Your users today are burdened
with password fatigue and afraid of having their accounts compromised
by phishers. By accepting Information Cards, you can give your users
an easier way to communicate identity data while also helping protect
that data through the use of standardized, industry-leading protocols.
Information Cards allow you to reduce the friction that can stand in
the way of a new user choosing to join your site or application. With
an easy, graphical one-click registration and login procedure,
Information Cards allow you to request the data you need without
worrying that users will prematurely exit your site due to frustration
with an in-depth registration process. You also won't have to worry
about users forgetting their passwords and either dropping out or
re-registering needlessly; the user's own Identity Selector acts as the
users' guide, helping them to remember what credentials are valid for
your application.
Information Card toolkits and libraries exist in most programming
languages, allowing developers to use Information Cards without needing
any previous background in Identity Management, Security or
Cryptography. Developers must choose what data to ask for and write
code to store or modify the data but the heavy lifting around
validation of a token and generation of the web services messages are
taken care of. As security best practices change, your developers can
simply update their toolkits and libraries, leaving the fixes for
security issues to those who specialize in such things.
Information Cards use WS-Trust and other tried-and-tested security
protocols already in use by organizations around the world with diverse
security needs. Information Card transactions can be constructed to
have the right level of security for your needs - strong enough for a
bank, lightweight enough for a blog, or anywhere in between. You can
also choose the privacy level that matches the needs of your community,
by requiring that the identity of your site be included or excluded
from the knowledge of the Identity Providers issuing the cards you
accept. You can also control the strength of authentication needed to
access your site by choosing which Identity Providers have the option
that suit you.
In adopting a user-centric Internet identity protocol, you are
sending a message to your users that their identities are not an
afterthought. You give them the ability to be an active party in the
distribution and protection of their identity data. You are also
choosing to participate in a community of vendors who are similarly
dedicated to giving users have a better, safer user experience
online.
--Andrew
+1 to all of Andrew’s points. My personal opinion is that the “few billionths of a second after the Identity Big Bang” issue (otherwise known as the bootstrap problem or chicken-and-egg problem) is, in fact, the big whopper issue facing the ICF as a whole, and RP Evangelism WG specifically.
Other identity technologies like OpenID face the same challenge, but OpenID’s strength is its lightweight nature, so it is trying to beat the chicken-and-egg problem by organic adoption, plus it’s now starting to be pushed (and I believe soon will be pushed even more) by the really big sites because – and this is how it always works – they have come to understand their business incentives for doing so.
So I put the question very directly to the group: what are the REAL business incentives for adoption of Information Cards by sites? Because once we understand what they are, we can: a) make sure the deployed solutions (selectors, IP code, RP code, docs) support them, and b) make that the core of our messaging to IPs and RPs.
I must confess that I don’t know the answer to that question. And it’s possible that we collectively don’t yet know the answer. Or that the answer varies dramatically by market segment (a possibility Andrew mentions).
In which case that suggests our real priority is to figure out the answer as fast as we can, and in the meantime, have our messaging take the “best stab” we can.
Thoughts?
I’m cc’ing Craig Burton (who should really be on this list) because one answer is to focus on strategies that drive user adoption of selectors, which is the core idea of the “Relying Party Awareness Spectrum” introduced in Craig’s Strategic Messaging document, and discussed in greater detail in the white paper we’re preparing. But even so, how should we message about the Relying Party Awareness Spectrum to a business audience? Craig, perhaps you could join us on the RP Evangelism WG telecon tomorrow (11AM PT/noon MT) to discuss your thoughts on that?
=Drummond
<BR
+1.
More data, fresher data, verified data or at minimum data with a second factor, trusted (privileged data)
No virus
found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.5.287 / Virus Database: 270.11.54/2056 - Release Date: 04/14/09
14:52:00
--Andrew
+1 to all points Andrew makes here – this is exactly how I feel about what is /really and truly/ a hard question.
But +++1 to undertaking our deepest dialog on this with “appropriate levels of alcoholic lubrication” at RSA. Let’s start at the proposed RP Evangelism WG/OSIS dinner Sunday night.
=Drummond
<BR
--Andrew
Ah, this was discussed on the last two RP Evangelism WG telecons but apparently not yet on the list. Ron suggested that the RP Evangelism WG members who were going to be at RSA on Sunday (some of us are arriving Sunday morning for the OSIS interop session that runs 1-5 Sunday afternoon) should have dinner Sunday night before the Monday seminar.
Since the OSIS folks (which include a number of us RP Evangelism WG members anyway) were also talking about dinner, we said let’s do it. Pam took the action item to make a reservation someplace in the nearby area.
We’d love to have you join us of course.
Pam, anything concrete yet?
(BTW, Andrew, if you have any interest in the OSIS interop workshop, you must be on the security list to attend – Sunday is not a regular RSA day. Just let me know and I can get them to add you.)
=Drummond
<BR