I am currently in San Francisco where I'm attending my first RSA Conference. I'm here to learn more about security as it relates to identity management, cloud computing, and the financial industry in general. To this end, I kicked off my day by attending the Liberty Alliance and Information Card Foundation workshop. I was only able to stay for the first hour of the day-long meeting, but, during that time, I talked with Paul Trevithick, CEO of Azigo and founder of the Information Card Foundation as well as his colleague, Jack Connors. They helped me understand the constituent parts within the Higgins project and their relationship to Azigo and Novel. Through many architectural iterations, he told me that the Higgins community has come to realize that the problem is best solved by a S+S solution which includes a thick-client able to do crypto and a hosted card store. This cloud-based service acts as a rendezvous point and replicates cards between devices. Azigo is hosting this SaaS offering since Higgins, as an OSS project, has no means to provide on-demand, cloud-based software. He also stressed the community's desire to innovate in addition to interoperating with CardSpace; this is leading, he said, to competition with Microsoft which benefits everyone as the vendors sharpen, inspire, and one up each other. Trevithick said that through a lot of hard work and evangelism, he feels that Higgins and Information Cards are finally at the starting line and the big race is about to begin. This jives with the finding of a Gartner report on the matter that I was recently told about. I was very happy to meet Trevithick and Connors, and hope to collaborate more with them in the future.
During the workshop, I also had a brief chance to talk with Christie Bacchus and her associates at PingIdentity about their PingFederate product. It was really helpful because I learned that this product of theirs is what I would call a passive STS or a Federation Provider STS (FP-STS). I was hoping to hook up with them more in the evening to learn if they support browser POST and/or browser artifact (two things I'm just now learning about honestly). I'm guessing both, but it would have been cool to talk to them about bearer tokens, holder-of-key tokens, and their new active STS product. Too bad they didn't have a booth at the convention (which really shocked me).
After this first hour, I spent the day in a 8-hour-long lecture given by Erik Heidt and Dan Houser. It was a really good talk, but it wasn't what I expected. The room seemed to be made up of a lot of CIOs, CTOs, enterprise architects, and other big wigs. I felt (perhaps incorrectly) that I was the only engineer in the room. Though a bit out of my league perhaps, I really benefited from the big-picture perspective that Heidt and Houser shared. I learned that enterprise identity management is really hard and really complex. From my little vantage point where I write my code all day, it doesn't seem that monstrous. But, as Heidt pointed out, building an identity management system is not a technology project. 1/5 of it is, but 20% of it is product management and 60% is all politics. Of that, he advised that most of the engineering effort should be limited to acquiring COTS products and integrating them rather than building such things yourself, especially when it comes to federated identity management. (Ironically, that's exactly what my team and I are building ATM.)
They talked at length about the components of an identity infrastructure:
I could go on and on about the details of their talk, but, alas, I've burnt all of the midnight oil and must call it quits for now. Come back tomorrow for more about my time at the RSA Conference, follow me on Twitter, and check out my other post on day one of the conference.