Monthly Archives: July 2008

Slaying the Straw Men

I have a lot of respect for Johannes Ernst. He has done a lot of great work in identity and even though we disagree on many things about OpenID, I always like hearing what he has to say. That said, he has drafted quite a platoon of straw man arguments to fight, and one of them looks remarkably like me:

Having said that, I think it’s not a bad idea to respond to the various points that are being made as I understand them. To make this easier, I’ll paraphrase and summarize:

  • Argument 1: “OpenID will never come to anything, as half a billion of available identities means nothing if there aren’t similarly many places where one can use those identities.” This is known as the relying party adoption problem, compounded by extrapolating past trends linearly – which is of course not the way markets work.
  • Argument 2: “Unless I can have one single identity that works for the entire web, OpenID has no value proposition and nobody will ever use it.” I call it the OpenID-all-or-nothing argument.
  • Argument 3: “If OpenID does not break down walled gardens, and so far it has not, it’s useless.” I call it the OpenID-matters-only-as-a-political-tool fallacy.
  • Argument 4: “Facebook is going to win the internet identity war with a proprietary approach, there is nothing anybody will or can do about it, and OpenID (and by implication, all other identity technologies) are going to be irrelevant.” One could call this the Passport 2.0 argument.

Setting the straw men to the side where they won’t get hurt, this is really all very simple. Either OpenID is gaining widespread market adoption in terms of actual use by consumers or it isn’t. And this question is actually very easy to answer, given the right cooperation.

The OpenID identity providers and relying parties could publish actual OpenID use numbers. For instance Netmesh, Yahoo, VeriSign, and MySpace could publish how many distinct OpenID authentications they perform on a monthly basis. Likewise OpenID service providers could publish how many users authenticate via OpenID on a monthly basis. Even if only a few of these companies published numbers you could still ballpark the adoption rate.

Call me skeptical if you want (no really, I like it when people call me skeptical), but I have seen no evidence that OpenID is being used by more than a relatively small population of technology enthusiasts. I won’t even hazard a guess at what percentage of the half billion OpenID enabled accounts that represents.

But the companies that service those half billion accounts could.

Trying out Cuil

I am going to experiment with Cuil as my primary search engine for a while. My motivation for this is based primarily on privacy. From the Cuil privacy policy:

Privacy is a hot topic these days, and we want you to feel totally comfortable using our service, so our privacy policy is very simple: when you search with Cuil, we do not collect any personally identifiable information, period. We have no idea who sends queries: not by name, not by IP address, and not by cookies (more on this later). Your search history is your business, not ours.

If only more service providers would make such a commitment.

An old favorite gets acquired

Before I was in the Identity Mgt space I developed network management software. I was one of the developers of a very cool SNMP management application generation tool called Taboret. It allowed a user to bring up the MIB for an SNMP agent in a browser and drag and drop MIB elements onto a form to create a custom management application for the device.

The Taboret system was developed in C++ and was supported for Solaris, HP-UX, AIX, and Windows-NT. For the user interface we used a very nice multi-platform GUI library called Ilog Views. I always liked Ilog, a French company. They wrote very nice software libraries.

I just read that Ilog has been acquired by IBM. Good for them.

What’s my motivation?

William Vambenepe has some keen observations about requirements here in this post about Cloud computing:

There are three types of user requirements. The Animoto use case is clearly not in the first category but I am not convinced it’s in the third one either.

  1. The “pulled out of thin air” requirements that someone makes up on the fly to justify a feature that they’ve already decided needs to be there. Most frequently encountered in standards working groups.
  2. The “it happened” requirements that assume that because something happened sometimes somewhere it needs to be supported all the time everywhere.
  3. The “it makes business sense” requirements that include a cost-value analysis. The kind that comes not from asking “would you like this” to a customer but rather “how much more would you pay for this” or “what other feature would you trade for this”.

When cloud computing succeeds (i.e. when you stop hearing about it all the time and, hopefully, we go back to calling it “utility computing”), it will be because the third category of requirements will have been identified and met. Best exemplified by the attitude of Tarus (from OpenNMS) in the latest Redmonk podcast (paraphrased): sure we’ll customize OpenNMS for cloud environments; as soon as someone pays us to do it.

I can absolutely attest to point number one as it pertains to standards groups. But it’s point number three that I wanted to highlight as it relates to a theme I have been discussing a lot lately. Namely that IdM is messy because enterprise software vendors in general won’t externalize identity in their products beyond AD authentication.

Now I am not implying that enterprise software vendors are lazy. Rather it’s a matter of priorities. Enterprise software vendors typically have a backlog of feature requests and fixes that they need to work on. The ones that they get asked for the most, or that they feel will give them competitive advantage, are the ones that will get the priority.

Like William says, it’s not whether the customer wants a feature, but how much are they willing to pay for it and what other features would they give up in exchange.

Dave Kearns believes that if there is an IdM roadmap laid down, vendors that implement it will “reap the rewards” and those that don’t will be destined for “where are they now”. Perhaps Dave is right. But history shows us quite the opposite. Look at strong authentication for example. Despite dramatic reductions in cost and increased options, despite all the experts’ advice, and the presence of a solid roadmap, the vast majority of authentication in enterprises is password-based. And very little enterprise software supports strong authentication out-of-the-box.

So what will it take to spur enterprise vendors to support externalized identity? I really don’t know. Yet.

There is no there there

Pamela Dingle has an epiphany about IdM and channels Gertrude Stein:

So here we are, a little bit lost, I think. Certainly not “There” – but I think the expectation that anyone ever gets “There” is false anyway.  In the process of deciding that we’re lost, I had to sit and think about what exactly Enterprises expect to accomplish in buying Identity product;  I’ve come up with my own definition, in as concise a form as I can think to make it;  I’ll post it shortly and see how it stands up to scrutiny.

I eagerly await Pamela’s thoughts on this, but in the meantime I would like to share a few of my own. First, as frustrating as IdM is, it’s really no different than the other kinds of management enterprises undertake. Change management, systems management, application management, security management, and network management all suffer from the same kinds of challenges as identity management.

These challenges arise out of a natural consequence of enterprises not considering manageability (identity or otherwise) when selecting or creating enterprise software. As a result enterprise software vendors give little thought or effort to implementing it.

Dave Kearns wants to get everyone together to talk it all out. Helpful, I suppose, but limited because of the absence of enterprise application vendors. Without application vendor buy-in, identity management is going to continue to be a mess.

BTW, I talk a little about this here as well.

While I sympathize with Pamela on this, there is a big danger to the message that no one ever gets “there”. If IdM is seen as a never-ending journey of discovery, too many vendors will decide to just “stay here” rather than “go to a there that doesn’t exist”. It’s the identity architect’s job to articulate an achievable vision of identity management for a specific enterprise. The enterprise must then take that vision and decide what to implement and when. It’s a frustratingly slow process, but it’s a process that does slowly improve the situation.

Two for the show

Ian Yip has yet another humorous summary of the virtual-meta-active-directory-identity-bus-hub-proxy debate. You can catch Part II here and Part I here.

I almost want to keep this debate going just so I can read Part III.

MySpace goes for OpenID

Simon Wilson points out that MySpace is announcing OpenID support. Reading these posts one could easily come to the conclusion that there are now 500 million people using OpenID, as opposed to a much smaller number of technology adopters.

I wonder. Has anyone made an attempt to estimate the number of people using OpenID? I would be very curious to see the estimates.

Although definitely a win for OpenID, it still doesn’t help where the shortfall really is, and that is in meaningful OpenID enabled relying parties. It’s telling to note that MySpace is not (unless I missed it) promising to let users log in to MySpace using OpenID.

You can’t build a highway with nothing but on ramps.