Thanks to both Kevin Hammond, Cardspace guru of Casa de Hambone fame, as well as Delbert Murphey, former Architect Evangelist, former managing/chief architect at General Motors, and now Biztalk wunderkind, for their critical insights on this topic!  This post follows up an earlier post on the possible use of human identity management techniques to reduce some of the $500 Billion of industrial counterfeiting in the world today.   

While the need to address counterfeiting is certainly real, Cardspace in its current form is primarily a client-side mechanism for letting users select and transport identity credentials  On the server side, it's SAML tokens.  Net: Cardspace in present form may not be the right approach. 

Thanks also to Jon Brusseau, Technology Strategist for Microsoft's Manufacturing Vertical and Atanu Banerjee, an Architect and supply chain expert on Microsoft's Architecture Strategy Team for suggesting that Aerospace and Defense industries may be ahead of the rest of industry on this, perhaps due to high individual part values?  (I wonder if the need to reconstruct airline crashes might play a role here, too...?) 

If anyone can share some insight into how airlines, aerospace, and defense industries manage something similar to a "part identity", please let me know.  :-) 

In light of the feedback I've gotten so far, here's a high level process description to illustrate a way to potentially help combat part counterfeiting by using human identity as model.    Please let me know what you think. 

1. Manufacturers of goods (or of tags) would purchase unique, random numbers from a trusted third party

2. Each RFID tag would be assigned a unique code

3. The unique RFID code and product-type code (part number?) and the manufacturers digital signature would be matched together to create an Identity Triplet

4. The Identity Triplet would be registered with the trusted third party

5. The trusted third party would guarantee that:

  • The unique RFID code is truly unique (or the random, unique code could be assigned at this point???)
  • The manufacturer pairing the identity triplet is who they say they are

6. The manufacturer would ship goods to a buyer

7. As part of receiving goods, the buyer would read RFID tags

8. The buyer would send the Identity Triplet to the trusted third party

9. The trusted third party would evaluate each part of the Identity Triplet: the unique code, part number, and digital signature

10. If the actual Identity Triplet values match expected values stored at the trusted third party:

  • The trusted third party provider would return a “Pass” or  “Part Authentic” message

Else:

  • Return a “Fail” or maybe a “Part Suspect” message

Would this give buyers a robust way to guarantee that the product they receive was created by a known manufacturer, and that the product in front of them is that product?  

For simple parts that change hands in the value chain but are not built up into more complex parts, it seems like this process would also give subsequent buyers a way to guarantee that the original manufacturer identity is known and that the part received is indeed a part from that original manufacturer. 

For parts that get built up into more complex parts, the story is probably, well, more complex.  For example, a "built up" part might get a new tag with a new Identity Triplet. (Which might also then require a way to deactivate the first tag -- yuck....)

The build up process might also open up the door to a notion of Compound Identities.  This could get computationally and storage intensive for RFID tags if there are many parts that make up a larger part.  In that case, perhaps a separate (from the RFID tag) manifest should include the Compound Identity information instead of attaching the data physically to the part itself?  This gets closer to the ePedigree aproach. 

Despite these difficulties, the concept of a Compound Identity might benefit from a complementary identity selector (like a Cardspace).  Perhaps this would let each tier select what to send to the next tier?  Or let each receiving tier select which elements of a Compound Identity to validate?  This would probably need to be happen programmatically, rather than as part of a human selection process.... 

Well, one thing is abundantly clear:  the details are definitely NOT all worked out here!  :) 

Please let me know what you think: 

  • Is this idea getting closer or farther away? 
  • Is this idea evolving on the right track? 
  • Does human identity management offer useful inspiration as a way to combat counterfeiting in discrete manufacturing? 
  • Is there a better approach to reigning in industrial counterfeiting? 

Thanks to everyone who's share their thoughts so far!  :-)