OPEN SOURCE IDENTITY SELECTOR ANNOUNCED

From ZDNET, a post by Phil Windley from the Berkman ID Mashup held over the last few days at Harvard Law School:

David Berlind's not the only member of the Between the Lines team at the ID Mashup this week.  I've been here as well, watching the identity happenings.  The first two days were traditional conference style, but the third day of the workshop was done open space style.  That's a great format for generating discussion and this example was no exception.  I went to a session on reputation first thing that resulted in some very good ideas and principles on that important subject.

The second session I attended was a discussion of OSIS, the open source identity selector project. This project has server and client pieces as well as a security token service (STS). The server side pieces of OSIS will be part of the proposed Heraldry project at Apache. The primary purpose of Heraldry is to provide a home for open source identity projects, like OpenID. The client code and STS pieces will be part of the Eclipse Higgins project.

OSIS is more than just a small project to build open source identity selectors for Microsoft's CardSpace (formerly InfoCard); after all, that's been done. OSIS will support interoperability between the addressable identity systems (OpenID, LID, XRI) and card (or token) based identity systems (more notably CardSpace and Higgins). OSIS has the support of all of the major players (including Microsoft, Novell, IBM, SXIP, XRI, and Verisign).

This is really a historic development in the Internet identity space. Microsoft, before their own implementation of CardSpace even ships, is linking up with the larger identity community, including OpenID, LID, i-Names, and Higgins. Make no mistake, they've been participating and giving leadership to that community for a long time, but until now, it wasn't clear that all the various systems would be interoperable. OSIS aims to change that.

I don't actually agree with Phil's notion that “this has already been done”.  But I agree it will be.  The list of individuals and companies participating in OSIS is a who's who of important contributors. 

Why not? The conference was full of remarkable milestones.  I'll talk about some of the high level issues in subsequent posts.

But in terms of concrete and immediate progress, Michael McIntosh of IBM showed how he could use a Higgins “i-Card” to log in to my identityblog site.  I know Michael and Paul Trevithick (from Social Physics) worked really hard to show skeptics that we throughout the industry are really coming together to make identity work across platforms.

In another demo, we saw more of Paul's work around an “information broker” – I'll try to find a detailed writeup somewhere.

And to top it off, we got an eye-opening presentation by Montreal's Louise Guay.  Her My Virtual Model is a must-see. Louise is a real visionary.  Doc was reeling.  For example, she offers us a personal avatar – you set it up with your measurements and characteristics and use it to find outfits with the look you want.  And guess what?  People are actually using it.  And I'm just brushing the surface of her thinking.

Beyond the “cool factor” is the fact that she is turning marketing upside down.  She's fully aware of the relationship between her avatars, the people who use them, and the great identity issues of our age.  These are social artifacts people can share with their friends, but are also respectful of privacy – allowing us to get access to unprecedented personalization without sharing any identifying information.     

PEOPLE IN THE PROTOCOL

A nice post from identity guru Pete Rowley of Red Hat: 

I have been at the Burton Catalyst this week. At the reception I was discussing with Paul Trevithick about how I define user-centric identity. The phrase I use is “the people are in the protocol.” Though I wasn’t expecting it, the next day Paul was on a panel when he was asked what user-centric identity was and he quoted me. Cool, but then the next day another panel was asked about the quote and whether having people in the protocol was just a way of excluding other protocols and groups. Well since I wasn’t on the panel to answer that I thought I would take the opportunity to do so here.

When I say protocol I mean it in its broadest sense, in the sense that showing my driving license to a cop at a traffic stop and the cop returning it to me is a protocol. In that transaction I am in possession of the information, I have full knowledge of what information I would pass along to the cop, and I also have the choice of saying no – even if that might result in bad things happening. So people in the protocol means that rather than being an end node that may begin a transaction and perhaps be the recipient of the end results but with only vague or even no information about the information passed in the transaction, they are rather a conduit for all identity decisions in an environment of informed consent. This necessarily means that the protocol must pass through the user, or in other words appear on the screen and be approved by the user. That is an architectural philosophy that results from Kim Cameron’s laws of identity and it is a necessary one in order to gain user buy in. It is also just the right thing to do.

It turns out that it really isn’t hard to architect identity systems to include freedom and choice, but it might not be what one would create if the issue were never considered. It is also not too difficult to re-architect to take account of the philosophy – some work has already begun in SAML for example. Putting people in the protocol is the first step towards providing a scalable identity framework that takes account of the requirements of the important part – the person. The first step towards treating the users of identity systems with respect.

NOVELL BANDIT

Here's a piece from Network World about Novell's new open-source identity initiative, called Bandit:

Novell has launched an ambitious open source identity management project, which aims to allow companies to integrate different identity systems and provide a consistent approach to securing and managing identity.

Called “Bandit,” the company quietly initiated the project earlier this year, and has been donating engineering resources and code to get things started.

Novell has a track record in identity management products and some credibility in the open source world, due to its acquisition of SuSE Linux, and is hoping that a freely available integration layer will mean more sales for the whole identity management market.

“Novell's initial sponsorship of the Bandit project is a natural extension of our leadership in both identity and open source, and we are gratified to see the groundswell of community support,” Novell Executive Vice President and CTO Jeff Jaffe said in a statement.

The company has lined up support for Bandit from a number of key industry players, including ActivIdentity, Eclipse, IBM, Liberty Alliance, Microsoft, Novacoast, Red Hat, Sun, Sxip Identity, Symantec and Trusted Network Technologies.

“The Identity Metasystem provides a model for identity interoperability across the industry. We're happy to see Novell playing an active role in helping realize the Identity Metasystem and look forward to working with them to ensure interoperability between our respective products,” said Kim Cameron, architect of Identity and Access for Microsoft, in a statement.

The Bandit services will work with existing industry standards such as the WS-* standards, Liberty Federation and Eclipse Higgins. Indeed Bandit has some overlap with the open-source Higgins effort, Novell has acknowledged, and Bandit's developers are planning a Higgins context provider based on Bandit's Common Identity service. The context provider is the way the Higgins framework accesses different identity repositories.

Ultimately, Bandit aims to provide an easier approach to problems such as secure, role-based access and regulatory compliance reporting, Novell said. The project's four main components are the Common Authentication Services Adapter (CASA), the Common Identity service, the Role Engine service and the Audit Record Framework service.

Industry analysts have said the initiative appears promising, given Novell's background and the apparent willingness of other heavyweights to participate.

“This is not the first open source identity management initiative, but the involvement of identity management heavyweight Novell is significant,” said Neil Macehiter, partner at analyst firm Macehiter Ward-Dutton, in a research note. “The fact that the project is focusing on higher-level identity management issues gives it added significance.”  

Dale Olds, the distinguished engineer behind the initiative, has shown a lot of leadership in the open source community by throwing Novell's support behind Information Cards.  He's a serious guy – serious about interoperability.

Dale's belief that identity can't have boundaries or borders is palpable.  We'll all benefit from his work.

LONG LIVE INFORMATION CARDS…

Progress Bar says:

I have to gently disagree with Kim Cameron about the renaming of InfoCard. Personally, I thought it [InfoCard] was a fine name. Then again I am a Mac user and Keychain just makes sense.

Now, it has the Windows name in it. Why? Second, it contains the word space, similar to namespace, which I think of in technical terms like an XML namespace, and my unscientific interviews this morning produced much head scratching from regular people. Not a big deal in the grand scheme of things but still irks me.

Let me clarify things a bit. 

InfoCards don't go away – instead they are transformed into “Information Cards”. 

So from now on, I'll be writing about Information Cards.  I hope that one day Apple will have a way to use Information Cards.  Not to mention Linux and Unix and telephones and iPods.  I hope they all behave in a more or less recognizable way, just as we can all get into a car we've never seen before, look at the steering wheel and pedals, and know how to drive it – in spite of every car having its own character.

Our research shows the growing understanding of “InfoCards” will transfer just fine to “Information Cards.” 

In fact if someone kept calling them InfoCards or ICards or Cards the meanings would all still hold together. 

But as a name that reaches across the industry, it is best to have one that no one owns, and that we don't have to debate, because it is just a generic statement of purpose.

Meanwhile, we have the small detail of this implementation on Windows and the fact that it's going to ship soon.  Our implementation is a place where you can put your Information Cards.  So we're calling that your CardSpace.  We don't intend to Windows it to death – I expect it will normally be referred to as CardSpace once you are inside the Windows world.  Of course, I don't work for the Department of Naming and don't have my branding license.

For the last year, my friends and colleagues in other companies and organizations have been hard core about wanting me to better separate between the “Identity Metasystem”, the “cards” that stand for identity relationships, and the Microsoft Implementation of all this.  I think everyone wants to participate in the emerging identity metasystem.  But people don't want their participation to be seen as too closely mixed up with Microsoft's implementation. 

In the early days of the project I didn't understand all these complex issues so we ended up with the same name being used for all three purposes.

Now, we've tried to do what our colleagues have been asking for.  The name of the “big idea” – Information Cards – is generic and belongs to the industry and the world.  The Identity Metasystem is something each of us contributes to in our own way.  Windows CardSpace is Microsoft's implementation of an identity selector on the Windows client. 

I will be working with colleagues from other companies on a common logo that can be displayed wherever Information Cards are accepted.

I should have made all of this clearer when I first blogged about it.  But thanks to the miracle of the Blogosphere it's possible to see when you haven't been clear about what you are doing.  So, I hope this helps.

MIKE BEACH ON FEDERATION AND USER CENTRIC IDENTITY

Here is more fallout from James McGovern's intervention about InfoCard as a “consumer” interest. 

It's a posting from Mike Beach – an identity pioneer all of us in the enterprise world respect, and who was one of the first to get an inter-corporate federation system off the drawing board and into production. 

His thinking has the benefit not only of vision, but of a lot of real experience.  Whatever he says, pro, con or neutral, I always start by assuming he is speaking to us from the future:

I agree with Kim that the Infocard/Identity Metasystem (or some other form of user-centric identity implementation) will find its way into the corporate world and help to solve some interesting problems. I have recently been mulling the potential impacts to both privacy and federation.  

In the privacy space a colleague of mine shared an interesting perspective. Most corporations, especially in the B2C space, have considered user/customer identity data to be an asset. Knowledge about their users that could be leveraged for any number of marketing opportunities. With the rising concerns and increasing regulations around privacy this perspective is, or should be, starting to change. This “asset” is now becoming a liability. Data about people (corporate people and consumer people) is always going to be required to do business, but how do we get that while at the same time minimizing liability? Enter the Infocard concept. It would seem we now have a means to establish authoritative data about the user, but give it to the user for safe keeping.

Relative to B2B federation it also appears the Infocard concept can add value.

Today many federations are established by corporations “on behalf” of their employees.

Consider the many corporate benefits providers that are establishing SSO federations with their clients. The employees are at the mercy of their employer and the benefits providers to ensure security and privacy, and typically have no choice in the matter. I realize the federation standards provide for “opt-in” federation, but I don’t see that fleshed out in products and implementations.

Again enter the Infocard concept. The potential for eliminating the magic, invisible, mandatory federation of today. The corporations can issue Infocard credentials to employees that can be used at benefit provider sites – or not. Employees have visibility, control, and choice. I can imagine the Infocard concept becoming the new federation user experience.

This phrase haunts me, and should haunt the industry:  “The magical, invisible, and mandatory federation of today.”

I tend to believe that if anyone knows what the gotchas are, it's Mike.  So having him in this conversation is essential.  Hey Mike, it's time to blog…

DEPERIMETERIZATION AT 1 RAINDROP

Seems like Gunnar Peterson of 1 raindrop finds the intersection of InfoCard and Federation as interesting as I do.  And in resonance with my recent post on enterprise identity management, his taxonomy includes the fascinating “deperimeterization” – I see that while I wasn't working he's done a whole bunch of good work on this.

Ping is set to demo its new Infocard authentication + federated SSO at Catalyst.

A user authenticates to a healthcare portal leveraging a self-asserted InfoCard. The user’s credentials are validated by a Java InfoCard Server built by Ping Identity. PingFederate is then used to enable federated single sign-on to a remote Web site without a redundant user authentication.

There are a number of interesting aspects here including proving out Identity Law 5, which is, of course, Pluralism of Technologies and Operators, jacking InfoCards assertion into the federation network through the WS-Trust backplane, and the ability of InfoCards to help to strengthen the authentication process, for example through a smart card and then have that assertion carried through the system, Brian Snow:

Consider the use of smartcards, smart badges, or other critical functions. Although more costly than software, when properly implemented the assurance gain is great. The form factor is not as important as the existence of an isolated processor and address space for assured operations – an “Island of Security” if you will.

An island of security in a networked world, now there is a future worth inventing.

Is it really an island?

TIARA.ORG – A MAJOR IDENTITY SITE

O.K.  I've hit a gold mine.  It's called Tiara.org.  Who or what is Tiara?  “A PhD student in the Department of Culture and Communication at NYU, studying social technology from a feminist perspective.”  Go to her “About me” page and it has everything except… a name – at least in a form straightforward enough to come up in a search engine.  So for me she's just Tiara.

Tiara has assembled a spectacular identity bibliography.  I'm going to ask if she'll let me put it up on identityblog – with credit to her, of course.

It turns out Tiara had blogged about the Times’ Facebook story over the weekend.  Somehow through the miracles of ping-backs this floated past my desktop:

Kim Cameron, the architect of MS’ Infocard Identity Metasystem, which I’m not at all a fan of, writes a great post on Facebook and the globalization of identity, based on the NYT article I blogged over the weekend.

Wow.  Such a smart person is not a fan of the identity metasystem.  I need to find out more about this.  Nonetheless, we seem to agree when it comes to some of the issues raised in the Facebook article.  After quoting my piece, she continues:

Beautiful point: Facebook (& MySpace) are extremely performative communities, where the values being espoused– being cool, being “hard”, being sexy, being transgressive, being resistant– are those of mythical teenage worlds. There’s not just a generation gap between teens/young adults and their future possible bosses, there’s a culture gap between the “professional world”, where we’re not really supposed to have any sort of interesting personal lives (witness the furor over academic blogging), and the “online world”, where we’re supposed to be larger-than-life (microcelebrity again!).

I also like Cameron’s point about companies not being “invited” into these worlds. I definitely feel that Facebook is a private community, and I don’t go poke around looking for my undergraduate students, because it’s none of my business what they do in their private lives. But, again, as I said the other day, there are no regulations about searching social networking sites (or even just Google), and there aren’t likely to be. The justification that it’s public information trumps the contextualization argument.

I talked to someone else recently who said that their local sheriff’s office uses MySpace as a first resource whenever they are looking for something or bringing someone in — of course it’s a young receptionist who does the searching. And universities like UC Santa Barbara are formulating specific policies to discipline students based on their Facebook information. So although I agree with Cameron, it’s really irrelevant. As long as sites like MySpace and Facebook are viewed as public information, they will not enjoy any type of protection from authorities or employers.

It's not really irrelevant.  There are a lot of issues buried here, and I'm not about to give up the ghost on them. 

One question I have is whether it is possible for an operator to provide access to a site for specific reasons – and prevent it for others.  In other words, is it possible to require those entering a site to sign a binding statement of use?  Can liability be associated with breaking such an agreement? 

Let's go further.  Is it possible to prevent usage of a site for commercial purposes, or purposes of employment, or in the interests of an employer? 

I'm going to be at the identity mashup hosted by Berkman Center for Internet and Society at the Harvard Law School next week.  I should probably be able to find a few (hundred) lawyers there.  I'll try to find out more about these issues.

But as Tiara says in her own interesting post on the matter:

So what’s “the solution”? I’ve heard three:
1. Young people should stop putting content online.
2. Recruiters and employers shouldn’t use Google or Facebook to research potential candidates (don’t hear this one very often, although you’d think in a country where it’s illegal to ask people to include a snapshot with their resume, there might be potential room for legislation here).
3. We just have to wait until there’s no longer a divide between your “work” persona and your “life” persona. I know this sounds stupid, but I heard it from the CEO of Facebook.  (Tiara heard it from the CEO of Facebook??? – Kim)

And here’s what’s actually happening: People are obfuscating personal data by using pseudonyms that can only be identified within situated, contextual networks, or by using services which allow them to restrict who can view their personal information. This is really the only one of these solutions which makes any sense.

O.K.  So we totally agree.  Contextual separation is one of the main concepts behind the identity metasystem.  I suspect she has impressions of what we are trying to do that just aren't accurate.

In truth, InfoCards and the metasystem have been designed to enable privacy while still being able to make provable assumptions.  For example, the system can be used to allow you to limit access to your site to full-time students – and recognize them when they return – without actually knowing their names or exposing their identities to the digital grim reaper.  The very problems Tiara worries are not solvable, are actually some of those addressed by this system.

And in truth, they have to be addressed if the resulting infrastructure is to be consistent with the “third law of identity”.  Identity information should only be available to relevant parties.  As an industry we need to think about how the virtual fabric will work and offer people separation of context – or there will be a further and terrible erosion of confidence in cyberspace by those who constitute its future inhabitants.
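As an added illustration of the two properties just described (a site that admits only full-time students, and recognizes them when they come back, without ever learning a name), here is a simplified model written for this post. It is my own sketch, not Windows CardSpace's actual token format or identifier derivation: the per-site pseudonymous identifier, the shared keys, the claim names and the sample user are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed keys for the example. In a deployment the identity provider
# holds these; the token key is shared with relying parties here only to
# keep the example short (real tokens are signed with public-key crypto
# and carry an expiry and a nonce against replay).
IDP_PPID_KEY = b"example-idp-ppid-key"
IDP_TOKEN_KEY = b"example-idp-token-key"


def derive_ppid(user_id, rp_id):
    """Pairwise pseudonymous identifier: stable for one (user, site) pair,
    but different for every site, so two sites cannot correlate a visitor
    by comparing identifiers. Simplified model, not CardSpace's scheme."""
    msg = (user_id + "|" + rp_id).encode()
    return hmac.new(IDP_PPID_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue_token(user_record, rp_id, requested_claims):
    """Minimal disclosure: the token carries only the claims the site asked
    for plus the ppid. The user's name is not included unless requested."""
    claims = {c: user_record[c] for c in requested_claims if c in user_record}
    body = {
        "aud": rp_id,
        "ppid": derive_ppid(user_record["user_id"], rp_id),
        "claims": claims,
    }
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(IDP_TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


class StudentSiteRP:
    """A relying party that admits only full-time students and recognizes
    returning visitors by ppid, without ever seeing a name."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.visits = {}  # ppid -> number of visits seen

    def verify(self, token):
        """Return the token body if signature and audience check out, else None."""
        expected = hmac.new(IDP_TOKEN_KEY, token["payload"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return None
        body = json.loads(token["payload"])
        if body.get("aud") != self.rp_id:
            return None  # token was issued for some other site
        return body

    def admit(self, token):
        body = self.verify(token)
        if body is None:
            return "rejected: invalid token"
        if body["claims"].get("student_status") != "full-time":
            return "rejected: not a full-time student"
        ppid = body["ppid"]
        self.visits[ppid] = self.visits.get(ppid, 0) + 1
        return "returning visitor" if self.visits[ppid] > 1 else "new visitor"


if __name__ == "__main__":
    # Constructed sample user: the identity provider knows the name, the site never sees it.
    alice = {"user_id": "u-1001", "name": "Alice Example", "student_status": "full-time"}
    site = StudentSiteRP("https://students.example.org")
    print(site.admit(issue_token(alice, site.rp_id, ["student_status"])))  # new visitor
    print(site.admit(issue_token(alice, site.rp_id, ["student_status"])))  # returning visitor
```

The point of the design is in `derive_ppid` and `issue_token`: the site learns a claim it can act on and an identifier it can remember, while the name stays with the identity provider, and a second site asking about the same person receives an unrelated identifier.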

ENTERPRISE AND INDIVIDUAL IDENTITY

James McGovern over at Enterprise Architecture: Thought Leadership has a nice post where he poses questions for a bunch of his blogrollers.

It's not that the questions are wicked.  He asks Dan Blum:

Would it be possible for you to figure out creative ways for others to observe the client/analyst dialog in a more public fashion? What would it take for you to start blogging more frequently?

Pat Patterson gets this one:

What would it take for you to get Liberty Alliance to embrace the WS-Federation specification? Having federation capabilities built directly into an operating system is liberating…

And for me:

I would love it if you could start talking about identity from a corporate perspective and not stay exclusively focused on consumer-centric identity. You can leave the consumer stuff to Dick Hardt…

It's true I've been dealing a lot with user-centric identity.  But James, the future of the corporation will unfold largely in the virtual world.  What will then be more important to a corporation than its relationships with its “consumers”?  The lack of a reliable grid for dealing with the individual in the digital world is, in the big picture, the most urgent corporate identity issue of our time. That's one of the reasons I was led into the problem area.

The most important thing about the identity metasystem is the way it creates a unified infrastructure reaching between the corporation (or organization) and the individual (aka consumer).

What are we going to have?  One set of precepts that faces towards the inside of the corporation, and another completely different set that faces the outside?  That doesn't compute, and my work on this blog applies to both sides of this boundary.

The whole evolution of business is towards a more open mesh of interconnecting organizations in which individual relationships are key.  So empowering the individual within the organization will increasingly become the most important aspect of empowering the corporation.  The dichotomy you propose is a false one.

One of the most interesting trends I've seen is that of enterprises “kicking their employees out of the firewall”.  This isn't a good strategy in all cases, for sure, but I've seen a bunch of studies of companies that have slashed IT expenditures (by factors of 10!) by treating their own employees as external individuals.  More than one of these just tell their employees to buy their own PCs outfitted with various programs “off the street” and expense them back to the company – and still get order of magnitude savings.  Only their line of business apps remain behind the firewall.

I'm not proposing this as a direction forward – simply reporting on trends I see.

Reliable identity-based collaboration between individual users which also integrates with organizational identity will empower both the users and the organizations.  Making progress on this front is the most important single thing we can do right now to help the corporations we work for benefit from technology.  That is the big picture.

One key takeaway from your request is that I should explain where I'm coming from a lot better.  On a related theme, I'm getting ready to spend more time on the challenges of being “the relying party” in identity transactions, so I'll try to build these notions into what I'm writing.

You probably know that metadirectory, self-management and provisioning of identities all form an interconnected cluster of passionate interests for me.  Note to self:  start writing about these issues too.

GUIDANCE AND TEST PLAN FOR RELYING PARTIES

I got a note recently from federation master Mike Beach – a man with a great deal of experience in terms of how users react to security:

Is it just me or does your site have an invalid cert?  When I attempt to login using my new Infocard in IE7 I get the infamous “warning, go back, do not enter, danger ahead” and things go all red (really more pink).

Given the primary drivers of Infocard are to save us from all the web evils of today it would seem this is contrary reinforcement when I must ignore all the security warnings to log in.

I thought, “That's weird.  I don't get that problem.”  – you know, the ancestral “That's funny.  It doesn't happen on MY box.”  But of course it really was happening to Mike, so I wrote back and asked if he could send some screenshots.  It turned out this wasn't necessary – he had already figured out the problem.

He had been visiting identityblog using this URL:  https://www.identityblog.com/.  

When he clicked on Login he was redirected to https://identityblog.com/wp-login.php.  

But my certificate is limited to https://www.identityblog.com/.  Therefore IE (correctly) saw Mike's identityblog.com and the certificate's www.identityblog.com as being different – resulting in the reddish bar.  It looked like this:

That's enough to confuse anyone.  So clearly, redirecting to something that isn't consistent with your certificate is a no-no.  I was setting up an experience that would undermine my user's understanding of what was happening to her, breaking law six.  I should have been checking and redirecting to www.identityblog.com even if the user didn't supply the “www”.  Strangely, I had done the Dashboard link correctly – it was only the Login link that had the error.

All of which goes to show there are a set of gotchas that we have to nail down in terms of establishing prescriptive guidance for how a site should deal with these issues in order to be consistent.  We need a checklist – or better still, a test plan.  A wiki would be a good way to elaborate this.

Another big takeaway is that an identity 2.0 relying party has an obligation to make sure it doesn't do things that send mixed signals (in my case, nice InfoCard experience but big red warning bar in IE).  Everyone has to co-operate with the goal of not confusing the user.

It's worth pointing out that none of this is primarily an InfoCard problem.  The same considerations apply to any use of https.  But in the InfoCard case we want to make sure we have the deployment practices nailed down to a higher level than has previously been the case.
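Here is an added example of the kind of check such a test plan could automate, written in Python for this post rather than taken from any product: it compares the host in a redirect target against the names in the site's certificate (the way the browser will), and builds the login URL on the canonical www host so the redirect and the certificate always agree. The certificate-name list is a constructed stand-in for the real certificate; the hostnames are the ones from the story above.

```python
from urllib.parse import urlsplit, urlunsplit

# The certificate covers only www.identityblog.com. This list stands in
# for the certificate's subject names and is constructed for the example.
CERT_NAMES = ["www.identityblog.com"]
CANONICAL_HOST = "www.identityblog.com"


def host_matches_cert(hostname, cert_names):
    """True if hostname is covered by one of the certificate's names.

    Accepts an exact match or a single left-most wildcard label such as
    "*.example.com", which matches exactly one label and never the bare
    domain (the usual RFC 6125 rule). Comparison is case-insensitive and
    ignores a trailing dot.
    """
    hostname = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.com"
            if hostname.endswith(suffix):
                prefix = hostname[: -len(suffix)]  # the part the wildcard covers
                if prefix and "." not in prefix:
                    return True
    return False


def check_redirect(target_url, cert_names):
    """Classify a redirect target the way the browser will.

    Returns (ok, reason). The target must be https and its host must be
    covered by the certificate the site actually serves; anything else
    produces the warning page Mike ran into.
    """
    parts = urlsplit(target_url)
    if parts.scheme != "https":
        return False, "not https: " + target_url
    host = parts.hostname or ""
    if not host_matches_cert(host, cert_names):
        return False, "host %s is not covered by certificate names %s" % (host, cert_names)
    return True, "ok"


def canonical_login_url(requested_url, login_path="/wp-login.php"):
    """Build the login URL on the canonical host no matter which host the
    visitor typed, so the redirect always agrees with the certificate."""
    parts = urlsplit(requested_url)
    return urlunsplit(("https", CANONICAL_HOST, login_path, parts.query, ""))


def audit_links(urls, cert_names):
    """Run check_redirect over every link a site emits and return the
    failures: the kind of check a relying-party test plan would automate."""
    failures = []
    for url in urls:
        ok, reason = check_redirect(url, cert_names)
        if not ok:
            failures.append((url, reason))
    return failures


if __name__ == "__main__":
    # The broken redirect from the post, then the corrected one.
    print(check_redirect("https://identityblog.com/wp-login.php", CERT_NAMES))
    print(check_redirect(canonical_login_url("https://identityblog.com/"), CERT_NAMES))
```

Run `audit_links` over the Login and Dashboard URLs a page emits and it reports the one that disagrees with the certificate, which is exactly the mismatch that only showed up on Mike's box and not on mine.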

PERSONAL INFOCLOUD

Somehow I tumbled into Personal InfoCloud today.  It's a thought provoking site by Thomas Vander Wal, with all kinds of nooks and crannies that lurch off into explorations, from many points of view, of how information and technology could be restructured from the vantage point of the individual.  You should poke around yourself to get a sense for how these ideas hold together;  but here's part of a post on the Come To Me Web:

The improved understanding of the digital realm and its possibilities beyond our metaphors of the physical environment allows us to focus on a “Come to Me” web. What many people are doing today with current technologies is quite different than was done four or five years ago. This is today for some and will be the future for many.

When you talk to people about information and media today they frame it in terms of, “my information”, “my media”, and “my collection”. This label is applied to not only information they created, but information they have found and read/used. The information is with them in their mind and more often than not it is on one or more of their devices drives, either explicitly saved or in cache.

Many of us as designers and developers have embraced “user-centered” or “user experience” design as part of our practice. These mantras place the focus on the people using our tools and information as we have moved to making what we produce “usable”. The “use” in “usable” goes beyond the person just reading the information and to meeting people's desires and needs for reusing information. Microformats and Structured Blogging are two recent projects (among many) that focus on and provide for reuse of information. People can not only read the information, but can easily drop the information into their appropriate application (date related information gets put in the person's calendar, names and contact information are easily dropped into the address book, etc.). These tools also ease the finding and aggregating of the content types.

As people get more accustomed to reusing information and media as they want and need, they find they are not focussed on just one device (the desktop/laptop), but many devices across their life. They have devices at work, at home, mobile, in their living space and they want to have the information that they desire to remain attracted to them no matter where they are. We see the proliferation of web-based bookmarking sites providing people access to their bookmarks/favorites from any web browser on any capable device. We see people working to sync their address books and calendars between devices and using web-based tools to help ensure the information is on the devices near them. People send e-mail and other text/media messages to their various devices and services so information and files are near them. We are seeing people using their web-based or web-connected calendars to program settings on their personal digital video recorders in their living room (or wherever it is located).

Keeping information attracted to one's self or within easy reach, not only requires the information and media be available across devices, but to be in common or open formats. We have moved away from a world where all of our information and media distribution required developing for a proprietary format to one where standards and open formats prevail. Even most current proprietary formats have non-proprietary means of accessing the content or creating the content. We can do this because application protocols interfaces (APIs) are made available for developers or tools based on the APIs can be used to quickly and easily create, recreate, or consume the information or media.

People have moved from finding information and media as being their biggest hurdle, to refinding things in “my collection” being the biggest problem. Managing what people come across and have access to (or had access to) again when they want it and need it is a large problem. In the “come to me” web there is a lot of filtering of information, as we have more avenues to receive information and media.

The metaphor and model in the “I go get” web was navigation and wayfinding. In the “come to me” web the model is based on attraction. This is not the push and pull metaphor from the late 1990s (as that was mostly focussed on single devices and applications). Today's usage is truly focussed on the person and how they set their personal information workflow for digital information. The focus is slightly different. Push and pull focussed on technology, today the focus is on person and technology is just the conduit, which could (and should) fade into the background. The conduits can be used to filter information that is not desired so what is of interest is more easily identified.

It's exciting that Thomas has already had the identity aha.  I think a framework like the one he proposes – based on attraction – is probably an early harbinger of the identity big bang.