About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« Is this the world's biggest identity fraud? | Main | Population-scale PKI »

Federation is about trust

By Dave Birch posted Jan 29 2008 at 1:40 PM

[Dave Birch] A conversation today set me thinking (yet again) about why things are not getting better. Once again, I must ask why is it that the identity management situation does not seem to be improving much? In particular, surprisingly little seems to be happening in federated identity. Not because the standards needed to do it don't exist, or exist but don't work, but because they don't overcome the trust barrier. Why should a company trust another company's credentials? Or, at least, why should a company trust another company's credentials unless the both belong to a "gang"? Businesses want certainty in these matters, they want to see that liabilities are distributed in a known and understood way, so that everyone knows where they stand. Thus, in a scheme such as MasterCard or IdenTrust, each of the participants can assess risk and reward properly. But if I'm FaceBook, should I accept a MySpace identity? What if the MySpace identity claims to be under or over 18 and I'm going to rely on that credential in some way?

Oddly, while nothing much is happening in federation in the mass market -- I'm no nearer being able to log on to one bank with another bank's credential than I was a decade ago -- there has been some progress in government systems. An example of something that has actually been working in the U.S. is FiXs, or the Federation for Identity Cross Credentialing Systems. The FiXs are a network of government agencies and private sector institutions that have assembled the federally-mandated interoperable authentication between the Department of Defense and contractors. They have created a bridge between government and companies doing business with the government, ensuring that trusted credentials are issued and given appropriate access. Javelin point to this as a prime example of an effective public/private partnership and I wonder if we shouldn't look at this more bottom-up approach as a way forward. If we somehow facilitate the growth of the interoperability in limited (but potentially large) domains and then look to perhaps interconnect those domains, we may begin to assemble the kind of digital identity infrastructure that was being envisaged in earlier days.

So what domains could we look at for evidence that this might, in fact, be the way the world is going. Well, so far the vast majority of real-world federation roll-outs have been internal or enterprise type deployments: organisations authenticating users to an outsourced service provider (such as a Fidelity 401K, or AOL's Radio Service). Connor says in that piece that

the time has come for federation and Single-Sign-On to be adopted in a more general fashion.
I think this too, both because as a consumer and citizen I am fed up with managing multiple passwords (the traditional SSO justification) but also because our clients want to do more online, want to move services online, want to deliver more efficiently online but can't in the absence of an infrastructure. Now, that infrastructure isn't just about managing passwords: it's about managing identities, credentials and reputation. This is where it is getting bogged down, since no consensus is emerging about how any of these things should be organised and managed in a mass market.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]


TrackBack URL for this entry:

Listed below are links to weblogs that reference Federation is about trust:


I have a smart card "issued" by the United States Government (really Lockheed Martin and Senture), a Transportation Workers Identity Credential. It actually got accepted instead of my driver's license at an airport (with some cajoling). It follows FIPS 201, has an identity certificate, PIN, finger biometric, and digital photo (though less useful for SSO) it could be chained to the Federal Bridge (separate story), so why can't I use this for logging onto web sites (I know the technical reasons but humor me).

The problem is that each of the schemes I have run across really seem to be the case where some is trying to own the Federation, aka "just trust me with your data, I'm the most benign, altruistic clearinghouse you will ever run into".

Am I just too juiced on the kool-aid but jeez, shouldn't some Federation start looking at what's out there instead of trying to reinvent the credential wheel.

The comments to this entry are closed.