What's behind open-source ID push?

IBM, Novell support Higgins, a previously obscure ID management effort. Why?

Joris Evers, Staff Writer, CNET News.com
Joris Evers covers security.

Big guns IBM and Novell threw their weight behind a previously obscure open-source identity management project this week, leading analysts to wonder: What's in it for those companies?

The two technology heavyweights are backing an initiative code-named Higgins Project, which the companies pitch as an open-source response to Microsoft's forthcoming InfoCard technology. Both Higgins and InfoCard are being presented as ways to give people more control of their personal data when doing business online. The systems also promise to work with the multiple authentication systems on the Net, making it easier for people to manage Internet logins and passwords.

Microsoft has been talking about InfoCard for some time now, and Chairman Bill Gates demonstrated it for the first time at last month's RSA Conference. The technology is to be built into Windows Vista, the next version of Microsoft's flagship operating system, and will also be available for Windows XP.

But Higgins is in the very early stages, and analysts have been left scratching their heads about IBM and Novell's involvement in it and about why an announcement was made. There are no clear examples of where Higgins would be used, the timelines are sketchy and there are no actual products or workable code, analysts said.

"It is too amorphous--the picture is cloudy. It looks like it might develop into a very interesting picture, but what are the odds (of that happening)? We don't know," Forrester Research analyst Michael Gavin said.

Both IBM and Novell have products that could benefit from Higgins. These are products for managing identity and access, a market IDC predicts will grow to almost $4 billion by 2009. Typically, the software identifies users in a system and controls their access to resources within that system by associating user rights and restrictions with an identity.

Higgins should ultimately provide a framework that allows identity management products from various vendors to interoperate, representatives for IBM and Novell said.

Like Microsoft with InfoCard, Higgins can provide technology for use in developing software for PCs, said Anthony Nadalin, the chief security architect at IBM. On top of that, it should enable existing identity management products, such as IBM's Tivoli software, to work with InfoCard and other technologies, he said--a point that's perhaps more important to Big Blue.

Pseudomys higginsi, the Tasmanian mouse whose name inspired the project, emerges from obscurity.

"Our involvement in Higgins was a direct result of customers contacting IBM. They had heard about the Microsoft InfoCard project...and wanted to know how IBM was going to interoperate with InfoCard," Nadalin said. "There are many different identity systems out there today...Higgins is the glue that allows us to tie these various systems together."

Novell is backing the project for the same reason, said Dale Olds, a distinguished engineer at the software maker, which sells products such as Novell Identity Manager.

"A lot of times, businesses have already chosen a particular identity source, a directory service or any number of backend systems that control the information for their employees or customers," he said. "We see it as being in our best interest, and in the consumer's best interest, to have a system that works with any identity system--and that's what Higgins seeks to provide."

Interoperability could be a boon for organizations that use identity management products. Also, consumers could benefit, because they may have to enter fewer details when making transactions online. IBM plans to support Higgins in its products next year.

Big Blue appears to have a pretty clear concept of what it wants to do with Higgins, Burton Group analyst Mike Neuenschwander said. "They haven't told us everything that is going on, but I don't think this is a PR stunt. They have real engineers on it who have architected what they have been doing in identity management," he said.

Spot the difference

InfoCard and Higgins both promise to give people more control of their personal data when doing business online. The systems also should work with the multiple authentication systems on the Net, making it easier for people to manage Web logins and passwords.

But there are differences.

InfoCard is a Windows component that provides a user interface on PCs and services that allow the user to transact with service providers (such as online stores) and identity providers (such as credit card companies).

Higgins is broader in scope. It is a software framework designed to interconnect the various identity systems, and to help InfoCard and other existing identity management products interoperate. As such, it could lead to alternatives to InfoCard being created.

However, Neuenschwander did point out that there isn't much concrete information about the project or what it seeks to achieve. Furthermore, it is an open-source effort--IBM and Novell do not own or control the project, he noted.

"All IBM and Novell have really done is stated support for Higgins, and they want to take it in some direction that is beneficial to them. It leaves us to speculate," he said.

IBM and Novell conceded that there isn't much tangible about the effort. Indeed, the announcement was made to draw attention to the previously low-key open-source project, managed by the Eclipse Foundation and named after a long-tailed Tasmanian mouse. "It is early, and we want to kick-start it," Nadalin said.

Work will be done on timelines and specific usage examples, Olds said. "We're going to do some work on use case scenarios and are in the process of reworking the road map for what comes next," he said. "But traditionally, for open-source projects the road map is developed as the code evolves."

Background to InfoCard

Microsoft has described InfoCard as a technology that gives people a single place to manage authentication and payment information, in the same way a wallet holds multiple credit cards. An InfoCard client on a PC will connect with Web sites that need information for authentication or transactions.

Both InfoCard and Higgins take into account criticism of Microsoft's largely failed efforts with Passport, a single sign-on service unveiled in 1999. In the Passport system, people's information was managed by Microsoft instead of by the users themselves and the businesses they dealt with. This centralization of data is generally seen as the reason for the system's lack of popularity.

Microsoft is planning to update Passport and rename it Windows Live ID by next year. The service will make use of new InfoCard technology, a Microsoft representative said. Announced in November, "Windows Live" is the umbrella brand for a number of online services, including Windows Live Mail and Windows Live Messenger.

For now, Higgins is only real for software developers. IBM and Novell would like other vendors to participate, including identity management leaders such as Computer Associates, Sun Microsystems, Hewlett-Packard, Oracle and BMC Software.

"I think that a framework like this is the next logical step in the identity market and participation from a large number of vendors would be very valuable," Olds said. "However, I don't think it is required before this is a valuable step in and of itself."

While IBM and Novell see a clear future for Higgins, Burton Group's Neuenschwander is uncertain.

"To say where is this project going to be 12 months from now and what is it going to do--it is like predicting the weather a year from now," he said.