BBAuth and OpenID

From commented.org, here's a thoughtful piece by Verisign's Hans Granqvist on Yahoo's BBAuth:

Yahoo! released its Browser-based authentication (BBAuth) mechanism yesterday. It can be used to authenticate 3rd party webapp users to Yahoo!’s services, for example, photo sharing, email sharing.

Big deal, huh?

The kicker is this though. You can use BBAuth for simple single sign-on (SSO). Most 3rd party web app developers would love to have someone deal with the username and password issues. Not storing users’ passwords means much less liability, much less programming, much less problem.

Now Yahoo! gives you a REST-based API to do just that.

It will be interesting to see how this plays out against OpenID. They are both very similar. Granted there is some skew: OpenID is completely open, both for consumers and providers of identity.

However, from my own experience, OpenID consumers (a.k.a. relying parties) seem to want only one thing, perhaps two or three:

  • have someone deal with your users’ passwords,
  • retrieve name and email address for a user

And now Yahoo! does the first, and the second is available. At the same time they’re making your app reachable to 257 million+ users. Here’s an example.

Seems a pretty big reason to implement it for the web app developer, especially since it is such an easy API you can integrate it in an hour or two.

And yet someone has added a sobering comment to Hans’ blog:

It will be interesting to see how long it takes for adoption to reach the point that no one thinks twice when a yahoo login pops up on another site. They'll be nice and ripe for password harvesting via fake yahoo login forms then. :)

Sadly, if I had written this comment I would not have included the happy face. Until the security concerns are addressed, despite Yahoo's very laudable openness, this is not a happy face moment.

But through Yahoo-issued InfoCards BBAuth would avoid the loss of context that will otherwise lead to password harvesting. It's a good concrete example of how the various things we're all working on are synergistic if we combine them.
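The comment above is really about one property: a credential handed back to a site should only be usable at the site the user was actually looking at. The following Python is an added illustration, not code from this post, from Yahoo's BBAuth, or from any InfoCard implementation. It models that property with a token that carries an audience (the relying party it was minted for) and an expiry, protected here by an HMAC over a shared secret for simplicity; real Information Card tokens are signed SAML assertions with an audience restriction, and the site names, secret and field names below are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by the identity provider and relying party.
# Hypothetical: a real issuer would sign with an asymmetric key, not an HMAC secret.
IDP_SECRET = b"demo-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Identity provider side: mint a token bound to one relying party (the audience)."""
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(IDP_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def verify_token(token: str, expected_audience: str, now: int):
    """Relying party side: accept only tokens minted for *this* site and still fresh.
    Returns (True, subject) on success, otherwise (False, reason)."""
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except ValueError:
        return False, "malformed"
    expected_mac = hmac.new(IDP_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected_mac):
        return False, "bad signature"
    claims = json.loads(body)
    if claims.get("aud") != expected_audience:
        # The "loss of context" case: a token obtained for some other site is rejected here.
        return False, "audience mismatch"
    if now >= claims.get("exp", 0):
        return False, "expired"
    return True, claims["sub"]


def demo():
    """Run the four cases a relying party must distinguish (constructed inputs)."""
    now = 1_000_000
    rp = "https://photos.example"          # constructed relying party
    good = issue_token("alice", rp, now)
    # Token minted for a lookalike site: valid signature, wrong audience.
    wrong_site = issue_token("alice", "https://lookalike.example", now)
    # Token whose claims were edited after issue: signature no longer matches.
    body_b64, mac_b64 = good.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["sub"] = "mallory"
    tampered = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + mac_b64
    return {
        "good": verify_token(good, rp, now + 10),
        "wrong_site": verify_token(wrong_site, rp, now + 10),
        "expired": verify_token(good, rp, now + 600),
        "tampered": verify_token(tampered, rp, now + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

The audience check is the piece a plain "Yahoo login pops up on another site" flow cannot give you: if the user cannot tell which site the login belongs to, nothing downstream can bind the result to the right one.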

 

Everyone's coming to the party

New marketing “inspirational speaker” (did I say the right thing?) Deborah Schultz bridges us into a marketing world waking up to the fact that the consumer is indeed in control.  I find the confluence of user centrism really amazing – it lets us move up a level and see our identity work in light of related social trends:

So while the blogosphere was speculating on the now confirmed Google/YouTube deal over the weekend, the annual ANA Masters of Marketing conference took place in Florida. As reported in the NY Times today as well as on various marketing blogs, it seems that the big advertisers and marketers are waking up to the fact that the consumer is indeed in control. This probably has a lot to do with visions of dollar signs dancing in their heads.

So, the big guys now know the buzzwords and are ‘talking the talk’.  My fingers are crossed that they can indeed ‘walk the walk’.

Page Views and Banner Ads alone will not cut it in the new marketing universe and there really are no shortcuts. New metrics and a new cultural shift are needed. As Pete Blackshaw's recent posts here, here and here (yes, I love Pete's stuff) and Steve Rubel's column in Adage discuss – engagement is more than ‘asking your customers to create content for you’.

Until the INTENT of the customer is addressed (i.e. engaging with me when and how I want and need you to) I fear we will just be creating ever more Dove real beauty ads and derivative Mastercard Priceless commercials.  Hey, I am happy the big guys are taking note, but true change will only happen when CRM changes to VRM (I remain and am always a Doc protege).  As Kim Cameron eloquently put it:

The way I read Doc’s ideas, he’s talking about a real inversion of what advertising is and means.  Instead of suppliers advertising what they want us to buy (by spamming our attention), we’ll advertise what WE want to buy, and suppliers will make us offers.  Sounds a lot more efficient to me.  What am I missing?  Why doesn’t everyone want to do this?

Maybe because a lot of what advertising is about is getting us to want things we don’t know we want.  But even that can be done in other better ways too.  Like by producing cool things and having them explode into discussion.  Doc said this too, didn’t he:  Markets are conversations.

Let's see if the big guys have the patience required to ‘get it’.  I remain hopeful yet skeptical. 

It sounds to me like the timing is right to get the geeks and the marketers together for an old fashioned “throwdown” on getting past jargon and discussing how to get this done to the benefit of BOTH sides. Stay tuned!

They once just loved me for my credit card…

Doc's Vendor Relationship Management concept is getting clearer and stronger all the time.  And now I see how and why it ties in to his “Markets are relationships” mantra, eclipsing his tremendously influential, “Markets are conversations”.

For me it's an aha moment.  Sort of like figuring out that you are part of a relationship problem, and not simply a victim of it.  Maybe we really can use technology to move even large companies towards rich relationships with individual customers, responding to an expression of their needs that they own and control. 

In the old world, only corporations and governments had computers to help sort out their problems.  That created a transient situation I have called historically upside down

In the new world, individual people can have their own computerized systems helping them just as enterprises do.  And most interesting, these systems can potentially interwork with those run by enterprises.

Doc's VRM proposal is an example of this.  And what's great about his explanation is that we can see how both sides of the relationship end up benefiting.  Have my robot do lunch with your robot – they'll come up with something.  Here's Doc's piece:

Responding to what what says here (which enlarges on what I said here) Kim Cameron replies, “This is exciting stuff – I'm talking Identity Big Bang content.” He adds,

The way I read Doc's ideas, he's talking about a real inversion of what advertising is and means. Instead of suppliers advertising what they want us to buy (by spamming our attention), we'll advertise what WE want to buy, and suppliers will make us offers. Sounds a lot more efficient to me. What am I missing? Why doesn't everyone want to do this?

Yes, except I also think it's important not to understand VRM (Vendor Relationship Management — the reciprocal of CRM, or Customer Relationship Management) as the reciprocal of advertising. Or the opposite of advertising. Or even the opposite of marketing. I don't think it helps to frame it in terms of any of those things. 

It's something new. Rather than advertise, we notify. We assert. We express. I don't care what we call it, as long as what we do doesn't come across as individuals being just as bad-mannered as advertising has been for the duration.

Kim also says,

Maybe because a lot of what advertising is about is getting us to want things we don't know we want. But even that can be done in other better ways too. Like by producing cool things and having them explode into discussion. Doc said this too, didn't he: Markets are conversations.

Also true. But VRM isn't just about conversation. It's about relationships. And transactions.
 
We've always understood markets in terms of transactions. We wouldn't have markets (or economics, or business schools), without them. And lately we've begun to understand markets in terms of conversations as well. But relationships remain a wild frontier.
 
On the vendor side we've talked and coded ourselves into assuming we have relationships with customers. But CRMs don't relate. Worse, they are delusional about relating. Here's how Wikipedia currently puts it:

Customer relationship management (CRM) covers methods and technologies used by companies to manage their relationships with clients. Information stored on existing customers (and potential customers) is analyzed and used to this end. Automated CRM processes are often used to generate automatic personalized marketing based on the customer information stored in the system.

Wow. Can't wait to make love to that.
 
When you read down through that whole Wikipedia entry, you see how CRMs actually mean to be nice, to respect the customer, yada yada. The problem is, they bear the full burden of a relationship that doesn't exist, because there is nothing much to relate to on the other side. Or worse, the only mechanism for relationship is the one that facilitates the transaction: the credit card.
 
We need to equip the customer with something that facilitates relating to vendors — and takes some of the relationship burden off the vendors as well. 
 
The relating may be enduring or transitory. It may involve disclosing some identity information; or it may keep us anonymous (while disclosing other information that's useful). It must, however, be useful to both sides. We don't have that with advertising (which, aside from all the waste it involves, brings the wrong perspective and sets of assumptions to the problem).
 
I like Dave's prototype idea for “a movie review system where I own and control my data”, because it's a great first step. It says to Vendor CRMs, “This is my data, and it's independent of your silo. And that makes it more valuable to both of us than it would be if it lived in your silo alone.”
 
We need to discover some of what VRM can do before the rest of it can become clear. Which it will. Inevitably.
 
Bonus link.

Very strong stuff – and has such a nice balance.

Move over, Jeopardy! Watch out, Vegas!

Anyone who has heard Citigroup's Hilary Ward speaking at identity conferences knows Citi has the understanding and experience needed to launch a major league identity team.  And it looks like it's happening.  They have some very interesting new technology, and will be issuing high assurance certificates.

Beyond that, these folks have a sense of humor.

My friend Francis just sent me Citi's new Vegas Quiz game based around Identity and Digital Certificates.  

It will be played by visitors to the Citigroup booth at the upcoming Association of Financial Professionals (AFP) conference in Las Vegas.

Citi-id-challenge 

You must present a high-assurance digital certificate to win, so get ready!

The quiz is a real achievement in integration.  It's built with Windows Presentation Foundation – and uses digital certificate information read from Smart Cards or USB tokens.

The player's score is then written out to a Word document which in turn is signed using the digital certificate from the store. 

All joking aside, one can see that the real-world version of this will be a dynamite application in this world of SOX and increasing quality of process.

I'm also willing to bet this is the first application that combines high-assurance digital certificates with the Windows Presentation Foundation (formerly Avalon).

I can just imagine all this stuff integrated with InfoCards.

 

The database state?

Britain's Ian Brown (author of Blogzilla) is inviting people to a conference at University College London on the first of November:

The UK government is pushing ahead with an ambitious programme to re-engineer the processes of public administration, based on wide-spread sharing of personal data between previously isolated departments and agencies. This is being backed up by proposals for the weakening of data protection law and the building of massive national databases on both adults and children.  

Is widespread data sharing a panacea for effective 21st century government? Is it legal within the European privacy framework? Or, as Tony Blair has claimed, are we living in an entirely new world in which we should leave behind “outdated” notions of human rights?

This workshop will bring together lawyers, technologists, regulators and activists with a shared interest in the development of effective and privacy-friendly government. It will feature expert speakers on two major UK databases: the children's Information Sharing Index (which will hold details on every UK child) and the NHS Care Records Service (which will eventually hold all medical records electronically within the National Health Service). But most importantly, it will give all participants the chance to discuss their views on the privacy principles that should lie behind public administration in the information age.

Places are limited, so please RSVP to I.Brown[at]cs.ucl.ac.uk if you wish to attend.

Gee.  I wish I were able to attend, because I would like to add some questions that interest me more than the political ones: 
  • Where are the actual goals defined for the databases?
  • What other mechanisms have been examined as alternative ways of achieving those goals?
  • Where are the studies in which alternative technologies were compared and large central databases selected as the safest answer?
  • Where are the security threat analyses of these databases published for public review?

It sounds fascinating – I hope it will be podcast.

 

Rob Richards and a new WS-Security / InfoCard code base

Over the last while I've been lucky enough to have some conversations with a php web services guru from the northeast called Rob Richards.  He asked some very good questions about self-issued identities, which I wrote up and will be posting, and also answered a number of my questions about PHP. 

Besides being prolific and modest he kind of won my heart through a posting called I asked for a beer. The photo at right shows what he got instead – city people, that is a bear, not a dog – and the story reminds me of all kinds of personal episodes too crazy for me to even think about at this stage.

But that's not the point.  He's been quietly doing amazing work that again shows how close we are to getting ubiquity with progressively more robust identity technology. 

Here is a posting that refers to slides from some talks he did at PHP|2006 in Montreal. 

The first was called Advanced XML and Web Services (with accompanying code), while the second was a good overview of XML Security that is so up to date it even covers Information Cards in excellent detail.

But wait, folks.  That's not all.  There's also the code base.  And the fact that he has InfoCard-enabled his Serendipity blog.

For the XML Security session, what people are probably most interested in is the code used to implement WS-Security and possibly Infocards using PHP.

  • Security Library – Base XML Security library implementing XMLENC and XMLDSig functionality.
  • WS-Security library – WS-Security library for use with SOAP. Currently only implements client functionality and is missing the ability to encrypt SOAP data.
  • Example Usage of WS-Security – An example of interacting with the Amazon Elastic Compute Cloud (Amazon EC2) SOAP Service. Easily re-factored for use with other services requiring WS-Security.
  • Infocard Library – Base library for processing infocards.
  • Infocard demonstration – Demonstration of processing a submitted Infocard. The result is a SAML token along with a function to view submitted assertions. The form has NOT been updated to work with the recent namespace change, so modify the requiredClaims for use with IE7 RC1, Vista RC1 or .NET 3.0 RC1.

These libraries and examples contain unmaintained, yet useable code. They were developed only for testing while designing an API for C based code and most likely any extensions developed to perform the functionality will differ from the code provided here. There are many optimizations that can be made to provide better performance, so feel free to make any modifications you like. I may provide updates in the way of bug fixes if needed and might extend them a bit more if so inspired (such as adding encryption to the soap client or possibly handling of ws-security on the server side), but if anyone wants to take the code and run with it, please let me know as I would gladly provide help (time permitting).

It's really interesting to hear Rob is working on ‘C’ code as well.

Whobar identity 2.0 technology now available as open source

Not only does Whobar support InfoCards and related identity technology, but check this out:

Sxip is pleased to release the Whobar code to the community.

Whobar makes it easy for users to register and login to a website using their choice of emerging identity protocols such as InfoCard, i-names, and OpenID. It enables developers to easily add support of all these emerging Identity 2.0 technologies to their site. The benefit of this for users is a common website login experience. For web developers, it streamlines their user registration and login process so that they don’t need to store user passwords, nor do users need to remember yet another password, thereby improving site conversion ratios. Future releases will also allow users, if they so choose, to release data about themselves with a single click.

Given the interest shown at the recent DIDW and Future of Web Apps conferences from Phil Windley, Rafe Needleman, and others in the community, we’ve made the Whobar technology available as open source. Whobar is written in PHP, but works like a proxy, so that the web application can be in any language. However, we’ve also been contacted by several developers interested in contributing a port to C#/.NET so stay tuned for additional modules. If you’re interested in getting involved, please check out our contributing page.

Congratulations to the SXIP team.  When I saw this at the DIDW conference I thought it was amazing.  I'll do a video capture over the next few days so those who haven't downloaded Cardspace or a Chuck Mortimer / Ian Brown identity selector can see what it's all about.

New features added to Safari InfoCard plugin

Ian Brown continues to add features to his proof of concept InfoCards for Safari, and has software that will definitely get you into my blog to leave comments.  He points out that his identity selector still needs a number of features, but as Jon Udell has said, Ian's work is absolutely cool.  It's not taking anything away from Ian's accomplishment to say it should inform everyone's thinking about the fact that there is not a huge barrier to entry for this technology.  It can be deployed cross platform, and is eminently buildable.  To quote Ian: 

For the faint of heart, or for those running those other operating systems, here's a short screencast of the selector in action, authN'ing against Kim Cameron's RP

click to download movie

 

Download the plugin for the Power PC here.

Download the intel version here.

 

What a silo used to be…

Dave Winer at Scripting News brings us this.  The funny thing is, I actually had to cheat and read the HTML IMG tag to figure out that the tall cylinder in Dave's picture is a silo! 

I just saw it as a graphic of a barn, and wondered, “Why is Dave Winer putting a barn on his blog?  Has he run out of pictures?”

In my shrinking mind, the word “silo” had been totally disconnected from its original meaning, and usurped by the very notion of segregated technology realms that Dave is telling us about.  So the farm thing didn't register.

Doc talks about a Vendor Management Systems, to balance the other side’s Customer Management Systems. I, of course, like. A prototype for this is a movie review system where I own and control my data. Today, I rate movies on Netflix and Yahoo, but I can’t get them to share the data with each other, so they make recommendations without info the other one has. If I had a place where I kept my movie ratings and gave each of them a pointer to it, they could read it and I would control the data. It would be very easy to set up, the technology is no trick at all. The hard part is getting enough users to do it this way to gain critical mass. This is also the idea behind Edgeio and Marc Canter’s People Aggregator. Open systems, users own the data, silos smell of sulfur.

This is exciting stuff – I'm talking Identity Big Bang content.

The way I read Doc's ideas, he's talking about a real inversion of what advertising is and means.  Instead of suppliers advertising what they want us to buy (by spamming our attention), we'll advertise what WE want to buy, and suppliers will make us offers.  Sounds a lot more efficient to me.  What am I missing?  Why doesn't everyone want to do this?

Maybe because a lot of what advertising is about is getting us to want things we don't know we want.  But even that can be done in other better ways too.  Like by producing cool things and having them explode into discussion.  Doc said this too, didn't he:  Markets are conversations.