Hang on to your eyeballs! Epic 2015

Here is a must-see video clip called Epic 2015 that extrapolates current events and practices forward into a disturbing identity future. I doubt many will be able to stop themselves from laughing while they watch this, but not many will walk away thinking they have just seen a comedy!

I need to thank Lena Kannappan of France Telecom for sending me the link to this. Lena is a visionary – a founder of the Liberty Alliance – and the person who is now in charge of the OMA's Mobile Web Services group. (That's not him shown in the identity card clip from the video, by the way! )

I chatted with Lena at the OMA (Open Mobile Alliance) meeting in Montreal recently, where I was doing an informational presentation on InfoCards and the concept of an Identity Metasystem.

Lena is one of those people who is always “really interesting”. I hope to record some of my ongoing conversation with him so others, who follow this blog, can share firsthand his perceptions and ideas about how the telecom industry differs from (and intersects with) the internet-based software industry in this age of increasing convergence. I hope we can also explore what all this means for identity.


Hacker taps into US military database

If you want proof that protecting personal information is a hard thing and that Data Rejection is a key technology, read this report from the Washington Post:

A suspected hacker tapped into a US military database containing social security numbers and other personal information for 33,000 Air Force officers and some enlisted staff.

That figure represents about half of the officers in the USAF but no identity theft had been reported as of early today, said Tech Sgt James Brabenec, a spokesman at Randolph Air Force Base in Texas.

“We are doing everything we can to catch and prosecute those responsible,” Maj Gen Tony Przybyslawski said.

Social security numbers, birth dates and other information was accessed some time in May or June, apparently by someone with the password to the air force computer system, Brabenec said.

On Friday, the people affected were notified of steps they could take to protect their identity, he said.

The military, while protecting classified information, has had trouble protecting data about its people, a computer expert told The Washington Post, which first reported the incident.

“They have historically done much better at protecting operational systems than at protecting administrative systems,” said John Pike, director of GlobalSecurity.org.

In my view this is an excellent example of how even organizations well aware of security issues tend to excel at their core competencies – and proper handling of personal information is likely not the key driver in their approach to information, system design and operations.

This is why we can expect that those who specialize in and build their reputations by protecting personal identifying information are likely to do the best job at it.

A technology that allows relying parties to “request and then forget” personal information – this on a “need to know” basis and only when explicitly permitted by the user – is in my view the only sensible path forward. All information that is retained, for example for auditing purposes, should be encrypted under keys limited to the authorized off-line usage of appropriate personnel.

I like the use of “suspected hacker” in the article. Maybe it wasn't really a hacker who broke in – just someone who accidentally ended up on the site, and traipsed on the social security numbers through sheer bad luck.


Trying to understand technorati tags

I've been playing with technorati tags so I could develop the practical understanding necessary to at least follow the discussion about how they relate to directory.

I think tags have interesting possibilities as a technology – more on this when I understand them better. But there are aspects of the way technorati works which still mystify me.

At the right, for example, is a screenshot of what technorati displayed yesterday when I searched for the Identity Metasystem Tag (a new tag I threw into the “tag pool”).

There seems to be a certain amount of randomness here. For example, why do some of my entries show up with a picture while others do not?

Why does Linux Journal Does The Identity Metasystem have no picture? Why does it have zero links when the URL is the same one other entries peg at 181 links? Why does the first entry have a title of HASH?

Are these bugs or am I doing something wrong? Who can I connect with at technorati to understand these issues?

Anyone know?

Mozilla's Mike Shaver

A few months ago, Marc Canter, Craig Burton and Doc Searls introduced me to Mitchell Baker of the Mozilla Foundation. We had a good discussion, and following up on that, I've been able to get together with the Foundation's Mike Shaver to talk about the identity metasystem. He is focusing on how to drive identity forward at Mozilla; he's got a strong background for this, including, amongst other things, his work at Zero-Knowledge. Even better, he blogs:

I was outed as a new member of the Mozilla Foundation team by a press release about a now-long-past keynote address, so there isn’t really much to announce here. My contract has me working primarily as a technology strategist, a necessarily-vague position that has been described pretty well by Mitchell’s post about new people and roles in the Mozilla Foundation world. I continue to help with release management, organizational governance, and even advising the intrepid devmo squad, but I try to spend most of my time with my sights on the technology strategy issues that are of significant interest to our community and products. (Which is not to say that I do spend most of my time there, but I’m learning how to do so better every day, and with every gentle nudge from my wicked-awesome manager.)

The primary area of technology strategy that I’ve been working on so far has centred around “identity”, which is of course a topic broad enough to consume several lifetimes. I count myself lucky to have developed a grounding in identity and privacy issues while at Zero-Knowledge, as it’s allowed me to get up to speed more quickly than I might otherwise have been able to.

The biggest strength of the current identity climate is also the biggest weakness: there are a number of identity systems that provide different capabilities, are built to emphasize different values, and require different amounts of infrastructure support. As the Mozilla Foundation is chartered to promote choice and innovation on the Internet, it would seem that we’re in good shape on at least half of our primary concern: choice.

I don’t think it’s really the case, unfortunately, because the sort of choice that the user faces is not one that empowers them at all: in many ways, it forces the user to pick a winner, and it forces similarly unpleasant choices on developers that want to take advantage of “Identity 2.0” capabilities in order to build interesting services, technologies, and experiences. Choice competes with innovation here, and while that’s a tension that arises in many contexts, it’s of even more concern when we’re talking about something this central to the web experience — and, I feel I can say without gross overstatement, to the social fabric of modern life, as mediated by all this computer nonsense.

(I should point out that all of the interesting proposals for modern identity infrastructure permit users to exert control over what organizations actually hold their private information, which is a huge step forward from the Passport nightmare we faced not that long ago. I still think that having to choose an identity system is a bad scene, but it could certainly be worse.)

Being the technology strategist for the Mozilla Foundation has its perks, and chief among them is that I get to work with a truly amazing team on a project that really is at the center of the modern web. Right after that, though, is that a lot (lot) of people want to talk to me, and while it can be a mixed blessing in terms of time management, it’s tremendously helpful in making sense of something as complex as the identity landscape. I had good, if preliminary, discussions with folks from the Passel and SXIP camps, while I was at OSCON, and I’ve since been setting up meetings with other identity-system boosters to get other perspectives. (If you are with an identity system group and you haven’t made contact with me yet, please do send mail and some information about your system, because I’m by no means done with that part of the process.)

Most recently, I had the pleasure of meeting with Kim Cameron, Microsoft’s Architect of Identity and Access and the father of InfoCard.

He came to spend some time with me in Toronto this week, and I was delighted to discover that we share many of the same positions on the key obstacles to having viable identity infrastructure on the web today. The InfoCard work looks to be pretty good from philosophical and architectural perspectives, and I’m trying to learn enough about the whole bloody WS-* stack to really grok the details. We had a very good conversation about a wide range of technical and social issues, and I look forward to more of them in the future. I’m pretty confident that Kim genuinely wants to do the Right Thing, and even more importantly he seems to have the Right Idea about what the Right Thing is — which is to say, in other words, that we agree about many things, much to his credit.

I hope to write more in the coming days about the identity systems I’ve looked at, and what I think the general form of Mozilla’s identity strategy should be, but I wanted to break my blogging fast and talk a little bit about what I’m working on these days. It’s really too exciting to keep to myself!

I was struck by the clarity of Mike's thinking about the impact of choice: at its worst, it means each participant must “bet on a winner.” This is a significant problem for individual users. But it represents an actual risk for developers and relying parties – since they have to bet on something which is very hard to predict. No wonder people have “run for the hills” when faced by proponents of emerging identity systems.

Mike sees the main advantage of an identity metasystem as being that instead of betting on “winners”, you bet on a “playing field”. Developers don't have to worry which particular participating systems turn out to be popular – their investment in the identity “playing field” will still pay off. By removing the need for people to place bets – reducing everyones’ risk – we make it possible for a lot more people to embrace the concepts – and thus improve the chances of all the players.

The day after our meeting, we both got “stuck” in a “small downpour”. The photo above shows “Lake Steeles” and was taken by Mike's friend madhava.


Toby Stevens launches Enterprise Privacy Group

When I was in Britain earlier this summer, I met Toby Stevens. How should I describe him? Can we invent the category of privacy entrepreneur?

Toby understands privacy issues deeply, and works in conjunction with veterans and visionaries like Simon Davies. He talks with wit and matter-of-factness about privacy as an opportunity for better relationships with customers – and potential for competitive wins. Not a whiff of odious obligation! Calm and relaxed, Toby easily convinces us that the new privacy era will be as hard to take as a pint of beer on a muggy day.

Now he has launched “a corporate membership body with the objective of identifying, developing and propagating best practice in privacy management. The forum (called Enterprise Privacy Group) will consider a broad spectrum of privacy and freedom of information issues.” A number of companies have joined already (including Microsoft, if I understand right).

He's also started a blog – and if this intelligent piece is any indication, it's a must-subscribe:

“Over recent weeks I've been talking with quite a number of potential member organisations, and one of the challenges has been explaining how we intend to cover a range of privacy issues, from very basic data protection through to some advanced identity management concepts. I had some difficulty explaining this spread, and from this I got round to thinking about the concept of a maturity model for privacy.

“My first ideas are in the diagram below:

“As the organisation develops through the maturity scale, it goes the following stages:

  • Data Protection: at the earliest stages, the organisation understands that it has valuable personal information, and that there is a legal requirement to protect it in certain ways. However, there is no executive recognition that legal compliance does not necessarily protect the organisation from the consequences of misuse of that data.
  • Privacy: the organisation recognises the moral imperative for ethical use of personal data, and that a proper usage policy – that applies greater controls than necessarily required by law – may reduce information risks and lead to better relationships with the individuals whose data is being stored and processed.
  • Identity / Data Sharing: these issues are two sides of the same coin. In the private sector, organisations begin to recognise that data needs to be linked to an individual, rather than an asset. For example, a bank may start to link multiple accounts to the same account holder, and treat that holder as an individual in accordance with their privacy wishes. Data Sharing is the equivalent issue in the public sector, where (contrary to common perception) most civil servants know that they already respect privacy of the citizen, and are seeking mechanisms to share data with other government departments without compromising that respect. Identity is crucial here if data is to be shared accurately and efficiently.
  • ‘Data Rejection’: The top of the scale is Anonymity – an understanding that much of the personal data held by the organisation is simply unnecessary, and could in fact be more of a liability than an asset. For example, a bank does not (in theory, ignoring financial regulations) need to know who an account is, but simply how to check their credit score and how to contact them if necessary. The same bank faces heavy costs for compliance and risks of misuse whilst it holds that personal data. This has worked perfectly well for the Swiss banking industry for a very long time. When organisations start to minimise their personal data assets, then they are pushing to the top of the maturity model.

“Of course, ‘Data Rejection’ should be the goal of any true federated identity scheme. Once organisations and their clients realise the value of anonymised credentials, and the opportunities for new revenue streams based upon the trust that can be created this way, we should finally see someone reach this level in the maturity model (or maybe there's an organisation out there that's already done it?)

“I'd welcome comments on this idea, since it clearly needs lots of work before I start to back it up with hard survey data. Please feel free to let me know what you think.”

Toby's concept of Data Rejection bowls me over – I'll use it from now on. I think the continuum he has set up is tremendously useful. We haven't had a shorthand or sound bite – or even a word, really – to represent the practice of consistently using “just-in-time” information rather than taking on an unnecessary information retention liability. Now we have one.

At some point in the InfoCard research I realized that by associating the identity with a set of claims – under the control of the user – we do more than just give the user a way to conceptualize a digital identity that can be proven through use of a key. We also give her the ability to release claims as part of any identity negotiation process. By remembering what claims we have released where, the identity provider can make the same claims available to the same site next time they are asked for (assuming, of course, they have not changed, and the user hasn't decided to annul the relationship).

This means the relying party no longer has to remember them – even if they are essential to the business of the site – and data rejection becomes technologically feasible. The site just obtains the requisite information as convenient during its interaction with the user, and need not assume any information storage liability. Put another way, the information is stored in one place (the identity provider) rather than a hundred places (the sites a user visits). This reduces the probability of compromise by at least two orders of magnitude. We can probably expect that the difference could be closer to three orders of magnitude because maintaining the confidentiality of identity data would be the Identity Provider's core competency, not some burden it takes on in spite of itself.
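The identity-provider-side bookkeeping described above (remember which claims were released to which site, hand the same ones over next time only if unchanged, and let the user annul the relationship) can be sketched as a small release ledger. This is an added example written for this post, not code from InfoCard or any identity provider; the type and method names, the constructed claim values and the rule that a changed claim value goes back to the user for fresh consent are all assumptions made here.

```go
package main

import (
	"fmt"
	"sort"
)

// ReleaseLedger is an identity-provider-side record of which claims a user
// has consented to release to which relying party. Names and structure are
// assumptions made for this example, not part of any InfoCard specification.
type ReleaseLedger struct {
	// key is subject + "|" + relying party; value is claim name -> value as released
	released map[string]map[string]string
}

func NewReleaseLedger() *ReleaseLedger {
	return &ReleaseLedger{released: make(map[string]map[string]string)}
}

func ledgerKey(subject, rp string) string { return subject + "|" + rp }

// Release records that the user has just consented to send these claims to rp.
func (l *ReleaseLedger) Release(subject, rp string, claims map[string]string) {
	k := ledgerKey(subject, rp)
	if l.released[k] == nil {
		l.released[k] = make(map[string]string)
	}
	for name, value := range claims {
		l.released[k][name] = value
	}
}

// Resolve answers a relying party's request for claims. A claim is returned
// automatically only if it was previously released to this same rp and its
// current value is unchanged; everything else (never released, released to a
// different rp, value changed, or no longer held) goes back to the user for consent.
func (l *ReleaseLedger) Resolve(subject, rp string, requested []string, current map[string]string) (auto map[string]string, needsConsent []string) {
	auto = make(map[string]string)
	prior := l.released[ledgerKey(subject, rp)] // nil map reads as "nothing released"
	for _, name := range requested {
		cur, have := current[name]
		old, seen := prior[name]
		if have && seen && cur == old {
			auto[name] = cur
		} else {
			needsConsent = append(needsConsent, name)
		}
	}
	return auto, needsConsent
}

// Annul forgets the relationship: the next request from rp starts from zero.
func (l *ReleaseLedger) Annul(subject, rp string) {
	delete(l.released, ledgerKey(subject, rp))
}

func main() {
	ledger := NewReleaseLedger()
	// Constructed sample data: the user's current claims at the identity provider.
	current := map[string]string{"email": "alice@example.test", "name": "Alice", "ssn": "000-00-0000"}
	ledger.Release("alice", "shop.example.test", map[string]string{"email": current["email"], "name": current["name"]})

	auto, ask := ledger.Resolve("alice", "shop.example.test", []string{"email", "name", "ssn"}, current)
	keys := make([]string, 0, len(auto))
	for k := range auto {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	fmt.Println("released automatically:", keys, "needs consent:", ask)
}
```

The relying party in this model keeps nothing between visits; the ledger, not the site, is the only place the released values live, which is what lets the site practise data rejection.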

If the relying party does need to audit and remember some information beyond its realtime usage, it should encrypt it under an asymmetric key guarded by special procedures within the glass house. None of the machinery of business needs to decrypt this information in realtime or on the network, greatly reducing the risk of vulnerability.
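The "encrypt it under an asymmetric key guarded within the glass house" idea (also raised in the Air Force post above) looks like this in practice: the online system holds only the public key and seals each retained record; the private key lives offline and is used only by the audit procedure. This is an added example, not code from the page or from any product mentioned here; the hybrid construction (a fresh AES-GCM key per record, wrapped with RSA-OAEP), the record layout, the OAEP label and the constructed sample record are all choices made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"io"
)

// AuditRecord is a constructed sample of what a relying party might have to
// keep after a transaction for audit purposes.
type AuditRecord struct {
	Subject   string `json:"subject"`
	Timestamp string `json:"timestamp"`
	Action    string `json:"action"`
}

// SealedRecord is the only form of the record the online system ever stores.
type SealedRecord struct {
	WrappedKey []byte // per-record AES key, encrypted with RSA-OAEP to the offline public key
	Nonce      []byte
	Ciphertext []byte // AES-GCM output; includes the authentication tag
}

// oaepLabel binds the wrapped key to this use; the value is an assumption for this example.
var oaepLabel = []byte("audit-record-v1")

// Seal runs on the online system, which holds only the public half of the
// key pair. Nothing on the network path can decrypt what it writes.
func Seal(pub *rsa.PublicKey, rec AuditRecord) (*SealedRecord, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32) // fresh AES-256 key per record
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &SealedRecord{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the offline audit procedure and the only place the private key is used.
// Any modification of the stored record is rejected by the GCM authentication tag.
func Open(priv *rsa.PrivateKey, s *SealedRecord) (AuditRecord, error) {
	var rec AuditRecord
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.WrappedKey, oaepLabel)
	if err != nil {
		return rec, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return rec, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return rec, err
	}
	plaintext, err := gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal(plaintext, &rec)
	return rec, err
}

func main() {
	// Key generation belongs in the offline procedure; it is done here only so the example runs on its own.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	rec := AuditRecord{Subject: "urn:example:subject-42", Timestamp: "2005-08-22T10:00:00Z", Action: "account-opened"}
	sealed, err := Seal(&priv.PublicKey, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext; the online system cannot read them\n", len(sealed.Ciphertext))
	back, err := Open(priv, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("offline audit recovered: %+v\n", back)
}
```

The point of the split is that a compromise of the online system yields sealed records and a public key, neither of which helps an attacker read the data; the private key never needs to exist on any machine that talks to the network.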

Maybe we should have a separate name for this, too.

Piggly Wiggly leads the way!

Today Barry McPeake sent me this five-star eye-popper from Baseline Magazine – “The Project Management Center”. This is for “mature” audiences only – reader discretion advised:


“Are you ready for your warehouse to become a privacy battlefront?

“If not, keep your eye on the United Kingdom. One of the largest trade unions there, GMB, is up in arms about radio frequency identification technology—and is trying to put its foot down.

“The 700,000-member General, Municipal, Boilermakers and Allied Trade Union is demanding the European Commission outlaw radio tags in warehouses. Not on merchandise, but on workers.

“They fear that identification tags and computing devices they're asked to use to move goods for such big British retailers as Tesco, Marks & Spencer, Sainsbury, Boots and Homebase will turn them into “factory robots,” according to London's Guardian newspaper.

“The fear?

“The stated fear is they'll be tracked every time they take a break or head for the rest room. The unstated fear: Every movement becomes trackable. Employers, using the information gathered by ever-present radio waves, could see which warehouse worker really is most efficient and prioritize hiring, firing and overtime accordingly.

“Sure, tags can be turned into policing tools. But even without embedding tags in uniforms or armbands, efficiency already can be monitored with video cameras. Allowing workers to take off armbands when on private time doesn't really change the calculus, either. You can still figure out when a time-out is being taken.

“Besides, productivity is indeed the name of the capitalistic enterprise. It's hard for an employee to argue with performance monitoring. Still, it's clear that if you don't inform workers of how you're going to use tagging technology, what information you're going to collect and how you're going to use that data—and stick to it—you're very likely to get resistance and reduced productivity.

“Tagging a person is not necessarily putting the ‘mark of the beast’ on the individual or Orwellian Big Brother act. John Halamka, the chief information officer of health services provider CareGroup in Boston, has had an ID chip put in his arm, to help him understand whether that might be useful when doctors need to find the medical records of nonverbal, unconscious or mentally ill patients. That's a worthwhile use. Even Andy Rooney has suggested he'd be willing to have a chip implant, if that would make it easier to differentiate him from a terrorist. Another good use.

“But we don't even need tags for that. Your body already can act as your personal identification card. Just take a fingerprint or look someone in the eye (with the right kind of scanner).

“In fact, on this side of the Atlantic, grocers are taking the lead on this. And customers don't seem to mind.

“At four Albertson's stores in Portland, Ore., and a pilot set of Piggly Wiggly stores in Charleston, S.C., customers can register their fingerprint and credit card information. Then, when they come through the checkout lane with their carrots and beef, all they have to swipe is … their fingertip.

“So far, about 20% of Albertson's customers who typically pay by check or plastic have now begun to pay by finger. And no one's lost their biological “card” yet.

“Which makes our bodies still our best identification system. If you were motivated enough, after all, you could theoretically extract Andy Rooney's chip. Or even hack into it.

“What makes the customers at Albertson's happy about being identified personally is they get something in return for it: a more convenient method of paying for their purchases.

“What makes the union workers in the U.K. unhappy about being identified is: They can't see what they get out of it.

“Here's a capitalistic thought: Share the wealth. If you can keep track of what each warehouse worker does, whether by tags or by fingertips, reward the most productive with bonuses.

“Your costs will still go down, even if those workers’ total pay goes up.

“Perish the thought? No. Cherish it. It's the magic of productivity—whether it's the customer or employee delivering it.

“Battle over.”

This is a novel approach to user consent and should test several of the laws nicely.

O.K! Ciao for Now! I just remembered that I have to drop in at Piggly Wiggly and have a chip implanted in my thigh – just in case I lose consciousness while shopping at Albertson's and can't sign for my medication.


Identity: Golf and Life

Here's a great identity lesson from Gunnar Peterson's wonderful 1 Raindrop blog.

Identity in a system is like the grip in this story:

“I used to watch you sometimes when you weren't looking. What struck me particularly was your interest in the grip. You knew, like every real expert, that a true player can be recognized by his grip alone. The way a man sets his hands on a club will inform you infallibly as to how deeply he's thought about the game, how profoundly he's entered into its mysteries.

“The grip, a remarkable fellow named Bagger Vance once told me, when I was about the age you were then, is a man's connection to the world outside himself. The hands, he said, are where the subjective meets the objective. Where we ‘in here’ meet the world ‘out there.’ True intelligence, Vance declared, does not reside in the brain, but in the hands.”

Steven Pressfield, The Legend of Bagger Vance: A Novel of Golf and the Game of Life

When systems are mapped from development to production, all of the design assumptions meet physical reality including users, administrators, machines, performance, QoS, and so on. The binding of identity onto claims is the individual's grip on the system. The composable nature of the emerging identity and security standards and protocols is essential to empower architects and developers with the flexibility and power to design and build identity services in a way that suits their risk management goals.


More Details on Ping's InfoCard Toolkit

Here's some info hot off the press – or rather, hot off the Ping Toolkit's readme.

The SourceID InfoCard STS Toolkit for Java is a library and simple framework for writing server-side applications which interact with the Microsoft InfoCard identity system (InfoCard is itself also still a work-in-progress as of this writing).

Microsoft InfoCard is an identity system scheduled for inclusion in Windows Vista (a.k.a. Longhorn), with a possible release for Windows XP to follow. It allows users to create identity information cards (“InfoCards”) – and/or collect signed cards from third-party Identity Providers – and use them to provision accounts and/or instantly sign in to web applications (via browser) and web services (via SOAP clients)…


Currently, the SourceID Java library is a work in progress and is not fully functional, in an interoperability sense, with any published Microsoft software.

It represents early work done privately with Microsoft in advance of the Digital ID World demonstration (May, 2005), and further work into trying to interoperate with the Indigo Beta for Windows XP (which contains some InfoCard code as well).

SourceID will be targeting another release of the InfoCard STS Toolkit after the Beta 2 release of Windows Vista (a.k.a. Longhorn), which we assume will be in Q4 2005. The InfoCard backplane in Vista will be more mature by that time and more ready to interoperate with non-Windows implementations such as this toolkit.

In the meantime, please treat this release as an “early preview” demonstrating some concepts and code on the path to a full InfoCard STS for Java.

Toolkit and Architecture

Thorough architecture and usage documentation will be ready for the next release of this toolkit. In the meantime, the following will serve as a quick guide.

Microsoft InfoCard makes heavy use of the WS-* family of Web Services specifications, including:

– WS-Security SAML Token Profile

The goal of this toolkit is to be able to build a Web Service (and ultimately browser-based applications as well) that is capable of requesting and receiving InfoCards from an InfoCard-enabled client.

To achieve this, the framework leans upon existing work done by the Apache foundation. In particular, the following tools and systems are used in this project:

– Apache Tomcat v5.5.7
– Apache Axis for Java v1.2
– Apache XMLBeans v2.0.0
– Apache WSS4J

With the complete InfoCard STS Toolkit for Java, developers will eventually be able to create Web Services (on top of Axis) and/or web applications (servlet-based) which can seamlessly and automatically request and handle InfoCards (of any variant) from InfoCard-enabled clients.


Please check this project again for updates to this toolkit, with a more complete (and documented) API and the ability to interact in a useful manner with published Microsoft software (though we assume that Microsoft's InfoCard implementation will likely still be in beta form at least into 2006).


Ping Identity Releases InfoCard Toolkit

It's hard to believe my eyes but the Ping People seem to be right out there on the forward edge of the innovation heat wave…

They've just released a toolkit through which you can build applications that support InfoCards wherever you can run Java. You can download it here. Unfortunately the download page still requires a username and password. I wonder how long it will be before you can use an InfoCard there?

I'm trying to come up to speed with the capabilities in this version of the toolkit, and will want to try it out. Ping calls it a “work in progress”.

Anyway – it's great stuff… I'm stoked.


New Identity Incubation Project at Apache

There is a new Apache Software Foundation (ASF) site run by Hans Granqvist and dedicated to a project that is intended as an incubator for thinking and innovation around Identity 2.0. The project is known as TSIK (Trust Services Integration Toolkit) and joins the WSS4J initiative as a possible foundation for Apache's identity solutions.

Hans’ first posting says:

Some of the initial ideas of TSIK are to implement WS-* standards as they are developed, in particular the ones related to implementation of a federated ID protocol such as Microsoft's InfoCard, but also other federated ID protocols could be of interest, for example, Liberty Alliance, Sxip networks, Identity Commons, LID NetMesh, Passel.org.

This is wonderful. To put it slightly differently, it is my hope that by implementing the Infocard Identity Metasystem components Apache would effectively build in support for the whole gamut of identity tokens, including those used by Liberty, Sxip, Identity Commons, LID and Passel. In other words, I see InfoCards and the Metasystem as a platform, not a competitor, for these other systems.

Hans goes on to say:

“The Apache TSIK is an incubation subproject of the Apache Web Services Project to develop a Java class library for implementations of various W3C and OASIS specifications related to XML and Web services security.

“For more information on current APIs and usage patterns, check out the javadoc TSIK API.


“TSIK was originally developed as closed source by VeriSign over a period of five years before being opened up and incubated at Apache in August, 2005. TSIK today is commercially used in several software products and appliances.

“Comparison to WSS4J

“Apache currently have another project, WSS4J, that implements WS-Security 1.0 from OASIS Web Services Security TC.

“WSS4J's functionality overlaps TSIK's, but there are some differences. WSS4J uses Apache Axis as SOAP engine, and builds on the Apache XML-Security project. TSIK contains its own XML security engine as well as its own SOAP stack implementation.


“Initially, there is room for both WSS4J and TSIK since they serve somewhat different target audiences. Over time, depending on the desire of TSIK developers, TSIK XML security layers may be re-architected to use Apache XML-Security libraries. WSS4J and TSIK may also assimilate into a single project using the best parts of both…

“Incubation Disclaimer

“The Apache TSIK project is an effort undergoing incubation at the Apache Software Foundation (ASF). As such, it is not yet a full ASF project. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF.

“The initial proposal for Apache TSIK is here.

“Mailing lists

“There is a TSIK developer mailing list set up. Please join in to discuss current implementation and future direction of TSIK.

I've met with excellent people from the WSS4J project as well as from TSIK, and it would be silly for me to comment on the overlap between these initiatives – even if I understood the implications. All I know is that Apache's identity people are good news for the whole industry – and a harbinger of what Doc Searls is talking about here.

Clearly this type of involvement at Apache starts to answer some of the very legitimate questions posed to me by Julian Bond. More on this going forward.
