Entries in Liberty Alliance (3)
Trust In New Mobile Applications
We've recently been involved in some technology demonstrations that I think have a lot to say about how the future of security and trust in mobile networks is taking shape. As everyone can now see, a new breed of mobile applications is emerging that extends the Web 2.0 social networking and mashup metaphors into a pervasive space that users will tailor to serve them in the context of the activities and dynamic communities of their daily lives. Some good examples are coming into focus, and one in particular that we participated in took the prize at Orange's API and Widget contest in Portugal this April.
Most people are regular users of various mapping and location services on their desktop, and now a lot of folks use location services on their mobile phones as well. When coupled with GPS-enabled phones, these familiar applications take on a new usefulness by reacting to changes in the user's environment. Similarly most people have established communities that shape their online activities according to relationships and interests. While for some it's still email and IM that manage their communication with those communities, for many it's rapidly evolving from a combination of those plus Web 2.0 tools on the desktop to mobile interfaces that give them rich interaction with their friends, families, business associates, interests, and urges whenever and wherever they choose. And it's becoming clear to many of us that this is a sweet spot for mobile applications - not just what media can I access, but how can I utilize it now, who can I share it with now, where can we meet to experience it now, and what can make accomplishing that easy for me ... now.
The application that most recently prompted me to write about this is Wizi. Wizi is the free location sharing and traffic information application that won first prize in the Orange API and Widget contest. (You can get it at www.wizi.com.) It has obvious uses for families or business people who are coordinating a schedule because it combines some key attributes of daily life in a dynamic, real-time way - where relevant people are, their destinations or meeting places, how they'll get there, and what's in the way. It can do similar duty for groups with other interests, such as when you want to choose between attending an after-work party, joining some friends for dinner and a movie, or going to a football game where you'll see lots of acquaintances who cheer for your club. And these are only the obvious uses - only the collective imagination of a Web 2.0 enabled world can tell how it goes from there.
So, what does a company that specializes in Identity Management, Virtual Directories, and LDAP have to do with any of this? I'll suggest an answer to that by posing a different question: how much of the information that needs to be shared in the scenarios above would YOU like to have cross all groups? While you may want your family members to have your location at any moment in time, is that something you'd like visible to all the members of the football club? And for that matter, would you be pleased if your preferences, such as your football club or other affiliations, were open to all your business colleagues? For most people, their real-time location and their affiliations are things they want to share very selectively. And, after you give it some thought, you'll probably agree that we're only scratching the surface in conceptualizing the schemes we'll really want for managing information that discloses our real-time, activity-centric, choice-driven self as it becomes a dynamic attribute of our daily lives. It's about TRUST - who and what gets it, when, and where.
In the collection of networks and applications that support delivering this vision on mobile phones, there needs to be an infrastructure that allows this identity information to be accessed and moved quickly, shared securely, managed actively, delivered flexibly, and operated on automatically in order for the end-user experience to be powerful, satisfying, and easy-to-use. And, if it isn't, then there won't be a sweet spot, after all. This, of course, is where Symlabs specializes - in that infrastructure and in the sharing and management of that information. That's why we've been working with Wizi on APIs, with BT and Intel on Identity Capable Platform (more on that later), and with Liberty Alliance on Advanced Client and Trusted Modules. Sound complex? It is, but in Part 2 I'll talk a little bit about how those technologies come together and how they work to deliver an efficient, trust-enabled platform that hits the sweet spot.
Pablo Sánchez
Authentication Context In Practice
The idea of Authentication Context, as defined by Liberty Alliance and SAML 2.0, has been a subject of some interest lately. As a way for Service Providers and Identity Providers to add additional meaning to an authentication dialogue, it has great practical value to businesses. Dave Kearns recently wrote an interesting article about it in his newsletter, and he was inspired by a post on Paul Madsen's blog that touched on the subtle power of context. Dave asked to see more examples from the vendor community, and that was inspiration enough for me.
At Symlabs, we see our customers using AuthnContext for information about how a user was provisioned in the first place, and also how the user was authenticated for the current session. This requirement came originally from our customers who are wireless operators, but it makes a lot of sense for other service providers as well.
Remember that it is possible to buy mobile phone service through a subscription (post-paid, with a contract), or anonymously (pre-paid, without a contract). It all comes down to liability - the type of "trust" that you would want to extend to an anonymous user who paid cash for a mobile phone from the local drug store versus a user that you know and have had a business relationship with for years.
There are times when the context has liability implications, so it is important to set it appropriately and based on the business relationship. For example, a company may have tiered partnerships (e.g., "platinum", "gold" and "silver") with other companies. The tier could then be one of the factors used to determine the maximum liability accepted for a given identity assertion, alongside how the subject was provisioned and authenticated.
Symlabs was instrumental in getting the mobile authentication contexts defined, because our wireless operator customers requested our participation in this area. Generalizing what we learned from the mobile world, the Symlabs Federated Identity Suite can be configured with any business logic, factoring in any number of data sources to determine the appropriate authentication context to issue.
The SAML and Liberty specifications are silent regarding an aspect of authentication contexts that has practical value to a business: what their ranking should be, or rather, which one is "stronger". SAML 2.0 lets a Service Provider ask for a context by comparison ("exact", "minimum", "maximum" or "better" in RequestedAuthnContext), but it leaves the question of which classes count as stronger than which to the deployment. Therefore, in Symlabs Federated Identity Suite we chose not to hardwire any ranking, but instead allow for the insertion of customized business logic to evaluate the ranking.
Last (but not least), through the use of flexible business logic, customers can create an implementation that delivers complete control by defining contexts and assigning semantics of their own, in any way they please. Symlabs Federated Identity Suite provides this powerful capability by allowing configuration of custom contexts that can participate in the ranking and business rules just like any official context.
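To make the ranking and business-rule idea concrete, here is an added example (my own illustration, not Symlabs code and not the Federated Identity Suite's configuration format). It extracts the AuthnContextClassRef from a constructed SAML 2.0 assertion, applies a deployment-defined ranking table that mixes the standard mobile contexts (the Contract/Unregistered pairs distinguish a known post-paid subscriber from an anonymous pre-paid handset) with a custom partner context, evaluates the four SAML Comparison values against that ranking, and folds a partner tier into a liability cap. The class URIs are the real SAML 2.0 ones; the rank numbers, the custom URI, the tier caps and the sample assertion are assumptions made up for this example.

```python
"""Rank SAML 2.0 AuthnContext values with deployment-defined business logic.

Added example; not Symlabs code. The class URIs are the real SAML 2.0
authentication-context classes; the ranking numbers, the custom partner
context, the liability caps and the sample assertion are assumptions.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Real SAML 2.0 context classes. "Contract" = post-paid subscriber the
# operator has identified; "Unregistered" = anonymous pre-paid handset.
PASSWORD = AC + "Password"
PASSWORD_PT = AC + "PasswordProtectedTransport"
MOBILE_1F_UNREG = AC + "MobileOneFactorUnregistered"
MOBILE_2F_UNREG = AC + "MobileTwoFactorUnregistered"
MOBILE_1F_CONTRACT = AC + "MobileOneFactorContract"
MOBILE_2F_CONTRACT = AC + "MobileTwoFactorContract"
# Hypothetical deployment-specific context (assumption; not a standard URI).
PARTNER_PLATINUM = "urn:example:ac:classes:PartnerPlatinumContract"

# The spec defines no ordering of classes. This table is one deployment's
# business rule (assumed values) and can be swapped out. Higher is stronger.
DEFAULT_RANKING = {
    MOBILE_1F_UNREG: 10,
    PASSWORD: 20,
    PASSWORD_PT: 30,
    MOBILE_2F_UNREG: 40,
    MOBILE_1F_CONTRACT: 50,
    MOBILE_2F_CONTRACT: 60,
    PARTNER_PLATINUM: 70,
}


def rank_of(class_ref, ranking=DEFAULT_RANKING):
    """Rank of a context URI; anything not in the table ranks 0 (untrusted)."""
    return ranking.get(class_ref, 0)


def authn_contexts_of(assertion_xml):
    """AuthnContextClassRef values from every AuthnStatement in an assertion.

    Parsing only: in production verify the XML signature first and parse
    untrusted XML with a hardened parser (e.g. defusedxml), because
    xml.etree does not defend against entity-expansion attacks.
    """
    root = ET.fromstring(assertion_xml)
    path = (f"{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/"
            f"{{{SAML}}}AuthnContextClassRef")
    return [(el.text or "").strip() for el in root.findall(path)]


def satisfies(observed, requested, comparison="exact", ranking=DEFAULT_RANKING):
    """Does an observed context meet a RequestedAuthnContext?

    Implements the four SAML Comparison values; "stronger" is judged by the
    deployment ranking, which is exactly the part the spec leaves open.
    """
    if not requested:
        raise ValueError("RequestedAuthnContext must list at least one class")
    got = rank_of(observed, ranking)
    wanted = [rank_of(r, ranking) for r in requested]
    if comparison == "exact":
        return observed in requested
    if comparison == "minimum":   # at least as strong as one of those requested
        return got >= min(wanted)
    if comparison == "maximum":   # no stronger than the strongest requested
        return got <= max(wanted)
    if comparison == "better":    # strictly stronger than every one requested
        return got > max(wanted)
    raise ValueError(f"unknown Comparison value: {comparison!r}")


# Hypothetical per-tier liability caps (assumed EUR values): a second data
# source the business rule folds in alongside the context rank.
TIER_CAPS = {"platinum": 5000, "gold": 1000, "silver": 100}


def liability_cap(class_ref, tier, ranking=DEFAULT_RANKING):
    """Maximum liability to accept for an assertion: the partner's tier cap,
    cut to a tenth for anonymous (Unregistered) contexts, zero for unknown."""
    cap = TIER_CAPS.get(tier, 0)
    if rank_of(class_ref, ranking) == 0:
        return 0
    if class_ref.endswith("Unregistered"):
        return cap // 10
    return cap


# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1"
    Version="2.0" IssueInstant="2008-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.net</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2008-05-01T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{MOBILE_1F_CONTRACT}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for ctx in authn_contexts_of(SAMPLE_ASSERTION):
        print(ctx, "rank", rank_of(ctx),
              "meets minimum PasswordProtectedTransport:",
              satisfies(ctx, [PASSWORD_PT], "minimum"),
              "gold cap:", liability_cap(ctx, "gold"))
```

Because the ranking is a plain mapping passed in as a parameter, a different deployment can supply its own table, including contexts of its own invention, and the comparison and liability logic runs unchanged; unknown context URIs deliberately rank lowest rather than being guessed at.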
What Could Be
Hi, it's Felix again. I'm writing another entry to talk about provisioning, and I think it will be about as long as the last one on identity management by the time I'm done. While I'm finishing it up, I'd like to post just a few words about what we are doing here at Symlabs to turn some of these concepts into practical benefits for users. You see, we think this is not only an interesting field of technology to work in, but we really believe that once the infrastructure for identity management is rolled out so that everyone has access to it, the positive results for end users and providers will be tremendous.
It's our feeling that the picture of "what could be" is not widely appreciated yet (maybe because underlying technologies like LDAP, virtual directory, SAML, etc. are complex, or because a lot of different companies need to cooperate to deploy it), so getting the word out and proving that the solutions work in real-world situations are high priorities if we want to lead the parade that delivers these benefits. And, we do.
With that in mind, I'd like to call your attention to a few events happening right now that Sampo Kellomaki, my colleague and Symlabs' Chief Identity Architect, is participating in for us. First up is ePortfolio 2006 in Oxford, England from October 11-13. This show is a huge international forum for the exchange of ideas about how to use electronic portfolio solutions in education, government and corporate infrastructures, and Symlabs is participating in the PlugFest on October 11, where we will demonstrate a solution for automated resume processing based on Human Resources XML interoperating with the Liberty Alliance Identity Web Services Framework (HR-XML and ID-WSF for those of you already familiar with the terminology). When this capability becomes routinely available it will let the HR industry incorporate a set of tools for identity-based and role-based access authorization to improve the security and operation of their online processes, while, from the user's perspective, identity web services protect the privacy of their information and simplify access to services with features like single sign-on. I'll talk more about these applications and individual pieces like single sign-on in upcoming posts, but if you can take advantage of a couple of industry shows that are right around the corner, Sampo will be delivering some very informative talks that we hope will give you a nice view of the picture ("what could be"), show you something about how it works, and maybe even get you to join the parade.
Sampo will be speaking at the ISSE 2006 Conference in Rome, Italy on October 12 about how to use the Liberty Alliance People Service in eGovernment applications, covering document submission in particular, such as corporate tax returns. At RSA 2006 Europe in Nice, France on October 25 he will be talking about Liberty People Service, but this time with a focus on consumer applications. Liberty People Service is the industry's first platform for managing social applications centrally, providing consumers (and enterprise users) with a single view of social relationships in a secure and privacy-respecting federated social network. Sampo will also demonstrate Liberty People Service at RSA 2006 Europe, by the way.
So, go look or listen if you can, and it would be nice if the parade gets bigger.