On this week’s ITConversations show [1] I chatted with Dick Hardt about that project. According to Kim’s Information Card thermometer, 10 percent of desktops are now running CardSpace or an equivalent identity selector technology such as DigitalMe. I’m not sure where the tipping point will be, but even if you’re in that 10 percent it’s hard to find concrete examples of how the technology will simplify your life.
The BC program should prove to be a nice example. It will provide roaming access to WiFi hotspots for people who work in government agencies and also in public-sector organizations. The managed cards issued to these folks will identify them as members of those agencies and organizations.
From the user’s perspective, this will in many cases be the first real hands-on experience with the identity selector that’s built into Vista, available for XP, and emerging in other forms.
From the government’s perspective, it will provide another kind of experience. The identity metasystem that Kim Cameron has been birthing is really about network effects. In this kind of network, the packets are identity claims, and you want them to be able to flow frictionlessly.
I asked Dick to compare this architecture to other kinds of “trust bridges” — like the Higher Education Bridge Certification Authority and the Federal Bridge Certification Authority — and here’s what he said:
The architectural advantage of this model is that you have a URI representing each claim in a transaction. So that makes it wide open. You don’t have a single schema, you have a set of URIs and anybody can define a new one. That enables an organization to set up their own claims. They can say, our people have these attributes, and this is what those attributes mean.
The advantage of this approach is that once you’ve got some parts of it working, it’s very easy for someone else to join in and become part of the whole network. So once we’ve got this WiFi thing set up and running, another public sector organization comes along and wants to use it, and we just say, OK, you just need to turn something up to issue them managed cards. Then someone says, well, I’ve got a service I’d like someone to access if they’re members of one of these organizations. They can just turn it up, and their people already have the cards they can use to access it.
Naming each claim type with a URI seems crucial here. Although I hadn’t made this connection before, I suspect it will enable a compositional approach to identity management which has much in common with the principles of RESTful web services: a relying party asks for a set of claim URIs, an issuer asserts them, and no party has to agree on a global schema before it can join.
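To make the composition concrete, here is an added example (mine, not code from Dick Hardt, the BC program, or CardSpace) that models claims as URIs. A relying party’s policy is just the issuers it trusts plus the claim-type URIs it wants; a managed card is an issuer asserting claims keyed by URI. Adding a new organization means trusting its issuer, and a new service means publishing a policy over URIs that already exist. The two xmlsoap.org claim URIs are real self-issued-card claim types; every other URL, organization name and card below is a constructed assumption.

```python
"""Added example: claim types as URIs, relying-party policy over those URIs."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Two claim types from the self-issued card namespace used by CardSpace.
IDENTITY_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL = IDENTITY_NS + "emailaddress"
GIVEN_NAME = IDENTITY_NS + "givenname"

# Assumed, organization-defined claim types: each organization mints its own
# URIs, which is the "anybody can define a new one" property from the interview.
PUBSEC_NS = "https://claims.pubsec.example/"            # assumption
MEMBER_OF = PUBSEC_NS + "memberOf"                       # assumption
LIBRARY_ROLE = "https://claims.library.example/role"     # assumption: a second org's URI


@dataclass(frozen=True)
class ManagedCard:
    """A managed card: an issuer asserting claims (URI -> value) about a subject."""
    issuer: str            # issuer identifier, e.g. the identity provider's URL
    subject: str
    claims: Dict[str, str]


@dataclass
class RelyingPartyPolicy:
    """What a service asks for: trusted issuers and the claim URIs it wants."""
    name: str
    trusted_issuers: Set[str]
    required: Set[str]
    optional: Set[str] = field(default_factory=set)


def select_disclosure(card: ManagedCard, policy: RelyingPartyPolicy) -> Optional[Dict[str, str]]:
    """Return the claims that would leave the card for this party, or None.

    None means the issuer is untrusted or a required claim is absent. Otherwise
    only requested claims are returned (minimal disclosure); anything else on
    the card stays with the user.
    """
    if card.issuer not in policy.trusted_issuers:
        return None
    if not policy.required.issubset(card.claims):
        return None
    wanted = policy.required | policy.optional
    return {uri: card.claims[uri] for uri in wanted if uri in card.claims}


def disclosure_report(card: ManagedCard, policy: RelyingPartyPolicy) -> str:
    """Selector-style summary for the user: which claims go to which party."""
    sent = select_disclosure(card, policy)
    if sent is None:
        return f"{policy.name}: card from {card.issuer} cannot satisfy the policy"
    lines = [f"{policy.name} will receive from {card.issuer}:"]
    lines += [f"  {uri} = {value}" for uri, value in sorted(sent.items())]
    return "\n".join(lines)


def add_issuer(policy: RelyingPartyPolicy, issuer: str) -> RelyingPartyPolicy:
    """A new organization joins: the service trusts one more issuer, no schema change."""
    return RelyingPartyPolicy(policy.name, policy.trusted_issuers | {issuer},
                              set(policy.required), set(policy.optional))


# Constructed sample data: a ministry, a library, a WiFi service, a later second service.
MINISTRY = "https://idp.ministry.example"   # assumption
LIBRARY = "https://idp.library.example"     # assumption

WIFI_POLICY = RelyingPartyPolicy(
    name="public-sector WiFi",
    trusted_issuers={MINISTRY},
    required={MEMBER_OF},
)

alice = ManagedCard(
    issuer=MINISTRY, subject="alice",
    claims={MEMBER_OF: "Ministry of Transportation", EMAIL: "alice@ministry.example"},
)
bob = ManagedCard(
    issuer=LIBRARY, subject="bob",
    claims={MEMBER_OF: "Public Library", LIBRARY_ROLE: "librarian"},
)

if __name__ == "__main__":
    print(disclosure_report(alice, WIFI_POLICY))
    print(disclosure_report(bob, WIFI_POLICY))                  # library not trusted yet
    print(disclosure_report(bob, add_issuer(WIFI_POLICY, LIBRARY)))
    catalog = RelyingPartyPolicy("library catalog admin", {LIBRARY}, {LIBRARY_ROLE}, {MEMBER_OF})
    print(disclosure_report(bob, catalog))
```

Note that Alice’s e-mail claim never reaches the WiFi service because its policy did not ask for it, and Bob’s card is useless to that service until the library’s issuer is added to the trusted set; the second service needs no change to either issuer, only a policy naming the URIs it cares about.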
Of course it’s challenging for experts, and impossible for civilians, to discuss this stuff in the abstract. But when somebody receives a managed card, uses it to access a service, finds that the claims carried by the card can be used to access another service, and can see which claims are being sent to which parties for which purposes, it’ll all start to make sense. It’s been a long time coming, but it feels like the puzzle pieces are finally fitting into place.
[1] An audio glitch injected some annoying static into this particular episode, for which I apologize to Dick and to my listeners. Grumble. I wish it were easier to be a happy caster.