In Context

November 18, 2008

IIW7: Great As Usual

Filed under: — paul @ 3:13 pm

Kudos to Kaliya and Phil for another great IIW. There was a great spirit of collaboration and I got the feeling that a lot of important work got done.

Browser Extension Convergence

I led a session on trying to converge towards a single browser extension for these four browsers: IE, FF, Safari, Chrome. Today we’ve got lots of browser extensions for different browsers each of which generally supports a specific protocol (e.g. OpenID or I-Card). What we’d like to get to is having one multi-protocol browser extension for each browser–that is, a total of four extensions. And eventually, we’d like to see these built into the browsers themselves. In the meeting we discovered that there was an opportunity to first agree on the specifications for auth discovery across protocols. This became the next part of the meeting…

Browser Support for RP Auth Discovery

Everyone agreed that creating common specs for this was a good idea, whether or not folks were interested in building implementations. (BTW, Phil was in this session and also blogged about this sub-topic). We saw that we could use XRDS as the basis for both OpenID as well as I-Card RP auth discovery, and perhaps others. Today I-Card tech embeds an HTML <object> tag, but Axel Nennker has put forward here and here a variation where instead of an embedded <object> tag we use a link/rel approach. Meanwhile, various OpenID folks have also been looking at using XRDS to discover RP auth metadata. Phil wrote:

Once the discovery protocol is decided upon, standard plugins could be written for Firefox, IE, Chrome, and Safari that would implement the discovery process for identity and enable the browser for whatever identity system(s) the relying party supports. Four open source, community supported plugins could replace the myriad proprietary plugins available today. That would lead to greater penetration and also give browser manufacturers something to code against when the time comes that they want to build the discovery code into their product.

November 5, 2008

CardSpace is not Information Card

Filed under: — paul @ 1:04 pm

In an otherwise excellent article entitled When will Windows Live stop treating CardSpace as the unwanted stepchild? Simon Bisson and Mary Branscombe confuse a technology with an implementation. They refer to CardSpace when they mean Information Card. This undermines the ecosystem and is ultimately not good for Microsoft.

The use of the word “CardSpace” in the article’s title was incorrect. The authors also wrote things like (emphasis added):

So why is Windows Live ID proudly announcing that it’s issuing OpenIDs but not CardSpace IDs?

I don’t even know what a CardSpace ID is. Information Card is the name of an open standard that has multiple competing implementations. One of these implementations is a Selector called Microsoft CardSpace™. Other implementations of Selectors and other components include Novell Bandit’s DigitalMe™, Higgins, OpenInfoCard, CardPress™, Azigo™, and so on. Information Card tech already has the non-profit Information Card Foundation backed by over 50 corporate members including Intel, Deutsche Telekom, Equifax, Novell, Google, and Oracle as well as a growing community of independents, FOSS developers, etc.

October 22, 2008

The “purple-i”

Filed under: — paul @ 12:01 pm

I call this icon the purple-i. But this isn’t without its problems. I’ve been on phone conversations where folks think I’m saying “purple eye”.

Whatever the name, this thing occupies a lot of my thinking these days. Why? Because I’d like to see it on every site and application. Every e-merchant, alumni, government, healthcare provider. Every site. Even if the site supports OpenID (more about the OpenID/i-card RP user experience simplification story another day) or SAML.

Today I want to make a case for why I feel this way. I’ll be interested to see what other folks think of my reasoning. Okay, here goes.

Every site should put up the purple-i today because:

  1. By proudly displaying the icon you’re taking a stand for a better, safer Internet.
  2. It will delight visitors who already have a selector–now they can create accounts and login with a click or two. No more forms to fill; no more passwords to remember.
  3. It is really really easy to do (there are even a few rabid i-card folks who’ll do it for you. For nothing).

Standing for a better, safer Internet

By displaying this icon, you take a stand for what the Internet should be and against its current hassles and dangers. You align your site with a growing community of software architects, open source developers, and policy makers who are passionate that we should:

  • Help give people more control over their online identities.
  • Protect people from phishing and other malicious attacks that are daily on the increase.
  • Eliminate the hassle of filling in forms, and answering the same questions over and over.
  • Allow people not just to self-assert information, as they do today, but also to reliably convey what other people or authorities (banks, credit agencies, governments, universities, professional associations, etc.) say about them. (Which can even be done while preserving your anonymity.)
  • Protect children from predators; (Or more precisely, provide a foundation for solutions that can do this).

The purple-i is a promise to deliver these things. Join this force for good.

Delighting the Selector-equipped

Anyone with a Selector knows that the purple-i means that they don’t need to remember a password, they don’t need to fill in forms and they enjoy far more protection from the bad guys (Sarah Palin’s Yahoo password reset hack should give us all pause).

The purple-i on the site acts differently depending on whether you do or don’t have a Selector. If you have one, it just works; your Selector pops up. If you don’t, the site displays a page that explains the wonders of Information Cards and Selectors and gives you a list of downloadable Selectors for your favorite operating system (or soon, smart phone). [Imagine a consumer-friendly version of this page (and with a couple more Selectors!). The RP Best Practices Working Group of the ICF is writing up the guidelines for this stuff.]
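Here is what that two-way behaviour looks like in a relying party’s login area, as an added example; it is not code from the original post, from Parity, or from any Selector project. It assumes a Selector advertises itself to the page through the MIME type application/x-informationCard (the type CardSpace-era selectors registered), that the `<param>` names follow the CardSpace object-tag convention, and that every URL and claim URI below is a placeholder. The one check the page does not mention but any site deploying this wants is that the endpoint receiving the token is HTTPS, because the token is posted back to it.

```javascript
// Added example (not from the original post or any Selector project): a login area
// that behaves the way the purple-i is described. With a Selector present it emits the
// Information Card <object> tag that makes the Selector pop up; without one it emits the
// "what is an Information Card" fallback. Assumptions: Selector detection via the MIME
// type "application/x-informationCard"; <param> names per the CardSpace object-tag
// convention; URLs and claim URIs are placeholders.

const INFOCARD_MIME = "application/x-informationCard";

// mimeTypes is navigator.mimeTypes in a browser; any array-like of {type} entries works.
function hasSelector(mimeTypes) {
  if (!mimeTypes) return false;
  const n = mimeTypes.length || 0;
  for (let i = 0; i < n; i++) {
    const entry = mimeTypes[i];
    if (entry && entry.type === INFOCARD_MIME) return true;
  }
  return false;
}

// Escape text for a double-quoted HTML attribute so a claim URI or label can never
// break out of the tag it is placed in.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Markup that triggers the Selector. The token it produces is posted to opts.postUrl,
// so that endpoint must be HTTPS; a token sent over plain HTTP could be read on the
// wire, which undoes the protection the purple-i promises.
function infoCardObjectMarkup(opts) {
  if (!/^https:\/\//i.test(opts.postUrl)) {
    throw new Error("token endpoint must be https: " + opts.postUrl);
  }
  const params = [
    ["tokenType", opts.tokenType],
    ["requiredClaims", opts.requiredClaims.join(" ")],
  ];
  if (opts.privacyUrl) params.push(["privacyUrl", opts.privacyUrl]);
  const paramTags = params
    .map(([name, value]) => `<param name="${escapeAttr(name)}" value="${escapeAttr(value)}"/>`)
    .join("\n    ");
  return [
    `<form method="post" action="${escapeAttr(opts.postUrl)}">`,
    `  <object type="${INFOCARD_MIME}" name="xmlToken">`,
    `    ${paramTags}`,
    `  </object>`,
    `  <input type="submit" value="Sign in with an Information Card"/>`,
    `</form>`,
  ].join("\n");
}

// Fallback for browsers with no Selector: explain, and point at the download page.
function fallbackMarkup(opts) {
  return `<p>This site accepts Information Cards. ` +
    `<a href="${escapeAttr(opts.learnMoreUrl)}">Learn what they are and get a Selector.</a></p>`;
}

// Pick the branch; the returned mode makes the decision visible to callers and tests.
function renderPurpleI(mimeTypes, opts) {
  if (hasSelector(mimeTypes)) {
    return { mode: "selector", html: infoCardObjectMarkup(opts) };
  }
  return { mode: "fallback", html: fallbackMarkup(opts) };
}

// Constructed sample configuration (placeholder host; standard claim URIs).
const SAMPLE_OPTS = {
  postUrl: "https://rp.example/login/infocard",
  tokenType: "urn:oasis:names:tc:SAML:1.0:assertion",
  requiredClaims: [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  ],
  privacyUrl: "https://rp.example/privacy",
  learnMoreUrl: "https://rp.example/what-is-an-information-card",
};

// In a browser, render whichever branch applies to the visitor.
if (typeof navigator !== "undefined") {
  console.log(renderPurpleI(navigator.mimeTypes, SAMPLE_OPTS).html);
}
```

The detection is deliberately kept separate from the rendering so the same page can be unit-tested with a fake mimeTypes list, and the HTTPS check sits in the rendering function rather than in configuration so a misconfigured deployment fails loudly instead of quietly posting tokens in the clear.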

It’s Really Easy

I know the site isn’t pretty (we’re in the middle of a redesign), but here’s a page of just some of the resources available to help sites add the purple-i to their login area.

<shameless-plug>My company, Parity, is willing to help you do this–we’ll even do it for free (with some fine print in there :). Email me paul at parity.com )</shameless-plug>

August 27, 2008

No ‘user-centric’ or ‘enterprise-centric’ identity

Filed under: — paul @ 10:15 am

Dave Kearns has written an article explaining that, if solutions are architected correctly, there’s no meaningful difference between the two. He writes:

We start by defining identity as a group of “personas” (see “Defining identity, persona, role”). Any persona can be made up of a group of personas or roles. Each of those personas can be linked, or separated, as the entity identified by them wishes. One of those personas is (or, rather, could be) an “enterprise persona.” That one brings together “…all the activities and attributes of a single entity” performed for or related to that enterprise “into a readily accessible (and reportable and auditable) form.”

So there is no “user-centric” or “enterprise-centric” identity. There is just an entity with AN identity made up of various personas some of which may be controlled or limited in some way by an outside organization – not only by the enterprise but also by governments, social organizations, etc. The ability to keep these personas separate, where legally able to do so, must be a given. Each persona will have different identity needs and requirements, of course, but that’s what will drive the “identity economy” as vendors seek to satisfy those needs and requirements in accordance with the laws. The government’s laws, the enterprise’s “laws”, the fraternal and social organization’s “laws” and the Laws of Identity as laid down by Cameron.

I really didn’t understand this when I started the Higgins project back in 2003. I was trying to scratch a personal itch. I wanted a personal dashboard that would pull together all of my profiles and social relationships. I felt like my various personas and buddy lists were scattered all over the web in hundreds of silos/sites.

Later when my colleague Mary Ruddy described the Higgins project to Jamie Lewis, Jamie suggested that we talk to Tony Nadalin (IBM) and Kim Cameron. My initial reaction was “no,” and “no way” [respectively]. I figured that I was working on a user-centric solution that would work for me, as an individual. So why would we talk to IBM? They sell to enterprises [so surely what we're working on can't be of interest]. And as for talking to Microsoft (I didn’t know Kim at the time)…why would I talk to the folks that brought us Hailstorm and Passport?

As history has shown, I was wrong on both counts. Luckily, Jamie was persuasive and Mary was insistent. We have since joined forces with Tony and Kim. Tony explained to us that the problems facing the enterprise were extremely relevant to Higgins and that there was no conflict. And Kim (and later Mike Jones and others) won us over by showing that Microsoft could be a good actor in this space. [So much so that the Higgins project decided to invest a ton of resources on making sure that its "card-based" metaphor and file formats were a pure super-set conceptually, functionally, and architecturally WRT CardSpace.]

August 10, 2008

Goodbye, Passwords. You Aren’t a Good Defense

Filed under: — paul @ 5:06 pm

Goodbye, Passwords. You Aren’t a Good Defense written by Randy Stross of the NY Times appeared today. The article starts off well and focuses entirely on the problem of passwords. I particularly like the line:

In short, we need a log-on system that relies on cryptography, not mnemonics.

Very nice. As for the rest of the article, well, everyone knows I’m a fan of Information Cards so I was glad of the mentions (especially of the Information Card Foundation). But I’m also a fan of OpenID, though not in its current form nor how it is being presented as web-scale SSO. The essence of OpenID provides a missing piece of the puzzle that Information Cards don’t. The concept is to provide the user with a web address to a set of services that work (continuously) on behalf of that user. “Pure” i-cards don’t. Pure i-card solutions (e.g. CardSpace) only work when the user is sitting in front of their machine.

Pitting one technology against another and focusing on getting rid of passwords probably creates a more exciting story. But what we need to do is combine the best ideas from a set of complementary technologies to create a great solution. With the right combination, you also get synergy. For example, many limitations of “pure” OpenID go away when combined with Information Card’s client architecture.

I really don’t think we’ll get Internet scale adoption with any of the “pure-play,” partial solutions, on their own. Instead, take an “extract” of OpenID, mix in a derivative of Liberty (esp. ID-WSF) services at that endpoint, top it off with i-cards, browser integration, and run it on all platforms (including mobile), and maybe we’ll have a recipe for something that works in enough real world situations to be generally useful.

Is Information Card a “Microsoft” Technology?

Filed under: — paul @ 4:18 pm

It’s a common misconception that Information Card technology is proprietary to Microsoft. In the past there has been some truth to this, and I realize that most people think it remains true, but it isn’t. Quite the contrary.

The design work behind what is now called Information Card technology started about five years ago at Microsoft, IBM (e.g. in the co-development of WS-Trust), Higgins, and a few other places. The perception that it was a “Microsoft” technology was created by a series of actions and omissions by Microsoft over the intervening years. Some were intentional, some not. Many had unforeseen consequences.

From the beginning Microsoft was focused on shipping a product as soon as possible. Although getting CardSpace to ship in Nov 2006 was in and of itself a good thing, their lack of progress in other areas had consequences that worked against creating a vibrant ecosystem of interoperable, competing implementations based on open standards.

To some extent getting a 1.0 product out the door so far ahead of when others could ship helped create the perception that indeed this was a Microsoft dominated technology. The other projects were held up by a combination of IPR issues, resource issues and, in some cases, the difficulty of understanding how CardSpace worked. Even little things contributed. For a time Microsoft used the term Information Card in Microsoft documents in a way that implied that it was a Microsoft term rather than an open, industry term. Nor did code-naming the product “InfoCard” help. More troublesome was how long it took Microsoft to release the CardSpace-related IP under the Microsoft OSP. Worst of all, it has only been in recent weeks that the last few remaining protocol design documents have been submitted to an SDO–in this case the new OASIS IMI TC.

Of course, Kim, Mike, and others always knew that to be successful there had to be open, standard protocols and multiple competing selectors (and other IdP and RP services) running on all platforms and mobile devices. I’ve always felt that they saw the big picture. And I think it’s fair to say that compared to Microsoft’s normal modus operandi there has been an unprecedented level of openness, collaboration, and good will.

And in the end, and to Microsoft’s credit, everything did get done. Today there are open source implementations that interoperate with CardSpace, and in various ways go beyond CardSpace, living in open source projects like Higgins, Novell’s Bandit, OpenInfoCard, Pamela and others. The technology has recently gotten its own Information Card Foundation. The ICF and its members, with the addition of IBM, have provided most of the funding and resources for the OSIS series of interop events involving card issuing sites, selectors and relying sites (and relying apps). The one at RSA had 53 companies and open source projects collaborating together. The next and fourth one will be at DIDW.

So today, Information Card, InfoCard, I-Card (or whatever you call it) technology is open, free, and not a Microsoft proprietary technology.

-Paul

PS: Ben Laurie’s voice is echoing in my head right now. How Information Card implementations work interoperably between Microsoft’s Credentica-developed selective disclosure technology and the IBM Zurich Idemix technology has yet to be seen. I’d say there’s reason to be hopeful. Fingers crossed.

August 3, 2008

Semantic Web for the Working Ontologist

Filed under: — paul @ 3:02 pm

I can’t tell you how excited I was a few weeks ago to get my hands on a copy of this book. The title pretty much says how the book is positioned. Being I guess what you’d call a “working ontologist” in the identity space, this was just the book I hoped it would be. You see, I wish I did have the time to attend the semweb-related conferences and invest enough time to become an expert, but I really don’t. In practice all I really can do is read the few OWL and RDF books that I can find, buy the best tools that are out there (e.g. TopQuadrant), subscribe to the semweb IRC, and learn by making mistakes. The existing books are either out of date, poorly written or both. The problem with being self-taught is that I’m never quite sure that there isn’t some best practice that I’m not aware of. Here’s an example. In the last 18 months I’d been hearing more and more about SKOS. Being new, it isn’t covered in the existing books, so I sort of have to figure out for myself if it’s useful. It’s a lot more fun instead to read about it as presented by Dean and Jim. I have a lot of respect for both of them, and I was very eager to learn what I could from them. I appreciated the very practical sidebars, e.g. about the common misconceptions that OOP folks have with RDF, because I’ve struggled with these same issues myself. The book was rigorous enough to make me confident that I’m on the straight and narrow, without ever lapsing into unnecessary formalism. I have recommended this book to the Higgins team, and highly recommend it to anyone.

July 15, 2008

VRM Workshop

Filed under: — paul @ 4:53 pm

I’m very glad I’ve come to Doc’s Vendor Relationship Management (VRM) workshop at the Berkman center this week. Among other things, I’ve met some wonderful new fellow travelers in this promising new space. I was particularly interested in the discussions centered on defining the value proposition for the “v” in VRM–the merchants, manufacturers, and so on that would like a better relationship with their customers, members, patients and citizens. I also enjoyed the chance to catch up with the other startups in this area.

On a tech level, I remain convinced that VRM is an application layer over identity infrastructure. More specifically, it seems that the VRM “rel button” concept blends well with r-cards.

July 8, 2008

ICF is public!

Filed under: — paul @ 3:35 pm

At long last the Information Card Foundation launched on June 24th after spending about a year and a half in the works. Here’s the press release and some coverage of it. Also, Bob Blakley gave Charles and me a few minutes to talk about ICF on one of his panels at the Catalyst conference a couple of weeks ago.

A few words about how we got here. Pretty much the first year was all about discovering new, clever ways to not start the foundation. Probably the biggest mistake was to start by trying to get corporate sponsors. The problem is that when you do it this way, you’re always a supplicant.

About six months ago we decided that since our colleagues are the developers, architects and inventors in the information card space, and since we’ve been working together in one forum or another for years, why not take a page from the OpenID Foundation, and just start the foundation as ourselves–without sponsors! So we did. We incorporated in February, and invited ourselves to the board! We called up Andy, Axel, Ben, Drummond, Kim, Mary, Pamela and Patrick and invited them to the party with Charles Andres as the executive director. Every one of these warm, fun, thoughtful people thought this was a great idea. We figured that now we’d have a forum to work out technical wrinkles and to promote adoption of this tech that we’re all so enthusiastic about. After this, it was much easier to recruit Google, Equifax, Microsoft, Novell, Oracle and PayPal to the board, to attract sponsors like BackgroundChecks.com, Gemalto, IDology, IP Commerce, Parity, Ping Identity, Privo and Wave as well as to create ties with the Liberty Alliance and the Fraunhofer Institute FOKUS.

In closing, I want to thank Charles for his willingness to take a huge leap of faith that the ICF would ultimately get funded. We’re all indebted to him for that.

April 30, 2008

Bandit and Higgins win an Award at EIC

Filed under: — paul @ 8:53 am

They said:

The second special prize goes to open source projects Higgins and Bandit, which we consider the most important open source initiatives in the field of Identity Management.
