Now and again, I google for my social security number, hoping that the number of hits will be zero but fearing that it won't be. So far, so good. In case you've never tried it, here's an interesting experiment. Search for the first digit, then the first two digits, and so on until you build up the string of all nine digits. Here's the pattern for me:

digits    Google
of SS#     hits

1      952,000,000
2      182,000,000
3        5,900,000
4       14,700,000 (Because it spells a year in the last century.)
5           13,300
6              683
7               22
8                3
9                0

The decision-making process, Hodgman says, has five stages:

Hodgman: Subject A begins as they all do, with stage one: gut reaction.

Subject A: Initially I would think, perhaps, invisibility...

Hodgman: Next comes stage two, practical consideration.

Subject A: You can walk around at work, turn invisible, listen to what they say about you, you have the power to spy on your exes, and that would all be enlightening, and fun, and in fact a little bit perverted...

Hodgman: You hear that doubt in his voice? That's the beginning of stage three, philosophical reconsideration.

Subject A: I believe it would immediately turn into a life of complete depression, you wouldn't be able to share with anyone, I know there would be problems.

Hodgman: Stage four, self-recrimination.

Subject A: Invisibility leads you, leads me as an invisible person, down a dark path...

Hodgman: Finally, stage five, acceptance.

Subject A: Yeah, I'd have to go with flight.

Another interviewee concludes:

I think a lot of people will tell you they'll choose flight, and I think they're lying. I think they'll say that in order to sound mythic and heroic, because the better angels of our nature would tell us that we should strive for flight. But I think if everybody were being perfectly honest, they'd tell you the truth, which is that they all want to be invisible so that they can shoplift, go to movies for free, go to exotic places without paying for airline tickets, and watch celebrities have sex.

In cyberspace we really can have both superpowers. Nothing compels us to choose between them, but I think we will. Although our wings have been clipped slightly by firewalls and NATs, our power of flight -- the ability to go anywhere, instantly -- remains essentially intact. The Internet was designed to enable us to fly. It wasn't designed to help us hide. We just happened to get that for free, in the beginning, because it was way easier to punt on identity.

Privacy, yes, to the fullest extent possible. Invisibility, no. I don't want to live in a world where "our every click is tracked, our every purchase becomes a datum to be turned against us." But neither do I want to become a cloaked and anonymous skulker in order to avoid that. We shouldn't have to make that choice.

Update: Patrick Logan writes:

I think in normal American society (where normal to me means the society I've been a part of for the past 42 years) I would also choose the ability to fly.

But what if I were living in a more tyrannical society? Like Iraq? I certainly would choose to disappear for any number of reasons.

Excellent point.

As with standards, the problem with convergences is that there are so many to choose from. When the subject is digital convergence we often start with devices and media, which leads to a barrage of questions: Can I watch movies on my notebook PC? Can my Bluetooth cell phone double as a modem? Can my Internet connection replace my long-distance phone service? Increasingly, the answer to these questions is yes. But it's often hard to see the forest for the trees. There is an organizing principle here, identity, but it too is plural. Users, devices, networks, and services all have identities. More than convergence of devices and data types, it is a convergence of identity that we seek. [Full story at InfoWorld.com.]

Note: I made the diagram shown here, which ended up not fitting into the magazine, for two reasons. First, I wanted to try to think visually about various aspects of convergence. Second, I wanted to test-drive the OmniGraffle diagramming software that was bundled with the TiBook I am using. It turned out to be a useful way to conceptualize the story, but I was disappointed with OmniGraffle. It's no Visio in terms of power and flexibility. And the text handling is really buggy; I had to repeatedly save and restart.

Phil Windley reprises his Digital ID World talk in this excellent article which argues that "serving as the foundation for identity is a proper role for government."

I've long thought so too. When I met Phil at the identity conference, I asked how he thought this would play out. He suspects that the national ID card will prove to have been a stalking horse. We'll never get it, but we won't need it -- because state-issued credentials, specifically driver's licences, will carry certs, and will for all practical purposes federate.

I understand and sympathize with the concerns raised by that notion. But where there is risk, there is also opportunity. And one of the opportunities is to get to the point where we have translucency and selective disclosure -- so that, for example, your ID proves only your age to the liquor store clerk, without revealing anything else he doesn't need to know.

2003 is shaping up to be the year of anti-spam initiatives. When thinking about these issues, I keep coming back to Larry Lessig's four regulatory constraints: architecture, law, social norms, and the market:

Some constraints will support others; some may undermine others. A complete view, however, should consider them together.

We of the geek tribe tend to focus on architectural constraints. Filtering is the first line of defense, but there are others. I've advocated digital IDs as one technique. Another was recently brought to my attention by David Magda, who alerted me to the hashcash idea -- a clever scheme that proposes to make email senders invest CPU cycles to produce "proof-of-work" tokens attached to email.

On the legal front, the drumbeat for anti-spam legislation is becoming incessant, and we may see real action on that front in 2003. The issues surrounding such legislation are not very clear to me, so I look forward to more education on the subject in the coming year.

You might think that the spammer's cloak of anonymity would make social norms an unworkable constraint. But as Alan Spam King Ralsky recently discovered, that cloak can be summarily yanked away. The slashdotters who sent truckloads of junk snailmail to Ralsky's home were, I'd say, acting in the realm of social norms.

Market forces, at the moment, are all in the favor of spammers. Interaction with the other constraints could change that, though. The hashcash idea, in particular, targets the economics of spam. It won't cost you or me much to spend a few seconds generating per-message proof-of-work tokens, but the time or CPU horsepower required to create billions of tokens could put the big-time spammers out of business.

In general, it seems useful to think about anti-spam strategies in terms of multiple constraints. Whitelisting, in and of itself, concerns me for reasons I've mentioned. It's an architectural constraint that also establishes a social norm -- but, I think, a pernicious one, namely the idea that no spontaneous association is acceptable. However, in combination with other strategies, it seems more interesting. Another excellent article that David Magda pointed me to, by François-René Rideau, suggest that whitelisting and hashcash can work nicely together:

As a matter of standard, polite procedure, someone initiating conversation would have to pay some relatively high postage value, with the recipient returning postage and both participants including each other in a whitelist.

Architecture, social norms, and market forces are working together in that example. Likewise in the case of strong digital identity. I've long argued that use of digital IDs should be a social norm: serious correspondents should be willing to identify themselves in verifiable ways, and should expect others to do the same. Architectural and social constraints are woven together in that scenario.

On the whole, I'm impressed with the quality of discussion I'm seeing. I hope it continues. Arriving at a workable balance of constraints is going to be a subtle process, and it's going to require all of us to think out of our usual boxes.

The whitelisting begins. I haven't communicated with x@y.com in quite some time. Yesterday I sent him (and a number of others) a message that likely would have interested him. Here's the reply:

From: x@y.com
Subject: --------------------
To: jon_udell@infoworld.com
Date: Wed, 4 Dec 2002 15:39:58 -0800
X-Priority: 3 (Normal)
X-ChoiceMail-Registration-Request: ChoiceMail registration request

Hello, you recently sent a message to me at x@y.com.

My mailbox is protected from junk mail by ChoiceMail - a
permission-based email system that requires senders to be granted
permission to contact the recipient. Please click on the link below
to verify your identity.

[Click here to request approval]

When your browser opens, fill in your name and a short reason for
wanting to send e-mail to me. If your reason is acceptable, your
first email and all subsequent e-mails from you will be delivered to
me normally.

There is no need to send your original mail again.

Please visit DigiPortal Software's web site at
http://www.digiportal.com to find out how ChoiceMail can help prevent
your in-box overflowing with junk e-mail!

Please note that if you don't register within 4 day(s), all the
messages you sent will be automatically deleted.

The email thread that provoked this message will soon dissolve. Including x@y.com might have been useful, but the moment has passed. If I urgently need to contact x@y.com, I may have to grit my teeth and register to do so. But no ad-hoc communication is going to make it over that activation threshold.

From the DigiPortal homepage:

ChoiceMail is a spam-blocking system based on the premise that all incoming email is assumed to be spam until senders have obtained permission (called registering) to send you email.

Works like a champ, too. "In my tests, it cut my spam to zero," the site quotes Wall Street Journal columnist Walt Mossberg as saying. Well, sure. Who in their right mind would register to talk to you without a compelling reason?

This is another assault on the Internet's end-to-end architecture. It also illustrates the endgame of personalization -- a scenario aptly described somewhere as "the daily me": my news, my weather, my buddies.

If we rule out spontaneous association then we will not have defeated the spammers. They will have defeated us.

Yesterday's item on digital IDs and spam drew mixed responses.

Wes Felter:

Then the spammers will just get certificates. Wait, let me guess: The CAs will revoke certificates if anyone complains, ending in mutually assured identity destruction. No thanks. [ Hack the Planet]

Spammers operate in the shadows. To identify themselves is to risk being held accountable.

One way or another, we're in for a privacy/identity arms race. Managing cert revocation in any practical way will be a huge challenge, for sure. It might also be a huge business opportunity. The mathematics of n-way whitelisting just won't work. There will have to be some way to invest third parties with the power to mediate trust.

Howard Greenstein:

I wish more people had digital sigs and that we could filter as [Jon] suggests. Is there a way to make this an easier process? I had to go to Thawte's site, get forms, have them signed by a bank manager and a lawyer who asserted my identity (which was easier than finding others in their 'Web of Trust'). Web of Trust is an interesting concept but it involves you trusting copies of your identity to a complete stranger instead of a banker/lawyer you deal with regularly. [ Howard Greenstein]

This was of course a major topic of discussion at the recent digital identity conference. State government is one leading candidate, banks are another.

Kevin Werbach is predicting the end of email as we know it. The spam plague, he sugggests, will force us to abandon the notion that anybody can contact anybody by email. We'll use "whitelists" to enumerate those folks we are willing to receive mail from.

Other, unknown senders receive an automated reply, asking them to take further action, such as explain who they are...

Like it or not, the only way to kill spam is for an element of e-mail to die as well. There's always been something charming and casual about e-mail. The informality comes through in the style people use to write messages, but also in where they send them. You've probably sent an e-mail to someone you'd never call on the phone, approach in person, or even write a letter to. Losing this aspect of e-mail is a shame, but it's inevitable. E-mail will become more like instant messaging, with its defined "buddy lists." [ Slate]

I wonder. For a very long time, I've thought that digital identity is the solution to spam. That's one of the reasons I attach S/MIME signatures to my email messages. As a standard practice, this could divide the world into two camps: those serious enough about email communication to acquire and use digital certificates issued by (and revocable by) some well-known third party, and everybody else. Client-side filters would begin by splitting inbound mail into two piles. If you wanted to land in the first pile, you'd assert your identity.

This has been, so far, one of those theoretical network-effect benefits that hasn't been compelling enough to motivate people to jump through the hoops that now complicate the acquisition of a digital ID -- or to spur vendors to simplify that process. I've often wondered what it would take to get us over the activation threshold. Maybe whitelists are it. When everyone has to register on everyone else's whitelist, PKI's core value proposition -- trusted communication without prearrangement -- will finally start to make sense.

Phil Windley is reading David Brin's amazing book, The Transparent Society. When I first read it a couple of years ago, I posted Brin's "accountability matrix" to my newsgroup for discussion. Phil had exactly the same reaction:

1. Tools that help me see what others are up to.	2. Tools that prevent others from seeing what I am up to.
3. Tools that help others see what I am up to.	4. Tools that prevent me from seeing what others are up to.

His contention is that people see boxes (1) and (2) and good and boxes (3) and (4) as bad.  What what society needs is boxes (1) and (3) since that creates accountability.  Further, society should eschew boxes (2) and (4) since that pits citizens against each other in "an arms race of masks, secrets, and indignation.  [ Windley's Enterprise Computing Weblog ]

Back in February, Matthew Blair wrote:

There is tremendous power in his [Brin's] fundamental idea  of 'freedom through accountability' instead of 'freedom through secrecy'...This is the most important idea I've come across so far this year. [ Throb ]

I think so too. It will be fascinating to see what such a prominent thinker and pragmatic doer as Phil Windley will make of it.

David Weinberger reports another undocumented Google trick: a quoted phone number (without hyphens) yields name, address, and maps. Although this is not really any different from what Switchboard.com has been doing for some time, we nevertheless find these demonstrations -- as David says -- scary.

Back in August, there was a flap when it was discovered that voter registration records in New York, which are public information, were accessible on the web. The term "public" turns out to be highly loaded:

"Historically, court records have been presumptively open to the public," said Judge John W. Lungstrum, chief judge of the Federal District Court in Kansas, who headed the judges' committee. "On the other hand, because most people didn't bother to go down to the courthouse to rifle through the files to see what allegations might have been made against their neighbors, the result was only people with a true interest in the matter ever bothered to access the material. We had to wrestle with the loss of practical obscurity." [ ACLU Newswire]

It's tempting to say that practical obscurity is a necessary casualty of the evolving Internet architecture. On the other hand, as Lawrence Lessig likes to point out, that architecture can express differing sets of values. I'm not sure practical obscurity is a value, on balance, because then the right to access information is skewed in favor of those with the means (time, money, influence) to overcome the barrier of obscurity. But assume a consensus that it is an important value. How would you engineer for practical obscurity?

The link between phone numbers and other personal data is an especially interesting test case. Consider the ENUM initiative, for example, which seeks a mapping between telephone numbers and the DNS. Some argue that this is another flawed top-down X.500-style effort. Of course, as Google and Switchboard demonstrate, the convergence of telephone directories and Internet directories is going to happen, one way or another. If we were to decide that values such as "practical obscurity" ought to be woven into the infrastructure, it strikes me that a DNS-oriented approach might make sense.

On the last day of the digital identity conference I spent an hour with Phil Becker, co-founder (with Andre Durand) of Digital ID World. By the end I felt like Peter Finch in Network, whose skull was pried open by Ned Beatty in order to receive the cosmology of money:

"There are no nations! There are no peoples! There are no Russians. There are no Arabs! There are no third worlds! There is no West! There is only one holistic system of systems, one vast and immane, interwoven, interacting, multi-variate, multi-national dominion of dollars! petro-dollars, electro-dollars, multi-dollars!, Reichmarks, rubles, rin, pounds and shekels! It is the international system of currency that determines the totality of life on this planet! That is the natural order of things today! That is the atomic, subatomic and galactic structure of things today! And you have meddled with the primal forces of nature, and you will atone! Am I getting through to you, Mr. Beale?"

Yes :-)

Phil believes (as do I) that we are at the end of an evolutionary phase. The connected computer is fast approaching ubiquity. We've created cyberspace, but we haven't yet really colonized it because we lack the organizing principle to do so. Having abolished time and space, nothing remains but identity. How we project our identities into cyberspace is the central riddle. Until we solve that, we can't move on.

By now we've all had an epiphany about connected computers and digital identity. Phil's was a real attention-getter. Many years ago, when remote terminals were still an amazing novelty, Phil -- then a military ¹ guy -- says he accidentally modemed into the console of a Titan missile. He didn't have the launch codes, but you can imagine how this kind of thing would frame your perspective on cyber-identity.

Phil also believes that intellectual property is the basis of all economic value, and that the value of all IP that touches the Net tends toward zero. Here we part ways, but it is a serious argument that I do not lightly dismiss, and it goes to the heart of the DRM controversy that was one of the many themes woven through this fascinating conference. For Phil, the IP at risk is not only the packaged content (music, videos, books) that is the immediate focus of the DRM industry, but more generally the human capital that is the wellspring of all goods and services. I suggested that this latter form of IP doesn't yet touch the Net and is only marginally at risk. Phil countered that leakage at the edge has already cost businesses billions of dollars ² and that, sooner or later, this adds up to real money.

I wonder what kinds of human capital can, in fact, leak in this way. I'm reminded of the book Noble Obsession, Charles Slack's history of Charles Goodyear, who discovered how to vulcanize rubber. Sulfur was a key ingredient in the process, a discovery made not by Goodyear but by Nathaniel Hayward. Goodyear partnered with Hayward, urged him to patent the use of sulfur in rubber, and then bought the patent from Hayward. But it took endless frustrating experimentation before Goodyear finally nailed down the process. Along the way, Goodyear's nemesis, Horace Day, bribed another Goodyear associate, Horace Cutler, to reveal Goodyear's know-how:

"If you tell me the process, and if it works as you say, fifty dollars plus expenses for your trip here and back to Springfield," Day offered. Cutler agreed. Over the course of the next day or two, for fifty dollars, plus sixteen and change for boat fare and board at Widow Hall's, Horace Cutler systematically passed on to Horace Day secrets that had cost Charles Goodyear eight years of his life, his health, thousands of dollars, untold suffering, humiliation, ridicule, and poverty."

Despite this leak, Day could not reproduce the process. Goodyear's know-how transferred imperfectly to Cutler, and even more imperfectly to Day. Goodyear's lab had, in fact, pretty good physical security. If we project him into our near future, he might also have had pretty good DRM protection on his lab notebooks. Even so, unless we turn Cutler into a Palladiumized cyborg, Goodyear is still vulnerable to a social engineering attack like Day's. Should Cutler's DRM somehow fail, we must further posit high-fidelity transfer of consciousness -- from Goodyear to Cutler to Day -- for the IP leak to be fatal to Goodyear.

The relationship between protected IP and innovation is, of course, deeply complex. In Regional Advantage: Culture and Competition in Silicon Valley and Route 128, AnnaLee Saxenian argues that fraternization among competitors helped Silicon Valley surpass Route 128. At a 1998 conference in Stockholm she said:

I describe Silicon Valley as a network system, a decentralized industrial system in which production is organized by networks of specialized firms that compete intensely while also collaborating in both formal and informal ways with each other and with local institutions like universities.

What matters in this network system is relationships. The rich social, technical and productive relationships in the region foster entrepreneurship, experimentation, and collective learning. As a result, the region's social, technical and productive infrastructure is as critical to the successes of local firms as their own individual activities. What I argue in Regional Advantage is that it is this network-based system that has allowed firms in Silicon Valley to surpass their leading domestic competitors, those located in Boston's Route 128 region, as well as to remain competitive with the Japanese.

Those Silicon Valley engineers, fraternizing with their counterparts in bars after work, had to negotiate the fuzzy public/private boundary with a subtlety that I cannot imagine describing in an XML grammar or implementing in a computer.

In today's NY Times, Steve Lohr discusses how weak IP protection has been an engine of economic development:

Indeed, the economies that were shining success stories of development, from the United States in the 19th century to Japan and its East Asian neighbors like Taiwan and South Korea in the 20th, took off under systems of weak intellectual property protection. Technology transfer came easily and inexpensively until domestic skills and local industries were advanced enough that stronger intellectual property protections became a matter of self-interest.

But according to the recent report, this kind of economic-development tactic -- copying to jump-start an industry -- is endangered by the United States-led push for stronger intellectual property rights worldwide.

In the bar at the digital identity conference, David Weinberger said a remarkable thing. The two of us were chatting with Eric Norlin, Bryan Field-Elliot, and Nat Torkington. Eric, who once worked for the NSA, believes like Scott McNealy (and me, a lot of the time): You have no privacy, get over it. The subject of gays in the military came up. Somebody asked whether, in the transparent world of the NSA where "don't ask, don't tell" is irrelevant, gay employees are not tolerated.

Eric: "There were guys who were gay. But they were good, so people looked the other way."

David: "That's the problem with DRM. Computers are too stupid to look the other way."

I can't think of a better touchstone for the subject of digital identity. We have to have it. We're going to get it. But we're a long way from knowing how to use it. Phil, I should add, agrees with that. I want to thank him and the whole Digital ID World team for pulling together such a diverse and stimulating event. Let the conversations continue!

¹ Digital identity has deep military roots. I suppose it's no accident that Eric Norlin was with the NSA. At the conference I also met Tom Carty, founder of GTE CyberTrust, who told me about a fully functional PKI implementation he helped build for the NSA, circa 1987. I'm also reminded that a lot of the most interesting applications of Groove live in the shadows of the "public sector" where most of us can't see them.

² I'd like to see this documented.

At the digital ID conference, I met for the first time, or got to know better, a whole bunch of folks whose identities were formerly, to me, mainly digital, including:

AKMA
Bryan Field-Elliot
David Weinberger
Doc Searls
Drummond Reed
Eric Norlin
Nat Torkington
Nikolaj Nyholm
Phil Becker
Phil Windley
Phil Wolff

Most of us have weblogs into which we project a lot of ourselves. As a result, face-time is different than it otherwise would be. Our digital identities precede us, and create a rich context for live discourse.

One of the questions arising from this conference was: "Why do people, as opposed to governments and corporations, care about digital identity?" The positive social effects of reputation awareness are surely part of the answer.

Dick Hardt, founder and now CTO of ActiveState, was prowling around the digital ID conference asking a deceptively simple question: "Why do I need a key pair?"

Those of us who have long assumed that giving people key pairs and certificates is an inevitable and necessary basis for identity-aware computing were, of course, shocked by this naive-sounding question. Dick's not naive by any means, though, and he raises a very serious matter. Let's review the things I can do with my Thawte Freemail Cert:

• Sign email.

• Assure the bitwise integrity of email.

• Encrypt email.

• Authenticate to sites and services equipped to read attributes of certs (currently none that I frequent).

Now let's review the fine print:

• I have to authenticate to my certificate database to use my private key.

• The cert is portable, but not easily. I have retrieved versions of it for Mozilla and MSIE on my desktop PC and my ThinkPad. I tried to do the same on my loaner PowerBook, but the Mozilla cert didn't take, and neither Entourage nor Apple's Mail are cert-aware.

• Acquisition of client digital IDs is an obscure procedure that hardly anybody knows about.

• Smartcards that will simplify all this are (at least in the US) making little headway.

Passport, Liberty, Shibboleth, and PingID are all examples of cert-agnostic identity providers. You could use a cert to authenticate; equally you could use name/password, biometrics, or something else. So why do people need key pairs? Answer: to do crypto. We can't remember keys, and we can't do crypto in our heads, so we need to store keys somewhere.

Now Dick draws a distinction between my key, issued to me, managed in my certificate database by my software on my device, and a key that lives on a device (phone, PDA, computer) to which I can authenticate. "Crypto happens between machines, not people," notes Dick. If you're going to trust my signature then you already trust some authentication process, namely, my authentication to my cert database. So why not trust my authentication to the device, and accept its keys as a proxy for my keys?

In this scenario, the device's cert presumably tracks to an issuer that other devices could trust, just as we now accept VeriSign-backed websites. How does the device represent the user, and how do users decide whether or not to trust one another? I'm not sure how to solve this equation, but it seems worth thinking about. We have been pushing the boulder up the hill of PKI for a long time, and we're no closer to putting crypto keys into the hands of users than we were a decade ago. Meanwhile identity providers that are not crypto-based -- Passport/Liberty/Shibboleth/PingID -- are proliferating. Users of these kinds of services could, over time, build up reservoirs of trust based on credit history, peer reputation, or other factors.

Because it conflates cryptography with identity and trust, PKI winds up being a real brain-melter. If we can tease these issues apart, maybe we should.

Here are some belated notes from the digital ID conference. I couldn't post from there because there was no FTP connection to the outside world.

I'm at the digital ID conference. InfoWorld's special report this week on identity management and provisioning was nicely timed! Unfortunately I missed Phil Windley's talk, while the airport shuttle was giving me a scenic tour of the Denver metro area. He's blogging up a storm, by the way. Apparently Phil can listen, think, and write all at once. Astonishing. Here's the conference's aggregated weblog.

Shibboleth

Ken Klingenstein, who is project director for the Internet2 Middleware Initiative and Chief Technologist at the University of Colorado at Boulder, is a firehose of information about, and enthusiasm for, Shibboleth. It is, first of all, a scheme for federated Web SSO -- or as Ken says, ISO, for Initial Sign On. OpenSAML is the format used to share authentication assertions within a federation. It's therefore Liberty-like, but with a privacy twist that Liberty hasn't (yet) addressed. In Shibboleth there's strong accounting of which items of personal info are released. That, as much as the SSO effect, is what makes Ken think this system could have commercial legs.

Ken notes that while we have certification authorities (sort of), we lack attribute authorities. From the Shibboleth FAQ:

Often, a set of attributes about a user are what is actually needed rather than name with respect to giving the user access to a resource. For example, pubs and bars don't register their customers by name, but rather ensure that each customer is at least the minimum drinking age.

(See "Translucency and selective disclosure")

Identity, in and of itself, isn't incredibly hard. Wrapping useful context around identity is the trick.

Shibboleth is an open source project, with a major release due shortly. How long does it take to implement the system? "Between 4 hours and 3 years," Klingenstein joked. Translation: if you've done your homework, built directories, defined users and roles, then you can layer Shibboleth on top. Otherwise, roll up your sleeves and get busy. No shortcuts.

Enterprise identity roadmap

Jamie Lewis, CEO of the Burton Group, sang the same tune from an enterprise rather than a higher-ed perspective. An identity at its core can be anything, a random number even. Building a context around it -- managing the attributes, not the identity -- is the strategic business issue. And it's really strategic. Do it well, you enable new business models. Screw it up, you'll regret it.

Jamie's roadmap for identity management:

• It's technology and process
• enabling the enterprise to create a manageable life cycle
• to meet business needs for rapid registration, use, and termination
• that scales from internal to external apps and processes.

It starts with a directory, which can be an LDAP or other repository, and can be virtual -- for example, your mail system is authoritative for email addresses, the HR system for family info. What identity products and services do, then, is help you build out more attributes. Enterprises need help to define users, groups, and roles. And they need even more help when it comes time to undefine them. Reliably shutting down all of a terminated employee's accounts within 24 hours is a critical, but today almost unattainable, requirement. Solutions to that problem will not have a hard time demonstrating ROI.

On the subject of federated identity vis a vis XML Web services standards, Jamie is optimistic. He sees SOAP, WS-Security, and SAML as the basis of an emerging consensus which, in his view, creates a new role for PKI. His example: rather than issue certs to every employee, a company certifies itself, and then signs SAML assertions on behalf of its employees. Nice point! As confusing as the XML Web services stack may appear, it is not recapitulating X.500's monolithic architecture. SOAP, WS-Security, and SAML are well-scoped to support organic growth. Since that's the only way forward, I'm encouranged by Jamie's hopeful outlook.

Utah CIO Phil Windley will be speaking at the digital identity conference next week in Denver. Excellent! On his weblog, Phil has been gathering his thoughts for the talk. I would be especially interested to hear his perspective on the PKI lessons Utah has learned, and the prospects going forward.

As I discussed a couple of years ago, in a column on digital signature laws, Utah was way out ahead of the rest of the nation on this issue. When the E-Sign bill came out, I was initially dismayed to see no prescriptive guidance about keys, certification authorities, and so on. As the discussion in that column shows, I yielded to arguments that government ought not prescribe such things. But I keep flip-flopping on the issue.

Phil writes:

Like it or not, states are in the identity business. We like to claim that we're just in the licensing business, but the truth is that, for better or worse, the state issued driver's license is the gold standard for identification in the physical world.

Indeed. I've long wondered if government could, and perhaps should, issue digital IDs as part of that licensing process. We've seen that the e-commerce industry has no stomach for it. Digital IDs remain a stillborn technology because nobody wanted to slow down the e-commerce juggernaut by burdening consumers with another licensing and registration procedure. So we prop up all of e-commerce with the $50 cap on credit-card liability, and write off the fraud as a cost of doing business. In truth, that may be an acceptable cost. But what about the lost opportunity cost? A digital-ID-equipped citizenry can sign electronic documents, encrypt messages, and authenticate to Web services. These are consumer-empowering capabilities. As Phil points out, "Liberty Alliance and Microsoft Passport are more about helping businesses than consumers."

Lord knows PKI is a can of worms. But with every turn of the wheel, most recently in the areas of Web services security and digital rights management, we're reminded that the issues tackled by PKI -- identity and trust -- will not go away. Few people can have a better real-world view of all this than Utah's CIO. It will be a fascinating talk, I'm sure.

I always wish I could read Neuromancer for the first time again, because nothing before or since has given me the rush that it did. What I did come across, recently, was True Names: And The Opening of the Cyberspace Frontier . It's a combination of Vernor Vinge's True Names, which was published in 1981 and presaged Neuromancer, and a collection of mid-90's essays on crypto, identity, digital rights management, and related themes.

The protagonist of Vinge's story is Roger Pollack, but his True Name in "the Other Plane" (aka cyberspace) is Mr. Slippery. Strong pseudonymity is what protects and empowers Vinge's proto-hackers, and when Mr. Slippery's True Name becomes known to the authorities, he falls under their control.

Several of the accompanying essays amplify the theme, including Timothy May's 1996 True Nyms and Crypto Anarchy which says in part:

In the language of chaos theory, there are two "attractors." Each major terrorist or criminal "incident" -- Oklahoma City, TWA flight 800, pedophile rings on the Net, etc. -- jumps us forward toward a totalitarian surveillance state. However, each new anonymous remailer, each new Web site, each new T1 link, etc., moves us forward in the direction of crypto anarchy. Which side will win is unclear at this time, though my hunch is that we passed the point of no return some years ago and are now irreversibly on the road to crypto anarchy.

I wouldn't have said that in 1996. By then I had already concluded that we should in most cases strongly assert the binding between realworld identities (True Names) and cyberspace identities, rather than try to hide the connection. We should ensure that pseudonymity is available to whistle-blowers, abuse victims, or political dissidents who cannot publicly own their words, but in general, we should encourage and support transparency and accountability.

After 9/11 I'm even more convinced this is the correct approach, but the devil is always in the details. Identity is a slippery thing indeed. It is, writes Phil Becker, "different":

The level of concern people have about controlling their identity information has been repeatedly underestimated by many in the industry as they focus on technology. Microsoft is not alone in failing to realize that if you make an agreement to store identity data, everything you say about what you are doing with it and how you are protecting it will be examined under a microscope. What are sufficient best practices regarding data security, backup, etc. with sensitive company data are simply not good enough for identity data. [ Digital ID World ]

Those who would implement services that revolve around digital identity face a steep learning curve. Learning to manage this data in reliable, transparent, and accountable ways is one part of the challenge. Learning to decompose it into multiple facets used selectively for different purposes is another.

Users too will confront slippery new concepts. We'll need to learn how to project different facets of identity into different situations. In Groove, for example, your account is a container of identities, one (or more) of which represents you in a shared space. That's an idea that takes some getting used to.

We'll also need to learn, through trial and error, about the strange behaviors that digital identity can exhibit. For example, I've signed my email messages for years, but it wasn't until this week that I learned of a subtle "semantic attack" on this method of identity assertion. Mark O'Neill, writing in his blog about the UI problems that plague security software, comes to the tongue-in-cheek conclusion:

If a governmental wished to limit the use of strong encryption, a good approach would be to plant lousy UI engineers in the security departments of messaging companies, to ensure that the process of setting up encrypted and signed email is as confusing as possible. [ Mark O'Neill ]

Sadly that's not as facetious as Mark says, but here's the really interesting twist: sometimes, he notes, "signing everything is not a good idea." Here's why:

Don't sign a vague message like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The deal's off

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOzOb9HwuAgBhK7KNEQLRSwCeMNxIiaf04ZejMbk
mcxjhTX7R/10AoJKsLbL3yWM4BrjmfvOYCGIdl0YG=h7ZQ
-----END PGP SIGNATURE-----

because you'll be subject to retargeting. There is nothing a cryptographer
or engineer can do to protect such an easily misunderstood message.

The Cryptography Mailing List

In other words, lacking any reference in the signed message body to the sender, the recipient, or the subject, this message can be hijacked into an unintended context.

Slippery stuff indeed. But it's a greased pig that we will all, sooner or later, have to wrestle with.