Category: Identity

Get over to Craig Burton's blog

Craig Burton is blogging up a Perfect Storm at craigburton.com.  In fact he's posting so many nice little nuggets that you only see about a day and half's worth when you go to his site with a browser.  Make sure you navigate back using the calendar.

Since a couple of the recent pieces concern things I'm involved with, I'll pick up on those.

Let's start with the discreetly named Vendor Lock in Sucks:

Microsoft plans link between directory, Live services: ”

Microsoft is planning to sync its Active Directory with its Live Web-based services to give users single sign-on for applications and services both inside a company network and on the Web.

Technically a good idea. Fewer namespaces and fewer administration models. Reality is, customers are loathe to get roped into Msft centrism. Msft has yet to make the cut to OS inpdependent Internet services.

Trust me, that is the future. The longer they put it off, the worse it is for everybody.

The open source community isn't much better. Politics is winning over common sense.

It will be interesting to see how Ozzie guides the company towards this end. Gates hasn't, won't. Ballmer is worse, Allchin…I have no more to say about that.

Let me talk to Craig directly for a minute.

Craig, take a look at the Windows Live ID whitepaper and let me know what you think of it. 

In my view it is consistent with a number of the ideas you've brought to the industry for a long time now. 

As far as I can see, there won't be anything proprietary about the way Windows Live ID federates with Active Directory or anything else – it will just use the WS-Federation and WS-Trust specifications, which are being implemented more widely, by more vendors, every day – and can be used on a royalty-free basis.

So then how does this initiative lock anyone in? I'm a non-lockin sort of guy.  We need to win customer support by producing products that are cool to use and manage; that have superior reliability and integration with dev tools; and that are open to other implementations.

As for your comments on Bill (and his friends), you just can't produce the kinds of technologies we are about to deliver in fifteen minutes.  Our work has been going on for a while (!) and involved a lot of patient investment.  The truth is, Bill has been a great supporter of ubiquitous Internet identity and I want to stand up for all he's done to help, just as I would do for you.  This said, Ray also brings a lot to the table.

Craig also has a recent post on Cardspace:

A Sandbox to Play In:

Pamela Dingle, who always has the intestinal fortitude to ask the best darn questions at Catalyst (and other conferences), has posted a good “quick start” guide for anyone wanting to play around with Windows CardSpace. Via that post, I found this CardSpace “sandbox” site, which has some interesting pointers on it.”

Jamie Lewis points to some Cardspace resources. I opened my control panel the other day, and there was a new control panel named “Digital Identities.” It let me create an infocard. I have no idea what to do with it, but I know it came from Kim's group. I will try to find out more about this.

This is getting exciting.  So Craig, now, while you are on identityblog, choose Login.  When you get to the login page, click on my Information Card icon (a placeholder while we all agree on a real icon).  Let me know how that goes too.

UPDATE:  The original link for the Live ID Whitepaper was broken – I have fixed it.

Liberty, Open Space and Information Cards for Apple

Red Hat's Pete Rowley on the recent adjoining Liberty Alliance and Open Space events in Vancouver – and Apple support for Information Cards:  

The Liberty Alliance made a bold statement in Vancouver last week when it opened its doors for the first time to the hoi polloi. Now this was something interesting enough to demand a visit in of itself, but with the addition of an Open Space after the Liberty meeting, well, you knew I was going to be there right?

The first two days consisted of the regular business of the Liberty Alliance where visitors were allowed to attend any session except for the super secret board stuff. I attended many of the technical sessions which were interesting, though sometimes hard to follow as an outsider without access to the documents under consideration. I also took part in a session around privacy concerns that not only assured me that Liberty has them but that they are serious about dealing with the issues. The conversation turned at one point to outside perceptions of Liberty itself and its lack of openess to its internal process and draft documents. Somewhat ironic was the point made that nowhere was there to be found any information regarding the location of the Liberty conference, at least not to those without access to internal websites. A consequence of this being the first open meeting no doubt. In all, an interesting and worthy meeting.

The final two days were spent on the Open Space which was run in unconference format by Kaliya Hamlin and was excellent as usual. Topics ranged from SAML to Liberty People Service to how should we rename this user centric identity thing? Kim Cameron wrapped up with a lunchtime introduction to CardSpace that by popular demand lasted for nearly two hours. At one point Kim was asked whether Apple would have an identity selector like CardSpace and Kim redirected the question to me in my capacity as OSIS representative. As the newly appointed unofficial spokesman for Apple I suggested that if Steve Jobs would call me I’d hook him up.

So Steve, call me.

Gee.  That's an interesting idea.

Like Pete I took Liberty's Open Space collaboration as being a very positive step in increasing dialog and understanding in the identity community.  It was great to speak with a number of the Liberty people who have been leaders in moving identity technology forward over the last few years.  It strengthens my conviction that we are on the road to an Identity Metasystem reaching across platforms and underlying technologies.

Learning from experience in eGovernment

The Oxford Internet Institute (OII) has posted the Webcast of Jerry Fishenden‘s talk “myGovernment.com – government the way you want it”.

This looks at how new technologies, the emergence of Web 2.0 and the citizen/consumer as creator enable a whole new model of government services and interactions, with the citizen at their center. It was part of a day's workshop themed around “Learning from Experience in eGovernment: Why Projects Fail and Why They Succeed“.

You can find both a streaming media version (which requires Realplayer), or the downloadable version (which requires an MP4 player – I had to download Quicktime 7.1) at http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20060705_151.

Jerry is Microsoft's National Technology Officer in the United Kingdom, and a person I deeply respect for his wisdom and willingness to tell it like it is.

Some recent podcasts

Cardspace screenFor those new to Identityblog and looking for an introduction, here is a short interview I did recently with PTS-TV in England:

 

If you are ready for something more challenging, William Heath of Ideal Government got me thinking about the problems of overly-centralized identity technology in a podcast he described as follows:

Here's an exclusive interview with Kim Cameron, speaking with Jerry Fishenden to me and my colleague Ruth Kennedy. Famous as the Identity law-maker, Kim delivered Microsoft's Damascene conversion on identity matters and has become the catalyst for a new-found cross-industry sense of purpose about what it'll take to get digital identity and authenication that works for all of us.

He speaks exclusively to Ideal Government about the UK's ID developments in the context of state-of-the-art industry developments such as the Laws of Identity, Information Cards and the imminent ID big bang.

Note from administrator: (This was a 40 minute interview – the key sections are linked to the text below.

The whole podcast is available here.

This is the first Ideal Government audioblog/podcast so please forgive any clunkiness and background noise – it was a hot day and we were glad of the aircon.) Best way to hear the audio extracts

Firefox users: right click and “Open Link in New Tab”
IE users: I dont know. But when you find out tell me.
Also, anyone can insert inline audio to Expression Engine please tell me!

He sets out what he means by “Identity” (and there are many different meanings). He explains what Information Cards are, and how Microsoft has implemented them under the brand name Cardspace. He explains why for all its regrettable clunkiness the ageing UK Government Gateway is more secure and privacy-friendly than the proposed Home Office ID system, and it's revealed that there is a working version of Information Cards showing UK Government Gateway transactions. But this isnt Passport/Hailstorm revisited: it's as clear to Microsoft as to anyone that this has to work for everyone. We need a cross-industry big Momma identity backplane, and then the identity big bang can happen. But no one entity, country or authority can be in control.

He sets out where his work stands in relation to a user requirement for the ID we need for e-enabled services in the UK. Users decide, he says. If the system isn't widely adopted, it fails. As an architect, he expresses his concerns about the Home Office's ID card system. Too much information is in the same place. It's a colossal blackmail-generation machine. Every system will be breached, he says. If you dont understand that, you don't understand security and should not be talking about it.

He's pretty frustrated about the prospect of a lugubrious ID system which will inevitably damage trust in e-services. But a combination of the difficulty of the undertaking and the common sense of the British public means it will fail. The Brits are sensible, he finds. Tall as he and I are, we all recognise there's a limit: you can't survive if you're much over 11′. “They're trying to build a 60′ man here,” he says. All the technology people he knows feel the same way.

Yet he's very optimisic: UK identity systems can be efficient, secure, privacy-friendly and cheap, he says. The example of an ideal ID architecture he offers is pretty close to home: it's the Scottish Executive. How pleased will the Scots be to have an expensive and ill-conceived UK-wide system forced upon them, in a new West Lothian twist?

Baby, you can watch my car

If you aren't following Tom Maddox's Opinity Weblog, now is a good time to start.  This piece made me wonder what will become of us all:

License plate recognition technology is going into the private sector, says Wired:

Watch this carIn recent years, police around the country have started to use powerful infrared cameras to read plates and catch carjackers and ticket scofflaws. But the technology will soon migrate into the private sector, and morph into a tool for tracking individual motorists’ movements, says former policeman Andy Bucholz, who's on the board of Virginia-based G2 Tactics, a manufacturer of the technology…   

Giant data-tracking firms such as ChoicePoint, Accurint and Acxiom already collect detailed personal and financial information on millions of Americans. Once they discover how lucrative it is to know where a person goes between the supermarket, for example, and the strip club, the LPR industry could explode, says Bucholz.

Private detectives would want the information. So would repo men or bail bondsmen. And the government, which often contracts out personal data collection — in part, so it doesn't have to deal with Freedom of Information Act requests — might encourage it.

So if you don't want to be under surveillance, I guess you'll just have to move out to the hinterlands, off the grid, and out of automobiles–at the very least.

You know, this whole pervasive surveillance thing is getting depressing, especially when you combine it with RFIDs and ubicomp and similar technologies. It's Big Brother, Little Brother, Uncle Private Eye, Little Snoopy Sister, and every other nosy parker you can think of.

If you're interested in these sorts of things, my old buddy Bruce Sterling, who surfaces in the blog from time to time, writes pretty often about them in his Wired blog, Beyond the Beyond, which I highly recommend anyway on the grounds that Bruce is about as on top of things as anyone can be without having his head explode.

For more samples try this piece on the recent Eric Norlin / Ben Laurie exchange (my attempted joke that Ben must have had a “bad-hair day” is qualified as incendiary).  And there is a beyond the fringe story on the targeting of Craigslist users for violent crime (hmmm, seems like we might want to know who we're dealing with before an in-person meeting – which happens to be Opinity's forte).

Finally, there is news of what Tom calls an “OpenID Bounty”.  He puts it this way:

Cool open source news from OSCON: The OpenID folks have announced a $5,000 bounty to be awarded to the first ten software projects that implement OpenID as an identity provider or relying party.

I'm delighted to say that Opinity is one of the sponsors of the project. (There is a full list of sponsors on the OpenID site.)

To qualify for the bounty, the projects must also be distributed under an OSI approved license and have at least 200,000 internet users of currently installed public instances and 5,000 downloads a month. (There are other technical requirements; those interested should check OpenID's site.)

This is a really innovative way of encouraging development of both open-source development and adoption. If someone develops OpenID implementations for WordPress or MediaWiki–both of which would qualify for the award–doing so would open the door for desktop identity management for users. And, of course, all sorts of cascade effects will likely follow. I can see, for instance, developers creating OpenID implementations for a wide range of other blog and wiki platforms.

At this point, user-centric identity management needs, above all, users. The technical guys are working like speed freak beavers to create protocols and systems, so it's time to get this stuff on the desktop and into operation.

 

O2’s FREE monthly handset teaches how to be phished

The relationships between enterprises and their “designated agents” are often pretty murky from a customer point of view.  In the old days, few people cared.  But in the world of phishing, we need a lot more clarity about who is representing whom – we need to know if an offer originates from a someone legitimate or not.

In this postBen Laurie shows just how hard the current identity patchwork (read “architectural black hole”) makes it to know what is going on – even if you're one of the top Internet security people in the world. 

Ben tells us, “O2 like phishing…”:   

They must do, or they wouldn’t do stupid things like this.

I got an email, looking just like this:

We’d like to say ‘thanks’ for being a great customer by offering you either a FREE Pay Monthly handset upgrade OR £100 credit added to your account – provided you haven’t recently upgraded.†   

And it couldn’t be easier. All you have to do is renew your contract with O2 before 31st August 2006.

If you choose to renew your contract for 18 months, rather than 12 then there’s even more on offer:

If you prefer to talk we have a range of Talker plans with Double Minutes each month*. For example, on an Online 500 Talker plan you’ll get 1000 minutes and 150 messages each month for £35.

If you prefer to text we also have a range of Texter plans which offer 50% Extra Minutes and Texts each month*.

For example, on an Online 500 Texter plan you’ll get 750 mins and 750 messages each month for £35.

To see our full range of handsets and offers and to renew your contract, click here.

And thanks again for choosing O2 .

† The information used in this mailing is based on your contract status as at 30th April 2006. Unfortunately, if you upgraded after this date your new contract means you won’t be eligible for these offers. Terms and conditions apply.

*Offer subject to ongoing connection to eligible tariff see letter for details. Promotional allowances must be used within the month. Unused allowances cannot be carried over into subsequent months.

OK, I removed some maybe-identifying data from the link, but you’ll notice the link goes to http://www.o2-mail.co.uk/. “Oho”, says I, being a suspicious sort, “that’s not O2’s website, I wonder who managed to register it?”

$ whois o2-mail.co.uk   

Domain name:
o2-mail.co.uk

Registrant:
Vertis

Registrant type:
UK Individual

Registrant’s address:
The registrant is a non-trading individual who has opted to have their
address omitted from the WHOIS service.

Registrant’s agent:
MCI Worldcom Ltd [Tag = UUNETPIPEX]
URL: http://www.uk.uu.net/

Relevant dates:
Registered on: 01-Aug-2003
Renewal date: 01-Aug-2007
Last updated: 04-Aug-2003

Registration status:
Registered until renewal date.

Name servers:
ns0-o.dns.pipex.net
ns1-o.dns.pipex.net

Hmmm, a non-trading individual who wants to renew my phone contract, eh? Think I’d better check that out – but what a shame, http://www.uk.uu.net/ doesn’t actually resolve, so looks like I’m not talking to them. And, oh dear, Nominet are closed until Monday, so that avenue is out, too.

The mail itself, incidentally, purports to come from o2-email.com, a domain which they didn’t even bother to register.

So, fearing nothing, I clicked on the link – which redirects me to http://www.o2renew.co.uk/. Here we go again.

$ whois o2renew.co.uk   

Domain name:
o2renew.co.uk

Registrant:
AIS Group Ltd

Registrant type:
UK Limited Company, (Company number: 3561278)

Registrant’s address:
Berners House
47-48 Berners St
London
W1T 3NF
GB

Registrant’s agent:
Global Registration Services Ltd [Tag = GRS]
URL: http://www.globalregistrationservices.com/

Relevant dates:
Registered on: 14-Apr-2005
Renewal date: 14-Apr-2007
Last updated: 27-Jul-2005

Registration status:
Registered until renewal date.

Name servers:
ns25.worldnic.com
ns26.worldnic.com

At least this has an address, if I could be bothered to follow up, which I can’t, but this all looks a bit fishy. To compound the fun, I also got a text on my mobile with the same offer, but anyway, I phone O2 customer services. They explain that this cannot possibly be O2, it must be one of their “marketing partners” who will, if I fill in the form, renew my contract with O2, but via them. And, presumably, or maybe not, give me a new phone. I ask where they got my email address and phone number, and the answer is that at some point I left a box ticked that said it was OK for partners to send me stuff.

So, do O2 condone this practice, I ask? The answer is, apparently, that they do. They don’t even mind, it seems, that the website has O2 branding on it.

If O2 is going to allow people they have contractual relationships with to do this kind of thing, how on Earth do they expect consumers to learn what is phishing and what is not?

Ben's aproach is the only one you can take with today's web technology.  Basically, you need to know how to analyse subdomains and understand DNS paths.  Given this, one wonders why O2 condones the use of URLs worthy of the best phisher.  It is cutting the last safety line we have been able to clutch between our fingers in trying to achieve even the most marginal Internet safety.

Still, I find myself choking on the idea that for people to understand they are being phished, they need to understand subdomains and the intricacies of DNS.

One of the great advantages of the way Information Cards work is that the site the user is visiting (in this case O2.co.uk) can specify its designated agents in a cryptographically secure fashion.  In this case, O2 could specifify O2renew.co.uk as the entity the user should exchange identity information with.  The user would be guaranteed that this was an extension of her relationship with O2, with O2renew acting as an agent of O2.co.uk.

 

The House of Lords on Pervasive Computing

Britain's Parliamentary Office of Science and Technology recently issued a briefing on Pervasive Computing that is well worth reading.  In the words of the report, “Pervasive computing has many potential applications, from health and home care to environmental monitoring and intelligent transport systems. This briefing provides an overview of pervasive computing and discusses the growing debate over privacy, safety and environmental implications.”

A few days ago, the marvellous Baroness Gardner of Parkes led a discussion of pervasive computing issues in the British House of Lords, of which she is a member.  To some, the unelected House of Lords has seemed like an anachronism.  But as a simple observer, I am struck by the facility of some of its members in understanding the transformational force of technology on our society.  I wish more political thinkers shared their cogency and interest when examining these matters.

So let's listen in as Baroness Gardner of Parkes, in the company of the Countess of Mar, Lord Avebury, the Earl of Northesk, and Lord Campbell of Alloway, question Lord Sainsbury of Turville about the issues of pervasive computing:

Baroness Gardner of Parkes asked Her Majesty’s Government:  Whether they will introduce legislation to protect privacy in response to the growth of pervasive computing.

The Parliamentary Under-Secretary of State, Department of Trade and Industry (Lord Sainsbury of Turville): My Lords, there are already in place regulations to protect privacy in the electronic communications field. The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998 implement the relevant EC directives in this respect. The Government will keep this legislation under review as the use of technology develops over time.

Baroness Gardner of Parkes: My Lords, I thank the Minister for that reply. I am sure that he will know that 8 billion embedded microprocessors are produced each year, which is an alarming number. The Parliamentary Office of Science and Technology states in its POST note that it is important that the volume of transmitted data should be kept to a minimum, that transmissions should be encrypted and sent anonymously without reference to the owner and that security should be treated as ongoing. The Minister has said that security will be treated as ongoing. Evidently, there is some concern about whether manufacturers should be encouraged to build in safeguards from the very earliest stage. Will the Minister comment on that?

Lord Sainsbury of Turville: My Lords, I do not know whether trying to keep the amount of information to a minimum is a realistic strategy. This will clearly be a huge and developing trend in the future; now that microprocessors have in-built communications, this will be a growing field. The Privacy and Electronic Communications Regulations were introduced to address just these questions. They require, for example, a system of consents for processing location-based data. Service providers are required to take appropriate technical and organisational measures to safeguard the security of services. For the moment, that seems to be appropriate legislation but, as I said, we will need to keep it under review as the technology develops.

The Countess of Mar: My Lords, what is Her Majesty's Government’s view on the report of the Leeds NHS trust, which stated that there were 70,000 instances of illegal access to patient data in one month?

Lord Sainsbury of Turville: My Lords, patient data would be covered by the Data Protection Act. Clearly, if there is that number of instances of illegal access to data, there is something wrong with the systems in that place. That should be taken up in the light of the Data Protection Act.

Lord Avebury: My Lords, is the Minister aware that the British Computer Society has appointed an expert committee to look into the implications of pervasive computing? If any legislative changes are required, it would be sensible to wait until that committee had reported. On medical applications, does the Minister agree that the use of devices for sending data from within a patient’s body to outside recorders has proved to be an enormously valuable diagnostic tool, with no privacy implications for the patients?

Lord Sainsbury of Turville: My Lords, we must wait and see how the technology develops before we rush into any kind of regulation to control it. There have, as yet, been no complaints to the Information Commissioner on this area of location-based services. Information taken out of people’s bodies by such technology can clearly be enormously helpful medically.

The Earl of Northesk: My Lords, does the Minister agree that the issue is as much about ownership of the huge amount of data routinely collected about all of us as it is about privacy? If so, what stance do the Government take on the questionable legality of the Home Office authorising the DNA database to be used by the Forensic Science Service to research whether race and ethnicity can be determined from DNA samples?

Lord Sainsbury of Turville: My Lords, the Question was about pervasive computing, which is a specific area. The whole area of data protection is covered by the Data Protection Act 1998. Pervasive computing is a completely different subject.

Baroness Gardner of Parkes: My Lords, does not the Minister agree that there is—according to this POST note, for example—debate about whether the Data Protection Act covers the matter? The National Consumer Council is concerned about whether people could have all their information transmitted from, say, their home—or even their body, as was described in relation to medical things—and not know that it was being obtained or what use it was likely to be put to. That could be a bad use.

Lord Sainsbury of Turville: My Lords, as I said, there are two pieces of legislation: the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations. The second obviously covers the security of data communication from one place to another. As I said, that involves issues of consent and security, which are well covered in that legislation. Of course, it may turn out that the legislation does not properly cover the subject and that there are issues to be considered. As I said, however, there have been no complaints on that point as yet.

Lord Campbell of Alloway: My Lords, will the Minister explain what pervasive computing is?

Lord Sainsbury of Turville: Yes, my Lords. This is an interesting subject. Some microprocessors now have in-built communication facilities. The most obvious example of that is radio identification. I do not suppose that the noble Lord ever goes to the back of his local supermarket, but if he did he would see that packages that are brought in have an identification code that can be read electronically without taking the goods off the pallet. That is done by radio communication and is an enormous step forward in efficiency. The same principle applies to smart keys; one can open a car door from a range of three feet with a smart key, using the same technology.

 

Soothing music all around

Google's Ben Laurie continues with a post I'd call “Cogent with cloudy periods”:

Not surprispingly, my post “Google Account Authentication” attracted some pretty instant responses, as well as comments on the post itself.

On further reflection, comparing Live ID with Google’s authentication is comparing apples and oranges. Live ID may allow people to choose who they accept authentication from, but where does it say that anyone is planning to accept anyone’s word other than their own? In particular, where do Microsoft say they’re going to grant access to Microsoft properties using identity tokens issued by anyone other than Microsoft?

Interesting. Let me explain how I see it. The Windows Live ID whitepaper is about the technical architecture of Windows Live ID, and new capabilities allowing it to be part of a standardized, multi-centered, federated identity fabric. This includes support for Information Cards. Reading the paper, it's easy to see how enterprises or groups of users could gain access to Windows Live services using their native systems federating with Windows Live ID, rather than requiring separate accounts. The business model for this would be totally straightforward.

Now, in terms of how the protocols work, a similar federation relationship could be established between a Windows Live and a Yahoo or a Google. But the business models there are way harder to figure out. You need multiple players to buy in – it needs to be a win/win/win. I don't think anyone has figured this stuff out. Basically, it's a lot easier to change technologies than to change business models.

Still, to me, it makes sense to put a safer, more flexible technical infrastructure in place that offers advantages within current business models while simultaneously laying the groundwork for new approaches as they arise. But let's try to see the two as relatively autonomous.

Ben continues:

Eric Norlin says: “Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport.” But is this actually true? What Microsoft appears to have learnt is that it can’t get everyone to accept its credentials. So, what’s the next best thing? Get everyone to use MS technology for accepting credentials. Perhaps that’ll even lead to Passport Mark II where the default is to trust Microsoft. Where does Microsoft’s work on Infocard or Live ID or whatever-the-passport-nom-de-jour is show that Microsoft has any intention whatsoever of opening their silo? What it shows is that they think everyone else should open their silo.

This mish-mashes so many orthogonal ideas together that it gets a wee bit looney. If the following sounds disconnected, it's because the way Ben connected things doesn't make any sense to me:

  • It's true that a lot of us at Microsoft want to “open the silo”. That doesn't make it easy, or make it obvious what to do.
  • WS-Trust is not Microsoft Technology, unless IBM is now part of Microsoft – not to mention the hundred or so other companies who have worked on the WS specifications.
  • Information Cards are not Microsoft proprietary for two reasons: first, the protocols are in OASIS standardization and available royalty-free; and, second, because there is a consortium building real open-source implementations today (OSIS).
  • I don't understand why Ben wants to confuse a service offering like Windows Live ID with a cross platform technology initiative like the Identity Metasystem.
  • I'm even more mystified at the implication that our Cardspace implementation of Information Cards is a plot. It doesn't offer special advantages to Windows Live ID. Services like those offered by Google get equal billing with services that might come from Microsoft. What is the sin here?
  • Given the difference between services and open cross platform technology, why call Cardspace “the-passport-nom-de-jour” – except to be naughty?

Anyway, I'm just going to assume Ben had a bad hair day, which everyone has a right to.

Parhaps the flurry of postings made it look like people were ganging up on Google – not at all my intention – I still think that on identity our interests converge and we're all in similar places.

At any rate, Ben concludes thus:

Fred asks: “could you explain why Google shouldn’t allow their accounts system to be accessed by Yahoo credentials?”

All I can say is what I already said: there isn’t a widely used, mature, reliable, secure identity federation mechanism available today. Whether Google wants to do this or not, in practice, they can’t. Such decisions have to wait for standardised mechanisms to emerge, in my view.

Dick is “suprised to see this post given conversations we had”. Well, Dick, if the fact that I don’t always agree with you is surprising, then you’d better stock up on soothing music or something.

I think the situation calls for soothing music all around. How about Iggy Pop?

Eric Norlin and Dick Hardt hold firm

Eric Norlin responds to the Ben Laurie post I addressed here

Ben Laurie, an employee of Google who is quite clear about the fact that he does not represent Google itself, is responding to my earlier post contrasting Google and Microsoft. Ben's pushing back on my contrasting of Google's Account Authentication versus Microsoft's Live ID, and my treatment therein. Specifically:

1. Ben states that “everyone knows” that Google only annnounces what they've already done (as opposed to what he sees as Microsoft's urge to announce what its going to do).

2. There is no “mature, reliable, secure identity federation mechanism” that's widely used (thus, implying that there's nothing for Google to use).

3. That the release of Google Account Authentication does NOT deepen the existing internet identity silo.

4. That I have (somehow) fallen into the “newspaper trend” of writing articles that are “critical regardless of facts.” (ouch)

Let me try to respond:

1. I guess that subconsciously I knew that Google only announced what it had already done, but that really wasn't the point of my piece. My piece was a contrast meant to highlight an observation that I was making — namely, that Microsoft had learned a lot of important lessons from Passport; lessons that companies like Google may not have learned. Now, at the end of the day, I'm dependent upon my ability to observe based upon my available information. Since Google's PR department is — shall we say — a little opaque, most of us journalist-blogger types are left to discern what we can from what Google has done or is doing (precisely as Ben says). Furthermore, since no one from Google contacted me to correct me about my observations regarding Google's Account Authentication (I'd be glad to be officially corrected), and since Google has not changed what they're doing in any significant way, then I have no new information to change my mind.

2. Ben's right that there is no “internet scale” identity federation mechanism. SAML has gained widespread adoption, but is not suited for “internet scale.” Same goes for Liberty. There are, of course, a TON of people working on this problem — OSIS, YADIS, Sxip, the identity gang, Microsoft, etc., but I won't argue with Ben on this — there isn't a mechanism that's widely used.

3. We disagree on point number 3 — and Dick Hardt presents why. In response to Ben's statement – “What kind of credential did you expect to present? Your Yahoo login?” – Dick responds, “Uh, actually, yes.” This points out the fundamental problem at the heart of all of this “identity 2.0” stuff that I've been talking about: the existing silos (Google, Yahoo!, eBay, etc.) have *no* immediate business reason for opening their identity silos (at least, not that they can see). Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport. At the end of the day, Google is reinforcing its identity silo. That was the ultimate point of my post – and the one that I wish Google would respond to openly and directly.

4. I actually don't think I have fallen into some “newspaper trend.” If anything I am (and Digital ID World is) a member of the larger identity community. My post relied solely on the facts that Google has given me. If they change the facts (i.e., correct me), then I'll change my observation. At the end of the day, this is a communal exercise, and if I somehow have a misperception of what's going on (from Google's or Ben's point of view), then I'd bet that *lots* of people in identity have the same misperception. And if that is true, then its Google's PR department's job to change it.

Let me close with this: I'm not trying to start some “vendor war,” or make Google “evil,” or take shots at the big kid on the block, or anything. We started Digital ID World because we knew that identity was a huge problem that crossed all boundaries, and we wanted it to turn out okay. It could go badly. It could not turn out okay. Its quite possible that the silos only get deeper, the walled gardens return, identity never has its “browser moment” (where it explodes into common usage). Do I want to see identity succeed? You bet I do. I don't think I've ever hidden that. As such, I try to call things as I see them.

Bottom line: I'd love for someone who does represent Google publicly to correct my horrible misperception of what they're doing in identity. In fact, they can come be on the Digital ID World keynote panel — “What do the largest internet sites think about identity?” –and make sure the entire identity community understands them (that's an open invite). Google, will you join us and set us straight?

Meanwhile, Dick Hardt says:

Ben Laurie from Google responded to my post on Google Account Authentication: two steps forward, one step back. A few comments that I’d like to respond to:

Duh, of course you have to provide a Google credential, you’re going to access a Google service. What kind of credential did you expect to present? Your Yahoo login?

Uh, actually, yes. That is the idea behind Identity 2.0, that I could use my Yahoo login to authenticate to Google and to access Google services.

How does allowing applications to access a user’s Google services deepen anything? Did Dick actually read what these services do?

Yes, I did read with great interest what the services do. As for why this deepens the identity silo, these new identity APIs make it easy for non-Google applications to consume Google services, but it is tied to the user’s Google credential, increasing the value of that Google credential, but creating a bigger barrier to services similar to Google’s, and increasing the users reliance on the Google credentials. Good for Google, but starts to reduce user’s options.

As of right now, what are the options? Is there any mature, reliable, secure identity federation mechanism that’s widely used?

Ben is correct, there is no mature, reliable, secure identity federation mechanism that’s widely used. But that has not stopped Microsoft from working to create one and announcing that they will be using it in their products in the future. Google could participate in defining Identity 2.0 architectures and make them widely used because they are Google.

Personal Identity Mesh

Identity Open Spaces are always interesting – uninterrupted hallway conversations that let you get to the nub of things – but this week's was different from the others because it was held in conjunction with a meeting of the Liberty Alliance.  This threw us all together with a bunch of people we hadn't met before, and frankly I think it was very useful.  We all got to present and discuss our work, interests and concerns.

It's hard to explain – or even imagine – what these meetings are like, because people are coming from such different places that their take-aways differ dramatically.  I'm sure a number of people will blog about this, but I'll just start by quoting Marc Canter of Macromedia fame.  One of the interesting things about Marc is that he just wants results – identity he can use in his products.

As I sit here in the blazing heat, periodically jumping into my pool – I’m feeling good about the last few days I spent in Vancouver.  It was great for me to get away from answering sales calls, improving user interfaces and dealing with Angel investors.  I found myself right back smack dab in the middle of an evolution of technology, where enterprise, mil spec encryption, security and privacy technology was being deployed for the purposes of each and every one of us to be able to control our content and meta-data.

Moving and controlling profile data is important, but we ALSO gotta control access to our content – based upon our relationships to the viewer.  Apparently Vox does this pretty well – but I haven’t checked it out – yet.

A lot of time and energy was spent up in Vancouver trying to define and speak clearly of all the different platforms and their nuances.  It was an Open Space effort, designed to correspond with a Liberty Alliance meeting, so lots of loosely structured meetings occurred where real work was accomplished.

One on hand you had all these academic and enterprise researchers and experts who are managing bank accounts, mutual fund accounts and health records, debating on details like ‘is it THIS or really THAT.  Then a bunch of the open folks – like Neustar and Cordence were there – more or less hawking their goods.

So in other words this was the “open user-centric folks” meet the SAML/Federated trust enterprise wonks fest.

I’d say it came off pretty well – espeially with Kaliya Hamlin leading the organization, facilitating the conversations and keeping things lively. I did my best to also “keep folks awake” – while only dosiing off a few times myself, during those insipid debates on “do you mean WHAT you mean or is that a semblence of meaning in your declaration?”  It was that bad.

As a vendor I went to this meeting knowing that I was a downstream participant, some one who’s issues are allot different from the folks who are tryign to stake our real estate around ’standards’.  You see – we (by defintion) have to support ALL the standards, so my only real motivation is to get as many of them to work together and adhere to each other’s standards.

And that’s what I did.  There was a whole session on ‘Protocols Converging’ (led by Dick Hardt) and that led to a few private meetings out in the hallwway, which is where al the real work gets done. I myself am excited about what Dick is gonna show and unveil at OSCON next week,but I can’t tell yah about it.

Or else I’d have to kill you……

Anyway – based upon what I heard at this meeting, here are some issues that are pretty easy for me to make:

  • At best we’ll get 2% of the populace using this stuff – even within the next few years
  • But many more people WOULD/COULD use it if it was readily accesssible, easy to use and they understand what the fuck it meant
  • Doesn’t really matter if it implements authentication, if that’s ALL it does
  • I agree with Kim Cameron – there will be two approaches to this area – card based and address based

And that’s the best way we can describe it to the humans.

The Identity space is really complicated, and our clients expect me to be an expert at it.  So I nerded out over the past few days and have the next generation acrhiutecture for PeopleAggregator designed with it in mind. 

It’ll make sure that real value can be delivered to humans – real soon now- regardless of whether or not they’re (the humans) willing to jump through all the hoops and grok all the nuances of the Identity puzzle.

There’s one inherent tradeoff for this.  If you don’t want to jump through all the hoops of getting a card or sigining up for an address (of just hacking one yourself) then you CAN’T COMPLAIN if you don’t get a phishing proofed, crypto encoded, secruity tight, hacker proof, scalable, long term, persistent unique identifier.

But if all that really gets you off, then you won’t mind jupning through all the hoops.  Those hoops require opting in, sharing, moving and adhering to all these rules – about Personal Identity Mesh. 

Getting a info card to be compatible with Kim Cameron’s Info Cards system, which will be built into Vista and is available for XP – right now – will be about getting something called a .crd fileKim showed using Info Cards to log into WordPress – just to prove that it works on a LAMP stack, open source platform.

David Recordan (of Verisign) led an excellent session on OpenID and talked about its status.  Drummond Reed was there to talk about XRI and XDI.org and inames.  All the major players in this space were there and talking to each other.

Dick Hardt had a session on coming up with a name for the unique thing we’re doing.  Its not a traditional federation, or circle of trust – its recognizing that inviiduals rely upon portals (or fancy webapp) software to get their services and that they’re probably dealing with LOTS of these services.  Each o these portals have all sorts of assertions, backend technology, web services, aliance partners and otehr infrastructure.  But what we SEE is the portal or NetVibes or PageFlakes or MySpace or Vox.

The human is then supposed to confer and rely upon (what’s known as) an identity provider or identity broker – which is usually an objective 3rd party – to verify their claims, assertions and transactions. We debated upon what to call it – but we all agreed that its something new and unique. I call this the “Personal Identity Mesh” – cause anybody can use any Identity broker – yet we’re all supposed to trust and believe in these ‘reputation systems (especially is Auren Hoffman has his way – with Rapleaf.)

Whatever the term is – its the universe that PeopleAggregator is going to support and help make happen. But we need LOTS of vendors to participate and the big boys – too.

I really like the term “Personal Identity Mesh” that came out of the “naming” discussion led by Dick Hardt.  It sums up what a lot of us are trying to do. 

I should also make it clear that I don't think there are very many who see information cards and URL-based identities as being opposed to each other.  A card can represent a URL-based identity, and a URL can be used, in a number of use cases, to represent the identity that would be conveyed through a card.  This doesn't work in all cases, but it works in enough important cases that it is very useful.

Finally, I think Marc's estimate of 2% over three years is overly pessimistic.  The big sites and big players can accelerate adoption a whole lot with the flick of the switch.  I've already had people tell me they are going to enable hundreds of millions of accounts with Information Card support.  If they do what they are saying they'll do, and if people like the experience as much as I think they will, there can be a serious network effect here.