PC Forum 2005

I just spent a few epochs at Ester Dyson's Release 1.0 Conference.

Between the Lines did a great job of covering the event. Veteran Dan Farber captures it in this piece:

“Esther Dyson's PC Forum is one of those events where you can feel the pulse of the industry (at least the top of the pyramid, judging by the number of corporate jets) and get a sense of what is fashionable, if not profound or disruptive (buzzword from last year). The award for the most frequently bandied about term must go to the longtail, which has risen, in my book, to the status of one word. It all started with Wired Editor Chris Anderson's article in his magazine last year. “

In case anyone just woke up after a long sleep, Dan quotes ” a kind of description from a posting on Chris’ blog“:

The Long Tail, on the other hand, is about nicheification. Rather than finding ways to create an even lower lowest common denominator, the Long Tail is about finding economically efficient ways to capitalize on the infinite diversity of taste and demand that has tailheretofore been overshadowed by mass markets. The millions who find themselves in the tail in some aspect of their life (and that includes all of us) are no poorer than those in the head. Indeed, they are often drawn down the tail by their refined taste, in pursuit of qualities that are not afforded by one-size-fits-all. And they are often willing to pay a premium for those goods and services that suit them better. The Long Tail is, indeed, the very opposite of commodification

Of course I like “longtail” thinking because it makes writing a blog like this one seem rational. When certain people ask me how many readers I expect to get with a subject like this, I can just say, “Hey man – I'm longtail. Get hip.”

And in fact, at PC Forum identity conversations were going on everywhere, from morning to night, day after day. Doc Searls and Marc Canter, who I now realize know everyone in the world on a first-name basis, did a fantastic job of introducing, facilitating, and bringing people together – the proverbial “herding of cats”. The conversations ranged all the way from discussions of protocols to brainstorming on how to find ways for technologists to get input, feedback and validation from those thinking deeply about issues of governance and cyberspace.

I expect these discussions will continue to build until everyone gets together at the next big identity event – the Digital Identity World (DIDW) Conference coming up in May. If you are interested in identity – which you must be since you are reading this – try and get there.

Between the Lines’ David Berlind, who has serious depth in the identity area, did a podcast with me about the laws and their implications. He's very good at concretizing things and I enjoyed getting to know him. He and Dan are podcasting like crazy! Give it a try. Look for the Podcast buttons on their site. And don't forget Doug Kaye's IT Conversations as well (just saw Doug has posted an interview with Marc Canter that I have to download ASAP).

Is it ‘insipid’ to not require uniqueness??

Dave Kearns likely speaks for several in his response to my proposed definition of digital identity:

According to Cameron:

A digital identity is a set of claims made by one digital subject about itself or another digital subject.

That may well be true, but it's so insipid as to serve as a definition of nothing. Kim goes on to prove this by excerpting others’ definitions and alleging that his definition can stretch to cover.

Being able to “stretch to cover” doesn't have any value in itself. I was making the deeper point that we need a definition of digital identity which is suitable for more than a closed system. It needs to work for a metasystem embracing multiple implementations and ways of doing things. One way to explore this was by seeing whether our proposal embraced the definitions employed by some existing implementations.

To be sure, a rigorous definition of digital identity is going to conflict with some of the definitions used in existing systems. That is because many such definitions purposely or inadvertently limit the scenarios to which they apply. Such is the case for the example put forward by Dave:

Even in a single digital context (one instance of a web site, say) an identity also needs to be unique.


What does it mean to say a digital identity needs to be unique? Is Dave saying that each digital subject always requires a unique identifier?

Many systems have been built with that assumption, and identity based on unique identifiers is an important model. But that doesn't mean such systems are the only ones required in the emerging world of identity!

Non-unique digital identity

Let me take the case, for example, of a relationship between a company like Microsoft and an analyst service that we will call the Kearn Corporation. Let's suppose Microsoft pays the Kearn Corporation K dollars so anyone from Microsoft can read its reports on industry trends. Let's say also that Microsoft doesn't want the Kearn Corporation to know exactly who at Microsoft has what interests or reads what reports.

In this scenario we actually do not want to employ unique individual identifiers for the digital identities of Microsoft users consuming the service. Kearn Corporation still needs a way to ensure that only valid customers get to its reports. But in this example, digital identity would best be expressed by a claim – the claim that the digital subject currently accessing the site is a Microsoft employee. A forward-looking definition needs to address this requirement.

Our definition succeeds in this regard. It defines the claim made by one digital subject (Microsoft Corporation) about another digital subject (the particular unidentified and non-unique employee accessing the site at a moment in time).

Is this unidentified subject in need of a unique identifier? No.

Is his or her identity unique? Not in the sense Dave intended. There is a whole set of users about which the claim may be made. Such subjects have a digital identity defined by the claim.

Non-uniqueness reduces complexity in many scenarios

I know Dave is one of the first to embrace reduction of complexity, and I hope to win him over by showing how this applies. I can give many examples of scenarios in which non-unique claims reduce complexity because so many customers have talked about their needs in this regard.

Let me choose one at random. To protect the innocient I'll concoct a specific example based on the Navy, which I choose because its size, dynamics and distribution around the globe make the argument unassailable.

Let's suppose there is a site containing information which should be viewable by members of the Navy but no one else. Does that mean everyone in the Navy must present their individual identifier to that site in order to gain access, and that the site then has to look it up and determine the identity's current validity? This is what current systems require, and people running them don't like it one bit.

To make things more real-world, let's also suppose there are various sites, on different continents and at sea, each offering access to the same information. Do all of them need to be provisioned with complete and up-to-date directories of every member of the Navy (as well as those who have left or may be unaccounted for or even in enemy hands)? Experience has shown this isn't possible – and that if it were, it would inadvertently leak important information.

I argue that we must allow for scenarios like these, in which a user could just go to a Navy identity provider to get a claim that she is a member of the Navy, and then present this claim – along with cryptographic proof that she is the legitimate bearer – to the site being accessed. This is very much an example of both increased simplicity, and reduced risk. These benefits accrue through application of the second law, dramatically reducing disclosure of information about the composition of the Navy to all the relying sites.

I can say with total confidence that the architecture of an encompassing identity metasystem should allow the subject to be unique – or not – depending on the requirements of the scenario, and that there is nothing insipid about making this a requirement.

MIIS Alliance

I've spent the last couple of days at the Netpro Directory Experts Conference in Vancouver. I'm not sure if the sessions will be made available as podcasts but I hope so. It's an ultra-focussed conference dealing with Active Directory (AD), Microsoft Identity Integration Services (MIIS) and Active Directory Federation Services (ADFS) – as well as the set of interesting products that live in the same ecology, offered by independent vendors.

The main buzz at the conference was about the MIIS Alliance – a consortium of independent vendors who are building and marketing a synergistic suite of products and solutions that use MIIS as their underlying identity management engine and glue. It is another important milestone in metadirectory's transition from being a kind of “specialty product for the rich and complex” to one of the key underlying technologies of distributed computing. I am impressed by the vision of the Alliance and very encouraged by the things they are doing. Currently the Alliance consists of NetPro, Oblix, Oxford Computer Group, PointBridge, and Vintela. There are many other top drawer vendors building on MIIS as well. For example, Centrify showed a demo of their Linux product, which includes management agents for Linux/Unix, and does WS-Federation with ADFS – incredible.

Most of the sessions were detailed technical ones given by people with lots of hands-on experience and savvy. As a product architect I tend to see software architecture as being about how things are built. This includes decomposing the functional and structural elements to produce a layered or modular design with clean interfaces allowing for extensibility, maximum reuse and simplicity, the proper operational characteristics, usability and provable quality. But the Netpro conference is clearly for people who inhabit our products. Products really are environments and as architects we had better look at them that way. I'm not sure we do a good enough job at that.

There was an analyst session with a distinguished panel: we heard from Thomas Mendel of Forester Research, Earl Perkins of the Meta Group and Nick Nikols and Dan Beckett from the Burton Group. Thomas had interesting things to say about what it means for AD to have passed what he called “the 50% threshhold” on an international level. It is pretty clear that there is a kind of “tipping point” phenomenon happening. A lot of the discussion turned on ways of leveraging the AD information asset for immediate business value. Earl put it this way: “Active Directory is playing a more and more important role in identity management, becoming above all an enabler.”

Thomas mentioned a study of twenty-five companies who had put password self-management in place – achieving on average a 3 month return on investment… Nick talked about the impact ADFS would have by making it easy and inexpensive to leverage directory information to drive federation and single-signon. He said it will put federation within easy reach of pretty well any enterprise. Earl pointed to the paradox that network administrators are so focussed on their day-to-day work that they don't see (or can't influence) the big picture – so that in many cases, enterprises don't understand the information asset that they have. Dan Beckett gave many good examples

One interesting exchaege was between Thomas, who characterized enterprises as still being in “incident management” mode, and Nick Nichols who argued many had crossed over into “proactive solutions” mode. The market obviously consists of both groups, and the discussion was about what comprises the mainstream. Whatever the current situation, this evolution in understanding will be crucial to the future of identity management technologies like MIIS, and developments like the emergence of MIIS Alliance show that ISVs think the market is there.

There was a lot of talk about the effect compliance legislation will have in improving infrastrcture practices. But Earl cautioned we had to be careful to see there would be no silver bullet – that any attempts to put policy into practice would run smack into the problem that policies and reality need to have some relation to each other – and that this will initially not be the case!

I also saw Dave Kearns at the conference – back from his “leave of absence” – and we had some good times. His quill really does sharpen the discussion, and I'm grateful for it. So on to the next item.

Doc says Yes

Doc Searls answers “Yes” to my question:

So just as blogging transforms who is involved in journalism, might it not also transform who is involved in marketing?

Doc, who after all invented he word “authorators”, then adds:

Here “Searlsist” appears for the first time. (I'm not even sure I'm one of those.)

Doc has the good sense not to ‘join a club that would have me as a member…”

Anyway, I define ‘Searlsist’ as “one who believes markets are conversations.” So I'm afraid he is one of those – unless I've fallen behind.

Tales from the crypt

Thanks to Michael Specht, author of My Blog of HR and Technology Stuff, for pointing me to another identity horror story which is right up there with the ChoicePoint Saga and other tales from the identity crypt.

You can read the about the whole affair in a really clear whitepaper from Think Computer.

Yes, my hearties, prepare to shiver and twist as you learn how…

PayMaxx has unwittingly created a perfect example of how a security breach is possible over a connection that is technically secure.

And that:

Upon discovering the vulnerabilities in PayMaxx’s system and their extent on February 7, 2005, Think immediately notified PayMaxx that the problems were of a serious nature, and recommended that the company hire a security consultant to remedy them if it was unable to fix them on its own. After more than two weeks, PayMaxx issued no formal response and took no action, leaving the security holes wide open.

More ghoulish details:

Any employee, whether terminated, presently working, on leave, or even affiliated with a company that was no longer a PayMaxx customer, could therefore look up the supposedly confidential W-2 of any other onetime PayMaxx customer.

And again:

By simply changing one number in a hyperlink on PayMaxx’s “secure” web site, it was possible to scan through PayMaxx’s entire W-2 database for the year 2004. PayMaxx stored each employee’s data record sequentially in a table—a perfectly normal and acceptable practice, and one that Think uses frequently in its own software, but also one which made it possible to always guess the ID of the next record by simply adding 1.

But meanwhile…

Statements remained on its corporate site such as, “At PayMaxx, we are committed to maintaining your privacy and data security.” Interestingly enough, as recently as February 18, 2005, Attorneys General in thirty-eight states signed an open letter to ChoicePoint, Inc. protesting that company’s inaction after it was notified of a remarkably similar problem.

It shocks that PayMaxx apparently didn't react “full speed ahead” to rectify the situation it had created.

But then there are also deep technical implications to consider. Have you heard my audio interview with Carl Ellison? This is the perfect example of what he means when he says that security can't be done in layers, but needs a “diagonal” across all the layers to provide a holistic solution.

Markets and engineering

A while ago Eric Norlin of Ping provoked a lot of discussion with a piece called “Why the hateration towards marketers?” I found the ensuing commotion fascinating because the story painted the “Searlists” (that's pronounced like ‘surrealists’ but without the ‘real’ part…) as being gnawed at by growling engineers, themselves reacting as mindless victims of shameful abuse by pre-Searlist “marketing bullies’.

In the ensuing aha! I could see that the key to getting past this lies at least partly in explaining the “markets are conversations” message to engineers.

As engineers, if we are any good, we have already come to have a deep engagement with the people who use our software. And to the extent we have had a problem with marketing people, I think it was often because we didn't perceive them as having done the same. Many times it was our customers who told us this.

But Searlist marketing is an advanced form of this same engagement. So really it's marketing that can make sense to engineers. By the way, I don't mean to paint engineers as saints, or deny, in all fairness to marketers, that there are a great many weird dynamics that can skew our vision!!!

In a recent posting Eric says of Microsoft's Robert Scoble:

Scoble asks a question (re: RSS, “markets are relationships”, etc):

“Here's my thesis: companies that have lots of bloggers will end up making better products, will end up having better marketing and PR, will end up making more profit at the end of the day, and will be more likely to have more than one “hit product” and will be more likely to last 100s of years.

“Do you agree? Why or why not?”

Eric answers this way:

Yes, i do agree — though not because blogging is some revolutionary method of interaction, or because the world wide web lives by axioms of open-ness, or anything else like that. I agree because “markets are relationships” as a principle has held true since the bazaar, and still holds true (yes, i'm admitting to a belief in a fundamental – oh god, i'll say it – “human nature” )……RSS is an *evolutionary* step in that conversational relationship.

BTW- under scoble's lexicon, RSS sounds like it falls squarely in the realm of the product marketer/manager — someone that tries to facilitate a feedback loop around the voice of the customer back into product development. THAT is what A)ensures better products B) results in better marketing and pr C)results in more profitability and D) gives a company a *chance* to last 100s of years….

…and i think that holds true for ALL companies all of the time – and analyst relations, core messaging, positioning, product marketing, rss, a sense of humor, etc – they ALL play into that.

….so, yes, i'm agreeing w/ Scoble – i'm just hinting that its time that we place blogging in a larger context (in terms of the “marketing” discussion)…..

Well that's all pretty cool. But I think blogging changes more than this. It lets a product architect like me have a more direct relationship with the people for whom I am building products – with no interpreters in the middle. It lets me add a new conversation – one focussed around the scientific aspects of what we are doing. And allows (once we get things moving at the right clip) for deep discussions with people from other teams who are building complementary or potentially competing technologies. And with people like Craig Burton and Jamie Lewis who can help us all situate and theorize what we are doing.

So just as blogging transforms who is involved in journalism, might it not also transform who is involved in marketing? Not by marginalizing people like Eric who really understand it, but by allowing more of us to participate, such that the relationship between customers and product development becomes more unmediated?

I'll pause here for a moment, because I can hear people saying that we really need a division of labor. “If engineers spend their time talking with customers, they won't be able to get any work done.” And I don't deny that there is truth to this.

But I'm suddenly transported back maybe fifteen years, to a customer called Burks Smith from Sprint. I actually see him periodically and to this day he remains one of my favorite people. He had bought an email router I had designed, and was a wonderful customer who appreciated all its great features. But one day, it basically “blew up”, having unexpectedly encountered a particularly defective inbound message.

We worked through the technical support. As tens of thousands of messages queued up hour after hour, Burks never lost his focus or demeanor. But when things were back to normal, and we were doing the post mortem, he told me, “You know, that wasn't a software error – it was a train wreck.” That sunk pretty far into my head – and I have never done an “optimistic” design since.

The point here is that the conversation must touch all of us who work to create product. Not just marketing.

Eric concludes:

ps: heard through the grapevine that Wag-Ed – or at least some folks inside Wag-Ed – (msft's pr firm) finds microsoft blogs to be very hard to deal with…

I guess my blog could be one of the harder ones to deal with, because (except for pieces like this one) I try to go beyond opinion and concentrate on exploring new boundaries and approaches in computer science. Furthermore, it's well know that I'm a product architect for – what else – identity and access products, and that I'm not likely to leave my notions about what works and doesn't work at the door when I walk into my office. How do you fit that into a traditional marketing agenda?

I don't think you can. I think the agenda grows. And I think that will happen all over our industry – fast.

Gradient of trust

Commenting on a piece by Phil Windley which proposes a “law of symmetry“, Robin Wilton of Sun makes some points which I think are both very important and beautifully expressed:

Well, I have to say, with all due respect to Phil, that I absolutely disagree with the views he expresses about the nature of these relationships. In my view:

1 – Trust is far more frequently an asymmetric relationship than a symmetric one – and the retail example is never going to support his argument. A retail shop deliberately exposes itself and its wares to public access (pretty hard to sell stuff if it doesn't!); it's in the store's interest to encourage Kim to say “I shop at Phil's!”. A retail customer has a long-standing (and, if s/he pays with cash, generally well-founded) expectation of anonymity, and it is not usually in the retail customer's interest to have their preferences and behaviour disclosed to third parties.

2 – Trust is very often not only directional (Law 4), but also transitive and subject to ‘gradients’. On the strength of your birth certificate, you can get a passport; you can use that to get an airline ticket; you can use that to get a boarding pass. You can't use your boarding pass as a substitute for a birth certificate, because at each step in this cycle you have (maybe unwittingly) been sliding downhill in the trust stakes.

Robin has started a blog which will have an identity theme. He has a wide reputation as a thoughtful person so I appreciate his comments on our conversation here, which encourage me in thinking the identity big bang is moving closer.

Just a quick post to link to Kim Cameron‘s excellent Identity-related blog.
There is a wealth of good thought here, as well as many links to other
relevant info.

It‘s invidious to single out one entry – so browse around while you are
there. However, this post on the UK identity debate is particularly timely.

Kim‘s blog has gained a lot of air-time (rightly) because of his
forumlation of the “Seven Laws of Identity”.

A particularly useful quality of the Laws of Identity is the
way in which they take technology specifics out of the discussion
to enable an objective and pragmatic discussion of the issues
and success factors. There‘s benefit in that for all…

In today's post, Robin gives us a good link to this paper on the British ID Card situation: Justice/Clifford-Chance ID Card paper. He says, “It‘s very readable, and some of the stats on technology like facial recognition may surprise you…”, and gives some examples:

“For top systems, where the length of time between acquisition of the images
and the presentation of the new images increases, performance degraded at around 5% per year.“
Where the elapsed time is up to 60 days, the top identification rate is around 80%.“

“Older people are easier to recognise than younger people. For every ten years increase in age,
performance increases by approximately 5% until age 63.”

I suspected there were advantages to being young.

The fungibility requirement and digital identity

Here's an interesting comment from Ian Grigg on how fungibility requirements impact representation in the digital realm:

Bank notes: payment systems (which is the general class in which bank notes fall) desire a thing called fungibility – the ability for one note of $10 to be equivalent to another. This is far more important than issues such as traceability or privacy.

Because of this, the tendency in the digital world is to use straightforward accounting systems that simply count up the numbers and allocate them in accounts. If we are digital, we don't need to use the clumsy token method, as that is more work for little gain. We simply say “pass 10 from Alice to Bob.” Obviously, we may want to wrap that up in strong crypto, and we may want to worry about privacy, etc, if that's what is called for. But these are separate, derivative issues.

One big question however is (as intimated) what the note or accounts represent. The set of claims that makes up a note is varied and complex. Skipping forward, what these claims reduce to is a contract between the issuer and the holder. And, it so happens we have an easy way to issue digital contracts and even identify them: the issuer writes a document, signs it digitally, and hashes it. The hash becomes the identifier, and thereonafter, the accounts are in that hash.

This works as well for token money like eCash coins. For more info on this, see the Ricardian Contract.

Ian has published a lot of fascinating stuff, including a number of papers and a blog on Financial Cryptography.

An irrefutable argument

Scott Cantor from Ohio State University posted this comment to my recent piece on claims:

The question of whether a SAML assertion should have been named a claim has come up before, and I always felt the real problem was that the likely pronunciation of SCML doesn't suggest confidence in the speaker. ;-)

Now who can argue with this?

Scott is a great engineer and is not only the architect of Shibboleth (which is a very forward thinking system I want to write about going forward) but also one of the main editors of the SAML 2.0 spec.

Anyway, I want everyone to know that my use of the word claim is NOT an attack on SAML's name or documents. I myself, having long worked with X.500 and LDAP, used the words “Attribute Value Assertion” for many years and don't intend to write any letters of apology about it. It's just that I now think a word meaning “an assertion about which there is doubt” goes right to the center of issues I hope everyone will think about. So I'll be employing the “claim” word for a while as an adjunt to “assertion”.

By the way, Scott also shared news about some very hush hush futures: A forthcoming XSLT transformation is planned to transform SAML assertions into 18th century proclamations.