19 November 2005

Webmaster's note: This blog post is a verbatim reprint of a post which originally appeared over 12 years ago, on November 19th, 2005. You can view the original post here.

By: Nelson M. Nones CPIM, Founder, Chairman and President, Geoprise Technologies Corporation

In Part 2 of this post, I demonstrated that none of the authentication standards in use today are appropriate ways to implement a bilateral trust model for “on-demand” software. These standards include the public key infrastructure (PKI) for digital certificates and also universally unique identifiers (UUID), globally unique identifiers (GUID), personal Internet names (PIN) and individual assets (including people) identified within the EPCglobal Network.

I am aware of two proprietary identity frameworks (America Online’s Screen Name and Microsoft Passport) and 3 federated identity networks -- The Liberty Alliance, Shibboleth and the Universal Private Address.

The proprietary identity frameworks require users to be federated with an organization. Today’s versions, therefore, rely on the unilateral trust model that would clearly limit the market potential for “on-demand” software. As I wrote earlier in connection with Hailstorm, one of Microsoft’s ambitious Passport plans:

Trouble is, Microsoft got the fragmentation part backwards. Credit card numbers may be ‘public’ in the sense that both parties to a transaction need to know the same number, but passwords most definitely are not.

In response to the widespread privacy concerns that doomed Hailstorm, Microsoft in 2002 announced new Web services (WS) technologies which, according to Microsoft:

... embrace WS-Security and other WS standards, and enable applications to use credentials created on a wide range of systems, including Active Directory, Microsoft .NET Passport, and other products that support WS-Security (for example, IBM middleware products).

This technology, code-named TrustBridge, was supposed to ship in 2003 but I can find nothing on Microsoft's web site announcing its general availability, so it seems to be 2 years late and counting. Nevertheless, it relies on a set of open source WS standards such as Security Assertion Markup Language (SAML) from organizations like the Organization for the Advancement of Structured Information Standards (OASIS), the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF). These are the same standards that underlie the W3C’s XML Key Management Specification (XKMS 2.0) which integrates the PKI with many kinds of application software. I strongly suspect that the reason why TrustBridge is not available yet has everything to do with the conclusion I reached in Part 2 of this post.

The Liberty Alliance is a consortium of 150 companies initiated by Microsoft’s archrival Sun to provide an open source alternative to Microsoft Passport. Its specification relies on the same open source standards as TrustBridge, including SAML. An infrastructure that complies with this specification would allow users to directly control their own information using local identities, which are pseudonyms assigned by a home identity provider that link to individual service provider relationships through a unique random identifier. The home identifier, in turn, is a registration authority (RA) or certificate authority (CA) as described in Part 1 of this post. Given Sun’s track record competing against Microsoft, I don't think The Liberty Alliance is going anywhere soon.

Shibboleth is an initiative sponsored by numerous universities “to develop an open, standards-based solution to the needs for organizations to exchange information about their users in a secure, and privacy-preserving manner.” Like TrustBridge and The Liberty Alliance, it relies on SAML but it is specifically not intended for electronic commerce.

This leads me to the Universal Private Address, the third federated identity framework put forward by OASIS and Advanced Micro Devices (AMD). It is a new type of abstract address that uses an OASIS XRI (Extensible Resource Identifier) and protocol known as XRI Data Interchange (XDI). According to OASIS, its XDI Technical Committee was created:

... to define a generalized, extensible, location-, application-, and transport-independent service for sharing, linking, and synchronizing data over the Internet and other data networks using XML documents and XRIs ... With XDI, data from any data source can be identified, described, linked, and synchronized into an active, machine-readable ‘dataweb’ just as content from any content source can be identified and linked into the human-readable Web today.

What intrigues me most about the Universal Private Address is that it specifically targets the need for bilateral trust that I believe is key to future marketplace acceptance of “on-demand” software. This is because the link between any two Dataweb pages is a pipe for pushing or pulling data in either direction, under the control of automatic “valves” at either end known as“XDI line contracts.”

XDI proponents believe that this technology will allow an open social network to evolve that links people and organizations—precisely what the bilateral trust model requires. The infrastructure for this social network would comprise “I-Brokers,” trust federations, global registries and Dataweb dictionaries. Examples of social web applications include:

  • Personal contact gateways hosted by I-Brokers.
  • Trust filters; i.e. Web services, such as XKMS-compliant applications, that establish “probative evidence of identity.”
  • Intelligent e-mail management according to XDI link contracts, not just e-mail header and content analysis.
  • Auto-address books and auto-calendars that allow disparate groupware systems to share information with one another; i.e. allow me to confidently share information in my Salesforce.com account with my partner's sales force automation system (which may or may not be Salesforce.com) according to our XDI link contract.
  • Auto-registration, auto-login and auto-personalization capabilities.
  • Auto-privacy negotiation and digital identity theft protection applications.
  • Auto-forms and one-click transactions.
  • Auto-lists and auto-groups.
  • Social search applications.
  • Reputation network services.

You can register your own i-name at 2idi, the first Dataweb services provider (DSP) to implement XDI. What's an i-name? For organizations, it's backwards-compatible with their existing URL; for example, "@WhiteHouse" is the i-name for www.WhiteHouse.gov. For individuals, it's a Universal Private Address. I've already registered mine; it's “=Nelson.Mitchell.Nones” and you can already use it to contact me. You can tell the difference between an organization and an individual because organizational i-names start with “@” and individual i-names start with “=”.

Will Universal Private Addresses take off?

Although the XDI specification enjoys AMD’s strong support, neither Microsoft nor IBM have adopted it and neither of these giants has ever indicated their willingness to do so. Further, XDI is not a standard; it remains an OASIS technical committee proposal but, unlike XKMS 2.0, it's not enshrined as a W3C recommendation so it doesn’t qualify as an international standard yet.

Shortly before Microsoft announced Windows Live, its much-ballyhooed foray into “on-demand” computing, Bill Gates warned on October 30th 2005 that the shift to Internet-based software and services represents a massive and disruptive “sea change.” He's right. And I believe this is why TrustBridge is so late in coming, and also why Microsoft hasn’t placed any bets on the Universal Private Address. They know they don’t get it yet, but they are powerful enough to freeze the market until they figure out a way to dominate it while protecting as many of their imperiled cash cows as they can. This is how Microsoft killed Netscape to become the king of browsing, and it’s how they’ll try to become the king of “on-demand” computing as well. Gates’s e-mail to his top executives urged them to “act quickly and decisively” so there's no doubt in my mind that Microsoft will place its bets soon.

Link:  The Social Web: Creating An Open Social Network with XDI (Drummond Reed, Marc Le Maitre, Bill Barnhill, Owen Davis and Fen Labalme, Planetwork Journal)

In traditional networking terms, what are being linked are devices or objects: phones, fax machines, computers, documents. The term ‘social network’ implies moving to the next level, where what are being linked are people and organizations ... Like the development of the Internet and the Web before it, the evolution of an open, interoperable, global social network seems all but inevitable.