Carspace Sandbox

If you want to try out Cardspace, you should go to Cardspace Sandbox and follow the install instructions there.

Pamela Dingle has written about the site here.  Her description of Cardspace is great, although I really do recommend following the installation instructions.  In fact, if you don't follow them you will likely have problems.

Remember that if you have installed previous versions of various components, they probably won't work properly for login until you put in the new versions.  The reason is that in response to customers and other vendors, we have had to introduce “breaking changes”.  People tell us about things that can be improved, and we try to do so.  We've chosen not to become enmired in “premature backward compatibility” given that we are still in beta.

So I'll review some of what it tells you at the Sandbox:

Install Internet Explorer 7.0
  The Sandbox site currently requires Internet Explorer 7.0 Beta 3 when using Windows CardSpace.
Install the .NET Framework 3.0 Runtime Componetns July CTP
  The Sandbox site requires the .NET Framework 3.0 Runtime Components July CTP to be installed on your local Windows XP or Windows Server 2003 computer in order to use Windows CardSpace.
Start using Windows CardSpace!
  Create a new user account or login using your Information Card.  

Log into the Sandbox, and log into my site using the “Login” button.  You won't need to create an account.  Just answer the email my system sends you and you will be registered and able to comment.

Remember, if you have previous beta versions of .NET framework or IE 7 components above you need to go to the Control Panel->Add or Remove Programs, and delete them.  You'll find detailed instructions if you follow the install links.  I did it myself and didn't find it onerous at all, though I needed help removing the earlier version of IE 7.

Craig Burton writes:

Cardspace Sandox looks like a good place to have some guidance for Infocards and Cardspace. However, I have tried some of the stuff they recommend and got stopped because of the requirements.

In the mean time, I have issued myself an infocard but I have yet to find a place that accepts it–including Kim Cameron's identityweblog.

Waiting for Kim to respond. I would make a comment on his blog about all of this but I can't because I haven't figured out how to create an account.

This is ridiculous.

Indeed – there is a bit of Catch 22 since to put a comment on my blog, you need to log in with an infocard.

More and more people are getting Cardspace runing.  For example, while I was writing this, in came a comment posted by Bavo De Ridder, who wrote:

Ok, I have installed .NET 3.0 July CTP and since I already had IE7 Beta 3, it took only a few minutes, no reboot required. This stuff seems to be of good quality already! 

Bavo was able to add his comment without going through “moderation” – contributing to the identity silo thing.

Bavo was able to add his comment without going through “moderation” – contributing to .So courage my friends, and please follow the instructions posted at the Sandbox.  Like Bavo, I think the quality is getting quite good – the hard part is making sure your versions are right.

Get over to Craig Burton's blog

Craig Burton is blogging up a Perfect Storm at craigburton.com.  In fact he's posting so many nice little nuggets that you only see about a day and half's worth when you go to his site with a browser.  Make sure you navigate back using the calendar.

Since a couple of the recent pieces concern things I'm involved with, I'll pick up on those.

Let's start with the discreetly named Vendor Lock in Sucks:

Microsoft plans link between directory, Live services: ”

Microsoft is planning to sync its Active Directory with its Live Web-based services to give users single sign-on for applications and services both inside a company network and on the Web.

Technically a good idea. Fewer namespaces and fewer administration models. Reality is, customers are loathe to get roped into Msft centrism. Msft has yet to make the cut to OS inpdependent Internet services.

Trust me, that is the future. The longer they put it off, the worse it is for everybody.

The open source community isn't much better. Politics is winning over common sense.

It will be interesting to see how Ozzie guides the company towards this end. Gates hasn't, won't. Ballmer is worse, Allchin…I have no more to say about that.

Let me talk to Craig directly for a minute.

Craig, take a look at the Windows Live ID whitepaper and let me know what you think of it. 

In my view it is consistent with a number of the ideas you've brought to the industry for a long time now. 

As far as I can see, there won't be anything proprietary about the way Windows Live ID federates with Active Directory or anything else – it will just use the WS-Federation and WS-Trust specifications, which are being implemented more widely, by more vendors, every day – and can be used on a royalty-free basis.

So then how does this initiative lock anyone in? I'm a non-lockin sort of guy.  We need to win customer support by producing products that are cool to use and manage; that have superior reliability and integration with dev tools; and that are open to other implementations.

As for your comments on Bill (and his friends), you just can't produce the kinds of technologies we are about to deliver in fifteen minutes.  Our work has been going on for a while (!) and involved a lot of patient investment.  The truth is, Bill has been a great supporter of ubiquitous Internet identity and I want to stand up for all he's done to help, just as I would do for you.  This said, Ray also brings a lot to the table.

Craig also has a recent post on Cardspace:

A Sandbox to Play In:

Pamela Dingle, who always has the intestinal fortitude to ask the best darn questions at Catalyst (and other conferences), has posted a good “quick start” guide for anyone wanting to play around with Windows CardSpace. Via that post, I found this CardSpace “sandbox” site, which has some interesting pointers on it.”

Jamie Lewis points to some Cardspace resources. I opened my control panel the other day, and there was a new control panel named “Digital Identities.” It let me create an infocard. I have no idea what to do with it, but I know it came from Kim's group. I will try to find out more about this.

This is getting exciting.  So Craig, now, while you are on identityblog, choose Login.  When you get to the login page, click on my Information Card icon (a placeholder while we all agree on a real icon).  Let me know how that goes too.

UPDATE:  The original link for the Live ID Whitepaper was broken – I have fixed it.

Liberty, Open Space and Information Cards for Apple

Red Hat's Pete Rowley on the recent adjoining Liberty Alliance and Open Space events in Vancouver – and Apple support for Information Cards:  

The Liberty Alliance made a bold statement in Vancouver last week when it opened its doors for the first time to the hoi polloi. Now this was something interesting enough to demand a visit in of itself, but with the addition of an Open Space after the Liberty meeting, well, you knew I was going to be there right?

The first two days consisted of the regular business of the Liberty Alliance where visitors were allowed to attend any session except for the super secret board stuff. I attended many of the technical sessions which were interesting, though sometimes hard to follow as an outsider without access to the documents under consideration. I also took part in a session around privacy concerns that not only assured me that Liberty has them but that they are serious about dealing with the issues. The conversation turned at one point to outside perceptions of Liberty itself and its lack of openess to its internal process and draft documents. Somewhat ironic was the point made that nowhere was there to be found any information regarding the location of the Liberty conference, at least not to those without access to internal websites. A consequence of this being the first open meeting no doubt. In all, an interesting and worthy meeting.

The final two days were spent on the Open Space which was run in unconference format by Kaliya Hamlin and was excellent as usual. Topics ranged from SAML to Liberty People Service to how should we rename this user centric identity thing? Kim Cameron wrapped up with a lunchtime introduction to CardSpace that by popular demand lasted for nearly two hours. At one point Kim was asked whether Apple would have an identity selector like CardSpace and Kim redirected the question to me in my capacity as OSIS representative. As the newly appointed unofficial spokesman for Apple I suggested that if Steve Jobs would call me I’d hook him up.

So Steve, call me.

Gee.  That's an interesting idea.

Like Pete I took Liberty's Open Space collaboration as being a very positive step in increasing dialog and understanding in the identity community.  It was great to speak with a number of the Liberty people who have been leaders in moving identity technology forward over the last few years.  It strengthens my conviction that we are on the road to an Identity Metasystem reaching across platforms and underlying technologies.

Learning from experience in eGovernment

The Oxford Internet Institute (OII) has posted the Webcast of Jerry Fishenden‘s talk “myGovernment.com – government the way you want it”.

This looks at how new technologies, the emergence of Web 2.0 and the citizen/consumer as creator enable a whole new model of government services and interactions, with the citizen at their center. It was part of a day's workshop themed around “Learning from Experience in eGovernment: Why Projects Fail and Why They Succeed“.

You can find both a streaming media version (which requires Realplayer), or the downloadable version (which requires an MP4 player – I had to download Quicktime 7.1) at http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20060705_151.

Jerry is Microsoft's National Technology Officer in the United Kingdom, and a person I deeply respect for his wisdom and willingness to tell it like it is.

Some recent podcasts

Cardspace screenFor those new to Identityblog and looking for an introduction, here is a short interview I did recently with PTS-TV in England:

 

If you are ready for something more challenging, William Heath of Ideal Government got me thinking about the problems of overly-centralized identity technology in a podcast he described as follows:

Here's an exclusive interview with Kim Cameron, speaking with Jerry Fishenden to me and my colleague Ruth Kennedy. Famous as the Identity law-maker, Kim delivered Microsoft's Damascene conversion on identity matters and has become the catalyst for a new-found cross-industry sense of purpose about what it'll take to get digital identity and authenication that works for all of us.

He speaks exclusively to Ideal Government about the UK's ID developments in the context of state-of-the-art industry developments such as the Laws of Identity, Information Cards and the imminent ID big bang.

Note from administrator: (This was a 40 minute interview – the key sections are linked to the text below.

The whole podcast is available here.

This is the first Ideal Government audioblog/podcast so please forgive any clunkiness and background noise – it was a hot day and we were glad of the aircon.) Best way to hear the audio extracts

Firefox users: right click and “Open Link in New Tab”
IE users: I dont know. But when you find out tell me.
Also, anyone can insert inline audio to Expression Engine please tell me!

He sets out what he means by “Identity” (and there are many different meanings). He explains what Information Cards are, and how Microsoft has implemented them under the brand name Cardspace. He explains why for all its regrettable clunkiness the ageing UK Government Gateway is more secure and privacy-friendly than the proposed Home Office ID system, and it's revealed that there is a working version of Information Cards showing UK Government Gateway transactions. But this isnt Passport/Hailstorm revisited: it's as clear to Microsoft as to anyone that this has to work for everyone. We need a cross-industry big Momma identity backplane, and then the identity big bang can happen. But no one entity, country or authority can be in control.

He sets out where his work stands in relation to a user requirement for the ID we need for e-enabled services in the UK. Users decide, he says. If the system isn't widely adopted, it fails. As an architect, he expresses his concerns about the Home Office's ID card system. Too much information is in the same place. It's a colossal blackmail-generation machine. Every system will be breached, he says. If you dont understand that, you don't understand security and should not be talking about it.

He's pretty frustrated about the prospect of a lugubrious ID system which will inevitably damage trust in e-services. But a combination of the difficulty of the undertaking and the common sense of the British public means it will fail. The Brits are sensible, he finds. Tall as he and I are, we all recognise there's a limit: you can't survive if you're much over 11′. “They're trying to build a 60′ man here,” he says. All the technology people he knows feel the same way.

Yet he's very optimisic: UK identity systems can be efficient, secure, privacy-friendly and cheap, he says. The example of an ideal ID architecture he offers is pretty close to home: it's the Scottish Executive. How pleased will the Scots be to have an expensive and ill-conceived UK-wide system forced upon them, in a new West Lothian twist?

Baby, you can watch my car

If you aren't following Tom Maddox's Opinity Weblog, now is a good time to start.  This piece made me wonder what will become of us all:

License plate recognition technology is going into the private sector, says Wired:

Watch this carIn recent years, police around the country have started to use powerful infrared cameras to read plates and catch carjackers and ticket scofflaws. But the technology will soon migrate into the private sector, and morph into a tool for tracking individual motorists’ movements, says former policeman Andy Bucholz, who's on the board of Virginia-based G2 Tactics, a manufacturer of the technology…   

Giant data-tracking firms such as ChoicePoint, Accurint and Acxiom already collect detailed personal and financial information on millions of Americans. Once they discover how lucrative it is to know where a person goes between the supermarket, for example, and the strip club, the LPR industry could explode, says Bucholz.

Private detectives would want the information. So would repo men or bail bondsmen. And the government, which often contracts out personal data collection — in part, so it doesn't have to deal with Freedom of Information Act requests — might encourage it.

So if you don't want to be under surveillance, I guess you'll just have to move out to the hinterlands, off the grid, and out of automobiles–at the very least.

You know, this whole pervasive surveillance thing is getting depressing, especially when you combine it with RFIDs and ubicomp and similar technologies. It's Big Brother, Little Brother, Uncle Private Eye, Little Snoopy Sister, and every other nosy parker you can think of.

If you're interested in these sorts of things, my old buddy Bruce Sterling, who surfaces in the blog from time to time, writes pretty often about them in his Wired blog, Beyond the Beyond, which I highly recommend anyway on the grounds that Bruce is about as on top of things as anyone can be without having his head explode.

For more samples try this piece on the recent Eric Norlin / Ben Laurie exchange (my attempted joke that Ben must have had a “bad-hair day” is qualified as incendiary).  And there is a beyond the fringe story on the targeting of Craigslist users for violent crime (hmmm, seems like we might want to know who we're dealing with before an in-person meeting – which happens to be Opinity's forte).

Finally, there is news of what Tom calls an “OpenID Bounty”.  He puts it this way:

Cool open source news from OSCON: The OpenID folks have announced a $5,000 bounty to be awarded to the first ten software projects that implement OpenID as an identity provider or relying party.

I'm delighted to say that Opinity is one of the sponsors of the project. (There is a full list of sponsors on the OpenID site.)

To qualify for the bounty, the projects must also be distributed under an OSI approved license and have at least 200,000 internet users of currently installed public instances and 5,000 downloads a month. (There are other technical requirements; those interested should check OpenID's site.)

This is a really innovative way of encouraging development of both open-source development and adoption. If someone develops OpenID implementations for WordPress or MediaWiki–both of which would qualify for the award–doing so would open the door for desktop identity management for users. And, of course, all sorts of cascade effects will likely follow. I can see, for instance, developers creating OpenID implementations for a wide range of other blog and wiki platforms.

At this point, user-centric identity management needs, above all, users. The technical guys are working like speed freak beavers to create protocols and systems, so it's time to get this stuff on the desktop and into operation.

 

O2’s FREE monthly handset teaches how to be phished

The relationships between enterprises and their “designated agents” are often pretty murky from a customer point of view.  In the old days, few people cared.  But in the world of phishing, we need a lot more clarity about who is representing whom – we need to know if an offer originates from a someone legitimate or not.

In this postBen Laurie shows just how hard the current identity patchwork (read “architectural black hole”) makes it to know what is going on – even if you're one of the top Internet security people in the world. 

Ben tells us, “O2 like phishing…”:   

They must do, or they wouldn’t do stupid things like this.

I got an email, looking just like this:

We’d like to say ‘thanks’ for being a great customer by offering you either a FREE Pay Monthly handset upgrade OR £100 credit added to your account – provided you haven’t recently upgraded.†   

And it couldn’t be easier. All you have to do is renew your contract with O2 before 31st August 2006.

If you choose to renew your contract for 18 months, rather than 12 then there’s even more on offer:

If you prefer to talk we have a range of Talker plans with Double Minutes each month*. For example, on an Online 500 Talker plan you’ll get 1000 minutes and 150 messages each month for £35.

If you prefer to text we also have a range of Texter plans which offer 50% Extra Minutes and Texts each month*.

For example, on an Online 500 Texter plan you’ll get 750 mins and 750 messages each month for £35.

To see our full range of handsets and offers and to renew your contract, click here.

And thanks again for choosing O2 .

† The information used in this mailing is based on your contract status as at 30th April 2006. Unfortunately, if you upgraded after this date your new contract means you won’t be eligible for these offers. Terms and conditions apply.

*Offer subject to ongoing connection to eligible tariff see letter for details. Promotional allowances must be used within the month. Unused allowances cannot be carried over into subsequent months.

OK, I removed some maybe-identifying data from the link, but you’ll notice the link goes to http://www.o2-mail.co.uk/. “Oho”, says I, being a suspicious sort, “that’s not O2’s website, I wonder who managed to register it?”

$ whois o2-mail.co.uk   

Domain name:
o2-mail.co.uk

Registrant:
Vertis

Registrant type:
UK Individual

Registrant’s address:
The registrant is a non-trading individual who has opted to have their
address omitted from the WHOIS service.

Registrant’s agent:
MCI Worldcom Ltd [Tag = UUNETPIPEX]
URL: http://www.uk.uu.net/

Relevant dates:
Registered on: 01-Aug-2003
Renewal date: 01-Aug-2007
Last updated: 04-Aug-2003

Registration status:
Registered until renewal date.

Name servers:
ns0-o.dns.pipex.net
ns1-o.dns.pipex.net

Hmmm, a non-trading individual who wants to renew my phone contract, eh? Think I’d better check that out – but what a shame, http://www.uk.uu.net/ doesn’t actually resolve, so looks like I’m not talking to them. And, oh dear, Nominet are closed until Monday, so that avenue is out, too.

The mail itself, incidentally, purports to come from o2-email.com, a domain which they didn’t even bother to register.

So, fearing nothing, I clicked on the link – which redirects me to http://www.o2renew.co.uk/. Here we go again.

$ whois o2renew.co.uk   

Domain name:
o2renew.co.uk

Registrant:
AIS Group Ltd

Registrant type:
UK Limited Company, (Company number: 3561278)

Registrant’s address:
Berners House
47-48 Berners St
London
W1T 3NF
GB

Registrant’s agent:
Global Registration Services Ltd [Tag = GRS]
URL: http://www.globalregistrationservices.com/

Relevant dates:
Registered on: 14-Apr-2005
Renewal date: 14-Apr-2007
Last updated: 27-Jul-2005

Registration status:
Registered until renewal date.

Name servers:
ns25.worldnic.com
ns26.worldnic.com

At least this has an address, if I could be bothered to follow up, which I can’t, but this all looks a bit fishy. To compound the fun, I also got a text on my mobile with the same offer, but anyway, I phone O2 customer services. They explain that this cannot possibly be O2, it must be one of their “marketing partners” who will, if I fill in the form, renew my contract with O2, but via them. And, presumably, or maybe not, give me a new phone. I ask where they got my email address and phone number, and the answer is that at some point I left a box ticked that said it was OK for partners to send me stuff.

So, do O2 condone this practice, I ask? The answer is, apparently, that they do. They don’t even mind, it seems, that the website has O2 branding on it.

If O2 is going to allow people they have contractual relationships with to do this kind of thing, how on Earth do they expect consumers to learn what is phishing and what is not?

Ben's aproach is the only one you can take with today's web technology.  Basically, you need to know how to analyse subdomains and understand DNS paths.  Given this, one wonders why O2 condones the use of URLs worthy of the best phisher.  It is cutting the last safety line we have been able to clutch between our fingers in trying to achieve even the most marginal Internet safety.

Still, I find myself choking on the idea that for people to understand they are being phished, they need to understand subdomains and the intricacies of DNS.

One of the great advantages of the way Information Cards work is that the site the user is visiting (in this case O2.co.uk) can specify its designated agents in a cryptographically secure fashion.  In this case, O2 could specifify O2renew.co.uk as the entity the user should exchange identity information with.  The user would be guaranteed that this was an extension of her relationship with O2, with O2renew acting as an agent of O2.co.uk.

 

The House of Lords on Pervasive Computing

Britain's Parliamentary Office of Science and Technology recently issued a briefing on Pervasive Computing that is well worth reading.  In the words of the report, “Pervasive computing has many potential applications, from health and home care to environmental monitoring and intelligent transport systems. This briefing provides an overview of pervasive computing and discusses the growing debate over privacy, safety and environmental implications.”

A few days ago, the marvellous Baroness Gardner of Parkes led a discussion of pervasive computing issues in the British House of Lords, of which she is a member.  To some, the unelected House of Lords has seemed like an anachronism.  But as a simple observer, I am struck by the facility of some of its members in understanding the transformational force of technology on our society.  I wish more political thinkers shared their cogency and interest when examining these matters.

So let's listen in as Baroness Gardner of Parkes, in the company of the Countess of Mar, Lord Avebury, the Earl of Northesk, and Lord Campbell of Alloway, question Lord Sainsbury of Turville about the issues of pervasive computing:

Baroness Gardner of Parkes asked Her Majesty’s Government:  Whether they will introduce legislation to protect privacy in response to the growth of pervasive computing.

The Parliamentary Under-Secretary of State, Department of Trade and Industry (Lord Sainsbury of Turville): My Lords, there are already in place regulations to protect privacy in the electronic communications field. The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998 implement the relevant EC directives in this respect. The Government will keep this legislation under review as the use of technology develops over time.

Baroness Gardner of Parkes: My Lords, I thank the Minister for that reply. I am sure that he will know that 8 billion embedded microprocessors are produced each year, which is an alarming number. The Parliamentary Office of Science and Technology states in its POST note that it is important that the volume of transmitted data should be kept to a minimum, that transmissions should be encrypted and sent anonymously without reference to the owner and that security should be treated as ongoing. The Minister has said that security will be treated as ongoing. Evidently, there is some concern about whether manufacturers should be encouraged to build in safeguards from the very earliest stage. Will the Minister comment on that?

Lord Sainsbury of Turville: My Lords, I do not know whether trying to keep the amount of information to a minimum is a realistic strategy. This will clearly be a huge and developing trend in the future; now that microprocessors have in-built communications, this will be a growing field. The Privacy and Electronic Communications Regulations were introduced to address just these questions. They require, for example, a system of consents for processing location-based data. Service providers are required to take appropriate technical and organisational measures to safeguard the security of services. For the moment, that seems to be appropriate legislation but, as I said, we will need to keep it under review as the technology develops.

The Countess of Mar: My Lords, what is Her Majesty's Government’s view on the report of the Leeds NHS trust, which stated that there were 70,000 instances of illegal access to patient data in one month?

Lord Sainsbury of Turville: My Lords, patient data would be covered by the Data Protection Act. Clearly, if there is that number of instances of illegal access to data, there is something wrong with the systems in that place. That should be taken up in the light of the Data Protection Act.

Lord Avebury: My Lords, is the Minister aware that the British Computer Society has appointed an expert committee to look into the implications of pervasive computing? If any legislative changes are required, it would be sensible to wait until that committee had reported. On medical applications, does the Minister agree that the use of devices for sending data from within a patient’s body to outside recorders has proved to be an enormously valuable diagnostic tool, with no privacy implications for the patients?

Lord Sainsbury of Turville: My Lords, we must wait and see how the technology develops before we rush into any kind of regulation to control it. There have, as yet, been no complaints to the Information Commissioner on this area of location-based services. Information taken out of people’s bodies by such technology can clearly be enormously helpful medically.

The Earl of Northesk: My Lords, does the Minister agree that the issue is as much about ownership of the huge amount of data routinely collected about all of us as it is about privacy? If so, what stance do the Government take on the questionable legality of the Home Office authorising the DNA database to be used by the Forensic Science Service to research whether race and ethnicity can be determined from DNA samples?

Lord Sainsbury of Turville: My Lords, the Question was about pervasive computing, which is a specific area. The whole area of data protection is covered by the Data Protection Act 1998. Pervasive computing is a completely different subject.

Baroness Gardner of Parkes: My Lords, does not the Minister agree that there is—according to this POST note, for example—debate about whether the Data Protection Act covers the matter? The National Consumer Council is concerned about whether people could have all their information transmitted from, say, their home—or even their body, as was described in relation to medical things—and not know that it was being obtained or what use it was likely to be put to. That could be a bad use.

Lord Sainsbury of Turville: My Lords, as I said, there are two pieces of legislation: the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations. The second obviously covers the security of data communication from one place to another. As I said, that involves issues of consent and security, which are well covered in that legislation. Of course, it may turn out that the legislation does not properly cover the subject and that there are issues to be considered. As I said, however, there have been no complaints on that point as yet.

Lord Campbell of Alloway: My Lords, will the Minister explain what pervasive computing is?

Lord Sainsbury of Turville: Yes, my Lords. This is an interesting subject. Some microprocessors now have in-built communication facilities. The most obvious example of that is radio identification. I do not suppose that the noble Lord ever goes to the back of his local supermarket, but if he did he would see that packages that are brought in have an identification code that can be read electronically without taking the goods off the pallet. That is done by radio communication and is an enormous step forward in efficiency. The same principle applies to smart keys; one can open a car door from a range of three feet with a smart key, using the same technology.

 

Soothing music all around

Google's Ben Laurie continues with a post I'd call “Cogent with cloudy periods”:

Not surprispingly, my post “Google Account Authentication” attracted some pretty instant responses, as well as comments on the post itself.

On further reflection, comparing Live ID with Google’s authentication is comparing apples and oranges. Live ID may allow people to choose who they accept authentication from, but where does it say that anyone is planning to accept anyone’s word other than their own? In particular, where do Microsoft say they’re going to grant access to Microsoft properties using identity tokens issued by anyone other than Microsoft?

Interesting. Let me explain how I see it. The Windows Live ID whitepaper is about the technical architecture of Windows Live ID, and new capabilities allowing it to be part of a standardized, multi-centered, federated identity fabric. This includes support for Information Cards. Reading the paper, it's easy to see how enterprises or groups of users could gain access to Windows Live services using their native systems federating with Windows Live ID, rather than requiring separate accounts. The business model for this would be totally straightforward.

Now, in terms of how the protocols work, a similar federation relationship could be established between a Windows Live and a Yahoo or a Google. But the business models there are way harder to figure out. You need multiple players to buy in – it needs to be a win/win/win. I don't think anyone has figured this stuff out. Basically, it's a lot easier to change technologies than to change business models.

Still, to me, it makes sense to put a safer, more flexible technical infrastructure in place that offers advantages within current business models while simultaneously laying the groundwork for new approaches as they arise. But let's try to see the two as relatively autonomous.

Ben continues:

Eric Norlin says: “Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport.” But is this actually true? What Microsoft appears to have learnt is that it can’t get everyone to accept its credentials. So, what’s the next best thing? Get everyone to use MS technology for accepting credentials. Perhaps that’ll even lead to Passport Mark II where the default is to trust Microsoft. Where does Microsoft’s work on Infocard or Live ID or whatever-the-passport-nom-de-jour is show that Microsoft has any intention whatsoever of opening their silo? What it shows is that they think everyone else should open their silo.

This mish-mashes so many orthogonal ideas together that it gets a wee bit looney. If the following sounds disconnected, it's because the way Ben connected things doesn't make any sense to me:

  • It's true that a lot of us at Microsoft want to “open the silo”. That doesn't make it easy, or make it obvious what to do.
  • WS-Trust is not Microsoft Technology, unless IBM is now part of Microsoft – not to mention the hundred or so other companies who have worked on the WS specifications.
  • Information Cards are not Microsoft proprietary for two reasons: first, the protocols are in OASIS standardization and available royalty-free; and, second, because there is a consortium building real open-source implementations today (OSIS).
  • I don't understand why Ben wants to confuse a service offering like Windows Live ID with a cross platform technology initiative like the Identity Metasystem.
  • I'm even more mystified at the implication that our Cardspace implementation of Information Cards is a plot. It doesn't offer special advantages to Windows Live ID. Services like those offered by Google get equal billing with services that might come from Microsoft. What is the sin here?
  • Given the difference between services and open cross platform technology, why call Cardspace “the-passport-nom-de-jour” – except to be naughty?

Anyway, I'm just going to assume Ben had a bad hair day, which everyone has a right to.

Parhaps the flurry of postings made it look like people were ganging up on Google – not at all my intention – I still think that on identity our interests converge and we're all in similar places.

At any rate, Ben concludes thus:

Fred asks: “could you explain why Google shouldn’t allow their accounts system to be accessed by Yahoo credentials?”

All I can say is what I already said: there isn’t a widely used, mature, reliable, secure identity federation mechanism available today. Whether Google wants to do this or not, in practice, they can’t. Such decisions have to wait for standardised mechanisms to emerge, in my view.

Dick is “suprised to see this post given conversations we had”. Well, Dick, if the fact that I don’t always agree with you is surprising, then you’d better stock up on soothing music or something.

I think the situation calls for soothing music all around. How about Iggy Pop?

Eric Norlin and Dick Hardt hold firm

Eric Norlin responds to the Ben Laurie post I addressed here

Ben Laurie, an employee of Google who is quite clear about the fact that he does not represent Google itself, is responding to my earlier post contrasting Google and Microsoft. Ben's pushing back on my contrasting of Google's Account Authentication versus Microsoft's Live ID, and my treatment therein. Specifically:

1. Ben states that “everyone knows” that Google only annnounces what they've already done (as opposed to what he sees as Microsoft's urge to announce what its going to do).

2. There is no “mature, reliable, secure identity federation mechanism” that's widely used (thus, implying that there's nothing for Google to use).

3. That the release of Google Account Authentication does NOT deepen the existing internet identity silo.

4. That I have (somehow) fallen into the “newspaper trend” of writing articles that are “critical regardless of facts.” (ouch)

Let me try to respond:

1. I guess that subconsciously I knew that Google only announced what it had already done, but that really wasn't the point of my piece. My piece was a contrast meant to highlight an observation that I was making — namely, that Microsoft had learned a lot of important lessons from Passport; lessons that companies like Google may not have learned. Now, at the end of the day, I'm dependent upon my ability to observe based upon my available information. Since Google's PR department is — shall we say — a little opaque, most of us journalist-blogger types are left to discern what we can from what Google has done or is doing (precisely as Ben says). Furthermore, since no one from Google contacted me to correct me about my observations regarding Google's Account Authentication (I'd be glad to be officially corrected), and since Google has not changed what they're doing in any significant way, then I have no new information to change my mind.

2. Ben's right that there is no “internet scale” identity federation mechanism. SAML has gained widespread adoption, but is not suited for “internet scale.” Same goes for Liberty. There are, of course, a TON of people working on this problem — OSIS, YADIS, Sxip, the identity gang, Microsoft, etc., but I won't argue with Ben on this — there isn't a mechanism that's widely used.

3. We disagree on point number 3 — and Dick Hardt presents why. In response to Ben's statement – “What kind of credential did you expect to present? Your Yahoo login?” – Dick responds, “Uh, actually, yes.” This points out the fundamental problem at the heart of all of this “identity 2.0” stuff that I've been talking about: the existing silos (Google, Yahoo!, eBay, etc.) have *no* immediate business reason for opening their identity silos (at least, not that they can see). Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport. At the end of the day, Google is reinforcing its identity silo. That was the ultimate point of my post – and the one that I wish Google would respond to openly and directly.

4. I actually don't think I have fallen into some “newspaper trend.” If anything I am (and Digital ID World is) a member of the larger identity community. My post relied solely on the facts that Google has given me. If they change the facts (i.e., correct me), then I'll change my observation. At the end of the day, this is a communal exercise, and if I somehow have a misperception of what's going on (from Google's or Ben's point of view), then I'd bet that *lots* of people in identity have the same misperception. And if that is true, then its Google's PR department's job to change it.

Let me close with this: I'm not trying to start some “vendor war,” or make Google “evil,” or take shots at the big kid on the block, or anything. We started Digital ID World because we knew that identity was a huge problem that crossed all boundaries, and we wanted it to turn out okay. It could go badly. It could not turn out okay. Its quite possible that the silos only get deeper, the walled gardens return, identity never has its “browser moment” (where it explodes into common usage). Do I want to see identity succeed? You bet I do. I don't think I've ever hidden that. As such, I try to call things as I see them.

Bottom line: I'd love for someone who does represent Google publicly to correct my horrible misperception of what they're doing in identity. In fact, they can come be on the Digital ID World keynote panel — “What do the largest internet sites think about identity?” –and make sure the entire identity community understands them (that's an open invite). Google, will you join us and set us straight?

Meanwhile, Dick Hardt says:

Ben Laurie from Google responded to my post on Google Account Authentication: two steps forward, one step back. A few comments that I’d like to respond to:

Duh, of course you have to provide a Google credential, you’re going to access a Google service. What kind of credential did you expect to present? Your Yahoo login?

Uh, actually, yes. That is the idea behind Identity 2.0, that I could use my Yahoo login to authenticate to Google and to access Google services.

How does allowing applications to access a user’s Google services deepen anything? Did Dick actually read what these services do?

Yes, I did read with great interest what the services do. As for why this deepens the identity silo, these new identity APIs make it easy for non-Google applications to consume Google services, but it is tied to the user’s Google credential, increasing the value of that Google credential, but creating a bigger barrier to services similar to Google’s, and increasing the users reliance on the Google credentials. Good for Google, but starts to reduce user’s options.

As of right now, what are the options? Is there any mature, reliable, secure identity federation mechanism that’s widely used?

Ben is correct, there is no mature, reliable, secure identity federation mechanism that’s widely used. But that has not stopped Microsoft from working to create one and announcing that they will be using it in their products in the future. Google could participate in defining Identity 2.0 architectures and make them widely used because they are Google.