
Identity Woman

Independent Advocate for the Rights and Dignity of our Digital Selves


Liberty Alliance

Kim Cameron's Panel about Identity @ SD Forum

Kaliya Young · January 31, 2006

This is from the SD Forum on Interoperability January 31, 2006.
Prateek Mishra – Oracle
What is the identity problem?
It is stuck in a few places at employer, bank and you want to
how does your identity get from your identity provider – the places where you have defined your identity to all these business processes and services.
We want to do this across the internet. There is the protocol piece – we know how to transmit identity from point a to point b this is solved…
Governance models how to transfer identity in trusted ways from point a to point b. Folks like Liberty Alliance have white papers and frameworks for this. This is a non-trivial problem. How do you maintain and create governance?
How do you have normal folks sitting at their computers manage their identities in intuitive ways. How do they have a tool
Identity is stuck it wants to be free.
Protocol – Token Representation – solved
Governance and Infrastructure – somewhat solved
How does a person leverage these multiple identities?
Kim Cameron – fan of SAML and Liberty
As we move to a more interconnected set of systems we need an identity layer. When you have an architectural hole of this magnitude you have a huge number of kludges.
Meta System
Users have no way of predicting how they should work – knowing when they are in danger.
Old days fighting over Token Ring vs. Ethernet – we got TCP/IP that encapsulated both.
We need a metasystem (I got a tiny bit distracted here, sorry. So the transcription is not perfect)
Karen Wendel, Identrus
Metasystem – single interface from an identity perspective.
Everyone has a Visa card – that folks each having a card for each store. The industry would be stuck without interoperability.
Rules used consistently throughout the world.
VISA would take responsibility for legal, technical and policy issues.
Identrus was owned by the banks. Your identity will be given to you. It takes responsibility around the policy stuff. Legal aspects of your identity – dispute resolution. Liability of relying party who maintains it and lifecycle. We run this network and commonality on global basis.

(from their website) Identrus provides the global standard for identity authentication.
As communications expand and the world shrinks, knowing who’s who in the electronic universe becomes vital.
Identrus offers a full range of technology and services that support every aspect of safe eTransactions.

Rena Mears, Deloitte
Access – from a privacy point of view is different from access from a security point of view
Assertions and Claims are different
Kim Cameron:
Claims are assertions which are in doubt
everything being claimed has to be doubted so we can establish trust.
They considered using Claims but it would have become SCML (scammel)
It is to the benefit to the SAML make things secure in the browser. Shibboleth the hardest thing is home site discovery – infocards visual representation and
pick one of the 5000 higher education institutions…
or pick ‘your’ university identity.
Identrus: This is what we would call an identity provider.
Kim:
SAML is the transport language
SAML is used between a portal and services to the portal.
I propose we have new ways of the user authenticating to the portal.
The systems still exist.
Karen:
What constitutes an identity and the needs for security.
How does language play in this space – there are a lot of different models – identity is not the same as authentication or security.
problem blending identity and security – PKI
you get these people
Kim:
Anyone who works with a protocol, they get infected by the protocol and their vision blurs and narrows.
We need more fanatics about protocols
Identrus:
One of the challenges for us as a community – identity does more than authenticate – sign things and create legal contracts – engage in business transactions, incur liability and regulatory transactions.
you can’t look at the papers and not see an inherent relationship between identity and security.
Rena:
Who has stepped up to be the binder of identity to the individual?
Prateek:
There is no such thing as a single monolithic identity
there are multiple notions of identity useful for different contexts
Shibboleth context higher education
Identrus is a context and a governance model
We like Infocards if we could use it when we get to the line in the spec it says Identity provider discovery – out of band
authentication is out of band for SAML
Karen:
everyone is bound by
the bank that issues the identity to the person
the bank binds to the person – liable for up to 10 million dollars
issued within all the legal requirements
there are all these pockets of identity – the level of binding – between issuer and relying party – it does not transfer through the bridge structure.
A lot of the federated model you don’t have that level of binding between the parties.
We will work with the bridges and it is a different element.
Kim:
The government – thinking of itself as the ‘binding’ authority – reasons for relative autonomy.
Belgium a national identity card – but no card readers
One group was the association of mayors – they were now being asked to sign their legal documents with their individual citizen identity – they used to sign their documents with a stamp of their office – we must think of roles.
Kim:
The issue is PRIVACY.
The characteristics that really respect privacy are the characteristics of a system that really is difficult to penetrate.
All of the identity issues – any initiative that takes this forward we should all applaud.

Identity Workshop Informational Morning – Success!

Kaliya Young · December 13, 2005

So we had a great time at the workshop yesterday. Eugene gave a great overview of “the problem” and why pinging a third party identity broker/provider would be a good evolution.
Johannes gave a great overview of the space: URL-based identifiers (YADIS – currently looking for a new name), WS* (Microsoft) and Liberty Alliance.
Dave presented about OpenID,
John presented about SXIP 2.0,
Drummond on XRI and
Eugene again about Yoke – the I-broker for the masses.
Mary Hodder shared her use of identity for her video community.
Tom from Opinity shared how they are using identity for their reputation network.
Marc Canter shared his use of identity (specifically SXIP) in GoingOn across networks and communities.
Chris Allen shared some use cases for networks where he needs identity.
I closed out by talking about the new Identity Commons ‘clear focus’.
The developers who attended expressed their interest in being there and we broke for lunch.
All had a good time and much networking happened.

Passel: identity. remixed.

Kaliya Young · August 4, 2005

DizzyD presented on Passel and The Identity Gang is in the HOUSE! Johannes, Doc, Phil, Mary and Mary – wow three identity women.
He also didn’t really approach it right; he didn’t get all the different systems and how they worked, and we were all in the audience correcting him. It really highlighted the need for the workshop we are hosting in October.
Here is the summary:
How do I as user my identity on the web?
The ‘story that started it all’
Wife’s machine got Trojan. I had to change all passwords everywhere.
What is Identity?!
Identity is just another class of information we manage.
It’s a second-order problem. When I get on the net I get on it to do Identity Management other tasks.
What is Identity [Italicized] ?
Depends on the setting
Bottom line two fundamental types
third party vouch for and self asserted
His summary of the other stuff..
What are the options:
Passport
All others are not inherently evil.
everyone is throwing protocols against the wall and seeing which ones stick.
Who do you trust to host your identity?
SAML
SAML/Liberty
trust relationship between two entities on your behalf
“asserting” used a lot in this world….and I will use it a lot

Standards are well documented and widely deployed. Lots of infrastructure required for trust relationships. Conditionals and trust relationships not viable from an open source stand point. Took a lot of time for a second order problem.
SXIP
Identity is locked into who the identity provider. You can change home sites. not locked in. Run on own machine. Powerful for users with centralized for user to move.
LID
Send information back and forth, and URL-based.
OpenID
No dynamic scripting needed. You have your identity URL tell via meta tag where identity server is. enter URL – blog URL. LiveJournal do you allow it to authenticate?

Can’t i-names do this?
He asserted wrongly that there was no reputation (global services launch will embed reputation in the messaging/contact system).
For Internet-scale Identity needs

  • Aggregate Identity
  • Decentralized and open
  • Diverse programming languages/environments
  • Interoperable implementations
  • Bootstrap off existing trust models

PASSEL
Gives you more control over data
Aggregates your identity via user-centric three-piece architecture
Implementations already started: Perl, PHP, Java and C#
Pluggable trust models.
Generalized model for proving any DNS-based identifier
Trust Model

  • how you prove the signer
  • person x
  • Moving identity information proving that a
  • protocol how move around
  • plug in how you trust information

PIECES:
Agent (principal’s computer)

  • aggregates into portfolio
  • public private key and fingerprint
  • natively if not
  • Zip file on key – use on different locations

Signer (site that makes assertions)

  • signer issues token with for example 4 hour life span
  • agent must retrieve new token from dizzyd.com

Target (relying party)

  • how does the
  • retrieval of public key.

Technorati Tags: identity, OSCON05, Passel, puppy

Announcing the Internet Identity Workshop (IIW2005)

Kaliya Young · August 1, 2005

There’s been considerable conversation around identity on the Internet, or what some would call grassroots identity. Providing identity services between people, websites, and organizations that may or may not have any kind of formalized relationship is a different problem than providing authentication and authorization services within a single organization. Many have argued that the lack of a credible identity infrastructure will eventually result in the Internet being so overrun with fraud as to make it useless for many interesting uses.
To solve this problem, or pieces of it, companies and individuals have made a variety of architectural and governance proposals. Some of these include:

  • The Liberty Alliance
  • Microsoft’s InfoCard system
  • Identity Commons
  • SXIP
  • OpenID
  • LID
  • XRI/XDI (i-names)
  • Passel

Myself, Phil Windley, Drummond Reed, and Doc Searls are hosting the Internet Identity Workshop in Berkeley on October 25 and 26th to provide a forum to discuss these and other architectural and governance proposals for Internet-wide identity services and their underlying philosophies. The workshop will comprise a day of presentations on Internet-scale identity architectures followed by a day of structured open space to accommodate the range of topics and issues that will emerge from day one and other issues and identity services that do not fit into the scope of the formal presentations. We’re hoping that adding a little more formality to the conversation will aid in digesting some of the various proposals.
We’re inviting presentations for the first day on the following topics:

  • Problems, issues, politics, and economics of Internet-scale identity systems.
  • Architectures for Internet-scale identity systems
  • Philosophies that drive architectural decisions in these systems (see Kim Cameron’s Laws of Identity for an example of such a philosophy)

If you’d like to present on some other topic, drop one of us a line first and we’ll see how it fits in. Prospective presenters will be asked to submit a 250-300 word abstract. We hope to accommodate everyone, but we may end up picking from the abstracts.
I’m excited about this and looking forward to it. I hope we can have a good set of presentations the first day and a solid day of discussion the second. If you’re interested in this sort of thing, I hope to see you there. Please read the full announcement for some other details and register if you’re coming. There is a $75 charge to cover the cost of the venue, administrative expenses, and the cost of snacks and lunch both days.

     Copyright © 2023 Identity Woman  evelurie.com/web design/develop     
