Thursday, June 26, 2008

Information Card Foundation discussion with Uppili Srinivasan

Today I had the chance to catch up with Uppili Srinivasan, who is a security architect for Fusion Middleware at Oracle. We were chatting about the Information Card Foundation.

Eric Leach: Hi Uppili, thanks for chatting with me today. What is the Information Card Foundation (ICF)?

Uppili Srinivasan: The Information Card Foundation is an independent, not-for-profit organization formed to advance the adoption and use of Information Cards across the Internet.
The Information Card Foundation is being formed to consolidate dozens of private and corporate online identity management and protection initiatives pertaining to Information Card Technology. The main motivations are to promote interoperability, heterogeneity and openness in underlying architecture, standards and specifications.

Eric: Sounds useful. For the uninitiated out there, what are Information Cards?

Uppili: Information Cards are the digital, online equivalents of your physical identification credentials such as a driver's license, passport, credit card, club card, business card or a social greeting card. Users control the distribution of their personal information through each Information Card. Information Cards are stored in a user’s own online wallet (called a “selector”) and “handed out” with a mouse click just like a physical ID card.

Information Cards can be issued to users by organizations for general or specific use. Users can also create their own Information Cards as a shortcut to avoid the endless process of filling out web forms. But more importantly, the infrastructure behind the cards allows for trusted sources (a bank, a credit union, a government office, etc.) to verify specific information (“claims”) made by a user. In other words, Information Cards give users the ability to make claims about themselves, verified by qualified 3rd parties, while using the Internet.

Eric: So why is the Information Card Foundation important?

Uppili: The Internet is ripe with Identity-related security risks such as phishing and other identity frauds resulting from lack of user control over identity release that accompanies online transactions. Information Card is an emerging “user-centric identity” solution aimed at mitigating these issues.

No single company can succeed in building a vendor-independent, platform-neutral and user-centric identity framework by itself. The goal of the ICF is to help create the infrastructure components that enable our complex economic and social networks to support at least the same level of identity capabilities online as they have offline. Doing this requires collaboration among a community of dedicated individuals—architects, designers, developers, users—together with businesses that cross technological, financial and commercial fields.

Eric: There are other web authentication initiatives out there. How does the Information Card Foundation relate to other initiatives like the Higgins Project or OpenID?

Uppili: OpenID is a web SSO standard for Internet users. It aims to provide an infrastructure for re-usable and persistent Identity across the Internet. It supports the familiar URI-based name identifiers and also allows user mediation of trust between OpenID relying web sites and OpenID providers. OpenID is also referred to as a “user-centric” Identity system, but as you can see, Information Cards and OpenID have different but complementary design-centers. For instance, OpenID solutions are not phishing resistant, but OpenID defines a protocol mechanism to integrate with Information Card solutions to mitigate this risk.

Higgins Project is an Eclipse open source project with the goal of delivering platform-neutral and standards based Identity layers that can serve as a foundation to foster Identity solutions that span multiple protocols and provide necessary transparency for end-users accessing the Internet. One of the main components developed under Project Higgins is a platform independent implementation of Information Card. Information Card Foundation will promote open source projects expanding the reach of Information Cards. The Higgins Project is a prominent candidate in that category.

Eric: So how is Oracle involved in the Information Card Foundation?

Uppili: Oracle has joined the Information Card Foundation as a corporate steering member. This includes a seat in the ICF board.

User-centric Identity solutions, of which Information Card is one, carry the potential to address some common problems of safety and usability faced by users on the Internet today. Many standards (such as HTTP, SMTP etc.), and technologies (instant messaging, Wiki etc.) that originated on the Internet have also become pervasive within enterprises. Considering this history and also driven by the benefits of a consistent and safe user experience, it is very likely that user-centric Identity solutions, as they emerge within the Internet, are likely to morph into enterprise deployments as well.

Customers want to incorporate the benefits of user-centric Identity as a complementary component of their overall IAM solution strategy and are concerned about the prospect of fragmented infrastructure and identity silos.

With these considerations, Oracle, through its steering membership in Information Card Foundation (ICF), intends to actively promote the following:

* Openness, platform independence
* Seamless interoperability with and leverage of established standards
* Flexible architecture to permit ongoing innovations

Eric: What can Oracle's Identity and Access Management customers expect from our participation with the Information Card Foundation?

Uppili: This announcement about Oracle joining Information Card Foundation is a key component of Oracle’s position on “User-centric Identity” (UCI). At the heart of Oracle’s strategy is Oracle’s vision to deliver the benefits of user-centric Identity to its customers as a complementary solution layer that leverages existing Identity infrastructure, solutions and roadmap.

Consistent with the above vision, Oracle’s product roadmap will include both incremental integration of user-centric features within existing IAM products as well as focused turnkey solutions for this market, as this evolves and emerges.

Eric: Thanks very much for your time Uppili. This was very informative.

Uppili: No problem. You are welcome.
