There's an interesting new identity blog on the scene by Pete Rowley.  He's an open source kind of guy – positive too – and picked up on my recent InfoCard token tutorial:

“I have been pretty busy recently, which is why Kim Cameron managed to sneak by a tutorial and demo of InfoCard that also revealed the WordPress relying party PHP code for the LAMP stack. It includes a short demo video which walks through how InfoCard works when logging in to a site that is useful to review before actually reading the tutorial. Excellent!

“Now if I might be so bold Kim, could we have the code released under an open source license.”

Thanks, Pete.  In terms of releasing code, I truly hope the industry hasn't arrived at the point where you need licensing for a tutorial. 

The bottom line?  I put my ideas out there and invited everyone to use them in any way that would advance identity on the web.  I hope that's straightforward enough. 

Anyway, I like Pete's pragmatic and multi-sided approach.  Here's another example:

User-centric != user asserted

Johannes Ernst says “If user-centricity is really what we are after, it follows that I am my own identity provider in many circumstances, doesn’t it?” I think the answer to that is, to begin with. Digital identity for the internet is a bootstrap problem. Not much can be demanded or expected to begin with, and third party asserted claims are definitely a lot to ask right now.

However given a generally accepted system of identity claims assertion for the internet, I would expect that over time many of those claims would be expected to be backed up by a third party. For sure, some things will never require that: my favourite movie and other such trivia. But a lot of claims are generally self asserted now because they have to be, like my nationality, my employer, my professional affiliations, people I know, and many others may well naturally become third party claims about me, and expected to be.

User-centric identity does not imply user asserted identity, that is merely the initial expected state in order to garner adoption. Nothing more. I fully expect there to be higher level of trust in the identity claims asserted in the future, not merely the status quo.

  I totally agree.


Published by

Kim Cameron

Work on identity.


  1. Hey Kim, nice tutorial and glad to see the code finally up. One thing I still don't grok and perhaps I'm missing something is the notion of semantics. To give an example: Imagine a relying party requires the claim “firstname” and “lastname” and has these defined in it's policy. The user has an infocard which has metadata to provide “fullname” from an IP. In this case the claims don't match despite the obvious semantical match.

    So I raise two questions
    a) Is there a mechanism or provision to define the semantics of claims?
    b) Is there any provision to allow the COMBINATION of claims (e.g. firstname + lastname = fullname) to form new claims?

    Not sure if this is more of an infocard problem than an identity meta-system problem. Might be solved in any number of ways but I was wondering if you and your team had already considered this?

  2. Pingback: Paul Mooney
  3. Hi Kim –

    I took Pete's question to be more about the code of InfoCard, not the tutorial about InfoCard. As I understand it, InfoCard is still built upon the WS-* stack, which is encumbered by Intellectual Property laws….

    Along those lines, one year ago today I blogged Four More “Laws of Identity”, including Freedom (as in Free and Open Source). Care to comment on any of those additional laws?

Comments are closed.