Scoble Knows

In response to my question about how Future Salon's Identity Meeting had gone, Robert Scoble just sent me a link to Niall Kenedy‘s amazing full report. The blogsphere still blows my mind.

Last night I attended a Future Salon presentation about digital and online identities. The event was hosted at SAP in Palo Alto.

Eric Sachs of Google spoke about Google's relatively new entry into the digital identity realm with services such as Orkut and Gmail. Jeff Hodges of Liberty Alliance talked about identity systems in the enterprise marketplace. Fen Labalme of Identity Commons talked about identity systems built at the grassroots level for non-governmental organizations.

I recorded all three speeches as well as the question and answer period using a directional microphone from my seat in the front row.

Eric Sachs

MP3 audio

19:14, 8.7 MB

Jeff Hodges

MP3 audio

15:40, 7.1 MB

Fen Labalme

MP3 audio

22:49, 10.3 MB

Questions & Answers

MP3 audio

36:34, 16.6 MB

Just in passing, Scoble's recent piece on geek jewlery was right on target. Coming back from Open Group I sat beside a cat who was flying the full shuffle regalia and did he ever look cool. And happy.

Brilliant writing on the wall..

Click 'video clip' at left While perusing the Future Salon, I came across something which I have to call a must-see. To quote the futurists:

ACLU has an excellent video clip out that beautifully crystallizes what is at stake with you and your Identity

This is a brilliant communications work by Micah Laaker of Sedapa, who founded his agency “with the express goal of making content understandable through the use of solid information design.” He's worked for clients ranging from Def Jam Recordings to the Partnership for a Drug Free America, and here he has hit a home run in terms of clarity.

In two minutes, Micah conjures up, with sardonic humor that freezes in mid laugh, a world in which the laws of identity are all broken simultaneously. This is a battering ram for knocking over any system embodying disrespect for identity's laws. That might prompt some to just take it “as propaganda”. But anyone who did that would be missing the point. Micah's piece is a harbinger of what is to come should we, technologists, not succeed in understanding our own subject matter.

One can argue that ACLU has an agenda, and created this piece in keeping with that agenda. Certainly it intends to use the video to influence legislation. But ACLU too is a predictable entity responding to and creating objective phenomena. Another indication that, if we want a unifying identity system, the laws of identity must be taken as laws, not simply architectural principles.

Bay Area Future Salon Does Identity

A group of Bay Area futurists had a meeting on Identity this week called, “Who am I? Your identity online and beyond.” (Details here). The organizers were familiar with the Laws of Identity.

It featured Eric Sachs from Google, Jeff Hodges from Liberty Alliance, and Fen Labalme from Identity Commons. Does anyone who attended want to tell us how it went?

I've never belonged to a futurist organization, but it sure must be fun. Imagine an environment where you have to say, “Will you people stop thinking about the future for a moment, and just think about today?” Yikes.

Taking the Id out of Identity

Doc Searls, Editor of Linux Journal, has written a note pointing people to this conversation.

Kim's work would be remarkable in any case. The fact that he does it for Microsoft is especially portentious — in a positive way. Kim has always been a tireless advocate for heterogeneity, inclusiveness and interoperability. Given that fact, plus his genius, it's fun to watch the back-and forth between him and other important voices in the Identity Conversation.

I admire Doc as a man who understands a whole lot about our society and sees with super clarity that everything is in motion, in a process of continuous renewal. He always surprises me and that keeps me coming back to the fount.

And he's big enough to allow renewal to encompass all of us, instead of just those of us on “this side of the barrier”. He's one of the main reasons I wanted to blog.

James Kobielus

Now that I have FeedDemon, I've been able to catch up on what's happening in some more blogs. Where should I start?

James Kobielus has been doing some interesting stuff. You may remember we had a little spat where he bonked me for my “cypherpunk ways”. Is there such a thing as a “bad blog day”? Anyway, the truth is we agree on a lot more than we disagree on – and he has written very cogently about the issues I am passionate about.

There's a lot of ground to cover, but today I'll talk about his recent post on email as federation. He says:

Internet e-mail has been a federated messaging environment for quite some time: that’s been key to its success. I define “federated messaging” as “messaging domains that establish trust relationships under which they can choose to accept each other’s messaging assertions and honor each other’s messaging decisions – or reject them – subject to local policies.

I like this, though I would add that the key to early success seems in retrospect to have been that everyone chose a policy of “whatever” – or “no policy“. Who configured a security policy in SMTP back in the eighties or even the nineties?

Then he points out – and I really like this – how the essence of the messaging problem is the identity problem:

Federated messaging depends on a constrained variety of federated identity—in this case, each mail domain being able to register, vouch for, and manage its own mail identities (e.g., username@maildomain1.com).

So I like the framework James proposes, though as far as I can tell, we are only beginning to move toward email relationships based on proactive policies employing federated identity. In fact we've only gone a few inches (or maybe centimeters) in the right direction.

An example of progress? Well, some corporate SPAM filters are now designed to accept mail from known partners and servers – those with whom there is an established pattern of communication. Meanwhile they may apply extremely stringent controls to mail from unknown parties. And more recently people have begun working on designing and deploying “edge servers” that use cryptography and more formal trust relations.

But aside from these late initiatives, made necessary by goops of SPAM clogging our communications channels, hasn't SMTP messaging basically been a free-for-all with an identity system drastically weakened by its lack of authentication?

It's not as if we didn't know better. The 1988 X.400 specification had thoroughly captured all the issues (except, er… usability) and responded with a rigorous (some might say authoritarian) design. A bunch of people, like me, had even implemented systems based on it that worked. But in practice, the very necessity of establishing relationships between domains (federation) and the business models of the federators (e.g. – at the time – various telecom players) made X.400 look lugubrious and heavy-handed in comparison to the bottoms-up do-your-own-thing of SMTP.

I sure saw the writing on the wall. The score was to be Simplicity 98, Security 2. And we need to learn from this outcome, because the factors shaping it continue to apply even as we come, at the social level, to understand more about the need for privacy (of which protection from SPAM is an aspect).

So I'm not quite as pessimistic as James when he says:

Messaging federation, it seems, hasn’t deterred identity thieves in their efforts to grab identities scattered all over kingdom come. Instead, it’s made them more ingenious, creating a widespread directory-harvest-attack infrastructure. Lots of machines throughout the cybershmear are trained to raid the many mail-directory honeypots for unprotected spammunition.

I think the attacks he enumerates result from the lack of authenticated federation, rather than being caused by it. And I think our Unifying Identity System will in the end be the most significant contributor to solving these problems (there will also be short-term tactics that play a role as we get from “here” to “there”).

It was predictable that SMTP would triumph over X.400 in the early days of electronic mail because of its ease of deployment and use. It was predictable that this very ease of deployment would lead to the ravages of email SPAM. And it is now predictable that new identity-based technologies will arise to solve the problems of which SPAM is actually a mere symptom. Again, these are all examples of objective dynamics – from which superior architectural principles did not shield us.

James closes with two darn good questions about the inevitable attacks on the emerging identity infrastructure – questions which should not leave our minds for one second:

What form will they take? How can we nip them in the bud?

FeedDemon Is Just Too Cool

Thanks to Jamie Lewis, who recommended it highly, I've started to use FeedDemon by Nick Bradbury. Probably everyone in the world knows about this product except me, but I thought I would mention it because it has made my life so much easier (yes, my friends, and better!).

I had a wierd experience installing it – it just didn't function even though I rebooted, confessed all the bugs I had shipped in earlier lives, did some mea culpas and everything. Maybe I should admit that I attract bugs like a light attracts moths. Anyway, the next morining FeedDemon worked like a real good demon, and has done so perfectly ever since.

In my moment of failure I had written to FeedDemon technical support with my sad story. Who do you think answered but creator Nick Bradbury himself. I love that connectedness between creator and user. And surprise. He subscribes to this weblog. Nick said he had never heard of these symptoms before, so I suspect my problems have to do with some of the more “experimental” software I have installed on my machine.

Feedster gives you the ability to stay on top of a lot of feeds. It collects RSS feeds (called channels) into channel groups (e.g. “Identity”). It serves up a newspaper for what's new in a channel group. Or lets you peruse the headlines in an email metaphor. And you can opt completely out of the email metaphor as Nick himself does.

Some of my friends use products that display RSS feeds within Outlook. That's a great option, but I like the fact that I can keep my email distinct from my RSS feeds. I already have more than enough to archive and organize in Outlook.

I also look forward to playing with some of the new FeedDemon features like support for podcasting (present in the shipping product). I listen to podcasts by keeping a collection on my 1 gigabyte mobile phone. It looks like FeedDemon already has enough integration with Media Player that I'll be able to automatically get my podcasts onto my phone. I'll keep you posted.

Let's watch our connotations

Again, I need to quote Jamie verbatim:

Since Kim Cameron now has me “hovering” over the laws of identity, I figure I better get busy and find some new hairs to split. (I’ve never been compared to a starship before, and I'm not sure exactly what it means, but it's the best compliment I've had in weeks.)

And that's how it was meant. I was trying to conjure up the beautiful many-sidedness of Jamie's mind… Not to mention his teleportation beams and forcefields.

Once again, I have a general comment regarding semantics and the terms Kim’s using to describe the principles (or laws, if you prefer).

As you may have noticed, Kim has used the term “universal identity system” several times in defining the laws, and I’ve seen it crop up in a bunch of other blog postings. As I said in my previous post about architecture principles, terms (and connotation) are crucial. Loaded terms make it harder to understand and communicate how any complex system will evolve. And I’d be hard-pressed to come up with a more loaded term than “universal.” Maybe it’s just the way I’m hearing it. I’m certain that my reaction is due to some weariness over revisiting the same arguments so many times over so many years. But for my part, when anyone talks about a “universal identity system,” my first instinct is to put my money in my shoe.

Your shoe, Jamie?

The fifth, er, principle (the Law of Pluralism), demonstrates that Kim isn’t advocating one globally unique identifier, one single “uber” identity system. In fact, he's advocating just the opposite. (His thoughts on centralization are clear as well.) When Kim uses the term “universal identity system,” he means “universal” in the sense of a widely accepted, highly scalable approach, applicable and usable across the diverse and wide-ranging Internet. He’s talking about enabling a truly distributed system that can bind many different applications, use cases, and identity systems into a more meaningful (but logical) whole.

I whole-heartedly agree with the principle Kim has outlined in the fifth law. It’s crucial that we get this one right. If we can’t agree on the fifth law, we’ll forever be arguing over how to make the others work.

Because it is so crucial, I’m concerned that some folks will interpret “universal” to mean “uber,” as in one single identity system operating on a single standard, in spite of Kim’s intention. That’s precisely what X.500, X.509, and other attempts to solve this problem are and were about. And there are some folks who just seem genetically pre-disposed to approach the problem from a top-down, if-we-can-all-just-agree-on-one-single-identifier perspective.

That's right, and this is the very opposite of what we are trying to achieve.

The multiple previous attempts to build “global” and “universal” identity systems failed for multiple reasons. But if one thing seems clear, it’s that top-down, fully centralized systems don’t seem to work for identity, at least not on an Internet scale. We’ve been there, done that, and found that it didn’t work. Hopefully, we’ve learned these lessons and won’t have to re-learn them repeatedly.

To ensure clear agreement on this important principle, then, we need to do one of two things: either define more clearly what we mean by “universal” in this context, or create an alternative term that doesn’t connote the “uber” system.

You're right, Jamie.

In defining the fifth law, Kim also uses the term “metasystem.” On one hand, I like “metasystem” better because it connotes more of what we’re shooting for. On the other hand, the “meta” prefix has its own baggage (some of which I helped create). Some people may think the term “metasystem” implies the stateful synchronization that meta-directories strive for, which isn’t the case. Clearly, Kim based the laws on his extensive experience with meta-directories. So maybe we can reclaim the “meta” prefix, re-define it based on what we’ve learned. In any case, “metasystem” is better than “universal identity system,” at least for me, and for now. In my next post, I’ll drill down a little more on why.

I agree with everything you say (except the part about the shoe). For the time being, in my recent post on the developments in the UK, I used the word “unifying”. But sure. We should take back the term “Meta”.

I'm looking forward to the next chapter. And doing version 1.1 of the Laws.

Break The Law and Unification Goes Down The Drain

Late-breaking news from William Heath of Ideal Government:

That list of companies you cite is serious evidence of the growing political risk in the UK of making the wrong choice on identity architecture. The list comes from an activist group whose brainstorm of ideas includes card burnings, occupations, targeting companies, electronic disruption / hacking, graffiti etc. It's called “Defy ID” and proposes a day of action today (28 Jan) so perhaps it's keeping police busy at this very moment.

It joins an established UK ID opposition group called No2ID. Both groups are antis.

The initial opposition is to a card, but on closer inspection it's the register that offends. I dont yet see either putting effort into proposing a better alternative. Personally I'm hardcore non-violent and against damage to property, but otherwise entirely in sympathy with the antis.

My “Ideal Government” blog is of course not ID focussed; it is about WIBBIs (=”wouldn't it be better if..”s)

Here we are seeing how disregard for the Laws of Identity leads to the unnecessary fracturing of social agreement. If this agreement cannot be reached, the system no longer embraces “the whole”. The ideological say they don't care. But those of us seeking to build a unifying internet identity system cover our eyes and wonder, much as we would if our neighbor were building an inverted pyramid with no structural support.

This whole situation is also an example of why the underlying dynamics we have been examining appear to me as laws, not simply design principles.

UK ID cards…

Here (thanks to Ideal Government) is a piece from the UK where Sarah Arnott advises forgetting about the proposed brick and mortar ID Card and instead concentrating on a government-issued electronic identity. Sarah thinks a single identity is sufficient for everything. She also says:

It is unlikely that ‘function creep’ will inaugurate a Big Brother state.

More probable is that the government will spend fantastic amounts of money on an inflexible and ineffective plan, conceived out of political expediency, achieving nothing more than a vague notion of improved security.

And a useless piece of plastic.

And another fiasco to be added to the already battered reputation of public sector IT.

Ideal Government has also published a list of companies which have announced their intentions to bid. A lot of smart people there – it will be interesting to see if the plan evolves to take advantage of advanced identity technology more in conformance with the Laws.