Monthly Archives: July 2008

Slaying the Straw Men

I have a lot of respect for Johannes Ernst. He has done a lot of great work in identity and even though we disagree on many things about OpenID, I always like hearing what he has to say. That said he has drafted quite a platoon of straw man arguments to fight, and one of them looks remarkably like me:

Having said that, I think it’s not a bad idea to respond to the various points that are being made as I understand them. To make this easier, I’ll paraphrase and summarize:

  • Argument 1: “OpenID will never come to anything, as half a billion of available identities means nothing if there aren’t similarly many places where one can use those identities.” This is known as the relying party adoption problem, compounded by extrapolating past trends linearly – which is of course not the way markets work.
  • Argument 2: “Unless I can have one single identity that works for the entire web, OpenID has no value proposition and nobody will ever use it.” I call it the OpenID-all-or-nothing argument.
  • Argument 3: “If OpenID does not break down walled gardens, and so far it has not, it’s useless.” I call it the OpenID-matters-only-as-a-political-tool fallacy.
  • Argument 4: “Facebook is going to win the internet identity war with a proprietary approach, there is nothing anybody will or can do about it, and OpenID (and by implication, all other identity technologies) are going to be irrelevant.” One could call this the Passport 2.0 argument.

Setting the straw men to the side where they won’t get hurt, this is really all very simple. Either OpenID is gaining widespread market adoption in terms of actual use by consumers or it isn’t. And this question is actually very easy to answer, given the right cooperation.

The OpenID identity providers and relying parties could publish actual OpenID use numbers. For instance, Netmesh, Yahoo, Verisign, and MySpace could publish how many distinct OpenID authentications they perform on a monthly basis. Likewise, OpenID service providers could publish how many users authenticate via OpenID on a monthly basis. Even if only a few of these companies published numbers, you could still ballpark the adoption rate.

Call me skeptical if you want (no really, I like it when people call me skeptical), but I have seen no evidence that OpenID is being used by more than a relatively small population of technology enthusiasts. I won’t even hazard a guess at what percentage of the half billion OpenID-enabled accounts that represents.

But the companies that service those half billion accounts could.

Trying out Cuil

I am going to experiment with Cuil as my primary search engine for a while. My motivation for this is based primarily on privacy. From the Cuil privacy policy:

Privacy is a hot topic these days, and we want you to feel totally comfortable using our service, so our privacy policy is very simple: when you search with Cuil, we do not collect any personally identifiable information, period. We have no idea who sends queries: not by name, not by IP address, and not by cookies (more on this later). Your search history is your business, not ours.

If only more service providers would make such a commitment.

An old favorite gets acquired

Before I was in the Identity Mgt space I developed network management software. I was one of the developers of a very cool SNMP management application generation tool called Taboret. It allowed a user to bring up the MIB for an SNMP agent in a browser and drag and drop MIB elements onto a form to create a custom management application for the device.

The Taboret system was developed in C++ and was supported for Solaris, HP-UX, AIX, and Windows-NT. For the user interface we used a very nice multi-platform GUI library called Ilog Views. I always liked Ilog, a French company. They wrote very nice software libraries.

I just read that Ilog has been acquired by IBM. Good for them.

What’s my motivation?

William Vambenepe has some keen observations about requirements here in this post about Cloud computing:

There are three types of user requirements. The Animoto use case is clearly not in the first category but I am not convinced it’s in the third one either.

  1. The “pulled out of thin air” requirements that someone makes up on the fly to justify a feature that they’ve already decided needs to be there. Most frequently encountered in standards working groups.
  2. The “it happened” requirements that assumes that because something happened sometimes somewhere it needs to be supported all the time everywhere.
  3. The “it makes business sense” requirements that include a cost-value analysis. The kind that comes not from asking “would you like this” to a customer but rather “how much more would you pay for this” or “what other feature would you trade for this”.

When cloud computing succeeds (i.e. when you stop hearing about it all the time and, hopefully, we go back to calling it “utility computing”), it will be because the third category of requirements will have been identified and met. Best exemplified by the attitude of Tarus (from OpenNMS) in the latest Redmonk podcast (paraphrased): sure we’ll customize OpenNMS for cloud environments; as soon as someone pays us to do it.

I can absolutely attest to point number one as it pertains to standards groups. But it’s point number three that I wanted to highlight, as it relates to a theme I have been discussing a lot lately: namely, that IdM is messy because enterprise software vendors in general won’t externalize identity in their products beyond AD authentication.

Now I am not implying that enterprise software vendors are lazy. Rather it’s a matter of priorities. Enterprise software vendors typically have a backlog of feature requests and fixes that they need to work on. The ones that they get asked for the most, or that they feel will give them competitive advantage, that will get the priority.

Like William says, it’s not whether the customer wants a feature, but how much are they willing to pay for it and what other features would they give up in exchange.

Dave Kearns believes that if there is an IdM roadmap laid down, vendors that implement it will “reap the rewards” and those that don’t will be destined for “where are they now”. Perhaps Dave is right. But history shows us quite the opposite. Look at strong authentication for example. Despite dramatic reductions in cost and increased options, despite all the experts’ advice, and the presence of a solid roadmap, the vast majority of authentication in enterprises is password-based. And very little enterprise software supports strong authentication out-of-the-box.

So what will it take to spur enterprise vendors to support externalized identity? I really don’t know. Yet.

There is no there there

Pamela Dingle has an epiphany about IdM and channels Gertrude Stein:

So here we are, a little bit lost, I think. Certainly not “There” – but I think the expectation that anyone ever gets “There” is false anyway. In the process of deciding that we’re lost, I had to sit and think about what exactly Enterprises expect to accomplish in buying Identity product; I’ve come up with my own definition, in as concise a form as I can think to make it; I’ll post it shortly and see how it stands up to scrutiny.

I eagerly await Pamela’s thoughts on this, but in the meantime I would like to share a few of my own. First, as frustrating as IdM is, it’s really no different than the other kinds of management enterprises undertake. Change management, systems management, application management, security management, and network management all suffer from the same kinds of challenges as identity management.

These challenges arise out of a natural consequence of enterprises not considering manageability (identity or otherwise) when selecting or creating enterprise software. As a result enterprise software vendors give little thought or effort to implementing it.

Dave Kearns wants to get everyone together to talk it all out. Helpful, I suppose, but limited because of the absence of enterprise application vendors. Without application vendor buy in, identity management is going to continue to be a mess.

BTW, I talk a little about this here as well.

While I sympathize with Pamela on this, there is a big danger in the message that no one ever gets “there”. If IdM is seen as a never-ending journey of discovery, too many vendors will decide to just “stay here” rather than “go to a there that doesn’t exist”. It’s the identity architect’s job to articulate an achievable vision of identity management for a specific enterprise. The enterprise must then take that vision and decide what to implement and when. It’s a frustratingly slow process, but it’s a process that does slowly improve the situation.

Two for the show

Ian Yip has yet another humorous summary of the virtual-meta-active-directory-identity-bus-hub-proxie debate. You can catch Part II here and Part I here.

I almost want to keep this debate going just so I can read Part III.

MySpace goes for OpenID

Simon Willison points out that MySpace is announcing OpenID support. Reading these posts one could easily come to the conclusion that there are now 500 million people using OpenID, as opposed to a much smaller number of technology adopters.

I wonder. Has anyone made an attempt to estimate the number of people using OpenID? I would be very curious to see the estimates.

Although definitely a win for OpenID, it still doesn’t help where the shortfall really is, and that is in meaningful OpenID enabled relying parties. It’s telling to note that MySpace is not (unless I missed it) promising to let users log in to MySpace using OpenID.

You can’t build a highway with nothing but on ramps.

Accounts and Identities

Nishant Kaushik makes a very good point in his latest post on the Virtual Directory vs AD debate:

Here is my point. Martin says “AD is the directory…”. I say that “AD is a directory…”, and that too because Windows forced it on those enterprises, not because of their Identity Management needs. Yes, almost all the Fortune 500 have AD, but are they using it as an Identity Store, or as a Windows Account Store (which is very different)?

To answer the rhetorical question, the vast majority of AD deployments are not intended as identity stores (at least from my experience). In most enterprises AD is used to manage and control user access to Windows workstations, the intranet, email, and enterprise web applications. AD is not usually intended as a central repository of identity, although it often becomes that with varying degrees of success.

And here is the real crux of the matter: most enterprises don’t really want an identity solution. What they want is a “spend less money, get everyone access to what they need when they need it, keep the bad guys out, keep us out of the headlines, and the CEO would really, really, like not to go to jail” solution.

They have been, in many cases, sold on the idea that identity management is the solution that they want. And indeed it can be part of the solution.

But here is the brutal truth, and the reason that enterprise identity management is so messy. Almost all enterprise applications are account-based, not identity-based. Very few products support externalizing the identity concept. The most you will usually see is support for AD or another LDAP directory for authentication. Less often you might see simple group membership for authorization. A few commendable vendors such as SAP support SAML, but it’s a very small list. Support for external identity services or other identity standards such as SPML and XACML is nearly non-existent.

Which ties in with the question Nishant closes with:

By the way, why is it that architectural purists don’t ask when Microsoft will make it possible for Windows environments to work against any directory and not just AD, but Oracle Applications must support directories other than OID? In the end, both Microsoft and Oracle are wrong to push proprietary stores into deployments, contributing to the mess we have.

Failure usually is an option

And happens with depressing regularity in IT projects. I just discovered a blog, IT Project Failures, that documents it (hat tip to the IT Skeptic). I especially liked this bit about Ethnographic Research.

A brutal beating, with math

Bob Blakley delivers a savage beating to the FBI Terrorist Watch List:

I’ve been waiting for this event, because the one millionth entry gives us a nice round number to do the calculations which demonstrate that the terrorist watch list is as close to completely useless as it’s possible for a manmade artifact to get. (Note that the database doesn’t actually contain a million identities; it’s got a million records representing – at a guess – about 400,000 distinct individuals. But since it’s my birthday we’re gonna pretend that there are a million identities, in order to make all the math turn out nice and pretty.)

Of the people matched, (50 + 6) / (990,000 + 50 + 6) = 0.006% are terrorists. Put another way, 99.994% of all people matched are innocent.

It’s bad enough that we’re letting 90% of the terrorists cross our border without additional checks, and that we’re putting 990,000 innocent people through unnecessary additional checks.

Bob makes the modest proposal of cutting to the chase and just putting everyone on the watch list. Bob points out that’s obviously where we are heading with this.
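Bob’s arithmetic is the base-rate problem every detection engineer runs into, so here it is carried through as an added example (not from the original post and not Bob’s own code). The 56 true matches, 990,000 innocent matches and the 10% catch rate come from the quoted text; the 300 million population and the 0.33% false-positive rate used in the sweep are constructed assumptions, added to show how precision collapses as the thing you screen for gets rarer.

```python
"""Base-rate arithmetic behind the watch-list numbers (added example)."""
from fractions import Fraction


def match_precision(true_matches: int, false_matches: int) -> Fraction:
    """Share of flagged people who were flagged for cause: TP / (TP + FP).

    Exact rational so the rounding to 0.006% is visibly a rounding step.
    """
    return Fraction(true_matches, true_matches + false_matches)


def screening_outcome(population: int, prevalence: float,
                      sensitivity: float, false_positive_rate: float) -> dict:
    """Expected counts for a screen run over `population` people.

    prevalence:          share of the population the screen is meant to catch
    sensitivity:         share of those people the screen actually flags
    false_positive_rate: share of everyone else the screen flags anyway
    """
    targets = population * prevalence
    others = population - targets
    tp = targets * sensitivity          # caught
    fn = targets - tp                   # walked through unchecked
    fp = others * false_positive_rate   # innocents sent to secondary
    precision = tp / (tp + fp) if tp + fp else 0.0
    return {"true_positives": tp, "false_negatives": fn,
            "false_positives": fp, "precision": precision}


# The page's instance: (50 + 6) matched terrorists, 990,000 matched innocents.
WATCHLIST = match_precision(50 + 6, 990_000)


def main():
    print(f"precision of the list: {float(WATCHLIST):.4%}")      # ~0.0057%
    print(f"innocent share:        {1 - float(WATCHLIST):.3%}")  # ~99.994%
    # Constructed sweep (hypothetical population and FPR): hold the 10% catch
    # rate and the false-positive rate fixed and vary only how rare the
    # target is. Precision falls roughly in proportion to prevalence.
    for prevalence in (1e-2, 1e-4, 1e-6):
        out = screening_outcome(300_000_000, prevalence, 0.10, 0.0033)
        print(f"prevalence {prevalence:.0e}: "
              f"caught {out['true_positives']:.0f}, "
              f"innocents flagged {out['false_positives']:.0f}, "
              f"precision {out['precision']:.4%}")


if __name__ == "__main__":
    main()
```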

Now there is an interesting opportunity for a user-centric web application. A Terrorist Watch List Self-Registration web page. Perhaps it could be Information Card enabled.

Of course I’m sure Bob knows the real reason this list exists, and it has nothing to do with actually catching bad guys. It exists so the traveling public believes that the government can catch bad guys. Perhaps the logic is that the more hellish they make traveling, the more confident the public will be in the security.