Move over, Jeopardy! Watch out, Vegas!

Anyone who has heard Citigroup's Hilary Ward speaking at identity conferences knows Citi has the understanding and experience needed to launch a major league identity team.  And it looks like it's happening.  They have some very interesting new technology, and will be issuing high assurance certificates.

Beyond that, these folks have a sense of humor.

My friend Francis just sent me Citi's new Vegas Quiz game based around Identity and Digital Certificates.  

It will be played by visitors to the Citigroup booth at the upcoming Association of Financial Professionals (AFP) conference in Las Vegas.


You must present a high-assurance digital certificate to win, so get ready!

The quiz is a real achievement in integration.  It's built with Windows Presentation Foundation – and uses digital certificate information read from Smart Cards or USB tokens.

The player's score is then written out to a Word document which in turn is signed using the digital certificate from the store. 

All joking aside, one can see that the real-world version of this will be a dynamite application in this world of SOX and increasing quality of process.

I'm also willing to bet this is the first application that combines high-assurance digital certificates with the Windows Presentation Foundation (formerly Avalon).

I can just imagine all this stuff integrated with InfoCards.

 

Doc Searls on OSP

Doc Searls – true wit, luminary and marketing guru – not to mention Editor of the Linux Journal, on the OSP:

It isn't entirely a joke (or a fair statement) that Microsoft has become a legal department traveling as a software company. Yet there are some upsides. One is that some very smart lawyers at a very large company have had to engage Reality through company technologists brave and determined enough to engage the open source community in constructive collaboration.

With positive results.

That's what has been going on with the corner of Microsoft that has been involved in the Identity Space.

I'm writing this from a room where Microsoft technologists are meeting with friends — and that's what they are now — with Red Hat, Novell, Higgins, XRI/XDI/i-Names and other open source efforts — as well as others from the customer side. They're talking right now about the Microsoft Open Specification Promise. The intention of the promise is to make Microsoft-developed (and -co-developed) technologies completely useful by open source projects. Or maybe by anybody.

I don't have time to write more at the moment. But I'd like to hear what you think. This is original and well-intended work by honorable people who really want the whole market to work, and not just for one company to muscle everybody else.

It's also a beginning. Times are a-changing. Everybody can help with that.

Check out Kim Cameron's IdentityBlog. Follow links there and at Johannes Ernst's blog.

JP Rangaswami on how the OSP “feels”

A number of people have been writing good things about the Open Specification Promise.  The expression of good will speaks volumes about why I continue to love this milieu, and the people in it.

Your personal support in moving our work forward means a lot to Mike Jones and me.

I'm certain it will influence the way events unfold in the future.

Take a look at this piece by JP Rangaswami, author of Confused of Calcutta. I think he expresses what a lot of people are feeling. 

Ambrose Bierce, in The Devil’s Dictionary, defined a cynic as follows:

A blackguard whose faulty vision sees things as they are, not as they ought to be. Hence the custom among the Scythians of plucking out a cynic’s eyes to improve his vision.

Many years later, Albert Einstein defined common sense as “the collection of prejudices acquired by age eighteen”.

As I grow older, I realise that however hard I try to keep an open mind, and to learn, I land up with anchors and frames and perspective-biases that I don’t always know I have. Which means that sometimes I have to work hard to ensure that I don’t lapse insidiously into cynicism.

So you can understand why I had to work very hard indeed when analysing the Microsoft Open Specification Promise that was published yesterday. If you’re interested in the subject, then please do check out Kim Cameron’s blog here, Doc’s piece at IT Garage (where he asks for your opinion as well) and Phil Windley’s blog here, along with Becker and Norlin’s Digital ID World blog at ZDNet.

Microsoft are not known for their pioneering approaches in the open source world. Identity is one of the three big issues that affects our ability to deliver the promise of today’s technology (the other two are Intellectual Property/Digital Rights and the “internet”, with or without Stevens’ Tubes). A valid solution for identity pretty much needs Microsoft’s support and that of its legions of lawyers.

And so we come to the Open Specification Promise. My early reactions? I think Kim Cameron and his team have done a brilliant job at pulling this off and getting something workable past the lawyers’ cynosure.

If you want to understand it, and don’t particularly feel like wading through “implication, exhaustion, estoppel or otherwise” (and who could blame you?), then skip the legalese and go straight to the Frequently Asked Questions section. I quote from the FAQs:

  • The Open Specification Promise is a simple and clear way to assure that the broadest audience of developers and customers working with commercial or open source software can implement specifications through a simplified method of sharing of technical assets, while recognizing the legitimacy of intellectual property.
  • We listened to feedback from community representatives who made positive comments regarding the acceptability of this approach.
  • Q: Why did Microsoft take this approach?
  • A: It was a simple, clear way, after looking at many different licensing approaches, to reassure a broad audience of developers and customers that the specification(s) could be used for free, easily, now and forever.
  • Q: How does the Open Specification Promise work? Do I have to do anything in order to get the benefit of this OSP?
  • A: No one needs to sign anything or even reference anything. Anyone is free to implement the specification(s), as they wish and do not need to make any mention of or reference to Microsoft. Anyone can use or implement these specification(s) with their technology, code, solution, etc. You must agree to the terms in order to benefit from the promise; however, you do not need to sign a license agreement, or otherwise communicate your agreement to Microsoft.
  • Q: What is covered and what is not covered by the Open Specification Promise?
  • A: The OSP covers each individual specification designated on the public list posted at http://www.microsoft.com/interop/osp/. The OSP applies to anyone who is building software and or hardware to implement one or more of those specification(s). You can choose to implement all or part of the specification(s). The OSP does not apply to any work that you do beyond the scope of the covered specification(s).

We have a long way to go before we can solve all this. We’re not going to solve all this unless we stop acting like cynics. So let’s get behind Kim Cameron on this and see what happens. That’s what I’m going to do.

An aside: Why can’t legal agreements be written like FAQ sections? Is there a law against it?

That's very generous, JP – although in fairness, I want to give the lawyers – from Microsoft as well as the open source world – full credit for getting behind this and making it real.

Friends, let's not stop until we get to the identity big bang.  Let's all keep our concentration.  Let's knock down the wall between us and the coming virtual reality.  Let's make it possible to know who we're dealing with on the Internet – when that is appropriate.  And let's do all this in a way that cradles our privacy.

WordPress InfoCard integration code

Update:  There are now excellent community-based and commercial implementations of Information Card code for WordPress, php, ruby, “C” and other languages.  I've left this zip here for documentary and pedagogical purposes only.

I've been wanting to share my experiences adding Information Card support to identityblog for quite a while now.  I just haven't had the time.

I started by publishing my work on building the necessary code for handling secure identity tokens.  But then I got interrupted with the necessities of life – like shipping Cardspace.

Anyway, now I'm ready to present my integration code.  Very little of it is unique to WordPress – it is really code that would in general apply just as much to any other piece of software.  Someone could easily factor my code so the interface is a little cleaner than is currently the case. 

When I had to actually alter WordPress files (only 3 of them), I just show the changes that are necessary.  You'll have to download the original files from WordPress (version 2.0.4) to see what I'm talking about in context (usually not necessary unless you are making the changes in your own version).

Download my contribution here.  My assumption is that the root of this download is the same as the root of the wordpress directory. 

[WARNING:  DO NOT INSTALL THE WORDPRESS FILES FROM MY ZIP INTO YOUR OPERATIONAL WORDPRESS DIRECTORY!  IF YOU WANTED TO USE THIS CODE, YOU WOULD NEED TO MANUALLY INTEGRATE THE CHANGES I HAVE MADE TO MY VERSION OF THE WORDPRESS FILES INTO YOUR VERSION OF THE SAME FILES.  THIS NO LONGER MAKES SENSE SINCE THERE ARE EXCELLENT (SUPPORTED!!) VERSIONS AVAILABLE. ]

The files all begin with “infocard” so they're easy to delete if you want to.

I'll be publishing a number of pieces explaining why I took the approaches I did.  I hope this will get some good, concrete conversation going.  The first in this series is uncharacteristically WordPress specific – don't get discouraged if you're looking for something more general.  It talks about how I approached changing the wp-login page.  I'm pretty sure that even people thinking about InfoCard-enabling other products will find some ideas here that help them out.

Like my previous work, you can use this code in whatever way you want.  My goal is to help as many people as possible understand, use and deploy information cards.

UPDATE:  Thanks to Samuel Rinnetmäki for pointing out the need to warn readers not to install “as is” in an operational directory – it had never occurred to me they might do this…  I've edited the ZIP to make this impossible (09-02-2008).

Upcoming DIDW

I hope everyone's going to Digital ID World (DIDW) next week. We'll start on Monday with an Identity Open Space Unconference (don't worry, Virgos, they're unstructured, but not without shape and self-revealing purpose). Once this gives rise to the main event, there are a number of sessions that look fascinating for identity aficionados – like “What Do the Internet's Largest Sites Think About Identity?”, a panel moderated by Dan Farber and featuring representatives of the large sites and a new presentation by Dick Hardt. There will also be an OSIS meeting – and of course, the endless hallway conversation.

I'm pairing up with Patrick Harding (from Ping Identity) on a Wednesday session called “Understanding InfoCards in an Enterprise Setting”. It will include a demo that I think will really help show the concrete benefits of InfoCards inside the enterprise. What can you expect? 

First, you'll see the latest version of Ping's InfoCard server, now featuring both Managed IdP as well as Service Provider capabilities. Ping's goal is to show how to seamlessly chain passive and active federation – allowing for on-the-fly privacy context switching.  They'll use real-world use-cases where passive federation gives way to active and vice-versa.

According to Andre Durand, Ping Identity's CEO:

“The Digital ID World demo will show two scenarios to depict how passive federation (via SAML 2.0 Web SSO Profiles or WS-Federation) and active federation (via CardSpace) can both play a role in enabling a seamless user experience for accessing outsourced applications. The plan is to demonstrate how passive and active federation work together to enable a myriad of different business use cases when chained together in different situations.

“Scenario 1:

“An enterprise employee leverages her internal employee portal to access applications that are hosted externally. In the first case we show how SAML 2.0 Web SSO (passive federation) is used to enable seamless access into the SF.com web site. The user accepts this as part of her employment contract – the employer has deemed that the use of SF.com is critical to their business and they want no friction for their sales force in entering information for forecasting purposes.

“In the second case we'll show how CardSpace is used to ‘optionally’ enable seamless access into the employee's Employee Benefits web site. As the Employee Benefits web site is made up of a mixture of personal and corporate information (i.e. 401k, health and payroll) the employee is given the choice of whether to enable SSO via the use of CardSpace. The Employee Benefits web site is enabled with CardSpace. After the user clicks on the ‘Benefits’ link in their corporate portal, she is prompted with different Cards (Employer and Benefits) which she can then choose between for accessing the Benefits web site. If she chooses ‘Employer’ then she will be enabled with SSO from the Corporate Portal in future interactions.”

By the way, Andre, please tell me there's some way for her to change her mind later!

“Scenario 2:

“An enterprise employee is traveling and loses her cell phone. She uses her laptop to access her corporate cell phone provider in an effort to have the phone replaced immediately. The employee would normally access this web site via SSO from her corporate portal. The cell phone provider web site is enabled with CardSpace to simplify the IdP discovery and selection process. The employee is prompted to use her Employer card to authenticate to her employer's authentication service. The cell phone provider web site leverages CardSpace to handle IdP Selection rather than having to discover this themselves. Once the user has authenticated to her employer the returned security token contains the relevant information to service the employee's request for a new cell phone.”

It all sounds very interesting – amongst the first examples of what it means to have a full palette of identity options.  Ping is emblematic of an emerging ecology – many of us, across the industry, moving us towards the Identity Big Bang.

Doc Searls will be doing the closing Keynote.  I'm really looking forward to that and to seeing you in Santa Clara.

One more Paul on the federation and user centrism demo

Incredibly, I just came across a comment by another Paul.  I guess I spoke too soon about my success communicating with Pauls, since Paul Madsen seems to be a doubting Thomas – which in this case adds some variety, so I'm pleased to see it: 

Kim Cameron has a screen cap movie of a demo created by Ping ID.

Kim asserts that the demo illustrates (paraphrasing) “user-centric technologies like Information Cards are not in any way counterposed to federation technologies”.

I completely agree with the sentiment, but question whether the scenario portrayed by the demo actually demonstrates it.

In the demo, a user authenticates to a portal using CardSpace. Once authenticated, they are presented with a list of applications available to them for which SSO is possible (this presumably dependent on which I-Card they selected). For Kim, the user-centric piece (CardSpace) somehow ends at the portal, and from then on federation (SAML etc) takes over.

So, user-centric and federated technologies are shown as working together – but not at the same time. The user-centric piece hands off to the federation piece. Federation is presented as a lower-level piece of infrastructure (which it can be) that doesn't seem to touch the user.

Hmmm.  What I'm really saying is that in the demo being shown, the user has a relationship with the portal, which offers a nice array of services.  So in terms of technology, the identity relationship is user-to-portal, not user-to-individual-service.  One could also say the “services” can be “outsourced” by the portal – and are dealing with users as proxies for the portal.  Once the user has entered the portal, there is a “magic carpet” that takes her from service to service. 

But note:  The portal could also take the user to a service with which she would have a completely independent identity relationship.  In this case, the user would again see the Cardspace interface and select her identity through it.

Paul (three) continues:

This interpretation is reinforced by Kim:

To my way of thinking, you have two more or less orthogonal technology efforts – that oriented around federation issues, and that oriented around the user’s experience.

This ignores the possibility for SAML-based technologies to provide the very same user-experience (i.e. real-time identity sharing control, IDP selection etc) that I-Cards enables. Is SAML's Enhanced Client or Proxy (ECP), as it enables similar control mechanisms, then user-centric?

Probably not, as Kim also highlights the common UI of CardSpace and its relevance:

Should my experience therefore be totally discontinuous as I move from one portal to another, being organized by the portal rather than by my own system?

Exactly.  Maybe I was more successful at communicating with Paul Madsen than I initially thought – I think he sees my point. 

The portal just cannot know all my identity relationships (unless I were to find myself in some hideous “total environment” where everyone knows everything). 

So the portal, simply by virtue of the role it plays in the system, cannot organize my perception and use of identities across the board.  This is one of the key points I'm trying to make.  It explains why user-centric technologies are needed, and why they are orthogonal to federation technologies even though in both cases you have claims being asserted and relied upon.

Finally, Paul asks:

If the phone manufacturers (or those of set top boxes) were to come together and agree on user-interface standards – would that be user-centric?

If they allow users and relying parties to represent and select between their multiple identities then yes, sure, exactly.  But it's not just a question of user interface (UI), it's a question of capabilities that are represented through UI.  I don't know why people reduce this to UI.

The fact that phones could deliver these new capabilities is why it makes perfect sense to put Information Cards on phones, music players, and other devices.  I first proposed putting them on computers because I happen to work in that industry.  But I know a lot of people who are interested in getting the same identity relationships to appear across all kinds of devices.

Dave Kearns takes on anonymity

Dave Kearns of The Virtual Quill (and many other venues) has joined the anonymity scrum (even though he was already in it):

“Anonymity as default,” which I mentioned in the previous post, is taking on a life of its own. Now Tom Maddox has posted in his Opinity weblog, commenting on Ben Laurie's commentary about Kim Cameron's mention of Eric Norlin's post concerning David Weinberger's original thought that “Anonymity should be the default.”

(I'll just sit here and whistle for a moment while you follow that set of links)

The point I wanted to mention was Maddox’ statement:

We need to begin with anonymity/pseudonymity as the default, Laurie's ‘substrate choice’. Otherwise, whatever identity system we employ, we'll always be trying to get the cat back in the bag (or the scrambled egg back in the shell).

The fallacy here is that he seems to believe that there can be an “identity system” in which anonymity is a choice! And not only a choice, but the default choice. But without a unique identifier for each object in the system, there is no identity system. And with a unique identifier there is no anonymity within the system. Rather, the default should be PRIVACY for all objects, with any dispersal or publishing of identity attributes only done with the consent of the entity if it's sentient, and the entity's controller if it isn't.

Maddox is correct that once the data is published you can't unpublish it completely. That argument shouldn't be overlooked. But it's equally as important to realize that the “anonymity bandwagon” is out of control and headed for the cliff. Privacy is the key, and privacy should be the issue.

I have trouble with Dave's use of the phrase, “within the system”.  What is “the system” in a multi-centered world with an interpenetrating mesh of domains?  Put another way, just because an object has a unique identifier, do entities dealing with the object have to know that?

Things may have unique identifiers that are known to some identity authority / domain (even infinitesimally small ones), but these authorities don't have to release them when identifying things to other parties. 

Would an example help? 

Suppose some company – let's call it Contoso.com – runs Active Directory as its local identity infrastructure.  Active Directory identifies all of the machines and people in Contoso's “domain” with a Security IDentifier (SID) – basically a unique id/domain pair.  But when I am dealing with someone from Contoso.com, I probably don't give a darn about their SID, no matter how useful it may be to their local AD system.  Dave, do you care about my SID? Knowing you and loving you, I think you've got better things to worry about!

In the world of web services, which will be a vast mesh where identity reaches beyond domain boundaries, the definition of what is “within the system” becomes very ambiguous. 

The SID makes sense “within the system” as a narrow domain manager thinks of it.  It normally doesn't make sense “within the system” thought of as a connecting mesh of entities that happen to interact with many domains. 

In this bigger world, I may be interested in the fact that someone is an employee of Contoso, but totally uninterested in anything that uniquely identifies them as an employee – even if such unique identification is necessary for some other purpose.

For example, if I call 411, I speak with a representative of the phone company.  I don't know her or his name, or number, or location, or anything else.  I just know the person I'm talking with works on behalf of Verizon – and that is all I really want to know.

Yet knowing they are an official employee is still a matter of identity! 

Is this anonymous?  I would say so.  It “has an unknown or unacknowledged name”, as my pathetic online dictionary puts it (I'm travelling).  So it is anonymous, but it is identity.

This is all part of the notion that an authority can make claims about a subject – and that this is done through a set of assertions.  Given this, we need a name for the “empty set” of assertions. 

So far, we call it anonymity.  We believe this will ring a bell in more people's heads than “empty set of assertions”.

If we now combine this thinking with the second law (minimal disclosure) – we come to the notion that if more is not needed, the identity set should be the empty set.  This is what I think people are talking about when they say the default should be anonymous.
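As an added illustration of the claims model argued above (my example, not code from this post or from any product it mentions), the following Python sketch stands up a constructed Contoso-style authority: it knows each subject by a domain-unique identifier, releases only the claims a relying party asks for, and signs that reduced set so the relying party can trust "works for Contoso" without ever seeing the identifier. The domain name, directory entries and HMAC key are all constructed for the example; an empty request yields the "empty set of assertions" the post calls anonymity.

```python
"""Minimal disclosure with an 'empty set of assertions' (added example)."""
import hashlib
import hmac
import json

# Constructed directory: domain-unique identifiers (modelled on SIDs) -> attributes.
DIRECTORY = {
    "S-1-5-21-1111-2222-3333-1001": {"name": "Alice Example", "employer": "Contoso", "dept": "Sales"},
    "S-1-5-21-1111-2222-3333-1002": {"name": "Bob Example", "employer": "Contoso", "dept": "Support"},
}

# Constructed key shared by the authority and its relying parties; an HMAC stands
# in for the authority's real signing key so the example runs offline.
AUTHORITY_KEY = b"constructed-demo-key-not-for-production"


def _sign(claims: dict) -> str:
    # Canonical JSON so the same claim set always produces the same signature.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUTHORITY_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(sid: str, requested: set) -> dict:
    """Authority side: release exactly the requested claims, never the SID.

    The authority looks the subject up by its unique identifier, but that
    identifier stays inside the domain: asking for it is refused outright.
    """
    record = DIRECTORY[sid]  # KeyError for subjects this domain does not know
    if "sid" in requested:
        raise ValueError("domain identifier is never released outside the domain")
    unknown = set(requested) - set(record)
    if unknown:
        raise ValueError(f"authority holds no such claims: {sorted(unknown)}")
    claims = {name: record[name] for name in sorted(requested)}
    return {"issuer": "contoso.example", "claims": claims, "sig": _sign(claims)}


def verify_token(token: dict) -> bool:
    """Relying-party side: confirm the claim set really came from the authority."""
    return hmac.compare_digest(token["sig"], _sign(token["claims"]))


def relying_party_view(token: dict) -> dict:
    """Everything the relying party learns about the subject: verified claims only."""
    if not verify_token(token):
        raise ValueError("signature check failed")
    return dict(token["claims"])


if __name__ == "__main__":
    alice = "S-1-5-21-1111-2222-3333-1001"
    # The 411 case: the relying party learns only whom the presenter works for.
    partner = issue_token(alice, {"employer"})
    print(relying_party_view(partner))      # {'employer': 'Contoso'}
    # Minimal disclosure taken to its limit: the authority vouches, asserts nothing.
    anonymous = issue_token(alice, set())
    print(relying_party_view(anonymous))    # {}
    # A relying party cannot quietly upgrade the claims it was given.
    forged = dict(partner, claims={"employer": "Fabrikam"})
    print(verify_token(forged))             # False
```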

Demo gets good reviews

Paul Toal over at Identity, Security and Me posted this to encourage you to check out the demo I put up recently.  (Just in case any of you are busy, it's only 3 minutes long!)

Kim Cameron has posted a really good video here explaining how user-centric identity and federation can work together. His blog and the associated demonstration show this using Microsoft CardSpace and Ping Federate from Ping Identity.

I have worked with Ping Identity for some time and was happy with the product and how it, and federation, works generally. However, like Paul Squires here, I was struggling to see how it fitted within a user-centric architecture. Whilst I saw the two as complementary, I didn’t see the link.

This video has clarified this for me and shown that there is a clear interaction between the two.

As usual Kim, thanks for a great demo! If you haven’t seen the demo yet, you HAVE to view it.

Then, following Paul Toal's link to Paul Squires at Here, Now, I came across his additional comment:

This [demo…] is well worth seeing for anyone with an interest in where digital identity is going. The demo itself shows cardspace (if there’s anyone who hasn’t seen it yet!) along with interoperability between a number of applications. The guys at Ping have done a great job with this and I’d hope this brings together these various strands of identity management (it’s certainly helped me, not least from an architectural point of view). Things are starting to look very exciting!

Update: Never one to miss out on a bit of vanity, the second open tab in the browser during the demo looks very familiar!

Gee, I'm on a roll.  Just like my horoscope said, I seem to be communicating well with people named Paul.

As for Paul two's “update”, looking closely I also can see that I had been reading one of his posts the day I captured the demo.  Just think.  Some people are worried there will be no fingerprints in the digital world.  It ain't true.

Ping's Identity Metasystem demo

Earlier this summer, just before the Burton Group Catalyst conference, Andre Durand and Ashish Jain of Ping Identity really surprised me with a lovely Identity Metasystem demo that combined use of Information Cards and federation technology.

I don't think anything I've seen demonstrates more concretely why “federation” and “user centricity” are different and yet complementary.

The demo is built around Ping Federate, which speaks four protocols for transporting SAML tokens around:  SAML 1.0, SAML 1.1, SAML 2.0, and WS-Federation.  Since it speaks all these federation dialects, it can talk to any federating system regardless of its dialect – for example WebSphere, Presentation Server, Windows 2003 and .NET, Tomcat, SAP, Web Logic, Salesforce.com, SiteMinder, CoreID, etc.

But even better, the user has a rational experience as well – just seeing this circle of trust as being accessed through an Information Card.

To play the demo:

Use Windows Media Player.  (You will need the Techsmith Screen Capture Codec (TSCC).  If your system complains it doesn't have the right codec, pick it up here.)  If you want to watch this and don't have any way to see it with Windows Media Player, let me know and I'll make a version for Quicktime.

The demo lasts 3 minutes and takes up 4 megs.  Download here.

As always I sound a little earnest as I rush you towards the finale.  But I think you'll like what these guys have done anyway.

User Centric is here to stay

I came across the following exchange on the ID Workshop discussion list.

First up was Brett McDowell of the Liberty Alliance:

I've just started looking for the follow-on thread I was expecting out of the “User Centric” session Dick led in Vancouver. I don't see it. Has that happened yet?

I was expecting an email that captured the consensus we had and a list of new “titles” for what I call “the identity management architecture formerly labeled ‘user-centric’ which is to be renamed in acknowledgement that at least two architectural models are appropriately labeled ‘user-centric'” (one model being a “user-centric deployment of Federation” and the other model being “TBD”… but it is what SXIP does).

That was our consensus view at the well-attended Vancouver session and I'm keen to participate on the naming exercise for the other architecture.

For more background read the wiki notes here. (Note I'm not sure attendees are done tweaking these notes yet so they may not yet represent a true consensus, but they are helpful now nonetheless.)

So, Dick… are you going to kick this off? (or did I just miss it?)

Brett's challenge was directed at Dick Hardt, the amiable CEO of SXIP who understands better than any of us how to explain digital identity to a broad audience. (If you don't know him or forget how powerful his message is, make sure you look at this.)

After reviewing the meeting and looking at the graphics that were drawn, I think that user-centric might be the right term. The term has a fair amount of market awareness already and is being used to convey a model that is different from Federation.

I think User-centric means that each site trusts the user, and the user is free to choose any identity agent that provides the appropriate technical functionality. Federations are where a set of sites have decided to trust each other and the user has a relationship with one of those sites, which can then be communicated to the other sites.

This does NOT mean that “federation technologies” cannot be deployed in a user-centric manner.

Hopefully being August, the signal to noise ratio on any ensuing discussion will be high, but that may be wishful thinking.

I agree with Dick on this one, and don't really understand why Brett wants to fold user-centricity and federation into a single axis.  They are orthogonal. 

Federation technologies aim at helping internet portals, their suppliers, and their enterprise customers (businesses or government) to digitally identify the subjects of their business transactions.  This might or might not involve “users” in the conventional sense.

User-centric technology aims at helping individual people organize their relationships with many different and unrelated portals and internet sites – contact relationship management for individuals, as Doc Searls once said.

So in my view we are likely to have individuals employing user-centric technology to organize their relationships with federations.  There is no contradiction here, and no need to get rid of either the notion of the user-centric or the idea of federation.

The individual needs – and has a right to – technology that represents her.  The individual hasn't really been a factor in the identity equation until recently – she has simply been whatever some domain says she is.  That's changing.  User-centric technology delivers those changes.