The Identity Metasystem and its Identity Selectors

Paul Madsen at ConnectID makes a good point in his “Could someone hand me that hammer please?”:

I have a dead horse here that needs some beating.

Does ‘identity metasystem’ not imply “a pluralism of operators and technologies”? Isn't this even almost a law?

If so, should a TC focused on a single (albeit important) identity technology claim within its name the ‘meta’ scope?

The OASIS Identity Metasystem Interoperability (IMI) Technical Committee will work to increase the quality and number of interoperable implementations of Information Cards

The IMI TC's mandate respects the ‘pluralism of operators’ required by the metasystem definition, but not the other piece.

NB: Any comment that includes any combination of ‘forgot SAML token’ will be summarily rejected.


Metasystem and Identity Selector

Paul is completely right that the Identity Metasystem is a unifying model intended to bring together many contributing technologies – including Kerberos, PKI, browser-only federation protocols like SAML, WS-Security, WS-Trust and lightweight protocols like OpenID.  And in fact, reaching across this diversity is the most important thing about it.  Breadth is what allows us, as an industry, to create “one identity model” in terms of application development, deployment and, most importantly, user experience.

To make this vision a reality, we need a component of the metasystem that has been missing: a common “Identity Selector” (early examples being CardSpace and DigitalMe).

Clearly such an important component needs to evolve in the context of an international standards body, so the announcement of the new OASIS Technical Committee dedicated to Information Cards and their interoperability is an important milestone:

Boston, MA, USA; 23 September 2008 — OASIS, the international open standards consortium, has formed a new group to enable the use of Information Cards to universally manage personal digital identities. The OASIS Identity Metasystem Interoperability (IMI) Technical Committee will work to increase the quality and number of interoperable implementations of Information Cards. A rapidly-developing, Web 2.0-friendly method for shared light authentication, Information Cards let people authenticate themselves on multiple web sites without maintaining passwords for each site.

But back to the name 

While I think Information Cards are beneficial to the whole metasystem, they are not themselves the metasystem, and don't encompass all aspects of its interoperability.

For this reason, I don't personally think the OASIS committee's name is currently quite right.

I've never personally participated in OASIS or any other standards body (I have great respect for those who do.)  So I have no idea whether it is possible to tweak a name once a committee is formed.  If it didn't turn into a major time-waster, I think doing so would show everyone's respect for all the other contributions being made to the metasystem.  I would prefer a name that is more technically specific, like the OASIS Identity Selector Interoperability Technical Committee (ISI).

The people who put in the effort to set up the committee and come up with a name will rightly say, “I wish you had given us that feedback earlier” – and I accept that criticism.  Maybe I have missed my opportunity to provide feedback.  Basically, I was sufficiently excited about the emergence of the committee, and convinced that the Identity Selector did contribute to Metasystem Interoperability, that the potential issues with the name didn't jump out at me. 

And now to Occam

And now for something completely different.  In a recent post Paul also reveals the origins of the third law of identity, and makes a great connection:

“William of Occam was a 14th century English philosopher, best known for his ‘principle of parsimony’ in comparing different explanations for some phenomena.

entia non sunt multiplicanda praeter necessitatem

“When translated and applied to identity, it's clear that Kim's Law 3 was preempted by some 700 years:

entities must not be multiplied beyond necessity”

Paul Madsen's Identerati greeting cards

Paul Madsen has submitted the following card set for standardization with the ITU. 

Ashish Jain has already asked if the various options will light up according to the policy requirements of the person to whom they are sent.

Paul has assured all those concerned that the preference URLs will be standardized through the UN.

Hunky-Dory

Paul Madsen at ConnectID writes:

Kim defends CardSpace on the issue of the Display Token.

Personally, I think it's a UI issue. The concern would be mitigated if the identity selector were to simply preface the display token with a caveat:

The following attributes are what the IDP claims to be sending. If you do not trust your IdP, do not click on “Send”.

If the UI doesn't misrepresent the reality of what the DisplayToken is (and isn't), then we're hunky-dory.

And of course, CardSpace is not the only WS-Trust based identity selector in town. The other selectors are presumably under no constraints to deal with DisplayToken in the same way as does CardSpace? 

Paul has a good point and I buy the “general idea”.  I guess my question would be, should this warning be presented each time an Information Card is used, or just when making the initial decision to depend on a new card? 

I think the answer should come from “user studies”: let's find out what approach is more effective.  I hear a lot of user interface experts telling us to reduce user communication to what is essential at any specific point in time so that what is communicated is effectively conveyed.

Despite this notion, identity providers should be held accountable for ensuring that the contents of information tokens correspond to the contents of their associated display tokens.  This should be mandated in the digital world.
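Paul's caveat and the accountability point above both rest on the same thing: the DisplayToken must actually describe what is in the security token. As an added example (not code from this post, from CardSpace or from DigitalMe), here is a Python check that a relying party, or an audit tool at the identity provider, could run over a WS-Trust response. It reads the SAML 1.1 assertion under RequestedSecurityToken and the DisplayToken under RequestedDisplayToken and reports every claim that was sent but not shown, shown but not sent, or shown with a different value. The sample response is constructed; the namespaces are those of WS-Trust 1.2, SAML 1.1 and the Information Card profile, and the `claim namespace + '/' + attribute name` mapping is the Information Card convention for SAML 1.1 attributes. A selector usually cannot perform this comparison itself, since the security token is typically encrypted to the relying party, which is why the check belongs with the relying party or the provider rather than in the selector UI.

```python
"""Added example: cross-check a WS-Trust response's DisplayToken against the
claims actually carried in the requested security token (SAML 1.1)."""
import xml.etree.ElementTree as ET

# Namespaces used by WS-Trust 1.2, SAML 1.1 and the Information Card profile.
NS = {
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed sample response (not a real IdP's output).  The real token
# carries e-mail and date of birth; the display token shows e-mail and a
# given name that is not in the token at all.
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponse
    xmlns:wst="{NS['wst']}" xmlns:saml="{NS['saml']}" xmlns:ic="{NS['ic']}">
  <wst:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1"
        AssertionID="_constructed-assertion-1" Issuer="https://idp.example.test">
      <saml:AttributeStatement>
        <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS}">
          <saml:AttributeValue>alice@example.test</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="dateofbirth" AttributeNamespace="{CLAIMS}">
          <saml:AttributeValue>1980-01-01</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </wst:RequestedSecurityToken>
  <ic:RequestedDisplayToken>
    <ic:DisplayToken>
      <ic:DisplayClaim Uri="{CLAIMS}/emailaddress">
        <ic:DisplayTag>Email</ic:DisplayTag>
        <ic:DisplayValue>alice@example.test</ic:DisplayValue>
      </ic:DisplayClaim>
      <ic:DisplayClaim Uri="{CLAIMS}/givenname">
        <ic:DisplayTag>First name</ic:DisplayTag>
        <ic:DisplayValue>Alice</ic:DisplayValue>
      </ic:DisplayClaim>
    </ic:DisplayToken>
  </ic:RequestedDisplayToken>
</wst:RequestSecurityTokenResponse>"""


def actual_claims(rstr):
    """Claims in the SAML 1.1 assertion as {claim_uri: [values]}.
    Claim URI = AttributeNamespace + '/' + AttributeName (Information Card mapping)."""
    claims = {}
    path = ("wst:RequestedSecurityToken/saml:Assertion/"
            "saml:AttributeStatement/saml:Attribute")
    for attr in rstr.iterfind(path, NS):
        uri = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        claims[uri] = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return claims


def displayed_claims(rstr):
    """Claims the DisplayToken would show the user as {claim_uri: value}."""
    shown = {}
    for dc in rstr.iterfind("ic:RequestedDisplayToken/ic:DisplayToken/ic:DisplayClaim", NS):
        value = dc.find("ic:DisplayValue", NS)
        shown[dc.get("Uri")] = (value.text or "").strip() if value is not None else ""
    return shown


def display_token_mismatches(rstr_xml):
    """Return (claim_uri, problem, displayed, actual) tuples sorted by URI.
    An empty list means the display token is faithful to the real token.
    Multi-valued attributes are compared against the display value joined
    with ', ' (a convention of this example, not of the profile)."""
    rstr = ET.fromstring(rstr_xml)
    actual = actual_claims(rstr)
    shown = displayed_claims(rstr)
    problems = []
    for uri, values in actual.items():
        joined = ", ".join(values)
        if uri not in shown:
            problems.append((uri, "sent but not displayed", None, joined))
        elif shown[uri] != joined:
            problems.append((uri, "displayed value differs", shown[uri], joined))
    for uri, value in shown.items():
        if uri not in actual:
            problems.append((uri, "displayed but not sent", value, None))
    return sorted(problems, key=lambda p: p[0])


if __name__ == "__main__":
    for uri, problem, displayed, actual in display_token_mismatches(SAMPLE_RSTR):
        print(f"{problem}: {uri} (displayed={displayed!r}, actual={actual!r})")
```

Run against the constructed response, the check flags the date of birth as sent but never shown and the given name as shown but never sent; a faithful response yields an empty list. Either kind of discrepancy is what a provider should be held to account for, whichever way the selector chooses to word its caveat.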

By the way, I love Paul's recollection of the word “Hunky-Dory”.  He gives a nice reference.  Funny – I always thought it referred to a “certain beverage”.

What if we fail?

As innovators we need to think about what happens if our systems fail.  I've argued, for example, that the starting point for designing a secure system is to recognize it will be breached.

So I took Ben Laurie's recent piece on CardSpace as an invitation to review one more time what can go wrong with Information Cards and CardSpace. 

For those who don't know him, Ben has been a leading innovator in terms of open source SSL, and currently works at Google.  In his piece he writes that OpenID isn't gaining much traction.  Then he turns to CardSpace, which he says “appears to be supported only by Microsoft products.”

A number of people gagged on this, including Dale Olds of Novell (who nonetheless retained his unflappable charm).  Dale had just released his new DigitalMe product providing Information Card support for Mac and Linux.  In fact, at Digital ID World, the open source Bandit Project had launched a “Control Your Identity” campaign to promote awareness and use of information card technology. Hmmm.  I wonder if Linux is a Microsoft product?

MSN and Windows Live hook up InfoCard Beta

Video of Hotmail Beta of Information Cards

In this video of the Windows Live ID beta (1:20) we use Bandit's DigitalMe to register and log into Hotmail from a Mac.  If anyone has been concerned that Information Cards won't scale to handle large sites, they can relax now.  To see another version of the demo, this time using CardSpace, watch this (2:20). 

MSN and Windows Live CardSpace Beta

You can now use Information Cards at Hotmail and all the other MSN/Windows Live sites. 

Just go here to associate an Information Card with your existing account.   I found that both Windows CardSpace and the Mac DigitalMe information card selectors worked beautifully with the system.  Check out this video to see what it was like registering and logging in from my Mac using DigitalMe. 

It's worth taking a step back to think about what can go wrong when you add a feature of this importance to a site with 300 million accounts.  If things don't work, you don't have a software bug – you have a train wreck.  So the Windows Live people have done a lot of thinking, planning and testing in order both to create a cool experience and to keep from confusing their users.

There are still some anomalies.  In the words of the Beta announcement:

Start using DigitalMe for Mac

Over the weekend I installed “Digital Me for Mac” on my MacBook Pro and started using it with identityblog and other sites.  It's fast and totally does the trick.  I've made a micro video demo that gives you an idea of what it's like.

The install worked just as it should.  I ended up with a Bandit managed card, then went on to create a self-issued one so I wouldn't have to enter a password.  So now I can work on my site both from my Mac and my PCs.  I'm not sure if it works with Safari – I was using it with Firefox.

DigitalMe for Mac passed the Interoperathon

Bandit's contribution to the emerging identity metasystem is exceptional – we're talking about the DigitalMe Identity Selector for Mac and Linux, as well as relying party components.  I will post a download link as soon as one becomes available.  Novell's Dale Olds wrote about the Catalyst Conference and OSIS Interopathon here.