Demo libraries fix

Keith Grennan has a fix to the PHP sample code I published a while back.  He notes he “hasn't heard back”…  My mail system is extremely aggressive about putting things in the Junk Mail folder, so if you ever “don't hear back” don't be afraid to ping me again. 

I was hacking on Kim Cameron’s demo PHP InfoCard libraries recently, and sometimes found I got the error “SignedInfo digest doesn’t match calculated digest”.

It turns out the XML canonicalization in infocard-post-get-claims.php was breaking when character data in the token contained entity references (e.g. &), because the characterData handler gets only the decoded data.

Here’s a patch that fixes it. The patch re-encodes ‘< ’, ‘>’, and ‘&’ characters back to ‘<’, ‘>’ and ‘&’ respectively before adding them to $canonicalTokenBuffer. There are some edge cases that may not be solved by this patch, but it’s a quick fix that should make the token processing code more robust for many possible cases. I sent it to Kim but have not heard back.

Happy infocarding.

Check out the fix here.  I'll incorporate it into my code, which is intended to help people master infocard and can be used in whatever way is deemed helpful.  I'll post an updated ZIP this comng week.

Thanks, Keith.


How old are you? Are you single?

From Business News, here is a nice article by Jessica E. Vascellaro of The Wall Street Journal on identity-proofing.  It's amazing how well she understands the emerging options:

Rob Barbour has found a new way of enhancing his reputation online: showcasing his newly verified identity. When he put up an eBay Inc. listing a few weeks ago, the Ashburn, Va., technology consultant embedded a link to his new online profile on verification service Trufina Inc.

He soon will paste the link in his emails and on a Web site where he sells software and offers programming advice. “I needed a tool that will prove to somebody that this is who I am,” says Mr. Barbour, 39 years old.

Proving who you are is increasingly important on the Web, amid growing concern that pervasive Internet fraud is making it difficult to know whom to trust. In response, companies are developing a slew of new tools to help people confirm their identities. The new services allow consumers to create and share verified personal profiles with people they meet or do business with online.

In recent weeks, many of these services have announced new partnerships with popular social-networking, shopping and dating sites, which face particular pressure to keep out cyber crooks. Trufina, which has recently joined up with dating sites like and, relaunched last week with a wider menu of verification tools. Opinity Inc., a new profile-sharing service that verifies a user's age, hometown and, in coming weeks, education and employment history, has recently announced partnerships with social-networking sites like, classified site and technology-news site IDology Inc., which performs age and identity checks on customers for high-end online merchants, will this week announce a deal with Zoey's Room, a networking site for girls, marking the first time its age and identity-verification technology will be part of a social-networking site.

Whether they're shopping, chatting, doing business or looking for dates, consumers are increasingly on edge about online safety. In 2005, 59 percent of Americans “completely or strongly” agreed that Internet-based financial transactions were secure, down from 70 percent in 2003 according to Informa Research Services. A recent report from the Pew Internet & American Life Project found that 66 percent of Internet users believe online dating is dangerous because it puts personal information online.

Concerns about the safety of minors, in particular, have exposed the need for more effective ways to confirm a person's identity than a user name and a password. Social-networking sites attempt to protect their members by imposing minimum age restrictions but can't easily enforce them. News Corp.’s, which requires members to be at least 14 years old, told Congress in June that it is looking at age-verification technology but hasn't yet found any effective options.

Proposed solutions for protecting children from online predators are controversial. Last week the House of Representatives passed a bill that bans social-networking sites and chat rooms from schools and libraries that receive certain federal funding. The bill, which has been criticized as too broad and blunt by some online-privacy groups, has been referred to a Senate committee.

A growing number of businesses, too, are using online verification services to check out their customers. Wine company Kendall-Jackson uses IDology's age-verification technology to confirm that new customers on two of its e-commerce sites are at least 21 years old, and it plans to implement more-comprehensive identity verification soon to help combat credit-card fraud., an online jeweler, uses IDology's tools to authenticate buyers whom it flags as high-risk, which include those with particularly high transaction volumes or mismatched addresses.

Microsoft Corp. is addressing online-safety concerns by constructing its own identity technology from scratch. The technology, called Windows CardSpace, is in a very early stage but will be built into its upcoming Windows Vista operating system. CardSpace allows users to log into Web sites by clicking on different digital credentials, or information cards. Users could create their own information cards or they could get the credentials issued to them by a trusted party, like a bank. (Microsoft doesn't host or store the identity information; it just provides the technology for its transfer.) CardSpace is meant to be more secure and useful than passwords because information cards can hold more information, like an address or a credit-card number, and can be backed by a third party.

International Business Machines Corp., Novell Inc. and various other academics and vendors are working together on a similar project. Their technology, dubbed “Project Higgins,” would be open-source.

But radically new tools like these won't be rolled out widely before next year. In the meantime, current services tend to focus on creating a trusted profile that can be used across sites or shared. The services, which collaborate with background-checking companies of the sort corporations use to research future hires, often check attributes like age, address, gender, education, employment and whether a person has a criminal record. Most services provide a basic verification of name, email, and sometimes address free of charge. Anything more can cost up to around $15 a year. The information is typically checked against credit-bureau records and other publicly available data, like property listings and databases of known criminals and sex offenders.

To sign up, users enter their personal data and are sometimes asked to answer a series of tricky multiple-choice questions no one else will likely be able to answer, such as the size of their last mortgage payment. Some details are confirmed automatically; others take time. On Trufina, a basic verification takes two to three minutes, with a background check usually taking less than 10 minutes, says Christian Madsen, chief executive of the College Park, Md., company.

Users can sign up through the services’ own home pages or through a partner site, where some of the costs are absorbed into other membership fees., an online-dating site with two million members, charges customers $145 for a year of its premium service, which requires a Trufina background check.

Currently, the services aren't in widespread use. Indeed, some consumers complain that their verified profiles aren't yet particularly helpful. Max Markidan, a 26-year-old management consultant in Arlington, Va., says he doesn't find it useful for professional networking because few users beyond dating sites appear to have adopted it. “I am married, so I can't really use Trufina at this point,” he says.

The companies’ partnerships with popular sites will make or break their adoption, analysts say, by providing them with necessary revenue and more users.

While many of the services aim to assuage privacy concerns, they may run up against them, too. Briana Doyle, a 24-year-old from New Westminster, British Columbia, joined Opinity last month hoping it would help her aggregate personal information about herself she wished to share with other people online. But she stopped short at divulging details like her address, verifying instead her user names on other Web services like Yahoo's photo-sharing site Flickr, which the service also verifies. “I didn't see any reason to put my address front and center,” says the Web editor.

The companies stress that they don't store personal information about their users. But consumers may still shrink from a service they think knows too much about them. “The minute you aggregate identity information you aggregate risk,” says Jamie Lewis, the chief executive of the Burton Group, a Salt Lake City research firm. With hackers out looking for financial information, “you create a target,” he says.

The Verification Chain

How new identity-verification services work.

  • Users sign up for a new account on a classified, social-networking or dating site and are prompted to click through to the site of an identity verifier.
  • Verification service prompts users to create profiles with details such as their age, address, and occupation.
  • Verification services — or a separate company — electronically check data in public-record databases to verify assertions.

Once it supports Information Cards, a company like Opinity might offer a card that would assert an age or marital status and yet ensure no personally identifying information is communicated.  The most important aspect of this is that users won't need to reveal secret or identifying information to anyone but the Identity Provider (Opinity for example).

Get over to Craig Burton's blog

Craig Burton is blogging up a Perfect Storm at  In fact he's posting so many nice little nuggets that you only see about a day and half's worth when you go to his site with a browser.  Make sure you navigate back using the calendar.

Since a couple of the recent pieces concern things I'm involved with, I'll pick up on those.

Let's start with the discreetly named Vendor Lock in Sucks:

Microsoft plans link between directory, Live services: ”

Microsoft is planning to sync its Active Directory with its Live Web-based services to give users single sign-on for applications and services both inside a company network and on the Web.

Technically a good idea. Fewer namespaces and fewer administration models. Reality is, customers are loathe to get roped into Msft centrism. Msft has yet to make the cut to OS inpdependent Internet services.

Trust me, that is the future. The longer they put it off, the worse it is for everybody.

The open source community isn't much better. Politics is winning over common sense.

It will be interesting to see how Ozzie guides the company towards this end. Gates hasn't, won't. Ballmer is worse, Allchin…I have no more to say about that.

Let me talk to Craig directly for a minute.

Craig, take a look at the Windows Live ID whitepaper and let me know what you think of it. 

In my view it is consistent with a number of the ideas you've brought to the industry for a long time now. 

As far as I can see, there won't be anything proprietary about the way Windows Live ID federates with Active Directory or anything else – it will just use the WS-Federation and WS-Trust specifications, which are being implemented more widely, by more vendors, every day – and can be used on a royalty-free basis.

So then how does this initiative lock anyone in? I'm a non-lockin sort of guy.  We need to win customer support by producing products that are cool to use and manage; that have superior reliability and integration with dev tools; and that are open to other implementations.

As for your comments on Bill (and his friends), you just can't produce the kinds of technologies we are about to deliver in fifteen minutes.  Our work has been going on for a while (!) and involved a lot of patient investment.  The truth is, Bill has been a great supporter of ubiquitous Internet identity and I want to stand up for all he's done to help, just as I would do for you.  This said, Ray also brings a lot to the table.

Craig also has a recent post on Cardspace:

A Sandbox to Play In:

Pamela Dingle, who always has the intestinal fortitude to ask the best darn questions at Catalyst (and other conferences), has posted a good “quick start” guide for anyone wanting to play around with Windows CardSpace. Via that post, I found this CardSpace “sandbox” site, which has some interesting pointers on it.”

Jamie Lewis points to some Cardspace resources. I opened my control panel the other day, and there was a new control panel named “Digital Identities.” It let me create an infocard. I have no idea what to do with it, but I know it came from Kim's group. I will try to find out more about this.

This is getting exciting.  So Craig, now, while you are on identityblog, choose Login.  When you get to the login page, click on my Information Card icon (a placeholder while we all agree on a real icon).  Let me know how that goes too.

UPDATE:  The original link for the Live ID Whitepaper was broken – I have fixed it.

O2’s FREE monthly handset teaches how to be phished

The relationships between enterprises and their “designated agents” are often pretty murky from a customer point of view.  In the old days, few people cared.  But in the world of phishing, we need a lot more clarity about who is representing whom – we need to know if an offer originates from a someone legitimate or not.

In this postBen Laurie shows just how hard the current identity patchwork (read “architectural black hole”) makes it to know what is going on – even if you're one of the top Internet security people in the world. 

Ben tells us, “O2 like phishing…”:   

They must do, or they wouldn’t do stupid things like this.

I got an email, looking just like this:

We’d like to say ‘thanks’ for being a great customer by offering you either a FREE Pay Monthly handset upgrade OR £100 credit added to your account – provided you haven’t recently upgraded.†   

And it couldn’t be easier. All you have to do is renew your contract with O2 before 31st August 2006.

If you choose to renew your contract for 18 months, rather than 12 then there’s even more on offer:

If you prefer to talk we have a range of Talker plans with Double Minutes each month*. For example, on an Online 500 Talker plan you’ll get 1000 minutes and 150 messages each month for £35.

If you prefer to text we also have a range of Texter plans which offer 50% Extra Minutes and Texts each month*.

For example, on an Online 500 Texter plan you’ll get 750 mins and 750 messages each month for £35.

To see our full range of handsets and offers and to renew your contract, click here.

And thanks again for choosing O2 .

† The information used in this mailing is based on your contract status as at 30th April 2006. Unfortunately, if you upgraded after this date your new contract means you won’t be eligible for these offers. Terms and conditions apply.

*Offer subject to ongoing connection to eligible tariff see letter for details. Promotional allowances must be used within the month. Unused allowances cannot be carried over into subsequent months.

OK, I removed some maybe-identifying data from the link, but you’ll notice the link goes to “Oho”, says I, being a suspicious sort, “that’s not O2’s website, I wonder who managed to register it?”

$ whois   

Domain name:


Registrant type:
UK Individual

Registrant’s address:
The registrant is a non-trading individual who has opted to have their
address omitted from the WHOIS service.

Registrant’s agent:
MCI Worldcom Ltd [Tag = UUNETPIPEX]

Relevant dates:
Registered on: 01-Aug-2003
Renewal date: 01-Aug-2007
Last updated: 04-Aug-2003

Registration status:
Registered until renewal date.

Name servers:

Hmmm, a non-trading individual who wants to renew my phone contract, eh? Think I’d better check that out – but what a shame, doesn’t actually resolve, so looks like I’m not talking to them. And, oh dear, Nominet are closed until Monday, so that avenue is out, too.

The mail itself, incidentally, purports to come from, a domain which they didn’t even bother to register.

So, fearing nothing, I clicked on the link – which redirects me to Here we go again.

$ whois   

Domain name:

AIS Group Ltd

Registrant type:
UK Limited Company, (Company number: 3561278)

Registrant’s address:
Berners House
47-48 Berners St

Registrant’s agent:
Global Registration Services Ltd [Tag = GRS]

Relevant dates:
Registered on: 14-Apr-2005
Renewal date: 14-Apr-2007
Last updated: 27-Jul-2005

Registration status:
Registered until renewal date.

Name servers:

At least this has an address, if I could be bothered to follow up, which I can’t, but this all looks a bit fishy. To compound the fun, I also got a text on my mobile with the same offer, but anyway, I phone O2 customer services. They explain that this cannot possibly be O2, it must be one of their “marketing partners” who will, if I fill in the form, renew my contract with O2, but via them. And, presumably, or maybe not, give me a new phone. I ask where they got my email address and phone number, and the answer is that at some point I left a box ticked that said it was OK for partners to send me stuff.

So, do O2 condone this practice, I ask? The answer is, apparently, that they do. They don’t even mind, it seems, that the website has O2 branding on it.

If O2 is going to allow people they have contractual relationships with to do this kind of thing, how on Earth do they expect consumers to learn what is phishing and what is not?

Ben's aproach is the only one you can take with today's web technology.  Basically, you need to know how to analyse subdomains and understand DNS paths.  Given this, one wonders why O2 condones the use of URLs worthy of the best phisher.  It is cutting the last safety line we have been able to clutch between our fingers in trying to achieve even the most marginal Internet safety.

Still, I find myself choking on the idea that for people to understand they are being phished, they need to understand subdomains and the intricacies of DNS.

One of the great advantages of the way Information Cards work is that the site the user is visiting (in this case can specify its designated agents in a cryptographically secure fashion.  In this case, O2 could specifify as the entity the user should exchange identity information with.  The user would be guaranteed that this was an extension of her relationship with O2, with O2renew acting as an agent of


Soothing music all around

Google's Ben Laurie continues with a post I'd call “Cogent with cloudy periods”:

Not surprispingly, my post “Google Account Authentication” attracted some pretty instant responses, as well as comments on the post itself.

On further reflection, comparing Live ID with Google’s authentication is comparing apples and oranges. Live ID may allow people to choose who they accept authentication from, but where does it say that anyone is planning to accept anyone’s word other than their own? In particular, where do Microsoft say they’re going to grant access to Microsoft properties using identity tokens issued by anyone other than Microsoft?

Interesting. Let me explain how I see it. The Windows Live ID whitepaper is about the technical architecture of Windows Live ID, and new capabilities allowing it to be part of a standardized, multi-centered, federated identity fabric. This includes support for Information Cards. Reading the paper, it's easy to see how enterprises or groups of users could gain access to Windows Live services using their native systems federating with Windows Live ID, rather than requiring separate accounts. The business model for this would be totally straightforward.

Now, in terms of how the protocols work, a similar federation relationship could be established between a Windows Live and a Yahoo or a Google. But the business models there are way harder to figure out. You need multiple players to buy in – it needs to be a win/win/win. I don't think anyone has figured this stuff out. Basically, it's a lot easier to change technologies than to change business models.

Still, to me, it makes sense to put a safer, more flexible technical infrastructure in place that offers advantages within current business models while simultaneously laying the groundwork for new approaches as they arise. But let's try to see the two as relatively autonomous.

Ben continues:

Eric Norlin says: “Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport.” But is this actually true? What Microsoft appears to have learnt is that it can’t get everyone to accept its credentials. So, what’s the next best thing? Get everyone to use MS technology for accepting credentials. Perhaps that’ll even lead to Passport Mark II where the default is to trust Microsoft. Where does Microsoft’s work on Infocard or Live ID or whatever-the-passport-nom-de-jour is show that Microsoft has any intention whatsoever of opening their silo? What it shows is that they think everyone else should open their silo.

This mish-mashes so many orthogonal ideas together that it gets a wee bit looney. If the following sounds disconnected, it's because the way Ben connected things doesn't make any sense to me:

  • It's true that a lot of us at Microsoft want to “open the silo”. That doesn't make it easy, or make it obvious what to do.
  • WS-Trust is not Microsoft Technology, unless IBM is now part of Microsoft – not to mention the hundred or so other companies who have worked on the WS specifications.
  • Information Cards are not Microsoft proprietary for two reasons: first, the protocols are in OASIS standardization and available royalty-free; and, second, because there is a consortium building real open-source implementations today (OSIS).
  • I don't understand why Ben wants to confuse a service offering like Windows Live ID with a cross platform technology initiative like the Identity Metasystem.
  • I'm even more mystified at the implication that our Cardspace implementation of Information Cards is a plot. It doesn't offer special advantages to Windows Live ID. Services like those offered by Google get equal billing with services that might come from Microsoft. What is the sin here?
  • Given the difference between services and open cross platform technology, why call Cardspace “the-passport-nom-de-jour” – except to be naughty?

Anyway, I'm just going to assume Ben had a bad hair day, which everyone has a right to.

Parhaps the flurry of postings made it look like people were ganging up on Google – not at all my intention – I still think that on identity our interests converge and we're all in similar places.

At any rate, Ben concludes thus:

Fred asks: “could you explain why Google shouldn’t allow their accounts system to be accessed by Yahoo credentials?”

All I can say is what I already said: there isn’t a widely used, mature, reliable, secure identity federation mechanism available today. Whether Google wants to do this or not, in practice, they can’t. Such decisions have to wait for standardised mechanisms to emerge, in my view.

Dick is “suprised to see this post given conversations we had”. Well, Dick, if the fact that I don’t always agree with you is surprising, then you’d better stock up on soothing music or something.

I think the situation calls for soothing music all around. How about Iggy Pop?

Personal Identity Mesh

Identity Open Spaces are always interesting – uninterrupted hallway conversations that let you get to the nub of things – but this week's was different from the others because it was held in conjunction with a meeting of the Liberty Alliance.  This threw us all together with a bunch of people we hadn't met before, and frankly I think it was very useful.  We all got to present and discuss our work, interests and concerns.

It's hard to explain – or even imagine – what these meetings are like, because people are coming from such different places that their take-aways differ dramatically.  I'm sure a number of people will blog about this, but I'll just start by quoting Marc Canter of Macromedia fame.  One of the interesting things about Marc is that he just wants results – identity he can use in his products.

As I sit here in the blazing heat, periodically jumping into my pool – I’m feeling good about the last few days I spent in Vancouver.  It was great for me to get away from answering sales calls, improving user interfaces and dealing with Angel investors.  I found myself right back smack dab in the middle of an evolution of technology, where enterprise, mil spec encryption, security and privacy technology was being deployed for the purposes of each and every one of us to be able to control our content and meta-data.

Moving and controlling profile data is important, but we ALSO gotta control access to our content – based upon our relationships to the viewer.  Apparently Vox does this pretty well – but I haven’t checked it out – yet.

A lot of time and energy was spent up in Vancouver trying to define and speak clearly of all the different platforms and their nuances.  It was an Open Space effort, designed to correspond with a Liberty Alliance meeting, so lots of loosely structured meetings occurred where real work was accomplished.

One on hand you had all these academic and enterprise researchers and experts who are managing bank accounts, mutual fund accounts and health records, debating on details like ‘is it THIS or really THAT.  Then a bunch of the open folks – like Neustar and Cordence were there – more or less hawking their goods.

So in other words this was the “open user-centric folks” meet the SAML/Federated trust enterprise wonks fest.

I’d say it came off pretty well – espeially with Kaliya Hamlin leading the organization, facilitating the conversations and keeping things lively. I did my best to also “keep folks awake” – while only dosiing off a few times myself, during those insipid debates on “do you mean WHAT you mean or is that a semblence of meaning in your declaration?”  It was that bad.

As a vendor I went to this meeting knowing that I was a downstream participant, some one who’s issues are allot different from the folks who are tryign to stake our real estate around ’standards’.  You see – we (by defintion) have to support ALL the standards, so my only real motivation is to get as many of them to work together and adhere to each other’s standards.

And that’s what I did.  There was a whole session on ‘Protocols Converging’ (led by Dick Hardt) and that led to a few private meetings out in the hallwway, which is where al the real work gets done. I myself am excited about what Dick is gonna show and unveil at OSCON next week,but I can’t tell yah about it.

Or else I’d have to kill you……

Anyway – based upon what I heard at this meeting, here are some issues that are pretty easy for me to make:

  • At best we’ll get 2% of the populace using this stuff – even within the next few years
  • But many more people WOULD/COULD use it if it was readily accesssible, easy to use and they understand what the fuck it meant
  • Doesn’t really matter if it implements authentication, if that’s ALL it does
  • I agree with Kim Cameron – there will be two approaches to this area – card based and address based

And that’s the best way we can describe it to the humans.

The Identity space is really complicated, and our clients expect me to be an expert at it.  So I nerded out over the past few days and have the next generation acrhiutecture for PeopleAggregator designed with it in mind. 

It’ll make sure that real value can be delivered to humans – real soon now- regardless of whether or not they’re (the humans) willing to jump through all the hoops and grok all the nuances of the Identity puzzle.

There’s one inherent tradeoff for this.  If you don’t want to jump through all the hoops of getting a card or sigining up for an address (of just hacking one yourself) then you CAN’T COMPLAIN if you don’t get a phishing proofed, crypto encoded, secruity tight, hacker proof, scalable, long term, persistent unique identifier.

But if all that really gets you off, then you won’t mind jupning through all the hoops.  Those hoops require opting in, sharing, moving and adhering to all these rules – about Personal Identity Mesh. 

Getting a info card to be compatible with Kim Cameron’s Info Cards system, which will be built into Vista and is available for XP – right now – will be about getting something called a .crd fileKim showed using Info Cards to log into WordPress – just to prove that it works on a LAMP stack, open source platform.

David Recordan (of Verisign) led an excellent session on OpenID and talked about its status.  Drummond Reed was there to talk about XRI and and inames.  All the major players in this space were there and talking to each other.

Dick Hardt had a session on coming up with a name for the unique thing we’re doing.  Its not a traditional federation, or circle of trust – its recognizing that inviiduals rely upon portals (or fancy webapp) software to get their services and that they’re probably dealing with LOTS of these services.  Each o these portals have all sorts of assertions, backend technology, web services, aliance partners and otehr infrastructure.  But what we SEE is the portal or NetVibes or PageFlakes or MySpace or Vox.

The human is then supposed to confer and rely upon (what’s known as) an identity provider or identity broker – which is usually an objective 3rd party – to verify their claims, assertions and transactions. We debated upon what to call it – but we all agreed that its something new and unique. I call this the “Personal Identity Mesh” – cause anybody can use any Identity broker – yet we’re all supposed to trust and believe in these ‘reputation systems (especially is Auren Hoffman has his way – with Rapleaf.)

Whatever the term is – its the universe that PeopleAggregator is going to support and help make happen. But we need LOTS of vendors to participate and the big boys – too.

I really like the term “Personal Identity Mesh” that came out of the “naming” discussion led by Dick Hardt.  It sums up what a lot of us are trying to do. 

I should also make it clear that I don't think there are very many who see information cards and URL-based identities as being opposed to each other.  A card can represent a URL-based identity, and a URL can be used, in a number of use cases, to represent the identity that would be conveyed through a card.  This doesn't work in all cases, but it works in enough important cases that it is very useful.

Finally, I think Marc's estimate of 2% over three years is overly pessimistic.  The big sites and big players can accelerate adoption a whole lot with the flick of the switch.  I've already had people tell me they are going to enable hundreds of millions of accounts with Information Card support.  If they do what they are saying they'll do, and if people like the experience as much as I think they will, there can be a serious network effect here.

Marcus Lasance on Information Cards

Identity heavyweight Marcus Lasance is Managing Director of U.K.-based MaXware.  He wrote this piece on E-commerce and User-Centric identity management in ITSM Watch

New ID schemas are emerging that will, hopefully, ease IT's management burden while fueling e-commerce, writes ITSM Watch guest columnist Marcus Lasance of MaXware.

Enterprise organizations and governments view customer relationship information as a key asset and are fiercely protective of this asset. Fortunes are spent on maintaining customer’s personal information and protecting this information from prying eyes as mandated by data protection legislation.

CIOs are relying on meta directory technology to solve one of the industry’s thorniest problems: how to maintain information about the same individual scattered over different databases and directories nevertheless perfectly synchronized. Corporate-managed updates are effectively replicated using standards based connectors and schema mapping between systems.

However, what this technology cannot solve is the ability to provide updates we don’t know about. In the real world, our customer’s circumstances are constantly changing, yet businesses and (most) government agencies are not automatically alerted. This is an ongoing problem, because no matter how good we are at synchronizing data across platforms and applications, it doesn’t matter when the data becomes rapidly obsolete.

No call center can solve this problem. As an industry, we need to find a more logical way to manage this; namely through user-centric computing which puts individuals back in charge of their own identities.

Today, CIOs are watching two different user-centric solutions rise in popularity: InfoCard from Microsoft and Project Higgins from the open source community.

Conventional wisdom indicates that, with the advent of Vista on countless PC desktops, InfoCard will become the de-facto way users will manage their identity information. CIOs need to take note: On a global scale, employers are expected to issue InfoCards to their employees, governments to their citizens, etc.

Greater acceptance to InfoCard is due, in part, to InfoCard’s being based on WS-Trust and providing a much more “open” solution than Microsoft’s previous and suspiciously received Passport offering. InfoCard is not designed to run exclusively on Microsoft servers or Microsoft owned networks, which means that, in principle, every home PC connected to the Internet can become an identity provider.

What will be the business implications of a huge uptake of InfoCards as a mechanism to replace good old username-password logins to most e-commerce websites? Is it another expensive hype that hasn’t lived up to its expectations like PKI, which was predicted to fuel e-commerce like a out-back fire storm?

Well-known companies like eBay and Amazon are most likely to be early adopters of user-centric computing and other e-commerce sites will soon follow suit or be left behind. Cost savings combined with better security should follow naturally.

I can see a future in which most users will have between three-and-six InfoCards that can regularly used for different types of public or private transactions. The chore of maintaining personal information relating to those cards now resides with the individual, making it easier for organizations and consumers both.

With user consent and by subscribing to change alerts from identity providers companies don’t have to waste tremendous financial and human resources managing data with a rapidly deteriorating life span. Individuals don’t have to worry about maintaining endless silos of personal data.

When consumers can assign preferred identities to trusted vendors and more anonymous identities to things like chat rooms we will eliminate the need to enter reams of personal information on webpages we don’t necessarily trust; organizations will reap the financial rewards by cost savings and better quality of information.

However, in my opinion, the really big money will be made by a few, select organizations with the financial clout and public-trusted brand names to become the default public identity providers. Remember an InfoCard does not store the actual information, just the links to it. The information itself has to be stored and secured and backed up somewhere. Some kind of identity meta system will emerge, backed by a few powerful players. Organizations will emerge with similar roles that Swift, BACS, MasterCard and VISA now perform for financial services network.

It’s possible that giants like AT&T, Nokia or BT might be able to make a few pennies every time a user selects their InfoCard (from a stash of many InfoCards) stored on a desktop or IMS mobile terminal. Imagine the total world wide economic value of such e-commerce mediators.

With the individual in control and new technologies that will soon take the pain out of logging on the new services, user-centric computing could once more revitalize the e-commerce industry, and the market opportunity to become an identity service provider might mean even bigger business for a lucky few.

Interesting thoughts, though I actually think, in the fullness of time, Information Cards will convey subtle aspects of identity like reputation in various contexts, and be much more bottoms-up than Marcus suspects.


Brad Judy, from the IT Security Office at the University of Colorado at Boulder, attended one of the recent conferences where I discussed the Information Card as a way of reifying identity, and where I went on to characterize the identity metasystem as an “abstraction layer” above existing identity systems. The fact that I referred to the same thing as being a reification from one point of view and an abstraction from another captured his interest. Later he shared these comments:

During a presentation on Infocard and Cardspace, Kim Cameron made a comment about the reification of identity. During a question, I noted that it was interesting to hear a layer of abstraction being referred to as reification. Kim noted that he was mixing contexts and that Infocard/Cardspace was reification for the end-user and abstraction for the IT personnel.

One human's abstraction is another human's reification.

If abstraction can be considered indirection, the old computing saying from David Wheeler may apply: “Any problem in computer science can be solved with another layer of indirection. But that usually will create another problem.” The benefit of abstraction as reification is that the additional problems created might be ones that we are already adept at addressing (we know driver's licenses quite well).

There has long been a gap between technology and humanity that many have worked to bridge. I would argue that for most of the history of computing, the user has had to meet the computer more than half-way – was it ever the natural inclination of humans to punch holes in cards to accomplish a task? Kim gave the example of sending people off for extended periods of word processor training in the early days of word processors, and the virtually non-existent training needed now (a combination of greater ease and early exposure). He also gave the example of explaining command line file management to users and how the visual file folder reified digital file management for the end user. Such GUI concepts certainly opened up the PC to a much broader audience as the bridge between technology and humans passed the half-way point.

Not having been a software architect over the past twenty years, I can't say if the ongoing gap has been the result of the limitations of technology or a mindset that users must meet the computers half-way. The lesson of the PC is that true accessibility by the general population requires technology to meet them 90-95% of the way. (Perhaps this should have always been expected, after all, we never expect This seems to be occurring through the adoption of existing human models/paradigms/methods of use and interaction to software and hardware. While it wasn't the focus of this recent event, two presentations brought this home: tablet PC's and Cardspace.

Tablet PC's, particularly software like OneNote represent the adoption of a long standing human activity to a digital medium. It isn't the first tech to tackle the note-taking and handwriting space, but it reifies and extends in a way that may complete the bridge between the personal computer and the person. A direct representation of paper and pen (a method institutionalized over hundreds of years), extended with the ability to categorize, search, transmit and more. I'm reminded of a statement by a co-worker (not directed at me), “Stop giving me #$&@ing hardcopies, you can't grep paper.” The platform has a lot of possibility with interesting software like MagicPaper/Physics Illustrator. The limited success of “true” tablets (aka. Slates) indicates that decades of computer use with a keyboard, and sometimes mouse, have developed an institutionalize method of use that must be hybridized with traditional methods for the greatest progress.

CardSpace exists to reify the experience of digital identity in a way that links it to an existing model for identity familiar to most users: an identity card. From the visual representation to the concept of identity providers and multiple ID's. The identification “card” is also hundreds of years old, although they have evolved greatly from hand-written letters authenticated by signature or stamp, to the modern passport and drivers license, authenticated by physical attributes and electronic validation. The InfoCard will also likely be a hybrid of this old paradigm and a common computing experience: the password. Although the concept of a password predates modern technology, its use has truly exploded in the past several years. Because InfoCards aren't single, physical objects that can be tightly controlled, they will largely rely on the ubiquitous password for protection (perhaps other techniques will be used, but I expect passwords will protect most InfoCards).

So the IT industry continues to build the largely one-sided bridge, abstracting their way across the gorge. Years of software and hardware have provided the proverbial water under the bridge (not to mention a landscape scattered with half-started and falling bridges). For their part, many people have stretched far from their side to make contact and have found a combination of productivity and frustration. Hopefully not many have fallen into the gorge. Perhaps the golden age of computing is truly just around the bend as the bridge is completed and proven stout (an important point raised by Scott Charney, also at the event).

I'm struck by Brad's perception of Information Cards as a bridge between user perception on the one hand and a technological abstraction (metasystem) on the other.  That's completely right, and it's important to put it in the wider context of other attempts to do the same thing.


Here is a piece by Eric Norlin over at Windows Live ID is the identity backbone used by Microsoft's web properties and services – for example, by hotmail. For those who haven't followed the bouncing ball, Windows Live ID is the latest evolution of Passport, which has undergone a name change to convey its focus within Window Live services – as well as its ability to federate in a multi-centered identity landscape.

Recent announcements of Google's authentication service have prompted comparisons to Passport, and even gotten to Dick Hardt (of “Identity 2.0” fame) to call it the, “deepening of the identity silo.” I'd like to contrast Google's work with Microsoft's recent work around Live ID.

Microsoft's Live ID *is* the old Passport — with a few key changes. Kim Cameron's work around the identity metasystem has driven the concept of InfoCards (now called CardSpace) deep inside of Microsoft. In essence, Kim's idea is that there is a “metasystem” which utilizes WS-Trust to translate tokens, so that all identity systems can interact with each other.

Of extreme importance is the fact that Windows Live ID will support WS-Trust, WS-Federation, CardSpace and ADFS (active directory federation server). This means that A) Windows Live ID can interact with other identity metasystem implementations (Open Source versions, for example); B) that your corporate active directory environment can be federated into Windows Live ID; and C) the closed system that was Passport has now effectively been transformed into an open (standards-based) and transparent system that is Live ID.

Contrast all of this with Google's announcement: create Google account, store user information at Google, get authentication from Google — are we sensing a trend? While Microsoft is now making it easy to interact with other (competing) identity systems, Google is making it nearly impossible. All of which leads one to ask – why?

I honestly believe that Microsoft is ahead of Google on this one for a very simple reason: Passport taught Microsoft some very painful, first-hand lessons. Passport forced Microsoft (over a period of years) to re-examine their fundamental approach to identity. Further, it forced them to figure out how to monetize the idea of identity applications — and not simply the aggregation of identity itself. Conversely, Google's business is now built on the aggregation of identity data, and they have yet to walk the painful Passport path.

Will the market force Google to learn the same lesson? I don't know. On the other hand, one company is clearly advancing the cause of “identity 2.0”, “web 2.0”, “Net 2.0” — call it what you will — and that company is Microsoft. The other company is deepening the silo and building the walled garden — and that is *so* late 90s.

While I love being in the software olympics as much as the next guy, I personally hope that Google embraces federation, Information Cards and the identity metasystem. They have enough smart people who understand these issues that I expect they will.



More from Pete Rowley at Red Hat:

Kim Cameron has blogged about a conversation we have been having recently about the OSIS (Open Source Identity Selector) project. Negotiations have been underway for many months in order to get to a point where all parties are comfortable that legal and other issues are in order. I am happy to say that Red Hat has been involved with this process from the beginning.

I agree with Kim on the importance of the participation of Red Hat. As the leading Linux distribution it provides a platform for the project and a significant distribution channel, all things required for ubiquity. Ubiquity and cross platform support is a major goal for OSIS and the identity meta-system in general.

When I met with Paul Trevithick and Mary Ruddy some months ago to discuss Higgins it was clear to me that there was an alignment in project goals. Architecturally Higgins represents an uncannily good fit so I am very pleased to see the client effort folded into the Higgins project. Perhaps Higgins suitability is not so surprising given the exchange of ideas and collaboration that has been going on in the identity gang.

In the coming months I hope to be in a position to enable support for information cards on this site with end to end open source software. Watch this space.

That's very cool.  Which reminds me that someone asked me to start an I-roll for early sites that support Information Cards.