...making Linux just a little more fun!

Away Mission: About IdMgt, Higgins, RSA, Catalyst, and ITxpo

By Howard Dyckoff

Lately, there have been a lot of conferences focusing on the role of digital identity and the role of Identity Management [IdMgt or IdM] technology. This is a strong indicator of the level of interest by a broad group of stakeholders: government, enterprise IT, SaaS and mobility service providers, security firms, Internet merchants and Web 2.0 site operators, privacy advocates, and large user communities.

The issues are still being scoped - but innovative and potentially disruptive technical solutions are already being developed by startups and niche players, and you'd need a scorecard to sort out the players and the issues. Opportunities for doing just that abound at conferences and interop events such as the annual RSA conference, the annual Digital ID conference, IT and government security events, and events put on by ACM and USENIX among others, and the pundit platforms provided by the Gartner Group and the Burton Group.

What we learn at these events is that under the newly enhanced regulatory environment, identity policy, provisioning, management, and lifecycle are critical for both security needs on the one hand and also for meeting legal and compliance requirements on the other. Government and industry alike know they have to address these points, but the ink hasn't dried on the standards or the expectations. Figuring out what to do is at least as important as how, but both areas are still being defined so there's a place for both the technical conferences addressed at implementers, and the conferences focusing on governance and management. Bring on the pundits, please.

It's also hard to ignore the David and Goliath comparisons. But maybe that's why you're reading this Away Mission. OK, let's get to it.

Featured Below:

RSA Confererence
Burton Catalyst vs. Gartner ITxpo

Higgins and OpenID

The complexities of Digital ID management have been the focus of many IT and security technology conferences over the past year. All have had to touch on ID federation and the relations between ID providers, ID authenticators and those relying on this information in digital transactions. All the major conferences have paid attention to the demands of user-centric ID mechanisms that afford a large measure of selection and control to the persons represented by these digital IDs.

Two trends have clearly emerged in the last year. First, user-centric ID is better understood and better supported by Web businesses, as shown by the acceptance of OpenID and other user-centric ID management technologies. Second, the Higgins framework for digital ID Federation and interoperability has also gained significant mind share and support and is now used in several shipping products.

OpenID has had a lot interoperability wins this last year and some 10,000 Web sites now allow login via OpenID. Although OpenID has many options, usually a URL associated with the user is accepted as an identity credential. Typically, this is a person's blog address. If a person blogs on multiple subjects, each URL is relevant to its particular subject.

Identity guru Kim Cameron said this about OpenID: "OpenID gives us common identifiers for public personas that we can use across multiple Web sites - and a way to prove that we really own them." Cameron goes on to call this a huge win compared with random screen names and a hodge-podge of passwords.

OpenID 'news' is discussed further in the RSA section below.

Higgins, which began in 2003 and became an Eclipse incubator project in 2004, released its 1.0 version in February. Products from Serena and Novell (Bandit) now use Higgins code and abstractions and a larger community of developers is coalescing around it. Why? Because it provides a lot of needed functionality for transactions between ID providers and ID consumers and because of its broad, agnostic any-to-any approach.

Higgins has support for straight SAML protocols and also the SOA supported WS-Trust protocols. Higgins has plugins written in both C++ and Java, and Higgins supports the InfoCard concepts derived from (but not limited to) Microsoft's CardSpace. In short, Higgins is the right intermediary framework for this IdMgt epoch.

Higgins is currently in use by ALF, CloudTripper.org and the Community Dictionary Service. The Novell DigitalMe product is over 90% Higgins-based.

The Higgins community is also working on notation for graphing ID relationships and correlations of the same person, something very important to usefulness of social and business networks. Higgins borrows here from Semantic Technology, using descriptive tuples in a manner like RDF and OWL. This is currently called Higgins OWL or H-OWL. Discussions on this and the data model should appear here:


The Higgins Project will be demonstrating Release 1.0 at the user-centric identity interoperability event at RSA2008. The last major use interop event in the US took place at the June 2007 Burton Catalst conference.

IBM, Novell, Parity and other vendors will all be showing interoperable applications based on the Higgins framework. This event will feature interoperability between identity providers, card selectors, browsers and Web sites. When users 'click-in' to sites via managed information cards, or i-cards, components from Open ID, Higgins Identity Framework, Microsoft CardSpace, SAML, WS-Trust, Kerberos and X.509 will hopefully interoperate within an identity layer built from both open-source and commercial components. Card selectors can be embedded in Mozilla browsers, or based on the GTK/Cocoa selector for BSD and Linux.

The less ambitious demo in 2007 worked well after all the servers were up and initialized.

The Burton Catalyst conference, reviewed below, analyzed emerging trends in IdMgt and heavily featured user-centric ID solutions like OpenID and Higgins. With Higgin's leap from incubator status to production software, it will a lot more pervasive.

Do you know the way to RSA?

The Goliath conference in the security realm would be the RSA conference. This Godfather of the modern security conference was originally a specialty conference for cryptographers and mathematicians 17 years back. Now, the conference is broadly focused on security issues and security products, and features big tech company CEO keynotes along with occasional keynotes by researchers and a huge vendor expo. For a while, the RSA conference was held in San Jose, but more recently has been resident in San Francisco.

I recall attending when it was an insider's conference, a kind of united white hats parley to discuss cutting edge research. When enterprises realized that multiple layers of security were de rigueur, the big dollars started to be made in security, and the RSA conference became a necessary venue for security firms and the big software houses. Then they were bought by EMC, which broadened the conference to include secure storage. They still call the big conference party "The Cryptographers Ball" and host a separate researchers track that requires serious credentials to join.

The company behind the initials - and the crypto algorithm that also bears the same initials - has stood for cryptographically secure products for the same time period. Arguably, the RSA algorithm, now in the public domain, has been instrumental in allowing allowing secure Web traffic and internet commerce to occur. (The initials stand for Ron Rivest, Adi Shamir and Len Adleman, who invented the RSA algorithm in 1977 (RIVE78)).

This is where a lot of security products - and partnerships - get announced and where the big companies try to explain initiatives they are only just starting. In 2007, attendess heard from Intel, Cisco and Oracle, as well as EMC. Futurist Ray Kurzweil gave the closing keynote on technological progress and evolution. For the RSA 2008 conference, there will be speakers from CA, IBM, Microsoft, and smaller ISVs like TippingPoint and Websense. There will also be a special keynote by Al Gore on "Emerging Green Technologies" on April 11th. Here's a list of all the RSA 2008 keynotes: http://www.rsaconference.com/2008/US/Conference_Program/Keynote_Speakers.aspx

All the keynote presentations from RSA 2007 are available here: http://media.omediaweb.com/rsa2007/index.htm

One of the most far-reaching announcements at RSA 2007 was Bill Gates's keynote, where he said that Microsoft would support and collaborate with the OpenID project. This led to Microsoft, IBM, Google, Yahoo, and Verisign joining the OpenID Foundation as corporate board members this past February. The OpenID Foundation was formed in June 2007 to support and promote the technology developed by the OpenID community.

OpenID enables individuals to convert one of their already existing digital identifiers -- such as their personal blog's URL -- into an OpenID account, which then can be used as a login at any Web site supporting OpenID.

Most of the content for RSA 2007 is accessible only with the conference CD. However, a very nice selection of "Expert Tracks" were videoed and are available publicly online. I would recommend the sessions on ID federation and also session 202 - "Deeper Injections: Command Injection Attacks Beyond SQL". Find that material here: http://media.omediaweb.com/rsa2007/tracks/index.htm

Another item available on the Web is Pat Peterson's presentation on "Deconstructing a 20-billion Message Spam Attack" from 100,000 zombie bots. (Patrick Peterson is Vice President of Technology at IronPort Systems.) That's available here: https://www.eventbuilder.com/event_desc.asp?p_event=w5b6g9q1

Although an Expo/Keynote pass to RSA 2008 is not free, many participating vendors email discount codes for free expo admission. You can contact the ones you are familiar with or, if you have contact with Applied Identity, or would like to, use code EXP08APP before April 4, 2008.

If you are interested in my conference review of RSA 2005, just click here: http://linuxgazette.net/112/dyckoff.html

Gartner and Burton IT Conferences

Gartner is subscribed to by almost all of the Fortune 1000. It bought out META Group a couple of years back, and the Cambridge Group as well as other small fish in the consulting business. It's the 800-pound, or maybe 8000-pound, consultancy. Its researchers maintain over 20 distinct advisory services and each of those holds annual conferences. If your company subscribes to Gartner services, some annointed co-workers get to go to some of these. It's also hard to ignore Gartner pronouncements, especially since they have the ear of many C-Level executives.

Gartner does a lot of research so it's wise to pay attention. Gartner, and its competitors, are good at spotting and analyzing industry trends early. They tend to follow the major vendors in each sector closely, and may ignore an upstart, particularly in the open source arena, due to this focus. However, Gartner also tries to link in their other services and there is a bit of cross-selling going on.

The major challengers to Gartner are the Burton Group and Forrester Research. Both offer significant access to webinars and white papers on-line, a substantial number of these for free. The Burton Catalyst conference is aimed at IT innovators and bleeding edge adopters, as well as those trying to gauge the velocity of change. The purpose of the conference is to make sense of leading IT issues and trends both individually and as a group, and this conference - unlike the more narrow focus of the Gartner events - often draws experts from all of their research services, and high value guests from outside institutions and communities. Many of the key Burton presenters blog regularly on their research areas and also use reader comments to prepare the prepare for upcoming events.

I like both events but I have to express a preference for the size, the mix, and the medley of Burton Catalyst. Because the events are smaller, it's easier to find people interested in networking; and because of the interlinking, one gets more of a 3D view of issues and architectural approaches. Bottom line: I feel like I learned and understood more at the end of the Catalyst Conference than after a Gartner Group IT Security conference in 2007.

Having said that, I note that both organizations make getting the conference materials difficult if your company does not subscribe to a consulting service. Burton was better here, with most materials going up 2-3 weeks after the conference for a download window of about 6 weeks. I had trouble for the 2006 Catalyst Conference since the materials were unavailable for the first 10 days after the conference and I checked back about 60 days afterward, only to find out the download window had closed. (They did provide some individual presentations on request.) Communications from Burton was much better in 2007 and it was easier to know when the window would open and close. Burton also provided live downloads during the conference but most of the last day's presentations were not available on that day. No conference CD was available, but some vendors provided USB drives. All that was required was a conference login, with an online option for forgotten passwords.

Gartner, in contrast, did provide a conference CD, but many of the sessions were either missing or had only a short text outline. The missing or incomplete presentations were not available during the conference. Getting the materials afterward required the conference CD and a Gartner account key, which attendees did get but had to be hunted for. I think Gartner should have kept conference attendees better informed about the availability of late posted presentations, but I also know that this is a general problem for IT, developer, and other technical conferences. Since both Gartner and Burton are in the business of selling their research, the extra barriers are understandable but can more than a little annoying.

On the swag and party level, Burton also wins but only by a nose. Gartner gave attendees a real day backpack with a pocket for laptops while Burton handed out small padded zipper bags that are great for slipping inside other bags (like the Gartner bag).That's a point for GGrp. And Gartner had a real vendor expo, which partly conflicted with the schedule of presentations. Burton Catalyst has a tradition of evening vendor soirees along two corridors of hotel ballrooms and meeting rooms. Every room has a theme or game and each has either food or drink or both plus marketing swag. Some contests included iPods or LCD TVs; for example SAP gave out 2 GB USB jump drives for asking technical questions about their IdMgt products. But the major point here is that the vendor presentations were evening affairs, outside of conference hours, and easily accessible. (One vendor couldn't get the space needed one night, so their event was held directly across the street and started half and hour before the other events - see, very easy.)

GG and BG summaries....

The main thrust of the 2007 GGrp IT Xpo was the need to innovate and provide greater value for the enterprise. This meant assembling a creative mix of available technologies and allowing individual workgroups and departments to experiment. Corporate attitudes toward consumer tech entering the enterprise must shift from "unavoidable nuisance" to "opportunity for additional innovation". It also means rethinking the IT Fortress mentality. One of the key ways to achieving this more open state is to begin to use ID provisioning, ID federation, and ID management.

"Most IT organizations simply cannot deliver new value, new processes, new markets, and new channels because their DNA is fundamentally about control, which is the opposite of what you need for innovation and growth," said Jennifer Beck, group vice president at Gartner.

Gartner also said that about 30 percent of IT funding is not going to centralized functions, but into the business units, such as sales and marketing, for their own research and development. In June of 2007, Jackie Fenn, vice president and Gartner fellow, said, "By embracing and leveraging employee experimentation and experience with consumer technologies, enterprises can enjoy a significant addition to the resources they can apply to evaluating innovation."

A recent Gartner survey found that most organizations have work underway to develop a strategy for Web 2.0, but few are prepared for, or executing on that strategy. Gartner predicted that by year-end 2007, about 30 percent of large companies will have some form of Web-2.0-enabled business initiative under way.

The internal challenge for companies experimenting with Web 2.0 is characterized by inbound risks, such as malicious code in RSS feeds, and outbound risks, such as information leakage through inappropriate blogging or use of collaboration tools. The external challenge is threats generated by enterprise usage and participation in Web 2.0 technologies, such as use of third-party content (mashups) and engaging in open user communities.

At Burton Catalyst, I kept mostly to the IdMgt and Security tracks, which occassionally conflicted. There were other tracks on Networks, SOA, Computer OSes, and Data Center Operations. One of the key takeaways was that current IdM products actually reinforce the traditions of centralized control to achieve provisioning, federation, and de-provisioning. This counters and undermines distributed processing, departmental independence, user-centricism, etc., and also runs counter to the Web 2.0 trend.

Although a lot was said about ID management and federation, about credentials and role-based security, a Feb 15 entry at identityblog.burton.com by analyst Gerry Gebel provides a good summary of how Burton understands the current era:

"Technologies like federation help us make incremental advancements beyond the command and control approach. If we permit authentication to occur outside our domain and project this information through a federation exchange, that's a sign of progress. However, federation products, as they are currently constructed, still require considerable coordination between parties in order to establish the connection: we focused on this issue at Catalyst last year.

"So, it was interesting to see the recent video sparring between Sun and Ping Identity regarding what they've done to address this from a technology perspective. To follow up, we recorded a podcast this week with Sun, Ping Identity, and Covisint - which will be available soon on the podcast site .

"More incremental change is what we can expect in the near term until different identity business models emerge. Similarly, the introduction of OpenID and information card systems purport to change the dynamic by providing more user control over identity data, but this is in name only - business still determine what attributes are required to complete an e-commerce transaction and the user can select an information card that matches the business' criteria. Real change happens when third party identity agencies and intermediaries proliferate and are utilized by Internet properties. Identity oracles, as described here, are examples of intermediaries that are beginning to appear in the marketplace."

Don't forget to visit Burton's analyst's blogs home page to get the Burton skinny on all their major research areas:

Upcoming Conferences

From the October IT Xpo in Orlando, here are the top 10 trends as GGrp see it between now and 2010:
The Gartner Emerging Trends Symposium/ITxpo 2008 will be held April 6-10, in Las Vegas. Gartner Group will host their main IT Security conference in Washington DC, June 2-4, 2008: Gartner IT Security Summit

Here's a link to their Web site on Security topics:

This year, Burton Catalyst will be held over 5 days in June in San Diego, instead of San Francisco. Information is here. [http://www.catalyst.burtongroup.com/na08/ ]

Forrester's IT Forum 2008 will lead both GGrp and Burton by taking place May 20-23 in Las Vegas:

Next time we will discuss the annual Digital ID World conference.

Talkback: Discuss this article with The Answer Gang

Bio picture

Howard Dyckoff is a long term IT professional with primary experience at Fortune 100 and 200 firms. Before his IT career, he worked for Aviation Week and Space Technology magazine and before that used to edit SkyCom, a newsletter for astronomers and rocketeers. He hails from the Republic of Brooklyn [and Polytechnic Institute] and now, after several trips to Himalayan mountain tops, resides in the SF Bay Area with a large book collection and several pet rocks.

Howard maintains the Technology-Events blog at blogspot.com from which he contributes the Events listing for Linux Gazette. Visit the blog to preview some of the next month's NewsBytes Events.

Copyright © 2008, Howard Dyckoff. Released under the Open Publication License unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 149 of Linux Gazette, April 2008