Background

In the promised land of Connected Systems, we will be able to build a service using our favorite tools and technologies without introducing constraints as to who might be able to consume that service. It follows that in this WS-* world, where my service can be accessed by anyone or anything with an Internet connection, who that caller is and what he can access becomes rather important.

Unfortunately, as I write, at the dawn of 2006, Information Technology is suffering from an identity crisis that threatens the evolution of Connected Systems and "Web 2.0." What is at stake here? Well, to quote Ray Ozzie:

"The environment has changed yet again, this time around services. Computing and communications technologies have dramatically and progressively improved to enable the viability of a services-based model. The ubiquity of broadband and wireless networking has changed the nature of how people interact, and they're increasingly drawn toward the simplicity of services and service-enabled software that "just works." Businesses are increasingly considering what services-based economics of scale might do to help them reduce infrastructure costs or deploy solutions as-needed and on [a] subscription basis."

The environment has changed, but we are missing one major piece: there is no identity layer for the Internet. The Internet was built without a way to know who you are dealing with. The consequences of this omission are evident: users are beset by the perils of identity theft, "phishing," and "pharming." Day to day, we face a choice between struggling with a growing list of usernames and passwords or compromising our security by reusing them. To add insult to injury, every time we register with a new site we are made to type in the same information we've supplied to every other site while, coincidentally or not, we endure nauseating quantities of spam in our in-boxes and blogs!

Businesses, on the other hand, are blessed with a veritable busload of identity technologies, a number exceeded only by the profusion of identity integration products that promise to bring order out of the chaos of identity balkanization. Single Sign-On (SSO) remains an elusive goal and Identity Management is a complex process. When you add the challenges of regulatory compliance to the mix, you can almost hear the cries of pain and frustration. It's no wonder the idea of outsourcing has become so attractive!

The banks are facing losses from online fraud. Guidance from the Federal Financial Institutions Examination Council (FFIEC), the body comprising the United States' five federal banking regulators, recommends that financial institutions deploy security measures such as multifactor authentication to authenticate their online banking customers by the end of 2006.

Many governments, notably in Belgium, the U.K. and Ireland, plan to introduce smartcard-based identity cards, augmenting existing eGovernment systems such as online tax returns. In the realm of healthcare, the obvious potential of electronic patient records is undermined by the challenges around patient privacy and access control.

How on earth can we hope to make progress in this complex minefield?

Well, there is hope. Some people, both talented and experienced, have been thinking hard about these issues. Crucially, there has been a continual open discussion and feedback from experts across the industry.

What are the requirements of an open and inclusive "user-centric" identity system? What are its properties? What might it look like? Given the diverse backgrounds, interests, and goals of the participating parties, there has been a remarkable degree of consensus.

There is even a technology (the chapter title gives it away somewhat) that helps us build an identity infrastructure for the Web. But before we get to that, let's take a step back and look at what identity is in the context of IT systems.