Tuesday, November 15, 2005

Interesting article about Digital ID World & Web 2.0

The following article is a repost from Eric Norlin about the Web 2.0 conference.

What is interesting about this whole Identity thing on any number of fronts is a key question of control. Who controls Identity? It's technically the user's, but without validation/authentication, what good is it? It makes me think of the movie - Catch Me If You Can which was about Frank Abignale's life. Great story, but it points out that someone can be whomever they say they are in real life, and that's even more true online as proven by several organizations, including PervertedJustice.com to name an interesting one.

Anyway the recent flap by other contries over the exclusive US control of the Internet via domain naming makes me think - Here we go again...



Does Identity bring about Web 3.0?

By: Eric Norlin
Topic: Context & Perspective
Posted: Tuesday, October 11, 2005 (05:14 AM MDT)

Summary: Last week saw the Web 2.0 conference become the epicenter of technology buzz. In this article, Eric tells us what he learned and how identity might bring about Web 3.0.


What I Learned at Web 2.0
In case you spent last week in a small country with no news outlets, the epicenter of Bay Area technology buzz was the Web 2.0 conference. I've covered previously why I thought I was heading to this conference (and what I thought it was). However, the light of experience always brings new perspective, so relaying what I actually learned seemed appropriate.

What is Web 2.0?
My original cliff-notes definition of "web 2.0" was that it saw that web as platform, and my attendance at the conference didn't change that assumption in any significant way. However, what I did see was that the attendees saw several attached characteristics of web 2.0:

1. Open: the word "open" was ubiquitous. Everything is "open." An important note is that this does not mean that everything is based on standards - that's not it at all (if anything there is a distinct anti-standard stance). It doesn't even necessarily mean that everything is "open source." Rather it carries a vague connotation that because the web is the platform being leveraged, the web 2.0 companies will have "open" application programming interfaces (and things like this) that other companies can freely use for things like "mash-ups." (Note: "mash-up is a trendy term for taking information extracted from two APIs and "mashing" them together to create some new thing.)

2. Community: whether it was "end-users," "communities," or "user-generated content," it was all the same thing. In the Web 2.0 world, gathering a user base for whatever you're building is vitally important. Indeed, the vast majority of Web 2.0 companies are not aimed at the enterprise. Normally, they are "end-user facing," or at the very least, helping to build "rich internet applications" that are end-user facing. As we mentioned in the newsletter last week, the community conversation brought heavy talk of "reputation" - a term we're identifying as a relic from the Dot com days, and replacing with "credibility."

3. Architecture of Participation: I head this idea repeated multiple times. Simply put, the user base that is accumulated must be participants in the web app that you've built. Think Flickr, the online photo site that was acquired by Yahoo!. Flickr is a web application that built a huge user base of people that were intimately involved in building the site via open APIs that could be mashed together with other APIs (like Google maps) in interesting ways.

Where is Identity in Web 2.0?
In one word, everywhere. The workshop sessions on the first day of the conference highlighted one thing -- nearly ALL of the emerging web 2.0 companies (the startups) had user sign-up, reputation management, and de-provisioning problems. More importantly, nearly all of these companies were either A) building a one-off solution themselves, or - more likely - B) hacking around the problem and talking with other web 2.0 companies (some identity-based ones) about how to solve it.

The underlying reason that identity is so prevalent (and so ignored) in the web 2.0 world is based upon the web's underlying architecture. As we've outlined many times, the web was built with physical location as a proxy for identity. Accordingly, the functions of identity (authentication, authorization, provisioning, de-provisioning, account linking, repuation building and sharing, etc) were firmly grounded in being in the right *place* to access the web. That model, of course, is no longer even close to true -- and the web, as seen in its main problem sets (phishing, pharming, spam) is racing to catch up.

When the web is the platform for building companies, its like applying leverage to the above problem -- with each new application on top of the platform, the problem magnifies.

What does Identity in Web 2.0 look like?
The people trying to solve the identity problem under the light of web 2.0 (be they big companies or small startups) seem to be taking a very unique approach with distinct characteristics:

1. Standards, Schmandards.
Here are some words that I *didn't* hear used at the show: Liberty Alliance, OASIS, SAML, WS-Federation, or Infocards. In fact, if you look at the big companies that are predominantly involved in the web 2.0 meme (Google, Amazon, eBay, and Yahoo!) they have a history of specifically *not* implementing formally blessed standards (and by "formally blessed" I mean standards coming out of standards bodies). Rather, these companies seem much more content to adopt emerging, grass-roots based formats that have garnered some level of community adoption.

The answer to the "what about standards?" question is a common one: we provide open, freely-usable APIs. In other words, in the web 2.0 world (unlike the enterprise identity management world) standards-based solutions are not important; open APIs and a base of users is.

2. Solving a business what?
In the web 2.0 world, identity is not being pitched as a solution that solves a business problem. In fact, solving business problems (i.e., the problems of enterprise IT departments) is rarely even considered in the web 2.0 world. Rather what is solved is a user problem, and normally a very niche-driven user problem.

Two of the identity-driven announcements last week illustrate this. Sxip released Sxore, an "identity and reputation system for blog authors, readers and commenters," and AttentTrust released an alpha of their attention recorder, a beginning step toward individuals being able to control how their attention is utilized and stored. In both cases what you find is a solution that utilizes identity (in the AttentionTrust example, very low-level identity attributes) to attempt to solve a very specific problem.

The interesting thing about these two examples and the way that other web 2.0 companies are using identity is that the companies tend to seek rapid iterations of specific identity solutions, but they are not losing sight of the bigger picture -- a picture that shows a fracture in the web 2.0 companies.

3. The Great Divide.
Start-ups in the web 2.0 space seem united around the idea that identity should be made open, portable and user-controlled. They are not seeking to create yet another identity silo with their companies and applications. This view is much less clear among the big companies.

The bigger companies in the web 2.0 space - and by this I mean Google, Yahoo!, Amazon, and IAC - are a lot fuzzier on their views of what identity in the web 2.0 context should be. Many well-intentioned folks inside of these companies understand the altruistic urge toward open, portable and user-controlled identity, but all too often their existing business models are at least partially built on utilzing an identity silo. Ironically, the one semi-web 2.0 company that really can't be thrown into this list (yet) is Microsoft. Microsoft's "identity metasystem" effort is a bit of a middle ground between the start-up stance and the typical big company stance.

What we have, then, is a great divide - and its actually a three way divide.

On one side we have the emergent participants in the Web 2.0 space. These are normally smaller companies, but in some cases pieces of larger companies can be included here. These folks are adamant in wanting open, portable (non-silo'd), user-controlled identity. They also are not motivated by standards-based solutions, but care deeply about open APIs and user-bases.

On the second side, we have the big Web 2.0 companies (though this is a bit of an oversimplication). These companies are also (typically) not concerned about standards-based solutions, rather they want to find a solution with a large user-base and an open API -- as long as its *their* open API, and they're able to maintain some level of identity "silo'ing."

On the third side, we have the folks that weren't present at this show -- the enterprise solution providers and enterprises that have been working away on standards-based solutions. The near total absence of this world was disturbing if only because it feel as if we're in danger of ending up with two very different identity universes. Again.

What's it all mean?
Simply put, the Web 2.0 movement (a bubble or not) is one that will result in a lot of development over the next several years. Many of these companies will seek identity-solutions, and I suspect we'll see several companies emerge in this space that solve very specific identity-based problems with applications that will garner huge user bases. I also suspect that these companies will not be "standards-based" in their approach.

I would argue that this development places an additional burden on the already burdened enterprise IT department. The world of the enterprise architect needs to (at the very least) begin to understand how the more end-user facing web 2.0 world thinks and acts.

Its quite possible that the future will find vibrant user-bases of identity-based applications asking enterprises to use open APIs and "mash-ups" to make their already portable and open identity attribute useful in a more traditional enterprise system.

And suddenly, the standards-based enterprise architect might find himself living in a web 3.0 world.