The Virtual Quill

This blog has moved

2010-04-27T22:34:00.001-07:00

This blog is now located at http://newvquill.blogspot.com/.
You will be automatically redirected in 30 seconds, or you may click here.

For feed subscribers, please update your feed subscriptions to
http://newvquill.blogspot.com/feeds/posts/default.

European Identity Conference 2010

2010-03-08T10:58:00.000-08:00

Less than two months to go until the 4th annual European Identity Conference, and registration is now open! Once again, as last year, I'll be delivering an opening keynote as well as hosting two session tracks.

On Tuesday (5/4/10), I'll keynote on "Convergence: Better Control, Lower Cost". Since it's the keynote between a break and Kim Cameron, I should at least get those who want to come early to get a good seat for Kim!

On Wednesday (5/5/10), I'll continue the "convergence" theme with a track called "Value Through Convergence - Consolidate for Better Value, Efficiency and Security".This will feature a conversation with Martin Kuppinger ("5 Quick-Wins to Leverage your Existing Identity Infrastructure through Convergence"), a conversation with Kim Cameron ("Converging User-centric & Enterprise-centric IDs") and two panel discussions: "Converging Data Governance and Access Governance," and "Establishing an Advanced Level of Enterprise Identity Maturity."

Then, on Thursday (5/6/10) I'll tackle "Cloud Platforms & Data Portability". This track will feature an intro talk ("Data Statelessness and the Continuum of Individuals' Data Portability on the Web") by XMLgrrl herself, Eve Maler. We'll follow this up with two great panels: "Social Data Portability," and "Business/Cloud portability."

There'll be other great sessions, also - there always are. Plus, the Deutsches Museum in Munich is a fabulous venue. I hope to see you there.

IIW spring 2010

2010-01-28T23:02:00.001-08:00

Time to register for the spring Internet Identity Workshop. Do it now.

Which ox are you goring?

2010-01-22T09:27:00.000-08:00

ProjectVRM's Joe Andrieu has a long, but not necessarily rambling, post today buttressing his (and the project's) stand on data sharing.

He makes some great points, such as that many people confuse privacy with secrecy. And that transactional data is owned by all parties to the transaction separately and mutually. He totally misses some points, such as confounding Digital Rights Management with meat space copyrights.

But where he really got me was right near the very end of his screed where he says:

"Because the fact is, we want to share information. We want Google to know what we are searching for. We want Orbitz to know where we want to fly. We want Cars.com to know the kind of car we are looking for.
We just don�t want that information to be abused. We don�t want to be spammed, telemarketed, and adverblasted to death."

But the reality is that we will be "spammed," telemarketed and adverblasted whether or not the party doing the marketing knows what we want or not. Advertising should be about letting me know the possibilities that might interest me. And the only way that can happen is if the advertiser knows my likes and dislikes, wants and needs. Isn't that the premise of VRM, that we (the users) tell the vendors what we want and they then compete to fill our need? How can they do that without telling us of their offers, and isn't that advertising? Targeted advertising, targeted directly at the person(s) who are looking to buy.

Rework the post, Joe. There are too many good points to be spoiled by such a bad ending.

Google, OpenID and Chris Messina

2010-01-07T12:37:00.001-08:00

Today's announcement that Chris Messina is joining Google is certainly good for Chris, probably good for Google - but what about the openID Foundation?

As of today, Google has 3 members of the Board of Directors, their corporate rep (Eric Sachs), and "community" reps Messina and Joseph Smarr. That's 3 out of the 19 board members.

I should note that Yahoo has two members, a corporate one (Raj Mata) and a community one (Allen Tom), as does Microsoft (Mike Jones and Dick Hardt).

I do think that any corporate member should be prohibited from also having employees hold community seats. Not that I have any indications that messrs. Messina, Smarr, Hardt or Tom would vote against their own principles, but people's principles are influenced by those of the culture in which the perform their daily employment tasks.

Over and above that consideration, though, should be the desire to avoid even the appearance of a conflict of interest.

Maybe it's time the Foundation adopted a rule prohibiting such perceived conflict.

Burtner or Garton?

2010-01-05T09:05:00.000-08:00

Huge news this morning as it was announced that Gartner had purchased the Burton Group in a straight cash transaction (reportedly $56 million). WTF?

These are groups addressing two different constituencies. As the Wall Street Journal reported: "Gartner has typically focused on advising companies' chief information officers and senior IT executives, while Burton has built its business by advising 'front-line IT professionals,' said Gartner Chief Executive Gene Hall."

Even though I don't always see eye-to-eye with the Burton Analysts, I consideer them to be the finest group of minds available on IdM questions. Bob Blakley, Gerry Gebel, Ian Glazer, Kevin Kampman, Lori Rowland, and Mark Diodati are an Identity brain trust , almost a national treasure. Add in the brilliant minds of Phil Shacter, Dan Blum and - of course - Jamie Lewis and you have an irreplaceable resource.

Gartner also has some good minds in IdM, just not as many. I could easily sit and chat with Earl Perkins all day, for example. But Gartner's IdM practice isn't something I want to listen to. As I said last year, about Gartner's IdM Summit: "It isn�t a conference that you, the identity management expert, should go to � at least not alone. This is really geared more to the line-of-business (LOB) manager who needs to get a handle on this 'identity stuff'.� And Perkins agreed with me.

This acquisition could put Gartner in the forefront of IdM thinking, or end up with all of Burton's heavy hitters on the back burner. Time will tell.

God's personas

2009-12-21T11:36:00.000-08:00

I was contemplating the Christmas season and what it means to those of a religious bent when it occurred to me that the idea of �persona� � different facets of a single identity � is thousands of years older than our digital world.

A few years ago I defined persona as �an aspect of identity in a specific situation: office persona, parenting persona and so on. � Since then, I�ve refined it to be a collection of related attribute-value pairs, a subset of all of the attributes that make up an entity�s identity.

Over 1500 years ago, Roman Catholicism�s St. Patrick was attempting to convert Ireland�s Druids to Roman Catholicism. One tool he used was the shamrock, a sacred plant to the Druids. Patrick illustrated the doctrine of the Holy Trinity (one God, three aspects: the father, the son and the holy spirit) by noting that the plant has three leaves but only one stem. Today we could say that the entity, God, has three personae: the Father, the Son and the Holy Spirit. Each persona emphasizes a particular set of God�s attributes yet each persona is still the entity, God.

That led me to take another look at the God of the Old Testament � God the Father in the Christian tradition. But also Yahweh to the Jews and Allah to the Muslims. Each of these is merely a persona of the entity God with a mildly differing set of attributes interpreted by those humans known, collectively, as prophets. One God, multiple personae.

But, in looking farther afield, we find it isn�t only the near-Eastern monotheistic religions which offer us a God-entity with multiple personae. Hinduism is also based on this concept. As Hindu Wisdom (http://www.hinduwisdom.info/Symbolism_in_Hinduism.htm) puts it:

�Hinduism is often labeled as a religion of 330 million gods. This misunderstanding arises when people fail to grasp the symbolism of the Hindu pantheon. Hindus worship the nameless and formless Supreme Reality (Bramh) by various names and forms. These different aspects of one reality are symbolized by the many gods and goddesses of Hinduism. For example, Brahma (not to be confused with the over-arching Bramh) is that reality in its role as creator of the universe; in Vishnu it is seen as the preserver and the upholder of the universe; and Shiva is that same reality viewed as the principle of transcendence which will one day 'destroy' the universe. These are the Trimurti, the ' three forms,' and they are not so much different gods as different ways of looking at the same God. Each emphasizes a particular aspect or function of the one reality. The forms are many, the reality is one. It is the same with all the gods and goddesses: they are not rivals but aspects of a single principle. Hindus have represented God in innumerable forms. Each is but a symbol that points to something beyond; and as none exhausts God's actual nature, the entire array is needed to complete the picture of God's aspects and manifestations. It has been said that images are to the Hindu worshipper what diagrams are to the geometrician.�

Explaining the concept of persona is never easy, but at least this might give you an edge with the practicing religious folks in your organization.

[reprinted from Network World]

Microsoft strengthens Healthcare IdM Portfolio

2009-12-10T09:35:00.000-08:00

Microsoft announced today the acquisition of Sentillion, Inc., an acknowledged leader in IdM for the Healthcare industry.

Earlier this year, the Gartner Group placed Sentillion in the "Visionaries" quadrant of their Magic Quandrant for User Provisioning, saying:

"Sentillion's singular focus is on meeting the identity management needs of healthcare entities. It remains in the Visionaries quadrant due to its continuing innovation in healthcare provisioning needs, continued customer growth, its increasing name recognition within healthcare, and its expanding partner network for resale and system integration."

So why did Microsoft pick this particular company? Let's go back a couple of years to an interview I did with Sentillion CEO Rob Seliger. I tried to get him to admit an interest in branching out beyond healthcare. Nothing too exotic; perhaps an allied market like pharmaceuticals? But he wouldn�t be baited. He claimed Sentillion knows the market well � the company was spun-off from HP�s Medical Products Group nine years ago - and wants to leverage its expertise to do healthcare identity better than anyone else.

Some say they were doing just that. And now they have Redmond's deep pockets behind them - the sky's the limit. At a time when the US is about to undergo a healthcare revolution, Microsoft shows remarkably agility in getting out in front.

Does anyone understand privacy?

2009-10-29T14:05:00.000-07:00

Good post today from Sun's Michelle Dennedy on the whole privacy issue. She's commenting on a Gov't security official's quote: "We have a saying in this business: 'Privacy and security are a zero-sum game.'" and responds:

"I'm sure they have that saying in their business. And it's precisely why, when people in their business are in charge of government, it becomes a police state. If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and
modern-day China. While it's true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure."

It simply amazes me how many different ways people can misunderstand privacy!

He who steals my identity steals - not very much?

2009-10-13T12:46:00.000-07:00

Good article in the Wall Street Journal today ("The Fallacy of Identity Theft") by Julia Angwin. She starts off:

"As far as I know, no one can steal my identity. Even if my bank account number, my credit card number and all my passwords are stolen, I am fairly confident that I will still be me and the thief will be a different person.

Yes, the criminal will be masquerading as me. But anyone who knows me � my husband, my children, my colleagues, my doorman, my employer � will not be fooled. If 'I' was actually stolen, I believe that would be called a kidnapping."

She goes on to show that the problem is really fraud, the people who have their identity "stolen" don't lose much and, in truth, the amount of fraud is dropping. Her conclusion?

"It turns out that 'identity theft' is one of the most brilliant linguistic constructs ever, with its terrifying specter of losing not just your money � but your soul. Maybe it's time that we renamed it what it is: a fear campaign designed to get us to buy expensive services that we don't need."

Excellent!

Is there a future for OpenID?

2009-10-06T10:51:00.000-07:00

Johannes Ernst, one of the founders of OpenID (and the OpenID Foundation) has just posted a thought provoking piece about the present state - and the future - of that protocol ("Is OpenID Still User-Centric?")

I've pointed out before the problems between the OpenID evangelists (typically folks who do their own implementations, support open source projects and bemoan corporate or commercial involvement) and the major web organizations (Google, Yahoo!, Microsoft, Facebook, et al) who have adapted OpenID to their own purposes.

This is the often unspoken but nevertheless almost inevitable path that any successful open source project follows.

Perhaps it's time to truly fork the project. Let the "big boys" continue on with their "NASCAR billboards", PKI and whatever other baggage they want to heap on top of the simple protocol. Let the open source evangelists take the simplicity that was OpenID 1.1 and re-style it to it's original purpose - locking in the development stream so that the aggrandizement can't happen again. It's not too late, and the upcoming IIW would be a good place to talk about it.

Getting Privacy Right

2009-10-05T12:33:00.000-07:00

The Burton Group's Bob Blakley writes ("Gartner Gets Privacy Dead Wrong") a seminal piece on privacy - what it is, what it isn't and how to protect it. In the course of his blog entry he manages to pretty much dismiss most of the work that's been done under the rubric of "privacy" (which, as he notes, is really about secrecy) over the past dozen years.

As he writes: "That's how privacy works; it's not about secrecy, and it's not about control: it's about sociability. Privacy is a social good which we give to one another, not a social order in which we control one another."

It's an issue I've brought up a number of times in the past. Last year, for example, I discussed where many "...have gone wrong is to equate privacy with anonymity. You don�t have to be anonymous to maintain the privacy of your data. Again going back 100 years when you went into the bar and everybody knew your name there was also much about you that wasn�t known. Most things about you, in fact, weren�t known. Those things we want to keep private - our medical data, financial data, legal situation, etc. - were kept private. But people did know who you were, and perhaps where you lived, or worked, who your family was - and no one thought that was strange."

Secrecy and anonymity are not privacy, and the quicker we all understand that the quicker we can move to protect privacy.

Tell us what you really feel...

2009-10-01T09:43:00.000-07:00

In an Open Letter to Steve Ballmer, Craig Burton rants about the ridiculous policy Microsoft has for controlling updates and enhancements:

As we drove further down to path to understand why, we were told the following unbelievable conversation. (The following is not an exact quote, but close.)

Changes like you are requesting can only happen in an �in-band� release of Windows. These sort of changes are prohibited from going out in the Tuesday updates. What goes out with in-band releases the Tuesday updates is controlled by�Steve Ballmer.

Well F*&% me. Dude, after all of these years, you are still micro managing the Windows release! Now I know why Microsoft is now been relegated to insignificance in the identity market. The reason is simple. Internal policy, managed by you, prohibits product mangers from keeping up with trends and innovation.

And what was the momentous change Burton was asking about?

In our meeting, we discussed how many man hours it would take to modify CardSpace to support context-automation. The answer is a few days of work at the most. When asked how long before such a simple change would find its way into CardSpace, the answer came back as two years at best, maybe.

Unfortunately, Ballmer has never understood the importance of identity to the fabric of computing, so he's never going to permit what he would perceive as "feature creep" in the regular monthly updates. That's good news for Microsoft's competitors, and bad news for it's customers.

Novell Support goes off the deep end.

2009-09-23T08:44:00.000-07:00

Novell Sr. VP Colleen O'Keefe justifies their current support money grab with claim that "We absolutely believe there is tremendous value in Novell's patches, service packs and other intellectual property and that the cost of providing these services should not be solely born by current maintenance customers."

What's the brouhaha about? This Novell announcement:

"To further encourage more customers to take advantage of the comprehensive benefits a maintenance contract provides, Novell is announcing that as of November 15, 2009, maintenance or subscription authorization will be required to access service packs and patches (excluding stand-alone security patches) for most Novell products. In early 2010, we will extend this initiative to include Technical Information Documents (TIDs) in the Novell Support Knowledgebase for products in the general support phase of the product lifecycle."

That's right, Novell is asking you to pay for its mistakes.

Maybe there's a business plan here for me - are you willing to pay $10/month to get the errata pointing out the corrections to stuff in the newsletter? Do I have to start making more mistakes before you'll pay up?

The blogger's lament (Revised)

2009-09-06T09:17:00.000-07:00

Where have all the bloggers gone, long time passing.
Where have all the bloggers gone, long time ago.
Where have all the bloggers gone, gone to twitter every one
When will they ever learn, when will they ever learn.

with a tip o'the hat to xmlgrrl

The blogger's lament

2009-09-05T16:33:00.000-07:00

Where have all the bloggers gone
Long time passing
Where have all the bloggers gone
Long time ago
Where have all the bloggers gone
Gone to facebook every one
When will they ever learn
When will they ever learn.

The dearth of blogging

2009-07-28T09:44:00.000-07:00

I'm skipping the first couple of days (the "workshop" days) at this year's Catalyst Conference in San Diego. In the past, I'd relied on others blogs for the nitty-gritty of what's going on in those sessions. This year, though, it appears that Twitter has become the reporting tool of choice (and yeoman work is being done by @paulmadsen, @NishantK, @xmlgrrl and especially @brettmcdowell) but there's simply no way to get the full flavor of a presentation in a disjointed series of ~140 character semi-cryptic notes.

Please people, write up those blog entries! Tweet the URL of the posting, but give us as much verbiage as necessary to convey actual meaning.

Facebook can't tell a friend from a hole in the ground

2009-07-27T10:20:00.000-07:00

Burton Group's Ian Glazer has done some follow-up on his "Privacy Mirror" Facebook application with more shocking results. Evidently, if you and one of your friends both add the same application then the application treats your personal data as if it were also a friend - ignoring your "application privacy" settings. And it does this without informing you in any way.

Not good. Not good at all.

Write a caption - win some bucks

2009-07-24T10:58:00.000-07:00

NetVision is holding a contest - write a caption for their cartoon and you could win $1000.

Piece of cake, you say. You doodle cartoons and captions all through the weekly staff meeting anyway - why not got money for it? Well, there are some qualifications:

"Entrants must be actively employed as an Active Directory administrator by a company with more than 100 employees at the time of submission."

Think of that, though, as limiting the competition. Go for it!

Mirror, mirror on my screen tell me what PII is seen...

2009-07-22T10:03:00.000-07:00

The Burton Group's Ian Glazer just created "Privacy Mirror", a "...Facebook application to see what #FB tells 3rd party developers ." If you're on Facebook you might want to check this out. Do you really want to "share" all that info (and all your friends' info) with some nameless, faceless app developer?

Who knew Hospitality suites could do that?

2009-07-15T16:30:00.000-07:00

In a posting on the Burton Group Catalyst website, Mountain View's Centrify says:

Visit Centrify in our Hospitality Suite in Aqua 311 on Wednesday, July 29!
More than 1000 enterprise customers, including 38% of the Fortune 50, have selected the Centrify Suite to improve IT efficiency, strengthen regulatory compliance initiatives, and centrally secure their heterogeneous computing environment.

I usually visit the suite to eat, drink and play games. Who knew you could also "improve IT efficiency, strengthen regulatory compliance initiatives, and centrally secure [your] heterogeneous computing environment"! I'm gonna be first in line...

Geneva was better

2009-07-13T09:11:00.000-07:00

At it's Worldwide Partners Conference today, Microsoft announced the formal names for the products and services that had been going under the code name "Geneva":

Active Directory Federation Services � formerly known as �Geneva� Server(and a name in use since at least 2005. See this press release )

Windows Identity Foundation � formerly known as �Geneva� Framework (this name was suggested back in 2006, but for a slightly different product).

Windows Cardspace � same as current version (also around since 2006).

Not nearly as catchy as "Vista", but that name has too much baggage. My preference would have been for Geneva Federation Services, Geneva Identity Foundation and GenevaCards. But, then, I don't make the big bucks!

CALL FOR PAPERS

2009-07-09T12:25:00.000-07:00

Last chance (deadline is July 11) to submit for Net-ID '09 coming in October in Berlin.

The European Conference on Digital Identities �Net-ID � Identity, Trust, Privacy and Security� will come back to Berlin, Germany, in the fifth year of its history. It will take place on October 1-2, 2009, in the Steigenberger Hotel Berlin. Net-ID 2009 contains 4 tracks with the following
headlines:
� Enterprise Applications, Best Practices and Case Studies
� eIDs in the Focus of E-Government
� Data Protection and Privacy
� Trends and Future

- Please submit to: stg@computas.de
or by fax to: +49-221-5907480

Snoopy Sears

2009-07-02T13:53:00.000-07:00

World +dog seems to be cock-a-hoop over the new authentication that Sears has enabled, claiming OpenID is now accepted. Well, it is, but you'll only see it if you know it's there and go looking for it. First you'll be presented with a NASCAR box showing badges for Facebook, Yahoo, Google, Twitter, AOL and MySpace. Clicking on the [more] link gets you a choice of OpenID or Windows Live. But it isn't just authentication that Sears wants.

Click on the Facebook link, for example, and you see "Allowing Signin.mysears.com access will let it pull your profile information, photos, your friends' info, and other content that it requires to work."

Click on the Twitter link and get: "The application Signin.mysears.com by Sears would like the ability to access and update your data on Twitter."

Do I really want Sears to know who my friends are (and how to contact them)? Do I really want Sears to be able to update my Twitter data (whatever that is)?

Decidely and emphatically, NO!

Some may think this is a step forward for OpenID, but it's not. It's a step back for privacy.

Targeting targeted advertising

2009-06-29T11:35:00.000-07:00

There's a strong movement afoot to set targeted advertising as the antithesis to privacy. See, for example, this sententious blathering from that normally reliable publication, The Register.

Advertising is what's paying for the internet. There are two types of advertising, targeted and non-targeted. Non-targeted ads means I have to wade through ads for feminine hygiene, pet flea collars, securities traders, mortgage lenders and dozens of others that I not only have no interest in, but will never have an interest in because I'm the wrong gender or don't have the item (pet, need to trade stock, re-financing quandary, etc.) that they are aiming for.

On the other hand, I am interested in travel, slow food, blues music, comfortable clothing, and other topics whose ads I'll gladly read and often click on. Occasionally I'll even make the purchase. I don't feel they intrude on my time (certainly not as much as PR types who call me early in the AM) nor do I feel that my "privacy" has been violated.

The article I pointed to above includes the usual diatribe about Google and Gmail: "Gmail scans your personal communication for keywords - there is no opt-out, and using a secure tunnel is no protection." But of course there's an opt-out: DON'T USE GMAIL! (and, I must ask, protection from what?) Use some other "free" service, or pay for one. Google has no obligation to provide you with free email, photoposting (Picassa), newspapers (Google News), telephone accessories (Google Voice) or any of the other ad-supported services from the Mountain View search giant.

I like my Gmail. If you don't, that's fine. Just leave me alone to enjoy it and I'll leave you alone to enjoy whichever mail service you choose.