A unique demonstration showed user-centric identity software from major vendors, start-ups, one-woman projects and open source hackers all working in concert to replace passwords with validated identity-card access to Web-based resources.

The two-hour interoperability demonstration hosted at the annual Burton Group Catalyst conference was co-sponsored by the Open Source Identity System (OSIS), which is a working group within the Identity Commons project to unite the leaders of open source efforts around digital identity.

The OSIS steering committee includes CA, Cordance, IBM, Microsoft, NetMesh, Novell, Nulli Secundus, Oracle, Parity Communications, Ping Identity, Sxip Identity and VeriSign.

The demo's intent was to show that emerging user-centric identity systems -- which put users in control of their own identity information -- can be federated and act as a universal identity mechanism for access to Web-based resources.

This identity layer is commonly known as the "identity metasystem" a term coined by Microsoft identity architect Kim Cameron.

But while the lofty goal of user-centric identity is still in the distance, Wednesday's demonstration showed that it is obtainable.

The demonstration focused on technology that uses identity protocols OpenID, WS-*, and the Security Assertion Markup Language (SAML). While the user-centric identity model today is more closely aligned with consumer needs, corporate users see the technology as a potential means for handling some of their own federated identity issues.

"This seems to address a number of enterprise needs that we have," said an IT architect for a Fortune 50 company he asked not be identified. "It could provide our community of company retirees with credentials that are better than a user name and password and that are more cost effective to manage and that are going to be more user friendly. It seems like a perfect model, so I am excited about that."

But he said the key will be that all the different protocols interoperate -- or better yet, get boiled down to one -- because if they don't, it will necessitate integration middleware that he said would make the technology less attractive because of added costs and management headaches.

The OSIS demonstration began to wash away some of those fears.

Participants included such groups as the Bandit Project, the Eclipse Foundation's Higgins Project, Internet2 Shibboleth Project, the Pamela Project, XMLDAP and SocialPhysics; and vendors BMC Software, CA, FuGen Solutions, IBM, Microsoft, NetMesh, Novell, Nulli Secundus, Oracle, Ping Identity, Sxip, VeriSign, and WSO2.

The room included 42 separate user-centric identity applications or projects sharing credentials and identity infrastructure to sign users into a photo-sharing Web site.

Independent developers Chuck Mortimore and Ian Brown were in the back of the room showing off their OpenInfoCard and Safari InfoCard browser plug-ins, respectively, in what they jokingly termed the "hippy section."

"It's hard to tell if all this succeeds, what we need now is real users to be involved," said Mortimore, whose open source project is a reverse-engineered implementation of Microsoft's CardSpace technology.

CardSpace is an identity card technology included in Windows Vista.

"I'm a big believer that there has to be a common experience across all these platforms so someone like my mom can walk in and start using it," said Brown.

The two developers, who work on their projects in their spare time, were set up within yards of IBM, Novell, Oracle and Microsoft, which was using Windows to send an InfoCard, based on Mortimore's technology, to access a Web site using open source technology to request the credential.

Microsoft also was demonstrating a new version of CardSpace that will ship with Windows Vista SP1 at the end of this year.

"This milestone [the interoperability demo] represents the fact that it is in all our best interests to make this identity layer for the Internet happen," said Mike Jones, director of identity partnerships for Microsoft. He said user-centric identity can provide much more phishing-resistant logons that also can include data about the user, such as age, that can be used to personalize and control access to services.

"All the previous fear and doubt about, is it safe to build software that interoperates with CardSpace, is something I'm not hearing now," said Jones.

In September 2006, Microsoft introduced the Open Specification Promise (OSP) and cut intellectual property and patent claims to 35 Web-services protocols, many of which form the foundation for its CardSpace technology. The move opened the floodgates for open source developers and others, such as Novell and IBM, to develop and integrate identity card interfaces and infrastructure technology for issuing and requesting credentials.

Now corporate users are taking notice of the results.

"This demo shows that a tremendous amount has been accomplished and is a strong statement about how fast this concept is maturing," said Gerry Gabel, an analyst with the Burton Group. "The enterprise has to start thinking about how to apply this technology. Based on what we are seeing in this room, they have to ask if they will use it and where. There are multiple opportunities here."

Earlier last week at the Catalyst Conference, the Concordia Group, which focuses on driving interoperability across identity protocols, explored those opportunities with major users including AOL, Boeing, General Motors, the Government of British Columbia, and the U.S. General Services Administration (GSA).

The participants discussed such issues as authentication, personalization, privacy, access control, secure outsourcing, implementation costs and regulatory impact.

"The fact that GM and Boeing are thinking about this is good, because those guys are serious enterprises," said Burton's Gabel.

But he and others caution the technology still presents many questions, including appropriate use for high-value and low-value transactions based on dollar values or privacy concerns, commonality of the identity selector among the user interfaces, and formatting of identity data.

"The identity selector is probably the most fragile piece, and it does the most work," said Tony Nadalin, IBM's chief security architect. "And how do we get the same look and feel across all the user interfaces?" Nadalin said similar interoperability events need to be repeated over and over again until everything is right. "We're not done."

In addition, Mark Wahl, CEO of Informed Control, said the identity schema, or data formats, used today are hard-coded but need to be consolidated into a metadata model to provide flexibility and the easy addition of new data types. He is working on a model called Schemat with the Higgins Project, which includes IBM, Novell and identity vendor Sxip.

"One problem we had when developing [the Lightweight Directory Access Protocol] LDAP was that when you extended the schema with a new attribute, you had to go to each vendor and have them put in the new schema," said Wahl. He said that model did not scale. "We want to make it easier to extend the [identity] schema, easier to make changes and add attributes and that will take a common metadata model."

The goal is to add to the promise of user-centric identity systems enhancing federation of identities and improving everything from access control to privacy.

"I'm not sure what I'm looking at yet," said one IT architect from a major bank he did not want identified. "But there are enough interesting things going on here that it's time to come take a look."