An observation: SSO's are consolidating and/or collaborating more
This email notice prompted me to share an observation with this community list. CEN and CENELEC are essentially consolidating. FSTC & BITS have essentially consolidated (or are somewhere along in the process). Liberty Alliance & Concordia Project are consolidating into Kantara Initiative. Electronic Authentication Partnership & Raddichio consolidated with Liberty Alliance before that. OpenID Foundation & Information Card Foundation seem to be consolidating their trust framework activities into the OIF/OIE project/organization. OASIS is more directly involved with various "non-accredited industry consortia" than I've ever seen before. ISOC is investing time and dollars into Kantara Initiative and W3C (among others no doubt). There are probably other moves like this in the identity, security, and privacy space that I'm forgetting to mention or haven't actually stumbled upon yet.

For discussion: why is this happening, and is it a good thing for standards development and/or adoption? It's no secret that standards setting organizations are feeling the impact of the economic downturn and consolidation is one of several options each group faces. Many of you subscribed to this mailing list are pretty close to several of these consolidation/cooperation projects. I'm hoping some of you will share your personal observations about how this strategy is working and where you think this is all headed -- is this trend going to reverse or continue?

-- Brett

Begin forwarded message:
From: Penny Sarah [mailto:spenny@cencenelec.eu] Sent: 11 February 2010 18:03 To: Coop_all; CGF_Email List Subject: CEN and CENELEC new email addresses
Dear Madam, Dear Sir,
The close collaboration between CEN and CENELEC, which was consolidated by the creation of a common CEN-CENELEC Management Centre (CCMC) at the beginning of this year, is now further reflected in our new e-mail address: flastname@cencenelec.eu.
For example, if you wish to contact the CCMC Communication Unit Manager, Elisabeth Brodthagen, use ebrodthagen@cencenelec.eu.
Please make a note of our new email addresses and amend your contact lists accordingly.
Attached you will find the organization chart of the CEN-CENELEC Management Centre as well as a telephone and e-mail directory of all CCMC staff.
Our postal address is:
CEN-CENELEC Management Centre Avenue Marnix 17 B-1000 Brussels
We would appreciate it if you could distribute this email in your organisation.
Should you have any enquiries, please send an e-mail to communication@cencenelec.eu.
Best regards,
Sarah PENNY Director – External Relations
In the spirit of being candid, here are my points:

- Consolidation typically occurs when a market cannot bear room for diversity, and in most cases this obeys market maturity and/or simple supply/demand rules. I will attribute the consolidation trend we are seeing as being expedited or accelerated due to the economic conditions - the supply/demand side (note that even the analyst communities that focus on identity are consolidating).

- But in my mind, this was bound to happen over time due to maturity, much like what happened with SAML 2.0 in the pre-recession days (converging all the different identity federation variants). At some point in time, the market reaches a maturity point at which there is no real value in having parallel standards to solve a common business problem, particularly if the business problem is considered business critical.

- My take is that we will see this trend in "SSO" take place, and then we will see new work streams spawning (authorization, attributes, privacy), some of which will not be technical (legal and policy frameworks), in a diverse ecosystem. More so as the economy recovers (and demand increases again).

My 2 cents.

Frank Villavicencio
Executive Vice President
Identropy, Inc
frank@identropy.com | (m) 646.229.3031 | http://www.identropy.com/blog

From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Brett McDowell Sent: Friday, February 12, 2010 10:28 AM To: community@kantarainitiative.org Subject: [Kantara - Community] An observation: SSO's are consolidating and/or collaborating more
Hi Brett,

My apologies for my ignorance, but I was wondering if anyone in the industry is making any money with SSO or Web-SSO? If SSO is a facilitator towards "something", it's not clear (to me) what that something is.

If the business model (for that "something") is to save the user from memorizing passwords for various sites, then software-only solutions exist today (and some browsers already do this, e.g. Safari/MacOS key chain). Smartcards (as in gov CAC cards) can also do the same thing.

My limited understanding of the SSO vision is that a community of trust is supposed to be the foundation for creating IdP-to-SP and SP-to-SP trust. (In the PKI world a similar community of CAs (identrust?) was started a few years ago, but not sure what happened). However, even this community of trust thing can be seen as just a facilitator/facility towards that "something".

Thoughts?

/thomas/
At 11:44 AM -0500 2/12/10, Thomas Hardjono wrote:
> My apologies for my ignorance, but I was wondering if anyone in the industry is making any money with SSO or Web-SSO? If SSO is a facilitator towards "something", it's not clear (to me) what that something is.

Service Providers are saving money by reducing the info they are responsible for (userids, etc) and reducing the costs associated with providing that service.

As campuses (and other businesses) move to outsource more and more of their utility-like business services, Federated Identity becomes part of the equation. For instance, Brown is in the process of outsourcing check printing to a big IT company. They want to offer online access to pay stubs and W2's, rather than actually printing checks and stubs. This company asked us "have you ever heard of the Shibboleth software?". The big companies that manage retirement funds for faculty and staff offer Federated access. The list goes on -- including athletic ticketing (varying discounts based on type of campus affiliation), support for career services, parking spots, etc. And the usual assortment of services supporting instruction.

Clearly, tho, some of these services require protocols and credentials that are at the LoA 2 level.
The ability of service providers / relying parties to save money is only half the equation. It's easy to think of ways that SPs/RPs can save money. But for federated identity to work, there's got to be a way for identity providers to make money. That's the part that's missing.

The US government is making a big push for adoption of open identity technologies with their Identity, Credential, and Access Management (ICAM) initiative. The government saves money by not having to issue and manage credentials for citizens wanting to access online government services. A number of big players (Paypal, Yahoo, Verisign, Google, AOL) have stepped up to the plate to act as OpenID providers, so that people with credentials from these identity providers can use them to access government services. But these initial ICAM services are low assurance, LOA-1, services, meaning that these identity providers will not need to verify the identities of those to whom it issues OpenIDs, and those OpenIDs are usable with only a username and password.

For higher assurance services, stronger authentication methods and technologies will be needed, and some degree of identity proofing prior to issuance of the credentials will also be required. The costs of these things will not be zero, and presumably identity providers will want to recoup their costs and earn a profit by providing these identity services. The missing piece of the puzzle is what business model(s) will support higher assurance identity services. Will relying parties pay identity providers for identity assertions? Will consumers pay something if the use of high assurance identity credentials can help protect them against identity theft? Or will identity providers eat the costs of providing high assurance identity services if it can help them to attract customers for other services they provide?

It would be interesting to hear from others who might have some better insight.
On 2/12/2010 12:37 PM, Steven_Carmody@brown.edu wrote:
_______________________________________________ Community mailing list Community@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/community
I think there might be some confusion on this thread. I believe that SSO in Brett's email referred to Standards Setting Organizations whereas it appears that it's being interpreted as Single Sign On in other parts of this discussion.

Brett - would you please weigh in?

-----Original Message----- From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Bob Pinheiro Sent: Friday, February 12, 2010 1:42 PM To: community@kantarainitiative.org Subject: Re: [Kantara - Community] An observation: SSO's are consolidating and/or collaborating more
Thanks Alex -- my bad. I guess I should've paid closer attention (and also read the Kantara acronyms/terminologies list :)

cheers,

/thomas/
-----Original Message----- From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Popowycz, Alex Sent: Friday, February 12, 2010 1:56 PM To: community@kantarainitiative.org Subject: Re: [Kantara - Community] An observation: SSO's are consolidating and/or collaborating more
> I think there might be some confusion on this thread. I believe that SSO in Brett's email referred to Standards Setting Organizations whereas it appears that it's being interpreted as Single Sign On in other parts of this discussion.
>
> Brett - would you please weigh in?
On Feb 12, 2010, at 1:55 PM, Popowycz, Alex wrote:
> The US government is making a big push for adoption of open identity technologies with their Identity, Credential, and Access Management (ICAM) initiative. The government saves money by not having to issue and manage credentials for citizens wanting to access online government services.
Yes.
> A number of big players (Paypal, Yahoo, Verisign, Google, AOL) have stepped up to the plate to act as OpenID providers, so that people with credentials from these identity providers can use them to access government services. But these initial ICAM services are low assurance, LOA-1, services, meaning that these identity providers will not need to verify the identities of those to whom it issues OpenIDs, and those OpenIDs are usable with only a username and password.

Yes, OpenID will be certified for LOA-1. And that's the level that the first pilots will operate at.
> For higher assurance services, stronger authentication methods and technologies will be needed, and some degree of identity proofing prior to issuance of the credentials will also be required. The costs of these things will not be zero, and presumably identity providers will want to recoup their costs and earn a profit by providing these identity services.

Agreed. For LOA-2+ other (non-OpenID) methods (e.g. InfoCard) will be certified. A number of vendors (Equifax, PayPal, etc.) announced they will be InfoCard IdPs. I expect there'll be demos by the GSA (and other) folks at RSA of this kind of thing.
> The missing piece of the puzzle is what business model(s) will support higher assurance identity services.
Actually the missing piece turned out not to be tech, nor business. It is the lack of the right kind of trust frameworks (white lists, certification, auditing, etc.) that the US government is waiting for. WRT business models, the higher the assurance level, the more money this stuff costs. And thus the better the business case for "outsourcing" especially if a competitive market emerges. Or at least that's the theory.
> Will relying parties pay identity providers for identity assertions?
I sure hope so. If we generalize a bit from "identity assertions" to "personal data", we see a robust, competitive market wherein "relying parties" (merchants, advertisers, etc.) pay IdPs. They just do it using closed, proprietary "protocols" and APIs (behind the user's back). But money and data do flow.
> Will consumers pay something if the use of high assurance identity credentials can help protect them against identity theft?
Consumers don't pay for anything. At least in the US.
> Or will identity providers eat the costs of providing high assurance identity services if it can help them to attract customers for other services they provide?
Thanks Paul, my comments in-line.

-----Original Message----- From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Paul Trevithick Sent: Monday, February 15, 2010 10:34 AM To: Popowycz, Alex Cc: community@kantarainitiative.org Subject: Re: [Kantara - Community] An observation: SSO's are consolidating and/or collaborating more

> Actually the missing piece turned out not to be tech, nor business. It is the lack of the right kind of trust frameworks (white lists, certification, auditing, etc.) that the US government is waiting for.
> WRT business models, the higher the assurance level, the more money this stuff costs. And thus the better the business case for "outsourcing" especially if a competitive market emerges. Or at least that's the theory.
Again, I point to the PKI world as an old example. Certain CAs charge over $700 for an SSL server cert, yet very few companies/organizations who pay for such an SSL cert actually make use of it. At best, it's a tick off the list for their security auditors. And the PKI world already has some degree of "trust framework" in the form of the Certificate Practices Statement (CPS). But you are right, just the complexity of operating a trust infrastructure makes it attractive to outsource it.
> > Will relying parties pay identity providers for identity assertions?
>
> I sure hope so. If we generalize a bit from "identity assertions" to "personal data", we see a robust, competitive market wherein "relying parties" (merchants, advertisers, etc.) pay IdPs. They just do it using closed, proprietary "protocols" and APIs (behind the user's back). But money and data do flow.
>
> > Will consumers pay something if the use of high assurance identity credentials can help protect them against identity theft?
>
> Consumers don't pay for anything. At least in the US.
Hmm, being a US consumer I kinda think I have to pay for everything -- directly or indirectly :) Think of credit cards and the financial infrastructure behind them. Either I pay the $$ annual fee to the bank or Issuer, or the merchant will simply pass the cost to me as a consumer. It will be difficult for the Gov to say to citizens: hey, in order to access your records (eg. tax, medical, etc) you will have to pay $$ annually for strong authentication to an IdP.

PS. Another example is the smartcards built into the new US passports (in the middle pages). I believe that does not come free -- we have to pay for that "feature".

Regards.

/thomas/
hardjono[at]mit.edu
You are correct, Alex. I was referring to Standard Setting Organizations, not Single Sign-On.

On Feb 12, 2010, at 10:55 AM, Popowycz, Alex wrote:
> I think there might be some confusion on this thread. I believe that SSO in Brett's email referred to Standards Setting Organizations whereas it appears that it's being interpreted as Single Sign On in other parts of this discussion.
>
> Brett - would you please weigh in?
-----Original Message----- From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Bob Pinheiro Sent: Friday, February 12, 2010 1:42 PM To: community@kantarainitiative.org Subject: Re: [Kantara - Community] An observation: SSO's are consolidating and/or collaborating more
The ability of service providers / relying parties to save money is only
half the equation. It's easy to think of ways that SPs/RPs can save money. But for federated identity to work, there's got to be a way for identity providers to make money. That's the part that's missing.
The US government is making a big push for adoption of open identity technologies with their Identity, Credential, and Access Management (ICAM) initiative. The government saves money by not having to issue and manage credentials for citizens wanting to access online government services. A number of big players (Paypal, Yahoo, Verisign, Google, AOL) have stepped up to the plate to act as OpenID providers, so that people with credentials from these identity providers can use them to access government services. But these initial ICAM services are low assurance, LOA-1, services, meaning that these identity providers will not need to verify the identities of those to whom they issue OpenIDs, and those OpenIDs are usable with only a username and password.
For higher assurance services, stronger authentication methods and technologies will be needed, and some degree of identity proofing prior to issuance of the credentials will also be required. The costs of these things will not be zero, and presumably identity providers will want to recoup their costs and earn a profit by providing these identity services. The missing piece of the puzzle is what business model(s) will support higher assurance identity services. Will relying parties pay identity providers for identity assertions? Will consumers pay something if the use of high assurance identity credentials can help protect them against identity theft? Or will identity providers eat the costs of providing high assurance identity services if it can help them to attract customers for other services they provide?
It would be interesting to hear from others who might have some better insight..........
On 2/12/2010 12:37 PM, Steven_Carmody@brown.edu wrote:
At 11:44 AM -0500 2/12/10, Thomas Hardjono wrote:
My apologies for my ignorance, but I was wondering if anyone in the industry is making any money with SSO or Web-SSO? If SSO is a facilitator towards "something", it's not clear (to me) what that something is.
Service Providers are saving money, by reducing the info they are responsible for (userids, etc) and reducing the costs associated with providing that service.
As campuses (and other businesses) move to outsource more and more of their utility-like business services, Federated Identity becomes part of the equation. For instance, Brown is in the process of outsourcing check printing to a big IT company. They want to offer online access to pay stubs and W2's, rather than actually printing checks and stubs. This company asked us "have you ever heard of the Shibboleth software?". The big companies that manage retirement funds for faculty and staff offer Federated access. The list goes on -- including athletic ticketing (varying discounts based on type of campus affiliation), support for career services, parking spots, etc. And the usual assortment of services supporting instruction.
Clearly, tho, some of these services require protocols and credentials that are at the LoA 2 level.
_______________________________________________
Community mailing list
Community@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/community
Regarding "Standard Setting Organizations" there is interesting work afoot as noted in an intro to the International Standard Name Identifier (ISO Draft standard) posted on the "Technology Watch Report: Standards in Metadata and Interoperability" blog at: http://metadaten-twr.org/2010/02/03/international-standard-name-identifier-a... Juha Hakala, a member of the ISNI working group, has published a short introduction to the "International Standard Name Identifier" (ISO 27729) effort, its status, background, syntax, name metadata, governance and potential implementation challenges.
Hal Warren
OpenID Society
On Feb 15, 2010, at 12:39 PM, Brett McDowell wrote:
You are correct Alex. I was referring to Standard Setting Organizations, not Single Sign-On.
Apologies Brett -- I read your email too quickly. In my mind this consolidation of standards efforts is related closely to the viability (businesswise) of the IdP proposition. Which is why I was asking about the business model. If the industry and consumers are seeing too many "standards" efforts then it discourages adoption (ie. wait on the sidelines until the winner emerges - which may take years). As they say, the best thing about standards is that there are so many to choose from :) Apologies again. /thomas/
-----Original Message-----
From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Brett McDowell
Sent: Monday, February 15, 2010 12:39 PM
To: Popowycz, Alex
Cc: community@kantarainitiative.org
Subject: Re: [Kantara - Community] An observation: SSO's are consolidating and/or collaborating more
You are correct Alex. I was referring to Standard Setting Organizations, not Single Sign-On.
Thanks Bob, my comments inline.
-----Original Message-----
From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Bob Pinheiro
Sent: Friday, February 12, 2010 1:42 PM
To: community@kantarainitiative.org
Subject: Re: [Kantara - Community] An observation: SSO's are consolidating and/or collaborating more
The ability of service providers / relying parties to save money is only half the equation. It's easy to think of ways that SPs/RPs can save money. But for federated identity to work, there's got to be a way for identity providers to make money. That's the part that's missing.
Yes, absolutely. In my last email, I did mean that Identity Providers (as "authentication authorities") need a way to make money. And what I meant to say is that what PKI has taught us over the last 10 years is that security alone may not be sufficient for an Identity Provider to make enough money to survive.
The US government is making a big push for adoption of open identity technologies with their Identity, Credential, and Access Management (ICAM) initiative. The government saves money by not having to issue and manage credentials for citizens wanting to access online government services. A number of big players (Paypal, Yahoo, Verisign, Google, AOL) have stepped up to the plate to act as OpenID providers, so that people with credentials from these identity providers can use them to access government services. But these initial ICAM services are low assurance, LOA-1, services, meaning that these identity providers will not need to verify the identities of those to whom it issues OpenIDs, and those OpenIDs are usable with only a username and password.
In this case the business model seems to be a combination of (a) Government mandate (and money) and (b) expected outsourcing by the Government. However, with just LOA-1 it's still kind of difficult to see true adoption (ie. any person & his/her dog could open an IdP offering LOA-1 services :)
For higher assurance services, stronger authentication methods and technologies will be needed, and some degree of identity proofing prior to issuance of the credentials will also be required. The costs of these things will not be zero, and presumably identity providers will want to recoup their costs and earn a profit by providing these identity services. The missing piece of the puzzle is what business model(s) will support higher assurance identity services. Will relying parties pay identity providers for identity assertions? Will consumers pay something if the use of high assurance identity credentials can help protect them against identity theft? Or will identity providers eat the costs of providing high assurance identity services if it can help them to attract customers for other services they provide?
Yep, agree with all the above :) /thomas/ hardjono[at]mit.edu
Aetna's customers ASK for it all the time.
-----Original Message-----
From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Bob Pinheiro
Sent: Friday, February 12, 2010 1:42 PM
To: community@kantarainitiative.org
Subject: Re: [Kantara - Community] An observation: SSO's are consolidating and/or collaborating more
The ability of service providers / relying parties to save money is only half the equation. It's easy to think of ways that SPs/RPs can save money. But for federated identity to work, there's got to be a way for identity providers to make money. That's the part that's missing.
The US government is making a big push for adoption of open identity technologies with their Identity, Credential, and Access Management (ICAM) initiative. The government saves money by not having to issue and manage credentials for citizens wanting to access online government services. A number of big players (Paypal, Yahoo, Verisign, Google, AOL) have stepped up to the plate to act as OpenID providers, so that people with credentials from these identity providers can use them to access government services. But these initial ICAM services are low assurance, LOA-1, services, meaning that these identity providers will not need to verify the identities of those to whom they issue OpenIDs, and those OpenIDs are usable with only a username and password.
For higher assurance services, stronger authentication methods and technologies will be needed, and some degree of identity proofing prior to issuance of the credentials will also be required. The costs of these things will not be zero, and presumably identity providers will want to recoup their costs and earn a profit by providing these identity services. The missing piece of the puzzle is what business model(s) will support higher assurance identity services. Will relying parties pay identity providers for identity assertions? Will consumers pay something if the use of high assurance identity credentials can help protect them against identity theft? Or will identity providers eat the costs of providing high assurance identity services if it can help them to attract customers for other services they provide?
It would be interesting to hear from others who might have some better insight..........
-----Original Message-----
From: Steven_Carmody@brown.edu [mailto:Steven_Carmody@brown.edu]
Sent: Friday, February 12, 2010 12:37 PM
To: Thomas Hardjono; 'Brett McDowell'; community@kantarainitiative.org
Subject: Re: [Kantara - Community] An observation: SSO's are consolidating and/or collaborating more
Thanks Steve. I was driving at the seemingly historical fact that making money out of security *only* is pretty tough (unless you make your own viruses and sell the cure :) So for IdP's to succeed, perhaps SSO needs to be tied to the other services that the IdP offers (maybe payment services, maybe cloud-based services, etc.). And yes, I'm learning that Shibb and the Identity Commons(?) seem to be the largest deployment of IdPs and SSO today (though the higher-education systems/networks typically do not handle value-carrying $$$ traffic). cheers, /thomas/ hardjono[at]mit.edu
participants (9):
- Bob Pinheiro
- Brett McDowell
- Coderre, Mark
- Frank Villavicencio
- Hal Warren
- Paul Trevithick
- Popowycz, Alex
- Steven_Carmody@brown.edu
- Thomas Hardjono