REDMOND, Wash., Sept. 16, 2002 — When people ask you about your identity, you might expect to be in a therapist's chair talking about your childhood. But as the Internet has grown in popularity and as Web services seek to deliver customized, user-centric experiences, the technology industry finds itself answering a whole new set of questions around identity:
How can users simplify their digital identity experience from many disparate sets of credentials into a managed, trusted few without sacrificing security or privacy?
How can a Web site
you so they can provide you with the personalized, valuable services you desire?
How can organizations accept credentials issued by their business partners and allow those people access to their own network resources?
Digital identity, at its most basic level, is the method by which you identify yourself to a Web site, Web service, network or another user online. This does not mean there is no anonymity online. What it means is that users can decide how and when they are known online, and organizations and Web site operators can provision services and experiences around a particular identity, even if they do not know who you really are. There are several ways this happens today, using such things as login names and passwords, digital certificates, bank cards and PIN numbers.
While digital identity is only recently a hot topic in technology circles, most of us have been dealing with digital identity technology for years. Do you log into a network where you work? Do you sign in to read e-mail at home? Do you use an ATM card to access your banking information?
But a few things have changed over the past few years that lead us to a new discussion about identity on the internet. For the past several years, computer systems stored information about us in very isolated islands. There was an island of information about a user at his or her workplace, and several other islands at the various sites and services he or she used at work and at home.
Most of this information is protected by a username and password, typically as part of that particular island's security system. As the Web grew in popularity, many users found themselves with a slew of usernames and passwords across many sites. Users would store them on a list taped to the computer, or find themselves using the same password across multiple authentication systems. Both solutions offered a bad experience for the user, and present significant security risks. It was ultimately not an easy way for consumers to manage their identity online, nor did it allow for rich, connected scenarios in which services can collaborate on behalf of a user to deliver great new experiences.
In corporate networks, a slightly different challenge developed. As technology began to allow organizations to more deeply integrate and share information, and applications to better run their businesses, information managers found that all of the disparate identity and security systems could not easily talk to each other — if at all. So when you wanted to allow four employees from your business partner's network to access information inside your company's firewall, no broadly available, easy-to-manage technology was available to meet the challenge.
In October, representatives of Microsoft and other industry leaders will gather to discuss these and other issues — including social ramifications — at the DigitalIDWorld Conference 2002 ( http://www.digitalidentityworld.com/conference/2002 ), the first such major event to focus on digital identity.
Microsoft Senior Vice President and Chief Technical Officer Craig Mundie and Microsoft Corporate Vice President Brian Arbogast will deliver keynotes at the conference. On October 9 Arbogast will focus on Microsoft's broad identity strategy, while Mundie will speak October 10 on the technical and policy implications of digital identity on delivering trustworthy computing.
“This is one of the most important challenges we face as an industry,”
says Arbogast, who, as the executive responsible for Microsoft’s Passport service, is helping drive the company’s strategy for digital identity.
“In order for the next wave of innovation on the internet to happen,”
“we need to go beyond the islands of identity we have today to a world of interconnected, interoperable digital identity where the user is in control. A world where the user is in control of their information, and where digital identity establishes itself as a core privacy-enhancing technology. Events like the Digital ID World conference provide a great forum for discussion and action around building the right technologies, advancing the right standards, and engaging in the right policy debates.”
In the past, notes Phil Becker, editor of Digital Identity World and one of the conference organizers, computing was always about the location of the data and the computing resources.
“The reason digital identity is emerging now as such a crucial topic,”
“is a direct and logical result of the networking and distribution of computer systems and applications.”
In the mainframe and terminal era, Becker recalls, a computer user needed to be near to a set of centralized computing resources. Even with the arrival of modems there was a one-to-one physical connection.
“Once we began connecting everything, the boundaries we had known for so long started to dissolve,”
Without those boundaries, there is nothing around which to organize manageability, control, security and data integrity and privacy except the identity of the user and the identity of the data or application owner involved in a particular transaction or set of transactions.
“We need to get to a world where people use digital identity to ensure that their data is safe when they are not in the room with it, and that it does what they expect when that data is sent somewhere else,”
Digital identity, according to Eric Norlin, a senior editor at Digital Identity World and a co-organizer of the conference, helps bridge the physical and electronic worlds.
“On one side is the physical world we all live in, which can be considered a giant local area network (LAN), and on the other side is electronic existence, or the giant LAN that we call the Internet,” Norlin says.
“Digital identity bridges physical LAN and electronic LAN for individuals. Digital identity lies squarely between purely electronic and purely physical existence. This is what makes it so important and timely and pressing, and a little scary.”
Digital identity lies at the center of much of what the technology industry is working on today, Norlin notes.
“Whether you are talking about digital rights management, privacy, national security, Web services, B2B or B2C scenarios, solving the problems and meeting the challenges around digital identity will have a major impact on the success of the industry in the years to come,”
“we view the challenge as a many faceted one. We needed to develop a vision that cuts across businesses trying to build identity systems and integrate with their partners and customers and for Web sites who are building rich, user-centric services.”
For each of these audiences, Arbogast says, Microsoft must deliver a strategy that answers many questions:
Industry-wide Technology Standards: “The industry needs to get behind some key technology standards that can allow us to connect all of the disparate islands of identity out there,”
“Working with industry leaders like IBM and VeriSign, Microsoft has already published and submitted WS-Security to the OASIS standards organization. Working with IBM, we published a broader security and identity roadmap for all of Web services.”
(See Related Links at right for the white paper, “Security in a Web Services World: A Proposed Architecture and Roadmap.”)
Robust Enterprise Infrastructure: “Windows and Active Directory are the technologies we provide to customers today to manage identities inside the enterprise,”
“We need to evolve and embrace new standards and new architectures being developed around digital identity management. The forthcoming Windows .NET Server 2002 makes important advances toward interoperable identity systems, and lays the foundation for more progress in the months to come.”
In the spring, Microsoft announced plans for a technology, codenamed
designed specifically to serve as an integration point for enterprises to hook up their identity systems based on common industry standards.
An Online Authentication System for Consumers and Partners: “Microsoft's Passport authentication service has been live since 1999,”
“With over 200 million accounts, it is the largest multi-site authentication service live on the internet today. Organized around the principle that users should be in control of their own information, Passport will evolve over the coming months to give users more control, and to embrace the standards and protocols to enable Passport to interoperate with other identity systems on the internet to enable even more interesting customer centric experiences.”
Addressing the Policy Challenges: Microsoft has been an active participant in the industry discussion and policy debates around digital identity.
“We will continue to play a leadership role engaging the industry and policy communities to address the important challenges we face,”
“Engaging in important discussions around privacy, the business issues around trust and identity, the issuance and acceptance of digital identity to enable a more connected world for consumers and for businesses will be crucial to advance the state of the industry and solve the digital identity issue for consumers and organizations.”
The technology industry must meet these challenges as it moves into the next wave of computing on the Internet, according to Arbogast.
“Working through the industry and encouraging a productive dialog is an important step, along with continued product innovation, to help move the industry to a point where digital identity is ubiquitous, under the control of the user, and helps power more useful and compelling experiences for consumers and business users alike.”