We now have bits that make it easy to try out InfoCard from Windows XP.  You can download them here.  In other words, we've moved beyond the problems of conflicting versions that plagued us earlier.

UPDATE:  Thanks to Rick for pointing out that when you follow the link, you'll see a button allowing you to download  Microsoft Pre-Release Software WinFX Runtime Components – Beta2.  Click on that button.  InfoCard is part of that Beta.  Sorry I didn't make this clearer.

This is still not the final UI – which is continuing to evolve.  There are also some known “issues”.  One is that when you export your cards and reimport them, the keys change.  Another is that there is an incompatibility with tablet PC meaning that, on tablet, you can only use InfoCard once and then need to reboot. 

Nonetheless, you will get self-asserted cards out of the box (though there is no box).  I'll also be posting links to some managed cards so you can try that out.

For those who are interested in building relying parties and identity providers on the Windows platform, you'll get everything you need here.

Once you've got an infocard, go to “Login” or “Dashboard” at the top right of identityblog and leave a comment…  Let me know what you think.  There's no moderation – with an InfoCard you can publish directly to the blog.


Adam, at emergent chaos, has found a great image to help communicate the concept of compartmentalization of identity.  He begins by relaying one of my recent posts:

My central “aha” in studying the British government’s proposal was that the natural contextual specialization of everyday life is healthy and protective of the structure of our social systems, and this should be reflected in our technical systems. A technology proposal that aims to eliminate compartmentalization rejects one of the fundamental protective mechanisms society has evolved. The resulting central database, where everything is connected and visible to everything else, is as vulnerable as a steel ship with no compartments – one perforation, and the whole thing goes down.

Then he goes on to add:

It's a tremendously important point. Our lives are naturally, usefully, and importantly segmented. In 1959, Erving Goffman discussed this in the (still important) “Presentation of Self In Everyday Life.” (Wikipedia article, or some excerpts… I know. Books. Get over it, there's some useful stuff stored that way.)

His basic thesis is that we play roles: “school principal” or “mother” or “doctor” or “bribe-accepting Congressman,” and that each of these roles has its own quirks and presentations, and it is useful and important to separate them. An identity system that doesn't support that in powerful ways is far less likely to be adopted.

Paul Squires at Here, Now responds by starting to offer concrete examples of things we might expect of an identity card system that was designed to be maximally secure and protective of the privacy of its citizens. 

This is great.  We need to take it further and continue to brainstorm what is actually possible in the realm of identification, rather than remain mired in a framework defined by outmoded notions representing lowest-common-denominator technology and the minimal privacy/security bar. 

This is in effect what I was trying to say here and it’s a very important part of why an ID Card system on the scale the Government is attempting to force through will be doomed to failure. I had a very similar discussion IRL a few days ago with someone who is in favour of ID cards (in principle) and I don’t think the scale of this is fully appreciated.

Quite simply – the data revealed by a scan of my ID should be different, depending on what I’m doing at the time AND who the reader is. Obviously my doctor should be able to read different information from that of my local policeman, which will be completely different from the barman who needs only to verify my age (this is law 2 of Kim Cameron’s laws of identity). The fact that the police should also be limited in what they can read under any situation is also going to be vital… Additionally if I’m operating in the course of my business then personal information shouldn’t be revealed, but my business details could be. The context HAS to work two ways to form a minimum subset of data that can be revealed in a situation.

Why does all this seem so obvious to me?
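The two-way context Paul describes (what the subject is doing, and who the reader is) can be made concrete as a disclosure policy that is keyed on both. The following is an added example, not code from identityblog or from Paul's post: the subject record, the field names, the verifier roles and the as-of date are all constructed, and how a reader proves its role (doctor, police, barman) is assumed to be settled elsewhere. The point it shows is that the barman's query is answered with a derived predicate (over 18) rather than the date of birth it was computed from, and that switching the subject into a business context drops the personal fields entirely.

```python
from datetime import date

# Constructed sample subject record (hypothetical field names, placeholder values).
SUBJECT = {
    "name": "Jane Doe",
    "date_of_birth": date(1980, 6, 15),
    "home_address": "12 Example Street, Leeds",
    "nhs_number": "000 000 0000",
    "driving_entitlements": ["B"],
    "business_name": "Doe Consulting Ltd",
    "business_address": "Unit 4, Example Park, Leeds",
}

# Same record with a date of birth that makes the subject a minor on AS_OF (constructed).
MINOR_SUBJECT = dict(SUBJECT, date_of_birth=date(1990, 6, 15))

# Fixed "today" so the example is reproducible (constructed).
AS_OF = date(2006, 5, 25)

# Disclosure policy keyed on (subject's context, verifier's role).  Anything not
# listed is not released.  The verifier's role is assumed to have been established
# by the reader's own credential, which is outside this example.
POLICY = {
    ("personal", "barman"):   {"age_over_18"},
    ("personal", "doctor"):   {"name", "date_of_birth", "nhs_number"},
    ("personal", "police"):   {"name", "date_of_birth", "driving_entitlements"},
    ("business", "police"):   {"business_name", "driving_entitlements"},
    ("business", "supplier"): {"business_name", "business_address"},
}


def _age_on(dob, today):
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def derive_claims(subject, today):
    """All claims the card can assert.  Derived predicates such as age_over_18 let a
    verifier learn the answer to its question without learning the value behind it."""
    claims = dict(subject)
    claims["age_over_18"] = _age_on(subject["date_of_birth"], today) >= 18
    return claims


def disclose(subject, subject_context, verifier_role, today=None):
    """Return the minimal claim set this (context, verifier) pair is entitled to.
    Unknown pairs are refused rather than answered with a default."""
    today = today or date.today()
    allowed = POLICY.get((subject_context, verifier_role))
    if allowed is None:
        raise PermissionError(
            f"no disclosure policy for {verifier_role!r} in {subject_context!r} context")
    claims = derive_claims(subject, today)
    return {name: claims[name] for name in allowed}


if __name__ == "__main__":
    print(disclose(SUBJECT, "personal", "barman", today=AS_OF))
    print(disclose(SUBJECT, "business", "police", today=AS_OF))
```

The policy table is deliberately a whitelist with no fallback: a reader whose role the card has no entry for gets a refusal, not the full record, which is the failure mode Paul's casino-style scan exhibits.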


Paul McNamara brings us a heart-warming tale of deserved retribution in Sony settlement and Mr. Rootkit over at Network World.

Unless he's been fired already — a not-unlikely scenario — someone is walking around Sony today known as The Rootkit Guy (we'll use Guy in the non-gender-specific sense here). I mean that code didn't simply leap onto those CDs; someone thought it was a clever idea and made sure it got there. Has to be one of the classic “What the (bleep) were you thinking?” moments in modern history.

And you can't help but wonder how that someone is doing today as news emerges that Sony has settled a class-action lawsuit — three, actually, combined into one — that looks as though it's going to cause Sony bean counters to pull their hair out by the rootkits. The agreement calls for those who purchased the CDs in question to receive their choice of a cash payment of $7.50 plus a free album download, or three album downloads.

We're talking about 15 million CD buyers.

If he is still at Sony, something tells me Rootkit Guy is eating lunch alone.


It's funny. I know pretty much everyone in this bizarre thread by Tom Raftery, and can't actually believe my eyes as I read it.   I wonder if, when we get all the other licensing issues worked out in the identity sphere, we'll find out Dick Hardt has trademarked Identity 2.0? (just joking, I think!)

Marc Canter called Cory Doctorow out yesterday. He said:

Cory Doctorow is one of the leading critics of DRMs, DMCA, copyright laws and the status quo – which often pits lawyers vs us. He’s worked for the EFF for years and helped found the #1 blog – Boing Boing. 

But he’s also a close buddy of Tim O’Reilly and Rael Dornfest and helps create the Etech conference every year – which is the cornerstone of the O’Reilly Web 2.0 empire.

So I’ve gone back and scanned BoingBoing over the last 36 hours – and guess what?

I can’t find a statement from Cory on his good buddy Tim – suing Tom Raftery – who is now MY good buddy, since I did a podcast with him, met him in Dublin at a Web 2.0 event and will be going to Cork – in November to speak.

I take shit like this personally.

So this is a public call out to Cory: “hey Cory – wassup dude? Which side are you on?”

Cory has subsequently come out of the woodwork with as biased a piece on this Web 2.0 furore as I have seen outside of the O’Reilly blog.

At first glance the article seems even-handed, reasonable even, until you realise that Cory has only linked to two articles in his post: 1) the O’Reilly response and 2) John Battelle’s response (John Battelle has a working relationship both with Cory and O’Reilly).

Then consider Cory’s language, he says that the dispute has been resolved amicably and that O’Reilly’s

has granted the con[ference] permission to use “Web 2.0” in its name

I’m sorry, what? They have granted us permission to use the phrase Web 2.0 in our conference? Wow, that was really generous of them, NOT. Should we also apply to them for permission to use the word “conference” in our conference title?

What if I trademarked the name Cory Doctorow here in Ireland? It wouldn’t be that hard, there can’t be that many Cory Doctorows here. Then say I got my legal team to send threatening cease and desist letters to Cory Doctorow saying I had trademarked that name in Ireland and that he had better refrain from using the name in the US. Then say I finally relented, called off the legal dogs, and said “Ok Cory, you can use the name Cory Doctorow – I will give you my permission to use it”. Would Cory feel I had been particularly generous to ‘allow’ him to use the name?

Of course not. Similarly, a trademark issued in the US has no jurisdiction whatsoever in Ireland. O’Reilly’s have no trademark for the term “Web 2.0” in Ireland. O’Reilly’s did not grant us permission to use the term – they had no authority over our use of the term in the first place.

Cory, if you are going to write a biased post that’s fine, everyone is entitled to that but you should really disclose your relationships with the parties you blog about (and link to the relevant posts rather than only linking to your friends).

UPDATE – Robert Hyndman has a fabulous post on the selfishness of trying to trade mark a term as generic as Web 2.0.


I promise I didn't mean to chide Paul Madsen, as he puts it in YACCP – Yet Another Conor Cahill Post 

Kim Cameron chides me for what he believes to be inappropriately cast aspersions on Conor Cahill.

I think if Paul had been present at the session he would actually have appreciated what Conor had to say. Objectivity and realism in sizing up deployment blockers, and transparency in setting expectations, is what will lead to success.

A couple of points in my defense:

  1. Conor and I have a long established tradition of casting aspersions on each other. When I think of my involvement with Liberty, I divide it 2 periods – that initial period during which I was too intimidated by Conor's expertise and strongly voiced opinions to challenge him, and then the last couple of weeks.
  2. As quoted by Phil, Conor's statement about non-enterprise deployments could be misinterpreted. Conor doesn't blog so I thought I would give him an opportunity to clarify/expand by commenting on a post of mine. I chose sarcasm and satire in order to goad him over the pain barrier of making such a comment.
  3. This was part of a new marketing campaign by Liberty to put a more human face on the organization. New logo soon.
  4. The end result of an individual so strongly linked with Microsoft's identity strategy defending a Liberty-proponent (rather than laughing with delight over what might appear to be LAP-internal squabbling) and what this might imply for the future (or even just for the sake of irony) must surely justify some small artistic excess in my original post?

I'll be seeing Conor at a Liberty meeting in Washington tomorrow. Can't wait.

Actually, I'm the last person who would want to stop good natured banter between friends – or others.

Along that line, I guess Paul's point 3) above means I fell for yet more marketing gloop? 

Well, I can console myself with the realization that I've fallen for worse things in my life.  Anyway, getting the identity conversation as close as possible to reality is a good thing.

In terms of laughing with delight at the squabbling of others, I see you Liberty folks as allies in getting an identity metasystem done.  That's just where the dynamics of virtual reality will lead us.



Here is a piece Jon Callas (CTO and CSO of the PGP Corporation) sent to the “idworkshop” list recently.  I am often asked to speak about “identity management”, but the truth is, I don't actually know what people want me to discuss when they make such a request.  My working hypothesis has become that there are different aspects of identity management, rather than different definitions of it, and that people tend to concentrate on some aspect central to their current concerns.  Having a formal definition of these aspects, along the lines suggested by Jon, would help a lot.  This would be especially true if they had names we could agree on, numeric identifiers probably not being adequate in the long run…

When I first started hearing the term “identity management” show up at security conferences, I made a habit of going up to anyone offering products or services that they called “identity management”  and asking them what identity management is.  I found that there were two different things called identity management. I also started ending up at various fora where “identity management” was discussed.  I pointed out that identity management was not one thing, but two.  Then I found a third. Then a fourth.

At Financial Cryptography 2006, I was on a panel on identity management. I opened up the discussion with level-setting. Part of that level-setting was to describe these different types of identity management that are often related, but are still distinct.

At the last IIW, I found that the vagueness was all over there. At Monday's first session, E.E. Kim told us first that identity management is what I call IM(4), but then Paul Trevithick talked explicitly about what I call IM(2), and IM(1). My notes say that he was most emphatic that IM *is* IM(1). At various times in the workshop I heard people unknowingly talking about IM(i) and IM(j) at each other. Others would start with one and slide into another in a paragraph.

This week, I was at another security conference and one of the keynotes was by Ken Watson of Cisco and he spoke at length about the need for good identity management, but he was talking mostly about IM (3), with IM(2) being secondary and IM(1) being implied. We're not using the same language, even though we're all talking about more or less the same thing.

I think it's important to know that there are at least four things that are identity management, and maybe more. Here are my four, taken from my March slides at FC2006, with some added commentary:

    * Identity Management (1)
    – Traditional security notions of identification, authentication,
    authorization, reputation, etc. Oftentimes a “PKI.” Often times
    “AAA” systems.

The very first IM systems I played my little Socratic game with were PKIs and AAA systems re-labeled as “IM.” There was, in fact, no change in what the product was from the previous year. It was merely marketing spin.

    * Identity Management (2)
    – Mechanisms to reduce the annoyance factor of the above.
    Oftentimes a “Single Sign-On” system or password
    reduction/elimination system.

I consider these distinct, because at the same time I started seeing PKIs relabeled as IM, there were SSO systems relabeling themselves as IM. While the *concepts* are related, as I note, the *systems* were distinct. Also, when I interviewed people, some people would say, “Oh, IM is really PKI” and others would say, “Oh, IM is really SSO.” 
Furthermore, the systems they were building were distinct.

    * Identity Management (3)
    – Database management systems to facilitate accurate, speedy
    updates. Oftentimes, a human-resources system that keeps track of
    phone numbers, titles, building access, parking places,
    conference room reservation, “metadirectories” etc.

This is the most recent addition to my taxonomy, but I number it 3 here, because it is taxonomically related. I know of a couple of places in which a security company that did not call its PKI or AAA system IM acquired or built the entity management systems and started calling that addition “identity management.”

    * Identity Management (4)
    – Marketing systems that keep track of preferences, buying
    habits, loyalty programs, and so on so as to effectively send
    people ads that won’t annoy them. Much.

    – Note that this is the most different of the types, but still
    abuts them.
       – Also note that in this form, Alice does not own her

    – Important because it is closest to the colloquial definition of
       – It is the outside world's perception of who you are.

This is the type of IM that first got me to make a taxonomy. I had noted that IM1 and IM2 are not the same thing, but because the companies that do each are across the aisle at the RSA or CSI trade show, I just rolled my eyes at the sloppy language use.

When I was at an early spam-fighting conference in 2002, I detected groups of us not communicating. That turned out to be because there were the security people all talking about IM1, and the direct marketing people talking about IM4. We had to have a reset when I finally realized that when they talked about solving spam through IM, they did not mean what we meant. They wanted to make sure you never got an unwanted advertisement, and thus there would be no spam. Argue if you want, but not with me, please.

The very definitions of “identity” were different. If I take the definitions Paul Trevithick gave us on Monday, my group, the security group, were talking about what he talked about as “identity” (claims about oneself) and the marketing people were talking about “reputation” (claims others make about you). This doesn't exactly follow, because they wanted you to make claims about yourself that they will then tune. Nonetheless, it's important to understand both the imprecise language and that the terms have somewhat separated out, but are not exact.

However, I believe that it's important for us to be able to make these distinctions. We're not going to get anywhere without recognizing that IM1 != IM2 != IM3 != IM4, despite them forming a smear. I numbered them the way I did because fortunately, IM3 is related to IM2 and IM4, but not much to IM1. IM4 is somewhat close to IM3 but not much at all to IM1 and IM2. They do, thank heavens, form a spectrum.


Arriving back in North America after the World Wide Web WWW2006 conference in Edinburgh, I stumbled onto Paul Madsen's recent tiff with Conor Cahill about one of the panels I participated in.  Conor is a key Liberty activist who represented AOL since the inception of Liberty and has now moved on to Intel.  Paul's rant goes like this:      

I like and greatly respect Intel's Conor Cahill.

That's why it is so &#*^%$@*& sweet to be able to point out whenever he makes a mistake.

Phil Windley describes an identity panel on which Conor (and other identifiable luminaries) sat.

Conor is quoted (loosely) as saying:

“there’s no large eCommerce implementation of Liberty. SSO hasn’t been adopted outside the enterprise”

Au contraire my Irish friend.  

There are ‘millions and millions’ of Liberty-enabled commerce identities.

I could give Conor the benefit of the doubt and choose to believe that his comments were misinterpreted. But that's not how friendship works is it?

Conor responds as follows:

That wasn't an exact quote, but pretty close. The point I was trying to make was in response to a question along the lines of “why don't we see liberty everywhere since it's been around like forever (4 years)”. My answer was along the lines of “while you don't see Liberty implemented all over the place in an ecommerce type environment you do see it in a large number of enterprise environments, especially enterprise reaching out to relying parties” (again, not a direct quote as I can't remember exactly what I said minutes ago, much less hours ago).  

I also went on to explain that in my opinion the reason that you don't see it (or any other SSO solution including MS's Passport or AOL's SNS) everywhere is that SPs didn't see a significant benefit from it and were afraid to let someone else (the IdP) potentially get in the middle of their relationship with the customer.

This is changing now because of the need for strong authentication and anti-phishing/IDentity Theft. SPs are much more interested in this stuff nowadays than they were 3 or 4 years ago. 

It was the first time I had met a number of the people on the panel, including Conor, and though Phil Windley describes the event as being  “tutorial in nature”, I thought it was more than that.  Arnaud Sahuguet, formerly of Bell Research Labs and now at Google, laid the groundwork by posing a number of wickedly insightful questions to intensify the discussion. One of them asked why Liberty hasn't caught on more since it has been around for almost five years.

Not knowing Conor I might have imagined he would sidestep the issue with marketing gloop.  I've seen more than one presentation equating deployment of a federation service somewhere on a network with delivery of the whole network, all of its resources and all of its users into the brave new world of federation…  If only this were true!  And my suspicion is that such claims engender false expectations which lead inevitably to the question Arnaud poses.

But Conor didn't go there.  He spoke very thoughtfully about what the real issues are. He talked about the problem of intermediation – the reluctance of many relying parties to lose their “sticky” relationship to customers – an example of the Third Law of Identity rearing its club.  He spoke also about concerns of liability on the part of identity providers.  He called on us, without saying so explicitly, to look beyond our aspirations as technologists, to understanding that technological progress is driven by business decision points.

Conor and Arnaud also talked about the role in which Liberty has been prototyped or adopted – connecting a portal to its wholesalers and partners.  Indeed, this is the “circle of trust” scenario – referring essentially to a circle in which the portal is at the center.

Meanwhile, I spoke about (surprise!) InfoCard – largely in a tutorial way since it was new to the audience.  But I think it was fairly clear to all that the central problem addressed by InfoCard, of allowing users to manage their identities and connections with portals, and the problems addressed by federation, as discussed by Conor, are basically orthogonal.  This is the nub of my thinking when I say InfoCard is not positioned against federation, but solves related but complementary problems.

I think if Paul had been present at the session he would actually have appreciated what Conor had to say.  Objectivity and realism in sizing up deployment blockers, and transparency in setting expectations, is what will lead to success.


Arun Gupta, who works on Web Services at Sun, recently wrote about a remarkable demo at Java One showing interoperability between GlassFish and InfoCard.

We, at Sun Microsystems, have been working with Microsoft for the past several months on achieving interoperability between Java EE and .NET technologies. Web Services Interoperability Technology (WSIT, a.k.a Project Tango) is Sun's Web services interoperability portal and provides all information on that effort. Earlier yesterday, we gave a demonstration of our work so far in the JavaOne 2006 keynote. The main points from the talk are that the Project GlassFish community and Windows Communication Foundation make Interoperability a Reality TODAY.

A video clip of the keynote demo is available HERE. This clip starts with our keynote presentation where Nick Kassem explains the business scenario which shows how Web services technologies enables integration within and across business boundaries. Watch me explaining the development environment to Jeff Jackson from 3:46 to 4:48. All the tools and technologies used in the demo are available today. And then Kirill Gavrylyuk shows an interoperability demo between Infocard and Sun's Secure Token Service. A picture is worth thousand words, here is a graphical representation of the scenario.

On the right, a Retail Quote Service (RQS), running in a Sun-managed environment, uses a Wholesale Quote Service (WQS) to serve car quotes to Java and WCF consumers shown on the bottom left. RQS also gets competitive bids from a WQS running in a Microsoft-managed environment. The clients talk to the RQS using secure MTOM; RQS talks to WQS using a Secure and Reliable Connection. Each managed environment has its own identity provider, also known as a Secure Token Service, or STS in short. A trust relationship between the two environments is enabled by an a priori trust relationship between the two STSs.

We also plan to share the demo code in the near future and I'll post another blog when it's available.

Check out some of the pictures I took at JavaOne on Tuesday. This picture shows me, Nick and Kirill.

More information on the GlassFish interoperability project is available here.  Arun gives a number of other download links in the full posting.
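What the “a priori trust relationship between the STSs” buys in Arun's scenario is that RQS, holding a token from its own (Sun-side) STS, can obtain a token the Microsoft-side WQS will accept without WQS ever having to trust the Sun STS directly. The following is an added example, not code from the Sun/Microsoft demo or from WSIT or WCF: it models each STS as a small token issuer and walks the exchange through, including the two refusals that make the trust boundary visible. Names such as sun-sts, ms-sts, rqs and wqs are labels chosen here; tokens are HMAC-signed JSON rather than the WS-Trust/SAML messages the real demo used, and with HMAC the trusting STS must hold the partner's secret, which a real deployment avoids by verifying an X.509 signature instead. Carrying the original subject through the exchange stands in for what WS-Trust does with OnBehalfOf/ActAs.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key, payload_b64):
    return _b64(hmac.new(key, payload_b64.encode(), hashlib.sha256).digest())


def verify(token, trusted_keys, audience, now):
    """Check a token against a trust store {issuer name: key}.  Every failure is a
    ValueError: untrusted issuer, bad signature, wrong audience, or expiry."""
    payload_b64, sig = token.split(".")
    payload = json.loads(_unb64(payload_b64))
    key = trusted_keys.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer %r" % payload.get("iss"))
    if not hmac.compare_digest(sig, _mac(key, payload_b64)):
        raise ValueError("bad signature")
    if payload.get("aud") != audience:
        raise ValueError("token is for %r, not %r" % (payload.get("aud"), audience))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


class STS:
    """Toy Security Token Service.  It always trusts itself; partner STSs are added
    explicitly with trust(), which is the a priori relationship in the scenario."""

    def __init__(self, name, key):
        self.name = name
        self._key = key
        self.trusted = {name: key}

    def trust(self, other):
        # Simplification: sharing the partner's HMAC secret.  A real STS would hold
        # the partner's certificate and verify a signature it cannot itself produce.
        self.trusted[other.name] = other._key

    def issue(self, subject, audience, ttl=300, now=None):
        now = time.time() if now is None else now
        payload = {"iss": self.name, "sub": subject, "aud": audience, "exp": now + ttl}
        payload_b64 = _b64(json.dumps(payload, sort_keys=True).encode())
        return payload_b64 + "." + _mac(self._key, payload_b64)

    def exchange(self, token, new_audience, now=None):
        """WS-Trust-style exchange: accept a token addressed to this STS from a trusted
        issuer and mint a local token for new_audience carrying the same subject."""
        now = time.time() if now is None else now
        incoming = verify(token, self.trusted, audience=self.name, now=now)
        return self.issue(incoming["sub"], new_audience, now=now)


def build_realms():
    """Two realms as in the demo: a Sun-managed one and a Microsoft-managed one.
    Returns (sun_sts, ms_sts, wqs_trust_store); WQS trusts only its own STS."""
    sun_key = b"constructed-sun-sts-secret"
    ms_key = b"constructed-ms-sts-secret"
    sun_sts = STS("sun-sts", sun_key)
    ms_sts = STS("ms-sts", ms_key)
    ms_sts.trust(sun_sts)              # the a priori STS-to-STS trust relationship
    wqs_trust_store = {"ms-sts": ms_key}
    return sun_sts, ms_sts, wqs_trust_store


if __name__ == "__main__":
    sun_sts, ms_sts, wqs_keys = build_realms()
    now = time.time()
    # RQS authenticates to its own STS and asks for a token addressed to the partner STS.
    t_for_ms_sts = sun_sts.issue("rqs", audience="ms-sts", now=now)
    # The partner STS honours it because it trusts sun-sts, and issues one for WQS.
    t_for_wqs = ms_sts.exchange(t_for_ms_sts, new_audience="wqs", now=now)
    print(verify(t_for_wqs, wqs_keys, audience="wqs", now=now))
```

Note which checks do the work: WQS's trust store names only ms-sts, so the Sun-issued token is refused at WQS even though its signature is valid, and the audience check stops the token RQS obtained for ms-sts from being replayed anywhere else. The partner STS is the only component that has to know about the other realm.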

I'm sure I'm not alone in applauding Sun's work towards identity interoperability and their readiness to collaborate with others of us in the industry to get to an identity metasystem.  As an industry we've come a long way in the last year or two.  All will benefit.  This really represents progress in getting to the Identity Big Bang and the intelligent environment.  Kudos to all those at Sun and Microsoft who made this happen.



Paul Toal, Principal Architect for a UK based IT security company, has posted one that makes the mind churn: 

Not long ago I was on a night out with some work friends. As is customary on these nights out, we ended up at a casino. Don't get me wrong, I'm not a hardened gambler. I only go to eat the free sandwiches and spend my £20 spending money :-)

However, back to the story. This particular casino was not one that I had been to before and as a result I wasn't a member. “No problem,” I was told by the lady behind the counter, “your friend who is a member can sign you in as a guest.” I was asked if I wanted to join and politely (and drunkenly) declined. “We need some identification. Can I have your driving licence?” said the lady. Dutifully I handed it over expecting her to have a quick glance and pass it back.

However, instead of the courteous check, off she trotted to the back room with my licence. A few minutes later, back she came and gave me my licence back with absolutely no explanation of where she had been. Upon asking her, I was told that she had taken a scan of my licence and would retain it on record.

In my slightly inebriated state I thought nothing of it. However, the next day, after the hangover had subsided, this started to bother me.

1) How do I know what they are going to do with that?

2) How long are they going to retain my information?

3) Who within their organisation has access to that information?

Since my licence is a trusted proof of identity, it worries me that it is kept on file at some casino. In the UK we have the Data Protection Act 1998 which protects against misuse of personal data, but how do I know that this is adhered to within this casino?

At one time or another I think we have all been guilty of handing over our personal information without too much regard as to what the person requesting it is going to do with it. In that one transaction alone, I broke at least the first 3 laws of Kim Cameron's 7 laws of Identity!!

I don't want to give anything away by appearing to be too much of an expert on European casinos, but the experience Paul describes is not wholly unknown to me – except it was my Passport that was whisked away.  From conversations I have had during some quintessentially bizarre and momentary winning streaks, I think Paul would be surprised at the kind of international databases that are maintained. And it would be really fascinating to see how, for example, the European privacy legislation has impacted the Casino Royale – or the local hotel.  Can anyone tell us?

Meanwhile, I wonder if there is some blood alcohol level after which informed consent no longer applies? 


From Gunnar Peterson at 1 raindrop… 

This is ridiculous. Yahoo:

“Thieves took sensitive personal information on 26.5 million U.S. veterans, including Social Security numbers and birth dates, after a Veterans Affairs employee improperly brought the material home, the government said Monday.

“Nicholson said there was no evidence the thieves had used the data for identity theft, and an investigation was continuing.”

Sure, they are probably just using it as a test bed for arbitrarily large data sets for a charitable open source project.

Ramona Joyce, spokeswoman for the American Legion, agreed that the theft was a concern. “In the information age, we're constantly told to protect our information. We would ask no less of the VA,” she said.

Nicholson declined to comment on the specifics of the incident, which involved a midlevel data analyst who had taken the information home to suburban Maryland on a laptop to work on a department project.

“I want to emphasize there was no medical records of any veteran and no financial information of any veteran that's been compromised,” Nicholson said, although he added later that some information on the veterans’ disabilities may have been taken.

Sen. John Kerry, D-Mass., who is a Vietnam veteran, said he would introduce legislation to require the VA to provide credit reports to the veterans affected by the theft.

“This is no way to treat those who have worn the uniform of our country,” Kerry said. “Someone needs to be fired.”

Sorry, but firing people is not going to fix this problem. Instead, maybe GWB could increase his popularity by adopting Pete Lindstrom's modest plan to Eliminate the SSN Facade. And while we are at it, why not write the Laws of Identity into the Constitution? Ok, maybe not on that last one, but how about we use the Laws in the systems we build?

Regular readers know I am a great fan of the “there was no evidence the thieves had used the data for identity theft” line.  Oh.  And just one more thing.  Please refrain from taking the munitions home with you for the weekend.