DOWNLOAD WORKING INFOCARD BITS

We now have bits that make it easy to try out InfoCard from Windows XP.  You can download them here.  In other words, we've moved beyond the problems of conflicting versions that plagued us earlier.

UPDATE:  Thanks to Rick for pointing out that when you follow the link, you'll see a button allowing you to download  Microsoft Pre-Release Software WinFX Runtime Components – Beta2.  Click on that button.  InfoCard is part of that Beta.  Sorry I didn't make this clearer.

This is still not the final UI – which is continuing to evolve.  There are also some known “issues”.  One is that when you export your cards and reimport them, the keys change.  Another is that there is an incompatibility with tablet PC meaning that, on tablet, you can only use InfoCard once and then need to reboot. 

None the less, you will get self-asserted cards out of the box (though there is no box).  I'll also be posting links to some managed cards so you can try that out.

For those who are interested in building relying parties and identity providers on the Windows platform, you'll get everything you need here.

Once you've got an InfoCard, go to “Login” or “Dashboard” at the top right of identityblog and leave a comment…  Let me know what you think.  There's no moderation – with an InfoCard you can publish directly to the blog.

PICTURE IT

Adam, at emergent chaos, has found a great image to help communicate the concept of compartmentalization of identity.  He begins by relaying one of my recent posts:

My central “aha” in studying the British government’s proposal was that the natural contextual specialization of everyday life is healthy and protective of the structure of our social systems, and this should be reflected in our technical systems. A technology proposal that aims to eliminate compartmentalization rejects one of the fundamental protective mechanisms society has evolved. The resulting central database, where everything is connected and visible to everything else, is as vulnerable as a steel ship with no compartments – one perforation, and the whole thing goes down.

Then he goes on to add:

It's a tremendously important point. Our lives are naturally, usefully, and importantly segmented. In 1959, Erving Goffman discussed this in the (still important) “Presentation of Self In Everyday Life.” (Wikipedia article, or some excerpts… I know. Books. Get over it, there's some useful stuff stored that way.)

His basic thesis is that we play roles: “school principal” or “mother” or “doctor” or “bribe-accepting Congressman,” and that each of these roles has its own quirks and presentations, and it is useful and important to separate them. An identity system that doesn't support that in powerful ways is far less likely to be adopted.

Paul Squires at Here, Now responds by starting to offer concrete examples of things we might expect of an identity card system that was designed to be maximally secure and protective of the privacy of its citizens. 

This is great.  We need to take it further and continue to brainstorm what is actually possible in the realm of identification, rather than remain mired in a framework defined by outmoded notions representing lowest-common-denominator technology and the minimal privacy/security bar. 

This is in effect what I was trying to say here and it’s a very important part of why an ID Card system on the scale the Government is attempting to force through will be doomed to failure. I had a very similar discussion IRL a few days ago with someone who is in favour of ID cards (in principle) and I don’t think the scale of this is fully appreciated.

Quite simply – the data revealed by a scan of my ID should be different, depending on what I’m doing at the time AND who the reader is. Obviously my doctor should be able to read different information from that of my local policeman, which will be completely different from the barman who needs only to verify my age (this is law 2 of Kim Cameron’s laws of identity). The fact that the police should also be limited in what they can read under any situation is also going to be vital… Additionally if I’m operating in the course of my business then personal information shouldn’t be revealed, but my business details could be. The context HAS to work two ways to form a minimum subset of data that can be revealed in a situation.

Why does all this seem so obvious to me?
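The “two-way context” Paul Squires describes above (the reader's entitlement on one side, the holder's current role on the other, and only their intersection released) is easy to state and easy to get wrong in practice, so here it is as working code. This is an added example, not code from identityblog or from any real ID card scheme: the reader types, holder roles, claim names and the subject record are all constructed for illustration. The one design point worth noticing is the derived claim “over_18”: the barman's age check is answered yes/no, and the birth date itself is never on the table for that reader, which is the minimal-disclosure idea of Law 2.

```python
"""Context-dependent claim release.

Added example, not code from identityblog or from any real ID-card
scheme. What is revealed is the intersection of what the reader is
entitled to ask for and what the holder is willing to release while
acting in a given role. All roles, claim names and the subject record
below are constructed for illustration.
"""
from datetime import date

# Constructed subject record (hypothetical person, hypothetical values).
SUBJECT = {
    "name": "Alice Example",
    "date_of_birth": date(1980, 5, 17),
    "address": "1 Example Street, Cork",
    "medical_record_id": "MR-0042",
    "driving_licence": "DL-7781",
    "business_name": "Example Consulting Ltd",
    "business_registration": "IE-123456",
}

# Reader side of the context: what each kind of reader may ask for.
# "over_18" is a derived yes/no claim; the barman never sees a birth date.
READER_ENTITLEMENTS = {
    "doctor": {"name", "date_of_birth", "medical_record_id"},
    "police": {"name", "date_of_birth", "address", "driving_licence"},
    "barman": {"over_18"},
    "trading_partner": {"business_name", "business_registration"},
}

# Holder side of the context: what the holder releases while acting in a role.
HOLDER_CONTEXTS = {
    "patient": {"name", "date_of_birth", "medical_record_id"},
    "driver": {"name", "driving_licence", "address"},
    "socialising": {"over_18"},
    "on_business": {"name", "business_name", "business_registration"},
}


def is_over_18(subject, today):
    """Derived claim: answer the age question without revealing the birth date."""
    dob = subject["date_of_birth"]
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= 18


def claim_value(subject, claim, today):
    """Resolve a claim name to the value that would be released."""
    if claim == "over_18":
        return is_over_18(subject, today)
    return subject[claim]


def release(subject, reader, holder_context, requested, today):
    """Compute the minimum subset of claims for this reader in this context.

    Returns (released, refused): released maps claim name to value; refused is
    the set of requested claims dropped because one side of the context did
    not allow them. An unknown reader or context releases nothing.
    """
    requested = set(requested)
    allowed = (requested
               & READER_ENTITLEMENTS.get(reader, set())
               & HOLDER_CONTEXTS.get(holder_context, set()))
    released = {c: claim_value(subject, c, today) for c in sorted(allowed)}
    return released, requested - allowed


if __name__ == "__main__":
    today = date(2006, 6, 1)  # fixed date so the example is reproducible
    for reader, ctx, asks in [
        ("barman", "socialising", {"name", "date_of_birth", "over_18"}),
        ("police", "driver", {"date_of_birth", "driving_licence", "medical_record_id"}),
        ("doctor", "patient", {"date_of_birth", "address"}),
        ("doctor", "socialising", {"medical_record_id"}),
        ("trading_partner", "on_business", {"business_name", "address"}),
    ]:
        got, refused = release(SUBJECT, reader, ctx, asks, today)
        print(f"{reader:16} as {ctx:12} -> {got}  refused={sorted(refused)}")
```

Two things the run makes visible that the prose only asserts: the same reader gets different data depending on what the holder is doing (the doctor gets nothing from someone who is merely socialising), and a reader asking for more than its entitlement does not get it even if the holder's role would permit it (the policeman asking for a medical record number while the holder is driving).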

ROOTKIT GUY EATS ALONE

Paul McNamara brings us a heart-warming tale of deserved retribution in Sony settlement and Mr. Rootkit over at Network World.

Unless he's been fired already — a not-unlikely scenario — someone is walking around Sony today known as The Rootkit Guy (we'll use Guy in the non-gender-specific sense here). I mean that code didn't simply leap onto those CDs; someone thought it was a clever idea and made sure it got there. Has to be one of the classic “What the (bleep) were you thinking?” moments in modern history.
 
And you can't help but wonder how that someone is doing today as news emerges that Sony has settled a class-action lawsuit — three, actually, combined into one — that looks as though it's going to cause Sony bean counters to pull their hair out by the rootkits. The agreement calls for those who purchased the CDs in question to receive their choice of a cash payment of $7.50 plus a free album download, or three album downloads.
 
We're talking about 15 million CD buyers.
 
If he is still at Sony, something tells me Rootkit Guy is eating lunch alone.

TRUTH IS STRANGER THAN FICTION DEPARTMENT

It's funny. I know pretty much everyone in this bizarre thread by Tom Raftery, and can't actually believe my eyes as I read it.   I wonder if, when we get all the other licensing issues worked out in the identity sphere, we'll find out Dick Hardt has trademarked Identity 2.0? (just joking, I think!)

Marc Canter called Cory Doctorow out yesterday. He said:

Cory Doctorow is one of the leading critics of DRMs, DMCA, copyright laws and the status quo – which often pits lawyers vs us. He’s worked for the EFF for years and helped found the #1 blog – Boing Boing. 

But he’s also a close buddy of Tim O’Reilly and Rael Dornfest and helps create the Etech conference every year – which is the cornerstone of the O’Reilly Web 2.0 empire.

So I’ve gone back and scanned BoingBoing over the last 36 hours – and guess what?

I can’t find a statement from Cory on his good buddy Tim – suing Tom Raftery – who is now MY good buddy, since I did a podcast with him, met him in Dublin at a Web 2.0 event and will be going to Cork – in November to speak.

I take shit like this personally.

So this is a public call out to Cory: “hey Cory – wassup dude? Which side are you on?”

Cory has subsequently come out of the woodwork with as biased a piece on this Web 2.0 furore as I have seen outside of the O’Reilly blog.

At first glance the article seems even-handed, reasonable even, until you realise that Cory has only linked to two articles in his post: 1) the O’Reilly response and 2) John Battelle’s response (John Battelle has a working relationship both with Cory and O’Reilly).

Then consider Cory’s language, he says that the dispute has been resolved amicably and that O’Reilly’s

has granted the con[ference] permission to use “Web 2.0” in its name

I’m sorry, what? They have granted us permission to use the phrase Web 2.0 in our conference? Wow, that was really generous of them, NOT. Should we also apply to them for permission to use the word “conference” in our conference title?

What if I trademarked the name Cory Doctorow here in Ireland. It wouldn’t be that hard, there can’t be that many Cory Doctorows here. Then say I got my legal team to send threatening cease and desist letters to Cory Doctorow saying I had trademarked that name in Ireland and that he had better refrain from using the name in the US. Then say I finally relented, called off the legal dogs, and said “Ok Cory, you can use the name Cory Doctorow – I will give you my permission to use it”. Would Cory feel I had been particularly generous to ‘allow’ him to use the name?

Of course not. Similarly, a trademark issued in the US has no jurisdiction whatsoever in Ireland. O’Reilly’s have no trademark for the term “Web 2.0” in Ireland. O’Reilly’s did not grant us permission to use the term – they had no authority over our use of the term in the first place.

Cory, if you are going to write a biased post that’s fine, everyone is entitled to that but you should really disclose your relationships with the parties you blog about (and link to the relevant posts rather than only linking to your friends).

UPDATE – Robert Hyndman has a fabulous post on the selfishness of trying to trade mark a term as generic as Web 2.0.
 

TANGLED UP IN BLUE

I promise I didn't mean to chide Paul Madsen, as he puts it in YACCP – Yet Another Conor Cahill Post 

Kim Cameron chides me for what he believes to be inappropriately cast aspersions on Conor Cahill.

I think if Paul had been present at the session he would actually have appreciated what Conor had to say. Objectivity and realism in sizing up deployment blockers, and transparency in setting expectations, is what will lead to success.

A couple of points in my defense:

  1. Conor and I have a long established tradition of casting aspersions on each other. When I think of my involvement with Liberty, I divide it into 2 periods – that initial period during which I was too intimidated by Conor's expertise and strongly voiced opinions to challenge him, and then the last couple of weeks.
  2. As quoted by Phil, Conor's statement about non-enterprise deployments could be misinterpreted. Conor doesn't blog so I thought I would give him an opportunity to clarify/expand by commenting on a post of mine. I chose sarcasm and satire in order to goad him over the pain barrier of making such a comment.
  3. This was part of a new marketing campaign by Liberty to put a more human face on the organization. New logo soon.
  4. The end result of an individual so strongly linked with Microsoft's identity strategy defending a Liberty-proponent (rather than laughing with delight over what might appear to be LAP-internal squabbling) and what this might imply for the future (or even just for the sake of irony) must surely justify some small artistic excess in my original post?

I'll be seeing Conor at a Liberty meeting in Washington tomorrow. Can't wait.

Actually, I'm the last person who would want to stop good natured banter between friends – or others.

Along that line, I guess Paul's point 3) above means I fell for yet more marketing gloop? 

Well, I can console myself with the realization that I've fallen for worse things in my life.  Anyway, getting the identity conversation as close as possible to reality is a good thing.

In terms of laughing with delight at the squabbling of others, I see you Liberty folks as allies in getting an identity metasystem done.  That's just where the dynamics of virtual reality will lead us.

 

TERMINOLOGY AND TALKING ACROSS EACH OTHER

Here is a piece Jon Callas (CTO and CSO of the PGP Corporation) sent to the “idworkshop” list recently.  I am often asked to speak about “identity management”, but the truth is, I don't actually know what people want me to discuss when they make such a request.  My working hypothesis has become that there are different aspects of identity management, rather than different definitions of it, and that people tend to concentrate on some aspect central to their current concerns.  Having a formal definition of these aspects, along the lines suggested by Jon, would help a lot.  This would be especially true if they had names we could agree on, numeric identifiers probably not being adequate in the long run…

When I first started hearing the term “identity management” show up at security conferences, I made a habit of going up to anyone offering products or services that they called “identity management”  and asking them what identity management is.  I found that there were two different things called identity management. I also started ending up at various fora where “identity management” was discussed.  I pointed out that identity management was not one thing, but two.  Then I found a third. Then a fourth.

At Financial Cryptography 2006, I was on a panel on identity management. I opened up the discussion with level-setting. Part of that level-setting was to describe these different types of identity management that are often related, but are still distinct.

At the last IIW, I found that the vagueness was all over there. At Monday's first session, E.E. Kim told us first that identity management is what I call IM(4), but then Paul Trevithick talked explicitly about what I call IM(2), and IM(1). My notes say that he was most emphatic that IM *is* IM(1). At various times in the workshop I heard people unknowingly talking about IM(i) and IM(j) at each other. Others would start with one and slide into another in a paragraph.

This week, I was at another security conference and one of the keynotes was by Ken Watson of Cisco and he spoke at length about the need for good identity management, but he was talking mostly about IM(3), with IM(2) being secondary and IM(1) being implied. We're not using the same language, even though we're all talking about more or less the same thing.

I think it's important to know that there are at least four things that are identity management, and maybe more. Here's my four, taken from my March slides at FC2006, with some added commentary:

    * Identity Management (1)
    – Traditional security notions of identification, authentication,
    authorization, reputation, etc. Oftentimes a “PKI.” Often times
    “AAA” systems.

The very first IM systems I played my little Socratic game with were PKIs and AAA systems re-labeled as “IM.” There was, in fact, no change in what the product was from the previous year. It was merely marketing spin.

    * Identity Management (2)
    – Mechanisms to reduce the annoyance factor of the above.
    Oftentimes a “Single Sign-On” system or password
    reduction/elimination system.

I consider these distinct, because at the same time I started seeing PKIs relabeled as IM, there were SSO systems relabeling themselves as IM. While the *concepts* are related, as I note, the *systems* were distinct. Also, when I interviewed people, some people would say, “Oh, IM is really PKI” and others would say, “Oh, IM is really SSO.” 
Furthermore, the systems they were building were distinct.

    * Identity Management (3)
    – Database management systems to facilitate accurate, speedy
    updates. Oftentimes, a human-resources system that keeps track of
    phone numbers, titles, building access, parking places,
    conference room reservation, “metadirectories” etc.

This is the most recent addition to my taxonomy, but I number it 3 here, because it is taxonomically related. I know of a couple of places in which a security company that did not call its PKI or AAA system IM acquired or built the entity management systems and started calling that addition “identity management.”

    * Identity Management (4)
    – Marketing systems that keep track of preferences, buying
    habits, loyalty programs, and so on so as to effectively send
    people ads that won’t annoy them. Much.

    – Note that this is the most different of the types, but still
    abuts them.
       – Also note that in this form, Alice does not own her
       identity

    – Important because it is closest to the colloquial definition of
    identity
       – It is the outside world's perception of who you are.

This is the type of IM that first got me to make a taxonomy. I had noted that IM1 and IM2 are not the same thing, but because the companies that do each are across the aisle at the RSA or CSI trade show, I just rolled my eyes at the sloppy language use.

When I was at an early spam-fighting conference in 2002, I detected groups of us not communicating. That turned out to be because there were the security people all talking about IM1, and the direct marketing people talking about IM4. We had to have a reset when I finally realized that when they talked about solving spam through IM, they did not mean what we meant. They wanted to make sure you never got an unwanted advertisement, and thus there would be no spam. Argue if you want, but not with me, please.

The very definitions of “identity” were different. If I take the definitions Paul Trevithick gave us on Monday, my group, the security group, were talking about what he talked about as “identity” (claims about oneself) and the marketing people were talking about “reputation” (claims others make about you). This doesn't exactly follow, because they wanted you to make claims about yourself that they will then tune. Nonetheless, it's important to understand both the imprecise language and that the terms have somewhat separated out, but are not exact.

However, I believe that it's important for us to be able to make these distinctions. We're not going to get anywhere without recognizing that IM1 != IM2 != IM3 != IM4, despite them forming a smear. I numbered them the way I did because fortunately, IM3 is related to IM2 and IM4, but not much to IM1. IM4 is somewhat close to IM3 but not much at all to IM1 and IM2. They do, thank heavens, form a spectrum.