CardSpace Business Cards - PKI 2.0?

29.06.2008 by Sebastian Rohr

As the gurus of user-centric ID management have discussed here and here, by using CardSpace and special “Managed Cards” issued through Microsoft Active Directory, InfoCards could actually become a sort of authentication token not only for yourself, but for you as an employee of the issuer of the respective InfoCard. As managed InfoCards are designed to be used as a sort of community/customer ID, why not use them to verify whether somebody IS actually working for the company he claims to work for?

Impersonation is still a threat today. I experienced this during the Microsoft Security Tour that I recently attended in Hanau, Germany. One of the main reasons was that my successor in the position of Chief Security Advisor, Michael Kranawetter, was about to present CardSpace to the mainly developer-oriented audience. After sharing a coffee or two, Michael stepped up to the stage and prepared for his presentation.

The big surprise came without a single bit of warning: Michael greeted the audience and said: “Welcome to this session, my name is Sebastian Rohr, and I am the Chief Security Advisor for Microsoft Germany!” Well, there was only one guy in the audience who got puzzled besides myself: my friend Stefan, sitting right next to me! Michael easily showed that in today's business you should not trust everybody who is wearing a “speaker” badge :-) One should ask for proof of the claims stated.

Anyway, back to the point: using a “Business InfoCard” issued by your employer does not only make it easier to access, say, the company online-store and authenticate yourself. It can also be used in B2B situations, where you hand over your card and your communication partner can easily check that your name, title and affiliation are, in fact, valid. In addition, corporate information such as tax ID, location of the company and the official (and pretty up-to-date!) info on board members and the Chairman could be included. Nice!

Sitting over a nice glass of wine, one could drift off and, as thoughts come and go, get creative. Be it the impact of the heavy Merlot or too much sunshine: IF we have an established technology that offers easy issuing and management of credentials, spiced with corporate information and used in an interoperable environment that supports an easy “online check” of whether the information presented is still valid… and all this cross-company… with an extensible range of re-use… wouldn't THAT be the dream of all those PKI guys?

Let's face it: PKI has been struggling all these years to become and remain an important part of the IT infrastructure of all large organizations. Sometimes the struggling led to “near-death”, sometimes PKI managers still hunt for the killer app that will put their technology investment to use. Even IF the PKI was put to good internal use, leveraging it outside the company was rarely successful. Now, using the above-mentioned managed Business Cards, we would really be able to do all the things we failed to achieve using X.509 certificates - well, besides encrypted email maybe!

I am really looking forward to your replies, either to be sure that it WAS too much sun and Merlot, or to kick-off a new thread on mis-using user-centric ID management in the enterprise ID management space!

SAPPHIRE Berlin Day 2

20.05.2008 by Sebastian Rohr

Have you ever been to SAPPHIRE?

No?

You should!

Despite my young age, I guess here is where you find how the spirit of the IT industry might have been in “those days”, where multi-million dollar Mainframe deals were made. At least, that is the impression you get when you stroll around.
I have been to quite some trade fairs, special meetings and vendor events - all with a rather impressive set of “supporting events” and executive receptions. But recent years have shown a decrease in the investments vendors were willing to spend on these little extras. Looks like SAP still has got some budget to spend…

But let us get back to business - executive business, this is!
When it comes to providing strategic business perspective, coming here as a manager or executive you get what you expect: visionary statements, large-audience keynotes and a nice overall setup. From a technology perspective though, it is quite surprising that one can only get their hands on a small number of technically versed representatives who are able to show a little more than flashing slides and animated demo screenshots. Well, one could argue that this is not TechEd, which will take place in autumn here in Berlin and which I will definitely attend also, and one must consider the “business oriented” approach of SAPPHIRE. Point taken, rest assured! But I was NOT talking about a nuts&bolts session on how to configure x and get y out of that interface. I was merely looking for people to tell me just a little bit more about what became of MaxWare, where GRC overall will be going and what the combined strategy for managing identities within (and beyond) SAP will be. I will take those questions home with me, unfortunately…

Given that, I made the best out of a session with one of the solution marketing guys, who assured me that the IP as well as the human resources of the MaxWare acquisition were secured and that the now joint teams from Netweaver IdM and MaxWare are working hard to push the integration depth. Nice - and from my point of view obvious - information: SAP will not push their newly acquired IAM technology as an independent offering but will concentrate on delivering added value to existing SAP-centric customers. I will definitely catch up with him to extend our late-evening discussions at the Hamburger Bahnhof. Thanks again for the insights!

On a completely different note, the RIM partnership seems to kick-in pretty nicely with a “mobilized” SAP CRM and Blackberry integration, which the RIM representative dared to demonstrate live during the keynote (something which I would not have dared, given my recent experience with reliability of the 3G network connectivity - especially with a few thousand people around you all carrying a mobile phone!)

I will get back to you all with more gossip tomorrow, with news on the Zucchero live performance (see budget joking above!) and a special feedback from the Business Objects keynote of CEO, Mr. Schwartz!


© 2008 Sebastian Rohr, Kuppinger Cole + Partner