Perhaps it's because we're in the run up to the holiday season or because the press release came from the UK that accounts for the lack of commentary on the announcement that Experian has developed a CardSpace proof of concept with Microsoft. This is notable for a couple of reasons.

First it's another of what is still a comparatively rare breed of "real-world" adoptions of CardSpace (Otto in Germany, which I commented on back in September, being another).

Second it sees Experian exploiting the wealth of information it has gathered about individuals, together with its relationships with commerce service providers due to its position as the largest credit checking agency in the UK (it claims to process over 70% of all UK credit applications), to position itself as an identity provider.

In a nutshell Experian plans to issue individuals with a 'Experian Card' information card. When the individual visits a CardSpace-enabled site, they will be able to present the 'Experian Card' when challenged to provide credentials and other identity-related data. CardSpace (and presumably non-Microsoft identity selector alternatives, such as the Bandit Project's DigitalMe) would then send a request to Experian to validate the identity and return a signed token to be used by the site to determine whether the individual is who they claim to be.

Having a proof-of-concept is one thing but Experian is in a similar position to the first person to invest in a fax machine. They need others to participate if the technology isn't to languish as just an interesting experiment. Experian, because it is already trusted by service providers, is well positioned to get the identity selector ball rolling and according to the press release is

already in discussion with a number of organisations

and

will be in a position to demonstrate it to organisations, with the ultimate intention of launching an Identity Management Service in the near future.

That's only half the story though. The customers of those service providers also need to come on board. Whilst the wallet metaphor of CardSpace is intuitive, we have all grown too accustomed to the username/password/PIN/mother's maiden name ... approach to authentication and I am not convinced by Experian's claims that

there will be enormous demand for such a service from ... consumers

Rather, I think Experian is going to have to encourage service providers to actively promote the identity selector approach, not least because individuals (unless they are using Windows Vista) are going to have to install CardSpace or a non-Microsoft alternative.

I definitely don't want to pour cold water on the announcement. It's encouraging to see the adoption of "user-centric" (a term that I think is going to bandied about less in 2008) alternatives to traditional authentication mechanisms, given the enhanced usability and security, and I hope we do see a launch with a healthy group of service providers in the near future. Definitely something to watch.

Ben Laurie of The Bunker Secure Hosting has a provocative post about the two emerging (and that's important) leaders in user-centric identity: OpenID and CardSpace. He quite rightly points out that at present OpenID's:

popularity is entirely on the provider side. There are no consumers of note.

and that CardSpace:

appears to live in its own little world, supported only by Microsoft products

I think this is to be expected given that we are still in the early stages of both.

Where I find myself disagreeing with Ben, however, is with his conclusion about CardSpace:

So why does this make Cardspace like Passport? Well, the fear with Passport was that Microsoft would control all your identity. The end result was that Microsoft was the only serious consumer of Passport. When Cardspace is deployed such that all providers and consumers of identity are really the same entity, then all its alleged privacy advantages evaporate. As I have pointed out many times before, when consumers and providers collude, nothing is secret in Cardspace (and all other standard signature-based schemes). So, there?s no practical difference between Cardspace and Passport right now.

Ben's right about the implications for privacy when the those consuming identity information collude with those providing it but that's not an issue peculiar to CardSpace.

Even Microsoft would (and indeed does) agree that Passport was a failure due to the company's control of identity data, I think Ben doesn't tell the whole story. It wasn't just down to control of an individual's identity data. It was also due to the fact that Passport and Hailstorm were designed from the outset to wrest control of identity data from Microsoft's business partners and customers. The same can not be said of CardSpace and that's why I believe there is a difference between CardSpace and Passport. There are already examples, Otto in Germany springs to mind, of organisations other than Microsoft using CardSpace and, as I said, it's still early days.

Microsoft agrees to participate in ID project ... For the first time representatives of Liberty Alliance and Microsoft are going to sit down together ... Microsoft is to meet this month with vendors and organisations that are backing several different identity management systems. The Microsoft meeting suggests that cooperation between the software giant and its peers is improving.

These are just a few examples of press excitement resulting from the formal announcement of the Liberty Alliance's Concordia project and the news that Burton Group's Catalyst 2007 conference will host a panel discussion between representatives from Liberty, Microsoft and OpenID about identity interoperability. Perhaps it's because I have been following identity so closely over the last few years but I can't say that this really justifies the implication of the headlines that this represents a significant change of heart for Microsoft. Microsoft has been an active participant (and arguably leading) the charge towards interoperable identity solutions for a number of years.

Far more interesting, as far as I am concerned, is what the panel will be discussing. Concordia is initially focusing on gathering real-world use cases some of which will be presented to the panel. With effective identity management so critical to many of the strategic challenges and opportunities that organisations are faced with today, it's time to move away from "vendor sports" and address the needs of those organisations.

I have just returned from a couple of days in Orlando, where I attended a Microsoft Server and Tools Business analyst summit which coincided with the company's TechEd conference. The RedMonkers James and Coté did a great job of live blogging the event (here, here, here, here, here and here) - and there was even some Twittering - but I needed the joys of a 9 hour transatlantic flight to collect my thoughts.

The big news at TechEd and the focus of the analyst summit was Microsoft's Dynamic IT for the People-Ready Business (Dynamic IT) strategy, which the company describes as building

on the company?s Dynamic Systems Initiative and ongoing Application Platform efforts to provide customers with the key areas of technical innovation necessary to make their IT and development organizations more strategic to the business

In other words it's a framework which builds on a number of Microsoft's most significant, but historically largely disconnected, initiatives which is designed to help customers understand how they can be combined to increase the business value of IT. This is long overdue, for a couple of reasons.

First, whilst Microsoft has used language in the past which implies linkage between the different initiatives and associated products, such as 'design for operations' for DSI and .NET, it's not always been clear how the implication becomes reality. For example, how do the System Center management tools exploit operational policy requirements defined in Visual Studio and how do those requirements map to policies defined in Windows Communication Foundation? Dynamic IT sets out to make the linkage explicit.

Second, Microsoft has lacked a cross-company vision for enterprise IT (for want of a better term) within which to frame discussions with customers and around which it can rally the troops. I'm thinking here of things like IBM's On Demand, HP's Business Technology, Oracle's Fusion etc. There's People-Ready of course but I think that's about more than Enterprise IT. Dynamic IT provides Microsoft with a competitive alternative and one that is more reflective of current reality than future aspiration.

There are four aspects to Dynamic IT where Microsoft plans to focus innovation:

• unified and virtualized
• process-led, model-driven
• service-enabled
• user-focused

built on a federated, interoperable and secure foundation. Obviously, it's still very early days but I do think Microsoft has a lot of work to do if it's going to achieve what I believe it hopes to with Dynamic IT.

For example, in his keynote when Bob Muglia talked about process-led, model-driven he discussed process-led in terms of the application lifecycle, BizTalk, Windows Workflow Foundation and Office Business Applications and model-driven in terms of System Center and IT management models (based on Service Modelling Language and the Common Model Library). What he didn't do was explain the relationship between the two. When describing service-enabled, he focussed on .NET, SOA, web services and software plus services, primarily from the bottom-up, developer perspective (consistent with Microsoft's initial foray into SOA) but failed to tie that into the end-to-end service lifecycle - Big SOA - and thus process-led, model-driven. (As an aside, I think Microsoft is also missing a trick when it comes to information and data as a service but that's for another day).

As well as explaining the relationships between the different aspects of Dynamic IT, Microsoft also has to be very careful that it doesn't fall back into the trap of using it simply as a framework for categorising its products. Increasingly, the key concerns of the people it is trying to reach with Dynamic IT don't fall into neat product categories and Microsoft has struggled in the past to articulate the joined-up propositions required to address these concerns because of its focus on product stovepipes (as I discussed here).

What I think Microsoft needs, as I explained during various meetings at the summit, are scenarios and associated case studies to bridge between the framework and the products and emphasise the linkage. This will also serve to highlight the importance of the three foundational aspects - federated, interoperable and secure - which might otherwise be lost and to tie into Core, Application Platform and Business Productivity Infrastructure Optimization roadmaps which Microsoft is using to help customers understand how they move forward from where they are today.

For Microsoft's customers and potential customers Dynamic IT is a positive sign that company is beginning to recognise that you are more concerned with the outcomes from deploying the company's technologies than you are about the technologies themselves or the way that Microsoft chooses to structure itself to develop and sell them. Over the coming months you should be looking to Microsoft to fill out the framework and seek explanations for how the pieces fit together today and how the company plans to enhance that integration going forward.

The ever-vigilant Redmond watcher Mary Jo Foley over at ZDNet reports that Microsoft's Server and Tools unit (but not the P&L - Microsoft will still report server and tools financials), which is responsible for Microsoft Windows Server, SQL Server, Visual Studio, System Center management products and Forefront security products, is now part of the Business Division, the home of Office and Dynamics.

Mary Jo finds this move 'curious' but I can see the logic. It's hinted at (if you get past the marketing speak) in the company's official statement that it made the move to:

sharpen leadership focus on the company?s top priorities and align its organization for innovation, ultimately enabling it to deliver even more value to its customers.

I think this is all about making it easier for Microsoft to articulate propositions which resonate with the key concerns of senior business and IT people. The reality is that key strategic business and IT initiatives - SOA, BPM, compliance ... - increasingly depend on multiple technologies and associated competencies, which cross traditional stovepipes. Big SOA, for example, is about managing IT work across the entire service lifecycle and so touches project and portfolio management, software development and integration, IT service management. BPM, as the other Neil pointed out, is about Office as much as it is BizTalk and Workflow Foundation.

In the past, the way that Microsoft has been organised has worked against the articulation of such joined-up propositions (that's in part why it took the company so long to talk about SOA). Customers would get different answers to the same cross-cutting requirement depending on which Microsoft stovepipe they were talking to: you need BizTalk and SQL Server; you need OBA and SharePoint. [As an aside, I said much of this in an interview with Microsoft PR earlier in the week].

Obviously, shifting branches of the org chart is comparatively easy (even it is very big). The hard part is going to be changing behaviour, joining up the marketing etc. The creation of the Connected Systems Division back in 2005 shows that the company can pull this sort of thing off (albeit on a smaller scale in the Server and Tools Business as was) and Jeff Raikes, who now owns the combined entity, has the influence and power to drive things through at this larger scale.

I am off to a Server and Tools Business analyst event in just over a week so I will hopefully learn more then.

Yesterday, the General Manager of Microsoft's virtualization strategy Mike Neil used his blog to announce that a number of features would be missing from the initial release of Windows Server Virtualization (aka Viridian):

• Live migration of virtual machines between physical servers
• Online addition of storage, network, memory and processor resources
• Support for more than 16 processor cores

No doubt Microsoft's competitors will see this announcement as an opportunity to raise FUD regarding Microsoft's virtualisation credentials ("We already do live migration and Microsoft's years behind").

It's certainly true that this does weaken Microsoft's credibility. However, it's important not to lose sight of the fact that these capabilities are not required for mainstream use cases such as server consolidation - and it's the mainstream that Microsoft is targeting.

Sun yesterday announced:

a new initiative around support for OpenID, a decentralized, web-friendly single sign-on mechanism that allows consumers to reuse a single login across different websites, tackling the "login explosion" problem. OpenID is currently limited to facilitating low-risk transactions such as blog comments. Through its new initiative, Sun is exploring what changes and practices are needed to make OpenID applicable to a broader spectrum of business and IT challenges. The company will actively encourage participation from customers and technology partners through a series of activities and real-life implementations that are initially driven by Sun's Chief Technologist's Office.

It would be all too easy to focus on vendor sports and discuss this announcement in the context of Microsoft's embracing of OpenID at the RSA Conference in February. But I will avoid the temptation (not least because I think the sport wouldn't be much of a spectacle).

I also don't want to join the ongoing debate (at least over at the Identity Gang) sparked by this statement in the press release:

People using Sun- based OpenID identifiers at an OpenID-accepting website can convey in this simple and secure manner that they are indeed Sun employees, a piece of information that can enable access to employee discounts and unlock other special services all across the web.

which confuses authentication with authorisation - contractors may be given OpenID identifiers to access particular services but they are not Sun employees; what happens in the future if Sun provides OpenID identifiers to partners in the future but a service provider is working on the assumption that OpenID identifiers have only been issued to employees?

No. It's this statement which captures my particular interest:

As enterprises increasingly open up access to data and services to wider audiences and improve usability, the use of a decentralized technology like OpenID will be an appealing way to manage account proliferation. Integration with existing deployments, which often involve enterprise-ready technologies like SAML and the Liberty Alliance's Identity Web Services Framework will become an essential consideration. Sun is working with customers and partners to combine and converge these technologies to maximize effectiveness.

I discussed the importance of convergence of user-centric and enterprise-centric approaches to identity in our report on identity management. Although there have been some very valuable discussions in the identity community, this has not resulted in much pragmatic guidance for enterprises assessing the implications of OpenID and other user-centric identity technologies behind the firewall. Sun's experiment should hopefully provide some valuable insight. I for one look forward to hearing more.