Anybody following Identity/Privacy today is rooting for OpenID. They look like the good guys and they have momentum. However the purchase of Credentica by Microsoft in March was below most people's radar screens. You would need a keen interest in Identity/Privacy and Cryptography to have taken notice, and you're already rooting for OpenID, so why even look at what the Beast of Redmond is doing? This must be an evil plan to suck us all into Hailstorm 2.0, right? Maybe not.
It might be worth giving Microsoft the benefit of the doubt for a while. First, my CliffsNotes on why Identity/Privacy matters:
- To Publishers: You need to show Advertisers/Marketers that your audience/community has some spending power. And you need to personalize the content to make it more useful to your audience/community. You need to do both without giving out any private information that would annoy your audience/community and put them at risk of spammers and bad guys.
- To Advertisers/Marketers: You need to know whether the people reading/watching/listening to content have budgets to spend money. Without getting any private information that you might just possibly be tempted to use for some nefarious spamming campaign.
- To Users: There are things about you that you want to shout from the rooftops. And things you want to keep away from the eyes of people who might use them to harm you. But you also need to move around online from site to site without any registration hassle.
That was easy enough to write, but it is much more difficult to deliver. Squaring the privacy vs. personalization circle is hard. That's why nothing has yet hit the spot.
The privacy backlash has predictably got the politicians and regulators into the act. Yet, they might just make it worse. A ham-fisted regulation - most regulation related to technology is ham-fisted - would ruin the business for publishers and advertisers and probably be quite easy for the really bad guys to hack.
On top of that, some governments just love to know what all their citizens are doing and that is not always in the citizens' interests. Would you want your government as the repository of all citizen private data? ... That's what I thought!
So who would you trust? Microsoft? Hmm, they tried that with Hailstorm and had their heads handed to them. Maybe Google? After all they already know all your searches and you have to trust them not to use that to identify anything about you personally. And Google said "don't be evil" and we mostly think they included themselves in that injunction. But who knows, even good guys can be tempted or get bored and let the bad guys take over.
So the answer for most people would be "None Of The Above." Which implies that nothing will happen, the status quo will remain. But that is clearly not ideal. It means that your personal information is scattered across lots of sites, most of which will have relatively weak security, so that hackers can easily get it. Just like they did recently at Facebook.
OK, let's test that. Who would you trust to store all your private information? Please vote in the poll below.
That's why Credentica is important. Look at this 5-minute video to understand the technology. I don't know anything about cryptography, but it appears that the people who do understand it believe that Credentica is technically secure.
So then it is a question of trust. What will Microsoft do with Credentica? Which is a question that nobody has the answer to. Although I am sure many people have opinions -- and feel free to leave them in the comments. Steve Ballmer, what's the deal? What do you have planned?
Quite possibly, Microsoft is still figuring it all out. They do have somebody called Kim Cameron who has been thinking about online identity longer and deeper than most. His bio says:
"Kim Cameron is Chief Architect of Identity in the Connected Systems Division at Microsoft, where he works on the evolution of Active Directory, Federation Services, Identity Lifecycle Manager, CardSpace and Microsoft's other Identity Metasystem products.
Kim joined Microsoft in 1999 when it bought the ZOOMIT Corporation. As VP of Technology at ZOOMIT, he had invented metadirectory technology and built the first shipping product. Before that he led ZOOMIT's development team in producing a range of SMTP, X.400, X.500, and PKI products.
Kim grew up in Canada, attending King's College at Dalhousie University and l'Université de Montréal. He has won a number of industry awards, including Digital Identity World's Innovation Award (2005), Network Computing's Top 25 Technology Drivers Award (1996) and MVP (Most Valuable Player) Award (2005), Network World's 50 Most Powerful People in Networking (2005), Microsoft's Trustworthy Computing Privacy Award (2007) and Silicon.com's Agenda Setters 2007."
He's Canadian, so he can't be evil... and he says he is a "strong proponent of OpenID." (As you can hear/see here.)
So it doesn't look like Microsoft is planning to replace OpenID. Perhaps they just plan to make it secure.
OpenID has the right approach with multiple providers, but as Cameron points out, it is open to abuse by hackers and ID phishers. That is where OpenID's multiple providers have a branding/trust problem. Out in the wild, who knows the difference between MyVidoop, ClickPass, and EvilPhisher? (I made that last one up).
Credentica had/has a Java SDK. I hope Microsoft keeps this, while also offering a .Net equivalent. For many entrepreneurs the Java vs .Net decision is pretty immaterial; the decision comes down to skill availability. Keeping the Java SDK would increase trust a bit.
Microsoft will have to work hard to forge developer trust in this area. If they can win over developers they have a strong story to tell. The game will shift from just being an ID Provider to offering "secure ID" as a feature of your service. In other words, they will shift this "up the stack," which will be a threat to an ID Provider that plans to use that one feature to build a business, but maybe great for other entrepreneurs.