web2.0


Yes, it’s that time again. If you have any interest in seeing what has been going on, what is going on, and what is about to go on in digital identity I suggest you sign up for IIW2007 to be held in May at the Computer History Museum in Mountain View, CA. You won’t be sorry, but you might get caffeine shakes.

I finally got around to checking out the support for information cards at Opinity. So off I go to grab Chuck Mortimore’s excellent proof of concept identity selector, install it on Firefox (an obscure browser used by long haired beardy folk) on Linux (ditto), create myself an information card and go acruising over to Opinity, click on the registration screen information card graphic, select my information card and I am greeted with:

You should use IE7 or above version to do this

Thanks for the heads up. Oh wait, Microsoft haven’t gotten around to releasing Internet Explorer 7.0 on Linux yet - I’m still waiting for the update. Did I get warped back to the 90’s? This had better not be taken as an exemplar for the first wave of implementation of information card support for the web 2.0 crowd. Or the web 2.0 crowd might find the first movers not movin because they can’t get in.

I suggest an alternative method of making sure the user does the right thing for themselves: upon receipt of an information card, use it; otherwise remain calm and ajax in Bob to explain what’s up. But whatever you do, don’t ever require a certain browser, browser version, or by extension, operating system.

Hopefully this example won’t last long.

I’ve been waiting a while for Phil Becker to complete his series of the top five identity fallacies so that I can blog them in one go. The series is very insightful and I would urge anyone interested in digital identity to read them. So here they are:

  1. We’ll Add It In Later

  2. Enterprise Identity is Hierarchical

  3. Centralized Management Means Centralized Data

  4. Identity is Monolithic

  5. Net 2.0 Can Happen Without Solving Identity

Enjoy.

I have been pretty busy recently, which is why Kim Cameron managed to sneak by a tutorial and demo of InfoCard that also revealed the WordPress relying party PHP code for the LAMP stack. It includes a short demo video which walks through how InfoCard works when logging in to a site that is useful to review before actually reading the tutorial. Excellent!

Now if I might be so bold Kim, could we have the code released under an open source license?

A while back I got a Linkedin invitation to link up with someone who I didn’t know who claimed to be from Google. At the same time the same person sent me inmail about opportunities in Google. Sure enough, the person’s (who shall remain nameless) Linkedin page showed that they did indeed claim that they currently work for Google. Smashing. Just one little niggle - they used a hotmail email address… Far be it from me to doubt the trustworthiness of this person, after all, I am sure they are quite honest and just slipped while choosing their email account provider for work related activities. Yes, that must be it.

I wonder how many people imbue some level of elevated trust in the self asserted claims of Linkedin pages? It would be cool to have a trust mechanism for the web, where claims on static pages can be verified in a decentralized, scalable manner. To be able to be assured of the accuracy of claims right on the web page that is making them without having to interact with some trusted third party. As far as I am aware, nothing currently in use achieves this.

In user-centric identity most of the thinking has been about user presentation of identity data in an interactive fashion, but this isn’t the whole story. Sometimes one would like to make a claim that is persistent and non-interactive, one that outlives our brief time online. For example, our friend at Google could have their claim of employment by Google signed by Google, thereby validating the claim if you trust Google not to lie about who it employs. Perhaps that is sufficient for some applications.

It seems to me that this ought to be possible in an internet scale fashion using current technology. It is just a matter of everyone agreeing on which technology pieces are to be used and stitching them together. Given that services like Linkedin are becoming more important to how business is conducted, I expect to see something like this happen in the not too distant future. I bet it ends up being a SAML profile too.

I just received this from Kaliya Hamlin, a.k.a. Identity Woman:

We want to invite you all to the Internet Identity Workshop in May. It will be a great opportunity to move the whole field of user-centric identity forward. Please forward this invitation far and wide to anyone who could learn from and contribute to the conversation.

May 1-3, 2006 at Computer History Museum in Mountain View, CA

Link to Registration Page http://www.windley.com/events/iiw2006a/register.shtml

Link to this announcement http://www.windley.com/events/iiw2006a/announcement

The Internet Identity Workshop focuses on user-centric identity and identity in the large. Providing identity services between people, websites, and organizations that don’t necessarily have a formalized relationship is a different problem than providing authentication and authorization services within a single organization.

The goal of the Internet Identity Workshop is to support the continued development of several open efforts in the user-centric identity community. These include the following:

Technical systems and proposals like Yadis (LID, OpenID, Inames), Identity metasystem, InfoCards, and the Higgins Project

Legal and social issues like Identity Commons, identity rights agreements, and service providers reputation.

Use cases for emerging markets such as user generated video (e.g. dabble.com), innovative economic networks (e.g. interraproject.org), attention brokering and lead generation (e.g. root.net), consumer preferences (e.g. permission based marketing), and civil society networking.

The workshop will take place May 2 and 3, 2006 at the Computer History Museum. We will also have a 1/2 day on the first of May for newbies who want to get oriented to the protocols and issues before diving into the community. If you are new to the discussion, we encourage your attendance on May 1st because of the open format we’ll be using to organize the conference.

Format and Process
At the last identity workshop we did open space for a day. It was so successful and energizing that we will be using this format for both days. If you have a presentation that you would like to make or a topic that you know needs discussion in the community you can propose it here on the wiki.

We will make the schedule when we are face to face at 9AM on May 2nd. We do this in part because the ‘field’ is moving so rapidly that we your organizing team are in no position to ‘know’ what needs to be talked about. We do know great people who will be there and it is the attendees who have a passion to learn and contribute to the event that will make it.

Part of the reason for moving to the Computer History Museum is to have better space for running this kind of effort with an expanding community. We expect a large and energized community to attend and are counting on plenty of participation. Don’t be put off by that, however, if you’re just getting into this. Come and learn. You won’t be disappointed.

Cost
We are committed to keeping this conference open and accessible. Having a venue that will support our doubling in size also means that it costs a bit more.

We decided to have a tiered cost structure to support accessibility as well as inviting those who are more able to pay to contribute. If you want to come we want you there. If cost is an issue please contact us and we can discuss how to make it work.

Students - $75
Independents - $150
Corporate - $250

The fees are used to cover the cost of the venue, organization, snacks and lunch both days. We encourage you to pre-register since we will limit attendance at the event to 200 people. The IIW workshop in October sold out and we expect strong interest in this one as well.

Sponsorships
Our goal is to keep the workshop vendor neutral, but we will be accepting limited sponsorships for the following:

Morning Break, May 2, and 3 ($800 each)
Afternoon Break, May 1, 2, and 3 ($800 each)
Lunch on May 2 and 3 ($2400 each)
Conference Dinner, May 2 ($4000)

If you or your company would like to sponsor one of these workshop activities, or have ideas about other activities contact me. You will not get any extra speaking time for sponsoring but you will get thank-yous and community ‘love.’

Organizers for IIW2006:
Kaliya Hamlin
Doc Searls
Phil Windley

Logistical Support
The Brigham Young University Enterprise Computing Laboratory is providing logistical support and backing for this workshop.

See you there.

How can I prove that I own this blog? Or for that matter any web page? Jeremie Miller of Jabber fame blogs about his new MicroID scheme that provides a simple way to assert ownership of web pages. I have just spent 2 minutes adding a MicroID to this blog. I now have the power to assert my ownership and have that automatically verified by anybody I choose without further changes. Cool.

Jeremie has really earned some extra bonus points for coming up with something so elegantly simple, as he describes it:

There is no new or deep technology involved, simply take a current communication id such as an email address and hash it with the name of the site it will be published on via the following pseudo-code:

MicroID = sha1_hex( sha1_hex( "mailto:user@email.com" ) + sha1_hex( "http://website.com" ) );

It really doesn’t get much simpler than that.
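A minimal verifier for the scheme quoted above, as an added example rather than Jeremie's or this blog's own code: it computes the MicroID exactly as in the pseudo-code and checks whether a page publishes it. Publishing the value in a `<meta name="microid">` tag is an assumption made here, and the page, site and identities are constructed samples.

```python
import hashlib
from html.parser import HTMLParser


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def microid(identity_uri: str, site_uri: str) -> str:
    """sha1_hex(sha1_hex(identity) + sha1_hex(site)), as in the pseudo-code."""
    return sha1_hex(sha1_hex(identity_uri) + sha1_hex(site_uri))


class _MicroIDFinder(HTMLParser):
    """Collects the content of <meta name="microid"> tags (assumed embedding)."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "microid":
            self.found.append((a.get("content") or "").strip().lower())


def page_claims(html: str, identity_uri: str, site_uri: str) -> bool:
    """True if the page publishes the MicroID for this identity and site."""
    finder = _MicroIDFinder()
    finder.feed(html)
    return microid(identity_uri, site_uri) in finder.found


# Constructed sample page and identities, not taken from any real site.
SITE = "http://website.com"
OWNER = "mailto:user@email.com"
SAMPLE_PAGE = (
    "<html><head><title>blog</title>"
    f'<meta name="microid" content="{microid(OWNER, SITE)}">'
    "</head><body>hello</body></html>"
)

if __name__ == "__main__":
    print(page_claims(SAMPLE_PAGE, OWNER, SITE))                     # claimed owner
    print(page_claims(SAMPLE_PAGE, "mailto:other@email.com", SITE))  # someone else
    print(page_claims(SAMPLE_PAGE, OWNER, SITE + "/"))               # site spelled differently
```

The check only works for a verifier who already knows the identity string, and both inputs must match the published spelling exactly, which is what the trailing-slash case exercises.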

Robin Wilton raises the question: Is “user-centricity” the answer to identity fraud?

Which is of course an intriguing question. To which he answers with another question “can you envisage a case where the user has that degree of control, and yet businesses still shoulder 90% of the cost of identity theft?”, and an answer with conclusion:

“I can’t. This suggests two factors which weigh heavily in favour of the status quo

- the lack of incentive for users to bear added responsibility, as long as someone else is picking up the cost of the current approach;

- the difficulty of raising the awareness and competence of every user and citizen, as data custodians, relative to achieving the equivalent rise in awareness and competence among existing data custodians. Not that I’m suggesting the latter is ‘easy’ either!”

Well, that is good news for the status quo, I suppose, if you believe the reasoning. I don’t. Before we get to users shouldering anything, let us step back and look at the problem, the real problem. First, when we talk of identity theft, are we really talking about identity theft, or are we referring to that old chestnut, fraud? I posit that stealing my identity is close to impossible, but impersonating me might be a whole lot easier. That is an important distinction, because the line of reasoning that starts with identity theft invariably ends with some kind of responsibility being placed on the person whose identity has, supposedly, been stolen. However, replacing the term “identity theft” with the word “impersonation” makes that whole line of reasoning much harder to make. The reason is that impersonation is an interaction that takes place wholly between a fraudster and a victim without any interaction with the person being impersonated - they are in fact an innocent bystander in the process. There is no theft but the fruits of the successful fraud.

And what of that fruit? Current reasoning du jour says that the “identity theft” victim’s account has been compromised, and the “identity theft” victim’s money has been stolen. Again, this is simply smoke and mirrors. The account compromised is an administrative convenience of the financial entity, and the money that is stolen has clearly been stolen from that financial entity. With the current protections and identity solutions in place this is already the case. This may go some way to explaining the generosity of these businesses who “shoulder 90% of the cost of identity theft.”

It is not the consumer that creates the security procedures, and therefore they cannot be held liable for their failings. So, it really does not matter where identity information is stored; it is a problem for the enterprise alone to protect its own assets. It is the responsibility of the enterprise alone to put in place adequate protections to ensure that those assets are not easily compromised. This is orthogonal to where identity data is stored. The fact is, security for financial transactions is currently lacking across the board because there is an inherent reliance on relatively easily obtainable data. That is, easily obtainable at the point of transaction. A replay attack is trivial since any one transaction gives sufficient information to make another!

I’d say the current situation might indicate that the status quo isn’t adequate, perhaps in both the financial and identity spaces.