Monthly Archives: March 2008

The Gore TV IPO

BusinessWeek rips into Al Gore for his Current TV IPO in this devastating critique (hat tip to Bruce Webster). From the article:

Something about this deal just doesn’t sit right with me. Gore isn’t just taking piles of cash. According to the filing Gore, who is listed as executive chairman, and his CEO partner, lawyer-turned-entrepreneur Joel Hyatt, each loaned the company $1 million to get it started. They’ll get that back in the IPO. But the two guys also collect hefty salaries for a company that hasn’t shown a profit in three years—taking down $491,677 apiece last year in cash, plus bonuses of $550,000 each for, in Gore’s case, helping get the company new affiliate agreements, broadening exiting agreements, and putting together a management team. The two currently receive $600,000 a year in salary and are eligible for additional bonuses, according to the IPO filing.

By comparison, at the time of the Google IPO in 2004, its two founders were each taking home a total of $356,556 in salary and bonuses, while sitting on top of a company that had earned nearly $106 million the year before.

And the bit about the Class B share structure is pretty damning too.

I don’t have any problem with someone who has a successful IPO. I also think Current TV has an intriguing business model, as far as I understand it. This is the kind of merging of the old and new media that I think we will see a lot more of.

But I can do without the moralizing sermons from someone who can pull off this kind of sweet deal.

Are we getting on the bus or thrown under it?

It seems the furious debate over the Virtual-directory vs the Meta-directory is now devolving into the general agreement that we need an Identity Bus to move forwards. Dave Kearns writes:

Kim talks about a “second generation” metadirectory. Metadirectory 2.0 if you will. First time I’ve heard about it. First time anyone has heard about it, for that matter. There is no such animal. Every metadirectory on the market meets the definition which Kim provides as “first generation”. It’s time to move on away from the huge silo that sucks up data, disk space, RAM and bandwidth and move on to a more lithe, agile, ubiquitous and pervasive identity layer. Organized as an identity hub which sees all of the authoritative sources and delivers, via the developer’s chosen protocol, the data the application needs when and where it’s needed.

I think, I hope, that Kim will agree with me that this ID layer (the “ID bus”) instituted as a hub (or transformation device) is what we need to go forward. I’m not wedded to calling it the Virtual Directory, but I’m certainly not going to call it the metadirectory, either.

In my opinion an Identity Bus should act as both a Virtual-directory and a Meta-directory. In fact I have often discussed exactly this with colleagues in the IdM space. Why isn’t there a product on the market today that can be both a Virtual-directory and a Meta-directory? What makes the notion especially appealing to me is that the same connectors (or adapters if you prefer) that can be used for Meta-directory functionality to push data to legacy applications could be turned around to expose the same data, virtual-directory fashion, to other directory-enabled applications.
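A minimal sketch of the idea above, as an added example that is not from any product or from the original post: one connector interface serves both the live virtual-directory view and the meta-directory push. The class names, attribute mappings and sample records are assumptions constructed for illustration.

```python
# Added illustration: every class, attribute name and sample record is constructed.
class Connector:
    """Adapter for one identity store; the same instance serves both roles."""
    def __init__(self, name, records=None):
        self.name = name
        self._records = {k: dict(v) for k, v in (records or {}).items()}

    def read(self, uid):
        return dict(self._records.get(uid, {}))

    def write(self, uid, attrs):
        self._records.setdefault(uid, {}).update(attrs)


class IdentityBus:
    def __init__(self, sources, targets):
        self.sources = sources   # authoritative stores, in priority order
        self.targets = targets   # legacy applications that need a local copy

    def lookup(self, uid):
        """Virtual-directory role: query sources live and merge; nothing is stored."""
        view = {}
        for conn in reversed(self.sources):   # highest-priority source applied last
            view.update(conn.read(uid))
        return view

    def sync(self, uid, attr_map):
        """Meta-directory role: push the merged view into each legacy target."""
        view = self.lookup(uid)
        pushed = {}
        for conn in self.targets:
            mapping = attr_map[conn.name]   # source attribute -> target field
            wanted = {dst: view[src] for src, dst in mapping.items() if src in view}
            conn.write(uid, wanted)
            pushed[conn.name] = wanted
        return pushed


def demo():
    hr = Connector("hr", {"jdoe": {"mail": "jdoe@example.test", "dept": "Finance"}})
    ldap = Connector("ldap", {"jdoe": {"dept": "Fin", "uidNumber": "1001"}})
    as400 = Connector("as400")   # legacy application that is not directory enabled
    bus = IdentityBus(sources=[hr, ldap], targets=[as400])
    bus.sync("jdoe", {"as400": {"dept": "DEPT", "uidNumber": "USRNUM"}})
    hr.write("jdoe", {"dept": "Treasury"})   # authoritative change after the sync
    return bus.lookup("jdoe"), as400.read("jdoe")
```

After the authoritative change, the live lookup already shows the new department while the pushed legacy copy keeps the old value until the next sync, which is the trade-off between the two roles.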

I am looking forward to a discussion about what an Identity Bus would look like. Perhaps I will build a prototype for fun (I’m kind of weird that way). But in this discussion we should always keep in mind that customers cannot move forwards without a means to identity enable the hodge-podge of legacy applications that must still be supported. It may not be sexy to provision users and do password resets to an AS400 application that has been in production since the 90s, but it must be done.

And there is one important thing that must happen. Customers need to start demanding identity enablement of some sort from their vendors. Far too many enterprises don’t make identity enablement an important criterion when selecting a vendor. Thus they wind up with products that force them into a Meta-directory solution. Until that changes, no one is getting on the bus.

Who do you trust and why?

Ben Laurie has issues with the Microsoft purchase of Credentica that deal, ironically enough, with trust. Specifically Ben does not trust Microsoft to make the U-Prove technology interoperable with other products. Also playing a part in this is Microsoft’s strange reluctance to support identity standards that they did not create (SAML for instance). This position does little to endear Microsoft to experts in the identity community.

Yet on the other hand Microsoft identity experts such as Kim Cameron, Mike Jones, and (now) Stefan Brands are held in the highest regard in the community. They are known to be strong supporters of openness and interoperability. But the obvious fear is that as honorable as their intentions may be, they are only in a position of influence, not control.

What is a vendor to do?

What you should do is trust that Microsoft, like every other company, will behave in accordance with the law in a way that will increase their profits or market share. To expect any company to do otherwise would be unwise. This may sound obvious, yet I often hear debates in this community that boil down, in essence, to whether a company is being “fair” or not.

That said, I expect Microsoft will make the specification underlying the U-Prove technology freely available for other vendors to use, with the standard restriction that the non-assertion covenant applies only to using the specification for interoperating with U-Prove and other U-Prove compatible technologies. If recent history is an indicator I suspect they will also sponsor interoperability events and give you technical assistance implementing the specifications. I have personally been involved in such efforts around WS-Federation (pre-OASIS) and Cardspace and the experiences were very rewarding.

Microsoft won’t renege on any of its promises simply because it would not be in their financial best interest. As valuable as it is, getting widespread adoption of U-Prove is going to be tough. Microsoft is going to need the participation of other vendors to do it.

Would you buy a computer from the CIA?

If the CIA tried to sell commercial computers, would you buy one? Of course you wouldn’t. One doesn’t need to be a conspiracy theorist to think that just wouldn’t be prudent.

Now here is a slightly different question. Would you buy networking equipment from the Chinese military (the PLA)? Again, of course you wouldn’t. How about a company closely tied to and perhaps even controlled by the Chinese military? This is exactly the kind of uncertainty that is torpedoing a deal to sell 3Com to several investors, including China’s Huawei Technologies.  You can read more about it here and here.

Now I am not suggesting that Huawei Technologies or any other Chinese company has or intends to embed back doors into its computers or computer components.  But the relationship between the Chinese military and some of the major Chinese manufacturers is a very serious issue.

A shade of what’s to come?

Matt Flynn has some good thoughts on Obama’s Passport breach here and here. He makes the great point that you can’t prevent people from using authorized access for invalid purposes. You can catch them after the fact, which should act as a deterrent, but you can’t actually prevent it.

This Passport controversy is something that should be remembered when we start to talk about nationalized health care. If you think Passport information is tempting to the curious government worker, what about famous people’s health care records? Do we really want the federal government maintaining a nation-wide database of all of our health-care issues, just like they do our Passport related information?

I don’t.

Which is better Phillips or Flat-head?

When planning a wood-working project one of the more interesting decisions one can make is what kind of screws to use. Flat head screws allow for more torque to be applied for the same size head. Phillips head screws are easier to drive and counter-sink.

Of course when you have to take something apart the choice is pretty much already made for you. If you need to take out a bunch of Flat-head screws, it really helps to have a Flat-head driver. Standing around with a box full of Phillips drivers cursing the builder for not anticipating your choice of drivers is a bit counter-productive.

As is the whole silly Virtual-directory versus Meta-directory debate.

Dave Kearns has declared the Meta-directory as a “last century technology”. Perhaps it is. But the applications that customers need to bring into their identity infrastructure often date to the last century as well. It’s pretty hard to apply a virtual directory solution to applications that are not directory enabled to begin with.

And some future applications may not be much different. As Kim Cameron points out, your application developers and vendors may not buy into the whole Virtual-directory vision:

I admire many aspects of Dave’s thinking about identity.  But I pity anyone who follows his really ideological argument that virtual directory solves everything and distributed storage just isn’t needed.  We need both.

He’s asking readers to bet against databases.  He’s asking them to bet against the programming model used by application developers.  He’s asking them to forget about performance.  He’s asking them to take all the use cases in the world and stuff them into his Prius – which is actually more like a hobby horse than a car.

Once you have identity data distributed across stores you either have chaos or you have metadirectory.  I’ll explore this more in upcoming posts.

Meanwhile, if anyone wants to bet against the future of databases and integration of identity information into them, drop me a note and I’ll set up a page to take your money.  And at the same time, I recommend that you start training for a second career.

As I look at it, you don’t provide value by telling a customer that they need to re-engineer production systems to adhere to a new identity philosophy. You provide value by providing solutions to their existing problems. If a Meta-directory is the best fit, use it. If a Virtual-directory is a better fit, use it.

My old thesis advisor at the U. of Florida had a great saying:

An engineer is someone who measures with a micrometer, marks with a piece of chalk, and cuts with an ax.

Sometimes a Meta-directory makes a mighty fine ax.

An interesting question not asked enough

Matt Flynn relays an interesting question about federation. The question essentially boils down to this:

How do we audit federation-enabled access to business services?

What I find interesting is not the question or the answer, but how often the question is asked.  A few years ago I made the utterly wrong prediction that this would be a big issue by now. With all the attention being paid to compliance in the IdM space over the past few years, there are several explanations as to why this issue is hardly ever discussed:

1) Few businesses are really using federation to enable access to important services to their business partners.

2) Of those that are, many are using a federation service provider such as Covisint. Covisint supplies auditing tools and services to address this need.

3) In some cases federation has been added after the fact to an existing partnership where access was granted via provisioned user IDs and passwords. In this case the service provider likely already has auditing capabilities that are still applicable after the conversion to federation. This was the case with several federation deployments I was involved with at OpenNetwork/BMC.

I had also predicted that this issue, along with the difficulty of establishing the legal agreements needed for federation, would drive business partners to federation service providers like Covisint.