Yes, I know – Information Cards (or Infocards) and their incarnation in Microsoft Windows CardSpace have been around for a while. But it was mainly the inner circle of Identity Management (and especially of user-centric Identity Management) who was really aware of this. With the recent announcement of the Information Card Foundation (ICF), Microsoft and others are trying to improve the visibility of Information Cards as a core element of Identity Management in the so called cloud.

There has been some discussion around the announcement in blogs and forums in the Internet. One of the most interesting aspects discussed is the necessity to educate the broader public about the concepts and value of Information Cards and the entire “Identity Management for the cloud” (aka user-centric Identity Management, aka Identity 2.0). That must be a main target of ICF, but as well of all the other players in this emerging market.

First of all, I’m convinced that Information Cards as well as OpenID will become central standards in the Internet and for Identity Management. Given that at least OpenID isn’t that far away from reaching the critical mass and that Microsoft Vista adoption (which makes it easier to use CardSpace) is happening pretty fast, as well as some important Open Source initiatives working on these topics, that might happen earlier than most expect today.

Nevertheless it is important to explain the concepts for everyone – and to address the privacy and security concerns many will have. There are so many things which can be done using these technologies, from Single Sign-On and Profile Management in the web up to Corporate Business Cards. But they require an accepted concept.

Thus, the idea of ICF is great, when it goes beyond technical discussions around use cases and implementations issues and really focuses on education as well. On the other hand the member list of ICF proves that there is strong interest and support in the industry for Information Cards. You can bet that no one is in there who doesn’t expect that the use of Information Cards won’t support his business – otherwise they wouldn’t invest time and money into ICF.

ICF is a great thing from my perspective. It will drive Information Cards forward – and thus the Identity Management for the cloud.

I have a personal history in the areas of personalization and profiling. And there might be some good chance for these ideas to become reality now - in the context of Infocards and to the sake of VRM (Vendor Relationship Management).

The threat in personalization and profiling is to know what the person really wants (personalization) or is/has (profiling). The one who knows best is the person itself.

(Managed) infocards can transport virtually everything. They might provide profile information for personalization. A trusted identity provider might offer a service which stores profile information it retrieves from the users and provides it in a controlled way (the basic idea of user-centrism) to web sites which shall provide a personalized experience to the user.

Bring in things like U-prove and that site doesn’t need to know the exact data but can “ask” the Identity Provider about relevant aspects and retrieve a yes/no decision. For sure the service provider/relying party in that equation will know some things but the amount of this knowledge can be limited - and thus privacy can be maximized.

I’m convinced that there is a business model for Identity Providers. Users might pay for a trustworthy handling of privacy information. Relying parties might pay for the ability to personalize information. There might also be approaches where the service is for free but the privacy is limited - the relying party might pay more if she learns more about the user. Both approaches might work.

VRM fits perfectly into this. It is the use of these approaches for vendor relationships, providing information for buying decisions via Infocards. For me, VRM, infocards and technologies like U-Prove are the pieces of a puzzle which, when ready, shows personalization and profiling as the picture.

Yes, I know - it is a little redundant talking about “corporate” and “business” in the context of virtual cards. But it is one of the most obvious, interesting and feasible business cases around Identity 2.0.

What do I mean by that term? My idea is about applying the ideas of Identity 2.0 and especially of InfoCard to the business. Provide every employee with an InfoCard or even some of them and you are better suited to solve many of today’s open issues.

How to issue these cards

I have this in mind for a pretty long time. I remember that I had asked Don Schmidt from Microsoft about the interface between Active Directory and CardSpace some time before EIC 2007. Active Directory might be one source of these cards. Just provide an interface between AD and an Identity Provider for InfoCards and you are able to issue and manage these cards based on information which still exits in the Active Directory. For sure, any other corporate directory or meta directory might work as well.

Today these technical interfaces are still missing, at least in an easy-to-use implementations. But it won’t take that long until we will see them. Thus, it is time to start thinking about the use cases.

How to use these cards

There are at least three types of cards I have in mind:

• Virtual business cards: They are used when someone represents his company. How do you ensure today that every employee provides current and correct information when he registers with other web sites? How do you ensure that he acts in the web like you expect him to do? How do you ensure that he enters the correct title or the correct information about the size of your business when registering? InfoCards are the counterpart to your paper-based business cards today, but they can contain more information. And there might be different ones for different purposes.
• Virtual corporate cards: They are used for B2B transactions and interactions. Add information like business roles to the cards and you can provide all these claims or assertions which are required for B2B business. These cards can be an important element in Federation, providing current information on the role of an employee or other data required. For sure there can be as well several cards, depending on the details which are required for interaction with different types of business partners.
• Virtual employee cards: They are used internally, for example to identify users in business processes. Again, there might be a lot of information on them, like current business roles. You might use them as well to improve internal order processes, identifying the users who request new PCs, paper, or what ever else.

With these three types I might even have to extend the name for the cards, I assume. But I will stick with the term I have in the title of this post. The interesting aspect is the flexibility which (managed) InfoCards provide and the ability to manage them in context with a leading directory you have.

Due to the fact that you are the Identity Provider when applying these concepts you can ensure that no one uses these cards after leaving the company. You can ensure as well that the data is always up-to-date. That’s by far easier than with some of today’s equivalents for these future type of cards.

I will blog these days about two other ideas I have in mind in this context: The way the concept of claims Microsoft’s Kim Cameron is evangelizing will affect end-to-end security in business processes and SOA applications in general and the idea of using InfoCards for all these personalization and profiling ideas which have been discussed many years ago. I’m convinced that Identity 2.0 concepts like InfoCards and claims are a key element to solve these threats and bring these things to live.

There is a lot of business value in these concepts. And they will affect the way businesses cooperate, because they are much easier to implement and use than many other approaches.

With the recent announcements of Yahoo to fully and Google to partially support OpenID and the now official engagement of IBM, Microsoft, Verisign, and other key players of the market in the OpenID Foundation it seems obvious that OpenID is now THE standard for user centric identity management.

I agree - partially. OpenID is A standard for user centric identity management which definitely will, with some advancements, will influence the way people act in the internet. But I’m, for example, convinced that it won’t replace Microsoft’s Infocards (as the technical basis). These two things are two different as well from the use cases as from their capabilities. There might be an OpenID 3.0 or something which in fact is sort of a combination of both. But there will be many things from the outside which influence today’s OpenID.

That’s, by the way, no surprise. Virtually any new standard started small and with limited capabilities and grew over time to a more complete, more sophisticated solution. While the original creator’s of OpenID will focus on ease of use, the new supporters will focus more on “sophistication”.

And the end there will be some OpenID which is much more secure and supports many more use cases than today’s standard - but which is as well a little more complex. But I’m convinced that it will be a major pillar for user-centric identity management over the next years. Together with CardSpace and it’s incarnations. By the way: We support Infocards at our website right now and OpenID and CardSpace will, for sure, be major topics at the European Identity Conference 2008, with speakers like Kim Cameron.

There is a broad discussion around the use of identity information at StudiVZ these days. They have changed their agreements with their users and will present personalized adverts. That has lead to an intensive discussion in their user community. Another interesting change can be found at Xing since some two weeks: At the starting page you can now directly see not only the number of new contacts of your contacts (like at LinkedIn) but the names of the new contacts.

I personally found that change a little bit to open. For sure you can look up the contact lists of your contacts as long as they aren’t hidden. But there is a difference between acting actively and this new situation where you are passive. I’m not sure whether I like that – and I doubt that other users are convinced of the value of this change.

But, more important than the question whether I will hide my contacts at Xing as a consequence of this change there is another aspect which is common for both described situations: Social networks are at a critical point. And their next steps will influence the future not only of some single social networks but of the approach in general.

Read the rest of this entry »

I still remember some tough discussions I had with eBay in 2004 when we had just started KCP around there missing investments in secure, strong authentication. Interestingly eBay and PayPal are amongst the first now to use VeriSign Identity Protection, abbreviated as VIP. And they start in the German market to roll out this technology.

Basically VIP is sort of a combination of strong authentication with a user-centric identity which can be used with different vendors and other companies in the market. The user requires a token which provides an OTP (one time password) which is used for authentication. Nothing new, so far. But: The VIP network is designed to support multiple partners and it uses only one token. Thus it addresses two of the biggest obstacles of OTPs as a means for strong authentication:

1. The cost of deploying tokens is shared and thus lower.
2. The user has one token instead of a collection of tokens from different providers.

I really like this approach because it’s a pragmatic one. And I will, for sure, test my VIP card today with my eBay account. Best of all, the token is in credit card form factor and thus very comfortable to take with me, in contrast to some other token I own.

Combine this approach with OpenID and CardSpace and you end up with a solution which isn’t perfect but far more secure and usable than most of the other approaches in the market. Interestingly I had discussing about that approach with VeriSign some 18 months ago the first time. Seems, that today the market is ripe for it.