The complaint was that I called my fellow IDESG colleagues Nazis. He was unsatisfied with my original statement about the tweet on our public management council mailing list. Somehow this led to the Ombudsman taking on the issue and after I spoke with him in Tampa it was followed by a drawn out 5 week “investigation” by the Ombudsman before he issued a recommendation.
Then it turns out after all was said and done there was never actually a formal complaint. There was the ombudsman taking action on his own. (It’s funny how organizations can use Ombudsman to not actually protect people within institutions but use them as institutional forces to push people out who speak up and ask too many questions.)
During the time I was being investigated I experienced intensive trolling about the matter on Twitter itself. The trolling was done by someone obviously familiar with the situation who was upset. There were only 5 people familiar with the matter as it was ongoing through this investigation. During my own IIW conference the troll topped off the week by making implicit rape threats. This was very very disruptive and upsetting to me, so much so I don’t even remember that IIW.
Here is the tweet that I authored while pondering theories of organizational dynamics in Tampa and without any intent to cause an association in the mind of a reader with IDESG, NSTIC, nor any person or persons in particular. Note that I did not reference anyone with a @____ or add any signifying hashtags e.g., #idesg or #nstic in this tweeted comment. So unless you were reading everything you would never know I said it.
I own that the tweet was provocative but it was not my intent to cause harm to anybody or to the IDESG organization and wider identity community.
We can’t put documents up for community and public input and say “it’s 40 page document nobody has time to read” and laugh as if it is funny that the process is so bad that there is no ability for the body of the organization let alone the public to have insight. That is how not good things begin to happen when no one is looking. I was trying to make a point that the meeting was being badly badly run and that poor process can lead to really bad outcomes.
I am very sorry if the tweet had an emotionally negative impact on people on the management council. I fully acknowledge that referencing anything relative to the Nazi era is triggering. It touches on our collective shame and surfaces vulnerability it is very hard to look at.
I also believe that we have to actually be prepared to do so. If we don’t examine the past we can’t be sure we will not repeat it. [Please click to see my next post for this to be further expounded upon]
I didn’t choose to say anything along these lines because I was in the middle of a process with the Ombudsman that I thought would be honored and left to run its course.
I also didn’t feel one should feed internet trolls – one was being very aggressive and pestering me for an apology.
I think that we all need to keep in mind our roles as Directors of the IDESG when we interact with the public and with each other.
This includes hiding behind pseudonyms and aggressively trolling to get back at someone you are upset with. Which also happened – either deal with the issue in a formal process or take them out on Twitter but don’t do both.
The whole process left me and my attorney puzzled. My attorney wrote a letter to the Management Council/Board of Directors with a whole bunch of questions and now that this is posted we look forward to their answers to those questions.
No one from the IDESG including the ombudsman ever responded or was concerned by the aggressive trolling and implicit rape threats on Twitter by someone intimately familiar with the ongoing ombudsman process.
Abusive behavior towards women isn’t just a physical thing, it is psychological as well. I have felt unsafe in the Identity community since this incident. I am now setting it aside though and stepping forth in my full power.
ID Protocol
Resources for HopeX Talk.
I accepted an invitation from Aestetix to present with him at HopeX (10).
It was a follow-on talk to his Hope 9 presentation that was on #nymwars.
He is on the volunteer staff of the HopeX conference and was on the press team that helped handle all the press that came for the Ellsberg – Snowden conversation that happened mid-day Saturday. It was amazing and it went over an hour – so our talk that was already at 11pm (yes) was scheduled to start at midnight.
Here are the slides for it – I modified them enough that they make sense if you just read them. My hope is that we explain NSTIC, how it works and the opportunity to get involved to actively shape the protocols and policies maintained.
Recent Travels Pt1: IIW
IIW is always a whirlwind and this one was no exception. The good thing was that even with it being the biggest one yet it was the most organized with the most team members. Phil and I were the executive producers. Doc played his leadership role. Heidi did an amazing job with production, coordinating the catering and working with the museum; Kas did a fabulous job leading the notes collection effort; and Emma, who works off site, got things up on the wiki in good order.
We had a session that highlighted all the different standards bodies standards and we are now working on getting the list annotated and plan to maintain it on the Identity Commons wiki that Jamie Clark so aptly called “the Switzerland” of identity.
We have a Satellite event for sure in DC January 17th – Registration is Live.
We are working on pulling one together in Toronto, Canada in early February, and Australia in late March.
ID Collaboration Day is February 27th in SF (we are still Venue hunting).
I am learning that some wonder why I have such strong opinions about standards…the reason being they define the landscape of possibility for any given protocol. When we talk about standards for identity we end up defining how people can express themselves in digital networks and getting it right and making the range of possibility very broad is kinda important. If you are interested in reading more about this I recommend Protocol: and The Exploit. This quote from Bruce Sterling relative to emerging AR [Augmented Reality] Standards.
If Code is Law then Standards are like the Senate.
Authored: National! Identity! Cyberspace! Why we shouldn’t freak out about NSTIC.

This is cross posted on my Fast Company Expert Blog with the same title.
I was very skeptical when I first learned government officials were poking around the identity community to learn from us and work with us. Over the last two and a half years, I have witnessed dozens of dedicated government officials work with the various communities focused on digital identity to really make sure they get it right. Based on what I heard in the announcements Friday at Stanford by Secretary of Commerce Locke and White House Cybersecurity Coordinator Howard Schmidt to put the Program Office in support of NSTIC (National Strategy for Trusted Identities in Cyberspace) within the Department of Commerce, I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative, like this from CBS News: Obama Eyeing Internet ID for Americans.
I was listening to the announcement with a knowledgeable ear, having spent the last seven years of my life focused on user-centric digital identity. Our main conference Internet Identity Workshop held every 6 months since the fall of 2005 has for a logo the identity dog: an allusion to the famous New Yorker cartoon On the internet, nobody knows you are a dog. To me, this symbolizes the two big threads of our work: 1) maintaining the freedom to be who you want to be on the internet AND 2) having the freedom and ability to share verified information about yourself when you do want to. I believe the intentions of NSTIC align with both of these, and with other core threads of our communities’ efforts: to support identifiers portable from one site to another, to reduce the number of passwords people need, to prevent one centralized identity provider from being the default identity provider for the whole internet, to support verified anonymity (sharing claims about yourself that are verified and true but not giving away “who you are”), support broader diffusion of strong authentication technologies (USB tokens, one-time passwords on cellphones, or smart cards), and mutual authentication, allowing users to see more closely that the site they are intending to do business with is actually that site.
Looking at use cases that government agencies need to solve is the best way to understand why the government is working with the private sector to catalyze an “Identity Ecosystem”.
The National Institutes of Health is a massive granting institution handing out billions of dollars a year in funding. In the process of doing so, it interacts with 100,000’s of people and does many of those interactions online. Many of those people are based at institutions of higher learning. These professors, researchers, post-docs and graduate students all have identifiers that are issued to them by the institutions they are affiliated with. NIH does not want to have the expense of checking their credentials, verifying their accuracy and enrolling them into its system of accounts, and issuing them an NIH identifier so they can access its systems. It wants to leverage the existing identity infrastructure, to just trust their existing institutional affiliation and let them into their systems. In the United States, higher educational institutions have created a federation (a legal and technical framework) to accept credentials from other institutions. The NIH is partnering with the InCommon Federation to be able to accept, and with that acceptance to trust, identities from its member institutions and thus reduce the cost and expense of managing identities, instead focusing on its real work: helping improve the health of the nation through research.
The NIH also has a vast library of research and information it shares with the general public via the internet. Government sites are prohibited from using cookie technology (putting a unique number in your browser cookie store to remember who you are) and this is a challenge because cookies are part of what helps make Web 2.0 interactive experiences. So say that your mom just was diagnosed with breast cancer and you want to do a bunch of in-depth research on breast cancer treatment studies. You go to the NIH and do some research on it, but it really requires more than one sitting, so if you close your browser and come back tomorrow, they don’t have a way to help you get back to the place you were.
The NIH doesn’t want to use a cookie and doesn’t want to know who you are. They would like to be helpful and support your being able to use their library over time, months and years, in a way that serves you, which means you don’t have to start from scratch each time you come to their website. It was fascinating to learn about the great lengths to which government officials were going to adopt existing standards and versions of those standards that didn’t link users of the same account across government websites (see my earlier post on Fast Company). They proactively DID NOT want to know who users of their library were.
One more use case from the NIH involves verified identities from the public. The NIH wants to enroll patients in ongoing clinical trials. It needs to actually know something about these people – to have claims about them verified, what kind of cancer do they have, where are they being treated and by whom, where do they live, etc. It wants to be able to accept claims issued by third parties about the people applying to be part of studies. It does not want to be in the business of verifying all these facts, which would be very time consuming and expensive. It wants to leverage the existing identity infrastructures in the private sector that people interact with all the time in daily life, and accept claims issued by banks, data aggregators, utility companies, employers, hospitals etc.
These three different kinds of use cases are similar to others across different agencies, and those agencies have worked to coordinate efforts through ICAM which was founded in September 2008 (Identity, Credential and Access Management Subcommittee of the Information Security & Identity Management Committee established by the Federal CIO Council). They have made great efforts to work with existing ongoing efforts and work towards interoperability and adopting existing and emerging technical standards developed in established industry bodies.
Let’s continue exploring what an identity ecosystem that really works could mean. The IRS and the Social Security Administration would each like to be able to let each person it has an account for log in and interact with it online. We as those account holders would like to do this – it would be more convenient for us – but we want to know that ONLY we can get access to our records, that they won’t show our record to someone else.
So let’s think about how one might be able to solve this problem.
One option is that each agency that interacts with anywhere from thousands to millions of citizens issues their own access credentials to the population it serves. This is just a massively expensive proposition. With citizens interacting with lots of agencies, they would need to manage and keep straight different IDs from different agencies. This is untenable from an end-user perspective and very expensive for the agencies.
Another option is that the government issues one digital ID card to everyone, and this one ID could be used at a bunch of different agencies that one might interact with. This is privacy-invasive and not a viable solution politically. No one I have ever talked to in government wants this.
So how to solve this challenge – how to let citizens login to government sites that contain sensitive personal information – whether it be tax records, student loan records, Department of Agriculture subsidies, or any other manner of government services, and be sure that it really is the person via an Identity Ecosystem.
Secretary Locke’s Remarks: The president’s goal is to enable an Identity Ecosystem where Internet users can use strong, interoperable credentials from public and private service providers to authenticate themselves online for various transactions.
What does a private sector service provider use case look like in this ecosystem?
When we open bank accounts, banks are required to check our credentials and verify our identities under know-your-customer laws. People have bank accounts and use them for many years. Banks know something about us because of their persistent ongoing relationship with us: storing our money. Banks could, in this emerging identity ecosystem, issue their account holders digital identity credentials that would be accepted by the IRS to let them see their tax records.
The private sector, for its own purposes, does a lot to verify the identities of people, because it has to do transactions with them that include everything from opening a bank account, to loaning money for a house, to setting up a phone or cable line, to getting a mobile phone, to a background check before hiring. All of these are potential issuers of identity credentials that might be accepted by government agencies if appropriate levels of assurance are met.
What does a public service provider look like in this ecosystem?
The Federal Government does identity vetting and verification for its employees. Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors directs the implementation of a new standardized identity badge designed to enhance security, reduce identity fraud, and protect personal privacy. To date, it has issued these cards to over 4 million employees and contractors.
These government employees should in this emerging ecosystem be able to use this government-issued credential if they need to verify their identities to commercial entities when they want to do business in the private sector.
There is a wide diversity of use cases and needs to verify identity transactions in cyberspace across the public and private sectors. All those covering this emerging effort would do well to stop just reacting to the words “National” “Identity” and “Cyberspace” being in the title of the strategy document but instead to actually talk to the agencies to understand real challenges they are working to address, along with the people in the private sector and civil society that have been consulted over many years and are advising the government on how to do this right.
I am optimistic that the forthcoming National Strategy and Program Office for Trusted Identities in Cyberspace will help a diverse identity ecosystem come into being, one that reduces costs (for governments and the private sector) along with increasing trust, and overall helps to make the internet a better place.
Thoughts on the National Strategy for Trusted Identities in Cyberspace
Update: This blog post was written while reading the first draft released in the Summer of 2010. A lot changed from then to the publishing of the document in April 2011.
Here is my answer to the NSTIC Governance Notice of Inquiry.
And an article I wrote on Fast Company: National! Identity! Cyberspace! Why you shouldn’t freak out about NSTIC.
Interestingly in paragraph two on the White House blog it says that NSTIC stands for “National Strategy for Trusted Initiatives in Cyberspace” rather than “National Strategy for Trusted Identities in Cyberspace”.
This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.
Open Identity for Open Government Explained
Today the United States Government with digital identity industry leaders announced the development of a pilot project with NIH and related agencies using two of the open identity technology standards OpenID and Information Cards.
This is, as a friend said to me, a “jump the shark moment” – these technologies are moving out from their technologists’ technology cave into mainstream adoption by government agencies. We are seeing the convergence of several trends transform the way citizens participate in and communicate with government:
- Top-down support for open government
- The proliferation of social media
- The availability of open identity technologies
The Obama administration open government memorandum called for transparency, participation, and collaboration, and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and videocasts.
Today there are over 500 government websites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government websites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.
The challenge is that supporting this kind of citizen interaction with government via the web means that identity needs to be solved. On the one hand you can’t just ask citizens to get a new user-name and password for all the websites across dozens of agencies that they log in to. On the other you also can’t have one universal ID that the government issues to you and works across all government sites. Citizens need a way to interact with their government pseudonymously & in the future in verified ways.
So how will these technologies work?
Those already familiar with OpenID know that typically when users log in with it they give their own URL – www.openIDprovider.com/username (see this slideshare of mine if you want to see OpenID 101). There is a little-known part of the OpenID protocol called directed identity: a user gives the name of their identity provider – Yahoo!, Google, MSN etc. – but not their specific identifier. They are redirected to their IdP, and in choosing to create a directed identity they get an identifier that is unique to the site they are logging into. It will be used by them again and again for that site but is not correlatable across different websites / government agencies. The good news is that it is like having a different user-name on each of these sites, but since the user is using the same IdP with different identifiers (unlinked publicly) connected to the same account, they just have to remember one password.
Information Cards are the new kids on the identity block in a way – this is their first major “coming out party” – and I am enthusiastic about their potential. They require a client-side tool called a selector that stores the user’s “digital cards”. Cards can be created by the end user OR third parties like an employer, financial institution, or school can also issue them.
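As an added illustration (not code from the original post or from any OpenID provider), the sketch below shows one way an IdP could derive directed identifiers: an HMAC over the account and the normalized relying-party realm, keyed with a secret only the IdP holds. The OpenID specification does not prescribe this derivation; the class name, URL layout, demo secret and sample realms are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
DEMO_SECRET = bytes(range(32))  # constructed demo key; a real IdP keeps a random, persistent secret


def normalize_realm(realm: str) -> str:
    """Reduce a relying-party URL to scheme://host[:port] so that trivial
    variations of the same site map to the same directed identifier."""
    parts = urlsplit(realm.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported realm: {realm!r}")
    host = parts.hostname.lower().rstrip(".")
    if parts.port is None or parts.port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"


class DirectedIdentityProvider:
    """Hypothetical IdP that hands each site a different identifier for the same account."""

    def __init__(self, base_url: str, secret: bytes):
        if len(secret) < 32:
            raise ValueError("secret must be at least 32 bytes")
        self.base_url = base_url.rstrip("/")
        self._secret = secret  # rotating this changes every identifier, so it must persist

    def classic_identifier(self, account: str) -> str:
        # The familiar OpenID form: one public URL shown to every site.
        return f"{self.base_url}/{account}"

    def directed_identifier(self, account: str, realm: str) -> str:
        # Length-prefix the account so (account, realm) pairs cannot collide.
        acct = account.encode("utf-8")
        msg = len(acct).to_bytes(4, "big") + acct + normalize_realm(realm).encode("utf-8")
        tag = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return f"{self.base_url}/id/{tag[:32]}"


def shared_identifiers(idp, accounts, realm_a, realm_b, directed=True):
    """Identifiers two sites would have in common if they compared user lists."""
    if directed:
        seen_a = {idp.directed_identifier(a, realm_a) for a in accounts}
        seen_b = {idp.directed_identifier(a, realm_b) for a in accounts}
    else:
        seen_a = {idp.classic_identifier(a) for a in accounts}
        seen_b = set(seen_a)  # a classic identifier is the same at every site
    return seen_a & seen_b


if __name__ == "__main__":
    idp = DirectedIdentityProvider("https://idp.example", DEMO_SECRET)
    site_a = "https://library.agency-a.example"   # constructed sample realms
    site_b = "https://forms.agency-b.example"
    print(idp.directed_identifier("alice", site_a))
    print(idp.directed_identifier("alice", site_b))
    print("overlap, classic :", len(shared_identifiers(idp, ["alice", "bob"], site_a, site_b, False)))
    print("overlap, directed:", len(shared_identifiers(idp, ["alice", "bob"], site_a, site_b, True)))
```

The identifier stays stable for return visits to one site, while two sites comparing their user lists find no common values.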
In essence, this initiative will help transform government websites from basic “brochureware” into interactive resources, saving individuals time and increasing their direct involvement in governmental decision making. OpenID and Information Card technologies make such interactive access simple and safe. For example, in the coming months the NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections.
Dr. Jack Jones, NIH CIO and Acting Director, CIT, notes, “As a world leader in science and research, NIH is pleased to participate in this next step for promoting collaboration among Assurance Level 1 applications. Initially, the NIH Single Sign-on service will accept credentials as part of an “Open For Testing” phase, with full production expected within the next several weeks. At that time, OpenID credentials will join those currently in use from InCommon, the higher education identity management federation, as external credentials trusted by NIH.”
In digital identity systems, certification programs that enable a site — such as a government agency — to trust the identity, security, and privacy assurances from an identity provider are called trust frameworks. The OIDF and ICF have worked closely with the federal government to meet the security, privacy, and reliability requirements set forth by the ICAM Trust Framework Adoption Process (TFAP), published on the IDManagement.gov website. By adopting OpenID and Information Card technologies, government agencies can cost effectively serve their constituencies in a more personalized and user friendly way.
“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon — it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”
Under the OIDF and ICF’s open trust frameworks, any organization that meets the technical and operational requirements of the framework will be able to apply for certification as an identity provider (IdP). These IdPs can then supply authentication credentials on behalf of their users. For some activities these credentials will enable the user to be completely anonymous; for others they may require personal information such as name, email address, age, gender, and so on. Open trust frameworks enable citizens to choose the identity technology, identity provider, and credential with which they are most comfortable, while enabling government websites to accept and trust these credentials. This approach leads to better innovation and lower costs for both government and citizens.
The government is looking to leverage industry based credentials that citizens already have to provide a scalable model for identity assurance across a broad range of citizen and business needs – doing this requires a trust framework to assess the trustworthiness of the electronic credentials; see Trust Framework Provider Adoption Process (TFPAP). A Trust Framework Provider is an organization that defines or adopts an online identity trust model involving one or more identity schemes, has it approved by a government or community such as ICAM, and certifies identity providers as compliant with that model. The OIDF and ICF will jointly serve as a TFP operating an Open Trust Framework as defined in their joint white paper, Open Trust Frameworks for Open Government.
Both the OpenID and Information Card Foundation have been working very hard on this for many months – last night I was fortunate to join their boards at a historic first-ever joint dinner.
There are two women in particular though who have driven this forward: Judith Spencer of the Federal Identity, Credential, and Access Management Committee on the government side and Mary Ruddy of Meristic Inc on the industry side. Both of them will be speaking about the project at the Gov 2.0 Summit on Thursday.
Personally this announcement shows how far things have come since I facilitated the first Internet Identity Workshop in 2005 with 75 idealistic identity technologists talking about big ideas for user-centric identity. I am really looking forward to discussing these developments at the forthcoming 9th Internet Identity Workshop in November.
Identity for Online Community Managers
I was asked by Bill Johnson of Forum One Networks to kick off the discussion on the next Online Community Research Network call this week with the topic Identity for Online Community Managers – drawing on the presentation that I put together for the Community 2.0 Summit. I cover the basics of how OpenID, OAuth and Information Cards work, who is “in” in terms of supporting the projects and what community managers/platforms can do. We will discuss the implications of these new identity and data sharing protocols on the call.
Web Finger! moving out into world
I love the Internet Identity Workshop! It is where innovative ideas are hatched, answers to hard problems are vetted and standards consensus emerges. This is just the latest in amazing collaborations that have emerged.
Web Finger was covered on Tech Crunch today with this headline – Google Points At WebFinger. Your Gmail Address Could Soon Be Your ID.
At IIW in May they had a session led by John Panzer. The notes were not filled out that much (All the Notes from IIW), but there is a whiteboard of their conversation and a link to what Google had up.
Chris Messina spliced it together
XRD the discovery protocol is part of how Web Finger works. This spun out of XRI.
TechCrunch didn’t explicitly pick up on the fact that Eran Hammer-Lahav has been a key collaborator and is at Yahoo! (they did link to the mailing list where he is posting). He has been really driving XRD forward lately.
All exciting stuff.
DiSo ideas are not that new.
Reading these:
A Perfect Storm Forming for Distributed Social Networking – Read Write Web
Evolution of Blogging – GigaOm
The Push Button Web – Anil Dash
The Inside Out Social Network – Chris Messina
The Future Social Web – Jeremiah Owyang
I realize how incredibly ahead of the times I was along with many of the people I have been working with on open standards identity and social web standards.
I wrote this describing open standards for distributed social networking online in April of 2004 for the Planetwork Conference (from Archive.org) that I was promoting.
———————— From Archive.org April 2004 ——————
In 2003 the Planetwork LinkTank white paper The Augmented Social Network: Building Identity and Trust into the Next-Generation Internet proposed weaving new layers of identity and trust into the fabric of the Internet to facilitate social networking for social good – online citizenship for the information age.
The LinkTank white paper outlined three main objectives:
- Establishing a new kind of persistent online identity that supports the public commons and the values of civil society.
- Enhancing the ability of citizens to form relationships and self-organize around shared interests in communities of practice and engage in democratic governance.
- Creating an Internet-wide system for more efficient and effective knowledge sharing between people across institutional, geographic, and social boundaries.
Currently each site with a login or membership profile is like an island, or at worst a walled castle, as no common inter-operation is possible among large numbers of them. Creating a truly interoperable network will require an explicit social agreement that governs the operation of the trusted network, and implementation of a new software protocol consistent with that agreement.
Identity Commons
[note this is a reference to the “first” Identity Commons – the current Identity Commons shares the values and some of the organizing principles of this first organization but evolved from it]
The Identity Commons is an open distributive membership organization, designed to develop and operate a common digital identity infrastructure standard based on the shared principle of protecting each user’s control of their own identity data. A common identity infrastructure must be embedded within a binding social agreement ensuring that the technology and its institutional users operate in accordance with core principles. In addition to developing this agreement, Identity Commons is managing the development and implementation of the new technology needed to achieve this as a fiscal project of Planetwork, a California 501(c)3 non-profit.
The Identity Commons is based on an implementation of two new OASIS standards:
XRI – a new identity addressing scheme fully compatible with URIs
XDI – specifies link contracts for shared use of data across the Internet
For more technical information see: http://xrixdi.idcommons.net
Once implemented, the Identity Commons infrastructure will:
- Give individuals, organizations, and even ad-hoc groups persistent addresses (digital identities) that can be used in many ways. Each party can decide what their own address links to, and who can follow the links.
- Provide single sign-on, enabling individuals to connect to multiple sites without having to provide a login and password to each.
- Empower user/citizens to manage their own consolidated profiles, which will be likely to stay up to date as everyone maintains only their own master copy.
- Generate network maps that enable communities to more efficiently understand their own membership, make connections, recognize patterns, filter messages, and self-organize around new topics and functions.
- Provide collaborative filtering services based on knowledge and reputation databases where contributors can also control their own level of anonymity.
- Enable group formation around common interests and affinities with reputation attributes for trusted communication, which could be the key to eliminate spam.
How is this different from what is already happening in the private sector?
Currently every web site has a privacy policy, but they vary widely, are rarely read, are only good until they are changed and are thus effectively useless.
The Identity Commons (IC) solves this by (1) replacing thousands of privacy policies with a single institutional membership agreement that simplifies the user experience. Every Identity Commons member site is party to a legally binding commitment that can only be changed by amending the IC membership agreement – which is governed by all IC members. And (2) by using electronic contracts to grant, record, and enforce data sharing across boundaries.
Ultimately there can only be one fully interoperable social network; just as email can travel anywhere on the Internet, your profile must also be able to do so. Microsoft would love to make this possible, and fully control it – their Passport system was designed to do just that. By hosting identity data for nearly everyone who has a computer Microsoft hopes to put themselves in the middle of every transaction they can.
In response to this, a group of large companies formed the Liberty Alliance which developed protocols that will allow institutions to “federate” data across company boundaries. Federation is an improvement over the Microsoft Passport model, however, both of these approaches treat individuals solely as consumers, and neither provide support for civil society, citizen collaboration or for individual citizens to control their own identity data.
The Identity Commons agreement and technical infrastructure is a way to correct this imbalance of power, allowing the Internet to fulfill its great potential as a “commons” in which individual citizens can interact freely and as equals everywhere on Earth.
————- end Identity Commons description from Planetwork’s 2004 site ———
Writing this document was the first work that I did as an evangelist for the proposed open standards for distributed digital identity to enable open distributed social networks.
I wrote it based on reading through all their work and listening to the vision that the founders of Identity Commons, and those working together for 2+ years, hoped for in the adoption of the open standards they were working on. These protocols are now all ratified in OASIS (one of three standards bodies for the internet, the other two being IETF and W3C) – XRI, XDI along with XRD/XRD that spun out of XRI as it became incorporated in OpenIDv2 as a key part of what makes it work.
Identity that is user owned, controlled and managed – and this includes the preferences, attention data, utterances, 1/2 of transaction data – is at the heart of what one needs to make this vision of distributed social networking work. I think until recently it has been misunderstood as esoteric and just talk. Amazing progress has been made since the early days of the identity gang: that community has grown and developed many of the conceptual understandings and protocols that are taken as givens.
Folks from the identity community (which perhaps should consider “updating” its name to the identity and social web community) invented – as in used for the first time these two words together, Social and Web – the SOCIAL WEB (according to Wikipedia)
With the title of this paper: The Social Web: Creating An Open Social Network with XDI
This paper was preceded by the Augmented Social Network: Building Identity and Trust into the Next Generation Internet
Like the Web or email, the ASN would be available to anyone. It would become a common part of the Internet infrastructure – a person-centered and group-centered service of the net. It will be implemented through the widespread adoption of technical protocols; any online community infrastructure could choose to be part of the ASN by implementing them. Central to its design are fundamental principles of openness, inclusivity, and decentralization — which are necessary for a thriving democracy. At the same time, the ASN would support the highest available forms of security to protect privacy.
The Identity Gang began talking/meeting in the later part of 2004 and has continued to meet in the Internet Identity Workshop.
There is much wisdom that these communities have developed that can be useful in moving / re-articulating the vision… to be sure lessons are to be learned from understanding more about why certain approaches/standards/proposed ways of doing things didn’t happen (yet).
I think the market wasn’t ready for what the identity community was saying. I have been evangelizing about this set of issues practically full time since 2004. In the first few years I would talk in a range of communities and at conferences about all these issues – user control, open standards, the danger of the potential emergence of large silos that locked users in – and people just “didn’t get” that it was an issue or that there was even a need for these kinds of standards. Now the market is finally ready.
The 9th Internet Identity Workshop is this November – and REGISTRATION IS OPEN!
There is a whole conversation on the DiSo list where I highlighted this context/history. There might be a beer meetup in Berkeley this evening at Triple Rock at 7:30.
Getting OpenID to work – when oh when?
Joseph Boyle who came to our identity panel at sxsw and then joined us for lunch has been sharing with me some of his OpenID challenges. These happen all the time – ALL THE TIME. Thing is – he is a tech guy and he still can’t get any of this to work. I asked him to document his challenges so I could share them with you – he sent this to me and O’Reilly tech folks (that was where he was trying to login)… I am hoping that these UI issues can be resolved soon.
I was going to sign up at:
https://en.oreilly.com/webexsf2009/user/account/signup/attendee#
and saw a Sign up with an OpenID option. Since I’m interested in OpenID, I thought I’d try to use an OpenID associated with one of my Yahoo or Google accounts, but this is proving more difficult than I expected.
I did manage to find Yahoo’s page for turning on OpenID support for my Yahoo account and did this, getting response:
Feeling geeky?
When you log in to a website that supports OpenID login we’ll send your OpenID identifier to the website so it can identify you.
To make things easy, we have generated this identifier for you:
https://me.yahoo.com/a/T_HpXDQkssQpI_sR……………………..
You don’t need to save this identifier. While logging in to websites, you can simply look for a Yahoo! button or type yahoo.com in the OpenID text field. You can also choose additional custom identifiers for your Yahoo! account below.
Not geeky enough, apparently, as pasting the Yahoo-provided identifiers into your OpenID box gives errors:
Unable to find OpenID server for ‘https://me.yahoo.com/a/T_HpXDQkssQpI_sR…………………….’
Unable to find OpenID server for ‘http://www.flickr.com/photos/josephboyle’
Help! What am I doing wrong? Thanks, Joseph Boyle
The Ups and Downs of electronic surveillance litigation
Creepy Creepy from Slashdot:
The US government is seeking unprecedented access to private communications between citizens. ‘On October 8, 2007, the United States Court of Appeals for the Sixth Circuit in Cincinnati granted the government’s request for a full-panel hearing in United States v. Warshak case centering on the right of privacy for stored electronic communications. … the position that the United States government is taking if accepted, may mean that the government can read anybody’s email at any time without a warrant.
On the ‘up side’ from the Washington Post:
The AT&T whistle blower Mark Klein is in Washington this week to share his story in the hope that it will persuade lawmakers not to grant legal immunity to telecommunications firms that helped the government in its anti-terrorism efforts.
“If they’ve done something massively illegal and unconstitutional — well, they should suffer the consequences,” Klein said. “It’s not my place to feel bad for them. They made their bed, they have to lie in it. The ones who did [anything wrong], you can be sure, are high up in the company. Not the average Joes, who I enjoyed working with.”
His story as articulated by the Post is as follows:
The job entailed building a “secret room” in an AT&T office 10 blocks away, he said. By coincidence, in October 2003, Klein was transferred to that office and assigned to the Internet room. He asked a technician there about the secret room on the 6th floor, and the technician told him it was connected to the Internet room a floor above. The technician, who was about to retire, handed him some wiring diagrams.
“That was my ‘aha!’ moment,” Klein said. “They’re sending the entire Internet to the secret room.”
The diagram showed splitters, glass prisms that split signals from each network into two identical copies. One fed into the secret room, the other proceeded to its destination, he said.
“This splitter was sweeping up everything, vacuum-cleaner-style,” he said. “The NSA is getting everything. These are major pipes that carry not just AT&T’s customers but everybody’s.”
One of Klein’s documents listed links to 16 entities, including Global Crossing, a large provider of voice and data services in the United States and abroad; UUNet, a large Internet provider in Northern Virginia now owned by Verizon; Level 3 Communications, which provides local, long-distance and data transmission in the United States and overseas; and more familiar names such as Sprint and Qwest. It also included data exchanges MAE-West and PAIX, or Palo Alto Internet Exchange, facilities where telecom carriers hand off Internet traffic to each other.
“I flipped out,” he said. “They’re copying the whole Internet. There’s no selection going on here. Maybe they select out later, but at the point of handoff to the government, they get everything.”
Qwest has not been sued because of media reports last year that said the company declined to participate in an NSA program to build a database of domestic phone-call records out of concern about its legality. What the documents show, Klein contends, is that the NSA apparently was collecting several carriers’ communications, probably without their consent.
Another document showed that the NSA installed in the room a semantic traffic analyzer made by Narus, which Klein said indicated that the NSA was doing content analysis.
From Slashdot: Most Scary to Least Scary
FBI datamining for more than just terrorists:
“Computerworld reports that the FBI is using data mining programs to track more than just terrorists. The program’s original focus was to identify potential terrorists, but additional patterns have been developed for identity theft rings, fraudulent housing transactions, Internet pharmacy fraud, automobile insurance fraud, and health-care-related fraud. From the article: ‘In a statement, Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, said the report [on the data mining] was four months late and raised more questions than it answered. The report “demonstrates just how dramatically the Bush administration has expanded the use of [data mining] technology, often in secret, to collect and sift through Americans’ most sensitive personal information,” he said. At the same time, the report provides an “important and all-too-rare ray of sunshine on the department’s data mining activities,” Leahy said. It would give Congress a way to conduct “meaningful oversight” he said.'”
from the just-forward-your-mail-to-homeland-security dept:
“You probably already knew that the FBI was data mining Americans in the “search” for potential terrorists, but did you know that they’re also supposed to be looking for people in the U.S. engaged in criminal activity that is not really supposed to be the province of the federal government? Now the feds are alleged to be data mining for insurance fraudsters, identity thieves, and questionable online pharmacists. That’s what they’re telling us now. What else could they be looking for that they are not telling us about?”
From the is-that-anything-like-the-lime-in-the-coconut dept:
“The kernel meets The Colonel in a just-published Microsoft patent application for an Advertising Services Architecture, which delivers targeted advertising as ‘part of the OS.’ Microsoft, who once teamed with law enforcement to protect consumers from unwanted advertising, goes on to boast that the invention can ‘take steps to verify ad consumption,’ be used to block ads from competitors, and even sneak a peek at ‘user document files, user e-mail files, user music files, downloaded podcasts, computer settings, [and] computer status messages’ to deliver more tightly targeted ads.”
From the how much can you remember department:
The research reveals that the average citizen has to remember five passwords, five pin numbers, two number plates, three security ID numbers and three bank account numbers just to get through day to day life.
Six out of ten people claimed that they suffer from “information overload,” stating that they need to write these numbers down in order to remember them.
However, more than half of the 3000 people surveyed admitted to using the same password across all accounts, leaving them at risk of potentially severe security breaches.
Professor Ian Robertson, a neuropsychology expert based at Trinity College Dublin who carried out the study, said: “People have more to remember these days, and they are relying on technology for their memory.
“But the less you use of your memory, the poorer it becomes. This may be reflected in the survey findings which show that the over 50s who grew up committing more to memory report better performance in many areas than those under 30 who are heavily reliant on technology to act as their day to day aide memoir.”
Who owns that copy?:
‘Copyfraud is everywhere. False copyright notices appear on modern reprints of Shakespeare’s plays, Beethoven’s piano scores, greeting card versions of Monet’s Water Lilies, and even the US Constitution. Archives claim blanket copyright in everything in their collections. Vendors of microfilmed versions of historical newspapers assert copyright ownership. These false copyright claims, which are often accompanied by threatened litigation for reproducing a work without the owner’s permission, result in users seeking licenses and paying fees to reproduce works that are free for everyone to use…'”
Second Life – the real picture emerges:
The LA Times is running a story today saying that marketers are pulling out of Second Life, primarily because — surprise, surprise — the ‘more than 8 million residents’ figure on the game’s Web site is grossly inflated. Also, as it turns out, the virtual world’s regular visitors — at most 40,000 of them online at any time — are not only disinterested in in-world marketing, but actively hostile to it, staging attacks on corporate presences such as the Reebok and American Apparel stores.
THIS IS FUN:
RunBot Robot Walks:
“The basic walking steps of Runbot, which has been built by scientists co-operating across Europe, are controlled by reflex information received by peripheral sensors on the joints and feet of the robot, as well as an accelerometer which monitors the pitch of the machine. These sensors pass data on to local neural loops – the equivalent of local circuits – which analyse the information and make adjustments to the gait of the robot in real time.”
THIS IS GOOD NEWS:
from the free-at-last dept:
“IBM is making it easier to utilize its patented intellectual property to implement nearly 200 standards in the SOA, Web services, security and other spaces. Under a pledge issued by the company Wednesday, IBM is granting universal and perpetual access to intellectual property that might be necessary to implement standards designed to make software interoperable. IBM will not assert any patent rights to its technologies featured in these standards. The company believes its move in this space is the largest of its kind.”
XFN, Liberty 2.0 and OpenID UX
Eran Sandler has two great posts about identity and OpenID. One links to my post on “the network of Me.” He asks if we can do ‘creative things’ with XFN and identities. I personally don’t want my identifier in anyone else’s XFN file. I want to be asked by the person if I want my relationship with them expressed in a new context. All our relationships do not exist in all contexts….there is however often a lot of overlap between people with whom we share multiple contexts – making these relationships traverse contexts in a privacy protecting and non-annoying way is the challenge. I hope that people interested in how identities, social graphs and social portability will go to the Free Liberty 2.0 meeting on January 22 to learn more about their proposed open standard for this.
He also blogs eloquently about the still emerging challenge of UI and OpenID adoption.
I keep on seeing two distinct ways that are common in such sites/services (at least in the sites that I’ve visited).
The first, is to separate the OpenID handling to a different page. In that page the process of sign-in/up is actually the same. If this is your first time of signing in with your OpenID it will actually transform itself to a sign-up process and may ask you a couple of questions and may interact with your OpenID provider.
The second, OpenID is integrated only in the Sign-In screen. If you sign in with an OpenID for the first time you will actually get a sign-up process and you may be asked a few questions and have an interaction with your OpenID provider.
The best place, of course, is to have OpenID in both the Sign-In and Up screens, if a user that does have an OpenID reaches any one of these screens the scenario of signing in for the first time (or not for the first time) will work no matter where he is.
What do you think? How would you design these processes that will still fit to your site/service and still support in a clear and obvious way OpenID?
There is an emerging community that is focused on User Experience. I hope that Eran and others who care about this join up. We need all the UX brains we can get on this not easy to solve puzzle.
i-names work in OpenID logins too
It should be noted, for all of you coming from O’Reilly’s Radar, that OpenID (the latest version) does accept i-names and identity provider URLs (this is the Sxip way of identity provision).
One of the reasons that i-names are cool is that they have persistence in a way that URLs have some challenges with in the long run. An i-name can be transferred to a new person, but the i-number underneath it cannot. If you are using a domain name as your identifier and you don’t renew it, the new owner of the URL can use it to sign in to places where you have had accounts.
i-names also have a nicer syntax and hopefully work for the internet users who may never get that they can use URLs to log in.
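The takeover risk described above, as an added example (not code from OpenID, XRI or any i-name broker): one site keys accounts on the reassignable name, the other on the persistent identifier the name resolves to. The `Resolver` table, the names and the i-number-style values are all constructed for illustration.

```python
"""Added illustration: account keyed on a reassignable name vs. a persistent id."""


class Resolver:
    """Constructed stand-in for name resolution: name -> persistent identifier."""

    def __init__(self):
        self._names = {}

    def register(self, name, persistent_id):
        # Re-registering a lapsed name simply points it at the new holder's id.
        self._names[name] = persistent_id

    def resolve(self, name):
        return self._names[name]


class NameKeyedSite:
    """Weak design: whoever currently controls the name gets the account."""

    def __init__(self):
        self.accounts = {}

    def sign_in(self, name, resolver):
        resolver.resolve(name)  # proves only that the name resolves today
        return self.accounts.setdefault(name, {"owner_data": []})


class PersistentKeyedSite:
    """Stronger design: the persistent id is the key, the name is only a label."""

    def __init__(self):
        self.accounts = {}
        self.last_seen = {}  # name -> persistent id observed at the last sign-in

    def sign_in(self, name, resolver):
        pid = resolver.resolve(name)
        previous = self.last_seen.get(name)
        reassigned = previous is not None and previous != pid
        self.last_seen[name] = pid
        # A reassigned name lands in a fresh account; the flag can drive an alert.
        return self.accounts.setdefault(pid, {"owner_data": []}), reassigned


def run_scenario():
    resolver = Resolver()
    weak, strong = NameKeyedSite(), PersistentKeyedSite()

    # Original holder registers a name and uses both sites (constructed values).
    resolver.register("=alice.example", "=!1111.AAAA")
    weak.sign_in("=alice.example", resolver)["owner_data"].append("alice's documents")
    account, _ = strong.sign_in("=alice.example", resolver)
    account["owner_data"].append("alice's documents")

    # The name lapses and is registered by someone else with a different id.
    resolver.register("=alice.example", "=!2222.BBBB")
    weak_account = weak.sign_in("=alice.example", resolver)
    strong_account, flagged = strong.sign_in("=alice.example", resolver)

    # The original holder picks a new name; her persistent id is unchanged.
    resolver.register("=alice.new", "=!1111.AAAA")
    recovered, _ = strong.sign_in("=alice.new", resolver)

    return {
        "name_keyed_takeover": weak_account["owner_data"] == ["alice's documents"],
        "persistent_takeover": strong_account["owner_data"] != [],
        "reassignment_flagged": flagged,
        "original_owner_recovers": recovered["owner_data"] == ["alice's documents"],
    }


if __name__ == "__main__":
    print(run_scenario())
```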
UX and OpenID the hiccups are beginning
The weather that Tom brings us on OpenID is mixed but good in the long run. He says that community is what counts 🙂
Here’s what I learned enabling the sites with OpenID:
The Good: OpenID registration is a beautiful thing. The legacy registration page on Stuffopolis can be scrapped. Once that happens, validating email addresses, requiring passwords and lost password security questions for new members will be forever outsourced to the OpenID providers (those that your website trusts).
The Bad: When introducing OpenID, it is a breeze for new members coming to the site, but it can be a little confusing for existing members who registered with the legacy credentials. When those existing members find out about the OpenID option, instead of logging in with the legacy credentials to add the OpenID to their account, they often log in with their new OpenID instead. This log-in will attempt to create a new account by fetching simple registration data from their identity provider. If their email address (sent by their identity provider) matches the one already registered with their legacy account, they can be given some instructions, but sometimes it doesn’t match and now we have a problem because if they go back and log in with the legacy credentials, they can’t associate their new OpenID to it because another account (the one they accidentally created) now has that OpenID.
Update 12/17: What I need to do is when a member goes to his profile page and attempts to modify his OpenID, after a successful OpenID authentication, if the site detects that there is another account with the same OpenID, then the site will ask the member to confirm that he wants the other account deleted, making sure there is only one account with that OpenID.
The Ugly: Now that some popular open source packages (wordpress, mediawiki, phpBB) support OpenID, the software should honor each other’s OpenID sessions so that someone who logs into mediawiki with his OpenID doesn’t get presented with an OpenID login form when he visits phpBB, for instance. Although this isn’t a huge problem, it is a little ugly and it seems it will require a standard way of registering OpenID apps on a system so that an OpenID session state change in one app will inform the others.
In a nutshell: OpenID is still immature, but it has an extraordinarily committed community behind it and when it comes to software, that’s what counts.
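The duplicate-account problem and the 12/17 rule quoted above, as an added example (not Stuffopolis code): first OpenID login, the e-mail-match hint, and the confirm-before-delete step on the profile page. `AccountStore`, its method names and the sample identifiers are hypothetical; treating the provider's e-mail as a hint only is an assumption of this sketch.

```python
"""Added illustration of OpenID account linking; all names are hypothetical."""


class AccountStore:
    def __init__(self):
        self.accounts = {}   # account_id -> {"email": str, "openid": str or None}
        self.by_openid = {}  # verified OpenID identifier -> account_id
        self._next_id = 1

    def _new(self, email, openid=None):
        account_id = self._next_id
        self._next_id += 1
        self.accounts[account_id] = {"email": email, "openid": openid}
        if openid is not None:
            self.by_openid[openid] = account_id
        return account_id

    def create_legacy(self, email):
        """Account registered through the legacy username/password form."""
        return self._new(email)

    def openid_login(self, openid, provider_email):
        """Call only after the OpenID authentication itself has succeeded."""
        if openid in self.by_openid:
            return "signed_in", self.by_openid[openid]
        for account_id, acct in self.accounts.items():
            if acct["openid"] is None and acct["email"] == provider_email:
                # Matching e-mail: show instructions instead of creating a
                # second account. The match is a hint, never an automatic link.
                return "instruct_legacy_login", account_id
        return "created", self._new(provider_email, openid)

    def attach_openid(self, account_id, openid, confirm_delete_other=False):
        """Profile-page action: the member is signed in to account_id and has
        just completed a successful OpenID authentication for `openid`."""
        other = self.by_openid.get(openid)
        deleted = None
        if other is not None and other != account_id:
            if not confirm_delete_other:
                return "confirm_required", other
            del self.accounts[other]  # the accidentally created account
            deleted = other
        old = self.accounts[account_id]["openid"]
        if old is not None and old != openid:
            self.by_openid.pop(old, None)  # drop the stale binding
        self.accounts[account_id]["openid"] = openid
        self.by_openid[openid] = account_id
        return "attached", deleted


def run_scenario():
    store = AccountStore()
    legacy = store.create_legacy("member@example.org")  # constructed data
    oid = "https://openid.example/member"               # constructed identifier

    # Provider sends the same e-mail: no duplicate, the member gets instructions.
    hint = store.openid_login(oid, "member@example.org")
    # Provider sends a different e-mail: the accidental second account appears.
    created = store.openid_login(oid, "other@example.net")

    # Back on the legacy account's profile page, after OpenID authentication.
    first_try = store.attach_openid(legacy, oid)
    confirmed = store.attach_openid(legacy, oid, confirm_delete_other=True)

    owners = [a for a, acct in store.accounts.items() if acct["openid"] == oid]
    after = store.openid_login(oid, "other@example.net")
    return hint, created, first_try, confirmed, owners, after


if __name__ == "__main__":
    print(run_scenario())
```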
What is a Barrier to Entry – OpenID
This comment was posted by Vivek Puri at the bottom of Ramana’s post (quoted above).
OpenID is great idea, but adds another layer of complexity for early adopters. This might not go down well with the startups who can end up losing important initial users. Also bigger companies like Google will offer Single Sign-on only for their own apps which becomes another point of disconnect. In my case I use Writely for document editing, Editgrid for spreadsheet, and del.icio.us for bookmarks which is a pain to manage.
As for offline usage, that is a very much required feature. Especially Writely should be able to implement that part easily since they have already cracked the algorithm for multi-user data edit and sync. Groove networks does offer that feature but is not for individual.
I guess there is some miscommunication in what OpenID is and how it actually lowers the barrier to entry to try new Office 2.0 applications.
This is how I see it.
I have my blog URL that is OpenID enabled or I have an i-name. I now can go to any one of the new groovy Office 2.0 applications and, instead of getting yet another login and password, I just use my OpenID. I don’t have to put it into that spreadsheet of all my names and passwords or just use the same one I use everywhere that is totally insecure. Instead I bring my identity to the site. I save time. If I am an early adopter type I will likely get an OpenID relatively quickly and it will be a handy fast way for me to try these things out. Of course Office 2.0 applications should not force people to have OpenIDs; those who want yet another user name and password can have one.
I know personally I avoid signing up for anything new that requires yet another login. I would be more inclined to try out an Office 2.0 application that has OpenID as a login option.
I think all these Office 2.0 companies can collectively compete with the big silos by offering SSO amongst themselves.
OpenID on the "edge of greatness"
Here are some of the great quotes about OpenID this week –
Tom in Austin says:
I’m a big fan of OpenID and I think it’s on the edge of greatness.
Norman Walsh:
Next time you build a web application that needs a login, consider OpenID.
btbytes:
Perhaps in future, sign-up fatigue will keep people away from signing up to new services. Providing OpenID option is very welcome.
Amblin:
You can now sign in with an OpenID when you leave comments on the blog. Why did I add this? To do my little part to try and break some of the ID silos.
Identity Open Space – Sept 11, Santa Clara
So we have had a fabulous series of open space events since May’s Internet Identity Workshop: the Identity Mashup at Berkman 3rd Day Open Space and the Post Liberty Alliance Identity Open Space specifically, but identity was also a major theme at Mashup Camp, which had 5 sessions on identity, and at OSCON and OSCamp.
I think one of the reasons things have been developing rapidly is because of the open opportunities to address critical issues and reflect as a community on next steps. So there is another one coming up before the next Internet Identity Workshop in December.
The Monday of Digital Identity World’s start we are hosting an Identity Open Space at the Santa Clara Convention Center. It will begin at 9am with agenda creation with sessions starting at 9:30 going until 3 when DIDW officially starts.
The cost is $25 just to cover lunch – so we can eat on site. Please sign up here… and add your name to the wiki and post suggested topics you bring to the conversation.
You also get a discount on attending Digital Identity World if you come to the Identity Open Space.
I know it is a bit of a challenge to travel on Sunday but I hope those of you from out of town will choose to do that. Hopefully we can get lots of folks working on new web tools who might be able to actually use user-centric identity. Besides, who wants to get on a plane on September 11th?
Yet another digital identity protocol – YADIP:pass.net
I just met Alex Jacobs this morning. He told me his new protocol for identity would be live within hours. It is now live.
It uses e-mail addresses (like so many sites) but users only have to authenticate their e-mail once.
How it works
1. User gives you their email address e.g. john@example.com.
2. You post the email address, requested data, and a secret confirmation URL to the user’s mail domain e.g. in python: (see their site)
Arrival at etech – Lanyard Mashup and iname postcards
I just got into San Diego for eTech. I am in a very enjoyable tutorial by the Adaptive Path guys on Designing Web 2.0 applications.
The prime insight is that they are both informational hypertext systems and applications with a software interface. One must look at this duality throughout the development of the site on the stack from the most abstract – Strategy through Scope, structure, skeleton, surface – the most concrete.
I also got my 10th Sxip lanyard. I have taken the liberty to do a Mashup, adding the other Identity 2.0 protocols – OpenID, LID, inames, Yadis and front and center ID Gang. I took a photo you can see here.
We have new iname postcards promoting the developer portal that was launched today – content will be improving as the community contributes more.
Oh yes and as if that was not enough – we get to Sxip into our rooms – here is Phil with his Sxip Key. Maybe it is ‘sign’ that Sxip will work with infocards – they just did an STS exchange to issue us all hotel room keys. – this is of course an allusion to the presentation that Andre of Ping did at Digital Identity World last year where he went through the whole process of checking into the hotel and doing STS’s in analogue space.
we must be wary of the lawyers
The lawyers have learnt their lesson now…When the next disruptive communications technology – the next worldwide web – is thought up, the lawyers and the logic of control will be much more evident. That is not a happy thought.
From Slashdot. More from the article it refers to
Why is the web unlikely? Prepare for a moment of geek-speak. For most of us, the web is reached by general-purpose computers that use open protocols – standards and languages that are owned by no one – to communicate with a network (there is no central point from which all data comes) whose mechanisms for transferring data are also open.
Takeaways – Open and Free.