Tag Archives: Microsoft

Cool stuff, in twenty years

Felix Gaehtgens calls Microsoft onto the carpet about what it is ever going to do with U-Prove. Kim Cameron responds here with a call for patience. Both make good points, but I fear that as interesting as U-Prove is, it is way too far ahead of the market.

There are two reasons for this; first it is patent encumbered technology. Patent encumbered technologies fair very poorly in today’s market. After a few high profile patent fights, any technology that is patent encumbered is treated like nuclear waste by most vendors. Even if Microsoft adopts fair licensing terms it becomes a “get a lawyer first” barrier to adoption. In twenty years this won’t be a problem (so long is Microsoft doesn’t file for any more patents on related aspects).

Second, it solves a problem that the market doesn’t really care about today (although they should). This is the same problem that the notion of an Identity Oracle has. You haven’t heard much about that idea recently and for good reason. There is just no money to be made with it (yet). The use cases usually trotted out for both of these are typically edge conditions, my favorite being the RU/18 one. It’s like the Hello World of Identity.

The only people who REALLY care if you are over 18 when you buy something are your parents and the government.

In today’s world there are two privacy problems, under sharing and over sharing. Under sharing is when you have to fill out the same stupid questionnaire at every new doctor’s office you visit. Now that is an issue that people care about. I know they care about it because non-computer people complain to me about it often.

Over sharing is when you have to put your home address in to register for something even though shipping isn’t required. I almost never hear anyone complain about that and those that do just put bogus addresses in anyway. Maybe in twenty years the average person will care enough about privacy to worry about over sharing. But not today.

So U-Prove will be cool stuff in twenty years. Maybe.

Relatively not too many and not too much

While the announcement from Microsoft that LiveID will now serve as an OpenID IdP is good news for OpenID, some perspective is in order. Yet again. What does a few million more OpenIDs mean? Not much really.

As I have said repeatedly, the questions is not how many people have OpenIDs, its how many people want OpenIDs and what can they do with them once they have them? The answers are, respectively:

Relatively not too many and not too much.

By “relatively not too many” I mean the vast majority of consumers who technically have an OpenID don’t know they have one, don’t know what OpenID is, and wouldn’t use it even if they knew about it. By “not too much” I mean that even though there are a large number of RPs in terms of numbers, there are few that are important in terms of actual traffic.

The part of this now tired old game that I fine annoying is that it would be easy to measure real OpenID adoption. All that is needed is for a few of the major OpenID providers (which can now count Microsoft as a member) to publish metrics of how many OpenID authentications they perform on a periodic basis.

All the skeptics like myself could be shut up with a few simple graphs.

The fact that this data is not being published speaks louder than the periodic announcement of another huge number of OpenIDs.

Who do you trust and why?

Ben Laurie has issues with the Microsoft purchase of Crenditica that deal, ironically enough, with trust. Specifically Ben does not trust Microsoft to make the U-Prove technology interoperable with other products. Also playing a part in this is Microsoft’s strange reluctance to support identity standards that they did not create (SAML for instance). This position does little to endear Microsoft to experts in the identity community.

Yet on the other hand Microsoft identity experts such Kim Cameron, Mike Jones, and (now) Stefan Brands are held in the highest regard in the community. They are known to be strong supporters of openness and interoperability. But the obvious fear is that as honorable as their intentions may be, they are only in a position of influence, not control.

What is a vendor to do?

What you should do is trust that Microsoft, like every other company, will behave in accordance to the law in a way that will increase their profits or market share. To expect any company to do otherwise would be unwise. This may sound obvious, yet I often hear debates in this community that boil down, in essence, whether a companying is being “fair” or not.

That said, I expect Microsoft will make the specification underlying the U-Prove technology freely available for other vendors to use. With the standard restriction that the non-assertion convenant applies only to using the specification for interoperating with U-Prove and other U-Prove compatible technologies. If recent history is an indicator I suspect they will also sponsor interoperability events and give you technical assistance implementing the specifications. I have personally been involved in an such efforts around WS-Federation (pre-OASIS) and Cardspace and the experiencees were very rewarding.

Microsoft won’t renege on any of it’s promises simply because it would not be in their financial best interest. As valuable it is, getting widespread adoption of U-Prove is going to be tough. Microsoft is going to need the participation of other vendors to do it.

It’s all about control

There is this article on Identity 2.0 adoption. From the article:

Analyst group Kuppinger Cole and Partner analysed the 10 predominant topics and trends in identity management in 2008.

Identity 2.0 continues to receive the support and influence of industry giants, including Yahoo, Google, Microsoft and IBM.

I would point out that of this group only Yahoo actually supports OpenID on a web site, and then only as a provider. So far I am unaware of any major web destination that is supporting OpenID as relying party. The major players are all vying to control the user identity by making their web site the starting page for the OpenID sessions.


That’s not what I would consider Identity 2.0 adoption.

The secret is, as it always has been, to provide value and not promises

Jackson Shaw ignited quite a kerfuffle with his “The Metadirectory is Dead!” post. He follows up here with some more thoughts and is spot on with this observation:

Active Directory, other directories and metadirectory “engines” will hopefully become dial tone on the network and won’t be something that has to be managed – at least not to the level it has to be today.

We are still working with provisioning technologies that were built in the 90’s. These technologies haven’t changed much. With services to license ratios still in the 5:1 to 10:1 range we clearly haven’t been successful from a software perspective.

Fellow former Access360 coworker Ian Glazer has this humorous answer to Jackson. Dave Kearns once again flogs the tired old meta-directory versus virtual directory debate.

I completely agree with Jackson that most IdM deals are way too expensive, take too long, and involve too many services. I always say, “Customers want to buy a product, not a project.” Where I disagree with both Jackson and Dave is why. I don’t believe it has anything to do with how old the technology is or whether it’s meta-directory, virtual directory, or SOA based.

The problem with most IdM deployments are three-fold from my experience:

1)      Most enterprise software is not designed with management (identity or otherwise) in mind. Customers are unwilling to take management capabilities into serious consideration when selecting enterprise software so enterprise vendors have no incentive to make it a priority.

2)      The big IdM platforms are too complicated and too hard to install, configure, and maintain. Some of this is due to poor engineering, but a lot of it is due to trying to merge independently developed products together into one solution suite.

3)      Many of the big IdM vendors aren’t really serious about IdM as a product unto itself. They see IdM as a beachhead they must control to sell their other products or services. This drives them to over-promise which invariably leads to failed deployments and unhappy customers.

Most enterprise customers don’t want to be in the Identity 2.0 business. They don’t even want to be in the Identity 1.0 business. What they want are solutions to address specific needs at a reasonable cost.

Perhaps the future of enterprise IdM belongs to companies like Microsoft, Optimal IdM, Vintela (Quest), and Approva. Companies that are trying to provide value around specific pain points rather than trying to push a comprehensive suite solution.

Where is Microsoft going on identity?

There has been some interesting news on Microsoft and Identity recently. Of course there is the recent acquisition o f U-prove. You can read Stefan Brands’ thoughts here and Kim Cameron’s here. I think that this is in theory a great move for Microsoft that could be very beneficial to the internet at large.

The real question is whether the theoretical benefits will ever realized by significant relying party adoption. As with SAML, OpenID, and Information Cards/Cardspace, it doesn’t matter how good the idea is or how many vendors back it, if popular relying parties don’t adopt it, it will remain an interesting topic of conversation and nothing more. I hope this catches on, I am just not betting on it.

There have been some interesting discussion going on at DEC (which I missed unfortunately). John Fontana has articles on it here, here, and here. There are three interesting thoughts here; Microsoft’s notion of an Identity Bus, opening the door to more standards adoption, and IdM as a service.

Of the three I think the notion of standards adoption is the most interesting to me personally since I have been involved in a lot of these standards activities. I would love to see Microsoft add support for the SAML protocol, XACML, and SPML.

Interesting times.

Electric Fence Learning

Will Rogers once said:

There are three kinds of men: 
            The ones that learn by reading. 
            The few who learn by observation. 
            The rest of them have to touch an electric fence.

Sometimes Microsoft is one of those “Electric Fence Learning” kind of company. Let’s hope they don’t choose that course of action in this case and instead will leave this contained in a lab where it belongs.

Using a worm to spread software patches? The ways that could go wrong are just mind boggling.

A caution to this tail

The OpenID folks are abuzz about Google, IBM, Microsoft, VeriSign, and Yahoo! joining the OpenID Foundation. You can read about here, here, and here. For OpenID this is indeed a great step forward.

I am going to add a note of caution, however.  Talk is cheap. Joining the OpenID Foundation means very little by itself.  It’s what these companies do next that is important. For instance will Google enable users to authenticate to Gmail from another OpenID identity provider? Will Yahoo! or Microsoft? Or will these companies only support being an identity provider.

I expect the later, although I would love to be proven wrong. Right now there are many OpenID providers and a dearth of important relying parties and that is preventing OpenID from being really useful.

Microsoft Adopts OpenID?

Indirectly perhaps. Yahoo supports OpenID and Microsoft just bid on Yahoo.

Interesting times.