Unified Messaging Wiki

= D R A F T .01 =

Why Identity Commons: - company neutral - wisdom of the crowd - too important not to get this right - systems that control personal data (identity information) is the stickiest of all software.

How do we get to a Common Message?

Best Practices: Emulate Abraham Lincoln. ref. "Team of Rivals" (Doris Kearns Goodwin) Before making a decision, Lincoln insisted on vigorous debate and discussion. His abiity to tolerate dissent was an enormous asset. Any individual expert is likely to be wrong. The average of the experts' predictions often outperforms the individuals from whom the average is derived. See: "The Wisdom of Crowds" (James Surowiecki)."If you have impressive academic credentials and/or an impressive amount of experience, you should be alert to the possibility that you could still be profoundly wrong." Foxes approach problems from multiple viewpoints. Hedgehogs are more ideological, draw conclusions from a single overarching theory, and make more mistakes. "The fox knows many things, but the hedgehog knows one big thing" Isaiah Berlin. Overspecialization leads to a community of hedgehogs.

PROBLEMS - USE CASES

General Principles
 * vast diverse ecosystem:
 * needs are highly varied,
 * no business or government agency can be trusted with a centralized system
 * too much concentration of power leads to,
 * a non-competitive environment,
 * stratified system,
 * unable to cope with various new electronic communications mechanisms,

The fundamental importance of personal data to control citizens, customers, users.
 * Social interactions, politics, economics, and business depend on trust.
 * data protection is necessary for accountability; and accountability is necessary for trust.

Unless law and technology are crafted to respect certain “Properties of Identity”, there is no data protection; and if there is no data protection, there is no accountability; and if there is no accountability, there is no trust.''

Balancing two different notions: - Identity is personal and cannot be centralized - Centralized systems cannot keep up with change - Walled gardens and data silos are necessary for proprietary companies

- digital media is profoundly different from physical media -- it is infinitely malleable, divisible - identity data must be taken within a greater context.

Identity ecosystem (metasystem) is not a system, but a way of ensuring authorization, accountability, and trust in the digital ecosystem.
 * the identity ecosystem needs to handle a broad range of security requirements (from light to heavy)
 * each person (user) has to be involved in decisions within the ecosystem, although they are not always the only decision maker (example of unconscious in a foreign hospital) risk assessment for hospital to protect itself -- all personal claims are controlled by a user. Whenever possible and practical, that user should be the only access control
 * context is essential to identity information.
 * ecosystem includes all business databases (controlled by a business, assigned to a transactor).
 * legal contracts -- liability transfer, deals made between parties, setting up relationship between business entities, between businesses and customers, between government service organizations and citizens.
 * ease of use -- both for consistent ceremonies (to both set expectations and minimize phishing/pharming) is part of the ecosystem
 * security (data protection)  is part of the ecosystem:
 * setting appropriate security and authorization levels for transaction types.
 * encompassing both high and low (security) levels appropriate for the transaction (blogging to money transfer).
 * enough to make verifying claims made to dynamically assess risk

Digital communication and media trends
 * cheaper (move from human-intensive operations to heuristic software, business process routines migrate to automated services -- need to get the automation right -- scheduling, exception handling has to be part of this.
 * ubiquitous
 * improving heuristics, automated condition and exception handling
 * moving toward mutually beneficial relationships between transactors -- B2B (heavy, expensive relationships) moving toward B2C (B2B services priced low enough to provide with all customers)

Market Positioning statements

 * education for customers making buying, deployment, workflow design along with state of the art as the ecosystem matures
 * For 2009, positioning statements on each type of element in the identity metasystem.
 * What they are (link)
 * Their current status
 * State of the art for:
 * security
 * biometrics
 * applicable standards and those in process

Target Audience:
What they need to know:
 * Decision makers. (Advice for making good decisions)

-- What are they trying to solve

-- Their current state of the business

-- What the technical, social, legal, trends are, ''and the factors that govern the rate of change in each ''

So they can assess:
 * What does their business look like in the future
 * What should they do now, what should be done later (and why wait/act now)
 * What products can address their requirements now and the associated architectural decisions for:
 * IT infrastructure
 * Business Processes
 * Integration with legacy systems
 * What to adopt and when to adopt it
 * Specific requirements for any system

RISK ASSESSMENT
 * risk assessment ratio at all points in a transaction
 * who: is asking for access, am I dealing with?
 * how accountable am I to ensure I know?
 * difficulty to crack
 * track record
 * probability factors
 * good data
 * timeliness

Business - type - scale

per communication media type - skype - cell - internet -- amount right / errors

Products - what is interoperable and how they fit togetherItalic text

Philosophy
- Magna Carta - U.S. Constitution - Seven Laws of Identity - OECD international Principles of Identity

= Technology =


 * Interoperable


 * Flexibility
 * Value
 * Transparency
 * Accountability
 * Encumberences (If any) for developers
 * Usability (human factors, user experience)
 * Civil Rights
 * legality (separate from civil rights)
 * regulations


 * for Products
 * support
 * long-term "effects"
 * availability
 * "solution" to specific problem(s)

A consistent easily understood 'umbrella' for marketing

Best uses:


 * User-centric


 * Federated


 * Enterprise Role Management


 * Identity Management Systems


 * Access Manager

Where data should live (and where it shouldn't)


 * Objective statements on the following:
 * relative to strengths/weakenesses
 * ability to interoperate
 * degree of security spectrum coverage
 * ease of use
 * maturity
 * development environment (tools, etc.)
 * certification
 * legal maturity
 * where and how long data lives auditability

platform coverage - operating systems - browsers - mobile devices - PCs - Enterprise systems

Problems addressable

Problems addressed

Check off sheet for specific features, relative issues, state of the art

Successful implementation of (these) use cases
 * common set of terms -- links to wikipedia

Areas of research and development

= Open ID = - primary uses - position on security "scale" - major movers - issues - number of users - number of sites
 * derivatives for specific audiences.
 * features, functions
 * user, enterprise, back door
 * workflows
 * authentication (in or out of spec)
 * implementations related to key terms
 * what's good about it; easier, better, safer,
 * economic incentives
 * immediate and long term benefits

Useful Links

We are talking about different technologies working in the same space -- can we agree on the way to do this? "web identity" -- subtle differences.

Creating common message that everyone uses as is.

= SAML = - primary uses - position on security scale - major movers - issues - number of users - number of sites - = LDAP =

= OpenSSO =

= Information card = * infocard * I-card = Card Selector =
 * Cardspace
 * Bandit
 * Higgins

= Data Portability =

What works with what

Interoperability levels

Claims
- the first 14 - the universe of 2500 - level of common agreement - work on definitions and schemas

Security
- types - Glossary, Tautology, Ontology

Low risk, high probability of being correct credit score