One more Paul on the federation and user centrism demo

Incredibly, I just came across a comment by another Paul.  I guess I spoke too soon about my success communicating with Pauls, since Paul Madsen seems to be a doubting Thomas – which in this case adds some variety, so I'm pleased to see it: 

Kim Cameron has a screen cap movie of a demo created by Ping ID.

Kim asserts that the demo illustrates (paraphrasing) “user-centric technologies like Information Cards are not in any way counterposed to federation technologies”.

I completely agree with the sentiment, but question whether the scenario portrayed by the demo actually demonstrates it.

In the demo, a user authenticates to a portal using CardSpace. Once authenticated, they are presented with a list of applications available to them for which SSO is possible (this presumably dependent on which I-Card they selected). For Kim, the user-centric piece (CardSpace) somehow ends at the portal, and from then on federation (SAML etc) takes over.

So, user-centric and federated technologies are shown as working together – but not at the same time. The user-centric piece hands off to the federation piece. Federation is presented as a lower-level piece of infrastructure (which it can be) that doesn't seem to touch the user.

Hmmm.  What I'm really saying is that in the demo being shown, the user has a relationship with the portal, which offers a nice array of services.  So in terms of technology, the identity relationship is user-to-portal, not user-to-individual-service.  One could also say the “services” can be “outsourced” by the portal – and are dealing with users as proxies for the portal.  Once the user has entered the portal, there is a “magic carpet” that takes her from service to service. 

But note:  The portal could also take the user to a service with which she would have a completely independent identity relationship.  In this case, the user would again see the Cardspace interface and select her identity through it.

Paul (three) continues:

This interpretation is reinforced by Kim:

To my way of thinking, you have two more or less orthogonal technology efforts – that oriented around federation issues, and that oriented around the user’s experience.

This ignores the possibility for SAML-based technologies to provide the very same user-experience (i.e. real-time identity sharing control, IDP selection etc) that I-Cards enable. Is SAML's Enhanced Client or Proxy (ECP), as it enables similar control mechanisms, then user-centric?

Probably not, as Kim also highlights the common UI of Cardspace and its relevance:

Should my experience therefore be totally discontinuous as I move from one portal to another, being organized by the portal rather than by my own system?

Exactly.  Maybe I was more successful at communicating with Paul Madsen than I initially thought – I think he sees my point. 

The portal just cannot know all my identity relationships (unless I were to find myself in some hideous “total environment” where everyone knows everything). 

So the portal, simply by virtue of the role it plays in the system, cannot organize my perception and use of identities across the board.  This is one of the key points I'm trying to make, and explains why you need user centric technologies and they are orthogonal to federation technologies even though in both cases you have claims being asserted and relied upon.

Finally, Paul asks:

If the phone manufacturers (or those of set top boxes) were to come together and agree on user-interface standards – would that be user-centric?

If they allow users and relying parties to represent and select between their multiple identities then yes, sure, exactly.  But it's not just a question of user interface (UI), it's a question of capabilities that are represented through UI.  I don't know why people reduce this to UI.

The fact that phones could deliver these new capabilities is why it makes perfect sense to put Information Cards on phones, music players, and other devices.  I first proposed putting them on computers because I happen to work in that industry.  But I know a lot of people who are interested in getting the same identity relationships to appear across all kinds of devices.

Federation and user-centricity

Conor Cahill picked up on a discussion I recently relayed to identityblog readers – part of an ongoing dialog between Brett McDowell and Dick Hardt.  Conor says:

I think the issue causing the disagreements here is the interpretation of the term “federation” when discussed in an identity context.

Certainly federation can mean groups of businesses working together and this is the traditional meaning of the term in the business community. This meaning would fit with Kim's statement above.

However, in an identity context (as in “identity federation” — the stuff the Liberty Alliance has been working on since its founding) the term federation was used to describe the sharing of identity information from party A to party B. Party A is usually some party representing the user (acting on the user's behalf) such as an Identity Provider or an Attribute Provider. There is nothing that says whether Party A is an entity operated by the user or by some 3rd party.

In fact, in the Cardspace solution, the process of sending data through an Infocard instance to a relying party would be considered taking place under identity federation, whether the infocard instance was rooted in a local data source or a remote data source.

Ultimately, I would say that federation can be used in both user centric and non-user centric solutions. Federation is a technology/protocol and user centric is an implementation philosophy. When designing a user centric solution, you almost always have to include some form of identity federation, but give the user great control over its use. The converse is not required to be true (although I wouldn't object to it if it was true in any environments in which I played).

I like a lot of Conor's thinking.  I agree that use of a managed card in Cardspace should be considered a form of “federation” between the relying party and the identity provider – federation approved by the user.

But I don't quite buy that “federation is a technology/protocol” whereas “user-centric is an implementation philosophy”.  It doesn't compute given a great deal of work I've been doing lately.

It's clear to me that good “user-centric” experience isn't just an automatic or natural by-product of some other “technology/protocol”.  In fact, it requires just as much study, just as much thought, just as much coding, and just as much experimentation as protocols do – probably more. 

What I'm trying to say here is that it requires technology.   In the past we've had a lot of technology that failed miserably at organizing, integrating and rationalizing the user's experience.  I've been working on software that I think does a much better job at this.  Why wouldn't Conor call that a technology?

To my way of thinking, you have two more or less orthogonal technology efforts – that oriented around federation issues, and that oriented around the user's experience.

As a user, when I go from portal to portal to portal, it's likely they will have relationships with different identity providers.  Should my experience therefore be totally discontinuous as I move from one portal to another, being organized by the portal rather than by my own system?

In Cardspace (and with Information Cards running on other devices and platforms) we postulate that the user can benefit from computerization of his or her own identity experience – just as enterprises benefit from computerization of theirs.

Through Information Cards users can benefit, to the extent the technology is adopted, from the same well-understood experience as they move between unrelated portals which do not share identity relationships.   

I see Cardspace as providing a palette of identity relationships (Information Cards) that work for me as a user and make sense from my point of view as an individual with a complicated life. 

I think Dick Hardt, and others like Paul Trevithick at Higgins, share a number of the same notions as I do, though each of us is concentrating on different aspects of the problem.

So that's why I'm saying that there are two legitimate technology areas, orthogonal in the sense that you can have either one without the other, but synergistic in that together you get a number of critical new scenarios.

To make this more concrete, my next post will be a demo of Andre Durand and Ashish Jain's work in showing how this can look in practice.

Adventures in Cardspace

Industry guru Craig Burton's Cardspace is working now (thank goodness).

The bad news is that he's had a pretty miserable time getting it going.  Mainly, it seems in retrospect, because his computer was set up with a FAT32 file system.  If you have this configuration, no error message is displayed to you as a user – you have to read through a cryptic note in the system-wide error log.  This has to be fixed.

The good news is that once he got Cardspace working, Craig really liked it.  That's really important to me:

I have been trying to get CardSpace to work on my machine for several weeks. (Seems much longer.)

I have downloaded tons of upgrades, deleted apps and services, and so on.

Pamela Dingle and Kim Cameron have been very helpful in trying to help me make things work.

Pamela studied the error log – created by the CardSpace control panel – I posted and suggested that the problem was that my c: drive was using the FAT32 file system. She explained that her resources tell her that CardSpace only supports NTFS.

Turns out this is true. Kim subsequently fessed up that FAT32 isn't secure enough so they decided to set the bar at NTFS. They just didn't bother to tell anybody. (Good thinking.)

I decided–against my better judgement–to convert my FAT32 file system to NTFS. I haven't done that until now because I haven't been successful in creating an NTFS compatible boot CD. If something happens to my system, I'm in trouble. I am working on resolving this. (There is a DOS-based utility that will access NTFS for recovering critical data. I don't like that prospect.)

Anyway, to convert from FAT32 to NTFS you do the following. Open a command line window:

start>run>cmd

Run the convert utility:

convert c: /fs:ntfs

Reboot, and the convert utility–assuming you have enough empty storage–will convert FAT32 to NTFS with no loss of data.

I tried it. It worked. Whew! Getting this far has been no simple task.

I was then able to create an Infocard with the CardSpace control panel and log in to the Identity web log and to the NetFX Sandbox.

I also tried the Ping site. It was slow–not sure why–but it worked. A page came up with four other sites that support Ping Federation that I can sign into with my Infocard. The sites aren't all that useful to me, Java, Verisign, Computer Associates, and another one I can't remember. That was cool.

The Ping site–unlike the other two sites–gave me three options for sign-in:
Traditional (yuch) name and password, self issued Infocard or Managed Infocard. Not sure why Ping distinguishes between self-issued and managed Infocards as the Infocard selector lets you do that, but I will find out.

Caveats.

If you convert to NTFS, you cannot go back to FAT32 without repartitioning and formatting your disk.

I love being able to register and login to a website with an Infocard…SWEET!

I hate how complicated it is and that it only works with BETA code. Infocard simplicity comes at a complicated uphill price. At least it isn't Msft-silo-centric. Apple, Mozilla, RedHat and others have committed to support Infocards.

Things will have to get significantly easier–and supported by other browsers and OSs–before we see any kind of adoption.

Despite all of that, not having to use name-password mechanisms for secure interaction is very significant to the industry and people. This has been a long time coming and I can't emphasize its importance enough. Thanks to all that have made it happen. 

Many thanks to Pamela, who has become a Cardspace savant, for figuring this out – I've been in Australia and couldn't keep up with the troubleshooting.

Cardspace + FAT32 = Unhappiness

Pamela Dingle has posted some information we need to get out more broadly: 

Important installation note for people wanting to play with CardSpace: CardSpace only works when installed on an NTFS filesystem. If you are planning on setting up the July CTP and playing with CardSpace, make sure your C: drive is not FAT32.

We can't get the same kind of access control protection with FAT as we can with NTFS – for example the ability to set permissions at the directory and file level – so we set the bar at NTFS.


Cardspace Sandbox

If you want to try out Cardspace, you should go to Cardspace Sandbox and follow the install instructions there.

Pamela Dingle has written about the site here.  Her description of Cardspace is great, although I really do recommend following the installation instructions.  In fact, if you don't follow them you will likely have problems.

Remember that if you have installed previous versions of various components, they probably won't work properly for login until you put in the new versions.  The reason is that in response to customers and other vendors, we have had to introduce “breaking changes”.  People tell us about things that can be improved, and we try to do so.  We've chosen not to become enmired in “premature backward compatibility” given that we are still in beta.

So I'll review some of what it tells you at the Sandbox:

Install Internet Explorer 7.0
  The Sandbox site currently requires Internet Explorer 7.0 Beta 3 when using Windows CardSpace.
Install the .NET Framework 3.0 Runtime Components July CTP
  The Sandbox site requires the .NET Framework 3.0 Runtime Components July CTP to be installed on your local Windows XP or Windows Server 2003 computer in order to use Windows CardSpace.
Start using Windows CardSpace!
  Create a new user account or login using your Information Card.  

Log into the Sandbox, and log into my site using the “Login” button.  You won't need to create an account.  Just answer the email my system sends you and you will be registered and able to comment.

Remember, if you have previous beta versions of the .NET framework or IE 7 components above, you need to go to the Control Panel->Add or Remove Programs, and delete them.  You'll find detailed instructions if you follow the install links.  I did it myself and didn't find it onerous at all, though I needed help removing the earlier version of IE 7.

Craig Burton writes:

Cardspace Sandbox looks like a good place to have some guidance for Infocards and Cardspace. However, I have tried some of the stuff they recommend and got stopped because of the requirements.

In the mean time, I have issued myself an infocard but I have yet to find a place that accepts it–including Kim Cameron's identityweblog.

Waiting for Kim to respond. I would make a comment on his blog about all of this but I can't because I haven't figured out how to create an account.

This is ridiculous.

Indeed – there is a bit of a Catch-22, since to put a comment on my blog, you need to log in with an infocard.

More and more people are getting Cardspace running.  For example, while I was writing this, in came a comment posted by Bavo De Ridder, who wrote:

Ok, I have installed .NET 3.0 July CTP and since I already had IE7 Beta 3, it took only a few minutes, no reboot required. This stuff seems to be of good quality already! 

Bavo was able to add his comment without going through “moderation” – contributing to the identity silo thing.

So courage, my friends, and please follow the instructions posted at the Sandbox.  Like Bavo, I think the quality is getting quite good – the hard part is making sure your versions are right.

Get over to Craig Burton's blog

Craig Burton is blogging up a Perfect Storm at craigburton.com.  In fact he's posting so many nice little nuggets that you only see about a day and a half's worth when you go to his site with a browser.  Make sure you navigate back using the calendar.

Since a couple of the recent pieces concern things I'm involved with, I'll pick up on those.

Let's start with the discreetly named Vendor Lock in Sucks:

Microsoft plans link between directory, Live services:

Microsoft is planning to sync its Active Directory with its Live Web-based services to give users single sign-on for applications and services both inside a company network and on the Web.

Technically a good idea. Fewer namespaces and fewer administration models. Reality is, customers are loath to get roped into Msft centrism. Msft has yet to make the cut to OS independent Internet services.

Trust me, that is the future. The longer they put it off, the worse it is for everybody.

The open source community isn't much better. Politics is winning over common sense.

It will be interesting to see how Ozzie guides the company towards this end. Gates hasn't, won't. Ballmer is worse, Allchin…I have no more to say about that.

Let me talk to Craig directly for a minute.

Craig, take a look at the Windows Live ID whitepaper and let me know what you think of it. 

In my view it is consistent with a number of the ideas you've brought to the industry for a long time now. 

As far as I can see, there won't be anything proprietary about the way Windows Live ID federates with Active Directory or anything else – it will just use the WS-Federation and WS-Trust specifications, which are being implemented more widely, by more vendors, every day – and can be used on a royalty-free basis.

So then how does this initiative lock anyone in? I'm a non-lockin sort of guy.  We need to win customer support by producing products that are cool to use and manage; that have superior reliability and integration with dev tools; and that are open to other implementations.

As for your comments on Bill (and his friends), you just can't produce the kinds of technologies we are about to deliver in fifteen minutes.  Our work has been going on for a while (!) and involved a lot of patient investment.  The truth is, Bill has been a great supporter of ubiquitous Internet identity and I want to stand up for all he's done to help, just as I would do for you.  This said, Ray also brings a lot to the table.

Craig also has a recent post on Cardspace:

A Sandbox to Play In:

Pamela Dingle, who always has the intestinal fortitude to ask the best darn questions at Catalyst (and other conferences), has posted a good “quick start” guide for anyone wanting to play around with Windows CardSpace. Via that post, I found this CardSpace “sandbox” site, which has some interesting pointers on it.

Jamie Lewis points to some Cardspace resources. I opened my control panel the other day, and there was a new control panel named “Digital Identities.” It let me create an infocard. I have no idea what to do with it, but I know it came from Kim's group. I will try to find out more about this.

This is getting exciting.  So Craig, now, while you are on identityblog, choose Login.  When you get to the login page, click on my Information Card icon (a placeholder while we all agree on a real icon).  Let me know how that goes too.

UPDATE:  The original link for the Live ID Whitepaper was broken – I have fixed it.

Liberty, Open Space and Information Cards for Apple

Red Hat's Pete Rowley on the recent adjoining Liberty Alliance and Open Space events in Vancouver – and Apple support for Information Cards:  

The Liberty Alliance made a bold statement in Vancouver last week when it opened its doors for the first time to the hoi polloi. Now this was something interesting enough to demand a visit in of itself, but with the addition of an Open Space after the Liberty meeting, well, you knew I was going to be there right?

The first two days consisted of the regular business of the Liberty Alliance where visitors were allowed to attend any session except for the super secret board stuff. I attended many of the technical sessions which were interesting, though sometimes hard to follow as an outsider without access to the documents under consideration. I also took part in a session around privacy concerns that not only assured me that Liberty has them but that they are serious about dealing with the issues. The conversation turned at one point to outside perceptions of Liberty itself and its lack of openness to its internal process and draft documents. Somewhat ironic was the point made that nowhere was there to be found any information regarding the location of the Liberty conference, at least not to those without access to internal websites. A consequence of this being the first open meeting no doubt. In all, an interesting and worthy meeting.

The final two days were spent on the Open Space which was run in unconference format by Kaliya Hamlin and was excellent as usual. Topics ranged from SAML to Liberty People Service to how should we rename this user centric identity thing? Kim Cameron wrapped up with a lunchtime introduction to CardSpace that by popular demand lasted for nearly two hours. At one point Kim was asked whether Apple would have an identity selector like CardSpace and Kim redirected the question to me in my capacity as OSIS representative. As the newly appointed unofficial spokesman for Apple I suggested that if Steve Jobs would call me I’d hook him up.

So Steve, call me.

Gee.  That's an interesting idea.

Like Pete I took Liberty's Open Space collaboration as being a very positive step in increasing dialog and understanding in the identity community.  It was great to speak with a number of the Liberty people who have been leaders in moving identity technology forward over the last few years.  It strengthens my conviction that we are on the road to an Identity Metasystem reaching across platforms and underlying technologies.

Some recent podcasts

For those new to Identityblog and looking for an introduction, here is a short interview I did recently with PTS-TV in England:


If you are ready for something more challenging, William Heath of Ideal Government got me thinking about the problems of overly-centralized identity technology in a podcast he described as follows:

Here's an exclusive interview with Kim Cameron, speaking with Jerry Fishenden to me and my colleague Ruth Kennedy. Famous as the Identity law-maker, Kim delivered Microsoft's Damascene conversion on identity matters and has become the catalyst for a new-found cross-industry sense of purpose about what it'll take to get digital identity and authentication that works for all of us.

He speaks exclusively to Ideal Government about the UK's ID developments in the context of state-of-the-art industry developments such as the Laws of Identity, Information Cards and the imminent ID big bang.

Note from administrator: (This was a 40-minute interview – the key sections are linked to the text below. The whole podcast is available here. This is the first Ideal Government audioblog/podcast, so please forgive any clunkiness and background noise – it was a hot day and we were glad of the aircon.)

Best way to hear the audio extracts:

Firefox users: right click and “Open Link in New Tab”
IE users: I don't know. But when you find out, tell me.
Also, if anyone can insert inline audio into Expression Engine, please tell me!

He sets out what he means by “Identity” (and there are many different meanings). He explains what Information Cards are, and how Microsoft has implemented them under the brand name Cardspace. He explains why for all its regrettable clunkiness the ageing UK Government Gateway is more secure and privacy-friendly than the proposed Home Office ID system, and it's revealed that there is a working version of Information Cards showing UK Government Gateway transactions. But this isn't Passport/Hailstorm revisited: it's as clear to Microsoft as to anyone that this has to work for everyone. We need a cross-industry big Momma identity backplane, and then the identity big bang can happen. But no one entity, country or authority can be in control.

He sets out where his work stands in relation to a user requirement for the ID we need for e-enabled services in the UK. Users decide, he says. If the system isn't widely adopted, it fails. As an architect, he expresses his concerns about the Home Office's ID card system. Too much information is in the same place. It's a colossal blackmail-generation machine. Every system will be breached, he says. If you don't understand that, you don't understand security and should not be talking about it.

He's pretty frustrated about the prospect of a lugubrious ID system which will inevitably damage trust in e-services. But a combination of the difficulty of the undertaking and the common sense of the British public means it will fail. The Brits are sensible, he finds. Tall as he and I are, we all recognise there's a limit: you can't survive if you're much over 11′. “They're trying to build a 60′ man here,” he says. All the technology people he knows feel the same way.

Yet he's very optimistic: UK identity systems can be efficient, secure, privacy-friendly and cheap, he says. The example of an ideal ID architecture he offers is pretty close to home: it's the Scottish Executive. How pleased will the Scots be to have an expensive and ill-conceived UK-wide system forced upon them, in a new West Lothian twist?

O2’s FREE monthly handset teaches how to be phished

The relationships between enterprises and their “designated agents” are often pretty murky from a customer point of view.  In the old days, few people cared.  But in the world of phishing, we need a lot more clarity about who is representing whom – we need to know whether an offer originates from someone legitimate or not.

In this post Ben Laurie shows just how hard the current identity patchwork (read “architectural black hole”) makes it to know what is going on – even if you're one of the top Internet security people in the world. 

Ben tells us, “O2 like phishing…”:   

They must do, or they wouldn’t do stupid things like this.

I got an email, looking just like this:

We’d like to say ‘thanks’ for being a great customer by offering you either a FREE Pay Monthly handset upgrade OR £100 credit added to your account – provided you haven’t recently upgraded.†   

And it couldn’t be easier. All you have to do is renew your contract with O2 before 31st August 2006.

If you choose to renew your contract for 18 months, rather than 12 then there’s even more on offer:

If you prefer to talk we have a range of Talker plans with Double Minutes each month*. For example, on an Online 500 Talker plan you’ll get 1000 minutes and 150 messages each month for £35.

If you prefer to text we also have a range of Texter plans which offer 50% Extra Minutes and Texts each month*.

For example, on an Online 500 Texter plan you’ll get 750 mins and 750 messages each month for £35.

To see our full range of handsets and offers and to renew your contract, click here.

And thanks again for choosing O2 .

† The information used in this mailing is based on your contract status as at 30th April 2006. Unfortunately, if you upgraded after this date your new contract means you won’t be eligible for these offers. Terms and conditions apply.

*Offer subject to ongoing connection to eligible tariff see letter for details. Promotional allowances must be used within the month. Unused allowances cannot be carried over into subsequent months.

OK, I removed some maybe-identifying data from the link, but you’ll notice the link goes to http://www.o2-mail.co.uk/. “Oho”, says I, being a suspicious sort, “that’s not O2’s website, I wonder who managed to register it?”

$ whois o2-mail.co.uk   

Domain name:
o2-mail.co.uk

Registrant:
Vertis

Registrant type:
UK Individual

Registrant’s address:
The registrant is a non-trading individual who has opted to have their
address omitted from the WHOIS service.

Registrant’s agent:
MCI Worldcom Ltd [Tag = UUNETPIPEX]
URL: http://www.uk.uu.net/

Relevant dates:
Registered on: 01-Aug-2003
Renewal date: 01-Aug-2007
Last updated: 04-Aug-2003

Registration status:
Registered until renewal date.

Name servers:
ns0-o.dns.pipex.net
ns1-o.dns.pipex.net

Hmmm, a non-trading individual who wants to renew my phone contract, eh? Think I’d better check that out – but what a shame, http://www.uk.uu.net/ doesn’t actually resolve, so looks like I’m not talking to them. And, oh dear, Nominet are closed until Monday, so that avenue is out, too.

The mail itself, incidentally, purports to come from o2-email.com, a domain which they didn’t even bother to register.

So, fearing nothing, I clicked on the link – which redirects me to http://www.o2renew.co.uk/. Here we go again.

$ whois o2renew.co.uk   

Domain name:
o2renew.co.uk

Registrant:
AIS Group Ltd

Registrant type:
UK Limited Company, (Company number: 3561278)

Registrant’s address:
Berners House
47-48 Berners St
London
W1T 3NF
GB

Registrant’s agent:
Global Registration Services Ltd [Tag = GRS]
URL: http://www.globalregistrationservices.com/

Relevant dates:
Registered on: 14-Apr-2005
Renewal date: 14-Apr-2007
Last updated: 27-Jul-2005

Registration status:
Registered until renewal date.

Name servers:
ns25.worldnic.com
ns26.worldnic.com

At least this has an address, if I could be bothered to follow up, which I can’t, but this all looks a bit fishy. To compound the fun, I also got a text on my mobile with the same offer, but anyway, I phone O2 customer services. They explain that this cannot possibly be O2, it must be one of their “marketing partners” who will, if I fill in the form, renew my contract with O2, but via them. And, presumably, or maybe not, give me a new phone. I ask where they got my email address and phone number, and the answer is that at some point I left a box ticked that said it was OK for partners to send me stuff.

So, do O2 condone this practice, I ask? The answer is, apparently, that they do. They don’t even mind, it seems, that the website has O2 branding on it.

If O2 is going to allow people they have contractual relationships with to do this kind of thing, how on Earth do they expect consumers to learn what is phishing and what is not?

Ben's approach is the only one you can take with today's web technology.  Basically, you need to know how to analyse subdomains and understand DNS paths.  Given this, one wonders why O2 condones the use of URLs worthy of the best phisher.  It is cutting the last safety line we have been able to clutch between our fingers in trying to achieve even the most marginal Internet safety.

Still, I find myself choking on the idea that for people to understand they are being phished, they need to understand subdomains and the intricacies of DNS.

One of the great advantages of the way Information Cards work is that the site the user is visiting (in this case O2.co.uk) can specify its designated agents in a cryptographically secure fashion.  In this case, O2 could specify O2renew.co.uk as the entity the user should exchange identity information with.  The user would be guaranteed that this was an extension of her relationship with O2, with O2renew acting as an agent of O2.co.uk.
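To make the "analyse subdomains" point and the "designated agent" point above concrete, here is an added Python example (not Ben Laurie's, O2's or CardSpace's code). It answers the question Ben had to answer by hand: is the host in a mailing link the first party itself (o2.co.uk or a genuine subdomain), an agent the first party has explicitly declared, or unrelated? The public-suffix table and the agent declaration for o2.co.uk are constructed assumptions; the page only says O2 could declare O2renew.co.uk this way.

```python
"""Classify a link host relative to a first-party domain.

Added example with constructed data; not Ben Laurie's, O2's or
Information Cards' code.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# ASSUMPTION: a tiny stand-in for the Public Suffix List. A real checker
# must use the full list, because "co.uk" is a suffix nobody owns, and
# "o2-mail.co.uk" is a completely separate registration from "o2.co.uk".
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "uk", "com", "net"}

# ASSUMPTION: a constructed declaration of designated agents, keyed by the
# first party's registrable domain. This is what the page says a site
# could publish; it is not a statement of what O2 actually declares.
DESIGNATED_AGENTS: dict[str, set[str]] = {"o2.co.uk": {"o2renew.co.uk"}}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of host: the label immediately to the
    left of the longest matching public suffix, plus that suffix.

    'www.o2-mail.co.uk' -> 'o2-mail.co.uk'
    'mail.o2.co.uk'     -> 'o2.co.uk'
    'o2.co.uk.evil.com' -> 'evil.com'   (the brand on the left means nothing)
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the two-label suffix first so "co.uk" wins over "uk".
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def classify_host(link_host: str, first_party: str,
                  agents: dict[str, set[str]] = DESIGNATED_AGENTS) -> str:
    """Return 'first-party', 'designated-agent' or 'unrelated'.

    Only the registrable domain is compared, so a lookalike such as
    o2-mail.co.uk is 'unrelated' however much it resembles the brand.
    """
    party = registrable_domain(first_party)
    link = registrable_domain(link_host)
    if link == party:
        return "first-party"
    if link in agents.get(party, set()):
        return "designated-agent"
    return "unrelated"


def classify_url(url: str, first_party: str) -> str:
    """Same check starting from a full URL. urlsplit().hostname discards any
    userinfo, so 'http://o2.co.uk@evil.com/' is judged by 'evil.com'."""
    host = urlsplit(url).hostname
    if not host:
        return "unrelated"
    return classify_host(host, first_party)


if __name__ == "__main__":
    # Constructed samples: the two hosts from Ben's mailing, the From: domain
    # he mentions, a genuine subdomain, and a userinfo lookalike.
    samples = [
        "http://www.o2-mail.co.uk/",
        "http://www.o2renew.co.uk/",
        "http://o2-email.com/",
        "https://mail.o2.co.uk/",
        "http://o2.co.uk@evil.com/",
    ]
    for url in samples:
        print(f"{url:32} -> {classify_url(url, 'o2.co.uk')}")
```

Run against the constructed samples, only the declared agent and the real subdomain pass; both o2-mail.co.uk and o2-email.com come out as unrelated, which is exactly the distinction a customer cannot be expected to make by eye.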


Personal Identity Mesh

Identity Open Spaces are always interesting – uninterrupted hallway conversations that let you get to the nub of things – but this week's was different from the others because it was held in conjunction with a meeting of the Liberty Alliance.  This threw us all together with a bunch of people we hadn't met before, and frankly I think it was very useful.  We all got to present and discuss our work, interests and concerns.

It's hard to explain – or even imagine – what these meetings are like, because people are coming from such different places that their take-aways differ dramatically.  I'm sure a number of people will blog about this, but I'll just start by quoting Marc Canter of Macromedia fame.  One of the interesting things about Marc is that he just wants results – identity he can use in his products.

As I sit here in the blazing heat, periodically jumping into my pool – I’m feeling good about the last few days I spent in Vancouver.  It was great for me to get away from answering sales calls, improving user interfaces and dealing with Angel investors.  I found myself right back smack dab in the middle of an evolution of technology, where enterprise, mil spec encryption, security and privacy technology was being deployed for the purposes of each and every one of us to be able to control our content and meta-data.

Moving and controlling profile data is important, but we ALSO gotta control access to our content – based upon our relationships to the viewer.  Apparently Vox does this pretty well – but I haven’t checked it out – yet.

A lot of time and energy was spent up in Vancouver trying to define and speak clearly of all the different platforms and their nuances.  It was an Open Space effort, designed to correspond with a Liberty Alliance meeting, so lots of loosely structured meetings occurred where real work was accomplished.

On one hand you had all these academic and enterprise researchers and experts who are managing bank accounts, mutual fund accounts and health records, debating on details like ‘is it THIS or really THAT’.  Then a bunch of the open folks – like Neustar and Cordence were there – more or less hawking their goods.

So in other words this was the “open user-centric folks” meet the SAML/Federated trust enterprise wonks fest.

I’d say it came off pretty well – especially with Kaliya Hamlin leading the organization, facilitating the conversations and keeping things lively. I did my best to also “keep folks awake” – while only dozing off a few times myself, during those insipid debates on “do you mean WHAT you mean or is that a semblance of meaning in your declaration?”  It was that bad.

As a vendor I went to this meeting knowing that I was a downstream participant, someone whose issues are a lot different from the folks who are trying to stake out real estate around ’standards’.  You see – we (by definition) have to support ALL the standards, so my only real motivation is to get as many of them to work together and adhere to each other’s standards.

And that’s what I did.  There was a whole session on ‘Protocols Converging’ (led by Dick Hardt) and that led to a few private meetings out in the hallway, which is where all the real work gets done. I myself am excited about what Dick is gonna show and unveil at OSCON next week, but I can’t tell yah about it.

Or else I’d have to kill you……

Anyway – based upon what I heard at this meeting, here are some issues that are pretty easy for me to make:

  • At best we’ll get 2% of the populace using this stuff – even within the next few years
  • But many more people WOULD/COULD use it if it was readily accessible, easy to use and they understand what the fuck it meant
  • Doesn’t really matter if it implements authentication, if that’s ALL it does
  • I agree with Kim Cameron – there will be two approaches to this area – card based and address based

And that’s the best way we can describe it to the humans.

The Identity space is really complicated, and our clients expect me to be an expert at it.  So I nerded out over the past few days and have the next generation architecture for PeopleAggregator designed with it in mind.

It’ll make sure that real value can be delivered to humans – real soon now- regardless of whether or not they’re (the humans) willing to jump through all the hoops and grok all the nuances of the Identity puzzle.

There’s one inherent tradeoff for this.  If you don’t want to jump through all the hoops of getting a card or signing up for an address (or just hacking one yourself) then you CAN’T COMPLAIN if you don’t get a phishing proofed, crypto encoded, security tight, hacker proof, scalable, long term, persistent unique identifier.

But if all that really gets you off, then you won’t mind jumping through all the hoops.  Those hoops require opting in, sharing, moving and adhering to all these rules – about Personal Identity Mesh.

Getting a info card to be compatible with Kim Cameron’s Info Cards system, which will be built into Vista and is available for XP – right now – will be about getting something called a .crd file.

Kim showed using Info Cards to log into WordPress – just to prove that it works on a LAMP stack, open source platform.

David Recordon (of Verisign) led an excellent session on OpenID and talked about its status.  Drummond Reed was there to talk about XRI and XDI.org and inames.  All the major players in this space were there and talking to each other.

Dick Hardt had a session on coming up with a name for the unique thing we’re doing.  It’s not a traditional federation, or circle of trust – it’s recognizing that individuals rely upon portals (or fancy webapp) software to get their services and that they’re probably dealing with LOTS of these services.  Each of these portals has all sorts of assertions, backend technology, web services, alliance partners and other infrastructure.  But what we SEE is the portal or NetVibes or PageFlakes or MySpace or Vox.

The human is then supposed to confer and rely upon (what’s known as) an identity provider or identity broker – which is usually an objective 3rd party – to verify their claims, assertions and transactions. We debated upon what to call it – but we all agreed that it’s something new and unique. I call this the “Personal Identity Mesh” – cause anybody can use any Identity broker – yet we’re all supposed to trust and believe in these ‘reputation systems’ (especially if Auren Hoffman has his way – with Rapleaf.)

Whatever the term is – it’s the universe that PeopleAggregator is going to support and help make happen. But we need LOTS of vendors to participate and the big boys – too.

I really like the term “Personal Identity Mesh” that came out of the “naming” discussion led by Dick Hardt.  It sums up what a lot of us are trying to do. 

I should also make it clear that I don't think there are very many who see information cards and URL-based identities as being opposed to each other.  A card can represent a URL-based identity, and a URL can be used, in a number of use cases, to represent the identity that would be conveyed through a card.  This doesn't work in all cases, but it works in enough important cases that it is very useful.

Finally, I think Marc's estimate of 2% over three years is overly pessimistic.  The big sites and big players can accelerate adoption a whole lot with the flick of the switch.  I've already had people tell me they are going to enable hundreds of millions of accounts with Information Card support.  If they do what they are saying they'll do, and if people like the experience as much as I think they will, there can be a serious network effect here.