve stage.

But if IM is an embryo, ID is an unfertilized egg.

To shift metaphors in a botanical direction, think of the Net as Mother Earth and all this corporate droning as seed thrown on dry ground. What's more, the enthusiastic seed spilling at DIDW reminded me of every other cycle of enthusiasm that gets launched whenever the ground starts to shake. Big companies and governments try to protect and extend the existing order while startups start waging a leadership revolution. Both miss the fact that all Net-based architectures, old and new, are grounded on a geology that nobody owns, everybody can use and anybody can improve.

Jon Udell, the veteran Byte editor, saw both the elementary conflict which the show embodied, and the challenge that remained. He wrote, "By the end I felt like Peter Finch in Network, whose skull was pried open by Ned Beatty in order to receive the cosmology of money." Finch's character was the TV anchorman who famously lost his mind on camera and commanded his audience to go to their windows and shout "I'm mad as hell and I'm not going to take it any more". Beatty's character was the CEO of the network who spoke to Finch in the voice of a burning bush, saying "You have meddled with the primal forces of nature."

The movie Network, however, was made a quarter century ago, when giant corporate forces still ruled the world. Today big business operates by the grace of the Net. The creators of the Net -- the makers of ubiquitous protocols that are as central and beyond ownership as the core of the Earth -- are the gods behind the primal forces of today's business world.

Those gods still have work to do, as Jon Udell explains:

Project is the right word. Not protect.

In his presentation to DIDW, Jamie Lewis of The Burton Group used this graphic to illustrate digital identity infrastructure. It made complete sense, as his stuff usually does. But it was still an outside view.

With Jamie's permission, I borrowed the same graphic for my presentation on identity infrastructure, and turned it around, so the view was from the inside, and expressed the kind of power I want in my relationships with networked businesses.

This second view is that of a fully empowered customer, not a "captive", "managed" or "controlled" consumer.

If we create the protocols, APIs and other standards that let customers relate at full power with the companies they choose, consumer becomes an obsolete noun. The companies that are now in full charge of the identities they confer on each of us will no longer have full control, because now they will have to relate and not just distribute. But because we show up as customers rather than as consumers, the range of business possibilities are much larger. The tradeoff is a good one for both sides.

But it won't begin until we get those protocols and APIs -- which won't happen unless somebody decides to write them for everybody. Maybe that effort will come from the noncommercial world, as it did with HTTP and SMTP. Or maybe it will come from the altruistic side of the commercial world, as it did with SOAP and RSS.

My guess is that it will come from both, as it does with Linux (if we give full credit to the companies that employ the developers who continue to improve code that nobody owns and everybody can use). Once it does, there will be real grounds for enthusiasm.


Doc Searls is Senior Editor of Linux Journal.