Category: Identity Metasystem

Ping unveils Managed Card IP written in Java

Ashish Jain of Ping Identity seems to have broken another barrier by demonstrating a “managed card” identity provider written in Java.

In the world of InfoCards, we talk about two kinds of “identity provider”.  One is a “self-issued” card provider, through which individuals can make claims about themselves.  The other is a “managed” card provider, which supports claims made by one party about another party. 

Examples of managed card providers could include claims made by an employer about its employees; a financial institution about its customers; an enterprise about its customers; or a reputation service making claims about its users.  While the technology for posting tokens from an identity selector like Cardspace to a web site can be very light weight (RESTful), that for building managed card providers is more challenging.

Here's how Ashish puts it:

The Managed Card IdP as well as the RP server that we demonstrated at DIDW is now available for a test run. It’s still early access…so expect some issues. But if you do want to try early, give it a go. It should give you an idea of the things to come.

baby_beer400x299.jpeg

Please do the following (you need to have RC1 client installed on your machine).

  • Access the IdP Demo here.
  • Enter your information and click ‘Get Card’.
  • When the popup happens, click “open” to save it to the CardSpace Client. Alternatively, you can save it to the disk and double-click to install it. (You can change the extension from .crd to .xml if you are interested in looking at the contents).
  • Close the CardSpace Client.
  • Next go to the RP site here.
  • Click on the Managed Infocard Image.
  • Your CardSpace client should pop-up at this time and only the relevant card should be available for selection.
  • Select the card and it will challenge you to enter your IdP credentials. The server doesn’t perform any password validation at this time (as long as the username is correct).

And you should be logged in to the Relying party. The relying party page also displays the IdP as well as the RP message flow.

I tried it and it definitely worked for me.  I'll do a screen capture.

I don't know if the picture in Ashish's piece shows something he drank as a baby, but if so, a lot of other programmers may want to try some. 

 

Privacy characteristics of the Identity Metasystem

Microsoft has just completed a whitepaper that looks systematically at how the proposal for an Identity Metasystem advances privacy.  

The document offers a useful general overview of how the Metasystem is intended to work – in a form I think will be accessible to those concentrating on policy.  It also contains an instructive analysis of how the Metasystem embodies the principles articulated in the European Uniion data protection directives. 

I will run some exerpts that I think will be of general interest.  But I suspect all those interested in policy and identity technology will want to download the document, so I've added it to the roster of Identityblog white papers. 

  1. Privacy & MetasystemIntroduction
  2. Existing ID Card Schemes
  3. Anonymity, Privacy, and Security
  4. The Identity Metasystem
  5. The Seven Laws of Identity
  6. Roles
  7. Microsoft’s InformationCard Technology: Windows CardSpace
  8. Scenario One: Basic Protocol Flow
  9. Scenario Two: Protocol Flow with Relying Party STS
  10. User Experience
  11. Creating an Information Card
  12. Logging In with an Information Card
  13. Submitting an Information Card
  14. Example of InformationCard Interaction
  15. Privacy Benefits of Windows CardSpace and the Information Card Model
  16. Protection of Users Against Identity Attacks
  17. Information Card Technology and EU Data Privacy
  18. Overview of EU Data Privacy Law
  19. Data Controllers and Their Legal Obligations
  20. EU Data Privacy Laws and Information Cards
  21. Legitimate Processing
  22. Proportionate Processing
  23. Security
  24. Limits on Secondary Use
  25. Conclusion
  26. Acknowledgments 

From the Executive Summary:

Just as individual identity is fundamental to our face-to-face interactions, digital identity is fundamental to our interactions in the online world. Unfortunately, many of the challenges associated with the Internet stem from the lack of widely deployed, easily understood, and secure identity solutions. This should come as no surprise. After all, the Internet was designed for sharing information, not for securely identifying users and protecting personal data. However, the rapid proliferation of online theft and deception and the widespread misuse of personal information are threatening to erode public trust in the Internet and thus limit its growth and potential.      

Microsoft believes that no single identity management system will emerge and that efforts should instead be directed toward developing an overarching framework that connects different identity systems and sets out standards and protocols for ensuring the privacy and security of online interactions. Microsoft calls this concept the Identity Metasystem. The Identity Metasystem is not a specific product or solution, but rather an interoperable architecture that allows Internet users to use context-specific identities in their various online interactions.

This paper describes the Identity Metasystem and shows how it can meaningfully advance Internet user privacy. In particular, it will show how Microsoft’s contribution to the engineering of the Identity Metasystem—the Information Card technology—promotes privacy in three primary ways:

  • First, it helps users stay safe and in control of their online identity interactions by allowing them to select among a portfolio of digital identities and use them at Internet services of their choice. These digital identities may range from those containing no or very little personal information (perhaps nothing more than proof of an attribute such as age or gender) to those with highly sensitive personal information needed for interacting with financial, health institutions, or obtaining government benefits. The key point is that a web site or service only receives the information it needs rather than all of the personal information an individual possesses.
  • Second, it helps empower users to make informed and reasonable decisions about disclosing their identity information by enabling the use of a consistent, comprehensive, and easily understood user interface. Moreover, this technology implements a number of advanced security features that help safeguard users against identity theft by reliably authenticating sites to users and users to sites.
  • Third, and more generally, Information Card technology is hardwired to comply with data privacy laws and conforms to key requirements in the European Union’s privacy regime, including legitimate and proportionate processing, security, and restraints on secondary use.

In short, this new framework and new technology offer a cutting-edge solution to the digital identity debacle that is stifling the growth of online services and systems.

I want to congratulate Ira Rubinstein, Internet Policy Counsel for Microsoft, and Tom Daemen, a senior attorney in his group, for writing this analysis.  Other contributors include our Chief Privacy Stragegist, Peter Cullen, and Caspar Bowden, Chief Security and Privacy Officer for Europe.  Not to mention the inimitable Mike Jones, well known for his contribution to Identity Metasystem thinking.

Although the document uses the Cardspace implementation in illustrating its points, it's my hope that everyone working on the Identity Metasystem across the industry benefits from this work, since the notions apply to all of us.

Privacy czar pushing for better ID protection

Anne Cavoukian's remarkable speech to the International Association of Privacy Professionals is available here  in MP3 (total time: 23 minutes) .  

It's a ground-breaking speech.  It defines a new intersection between the privacy community and those of us who've been working in the blogosphere to understand and advance identity. 

It represents a substantial widening of the discussion we've been having in these pages. 

Dr. Cavoukian and her team have come up with a version of the Laws of Identity that teases out the privacy implications and articulates them with reference to the privacy discourse that has emerged over the last decade. 

I'll be publishing Anne's version so everyone can ponder the implications.

Here's how the CTV national televison network described Anne's initiative:

Ontario's information and privacy commissioner says she supports a new global online identity system to protect consumers.

Dr. Anne Cavoukian said there are currently few ways for online consumers to tell the good guys from the bad guys.

“The existing identity infrastructure of the Internet is no longer sustainable,” she said. “Something must be done now before consumer confidence and trust in online activities are so diminished as to lead to its demise.”

The solution lies in the global online identity system based on seven “privacy-embedded” laws, she said.

“The Internet was built without a way to know who and what individuals are connecting to. This limits what people can do and exposes computer users to potential fraud,” said the release.

As a result, people are subject to new crimes like “phishing,” in which people are fooled into sending key information to what they think is a trustworthy business, but is actually an identity theft criminal.

The seven laws would create an “identity layer” for the Internet that would guard against such acts.

The “laws,” or principles, are:

  1. Personal control and consent
  2. Minimal disclosure for limited use: data minimization
  3. Justifiable parties: “need to know” access
  4. Directed identity: Protection and accountability
  5. Pluralism of operators and technologies: minimize surveillance
  6. The human face: Understanding is key
  7. Consistent experience across contexts: Enhanced user empowerment and control

The benefit of law 1 would be that an Internet user would store their identity credentials rather than in a centralized online database.

Law 2 would help by minimizing the amount of information given out for a given transaction — and that only the right information be given.

“In the privacy world, a cardinal rule is that the identification provided should be proportional to the sensitivity of the transaction and its purpose. Why should a credit card number ever be used to verify one's age?” Cavoukian said.

These laws grew out of a global, blog-based dialogue amongst security and privacy experts, she said.

With the next generation of Web-based services (“Web 2.0”) emerging, more identity credentials and more trust will be required to make it work, she said.

Microsoft — proprietor of the Windows operating system, the fundamental software that allows a computer to run — is obviously a major player in personal computing security.

Cavoukian said Microsoft's next-generation operating system, called Vista, has some features that will help protect identity.

Vista, which is set for release in January, will introduce a technology called Cardspace. The system will use “infocards,” which will allow websites to verify a customer's identity without receiving or keeping personal or financial information.

Banks could function as middlemen in online purchases, sending payment confirmation to a retailer without sending the person's credit card number.

There would also be different infocards for different applications, much as people have different cards in real life for different purposes.

At a news conference on Wednesday, Kim Cameron, Microsoft's chief identity architect, said Cardspace is a start. He also said it can't just be a Microsoft thing.

“It has to work across Microsoft, Linux, Apple, every possible permutation and combination. It has to work on computers, it has to work on cellphones so it's really a very all embracing thing.”

Some companies have agreed to start accepting infocards, but Cameron wouldn't name the firms.

Both Cameron and Peter Cullen, Microsoft's chief privacy strategist, said another advantage of this coming system is it will allow users to avoid “password fatigue.”

Currently, people need to pick a user name and password when they register at an Internet website.

Because it's difficult to remember a large number of passwords, some use the same password for all websites, which creates a security risk.

 

Ontario Privacy Commissioner extends the Laws of Identity

Here is a post from the Toronto Globe and Mail's Jack Kapica on a development I'll be writing about over the next couple of days – the Ontario Privacy Commissioner's active support for those of us in the industry building an identity metasystem with “embedded” privacy.  This is a remarkable turn of events.

Dr. Cavoukian is one of the preeminent voices for privacy world-wide, and her early and active involvement will help ensure we technologists continue to go in the right direction.  I'll be podcasting her press conference and address to the International Association of Privacy Professionals (IAPP) Conference being held this week in Toronto, Canada.  She has also agreed to share the remarkable documents she and her colleagues have produced to tease out the privacy implications of the Laws of Identity.

Anne Cavoukian's work extends the conversation into a whole new milieu.  And what could be a more auspicious beginning than the vote of support from Jack Kapica, widely known and respected for his careful vetting of all things technological.

Ann Cavoukian, Ontario’s clear-eyed Information and Privacy Commissioner, is onto something very big after endorsing the Seven Laws of Identity, developed under an initiative headed by Microsoft, which she did at a press conference this morning. Using a form of Microsoft’s own strategy, she has embraced and extended those laws in a way that might change tame Internet forever, and maybe even help stop spam.

The seven laws of identity were formulated through a global dialogue among security and privacy experts, headed by Kim Cameron, Microsoft’s Chief Identity Architect. With Cavoukian’s spin, they describe a system in which a set of digital identity cards would keep personal information distinct from information needed for verification.

And no, the seven laws are not Microsoft’s property — anyone can use them. But a form of them will ship with Microsoft’s Vista, its next version of Windows, due for release in January.

Cavoukian and Cameron hint that the system ought to provide the best defence against spam I’ve yet seen. The idea is that while on-line, users can control their personal information, minimize the amount of identifying data they reveal, minimize the links between different identities and actions and detect fraudulent messages and websites, thereby minimizing the incidence of phishing and pharming.

While Cavoukian’s proposal, called Seven  Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age, is primarily intended to protect privacy and make on-line commerce safer, it could also kill e-mail from those villains who sell snake oil and pump penny stocks by sending you e-mail from  fraudulent return addresses.

Cavoukian was one of the first non-technologists to grasp the link between on-line identity management and privacy, and has a better understanding of technology than most people do. Kim Cameron, a former Torontonian who has been a personal friend for almost 30 years (he wrote the software that ran the original Globe and Mail books bestseller list), is another great visionary. The combination of the two should make an enormous impact on  technology and commerce if the world takes notice.

With uncharacteristic overstatement, Cavoukian says that once a universal method to connect identity systems and ensure user privacy is developed, there will be an “Identity Big Bang.”

I wish them both the best of luck.

Reading Jack's piece I remember the old days we spent together – and how hard we worked to make sure the Bestseller List was scrupulously scientific and objective.  That's the kind of guy Jack is.  There's real honor there.

 

Rob Richards and a new WS-Security / InfoCard code base

Over the last while I've been lucky enough to have some conversations with a php web services guru from the northeast called Rob Richards.  He asked some very good questions about self-issued identities, which I wrote up and will be posting, and also answered a number of my questions about PHP. 

Besides being prolific and modest he kind of won my heart through a posting called I asked for a beer,  The photo at right shows what he got instead – city people, that is a bear, not a dog – and the story reminds me of all kinds of personal episodes too crazy for me to even think about at this stage.

But that's not the point.  He's been quietly doing amazing work that again shows how close we are to getting ubiquity with progressively more robust identity technology. 

Here is a posting that refers to slides from some talks he did at PHP|2006 in Montreal. 

The first was called Advanced XML and Web Services (with accompanying code), while the second was a good overview of XML Security that is so up to date it even covers Information Cards in excellent detail.

But wait, folks.  That's not all.  There's also the code base.  And the fact that he has InfoCard-enabled his Serendipity blog.

For the XML Security session, what people are probably most interested is the code used to implement WS-Security and possibly Infocards using PHP.

Security Library – Base XML Security library implementing XMLENC and XMLDSig functionality.
WS-Security library – WS-Security library for use with SOAP. Currently only implements client functionality and is missing the ability to encrypt SOAP data.
Example Usage of WS-Security – An example of interacting with the Amazon Elastic Compute Cloud (Amazon EC2) SOAP Service. Easily re-factored for use with other services requiring WS-Security.
Infocard Library – Base library for processing infocards.
Infocard demonstration – Demonstration of processing a submitted Infocard. The result is a SAML token along with a function to view submitted assertions. The form has NOT been updated to work with the recent namespace change, so modify the requiredClaims for use with IE7 RC1, Vista RC1 or .NET 3.0 RC1.

These libraries and examples contain unmaintained, yet useable code. They were developed only for testing while designing an API for C based code and most likely any extensions developed to perform the functionality will differ from the code provided here. There are many optimizations that can be made to provide better performance, so feel free to make any modifications you like. I may provide updates in the way of bug fixes if needed and might extend them a bit more if so inspired (such as adding encryption to the soap client or possibly handling of ws-security on the server side), but if anyone wants to take the code and run with it, please let me know as I would gladly provide help (time permitting).

It's really interesting to hear Rob is working on ‘C’ code as well.

Where is the digital you?

I don't think anyone could have expressed the big metasystem issues better than Red Hat's Pete Rowley does here:

There has been a lot of focus on user-centric identity in recent months, but let us not forget about the identity metasystem. The identity metasystem concept is important because it recognizes that even if it is desirable for there to be one protocol that everyone speaks, to get there from here requires a pragmatic acceptance that there will be more than one protocol in the meantime. While choice is a marvelous thing in many situations, it isn’t something that the vendor relishes at the protocol level. When the customer comes calling must you turn them away because they speak OpenID and your software speaks SAML? Recalling my blog regarding the Microsoft Open Specification Promise, multiple standards mean your bolts don’t fit your nuts unless you buy them both from the same vendor. The identity metasystem must provide the necessary adapters so that different systems produced by different vendors on different platforms can at least understand each other, even if they don’t speak the same language.

One might ask who will be building the parts that make the system a metasystem. Clearly, one vendor who is doing that is Microsoft with CardSpace. However, one vendor a metasystem doesn’t make. To make the identity metasystem a reality it must come from multiple vendors, it must be ubiquitous, and it must be in the DNA of the platform. This is why open source efforts such as the Higgins project are so important, because they provide the means to make the identity metasystem cross-platform, cross-vendor, and cross-identity context. This might be considered the primary focus of the OSIS project as a whole – to make the identity metasystem happen. Red Hat supports the efforts of these projects and any project that works to make the identity metasystem a reality.

The correct answer to the question “where is the digital you?”

Everywhere.

It brings us back to Craig Burton's reggae tune: “I cry Ubiquity”.

A blog on application-centric IdM

Nishant Kaushik is Architect For Identity Management Products at Oracle.  I meant to write about him when I read his interesting discussion of my piece on Enterprise and Individual Identity.  Somehow I got distracted, but recently he's been talking about Appication-Centric IdM, certainly an interesting way to frame the problems, particularly because he doesn't position this against user-centricity.

“One of the most common questions I encountered at the Catalyst conference this year was “what is application-centric IdM”. The second most common question (did not lose by a lot) was “how does this compete with user-centric identity”. It has taken a while, but I wanted to make an attempt at answering those questions in a broader forum. 

What is “application-centric identity management”?

“Application-Centric IdM is one of 3 pillars around which we are building our IdM offerings. It is an offshoot of the broader application-centric security concept being woven into everything coming out of our middleware group. The application-centric philosophy is about understanding the needs of applications and application developers. A lot of the problems we face today in identity management stem from the fact that when it comes to identity, each application is on its own. Every time an application is being developed or deployed, the ones responsible for it – the architects, the developers, the project managers and the administrators – are forced to tackle the same old issues over and over again. How do I deal with authentication? Where do I get the user's identity information from? What identity information do I need based on the problems I have to solve? How do I make sure it is correct? The answer to these questions is often so hard, that the development teams deal with it in the way they know best – they build their own identity infrastructure. They create user tables, login screens and processes, permission and authorization modules, account registration procedures, and profile management tools. And they do it again and again. The result is what we see today – multiple identity silos in the organization that require complex management software, tools and processes as add-on layers to try and give the enterprise some semblance (illusion maybe?) of control; poor application security with no real mechanism for consistent, centralized enforcement of enterprise-wide policies like SoD and RBAC; and users having to deal with multiple passwords, multiple authentication schemes, multiple profiles to manage…the list goes on and on. 

“Enterprise IdM solved this somewhat by adding an additional layer of abstraction on top that solves some of these issues. Centralized profile and password management, SSO tools and Audit & Compliance solutions took away some of these issues. But this added additional challenges into the mix in the form of complex integration problems, and the need for complex tooling and processes. 

“As long as IdM follows the bolt-on systems management approach, these challenges will only be mildly alleviated, and never truly cured. This is where application-centric IdM tries to provide a new way of solving this age-old problem. The idea is that instead of each application having to build these infrastructures as part of their functionality, they can just avail of them as ready made, standards-based services. Application-centric IdM moves away from the traditional system management style of IdM, focusing instead on the creation of an IdM infrastructure that customers deploy to expose these services for their applications to plug into their own business processes. It makes identity (and security) an integral, yet abstracted part of the development process. This separation is critical, because often the people defining the security policies are not the same as those defining application behavior – similar to how the role of deployers and developers is separated in J2EE. At the end of it all, users get a consistent experience, the enterprise gets better control of security, audit and policy enforcement, the IT department avoids massive data and process management problems, and developers can better focus on the business functionality of their applications.

“How does this compete with user-centric identity?

“The simple answer is that it doesn't! Application-centric IdM is completely compatible with user-centric identity. In fact, it can help with the introduction of user-centric identity into the IdM equation. As user-centric identity gets incorporated into the operational environment, applications that have plugged into an application-centric IdM framework will be able to immediately take advantage of it, because it will become available as an underlying service in the infrastructure. The same identity retrieval service that the application was using to retrieve identity data from the corporate directory can also retrieve identity data from the identity tokens that the user provided during their session initiation. Without having to change anything, the application can now consume user-centric identity tokens. The basic value proposition is that applications no longer worry about how they retrieve the identity data they need. They have a common service to get it from, which allows it to plug into the wider identity world underneath in a transparent manner.”

White papers and the like are available here.

Jamie Lewis on Open Specification Promise

The Burton Group's CEO, Jamie Lewis, discusses the OSP and what it means for the identity community: 

As has been widely reported, Microsoft announced its Open Specification Promise last week. A lot of folks have already posted about it (see here, here, and here ). But, given the overall importance of the announcement to the identity community, I wanted to make our thoughts on the subject known, and to give credit where it’s due. (Note: This entry is cross posted at both my blog and our new Identity and Privacy Strategies blog.)
In summary, Microsoft has decided to offer the Open Specification Promise (OSP) for the Web services protocols that support CardSpace in particular, and the InfoCards architecture in general. The OSP provides an alternative to Microsoft’s “reasonable and non discriminatory/royalty free” (RAND/RF) licensing agreement, which most open source developers didn’t like. As I understand it, the OSP essentially provides an assurance that Microsoft won’t sue anyone implementing the specifications covered by the document. So developers don’t even have to agree to a license; they can implement the covered specifications without fear of being sued. (With certain, mostly comprehensible exceptions.)

Before I comment on the OSP, however, let me first provide the disclaimer almost every technologist I talk with about licensing issues gives me: I’m not a lawyer, and so my comments should in no way be construed as having legal weight. (If you’d like to see an analysis of the OSP document from a legal perspective, see Andy Updegrove’s excellent post from last week.) But Microsoft’s announcement has more than legal ramifications. Microsoft’s move could have a significant impact on the market, and that’s where we come in.

In short, the OSP is a significant, positive step forward for both Microsoft and the community working to create a better identity infrastructure for the Internet. The people who have been tirelessly advocating the move within Microsoft deserve an enormous amount of credit for making it happen. (Kim Cameron deserves some special recognition at this point in what has been a long process.) At this, point, one of the most significant obstacles to widespread development around the InfoCard architecture has been removed, and that’s good news for everyone involved.

Some Background

I’ve been following the InfoCard effort for a long time with a great deal of interest, primarily because I’ve always thought it was a great idea. But I also had some concerns about how it would be received in the market, at least early on. Circa 2002, it was fair to say that, given Microsoft’s history, any idea the company put forward for addressing the identity problem—regardless of its merit—would likely meet large amounts of skepticism and, at least in some cases, outright resistance from many market players.

From the first time he ever spoke with me about the functionality we now know as CardSpace, for example, Kim has been consistently insistent about the need for and importance of cross-platform support. I certainly agree that a consistent user experience—regardless of the operating system and device a person chooses to use—is profoundly important to addressing the identity problem. But I’ll have to admit that I wondered many times if Microsoft would really let Kim do what he thought needed to be done. And as I talked with other folks about InfoCard as the concept began to take shape, I heard more than a few people express varying degrees of skepticism about Microsoft’s true intentions or Kim’s ability to convince the powers that be to move in a more open direction.

But by decidedly atypical and relentless means, Microsoft has done a great deal of what seemed nearly impossible only a few years ago, overcoming the skepticism and building good will. Consequently, there is a palpable and sincere desire on the part of a lot of people to implement the InfoCard technologies. And three or four years ago, many of these people wouldn’t have even considered working with Microsoft on a beer run, much less an identity system.

Still, licensing was a huge obstacle to seeing that good will and intention translated into demonstrable action and working code. With only a few exceptions, everyone I talked to over the last six months or so—from open source developers to commercial software companies—indicated that until the licensing issue had been put to bed, they really couldn’t (or wouldn’t) build anything. And they had a point. Were I in their shoes, I would insist on clear licensing terms as well.

Enter the OSP

With the OSP, then, Microsoft has taken what is for it a bold step, removing one of the most significant obstacles to widespread InfoCard development. The OSP makes it clear that Microsoft isn’t laying some elaborate and sinister trap for everyone, that it truly is offering something of significant value to the industry and a huge opportunity to developers looking to build better identity management systems.

Yes, there are still some details to work out (I’ll get to those in a moment). And yes, neither CardSpace nor InfoCard’s supporting system are slam dunks in today’s transitional market place. But the OSP is concrete evidence that even those with valid reasons to doubt Microsoft’s sincerity are running out of excuses for ignoring InfoCard. Without it, the overall InfoCard effort was stymied. With it, the InfoCard effort can move forward in the way Kim has always intended. And for that both Kim and Microsoft deserve recognition and gratitude.

About Those Remaining Issues Several folks have commented that it’s not just the specifications that matter, but the implementation details. And they’re right. (While I’ve heard similar things from a few people, most of these issues are summarized in the Higgins project’s draft response to the OSP.)

Microsoft has published an implementation guide for CardSpace, but the details it includes on how to implement the specifications covered by the OSP aren’t covered by the OSP. (You can find the guide, as well as other details on implementation, on MSDN.) In particular, there are schema and meta-data models that are crucial to getting what Paul Trevithick calls “functional equivalence” with CardSpace on other platforms. The CardSpace user interface is an equally important issue. While efforts like the Higgins Trust Framework may not copy the CardSpace UI down to every pixel, interoperable implementations must emulate the basic sequence of events in the CardSpace interface (what Kim Cameron has called “ceremony”) if we’re to get the common user experience to which Kim aspires. These implementation details must be covered by the same kind of promise.

But if Microsoft can accomplish what’s embodied in the OSP as it now stands, then it seems reasonable to assume that what remains is haggling over details, that the licensing issue is finally on a downhill path. In other words, the fat lady has sung, and we’re just waiting for the coda. And now the onus has shifted to those who have professed a willingness to implement InfoCard technologies and interoperate with Microsoft if the licensing details could be favorably resolved. Microsoft is living up to its end of the bargain, and now it’s your turn. Those who’ve already started development, without waiting on the licensing issues, have some advantage. My advice to those who have been waiting? Get busy.

First Information Cards for Safari

click to download movie One of the best moments of the DIDW show, for me, came when Ian Brown, an old friend of Chuck Mortimore, showed us his Identity Selector for Safari.

If you don't know Chuck, he single-handedly wrote a Java-based InfoCard Identity Selector that runs inside Firefox on almost any platform.  He gave me a copy, helped me install it on my computer, and it all just works.

Later I'll do a screen capture of Chuck's work since i can run it on my own machine. 

But I don't currently have a Mac – so Ian succumbed to my goading and put together a little video so you could see what he's working on.

That's such good news.  As he says, “For the faint of heart, or for those running those other operating systems, here's a short screencast of the Safari identity selector in action, authN'ing against Kim Cameron's RP…”

Meanwhile, here's what he says about the actual plugin:

This is currently still at the proof of concept stage, and is lacking most of the features found in the official CardSpace selector from Microsoft. At present, only a single self-asserted card can be selected. The “selector” will currently pull the logged in account's personal information from the AddressBook application, and allow you to use that AddressBook entry as a self-asserted InfoCard with various RPs. It should work with existing installs of Safari, and with most relying parties.

The plug-in itself is a wrapper around Chuck Mortimore‘s Java implementation of an InfoCard token generator. For those of you out there using Firefox, check out Chuck's cross-platform Firefox InfoCard selector.

So download the Safari Plug-In below and give it a spin. Send me any feedback at igb at hccp.org

I'll post new releases here as features are added and bugs are fixed.

Downloads

Currently there are two versions, one for the new Intel-based Apple's, and one for the PowerPC-based machiines. At some point I'll figure out how to get XCode to generate a Universal Binary. (I suppose the PowerPC build might work on the Intel Macs, that's what Rosetta is all about right? But it hasn't been tested on the Intel arch, so YMMV.)

Intel version
http://www.hccp.org/InfocardPlugin.bundle.zip
PowerPC version
http://www.hccp.org/InfocardPluginPPC.bundle.zip

Installation

Installation is pretty simple. After downloading the ZIP file, extract the archive. You should now have a file called InfocardPlugin.bundle. Just copy that to the Library/Internet Plug-Ins directory under your home directory. restart Safari, and off you go.

Despite Ian's self-depricating style I think what he and Chuck are doing is amazing.  And it shows what can and will be done.  Meanwhile, Apple People, download Ian's plugin and leave comments on my blog.

JP Rangaswami on how the OSP “feels”

A number of people have been writing good things about the Open Specification Promise.  The expression of good will speaks volumes about why I continue to love this milieu, and the people in it.

Your personal support in moving our work forward means a lot to Mike Jones and me.

I'm certain it will influence the way events unfold in the future.

Take a look at this piece by JP Rangaswami, author of Confused of Calcutta. I think he expresses what a lot of people are feeling. 

Ambrose Bierce, in The Devil’s Dictionary, defined a cynic as follows:

A blackguard whose faulty vision sees things as they are, not as they ought to be. Hence the custom among the Scythians of plucking out a cynic’s eyes to improve his vision.

Many years later, Albert Einstein defined common sense as “the collection of prejudices acquired by age eighteen”.

As I grow older, I realise that however hard I try to keep an open mind, and to learn, I land up with anchors and frames and perspective-biases that I don’t always know I have. Which means that sometimes I have to work hard to ensure that I don’t lapse insidiously into cynicism.

So you can understand why I had to work very hard indeed when analysing the Microsoft Open Specification Promise that was published yesterday. If you’re interested in the subject, then please do check out Kim Cameron’s blog hereDoc’s piece at IT Garage (where he asks for your opinion as well) and Phil Windley’s blog here, along with Becker and Norlin’s Digital ID World blog at ZDNet.

Microsoft are not known for their pioneering approaches in the opensource world. Identity is one of the three big issues that affects our ability to deliver the promise of today’s technology (the other two are Intellectual Property/Digital Rights and the “internet”, with or without Stevens’ Tubes). A valid solution for identity pretty much needs Microsoft’s support and that of its legions of lawyers.

And so we come to the Open Specification Promise. My early reactions? I think Kim Cameron and his team have done a brilliant job at pulling this off and getting something workable past the lawyers’ cynosure.

If you want to understand it, and don’t particularly feel like wading through “implication, exhaustion, estoppel or otherwise” (and who could blame you?), then skip the legalese and go straight to the Frequently Asked Questions section. I quote from the FAQs:

  • The Open Specification Promise is a simple and clear way to assure that the broadest audience of developers and customers working with commercial or open source software can implement specifications through a simplified method of sharing of technical assets, while recognizing the legitimacy of intellectual property.
  • We listened to feedback from community representatives who made positive comments regarding the acceptability of this approach.
  • Q: Why did Microsoft take this approach?
  • A: It was a simple, clear way, after looking at many different licensing approaches, to reassure a broad audience of developers and customers that the specification(s) could be used for free, easily, now and forever.
  • Q: How does the Open Specification Promise work? Do I have to do anything in order to get the benefit of this OSP?
  • A: No one needs to sign anything or even reference anything. Anyone is free to implement the specification(s), as they wish and do not need to make any mention of or reference to Microsoft. Anyone can use or implement these specification(s) with their technology, code, solution, etc. You must agree to the terms in order to benefit from the promise; however, you do not need to sign a license agreement, or otherwise communicate your agreement to Microsoft.
  • Q: What is covered and what is not covered by the Open Specification Promise?
  • A: The OSP covers each individual specification designated on the public list posted at http://www.microsoft.com/interop/osp/. The OSP applies to anyone who is building software and or hardware to implement one or more of those specification(s). You can choose to implement all or part of the specification(s). The OSP does not apply to any work that you do beyond the scope of the covered specification(s).

We have a long way to go before we can solve all this. We’re not going to solve all this unless we stop acting like cynics. So let’s get behind Kim Cameron on this and see what happens. That’s what I’m going to do.

An aside: Why can’t legal agreements be written like FAQ sections? Is there a law against it?

That's very generous, JP – although in fairness, I want to give the lawyers – from Microsoft as well as the open source world – full credit for getting behind this and making it real.

Friends, let's not stop until we get to the identity big bang.  Let's all keep our concentration.  Let's knock down the wall between us and the coming virtual reality.  Let's make it possible to know who we're dealing with on the Internet – when that is appropriate.  And let's do all this in a way that cradles our privacy.