Business Case Strawman


Pamela Dingle

Apr 13, 2009, 5:01:42 PM
to icf-wg-rp-...@googlegroups.com
Hi folks,

As per our discussion on the call last week, I've come up with a starting point for a page on the ICF Website entitled "The Business Case for Accepting Information Cards". I've included the text below in this email, and we/you can workshop the text as you see fit.

Thanks,

Pamela

The Business Case for Accepting Information Cards

Your users today are burdened with password fatigue and afraid of having their accounts compromised by phishers.  By accepting Information Cards, you can give your users an easier way to communicate identity data while also helping protect that data through the use of standardized, industry-leading protocols.

Simplicity for your Users

Information Cards allow you to reduce the friction that can stand in the way of a new user choosing to join your site or application.  With an easy, graphical one-click registration and login procedure, Information Cards allow you to request the data you need without worrying that users will prematurely exit your site due to frustration with an in-depth registration process. You also won't have to worry about users forgetting their passwords and either dropping out or re-registering needlessly; the user's own Identity Selector acts as the users' guide, helping them to remember what credentials are valid for your application.

Simplicity for your Developers

Information Card toolkits and libraries exist in most programming languages, allowing developers to use Information Cards without needing any previous background in Identity Management, Security or Cryptography. Developers must choose what data to ask for and write code to store or modify the data, but the heavy lifting around validation of a token and generation of the web services messages is taken care of. As security best practices change, your developers can simply update their toolkits and libraries, leaving the fixes for security issues to those who specialize in such things.

Strong, Flexible Standards-based Protection

Information Cards use WS-Trust and other tried-and-tested security protocols already in use by organizations around the world with diverse security needs. Information Card transactions can be constructed to have the right level of security for your needs - strong enough for a bank, lightweight enough for a blog, or anywhere in between. You can also choose the privacy level that matches the needs of your community, by requiring that the identity of your site be included or excluded from the knowledge of the Identity Providers issuing the cards you accept. You can also control the strength of authentication needed to access your site by choosing which Identity Providers have the option that suits you.

Respect for your Community

In adopting a user-centric Internet identity protocol, you are sending a message to your users that their identities are not an afterthought. You give them the ability to be an active party in the distribution and protection of their identity data. You are also choosing to participate in a community of vendors who are similarly dedicated to giving users a better, safer user experience online.




Nash, Andrew

Apr 15, 2009, 2:13:11 PM
to icf-wg-rp-...@googlegroups.com
Hi Pamela,
 
it looks as if a conflict will preclude my interaction on the call this week, so I wanted to throw out some thoughts (no conclusions) on this topic.
 
All of the value propositions here are sensible and are worth describing. The problem is that these values fall into what I call the "Steady State of the Identity Universe Theory", and we are a few billionths of a second after the Identity Big Bang.
 
If I am a merchant or service provider I would agree that the values are interesting. If I am smart though, my first question is "How many consumers will be using my site that will have these information cards?" Getting most merchants to make a change is hard at the best of times - even with PayPal we can show a direct benefit to top line revenue of around 7%, and getting merchants to make changes is hard. In our case for some time we are going to be claiming that something less than 1% of the internet consumers may turn up at their site. Reduction in the various forms of friction is worth identifying, as is cost savings and reduction in pain around password resets - the trouble is it is tough to draw a straight line to expected ROI (or more importantly at least for merchants - revenue).
 
There are several ways to tackle this bootstrapping problem - the best of which tends to seek leveraging the consumer base by limiting the population in some way (geographic, special interest, social graph, ...) - this way there is a better percentage chance that visitors to your site will be utilizing the cards.
 
One other way we could look at this is to increase that value proposition for relying parties by increasing the value of the consumers that visit their site. All the following assumes the user permissioning and buy-in inherent in Information Cards. If you can identify that these consumers could be carrying fraud/risk or marketing/demographic information then that could be an additional traction point. The fraud/risk data that I may be able to have attested by a third party deals with the basis points of loss that a merchant, service provider or financial institution has to carry and addresses bottom line value. The marketing/demographic information allows for better focused and targeted user experiences and has a better top line revenue opportunity.
 
Obviously the challenge is leveraging still emerging providers of such content, but we already have a few in the wings and just come on stage.
 
So, I am interested in discussion from any of the folks on the DL about these thoughts. Just to reiterate - the value props described have always made sense - just in this bootstrapping phase they are often weak.

--Andrew

 


From: icf-wg-rp-...@googlegroups.com [mailto:icf-wg-rp-...@googlegroups.com] On Behalf Of Pamela Dingle
Sent: Monday, April 13, 2009 2:02 PM
To: icf-wg-rp-...@googlegroups.com
Subject: [ICF.WG.RP-Evangelists] Business Case Strawman

Drummond Reed

Apr 15, 2009, 4:14:31 PM
to icf-wg-rp-...@googlegroups.com, Craig Burton, Andrew Nash

+1 to all of Andrew’s points. My personal opinion is that the “few billionths of a second after the Identity Big Bang” issue (otherwise known as the bootstrap problem or chicken-and-egg problem) is, in fact, the big whopper issue facing the ICF as a whole, and RP Evangelism WG specifically.

 

Other identity technologies like OpenID face the same challenge, but OpenID’s strength is its lightweight nature, so it is trying to beat the chicken-and-egg problem by organic adoption, plus it’s now starting to be pushed (and I believe soon will be pushed even more) by the really big sites because – and this is how it always works – they have come to understand their business incentives for doing so.

 

So I put the question very directly to the group: what are the REAL business incentives for adoption of Information Cards by sites? Because once we understand what they are, we can: a) make sure the deployed solutions (selectors, IP code, RP code, docs) support them, and b) make that the core of our messaging to IPs and RPs.

 

I must confess that I don’t know the answer to that question. And it’s possible that we collectively don’t yet know the answer. Or that the answer varies dramatically by market segment (a possibility Andrew mentions).

 

In which case that suggests our real priority is to figure out the answer as fast as we can, and in the meantime, have our messaging take the “best stab” we can.

 

Thoughts?

 

I’m cc’ing Craig Burton (who should really be on this list) because one answer is to focus on strategies that drive user adoption of selectors, which is the core idea of the “Relying Party Awareness Spectrum” introduced in Craig’s Strategic Messaging document, and discussed in greater detail in the white paper we’re preparing. But even so, how should we message about the Relying Party Awareness Spectrum to a business audience? Craig, perhaps you could join us on the RP Evangelism WG telecon tomorrow (11AM PT/noon MT) to discuss your thoughts on that?

 

=Drummond

 






Pamela Dingle

Apr 15, 2009, 5:14:08 PM
to icf-wg-rp-...@googlegroups.com, Craig Burton, Andrew Nash
Hmmm, very interesting - so really what we would be talking about is balancing the idea that there would be a small quantity of information card users initially against the fact that these users are greatly improved in quality -- a greater wealth of data, a safer bet in the case of account compromise, and possibly a MUCH better bet for transactions with privacy or financial implications, because the transactions are underwritten by a third party Identity Provider.

I'm not sure this was where you were going Andrew, but I do like the idea of evangelizing information card users as more valuable than regular users.   There is a lot you could do with that general direction, and it counteracts an undesirable possible impression that information card infrastructure is just a different way to get the same data.

Cheers,

Pam

Mary Ruddy

Apr 15, 2009, 5:24:52 PM
to icf-wg-rp-...@googlegroups.com

+1.

 

More data, fresher data, verified data or at minimum data with a second factor,  trusted (privileged data)




Nash, Andrew

Apr 15, 2009, 7:21:13 PM
to Pamela Dingle, icf-wg-rp-...@googlegroups.com, Craig Burton
Pamela,
 
you have grabbed at least one of the shades of meaning there. This is a really hard question, one I have been picking away at for over a year now (of course that may merely mean that I am not very bright - much like the joke about the Australian and the Texan :) )
 
Value propositions for the consumer and merchant are really different, but this often does not come to light until you think about who gets the value as opposed to who has to bear the cost. Any value prop for merchants that shows good leverage from cards - particularly as it impacts their revenue opportunity or reduces other very significant costs such as fraud loss. So I will happily entertain anything (the simpler form the better) that fits those goals.
 
Realistically, we won't have a complete slam dunk in all potential areas.
 
The faster we can get consumer adoption, the easier this equation looks. The most significant key for me is decoupling as much as possible the value prop for the consumer from the merchant. Specifically, if the user values are not realized until we have enough relying parties, but higher value relying parties will not expend resources until there are enough users ... the key is breaking the Gordian Knot - show as much value to the consumer in a stand alone form as we can in the early bootstrapping phases.
 
This seems to me a conversation that may best occur with appropriate levels of alcoholic lubrication :) maybe we can get a better pass after the RSA Conference libations :)

--Andrew

 


From: Pamela Dingle [mailto:pam...@bonsaiidentity.com]
Sent: Wednesday, April 15, 2009 2:14 PM
To: icf-wg-rp-...@googlegroups.com
Cc: Craig Burton; Nash, Andrew
Subject: Re: [ICF.WG.RP-Evangelists] Re: Business Case Strawman

Drummond Reed

Apr 15, 2009, 7:52:36 PM
to icf-wg-rp-...@googlegroups.com, Pamela Dingle, Craig Burton

+1 to all points Andrew makes here – this is exactly how I feel about what is /really and truly/ a hard question.

 

But +++1 to undertaking our deepest dialog on this with “appropriate levels of alcoholic lubrication” at RSA. Let’s start at the proposed RP Evangelism WG/OSIS dinner Sunday night.

 

=Drummond

 


Nash, Andrew

Apr 15, 2009, 7:59:08 PM
to icf-wg-rp-...@googlegroups.com, Pamela Dingle, Craig Burton
Drummond I am learning to appreciate your active engagement :)
 
However, I appear to have missed this invitation - when and where do we start drinking?

--Andrew

 


From: icf-wg-rp-...@googlegroups.com [mailto:icf-wg-rp-...@googlegroups.com] On Behalf Of Drummond Reed
Sent: Wednesday, April 15, 2009 4:53 PM
To: icf-wg-rp-...@googlegroups.com; 'Pamela Dingle'

Drummond Reed

Apr 15, 2009, 10:48:38 PM
to icf-wg-rp-...@googlegroups.com, Pamela Dingle, Craig Burton

Ah, this was discussed on the last two RP Evangelism WG telecons but apparently not yet on the list. Ron suggested that the RP Evangelism WG members who were going to be at RSA on Sunday (some of us are arriving Sunday morning for the OSIS interop session that runs 1-5 Sunday afternoon) should have dinner Sunday night before the Monday seminar.

 

Since the OSIS folks (which include a number of us RP Evangelism WG members anyway) were also talking about dinner, we said let’s do it. Pam took the action item to make a reservation someplace in the nearby area.

 

We’d love to have you join us of course.

 

Pam, anything concrete yet?

 

(BTW, Andrew, if you have any interest in the OSIS interop workshop, you must be on the security list to attend – Sunday is not a regular RSA day. Just let me know and I can get them to add you.)

 

=Drummond

 
