Identity
May 06, 2006
IIW Identity Space Map
Kaliya created a wall hanging from butcher paper and lots of little colored construction paper icons to hang on it. This was hanging on the wall the entire workshop and people were free to add to it. The “map” was designed to represent the evolution of Internet or user-centric identity over the last 2 years or so and to look about a year into the future. Kaliya had already pre-populated it and I took a picture to represent the initial state.
The above picture is the final state at the end of the conference and reflects everyone’s additions. Steve Carter created this high resolution image if you’d like to read it.
12:01 PM | Comments (0)
May 05, 2006
IIW2006 Wrap
After a day of decompressing from Internet Identity Workshop, I’ve had a few random thoughts that I thought I’d record. I was very pleased with how things turned out: the participation, the venue, the food, everything. Here are some specific things:
- First, Kaliya (aka Identity Woman) did an amazing job of putting the program together. She does this professionally, so if you’re running a workshop that you’d like to do in an “unconference” format—she’s someone you have to hire to do it for you. You won’t be sorry.
- The Computer History Museum was a great venue for this sort of workshop and served our purposes perfectly. I highly recommend it.
- Steve Williams did a great job with the audio. We have some MP3s of the opening and closing sessions for day 2 and day 3. Unfortunately we weren’t set up to capture audio on the first day—my fault for not thinking about it ahead of time.
- The Hotel Avante was one of the best hotel stays I’ve had in a long time. Kudos to them. I’ll stay there again next time I’m in the area.
I put up a piece at Between the Lines on the value of the unconference format. I have to admit that when Kaliya suggested it before last October’s IIW, I was skeptical. I’ve been converted. Read the entire BTL piece for my thoughts on that.
We’re planning two more events in 2006. The first will be a half day intro to Internet identity in conjunction with Digital ID World in September. I’d like to do a parallel series of sessions, with some structured sessions for people new to the space and open format sessions for veterans who need to talk. The second will be another workshop like the one we just did. We’re toying with the idea of doing it on the East Coast in November, but nothing’s been cast in stone yet. If you have opinions, let me know.
04:42 PM | Comments (0)
IIW2006 Kudos for Unconferences
Kim Cameron has some very nice words for IIW2006 and the unconference format on his blog:
Everyone in attendance was awe-struck by the IIW 2006 that just took place in Mountain View. It was incredible.
With Doc Searls and Phil Windley navigating at the macro-level, the amazing Identity Woman Kaliya orchestrated an ”unconference” that was one of the most effective events I’ve ever attended. It’s clear that creating synergy out of chaos is an art that these three have mastered, and participants floated in and out of sessions that self-organized around an ongoing three-day hallway conversation - the hallway actually being the main conference room and event! So we got to engage in all kinds of one-on-one (and few) conversations, meet new people, work out concerns and above all work on convergence. Many people told me they felt history was being made, and I did too.
People showed amazing new demos of identity metasystem software from many different approaches and on many platforms. People, we are achieving orbit.
From Kim Cameron’s Identity Weblog
Referenced Fri May 05 2006 08:07:17 GMT-0600 (MDT)
08:07 AM | Comments (0)
May 04, 2006
Speaking at Yahoo! on Reputation
Photo: Yahoo!
I gave a presentation on identity and reputation at Yahoo! today as Chad Dickerson’s guest. The talk (slides) introduced user-centric identity and then introduced the reputation framework that my students built. I hope we’ll have releasable code and a paper available soon. I’m looking for funding to support further development of the framework. If reputation is interesting to you or your organization, contact me. I’d be happy to talk to you about what we’ve done and how you might be able to participate.
05:31 PM | Comments (0)
May 03, 2006
IIW2006: Wednesday Sessions
Photo: Randy Farmer leads the skeptic session
Kaliya started the day with a call for anyone else who wanted to create new sessions and then did a “spectrogram.” She put a long piece of tape on the floor and asked questions where people arrayed themselves along the spectrum represented by the tape. She interviewed people at spots on the tape. It’s a good way to get a feel for how the group is thinking about some things.
I did my session on reputation and showed off the reputation system we built in my 601 class last semester. It was generally well received and got good comments.
Chris Allen led a session on the notions of reputation and collective choice.
Photo: Chris Allen
In collective choice, there are three primary actions: selection, opinion, and comparison. Selection happens by voting, deliberation (Robert’s Rules), and consensus. Opinion systems mainly rely on polling. Comparison happens by ranking, rating, markets, and reputation.
Which brings us to reputation. Reputation can be used for collaborative filtering, collaborative sanctioning, and threshold maintenance. Negative reputation can be problematic. Altruistic punishment is a way of getting around that.
Reputation changes over time. Reputation accumulates. Timestamps on transactions are important. Disassociating from past choices is important. Who’s not my friend any more?
Chris has been looking at attack categories for reputation.
- Shilling attacks (using a shill) can add to a reputation with no substance, yielding high positive ratings. Called “astroturf” in some circles—fake grassroots.
- Spamming attacks can lead to excess bad results. Also called “griefing.”
- Whoring (as in “karma whoring” on Slashdot). You do things right for a time in order to build up a reputation which you exploit later. Sell a bunch of cheap books on Amazon and then use the good reputation to rip someone off on a single large transaction. A better word for this might be “Stinging.”
- Collusion (Chris called this “faking”) is people working together to build a false reputation.
- Coercion & retaliation
- ID attacks
- Flooding attacks
There’s a mailing list for people who are interested in reputation.
Photo: Drummond, Paul Trevethick, and Andy Dale discuss Higgins and XRI
There were some great sessions and the workshop seemed to have given most people some new things to talk about. We’re contemplating what to do for the next workshop in the Fall. We’ll be doing a short event just before DIDW on September 11. That will be a 6 hour event and attendees will get a break on DIDW entrance fees.
We also want to do a longer event later in the fall. We’ve contemplated doing an event on the East coast in November, but I’m inclined to stick with the West Coast because of the energy that’s being generated in the events that we’ve had so far. If you have ideas, contact me or Kaliya and let us know.
12:53 PM | Comments (0)
May 02, 2006
IIW2006: Tuesday Afternoon Sessions
Photo: Doc, Dave Winer, and Don Park
The afternoon started for me with a session that Dave Winer led on identity in OPML and RSS. There’s a need to identify owners and authors in OPML and RSS without creating email addresses that can be harvested by spammers. This is a good time to have this discussion because OPML 2.0 is being spec’d.
The <head> section in the spec includes a <ownerId> that is defined thusly:
[T]he http address of a web page that contains an HTML form that allows a human reader to communicate with the author of the document via email or other means.
Photo: The line was long
This is a “contact me” form like the ones 2idi provides for i-names and NetMesh provides for LIDs. I think Dave is anticipating some identity infrastructure that doesn’t necessarily exist in a standard way yet. Since OPML 2.0 will freeze the OPML spec, this is a good time for people in the identity space to offer some input.
So, an i-name or LID contact form fits the bill for what Dave is after. We got into an interesting discussion, however, about what’s missing in the current schemes. I used myself as an example. I use my i-name contact form in different contexts. I frequently get contacts from people who don’t give me enough context in their message, and since I don’t know in what context they clicked on the link, I have to guess.
Dave needs the <ownerId> form so that people who collaborate on OPML can be connected through a contact form in an automatic way (that is, from the information in the OPML file). The URL of the document that the contact is linking from and the title of that document (or node in OPML) would work here.
Photo: Dale Olds (Novell) works on the map
Dale Olds from Novell ran a session aimed at creating a map of the open source identity space. There are notes from the session on the wiki.
This turned out to be a useful exercise in gathering information and it generated a lot of discussion. Here’s a hi-res version of the whiteboard at the end of the discussion. It’s interesting to me how talks like this one educate people in ways that are far removed from the stated goal of the discussion.
We convened another discussion of Identity Rights Agreements. Drummond led and the interaction turned to the most concrete discussion of terms and ideas we’ve had yet. We mostly determined that there were two concepts, duration and party (or maybe purpose), that break out like this:
| Duration | Party |
|---|---|
| use once | yourself/stated purpose |
| relationship | yourself/related purposes |
| forever | affiliates |
| | others so bound |
| | anyone |
The key thing is to be simple and have the right defaults. We need to get a strawman proposal on the wiki and start hacking it out.
The closing circle (another open space thing) let people summarize the day and say things to the entire group that they might not have wanted or been able to say in the smaller gatherings. Some were encouragement, others were more like announcements.
03:36 PM | Comments (0)
IIW2006: Tuesday Morning Sessions
Photo: Monday dinner
Last night’s conference dinner was very well attended and very good.
We started the morning in true unconference fashion by putting together the agenda. This happens by having anyone who wants to lead a session write it down on an 8.5x11 inch piece of paper and post it on a time grid on the wall. Everyone who posts something gets an opportunity to say something about their session. The agenda is fairly full and there are some good topics.
Photo: Putting together the agenda
Kaliya said that the guy who invented open space spent a year planning a conference and then had someone tell him that the breaks were the best part of the conference. So, he decided to create a conference that was less structured. You might say that the theme of open space is “all breaks, all the time.” After everyone had introduced and posted their session, there was 30 minutes or so before they were set to begin. There was some jockeying to get things in the right place and not opposite potentially conflicting topics. All in all, pretty good.
The first session I went to was Gail-Joon Ahn from Univ. of North Carolina. Gail-Joon and his students built an open source implementation of InfoCards. They’re interested in creating portable, interoperable, and multi-modal identity card selectors (part of InfoCard).
Photo: Gail-Joon Ahn and students
Gail-Joon’s students demo’d a Java version of the InfoCard selector. The demo included logging into a site using a selected InfoCard, creating cards, and interacting with identity providers and relying parties in a couple of scenarios. All of the code is in Java. This is an impressive effort, but also illustrative of the fact that InfoCard
- doesn’t have to be just a .Net/Microsoft thing and
- is simple enough to allow multiple implementations.
Part of their work involves moving InfoCard beyond the desktop and to mobile devices. They demo’d what’s called an “i-button” that contains a secure token. The i-button could be on a ring or key fob. There was also a demo showing an InfoCard selector on a mobile phone.
Chuck Mortimore did a 5-minute demo of a Firefox plugin he’s done for InfoCards. He created a card and then logged into Kim Cameron’s blog using the card. Pretty cool.
Kim Cameron took over to show the code that Chuck was hitting on his blog. The relying party stuff he’s using is all written in PHP. Kim showed various debugging tools for seeing what’s going back and forth and demo’d the use of various InfoCard pieces from various players together.
In the second session of the morning, I dropped into a discussion led by Yan Cheng (AOL) on making identity systems work together. He came up with a three-axis diagram that he used to classify identity systems. Each axis represented a context that the identity system supported. One axis was “business,” another was “private,” and the third was “public.”
To give some examples, Yan saw things like InfoCard, AOL, and other similar systems as more in the private context. LID, OpenID, and SXIP were along the public axis. Liberty was associated with the business axis. As you can imagine, this engendered considerable discussion—that’s good.
11:31 AM | Comments (0)
May 01, 2006
IIW2006: SXIP, InfoCard, XRI, and Doc
Photo: The new “just right” room
We moved upstairs to accommodate the crowd and ended up with a lot more elbow room. Dick Hardt was the first speaker after the break. He gave a new version of his famous Identity 2.0 talk.
Dick mentions BCeID, a government identity service that forms a basis for digital identity in BC. I’ve long argued that governments have abdicated the responsibility to provide commerce-supporting infrastructure online. (By “infrastructure” I mean legal frameworks more than hardware and software.) BCeID looks to be mostly about government online services, but Dick points out that he’s interested in seeing how it can be used by other places, like BC Hydro (power company).
Dick quotes Larry Wall’s dictum about Perl, “Easy things are easy and hard things are possible,” as a good basis for evaluating identity schemes. He lists a number of ideas that fall into the “hard things” category: agency, compartmentalization, notification, and granularity.
Photo: Mike Jones and the demo
Mike Jones from Microsoft was given the task of introducing the Laws of Identity and InfoCard. As a way of introducing InfoCard, Mike talks about claims and credentials in the physical world and how we use them. Mike spent a good deal of time talking about the laws. I think that was time well spent—they form a good basis for many of the conversations we want to have at IIW.
The identity metasystem concept is aimed at not inventing a new identity system, but inventing a system that can unify different identity systems. InfoCard confuses people because it seems like an identity system and has to be, in some sense, but it’s open because of the standards involved, so other identity systems can be adapted to work with it. The fact that there will be at least one open source and one commercial InfoCard system up before Microsoft releases it is testament to this.
InfoCard is an attempt to provide a simple user abstraction for digital identities that’s grounded in a physical world metaphor of credentials. The success of InfoCard is dependent on others implementing InfoCard.
Eve Maler from Sun was charged with discussing the Liberty Alliance Project. She quotes H. H. Munro, “a little inaccuracy sometimes saves lots of explanation,” by way of saying that in 20 minutes she’s going to have to wave her hands a bit to get it all in.
About half the audience was familiar with SAML. Eve went through some high-level use cases as a way of introducing concepts and then moved into SAML and Liberty specific use cases.
Drummond Reed spoke about XRIs. XRIs are a way of using a URL-like syntax, one that is backwards compatible with the Web, to represent identifier authorities. On the IRC backchannel (#identity on freenode.net), someone asked “isn’t an email address a URI?” when Johannes was talking about URL-based identity. XRI, as a Yadis compatible identity syntax, makes it clear that email addresses are part of URI-based identity.
So why a new addressing scheme? There are many different devices and different addressing schemes for each one. Even though each (like phone numbers and email) is controlled by a single entity, they each have a different syntax and controlling authority. A unified identifier can make managing these various addresses more convenient and add new services.
Drummond yielded some of his time to Andy Dale to speak a little about XDI. I wrote extensively about this last December when I was at the XDI workshop that Andy put on.
Doc Searls got here right before the break and I asked him to redo his talk to set some things up for tomorrow. Doc brings up the Cluetrain Manifesto and how he realized over time that identity was critical to that vision. He recounts the history of “how we got here” (see Kaliya’s Map).
Moving from history, Doc starts talking about attention, intention, and marketplaces. These all get down to relationships. Doc has blogged about this at the IT Garage under the banner Starring in Your Own Constellation: Independent Identity in Networked Markets.
05:54 PM | Comments (1)
IIW2006: Identity, Lexicon, and URLs
Photo: The identity map
One of the nice things about an informal workshop is the freedom to rearrange things as necessary. Doc, who was opening, was running a little late, so we re-did some of the schedule.
Eugene Kim was first up at IIW. Eugene’s job was to introduce the ideas behind user-centric identity. He introduces the concepts of identity by introducing himself. User centric identity is about users controlling their own identity. Where does that lead us?
Photo: Eugene Kim
Eugene contrasts the idea of single sign on with portable identity. While many people use a single ID and password for most Internet sites, that’s not really the point. Most identities on the ‘Net aren’t portable. Users would get choice; businesses would get more accurate information (how many people lie on registration forms to avoid this very problem?).
Eugene brings up the Yahoo/Flickr story as an example of how attached people get to user names. When people thought they were losing their Flickr user names, they got angry.
Paul Trevithick was next, speaking about the community around user-centric identity and the lexicon that’s being developed.
The lexicon project is aimed at coming up with common definitions for identity related terms. He went through a number of these. I won’t record them here, but recommend you go over to the lexicon and look through them.
He works through the concepts of “entities,” “subjects,” and finally to “digital identity.” Paul distinguishes subjects as things that have attributes and identities as sets of claims. The claims are about attributes and may or may not be true. A question raises the point that claims are not first class—you can’t make a claim about a claim—at least not in the definition that exists now.
Johannes Ernst was the next speaker. The topic was URL-based identities. URLs are empowering because they can be bookmarked, tagged, linked to, subscribed to, explored, and customized. We already do these activities for lots of things. URL-based identities allow us to do them for people. Simplicity is an important attribute of URL-based identity. “Light-weight” identity is an architectural statement.
Photo: The original “too small” room
URL-based identities are engendering innovation in the identity space. He points to Yadis, a protocol for discovering the capabilities of an identity URL. Based on that foundation, you can build authentication in various forms, profile queries, registration, messaging, and so on. This is what we’ve done with the reputation framework that my lab is building: we’re building functionality on top of URL-based identities.
We’ve got a lot more people here than we planned, so we’re going to break early and move to a bigger room upstairs. That’s good news. There are probably 25 more people here today than we’d planned on.
03:03 PM | Comments (0)
IIW2006: Getting Started
The Internet Identity Workshop starts today. I’m actually sitting in the Computer History Museum right now, getting things set up. It’s not too late to come, if you’re interested. I’ve added a one day option to the registration page. That includes snacks, lunch, and dinner (on Tuesday).
I’ll be live blogging, as will others. Instead of doing some kind of Planet aggregator like I did last time, I figured we could just advertise that we were using iiw2006 as the tag and then count on others, like Technorati to pull them all together.
12:20 PM | Comments (1)
April 28, 2006
IIW2006: Monday Activities
It would be helpful for us to get a count of people who are planning on attending Monday’s afternoon session, the dinner that evening, or both. If you’re planning on being at either of those activities, please visit this page on the wiki and add your name to the appropriate list.
12:56 AM | Comments (0)
Story of Digital Identity
Kaliya was on Aldo Castaneda’s Story of Digital Identity podcast this week talking about the Internet Identity Workshop. We’re expecting a good crowd.
12:37 AM | Comments (0)
April 25, 2006
How Does OpenID Work?
I’ve been trying to dissect OpenID and make sure I really understand what’s happening. The spec is the ultimate source, but obviously covers all the bases. What I wanted was a picture, but I couldn’t find one. So, I made one.
Part of the problem with understanding the spec is that the text tells what has to happen, but there are some implementation details which, while variable, are still helpful for decoding the ins and outs of the most common scenarios. For implementation details, I turned to a Web proxy to help capture the HTTP request/response pairs. The one I used was called Charles Web Debugging Proxy. It’s quite good and runs on all the major platforms. As shareware goes, it’s a little steep for what it does: $50. Half that would be more like it. Still, it did the job admirably.
So, from the spec and my poking around, I came up with the following scenario for what I deem to be the most common use case. Note that in OpenID parlance, the relying party is called the “consumer” and the identity provider is called the “OpenID server.” I’ve tried to stick to the OpenID terminology where I can.
1. The User is presented with an OpenID login form by the Consumer.
2. The User responds with the URL that represents their OpenID.
3. The Consumer canonicalizes the OpenID URL and uses the canonical version to request (GET) a document from the Identity Server.
4. The Identity Server returns the HTML document named by the OpenID URL.
5. The Consumer inspects the HTML document header for <link/> tags with the attribute rel set to openid.server and, optionally, openid.delegate. The Consumer uses the values in these tags to construct a URL with mode checkid_setup for the Identity Server and redirects the User Agent. This checkid_setup URL encodes, among other things, a URL to return to in case of success and one to return to in the case of failure or cancellation of the request.
6. The OpenID Server returns a login screen.
7. The User sends (POST) a login ID and password to the OpenID Server.
8. The OpenID Server returns a trust form asking the User if they want to trust the Consumer (identified by URL) with their Identity.
9. The User POSTs the response to the OpenID Server.
10. The User is redirected to either the success URL or the failure URL from (5), depending on the User’s response.
11. The Consumer returns the appropriate page to the User, depending on the action encoded in the URL in (10).
This scenario assumes that you are not already logged into the OpenID server. Normally, you’d stay logged in there and so steps (6) and (7) would be unnecessary.
While this looks like a lot of back and forth, assuming you’re already logged in, the user actually only sees one page in addition to the original login page. This page, which I call the trust form (I’m not sure it has an official name) asks the User if they want to trust the Consumer site (identifying it by URL).
This scenario also does nothing to address security in OpenID. For that, you’d better read the spec. There are some nuances to be understood.
If you’re familiar with OpenID, I’d appreciate any feedback on the picture and scenario. I’d like to make it as correct and understandable as possible.
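To make steps 3, 5, 10 and 11 of the scenario concrete, here is an added illustration of the Consumer’s side, written for this post and not taken from the OpenID spec, the Charles proxy, or any OpenID library. It uses the OpenID 1.x parameter names (openid.mode, openid.identity, openid.return_to, openid.trust_root); the HTML document, host names and return URL are constructed sample values, and a cancel is assumed to arrive at the return_to URL as openid.mode=cancel.

```python
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample of the document a Consumer fetches in step 4.
# The <link> in the body is there to show that only <head> links count.
SAMPLE_HTML = """<html><head><title>Alice</title>
<link rel="openid.server" href="https://idp.example/openid/server">
<link rel="openid.delegate" href="https://idp.example/users/alice">
</head><body><link rel="openid.server" href="https://ignored.example/">
</body></html>"""


def canonicalize(user_input: str) -> str:
    """Step 3: turn whatever the user typed into a canonical http(s) URL.
    Adds a missing scheme, lower-cases scheme and host, gives a bare host
    a trailing slash and drops any fragment."""
    s = user_input.strip()
    if not re.match(r"^https?://", s, re.IGNORECASE):
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class _HeadLinks(HTMLParser):
    """Collects rel -> href for <link> tags, but only inside <head>.
    A <link> in the body (user-editable content on many sites) must not
    be allowed to redirect the login to a different server."""

    def __init__(self) -> None:
        super().__init__()
        self.links: dict = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            if a.get("href"):
                for rel in (a.get("rel") or "").lower().split():
                    self.links.setdefault(rel, a["href"])  # first one wins

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(html: str) -> dict:
    """Step 5, first half: find openid.server and the optional openid.delegate."""
    parser = _HeadLinks()
    parser.feed(html)
    if "openid.server" not in parser.links:
        raise ValueError("no openid.server <link> in the document head")
    return {"server": parser.links["openid.server"],
            "delegate": parser.links.get("openid.delegate")}


def build_checkid_setup(server: str, claimed_id: str, delegate: Optional[str],
                        return_to: str, trust_root: str) -> str:
    """Step 5, second half: the redirect URL for the User Agent. When the
    page delegates, openid.identity carries the delegate URL, not the URL
    the user typed; the Consumer must remember that mapping itself."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": delegate or claimed_id,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    return server + ("&" if "?" in server else "?") + urlencode(params)


def classify_return(query: str, expected_identity: str, expected_return_to: str) -> str:
    """Steps 10 and 11: decide what the redirect back to return_to means.
    The asserted identity and return_to are compared with what was sent in
    step 5, so the server cannot log the user in as someone else; checking
    openid.sig (directly or via check_authentication) is the step after this."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    mode = q.get("openid.mode")
    if mode == "cancel":
        return "cancelled"
    if mode != "id_res":
        return "error"
    if q.get("openid.identity") != expected_identity:
        return "identity mismatch"
    if q.get("openid.return_to") != expected_return_to:
        return "return_to mismatch"
    return "asserted; verify signature"


if __name__ == "__main__":
    claimed = canonicalize("Windley.com")
    found = discover(SAMPLE_HTML)
    print(build_checkid_setup(found["server"], claimed, found["delegate"],
                              "https://wiki.example/return", "https://wiki.example/"))
```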
02:57 PM | Comments (3)
April 21, 2006
IRAs Reduce Risk
I was speaking with Aldo Castaneda this morning about Identity Rights Agreements. Aldo was one of the co-authors, along with Kaliya Hamlin and myself of a position paper on IRAs.
We had a good time talking and there were some good thoughts, but one in particular that I wanted to record dealt with getting business to accept IRAs. The problem, of course, is that if IRAs are seen to come from “privacy nuts” then business will perceive a lot of risk for not much reward. IRAs will be seen as creating a liability where none existed before.
There’s an alternate view of IRAs as a technology that reduces risk. If IRAs are seen as a codification of a site’s privacy policy, and tools exist to use IRAs to allow a business to automatically assess and monitor its own site’s compliance with its IRAs, then this reduces risk. Privacy compliance now becomes an operational issue that can be monitored.
Of course, such tools would have to be built, but the precursor to building tools is developing the standard, and that’s what IRAs are. I think Identity Commons, if it wants to champion IRAs, ought to consider putting together an industry advisory board for them and getting industry players to see IRAs as a way to help them manage what is now unmanageable.
04:00 PM | Comments (2)
DIM Workshop 2006
I’ve been asked to be on the program committee for the ACM CCS2006 Workshop on Digital Identity Management, which will be held November 3, 2006 at George Mason University in Fairfax, VA. The tagline for the workshop is “Exploring User-Centric Identity Management.” Papers are being solicited on the following topics:
- Basic principles — what makes an identity system user-centric?
- Client-hosted identity
- Consistent UI for identity transactions
- Identity lifecycle management
- Identity Metasystem
- Identity theft prevention
- Privacy-enhancing identity management
- Private Credentials
- Social networks
- Strong authentication
- Unlinkability of Transactions
- URI-based identity systems
Papers are due on July 7, 2006. This should be fun.
03:24 PM
April 18, 2006
IIW Gear Available at CafePress
Shirts and other stuff with the cool Internet Identity Workshop logo are available now at CafePress. All this is at cost—there’s no markup.
If you’re planning on coming to IIW May 1-3, I’d really appreciate you registering as soon as possible so that we can use reasonably good numbers for planning food for breaks, etc.
04:08 PM | Comments (1)
April 14, 2006
Navigating User Centric ID Systems
If you’ve been following along, you’ll remember that I set up an OpenID enabled MediaWiki for the Internet Identity Workshop. Yesterday, Johannes Ernst told me that you can use MyLID to sign in as well. Cool.
This works because MyLID not only understands LID, but OpenID as well. I’ve been wondering how to make the wiki accessible to LID, OpenID, i-names, InfoCard and others, but may have had it backwards. Because MyLID (the identity provider) is multiprotocol, the IIW wiki (the relying party) doesn’t have to be. That is, if MyLID, MyOpenID, 2idi (an i-name broker), and other identity providers spoke not only the Yadis protocols, but also understood SXIP, InfoCard, and what have you, I’d be set. As a relying party, I can pick my protocol and expect your identity provider to understand.
I asked Johannes in an email if this is how he thought it ought to work. He thinks it’s still such a new concept that not many people have given it much thought. I don’t have many conclusions myself, but I’ve got a few random thoughts:
- There will be hundreds of identity providers and I’ll have accounts at dozens of them. Still, I don’t want to pick which identity provider I choose to use for a particular task according to what protocol they speak (that should be below the radar) but rather according to other “business” criteria. I may choose to use my Amazon account sometimes and my BYU account other times.
- As a relying party, I don’t want to have to worry about which scheme to use. In fact, I care more about what conclusions I can draw from the authentication protocol used and the data it provides than I care about the specific protocol. OpenID is great for wikis and blog comments, but maybe not for logging into my online banking.
- The distinction between what the user cares about and what the relying party cares about is what Phil Becker was talking about in the piece he did on Higgins. InfoCard is all about the user’s view whereas Higgins is all about the developer. Very different audiences.
- Relying parties will want to support multiple authentication schemes and need software and systems to do it.
- Identity providers will compete to support as many as possible in order to be as “full service” as possible.
I’d love to see some discussion around these issues at IIW.
04:43 PM | Comments (2)
April 12, 2006
InfoCard and MediaWiki
A few days ago, I mentioned that we’d put up a version of MediaWiki that supports OpenID for the Internet Identity Workshop. I know that Johannes Ernst and others are trying to get it all working with Yadis generally. A month or so ago, Kim Cameron InfoCard-enabled his Wordpress blog. I’d love to see this all working together. Is there any MediaWiki code that does InfoCard yet? If so, can these things co-exist?
02:59 PM
April 11, 2006
Identity Privacy Contracts
I had a nice chat with Jeremie Miller this morning and he pointed me at a post I’d missed from Peter St. Andre on what he calls Identity Privacy Contracts. This is a well thought out discussion on the levels of protection one would want in identity rights agreements. I think there will be a lot of discussion on this at IIW in May. Identity Commons is being reborn and hopefully this can be a mainstay in its mission. To work, IRAs or IDPCs need organizational muscle, legal work, etc. Identity Commons, reconstituted, is probably the right place to do that.
09:30 AM | Comments (1)
April 07, 2006
Separating Authentication and Authorization
Yesterday I was talking to Kelly Flanagan, BYU’s CIO, about the OpenID enabled wiki we have for the Internet Identity Workshop. I’d love to see BYU put an OpenID server on top of their directory. That way I could easily have my students authenticating on my wikis and blogs. Of course, BYU has all kinds of APIs for doing this, but I have to use certain development environments, have permission, etc. Solutions like OpenID are much more loosely coupled.
Our discussion ultimately got down to the distinction between authentication and authorization. OpenID is a pure authentication system. It doesn’t even support attributes in the spec (although they could be contained at the OpenID URL). The problem is that most enterprise systems conflate authentication and authorization—probably because authorization is what most people are ultimately after. As a result, most commercial access management systems are mostly about authorization and do authentication as an afterthought.
This morning I was talking to Andre Durrand, CEO of Ping Identity (disclaimer, I’m on their advisory board). We got into the same discussion. Authentication is underrated. What’s more, you get some great benefits from the separation. One of the most important is being able to control access based on the type of authentication used. If you’re integrating authentication and authorization, you can’t easily offer simple services to folks who authenticated with OpenID or LID and higher risk services to folks who authenticate with a multi-factor authentication—unless the integrated system supports all of these.
The reality is that most people use access management systems like SiteMinder as authentication systems since many applications have authorization built-in. So, ironically, while access management systems focus 80% of their functionality on authorization, most of their uses are ignoring it. By disintegrating authentication from authorization functions, you can buy the right amount of what you need and even swap them out independently of each other as your needs change.