Where have we come from? Where are we going?

Michael Barrett, PayPal’s CSIO started speaking about how early times (‘60s and ‘70s) Multics, RACF etc., (‘80s) Kerberos , some of us still use this, (‘90s) Netegrity, Securant (acq RSA), etc., and (‘90s, ‘00s) MS Passport. So although there is a long digital Identity history it’s been a bit muddled and not really clear as to what is the way to go.

Then there came the rise of federation (i.e. I know and trust person A, and Person A knows and trust person B, so I know and trust person B.) During this time there is a series of people who are jumping on this bandwagon, (i.e., SAML 1.0, Liberty ID-FF, SAML 2.0, Liberty WSF, Shibboleth, WS-*, CardSpace, Higgins, OpenID) but how many standards do we need.

Now there are open standards forums such as Liberty Alliance, OASIS (WS-*, SAML), Open ID Foundation, Eclipse (Higgins), COIN, Identity Open Source, Internet Identity Workshop, ID Commons (well he missed Concordia?). But he did make a point that it is getting harder and harder to stir the Identity ship and since there are soo many standards.

Pay Pal’s CSIO said: “It personally scares the hell out of me, to know that Open ID will be widely adopted.”

Then on a funnier note, he mentioned about attending cocktail parties and hearing that people get numerous emails per day from PayPal and how they wish the emails would stop. But the point here being, do not click on links that come in emails. But that is easier said than done, since there are millions of first time computer and internet users coming on line every day. He also mentioned the best way to communicate safety online just didn’t work well with text, so PayPal launched a video on YouTube which takes people step by step and helps them learn about security online and not clicking on malicious links.

So does it make sense to block these spam mails in the future? It has become so painful, that Michael said: “We are looking for ways to have these ISP’s look to see if the email is not digitally signed by PayPal, then they have the right to drop the email and block it from getting into the recipients inbox. So therefore emailing signing and email blocking become a better strategy for blocking 50% of spam. But how about the other 50%?

He then mentioned the EV (Extended Validation) Certificates. Microsoft has gone to great lengths with IE 7.0, where the address bar will turn green telling users it’s a “good” site rather then it turning red if it’s a malicious site.

PayPal has looked into the VeriSign Security key which changes every few seconds and provides a key which you can user to log in. So when you log on, it is providing: login, password, and then the code showing on the Security Key (Most big companies have been using this already, but it has never been available for consumers). But how do you gain ubiquity for it? Well Michael said it can’t be free, because people won’t believe it or use it. So they are charging $5 for it. PayPal expects to have millions deployed in the field, which will make them the biggest commercial implementations of these keys. So now they see people would get one or maximum 2 of these keys. And he put a plug in for announcements to come in the coming months.

So where is this Identity thing going? Well stronger authentication is clear, but it’s really unclear about OTP tokens. But there is a strong trend toward a more holistic authentication aka Single Sign On idea (sign in once or just a couple times and be able to gain access to many things).

So will identity networks emerge on their own? or work together and be bound together for a strong authentication? Michael said, he thinks it will be the ladder, that most identity networks will be bound together for a stronger authentication.

On a personal note I was really hoping for a revolutionary talk, something where Michael would take a stand and say where he thinks identity should go, not where he thinks it might go. After all from PayPal who is so well known I was hoping to hear, a stronger answer. But the talk was overall good and informative and a good plug to keep eyes on what is to come from PayPal.