Identity for people: Identity federation
^^^Identity Federation for Social Networks and Online
Andre Durand, Ping Identity
Eric Norlin, Ping Identity
*Doc Searls, Linux Journal
Federated Identity is based upon the idea that distributed digital identity pieces can be linked in such a way as to create more functional utility and value. Likewise, Social Networking links a distributed system of social pieces. Do these two realms converge? Does RSS play a role?
^^^Notes
Andre Durand of PingID says that there are three tiers of ID:
Tier 1: Personal identity: Me. Myself. Possibly I.
Tier 2: Corporate identity: An ID issued to let me into their space
Tier 3: My marketing identity: The buckets companies sort us into for marketing purposes, e.g., a Platinum Frequent Flyer.
We have lots of IDs. "Identity inflation." Most of our identities are T2. Andre himself has over 100 identities. He's given up on keeping track. The trajectory isn't sustainable. Already we generally only have a few passwords. The idea behind federation is that identity in one domain should be transferable across domains. E.g., if I have an account at Company A and click through to Company B, my identity automatically gets transferred, with permission. I could have one place for my address book, I could make it my address authority and it would transfer data to other domains and apps.
There are three protocol families: SAML (Security Assertion Markup Language), the Liberty Alliance specifications (built on SAML), and WS-Federation (IBM and Microsoft).
Nikolaj Nyholm has a problem with federation. People here are thinking about a perfectly engineered IT world. Federation is part of the equation, but not the way it looks today. The way it stands, if federation were in place and you put a new SMTP server on the Net, it wouldn't be able to send email to anyone.
Dick (Panelist): The web of trust won't extend very far. It'll work if it's United talking to Hertz, but not more widely...
Eric Norlin: Liberty Alliance sits between authentication servers.
Dave Sifry: It's software we run on our sites that says that we trust, say, LinkedIn, etc. From a business perspective, it means that there's some subset of these companies that agree to trust one another's authentication systems and will use the same middleware to accomplish this.
Andre: Why can't I use the protocols to link to my social connections? We should be talking about this.
Nikolaj: I have no sense of "home" in the Liberty Alliance...
Ted: Nikolaj is right. The nerve Microsoft hit with Passport was: Who's going to control my ID?
Andre: Here's one possible outcome of federation. In large enterprises, they have created ways to handle the redundant ID's in multiple directories. They create a virtual directory. Now, if you add up all the account info with all the companies you interact with, that's your useful digital ID today. Suppose I had a dashboard running on my PC, like the enterprise's virtual directory. It's likely a p2p client will exist on my PC or cellphone that gives me control. I don't have to move all the information onto my own computer.
Doc (moderator): Do the protocols for enabling that exist today?
Andre: Yes, I think they do. I'm describing an application layer on top of the protocols.
Steve Pelletier (Sun): The consumer vision is great, although it's early. But the world is full of ID systems that will never merge. You need something that enables all those identity repositories to be integrated if only for business reasons. And you need protocols to extend this to customers. That's what federation does: cross repositories and cross schemas.
Doc: I hate the word "consumer." I'm a customer.
AOL guy: Before we can do federated ID for social networks, the social networks have to figure out what their business model is.
Isabel Walcott (The Research Board): We've discussed ID federation with F100 companies. The way I see it, this is about access control. Companies haven't figured it out. If social networks could solve this problem, it could go into the corporations. There is no "god" at these big companies saying who can have access to this or that part of the DB. It happens on a peer-to-peer basis: Someone's boss says which field or part of the DB you have access to. How do you manage access control at the object level? It has to be in some sort of p2p fashion.
Someone: There are legacy solutions that won't be displaced. You have to layer on top of them, like PingID.
Jeremy: It's not just the pain of sign-on. It's also the pain of registering for a new service. A few cases: Company B allows customers of Company A to become registered customers, dynamically, moving my profile. The social networks could be a home base for relevant attributes about me. A federation of those in which my attributes could be relied upon by other online services would be appealing to me. I.e., I can dynamically become a cars.com user using my social network ID and profile. You could do that now with the existing standards.
Nikolaj: Today we have an ID where we can reach each other: email. But it has no other attributes. It can't authenticate itself. Or, your credit card uniquely identifies you. You can even use it to exchange info through a proxy like PayPal. And that's what we're looking for.
Someone: Do we have a schema for the info that we think is useful? No, we don't. The metadata around my demographics and psychographics. Will people create a common tool across social networks so I have a single user experience?
Andre: Jeremy's comment may have uncovered a business model. If the social networks glommed onto these protocols and built a service for users that allowed them to store the info...
Brian Dear: How about FOAF?
Nikolaj: There's no layer of authentication.
Jeremy: It's an attribute.
Someone: We may not want to connect social networks. E.g., one's for business and the other is personal.
Reid Hoffman of LinkedIn: I'd only do federation if I had a business case justifying it.
^^^Conversation
My $0.02:
Federated identity allows cooperating organizations to share a subset of the identity information concerning a given individual to improve a set of business processes. So a consulting firm may participate in a federated identity scheme with a major client to allow the consultants appropriate levels of access to some of the client's systems without having to explicitly provision each consultant. A workflow could handle it. OR (the more common example) a travel agency participates in a federated identity environment with airlines, car rental agencies, hotels, etc. to minimize the amount of data concerning vacationers that has to be explicitly passed around.
Note that it's not a complete sharing; the client company doesn't get access to the consultant's benefits package, Hertz doesn't see my AAdvantage account balance.
Now social networking allows cooperating individuals to establish trust relationships among selected peers within the network. The first difference is that in federated identity the objects being partially shared are subsets of identity information required for explicit business processes, and the subjects doing the sharing are entities requiring cooperation regarding their individual and collective treatment of that individual. In the social network, the objects being shared are elements of the individual's persona in an unstructured and ad hoc fashion, and the subjects doing the sharing are the individuals. The largest distinction is whether there is a preexisting structure of rules and processes: yes for federated identity, no for social networking (as far as I can see).
To the extent that I understand RSS, it facilitates aggregation of time-varying content. So in a social network it might be useful to thread together the evolution of an individual's persona/ae; but in a federated identity context there are already (or there better be!) some well-structured rules to provision the individual's identity within the partnering companies.
Or so it seems to me ...
Bill Malik
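Two points in this thread call for the same worked example: Andre's "identity gets transferred, with permission" in the notes, and Bill's observation just above that the sharing is never complete (Hertz does not see the AAdvantage balance, the client never sees the benefits package). The script below is an added illustration, not code from the panel, from PingID/SourceID or from any SAML or Liberty implementation. It models an identity provider that issues a signed, audience-bound, short-lived assertion containing only the attributes the federation agreement allows for that partner, and a relying party that checks signature, issuer, audience and expiry before trusting anything inside. The shared HMAC key stands in for the XML signatures a real deployment uses; the partner names, attribute names and profile values are constructed for the demo.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data (not from the page): the identity provider's full
# view of one traveller. Only a policy-selected subset ever leaves the IdP.
IDP_PROFILE = {
    "name": "Pat Example",
    "email": "pat@example.com",
    "drivers_licence": "D1234567",
    "aadvantage_balance": 84210,     # airline-internal, never released
    "benefits_package": "plan-B",    # employer-internal, never released
}

# The federation agreement expressed as an attribute-release policy:
# each relying party (audience) is entitled to exactly these attributes.
RELEASE_POLICY = {
    "hertz.example": {"name", "email", "drivers_licence"},
    "consulting-client.example": {"name", "email"},
}

IDP_ISSUER = "idp.airline.example"
# Assumption: a symmetric key shared between the IdP and its partners.
# Real SAML/Liberty deployments sign assertions with the IdP's private key.
SHARED_KEY = b"federation-shared-secret-for-demo-only"


def _sign(payload: bytes) -> str:
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def issue_assertion(subject, audience, now=None, ttl=300,
                    profile=IDP_PROFILE, policy=RELEASE_POLICY):
    """IdP side: build a signed assertion carrying only the attributes the
    named audience is allowed to receive. Unknown partners get nothing."""
    if audience not in policy:
        raise PermissionError(f"{audience} is not a federation partner")
    now = time.time() if now is None else now
    claims = {
        "iss": IDP_ISSUER,
        "aud": audience,          # binds the assertion to one relying party
        "sub": subject,
        "iat": now,
        "exp": now + ttl,         # short lifetime limits replay
        "attrs": {k: v for k, v in profile.items() if k in policy[audience]},
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    return {"payload": payload, "sig": _sign(payload.encode())}


def verify_assertion(assertion, expected_audience, now=None):
    """Relying-party side: check signature, issuer, audience and expiry
    before trusting any attribute inside."""
    payload = assertion["payload"].encode()
    if not hmac.compare_digest(_sign(payload), assertion["sig"]):
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if claims["iss"] != IDP_ISSUER:
        raise ValueError("unknown issuer")
    if claims["aud"] != expected_audience:
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        raise ValueError("assertion expired")
    return claims


def try_verify(assertion, expected_audience, now=None):
    """Return the released attributes on success, or the rejection reason."""
    try:
        return verify_assertion(assertion, expected_audience, now)["attrs"]
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = 1_700_000_000
    hertz = issue_assertion("pat", "hertz.example", now=t0)
    print("Hertz receives:", try_verify(hertz, "hertz.example", now=t0 + 5))
    # The same assertion forwarded to another partner is rejected.
    print("Replayed to client:",
          try_verify(hertz, "consulting-client.example", now=t0 + 5))
    # A stale assertion is rejected.
    print("After expiry:", try_verify(hertz, "hertz.example", now=t0 + 600))
    # A modified attribute no longer matches the signature.
    forged = dict(hertz, payload=hertz["payload"].replace(
        "pat@example.com", "eve@example.com"))
    print("Tampered:", try_verify(forged, "hertz.example", now=t0 + 5))
```

The audience check is what keeps "United talking to Hertz" from silently becoming "United talking to everyone": an assertion minted for one partner is useless to any other, and the release policy is enforced at the issuer, so the relying party never has to be trusted to discard data it should not have received.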
Harry Max: I would add that once you can assign a 'probability of identity' based on such a federated model, not only can you set up an RSS-enabled triggered alerts and notification system for businesses and consumers, but it becomes feasible to offer 'digital persona insurance' to fight identity theft. Think of it as LoJack for your digital personas. I'd buy that. The consumer and business extensions for a persona manager with federated identity behind it could be truly amazing...and profitable.
eric norlin: saw an email flying around about hooking up conversations between LinkedIn, Tribe, Spoke, Meetup, and SourceID (my company's federated identity open source project)....i'd invite all of those interested parties to be at the panel to make your voices heard ;-)
Simon Grice: not there in person this year :( - but in spirit and here. If someone is blogging this roundtable as it happens - let me know. Midentity is moving towards this space as some of you know.
I like Andre's take at http://www.andredurand.com/ - I agree totally with your take on this.