The Identity Landscape of 2006


Digital Identity is maturing — into three sets of distinct standards that serve the needs of three distinct stakeholders. I’m writing this to give some context to the O’Reilly Etel conference sessions on "User-controlled Identity" (BOF Tuesday night) and "Identity Crisis: Namespaces out of control" (my talk Thursday morning).

Just a few years ago, identity was largely fragmented into many proprietary, single-application or single-purpose stovepipes. There were only two exceptions: Microsoft’s Passport and the then-new Liberty Alliance effort to build a rival to Passport that was not dominated by Microsoft.

Since then, Liberty has been quite successful within enterprises and at the boundaries of enterprises with some of their business partners, such as 401k providers inside corporate portals; I recently heard a prediction that Liberty is on track to have 1 billion (!) identities by the end of 2006. Passport has largely been discontinued for non-Microsoft sites, and will be superseded by Microsoft’s new InfoCard initiative, built on WS-Trust and a number of Microsoft technologies. InfoCard is expected to be bundled with each copy of Windows Vista.

But two major things happened in this evolution that, in a way, few expected:

  • An entire new branch of identity emerged almost overnight: user-controlled identity, or as some people call it, "independent identity". At its heart was the realization that "we are the people", that identity should emanate from the people whose identity it is, rather than from outside organizations — whether government or business. In hindsight, we shouldn’t have been surprised: this is a direct reflection of the societal mega-trend of the democratization of technology and information that seems unstoppable and that is very disruptive.
  • There is now almost universal agreement that for identity to matter as a technology, and to become a real enabler for business, it must be universal, and therefore universally interoperable. Nobody has been more relentless in evangelizing this vision (he calls it the identity "meta-system") than Kim Cameron at the very same Microsoft that only a few years ago wanted to take over the world with Passport.

So as 2006 dawns and the identity conversation continues, it is becoming clear that identity is rapidly consolidating around three architectural pillars, shown in the following diagram:

This diagram does not show technologies that remain effectively proprietary — whether account management systems of large websites, or protocols whose evolution is controlled by a single company. The labels on the diagram indicate the primary ideas and proponents.

  1. The Liberty identity pillar. This pillar is ready-made for corporate adoption: identity is “given” to the individual by the corporation (e.g. the employer), and it is the corporation that decides which identity attributes are managed and shared with whom. Even if the corporation gives the individual many choices, it is ultimately the corporation who decides whether or not to give those choices to the individual. Typically, Liberty implementation projects are between companies; the individual does not participate directly.
  2. The WS-*-based identity pillar, which, at this juncture, is largely driven by Microsoft. InfoCards is a new "Identity Selector" application that will be bundled, we are told, with every copy of Windows Vista when it ships. It is based on a number of WS-* standards, some WS-* specifications that are expected to become standards at some point, and some Microsoft extensions. As Vista has not shipped yet, there are still many open questions, such as whether it will ever be seriously supported on non-Microsoft operating systems or non-PC devices, or how it could interoperate with non-WS-* based architectures and protocols.
  3. The URL-based identity pillar, which is largely an open-source, grassroots effort. It aims to put the individual fully in control: over identity providers, over attributes, over whether or not to have an identity or how many, over which software to run from which vendor, and over the feature set associated with their identity. Its most visible sign is the use of URLs to point to people, just like we use URLs to point to companies or documents. This pillar is rapidly coming together in the YADIS community, which essentially facilitates an open marketplace of interoperable identity-related features from which the individual may pick as many or as few as they like.
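To make the URL-based pillar concrete, here is an added example (not code from the original post or from the YADIS project) of the discovery step that pillar rests on: a person's URL resolves to an XRDS document listing the identity services that person has chosen to expose, and a relying party parses it and picks the first service it supports. The XRDS document, the service type URIs and the host names are constructed sample values.

```python
# Added example: YADIS-style service discovery over an XRDS document.
# The XRDS text below is a constructed sample for a hypothetical user URL;
# the service type and endpoint URIs are illustrative, not real endpoints.
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"   # XRD namespace used inside YADIS documents

SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>https://idp.example/openid/server</URI>
    </Service>
    <Service priority="20">
      <Type>http://lid.netmesh.org/sso/2.0</Type>
      <URI>https://idp.example/lid</URI>
    </Service>
    <Service>
      <Type>http://example.invalid/profile/1.0</Type>
      <URI>https://alice.example/profile</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def parse_services(xrds_text):
    """Return [(priority, [types], [uris])] sorted by priority, lowest first.
    A Service with no priority attribute sorts after all prioritized ones."""
    root = ET.fromstring(xrds_text)
    services = []
    for svc in root.iter("{%s}Service" % XRD_NS):
        prio = svc.get("priority")
        prio = int(prio) if prio is not None else float("inf")
        types = [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS)]
        uris = [u.text.strip() for u in svc.findall("{%s}URI" % XRD_NS)]
        services.append((prio, types, uris))
    services.sort(key=lambda s: s[0])
    return services

def select_service(xrds_text, supported_types):
    """Pick the highest-priority service whose Type the relying party supports.
    Returns (type, uri), or None if the user offers nothing this party can use;
    the user, not the relying party, decides which services appear at all."""
    for _prio, types, uris in parse_services(xrds_text):
        for t in types:
            if t in supported_types and uris:
                return (t, uris[0])
    return None
```

The relying party only ever sees the services the individual chose to list, which is the "pick as many or as few as they like" property in code form.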

As we go into 2006, at least two of these pillars are still in flux: Microsoft Vista/InfoCard is not on the market yet, and YADIS is only at version 0.83 (although OpenID and LID, from which YADIS emerged, have been stable for some time). The current focus of work is within those pillars: get Vista/InfoCard out the door, make it interoperable with, say, IBM’s web services implementations, as well as working hard to make the URL-based identity implementations interoperable.

However, by the end of 2006, chances are that the pillars are solid and working well, and that construction has moved on to making the three pillars interoperable. Questions like the following ones will move up to the top of the agenda:

  • “Given we have a broad Liberty infrastructure and given that we are upgrading our PCs to Vista, how can we use InfoCard on the PC with Liberty on the backend?”
  • “Given that so many blogs are already a form of URL-based identity (bloggers talk about themselves, list their contact info, addresses, social network etc.), how can we use that together with InfoCard?”
  • “Given that our customers want to bring their own, user-controlled identity when they interact with our website, how can we connect user-controlled identity with company-controlled identity?” (example).

People today sometimes still ask "But won’t pillar X (depending on who is doing the asking, X is a different pillar) take over the world and become the one and only way of doing identity?" I hope that this discussion makes it clear that such an outcome is quite unlikely. We have those three pillars, they have evolved and exist for good reasons, and each of them will remain compelling to its stakeholders for its own reasons. But the good news is that it’s just three of them, and so there is a good chance we can connect all three of them over the next so many years and make them interoperable.

Which means that, going into 2006, it looks quite possible that we’ll be getting universal, interoperable identity after all. Yes! One thing is sure: it will disrupt many businesses, and create a range of novel business opportunities. I hope this article will help you navigate the currents.

[P.S. I have updated this post based on feedback I have received, mostly on terminology; the major message is the same, however.]


2 responses to “The Identity Landscape of 2006”

  1. […] OpenIDv1, XRI/i-names and sxip to become OpenIDv2. He also was the first drawer of the identity triangle (OpenID, SAML, InfoCards) which evolved into the Venn of […]

  2. […] This first appeared as a triangle in one of Johannes’ introductory talks at IIW in 2006. […]