Internet Identity Workshop 2007: Day Two

IIW2007A Agenda Wall

The second day at IIW started in the traditional way: building the agenda. I was surprised that almost half the room stood up to propose a session. The wall is pretty full and there are lots of interesting sessions. If you click through on the thumbnail at the right (two clicks), you should be able to read the details.

One of the sessions I attended this morning was on the OpenID 2.0 spec and what's left to be done. There seems to be some feeling among potential users that there is an opportunity lost here and momentum could drop if the new spec isn't available soon. On the other hand, there are a few issues that people would like to address.

I think this is a maturity problem in the OpenID community more than anything else. Not that the people in it are immature, but the community hasn't developed the governance yet that will allow these decisions to be made systematically. My own feeling is that getting things solidified is more important than any problems that aren't regressions (i.e. worse than in OpenID 1.0) or will require significant retrenchment on the part of IdPs or RPs.

Doc Searls and Mike Jones

A couple of identity-related announcements today. First, via Mike Jones, Microsoft has completed the process of putting the Identity Selector Interoperability Profile V1.0 under the Open Specification Promise.

Similarly, Sun announced a "non-assertion covenant" for OpenID. From Gerald Beuchelt's blog:

[T]he NAC is a short (three paragraphs) legally binding document that licenses all of Sun's patents (and not only necessary claims) to anybody implementing OpenID 1.1 Auth and Simple Reg 1.0 ... in perpetuity ... royalty-free. This license will only be withdrawn, if someone decides to sue Sun over this technology. As far as I know, this is the first covenant like this around OpenID.
From Web Services Contraptions - Pre-Announcement: OpenID Non Assertion Covenant
Referenced Tue May 15 2007 13:30:52 GMT-0700 (PDT)
The Barista

Speaking of governance, over lunch we had a discussion about Identity Commons. This is the Identity Commons purpose (from the wiki):

The purpose of Identity Commons is to support, facilitate, and promote the creation of an open identity layer for the Internet, one that maximizes control, convenience, and privacy for the individual while encouraging the development of healthy, interoperable communities.

Does that speak to you? Do you feel included in that? Are those ideals your ideals? That's a critical question for Identity Commons as we try to move people's feelings about Identity Commons from "they" to "we."

Bryant Cutler and Devlin Daley, two of my students, gave a presentation on their SimplePermissions project. SimplePermissions is a delegation scheme (in the classic, not the OpenID sense) for OpenID that allows a user to authorize another user to act for them for specific activities. They gave a demo of SimplePermissions and discussed the idea. Full delegation requires no changes to OpenID, but doing permission-based delegation would require an extension. Further, relying parties would need to specify the delegatable actions on their site using that extension.

There is some controversy over whether delegation (in this sense) is a good idea or not, but the fact is that people "delegate" all the time by giving someone else their password. This idea would eliminate the need for password sharing. With OpenID, that's especially useful because an OpenID password is more valuable than a site-specific password: it can be used anywhere the OpenID is accepted.

Some use cases: delegating an eCommerce account to a subordinate. Mashups are another. You might even want to self-delegate to create one-time or short-time accounts for use in low-security environments.

The OSIS interop code session seemed to go well. I'm anxious to get a report from some of the people involved. We had a problem with the wireless (go figure) that caused some headaches at first, but we worked around that eventually.

OSIS Interop Event
More interop testing
Presenting at IIW
Chatting in the reading area

I spent some time in Doc's VRM session. I think people were finally getting to some real ideas about how vendor relationship management might work. I heard a few sentences that started with "once...then we'll..." where the assumptions that followed the "once" were not necessarily something I thought was realistic, but that's true in many sessions, not just this one.