Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
There was a subtle theme permeating my discussions with identity vendors at last week's RSA Conference. It didn't come up in every discussion, but it was present more often than not. The "identity of things" - stuff that isn't a person, such as devices, services, applications, etc. - surfaced for public discussion at last year's Catalyst conference, where Burton Group CEO Jamie Lewis gave it prominence during his opening remarks and it was the main topic of the keynote address by Chris Stone, then Novell vice-chairman.
After Catalyst, though, there wasn't the full-blown public discussion of this topic that I expected. Instead, we got caught up in trying to define "identity" itself. But two seemingly quite different technology drivers brought us back to the identity of things as a major discussion topic at the RSA Conference.
It's a given in the identity business that Web services are architected on an identity foundation. It's also fairly evident to all that identity is the basis of regulatory compliance. But it's becoming more apparent all the time that it's not just the "who" identity that is important, but also the "what" and the "where" (i.e., the platform that the "who" uses to do the "what").
In order to deliver Web services properly, the provider needs to know the user, the user's permissions, the user's capabilities and the user's needs. The "needs" include precise data on the service, its version and its optional components. The "capabilities" reflect the hardware platform the user will use the service on.
In order to correctly log and audit activity for regulatory purposes, the compliance service needs to know precisely who is doing what to which information and where that activity is occurring. All of this requires that we can easily, automatically and uniquely identify the services, applications, and platforms that are being used as well as the attributes of each that are necessary to make a decision (for Web services) or satisfy a policy (for regulatory compliance).
Identifying devices is an outgrowth of both manufacturing and inventory control. A manufacturing bill of materials could be considered an identity document (with a serial number as a unique identifier) containing a list of attributes (the parts specifications) for an identified "thing." Inventory control, carried to its limits, uniquely identifies not only each desk in an organization but each drawer in each desk - and possibly each pencil in each drawer.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.