Posted 3:57 PM (0) comments

Cardspace context UPDATE

Good post today ("No User Context Decisions in your Enterprise?") from Pam Dingle summarizing her panel at Brainshare (which I'm now sorry I missed). Cardspace and other user-centric ID schemes have a definite place in the enterprise, if only for the context-switching that Pamela outlines.

UPDATE: A video of the session ( with Pam Dingle, Patrick Harding, Kim Cameron and Dale Olds) has now been posted at the Bandit Project site.

We'll be exploring this same topic at the European Identity Conference when I host a panel of Dale olds (Bandit Project), Johannes Ernst (OpenID) and Robin Wilton (Liberty Alliance) called "Putting Context in Identity: User-Centric Context." It's an area that will heat up in the near future...

Labels: cardspace, context, EIC, enterprise, openid, user centric

Posted 8:11 AM (0) comments

Off Course-On Target

Wayne Hodgins blog is called "Off Course-On Target" and subtitled "Where unexpected paths lead to great discoveries." Today he took a look at digital identity and fretted over the lack of uniform standards. But it's the analogy and stories Wayne tells - especially about how the shape of screw threads could have lost World War II for the allies - that make it such fascinating reading.

And the moral - perhaps best stated as "the perfect is the enemy of the good" - is something the entire IdM community should take to heart. Consensus and compromise should be our watchwords.

Labels: cardspace, digital identity, liberty alliance, openid, standards

Posted 9:52 AM (0) comments

The Peter Principle of Protocols

A good Post today from Eve Maler reminding us that it's not just people, and it's especially not just on-line people, that have identity issues.

"I realize that the description I’m after is more like 'human-centric identity'. It comes with both online and offline scenarios and still needs to allow for (real-time or not) informed consent and attribute exchange."

This might be a good time to, once again, plump for "persona" as the term for what many call "on-line identity" so that we can keep straight what a real identity is.

She also alludes to the fact that not all identity protocols need to be able to do everything.
There's still room for lightweight, on-line digital person identity systems (vide OpenID) to be used within limited situations. It's not a criticism of OpenID to suggest that it only be used in low-value transactions. What is wrong is to apply a sort of "Peter Principle of Protocols" to OpenID, extending the original Peter Principle (formulated by Laurence J. Peter almost 40 years ago) thru the "Generalized Peter Principle" promulgated by Dr. William R. Corcoran: "anything that works will be used in progressively more challenging applications until it causes a disaster." Let's keep, and improve, OpenID for the things it does best. Let's not try to teach that pig to sing.

Labels: attribute exchange, digital identity, liberty alliance, openid, persona

Posted 8:52 AM (1) comments

Sanity check for OpenID

Bob Blakley offers a wisp of sanity for the, often cantankerous, debate over the formats, uses, security and usefulness of OpenID. As it puts it, there are all sorts of answers flying about - but it might be best to first form the appropriate question! In his own words:

"What I’d really like to see, as a security guy, is a problem statement and a risk analysis. Specifically, before we start arguing about whether OpenID 2.0 is the answer, I’d like to know the following things about the question..."

In particular, Bob wants answers to these questions (and he goes on to elaborate on them):

1. What are the assets to be protected?
2. What are the services to be offered?
3. What quality of protection is claimed for these services?
4. What is the threat model?
5. What is the trust model?

Perhaps, before Digital ID World at the end of this month (and the accompanying Identity Open Space meeting), some folks will be prepared with cogent answers.

Labels: DIDW, digital identity, openid

Posted 8:44 AM (1) comments

Brands as medicine man

Stefan Brands recently did a hatchet job on OpenID which garnered quite a bit of comment. Now I'm not a big fan of OpenID, but somehow whenever Stefan makes that much effort to attack something I almost instinctively react to defend the thing he savages. In this case, though, his half-truths, omissions and over-simplifications are best handled by David Recordon in his response to the diatribe.

I only wish to point out Stefan's answer to Scott Kveton's posting which pointed to David's:

"OpenID to me is Web 2.0’s equivalent of green tea. I have nothing against green tea (I drink it from time to time), and in fact it is widely believed to have various positive health effects Where things get dangerous is when green tea is seen as (let alone hyped as) the cure for all kinds of serious health conditions where people _really_ should visit a doctor. While green tea might have a positive effect for, say, cardiovascular disease, it would be irresponsible if not immoral if patients were lead to believe that there is no need anymore for medication or surgery.

OpenID is currently being seen by various parties as a healthy foundation for much more serious identity and access management applications where a lot more is at stake than someone impersonating or tracking your blog comments. The recent announcement by Estonia IT folks that they are experimenting with tying OpenID into a national ID card scheme for Estonia is an example of this. Personally I find that a very worrisome trend. My colleagues and I have looked into OpenID, to see if we can combine our 'medical equipment' with your 'green tea,' but the two simply don’t mix."

The sarcasm here doesn't drip, it flows. But all it does is to paint Stefan (and his 'colleagues') as 18th century psuedo-scientific quacks railing against the "primitive" folk medicines brought back from the South American jungles, such as Quinine. Stefan firmly believes that, no matter what the question may be, the answer is PKI. That is very dangerous thinking.

Labels: openid

Posted 4:27 PM (0) comments

Yenta, the "social graph"

Brad Fitzpatrick & David Recordon have issued a manifesto called "Thoughts on the Social Graph," where that is defined as the global mapping of everybody and how they're related (see this Wikipedia entry for more detail).

Brad & David decry the effort needed to involve your friends, family, acquaintances, etc. in the activities presented by the Next Big Thing in social networks - whether that's aggregating current thoughts, current locations, current activities, etc. As they say, not only do you have to fill in all of your personal details at each new site:

"You also have to have usernames, passwords (or hopefully you use OpenID instead), a way to invite friends, add/remove friends, and the list goes on. So generally you have to ask for email addresses too, requiring you to send out address verification emails, etc. Then lost username/password emails. etc, etc. If I had to declare the problem statement succinctly, it'd be: People are getting sick of registering and re-declaring their friends on every site."

What they're proposing is a service (open source, at that):

"...which collects, merges, and redistributes the graphs from all other social network sites into one global aggregated graph. This is then made available to other sites (or users) via both public APIs (for small/casual users) and downloadable data dumps, with an update stream / APIs, to get iterative updates to the graph (for larger users)".

But, as I've said before, I don't want to aggregate every relationship I have. I especially don't want to aggregate them where the whole world (or even just that part I'm "related" to, i.e. all the members of my 'social graph') can see all of my relationships!

There's a reason why people create different personas for different on-line communities - they really do wish to keep parts of their life seperate from other parts. Do I really want my children to know how I interact with my work-related friends? Do I want all of my clients to figure out who my other clients are? Do I really want the feds to be able to easily create a dossier of all my contacts? No. No. And, um, definitely no.

The portable relationship graph is a nice idea, but only when all parties to each relationship agree to the port.

Labels: openid, social networks

Posted 8:52 AM (1) comments

Same old AOL

AOL finally delivered on their promise to support OpenID for authentication when they announced (on their developer's blog) a so-called "Status Update" on Tuesday. What the announcement did mostly, though, was to re-enforce the belief that AOL hasn't changed since it's America On-Line days - it still "doesn't get" the internet, and it still believes its customers are dumber than toast.

Evidently we're supposed to believe that AOL is some huge, decentralized group of fiefdoms which only give the nod to each other. Or, as the announcement put it: "We did finish the infrastructure work on the AOL login side, required to support 3rd party OpenID users to login into AOL, but being a pretty big company, we are struggling to get our Product teams to support it." Maybe, like any good ID management project, you should have gotten executive buy-in from the beginning! That's the best way to be sure priorities are set properly.

OpenID is intended to be ubiquitous, also. Just prove you control a URL and it becomes your identifier. Doesn't matter what the URL actually is. Unless you're AOL, of course. They will only accept OpenID's from a "white list" of 10 providers. But, officially, "OpenID allows anyone who can run a web server to run an identity server. Your identity server is separate from your identity, so you are free to use any identity server that has some ability to validate your identity and you can change between them at will." There are over 100 listed at openid.net. Evidently AOL just doesn't get it.

But evidently AOL does feel it's customer base will only use an OpenID provider that gets its seal of approval by being included in the white list.

Ping Identity's Ashish Jain brought up the very real problem of scalability for white lists: "Given the distributed nature of the protocol, it doesn’t seem right for IdP/OPs and RPs to individually contact each other to maintain this list." He goes on to suggest that a reputation service would be a much better idea. It certainly deserves some further discussion.

On balance, I'd guess that AOL supporting at least some form of OpenID in at least a limited context is better than nothing, as long as it doesn't end there.

Labels: AOL, openid

Posted 10:38 AM (2) comments

Uniqueness

The Burton Group's Mike Neuenschwander has posted a mild rant touched off by trying to bag memorable, unique - but recognizable as his - OpenID's on various sites. He tells a good story before getting to his point, which he summarizes as: "There are no identifiers, only attributes."

Mike falls into the trap of the absolutist generalization (there's a lot of that going around, isn't there?). But he concentrates on your given name as an "identity":

"Names are slippery. Most people have many more than one legal name, none of which are unique. They also have several dozen nicknames. There’s no practical way to get any of these every-day-use names onto a global namespace. And what’s a name after all but a synthetic attribute—a foreign key that we hope the receiving party stores somewhere so we can remember them later? "

An "identifier" does need to be unique within a particular namespace. In a family, this is done thru a combination of given names and nicknames. e.g., while my son was at home growing up, I was known as "Dave" and he was called "David". Outside of our immediate family, of course, ambiguity quickly cropped up. There's my nephew (his cousin) David Kearns , for example.

But we are all familiar with unique identifiers within the digital world. Your email address - every single one of them - is a unique identifier within the entire world of the internet. There's also your ip address, but in a DHCP world, that can change without warning. It would still be unique, but tying it solely to you would be a more difficult task.

OpenIDs are unique. A little judicious shopping for an OpenID provider (OP) should get you one who has available an identifier that associates well with you, and that you wouldn't be ashamed to share with others.

Labels: attributes, openid, uniqueness

Posted 4:37 PM (0) comments

Someone else wants a personal directory!

RedMonk posts about a service he'd like to see: "We could imagine that in Theory-land ... everyone’s identity and data is federated and queryable in a secure fashion." He goes on to mention two (of many) things he'd like to be able to do:

"1. I want to stop entering the same profile information over-and-over again. I probably create a user account 2-3 times a week (this morning it was Dishola.com), adding in the same email, username, picture, and “about me” info.
2. I’m sick of entering in my “friends” into every damn site I create a profile on. For social networking sites, this second item is one of those counter-intutive differentiators that most (all?) sites are missing out on."

He even thinks that OpenID might provide the answer: "OpenID has been a promising bundle of technology and standards over the past year as well. I’ve been delighted to see sites of like LiveJournal and claimID adopting OpenID and I’m waiting to see the attribute (or “profile sharing”) parts evolve and get more use by other sites."

It could, but I'm not holding my breathe. For that matter, Liberty Alliance Attribute Provider (An attribute provider (AP) provides Identity Personal Profile (ID-PP) information. Sometimes referred to as an ID-PP provider) would also fill the bill. But I'm not holding my breathe there, either.

Maybe it's time to revisit the universal, self-published, loosely-coupled Personal Directory (Part 1, 2, 3, and 4) - the time is ripe!

Labels: liberty alliance, openid, personal directory