Kim Cameron and the Philosophy of Privacy: (iCards, pt 5)

I’m currently trapped on the six-hour flight out west to join the rest of the Identity crowd at this year’s Internet Identity Workshop, so I thought I’d use the time to write my final post on the history of iCards. Fittingly, the subject of this post is the father (grandfather?) of iCards, Microsoft’s own Identity Architect in residence, Kim Cameron.

Many people know (of) Kim from his Seven Laws of Identity, but Kim’s story (like most of the participants in the community) starts much earlier. Kim began his career in academia teaching Sociology (he had concentrated in both Sociology and Math/Physics), an occupation that he loved (teaching), but a subject that he soon became disillusioned with (as he said, “There was never any way to prove who was right”). Like any disillusioned sociology professor, he did the natural thing and started a reggae band (no, I’m NOT making this up), called the Limbo Springs, and proceeded to tour the East coast of Canada and the US for the next 7 years.

Having come off his 1981 sold-out stadium tour promoting the multi-platinum “MetaLimbo” (okay, THAT I made up, but JUST that), he returned to Canada to teach assembly language at George Brown College, Canada’s largest community college (as he explains, technology was always his fall-back when he needed money—sounds familiar!). It wasn’t long, however, until he realized that teaching technology wasn’t what he wanted to do long-term, so he and the head of the IT department decided to start a technology business. As he explains, they were dead broke at the time (as, by the way, it seems everyone in this space is broke at some time or another—I, myself, like to go broke about once every four years), so they did what any broke technologist would do and started consulting.

Kim and his partner were obviously quite good at what they did, because they built this nascent technology company into a 40-person outfit by 1992, which was when Kim first encountered the problem of Identity (How many of YOU can say THAT?!). The issue of Identity arose when he was trying to build an email directory for Sprint’s 60,000 employees. The problem was that those 60,000 employees had 150,000 email addresses (it was common to have an email address with every ISP at the time). The question was how to associate each of those email addresses with the correct person in the directory.

If you know anything about Kim or his company, you will recognize this was his first foray into the technology that would put Zoomit on the map (and eventually in Redmond as part of Microsoft)—the metadirectory. Metadirectory technology arose out of the need to simplify the management of people and software in the enterprise. Any time someone joins a company, they have to be given access to any number of applications and other digital assets. The larger the corporation and the more wired it is, the larger this problem becomes. How can an administrator set up 25 accounts for every person at a company that hires 10,000 employees a year? Better yet, how can an administrator ensure that access has been properly removed at a company that fires that many people in a year?

To solve this problem, Kim and the Zoomit team came up with the concept of a “metadirectory”. Metadirectory software essentially tries to find correlation handles (like a name or email address) across the many heterogeneous systems in an enterprise, so network admins can determine who has access to what. Once the records belonging to one person have been matched up, it transforms each system’s own attributes into a common form that the metadirectory understands. The network admin can then use the metadirectory to assign and remove access from a single place.
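
The correlation-and-normalization step described above, together with the deprovisioning question from the previous paragraph, as an added example that is not Zoomit, VIA or Microsoft code: three constructed exports with different schemas (HR, mail, Unix; the field names are assumptions about what such systems emit) are transformed into one claim shape, records sharing any handle are merged into one identity, and the merged view is then used to list accounts whose owner HR has never heard of or has terminated.

```python
"""Toy metadirectory: correlate accounts across heterogeneous systems and find
access that should have been removed.

Added example, not Zoomit/VIA or Microsoft code. The three exports below are
constructed, and their field names are assumptions about what each system emits.
"""
from collections import defaultdict

# Constructed sample exports. Each system has its own schema and its own idea of a handle.
HR_RECORDS = [
    {"emp_id": "E100", "full_name": "Ada Lovelace", "work_email": "Ada.Lovelace@example.com", "status": "active"},
    {"emp_id": "E101", "full_name": "Charles Babbage", "work_email": "cbabbage@example.com", "status": "terminated"},
]
MAIL_ACCOUNTS = [
    {"mailbox": "ada.lovelace@example.com", "aliases": ["ada@example.com"]},
    {"mailbox": "cbabbage@example.com", "aliases": []},
    {"mailbox": "grace.hopper@example.com", "aliases": []},  # nobody in HR owns this one
]
UNIX_ACCOUNTS = [
    {"login": "alovelace", "gecos": "Ada Lovelace,,,", "email": "ada@example.com"},
    {"login": "cbabbage", "gecos": "Charles Babbage,,,", "email": "cbabbage@example.com"},
]


def normalize_email(addr):
    """E-mail is the correlation handle, so it must compare the same way everywhere."""
    return addr.strip().lower()


def to_claims(system, record):
    """Transform one system-specific record into the metadirectory's common shape:
    the handles it can be joined on, plus the attributes it asserts."""
    if system == "hr":
        return {"system": system, "handles": {normalize_email(record["work_email"])},
                "claims": {"employee_id": record["emp_id"], "name": record["full_name"],
                           "status": record["status"]}}
    if system == "mail":
        handles = {normalize_email(record["mailbox"])} | {normalize_email(a) for a in record["aliases"]}
        return {"system": system, "handles": handles, "claims": {"mailbox": record["mailbox"]}}
    if system == "unix":
        return {"system": system, "handles": {normalize_email(record["email"])},
                "claims": {"login": record["login"], "name": record["gecos"].split(",")[0]}}
    raise ValueError(f"unknown system {system!r}")


def correlate(sources):
    """Join records that share any handle into one identity (union-find over handles)."""
    parent = {}

    def find(h):
        while parent.setdefault(h, h) != h:
            parent[h] = parent[parent[h]]  # path halving
            h = parent[h]
        return h

    entries = [to_claims(system, rec) for system, recs in sources.items() for rec in recs]
    for entry in entries:  # a record carrying several handles links all of them
        first, *rest = sorted(entry["handles"])
        for h in rest:
            parent[find(h)] = find(first)
    identities = defaultdict(lambda: {"handles": set(), "accounts": defaultdict(list)})
    for entry in entries:
        root = find(next(iter(entry["handles"])))
        identities[root]["handles"] |= entry["handles"]
        identities[root]["accounts"][entry["system"]].append(entry["claims"])
    return list(identities.values())


def access_gaps(identities, authoritative="hr"):
    """Accounts with no active owner: the person is unknown to the authoritative
    system, or that system says they have left. This is the deprovisioning report."""
    gaps = []
    for ident in identities:
        hr = ident["accounts"].get(authoritative, [])
        if any(r["status"] == "active" for r in hr):
            continue
        reason = hr[0]["status"] if hr else "no HR record"
        for system, records in ident["accounts"].items():
            if system != authoritative:
                gaps.extend((system, r, reason) for r in records)
    return gaps


def build_view():
    return correlate({"hr": HR_RECORDS, "mail": MAIL_ACCOUNTS, "unix": UNIX_ACCOUNTS})


if __name__ == "__main__":
    for ident in build_view():
        print(sorted(ident["handles"]), dict(ident["accounts"]))
    for system, record, reason in access_gaps(build_view()):
        print(f"REMOVE {system} account {record} ({reason})")
```

The join is only as good as the handles: a metadirectory that keys on display names will merge two different “J. Smith”s, and one that trusts the e-mail field in every connected system inherits every typo in them, which is why the example lowercases addresses and lets a single authoritative feed decide who is still active.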

Zoomit released their commercial metadirectory software (called “Via”) in 1996 and proceeded to clean the clock of larger competitors like IBM for the next few years, until Microsoft acquired the company in the summer of 1999. Now anyone who is currently involved in the modern identity movement and the issues of “data portability” that surround it has to be feeling a sense of déjà vu, because these are EXACTLY the same problems that we are now trying to solve on the internet—only THIS time we are trying to take control of our OWN claims that are spread across innumerable heterogeneous systems that have no way to communicate with each other. Kim’s been working on this problem for SIXTEEN years—take note!

When I asked Kim what his single biggest realization about Identity in the 16 years since he started working on it was, he was slow to answer, but definitive when he did—privacy. You see, Kim is a philosopher as well as a technologist. He sees information technology (and the internet in particular) as a social extension of the human mind. He also understands that the decisions we make as technologists have unintended as well as intended consequences. Now creating technology that enables a network administrator to understand who we are across all of a company’s systems is one thing, but creating technology that allows someone to understand who we are across the internet, particularly as more and more of who we are as humans is stored there, and particularly if that someone isn’t US or someone we WANT to have that complete view, is an entirely different problem.

Kim has consistently been one of the strongest advocates for obscuring ANY correlation handles that would allow ANY Identity Provider or Relying Party to have a more complete view of us than we explicitly give them. Some have criticized his concerns as overly cautious in a world where “privacy is dead”. When you think of your virtual self as an extension of your personal self, though, and you realize that the line between the two is becoming increasingly obscured, you realize that if we lose privacy on the internet, we, in a very real sense, lose something that is essentially human. I’m not talking about the ability to hide our pasts or to pretend to be something we’re not (though we certainly will lose that). What we lose is that private space that makes each of us unique. It’s the space where we create. It’s the space that continues to ensure that we don’t all collapse into one.
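
One way to obscure a correlation handle, as an added example rather than CardSpace’s or Higgins’ own identifier algorithm: the card holds a random secret that never leaves the selector, and the identifier sent to each Relying Party is a keyed hash of that RP’s identity, so it is stable for one site but cannot be matched across sites by anyone without the secret. The RP identity strings, claim names and the card below are constructed; identifying an RP by its origin is an assumption of the example. It also reports which of the other released claims would still let two RPs join their records, since the pseudonym alone buys nothing if the same e-mail address travels with it.

```python
"""Per-RP pairwise pseudonyms so neither an Identity Provider nor a set of
Relying Parties can correlate one user across sites.

Added example, not CardSpace or Higgins code. RP identity strings, claim
names and the sample card are constructed; keying on the RP's origin is an
assumption of this example.
"""
import base64
import hashlib
import hmac
import secrets


def new_card(claims):
    """A self-issued card: the user's claims plus a random secret that stays in the selector."""
    return {"secret": secrets.token_bytes(32), "claims": dict(claims)}


def canonical_rp(rp_identity):
    """Normalize the RP identity so 'HTTPS://Blog.Example/' and 'https://blog.example' agree.
    Assumption: RPs are identified by origin (a certificate identity would work the same way)."""
    return rp_identity.strip().lower().rstrip("/").encode()


def pairwise_id(card_secret, rp_identity):
    """HMAC(secret, rp): stable for one RP, unlinkable across RPs without the secret."""
    digest = hmac.new(card_secret, canonical_rp(rp_identity), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def release_token(card, rp_identity, requested_claims):
    """Minimal disclosure: the RP-specific pseudonym plus only the claims the RP asked for."""
    token = {"ppid": pairwise_id(card["secret"], rp_identity)}
    for name in requested_claims:
        if name in card["claims"]:
            token[name] = card["claims"][name]
    return token


def correlatable_fields(tokens):
    """Fields whose (name, value) pair is identical in every token: the handles a group of
    colluding RPs could still use to join their records. A correct ppid never shows up here."""
    shared = set.intersection(*(set(t.items()) for t in tokens))
    return sorted(name for name, _ in shared)


if __name__ == "__main__":
    card = new_card({"givenname": "Ada", "email": "ada@example.com"})
    blog = release_token(card, "https://blog.example", ["givenname"])
    shop = release_token(card, "https://shop.example", ["givenname", "email"])
    print("blog sees", blog)
    print("shop sees", shop)
    print("joinable on", correlatable_fields([blog, shop]))
```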

Well, on that rather heady note, I’ll end this look into the history of iCards. I for one, however, am glad that, as we explore this space and redefine what it is to be a person, we have someone like Kim deeply involved. I want to move forward as much as anyone, but I also understand that we are touching on what it means to be a person in the 21st century, and when dealing with the core of humanity, we ought to be most careful about any unintended consequences we may produce. Next up, the “original” identity metasystem, the Liberty Project, and the lightweight alternative that is taking the internet by storm, OpenID.


Becoming an RP with the Pamela Project (pt. 2)

Okay. So when I last posted I was waiting for my SSL cert to get installed and I left to enjoy the rest of the day with my wife and daughter. Good choice, as there were still a fair number of obstacles ahead of me. When I returned from my walk, the superstars at Bluehost had emailed me with the good news that my SSL cert had been installed. This was VERY good news, as installing an SSL certificate is NOT something to be done by mere mortals (see Mike’s post here–and HE’S not even MORTAL!)

Having my brand new certificate installed, I was anxious to take it out for a spin. I went to the SSL manager in my Bluehost control panel, and lo and behold, they were NOT lying… there was my certificate. I clicked on the link to view my private key. This is what I saw in my Bluehost panel (I’ve changed two characters in the image below so it’s STILL private!):

picture-6.png

And this is what the fields I need to copy SOMETHING into look like in the Plugin options:

picture-7.png

Okay… three fields need to be filled in. I guessed the secure site URL was just “https://drstarcat.com”, and when I clicked save, the plugin gave me a green arrow next to the URL, so I was on the right track. Now the tough part… what part of the above information about my SSL certificate is the Private Key? I’d installed these things before, but I couldn’t remember. It DEFINITELY seemed like the information in the top box, but what piece of it? Do I include the “-----BEGIN RSA PRIVATE KEY-----” part or just the stuff between it and the “-----END RSA PRIVATE KEY-----”? I tried BOTH of course and I STILL couldn’t get that last red “X” to turn into a green check mark.

I then begin to fixate on the “SSL Passphrase” piece. Do I have one of those? And if so, where is it? I write back to Bluehost. They reply almost immediately (Nice!). I DO have a pass phrase, but they hadn’t told me this. Now with my pass phrase in hand I am SURE I am nearing success. I try the pass phrase with just the stuff between the begin and end statements. No green arrow. I try it with the begin and end statements included–STILL no green arrow. NOW I’m in that very bad place where I have three variables, none of which I’m sure about, and no combination that seems to work. What do I do? The manly thing, of course. I write Pamela and ask her for help (yes, I was whining in the email).

I wait for a couple of hours for Pamela to respond. Given the fact, however, that this is NOT her job, she does not respond to me like my new pals at Bluehost. I start to tinker again. As I mess around I notice that my SSL certificate is ACTUALLY for “www.drstarcat.com”, not “drstarcat.com”. Now I had already tried switching the URL field to “https://www.drstarcat.com”, but I still hadn’t gotten the green arrow. Regardless, I was sure this would be a problem in the future, so I went ahead and wrote Bluehost to tell them to give me a new one with just “drstarcat.com”. They tell me that they stopped issuing certs for the base URL because “Cpanel would randomly uninstall the SSL”. I tell them I’ll take my chances and to get me the new one.

Two hours later (and just a little while ago), I’m done with dinner and I stumble back over here to my computer to see what new information I might have. Still no Pamela, Mike’s enjoying my pain, BUT the guys at Bluehost have given me the new cert. I’m pretty skeptical that it’s going to work, but since I don’t have anything better to try, I begin trying all the possible combinations in the three fields, and BAMN, like a sore-luck loser in Vegas who finally sees lucky 7s across the slot machine window, I get it… SIX green arrows! The winning combination:

Secure Site URL: https://drstarcat.com

SSL Private Key: Include the “Begin” and “End” statements

SSL Passphrase: Required (at least for me).
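
A check for the key-pasting problem above, as an added example that is not part of the Pamela Project plugin or the Bluehost panel: the “-----BEGIN/END …-----” lines are part of the PEM encoding, not decoration, and a key encrypted under a passphrase carries “Proc-Type: 4,ENCRYPTED” and “DEK-Info” headers before the base64 body, which is how a tool knows it has to ask for one. The sample key is a constructed placeholder with no real key material. A key that has appeared in a screenshot, even with two characters altered, should be treated as exposed and replaced.

```python
"""Inspect the text of a PEM private key before pasting it into a config field.

Added example, not Pamela Project or Bluehost code. SAMPLE_KEY_PEM is a
constructed placeholder; its body is base64 of a sentence, not key material.
"""
import base64
import re

ARMOR = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

SAMPLE_KEY_PEM = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",                    # legacy PEM encryption headers
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF",   # cipher and IV (constructed)
    "",
    base64.b64encode(b"constructed placeholder, not real key material").decode(),
    "-----END RSA PRIVATE KEY-----",
])


def inspect_pem(text):
    """Report what a pasted blob is: PEM label, whether the BEGIN/END armor is present,
    whether a passphrase is needed, and whether the body is at least well-formed base64."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    info = {"armored": False, "label": None, "is_private_key": False,
            "encrypted": False, "cipher": None, "body_bytes": 0, "problems": []}
    begin = ARMOR.match(lines[0]) if lines else None
    end = ARMOR.match(lines[-1]) if lines else None
    if begin and end and begin.group(1) == "BEGIN" and end.group(1) == "END":
        info["armored"] = True
        info["label"] = begin.group(2)
        if end.group(2) != info["label"]:
            info["problems"].append("BEGIN and END labels differ")
        inner = lines[1:-1]
    else:
        info["problems"].append("missing -----BEGIN/END ...----- lines")
        inner = lines
    # RFC 1421-style headers (Proc-Type, DEK-Info) come first and end with a blank line;
    # an unencrypted key has none of them.
    headers = {}
    while inner and ":" in inner[0]:
        name, _, value = inner.pop(0).partition(":")
        headers[name.strip()] = value.strip()
    if headers:
        if inner and inner[0] == "":
            inner.pop(0)
        else:
            info["problems"].append("headers not followed by a blank line")
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        info["encrypted"] = True
        info["cipher"] = headers.get("DEK-Info", "").split(",")[0] or None
    if info["label"] == "ENCRYPTED PRIVATE KEY":  # PKCS#8: the encryption is inside the DER
        info["encrypted"] = True
        info["cipher"] = info["cipher"] or "PKCS#8"
    info["is_private_key"] = bool(info["label"]) and info["label"].endswith("PRIVATE KEY")
    try:
        info["body_bytes"] = len(base64.b64decode("".join(inner), validate=True))
    except ValueError:
        info["problems"].append("body is not valid base64")
    return info


if __name__ == "__main__":
    stripped = "\n".join(SAMPLE_KEY_PEM.splitlines()[1:-1])  # what pasting "just the middle" gives
    for name, blob in [("full", SAMPLE_KEY_PEM), ("armor stripped", stripped)]:
        print(name, inspect_pem(blob))
```

Run it against the text you are about to paste: “armored” false means the BEGIN/END lines were dropped, “encrypted” true means the passphrase field is not optional, and a label of CERTIFICATE means the certificate was pasted where the key belongs.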

picture-8.png

Nice… my wife appreciates how I have to prove that I actually got it to work with an image. Too bad! I EARNED those six green arrows! Now the funny part is that I still don’t know what to do with my now functioning iCard enabled blog. I don’t require people to sign in to post (in fact, I can’t figure out HOW to require people to sign in, even for fun!). Regardless, if you’d like to sign into my blog using your iCard, you now can at this link. I’ll make sure that I learn how to require signing in to comment on my MOST important posts and enable LOTS of other really cool exclusive stuff for people who can figure out how to use an iCard, so I’m SURE it will be worth your while.

So what’s the final word on the Pamela Project? Well, clearly, I don’t have it, as this project (along with the rest of the Identity space) is JUST beginning in spite of how much work has already gone into it. Obviously any sane person isn’t going to go through what I did, but I also found out in my struggles that Pamela is about to release a version of the plugin that does NOT require SSL (talk about timing!) So really if you think about it, with just a little better instruction (put the dumb dumb download up front, and show exactly what needs to go into each blank), I probably could have installed the plugin (without SSL) in about 5 minutes (instead of 7 hours). If EVERY website in the world could become a relying party in 5 minutes, and that meant NO one EVER had to enter a password again… well, I’ll leave the math to you, but I think they might just be onto something.


Becoming an RP with the Pamela Project (pt. 1)

Boy, I must REALLY be insane. Below is a picture of this BEAUTIFUL spring day here in NYC, my wife and baby are in the park playing, and I’m sitting on my balcony trying to install the Pamela Project on my blog. The odds are stacked against a glowing review, as iCards are still an emerging technology, the Pamela Project is in v0.9, and I really shouldn’t be doing this. Of course, knowing the little I do of Pamela, it will probably work out A-OK.

img_1580.png

Just to give some background, I’m attempting to install the Pamela Project WordPress plugin v0.9 on my drstarcat.com blog that is hosted at Bluehost. The first step is to find the WordPress plugin page on the Pamela Project site. Normally I’d go to the WordPress plugin directory, but I believe Pamela doesn’t want to post it there until v1.0. The first thing I notice when coming to this page (because it is so well laid out) is the requirements:

picture-1.png

This already puts me in a bit of bad mood because I don’t know if I have ANY of these things besides a “Wordpress blogging environment” and it pretty much looks like I’m here for the afternoon. The next thing I do is go to the link that provides installation instructions. The first thing they ask me to do is to get the plugin (seems like a good idea).

At first I panic because the instructions tell me to go to some directory on my server and then checkout the code from Subversion followed by some Unix commands. This sounds like something my development team asks me to do while looking at me as if they just asked me to grab a quart of milk from the fridge. As a non-Unix person, I can attest that it is more akin to doing some quick calculus to figure out how to put someone on the moon.

Fortunately, my panic subsides as I realize they have dumb-dumb instructions below this with a link to download the plugin. I can then just use Cyberduck to upload it to my plugins directory (yes, I like my technology masked by familiar childhood playthings). Wow… I actually have it on my server already, maybe today isn’t going to be so bad after all! Now I just go to my WordPress admin page and go to the Plugins tab, and cool… there is the Pamela Project!

picture-3.png

After I click the “activate” link on the plugin, I go to my “Options” tab to see if I can actually get this thing to work. As I look at the page, I’m both happy and sad:

picture-4.png

I’m THRILLED that it looks like I have PHP 5 and these mysterious “Crypto Libraries” already installed (I probably would have had to quit otherwise!). I’m mildly sad to see that I need to get an SSL cert. Now, given that I understand iCards at a low enough level to know they use SSL, and given the fact that Pamela warned me on the instructions page that I would need this, I shouldn’t be disappointed, but I was REALLY hoping I could get away without it.

After sulking a bit, I give Bluehost a call. They make me feel better by making it seem like it’s not going to be such a big deal. At first I hope I’m going to be able to use the “shared” certificate that Bluehost lets anyone use, but once I explain that I need the “Private Key” they tell me I’ve got to get my own. This also requires that I get a static IP (I KNOW, I was already warned in the requirements!)–total price: $90. Pamela will owe me a drink at IIW! Since it’s going to take a few hours to get my SSL cert issued and installed, I think I’ll post this and go outside for a break!


Internet Identity Workshop May 12-14th in Mountain View

Just a note to remind everyone that IIW is just around the corner (1 week from Monday!). This is THE event for the Identity community, and just about anyone who’s doing anything in the space will be there. If you are thinking about getting involved or want to understand why User-Centric Identity may be the biggest improvement to the Internet since its birth, please join us at the Computer History Museum.

Details about the event are here: http://iiw.idcommons.net/index.php/Iiw2008a


The History of Tomorrow’s Internet: Identity (iCards, pt 5)

Long time, no blog. The whole identity space has been busy with conference season, and I’ve taken the last two weeks to get to know my baby girl Fay again. I am officially back though. Whether that is good or bad is yet to be determined. What is definitely good though, is the topic of today’s post, The Pamela Project.

As I’ve explained more than once in this blog, a greater problem than finding reliable Identity Providers is getting the websites we know and love to become Relying Parties. That is exactly the problem that Pamela has chosen to attack with her eponymous project. As the project’s mission statement says, “The Pamela Project is a grassroots organization dedicated to providing community support for both technical and non-technical web users and administrators who wish to use or deploy information card technologies.” Given the difficulties I experienced even USING iCards as a non-technical web user, this seems like a pretty ambitious task, and as part of this post, I’m going to try to get my blog up and running. First, a few words about Pamela and the history of the project.

Pamela first ran into the issues surrounding Identity in her role as a technology consultant in Calgary in 1999. Anyone who’s done any large-scale enterprise software installation has likely had a similar experience–try to do anything and you’ll run into a myriad of (often semi-functional) authentication and directory services before you can even get off the ground. She’d been working at a company that does Peoplesoft installations and with Oblix (an enterprise self-service password management tool later acquired by Oracle), when she attended her first Burton Identity conference in 2001. It was here she first began to think of Identity as a (the?) core technology problem, as opposed to something peripheral to what she wanted to get done. It’s a realization that, once had, can become a little consuming (trust me, I spend WAY too much time building software to be blogging about anything–especially, SOFTWARE).

Her second “ah-ha” moment came when, if my notes serve me correctly, she was “hit on the head with a brick” by Kim Cameron at the 2002 Catalyst conference. There he drew her a brief sketch on a napkin where he showed the three-party system (Subject, Relying Party, Identity Provider) that is at the core of most of the emerging identity systems. She was hooked, but it wasn’t until 2005, when Kim added some sample PHP Relying Party code to his blog, that she saw a place where she could contribute. As a sometimes PHP hacker, she took the simple code and began to port it over to some of her favorite PHP frameworks (WordPress, Joomla, and MediaWiki). Since that time, she and about 10 other contributors have been working to get a 1.0 version of the product out, which, given Pamela’s commitment, I suspect will be about like most other projects’ 2.0 releases.

Before writing about my experience installing the WordPress v0.9 plugin, a word about the seemingly self-promotional name of the project, because I think it says a lot about Pamela as a person and the Identity movement she’s part of. According to Pamela it’s the last name she would have thought of as a woman working as a technologist. As she explains, it’s hard enough as a woman to get recognized as a serious technologist without drawing unnecessary attention to yourself. Having a wife who is one of the best Java engineers in NYC, but who also is regularly asked if she REALLY wrote the stunning code she produces, I can attest this is true. It’s because of this stereotype, though, that Pamela chose the name. She was tired, as someone who is self-admittedly “vocal”, of this kind of self-inflicted sheepishness. So in “defiance to self-regulation”, and at Craig Burton’s urging, she chose The Pamela Project.

This is typical of Pamela and many others I’ve met in the Identity movement, not only because it demonstrates the self-reflection that is surprisingly consistent in this crowd, but because it shows a willingness to take a risk and do something insanely difficult in order to do something you believe in. I finished my talk with Pamela asking her why she does it. Why leave a long day of fighting with technology to spend the evening coding on something that she can never hope to gain from financially? Her answer was that it is BECAUSE Identity is still too early for many to make a living at it that she participates. It ensures that the many technologists looking to make a quick buck are nowhere to be found. It ensures that Pamela can spend time with people who do what they do because, like her, they care.

I’ll let you know how my experience actually USING the Pamela Project goes in my next post. In the meantime, as you wait in breathless anticipation, why not go over to the project’s site and ask Pamela how you can be of use. This is a big project and they’re going to need all the help they can get.


The History of Tomorrow’s Internet: Identity (iCards, pt 4)

I just finished up my three-part series on Microsoft’s CardSpace implementation of iCards, but one of the most important things to understand is that CardSpace is just ONE implementation of iCards. The specifications are completely open and have in fact been implemented in an open-source project in parallel. That project is Higgins, and I recently had a chance to spend some time with Paul Trevithick, the project’s lead.

Paul, like most of the people in this space, is an adult (which is one of the things I find most appealing about Identity). He’s been building software companies since he left MIT in 1982. When he left his last position as President of the publicly traded Bitstream in 2000, he left with the express intent of building a BIG company–one that could fundamentally transform the internet and leave a lasting legacy. So in 2000, when he co-founded Parity with John Clippinger, did he set out to build an Identity layer for the internet?

As is the case for most people in this space (and another reason I find it so appealing), the answer is no. Paul had a vision of an internet where trust between people and organizations could be automatically brokered, similar to that expressed in the Augmented Social Network paper I discussed in my first post in this series. He wanted to surround each individual with a reputation layer and then build the algorithms that would help efficiently establish trust between those individuals. The problem that he and so many others have run into when attempting to “thicken” the data that surrounds us on the internet so that it can be shared across sites is that WE don’t exist on the internet. In other words, like so many others, Paul stumbled into the problem of Identity.

In 2003, about the time Paul ran into this problem, he caught wind of what Microsoft was implementing on the Identity layer and realized both that it would be perfect for what he wanted to accomplish AND that there clearly needed to be an open source implementation of iCards. So Paul’s project took both a turn to Identity and to open source, and Higgins, which now is primarily thought of as the open source implementation of iCards, was born.

I don’t want to go over the details that distinguish the Higgins implementation of iCards from CardSpace, because it has been designed (intentionally) along much the same lines, so that it remains compatible with that emerging standard. One important point to note, though, is that it suffers from the same schizophrenic nomenclature as CardSpace, in that Higgins the project encompasses BOTH the iCard selector that lives locally AND the server-based technology for brokering claims.

Besides this, it does have one additional layer that is extremely powerful that deserves some discussion: the rCard. As I discussed in my CardSpace series, CardSpace supports a pCard (a PERSONAL card that allows you to assert limited claims about yourself) and mCards (that organizations with information about you use to “officially” assert information about you). So what is this “Relationship Card” (rCard)?

Two things distinguish an rCard from an mCard: persistence and bi-directionality. What do I mean by these two things and why should you care? With an rCard that is persistent and bi-directional, YOU can provide constantly updated assertions about YOURSELF to a claim provider. How might this work? Well, think about the implicit attention data currently locked up on your computer. Might you want to allow a company that serves as your “movie preference” claim provider to have a persistently updated stream of your implicit movie data? For example, if you established such a relationship with Netflix, they would have a real-time stream of your movie searching, viewing, and purchasing activity that occurred OUTSIDE of their site, and could thereby provide you and other sites where you used their “Movie iCard” with better recommendations.

So the rCard puts YOU back in the loop of the iCard claim stream and allows you to automatically update that information on a POLICY basis. In other words, with an rCard, you can set a policy that defines WHO gets updates on WHAT data and WHEN at a granular level. If PERSISTENT, GRANULAR, BI-DIRECTIONAL data links sound familiar to those who’ve been reading this series, they should. Establishing those kinds of data pipes is exactly what XRI/XDI are designed to do, and in fact Higgins uses XRI/XDI in the rCard layer.

So what are the most important things to remember about Higgins?

  1. The technology has been in development for FIVE years now, so you may want to think twice before duplicating it.
  2. It is MORE than just the open source iCard implementation. Identity is a MEANS to an end, not the end itself.
  3. With the rCard, YOU are back in the loop and can establish persistent and granular assertions about yourself.

Next up are the two final installments on iCards: a discussion of the Pamela Project and an interview with Kim Cameron of Microsoft’s Cardspace.


The History of Tomorrow’s Internet: Identity (iCards, pt 3)

It’s been over a week since I last posted for a number of reasons, but one of them is because in this post I wanted to explain how it feels for a regular person to use Cardspace. This poses a few challenges as we’ve used Macs exclusively at Angelsoft since we began three years ago, and I’ve had a Mac at home for nearly as long. Little did I know this was only the beginning of my struggles.

Now let me preface this post by saying that I’ve never been a big participant in the Mac vs. PC war. I ran a NetOps business back in the Web 1.0 days, and we managed high-volume Windows, Unix, and Linux environments successfully. More importantly, as someone whose business it is to build great software, I KNOW how hard good UI is. Believe me, I work with a GREAT product team and we try REALLY hard to make intuitive software and we fail EVERY day. Having said that, this post isn’t going to paint a real pretty picture.

My story begins in what I used to think of as my office. I USED to think of it as such because now my 5 month old rules the room, and I work out on the kitchen counter. I still keep my PC in the office though, so in between naps I sneaked back to play with Cardspace. The first thing you will note if you are one of the many people with a slightly older PC still running XP and IE 6.x is that you don’t HAVE Cardspace. In order to get Cardspace, you need to download IE 7.x and the .NET Framework 3.0 Runtime Components. NetFx3.com has a nice sandbox that will walk you through this process [Note: They link to the 3.0 .Net Framework, but 3.5 has been released and may have some UI improvements]. I hadn’t installed anything on Windows for years, but boy did this bring back memories–total download and install time: 1 hour, 15 minutes.

Okay… now that you HAVE Cardspace, it’s time to create an iCard. An iCard is a visual representation of identity data. Cardspace has two kinds of iCards: Managed and Personal. A Managed card is issued to you by someone else (what I call a “Claim Provider”) who supposedly has “official” data about you, like the fact that you have a certain credit limit or are a citizen of a particular country. Since none of these exist, I decided to create a Personal card. To do this, I went to my Control Panel and opened up Cardspace.

This is where I experienced the first slightly annoying thing about Cardspace. When you open Cardspace, for whatever reason, it takes over your entire computer. What do I mean by this? Your entire computer screen is dimmed except for the Cardspace light box and no keys function outside of Cardspace. Why was this annoying? Because I wanted to take screenshots! Nothing works for this. PrintScreen is disabled [Note: Mike Jones pointed out this is in fact NOT true. While all SCREEN elements are frozen, and PrintScreen APPEARS to do nothing, it actually does copy the screen–damnit!]. I had even gone to the trouble to install a better screenshot capture plugin–also disabled. I resorted to the 1970s solution of taking photos of what I was doing and they sucked so bad, I couldn’t use them. Fortunately, the Windows geniuses at dotnetslackers.com figured out how to get screenshots, so I’m using them. So let’s create our first Personal iCard!

Cardspace Create

Now, as you can probably tell from the screenshot above, this is actually what pops up when you try to use an iCard using Cardspace. The guys at Nethacker had already created one, but you’ll see essentially the same screen the first time, just with the “Add” feature. Annoying UI feature 2: Click on the “Add a Card” icon and you will NOT be taken to an iCard creation screen. Instead the button at the bottom of the screen changes to “Add Card”. Click that, and then you’re taken to the iCard creation screen.

Card create dialog

Once you get there, you will note the second shocker when it comes to Cardspace. The Personal card, which you can create, is limited to your most basic contact information. You CANNOT even add a picture of yourself (the upload pic dialog is for the image that YOU see to identify the card). There is no ability to add additional fields, so you are limited to your name, address, email address, phone numbers, and URL. This is pretty disappointing because I can think of all sorts of self-issued cards you might want to create, but apparently that’s not part of Cardspace.

Alright, so anytime you touch Cardspace it locks the rest of your windows, the creation process is a little clunky, and you have no choice as to what kind of data to add–once it’s created though, it must be a pleasure to use right? To test this, I decided not to tax my new iCard too much and just use it to leave a comment on a blog. To do this, I chose Mike Jones’ cool blog, Self Issued, since I knew I’d seen the Cardspace login logo on it. After navigating to the blog, I easily identified the Cardspace login logo. When I clicked on it, I was taken to this screen (note I can use screenshots here because I haven’t entered Cardspace land yet):

[Screenshot: picture-4.png]

So this looks promising. I see Mike’s using the Pamela Project, which is a very cool project to help sites become relying parties for any kind of iCard (not just Cardspace). The natural thing felt like to click the Cardspace logo again, but when I hovered over it, my cursor failed to turn into a hand. The buttons at the top were hot, but those didn’t seem like something I wanted to click on. The words “Use your Card Now”, though equally tempting, also failed to register as hot. After about 20 seconds I decided to click on the icon even though it gave every indication of being dead–Bingo!

[Screenshot: Cardspace Create]

Once I clicked on the Cardspace logo, I saw my newly created iCard (note, the borrowed screenshots again, since my computer is now frozen). It actually looked a little different on my screen as it noted the site wasn’t verified as a bank or financial institution and also showed me Mike’s SSL cert. I was a little surprised about this, as most people have no idea what an SSL cert is and the primary purpose of Cardspace is to fulfill the UI requirements of the Laws of Identity. Regardless, I then chose my new personal iCard and selected “Send”.

[Screenshot: cardspace2_005.jpg]

Instead of sending my card and getting down to the business of commenting, I got the following screen (or actually one that looked basically the same). Apparently if you haven’t sent your iCard to THAT site before, even if you select to send it, you will be taken to preview. This is probably a good security feature, but annoying nonetheless (why even give me the option?). If I’ve created my personal card and KNOW what it contains, why do I have to preview it EVERY time I send it to a new site? Imagine every time you pay for something on a new site using your new Visa iCard. When you click send you will be required to look at all the information–I KNOW what’s on the credit card iCard, that’s the point.

[Screenshot: picture-1.png]

Ready to post? Not yet. Since my iCard is self-issued, Mike’s site (yes, the site is called self-issued.info ironically enough) doesn’t trust me and has now decided that I need to verify my email address. This is obviously a little annoying, but it brings up a good use-case for the first Claim Provider–one that has verified my email address, home address, and phone numbers, so I NEVER have to respond to an email or text message like this again.

[Screenshot: picture-2.png]

After I got the email and clicked on the verification link in it, I was taken to the screen above. I don’t really know what it means, but I figured I should probably click on the (still dead-appearing) Cardspace icon again and it might let me post.

[Screenshot: picture-3.png]

The screen above signaled that my journey might finally be over. I clicked on the “Go to Blog” link and I was logged in and ready to post. The posting went very smoothly and my name and URL showed up as I would have expected. A comment well-earned!

So what’s the final analysis? Well, as I stated in the beginning, the purpose of this post isn’t to bash Microsoft or Cardspace. Like I said, I build software and when I actually see a normal person use it for the first time, I’m inevitably embarrassed at how difficult it is. Software is hard and Cardspace is brand new. Nonetheless, this does show how far the technology has to go before Mom and Dad are going to be using it. Usernames and Passwords are UBIQUITOUS. We’ve been trained on the visual metaphors for at least a decade. Replacing that with ANY other paradigm is going to be rough. To have any chance of success, the Cardspace workflow will need to be much improved.


Doc Searls, VRM, and the Redemption of Tomorrow’s Internet

I spent a couple of hours on the phone with Doc yesterday as he ran back and forth across the Harvard campus, where he’s currently a fellow at the Berkman Center. The conversation was as frenetic and wide-ranging as his movements (from his personal past, through VRM, to the meaning of the modern day Catholic church), but despite this, there was a consistent narrative that helped me understand the real human energy behind VRM.

To really understand Doc, you’ve got to go back to 1969, when he was living with his parents, wife and two kids in Jersey, and his primary activity was avoiding getting sent to the jungles of Vietnam to fight a war. Beginnings like that help put into perspective modern day concerns like not having WiFi in the airport or too much foam in your Frappuccino. In 1976, he found himself playing the role of local radio persona (Doctor Dave–the origins of “Doc”) at a progressive rock radio station in Durham, N.C. and living in near poverty when a couple of local advertising guys noticed his ability to write and asked him to join their nascent advertising firm. Doc was tired of his life, saw this as a way out, and in 1978 Hodskins, Simone and Searls was born.

HS&S then grew to become the largest high-tech agency in North Carolina. Still, that day is significant because, as Doc’s wife would put it later, that’s when he sold out — not because he went into advertising, but because he gave up on radio, which had always been a passion of his. That passion was one of personal connection, not just between performer and audience, but between passionate and appreciative people on both sides. He saw radio not just as a one-way medium for performers and sellers, but as a two-way medium serving common interests and passions.

In 1984 a customer pointed out, “There’s more action on one street in Sunnyvale than in all of North Carolina,” so in 1985 Doc and company packed up and moved to the Valley where by 1987 they had become one of the top high-tech PR agencies and Doc’s role as one of the most prodigious connectors in the technology community began. It was in this role that in 1998 he was talking to Chris Locke and Dave Weinberger (also marketing guys) about the insanity of the DotCom boom and how to get rid of annoying clients when he told them his strategy: Markets are conversations; and conversation is fire. Therefore, marketing is arson. They thought this message itself might be fire-worthy, and a few months later, the phenomenon that was the Cluetrain Manifesto was born.

In 1999, the energy surrounding Cluetrain, Dave Winer’s insistence that he blog, and his wife’s revelation that he’d been living as a sellout for 20 years seemed to open a new horizon for Doc. At 52, in the midst of one of the biggest technology booms and busts this country has ever seen, Doc completed his transition from advertising guy to editor of the Linux Journal and the roving open-source evangelist he is today.

It is in this role (and his consistent role as connector) that the modern identity movement and its VRM off-shoot were born. Doc knew Kim Cameron before Zoomit and its Metadirectory (a technology with many similarities to the Identity Metasystem) were acquired by Microsoft. He knew Drummond Reed (XRI/XDI) and Andre Durand (Jabber and Ping Identity), and through his work with the Identity Gang brought in people like Brad Fitzpatrick (OpenID). As Doc explains, many Open Source movements are as competitive and proprietary as anything the corporate world could dream up, but from day one, identity has been a collective effort between technologists who knew that no one could build it all and that if it was going to work, it all would have to work together.

So what do Doc’s past and Identity have to do with VRM, and what is VRM anyway? VRM (Vendor Relationship Management) is the reciprocal of CRM (Customer Relationship Management). CRM systems are the hugely complicated pieces of software where vendors store all the information they think they know about you (remember that time you yelled at the Verizon rep–they remember). They’re supposed to help the vendor provide you with better service, but the problem is that every vendor only has a small piece of you and since you have no say in how they describe you, they are probably wrong (no Verizon, I’m not a dick–my dog died that day–and your service sucks!).

VRM’s goal is to help you play a larger role in the relationship between you and your vendors. Though its origins are earlier, the term stems from a conversation at Visual Identity World in Denver in 2004 where Drummond came up with “CoRM” (Company Relationship Management–later modified by Mike Vizard during a discussion on the Gillmor Gang to VRM). Any technology or system that puts the customer at the center of the relationship falls under the general umbrella of VRM, but the canonical version sees you owning all of the information that is currently locked in each vendor’s silo and sharing it with vendors as you choose. Obviously a strong sense of Identity along with the principles of Data Portability need to be in place for this vision to become a reality.

Doc and his past have a much more subtle but absolutely pervasive effect on the focus of VRM today. Currently he is working with public radio to enable listeners (particularly those of podcasts) to donate directly to the shows they like with a simple “buy” or “donate” button. Obviously Doc’s origins in radio play a role here, but more importantly, as a marketing professional for over 20 years, he came to see clearly how traditional advertising and fund-raising models create an inauthentic (and even destructive) relationship between buyers and sellers. In the long-term VRM may be about putting the customer in control in a number of ways, but in the short-term it’s a personal crusade against what Doc views as the scourge of the internet and as a practice fully against the principles of VRM–advertising.

Doc talks about Google and its corporate hubris with a sense of disbelief. As he described the excess evident in their Mountain View headquarters, you can see him taken back to the excess of an earlier internet boom where the only business model (and what was in fact, no business model at all) was advertising. As he points out, and what no one is really talking about is that the people–you and me–hate advertising. Not only is it an artificial and unwelcome intrusion into our personal conversations, it is hugely inefficient and ineffective. Vendors spamming every corner of the internet with their best guesses as to what they might be able to sell us isn’t a fair or rational conversation at all–and we’re learning to ignore it.

There is a deeper point to be made here though: how can we, the technorati, who are responsible for instantiating societal values through technology, continue to blithely gorge on the excesses that internet advertising bring us when we know full-well that the model isn’t sustainable and more importantly, that we’re building a machine reliant on wasting what we now know to be one of the most precious and most human resources–our attention?

As Doc rode the bus home, he and I ended our conversation discussing the passing of Bill Buckley and Doc’s occasional relationship with the Catholic church. It was appropriate as the VRM project is, in some sense at least, a project of personal redemption. Doc has spent the majority of his adult life helping companies reach their customers, and no doubt he’s taught them well. He’s now working to help us take back control of those conversations. From one sellout to another, I hope he succeeds. Happy Easter everyone.


Drummond on XRI/XDI and OpenID

At the IDtrust Symposium in Maryland, Drummond just presented a paper about how the XRI/XDI support in OpenID can be used to avoid some of the more wicked hacks necessary for some of the richer functionality in the OpenID 2.0 spec. The paper is an interesting read and now public here:

http://middleware.internet2.edu/idtrust/2008/papers/01-reed-openid-xri-xrds.pdf

For an overview of some of the cool features about XRI/XDI, check out my 3 posts on the History of Tomorrow’s web series here.


The History of Tomorrow’s Internet: Identity (iCards, pt 2)

In my last post I wrote about the 7 laws of identity. In this post, I’ll try to explain how Microsoft is implementing these laws through Cardspace. To begin with, we need to take a look at a diagram I posted back in the beginning of this series:

[Diagram: identity-provider.png]

As I explained in that post, three participants make up this simplified view of the Identity Metasystem, a Subject (you), a Relying Party (the website that needs to authenticate you) and the Identity Provider (the service you and the RP both trust to assert claims about who you are). CardSpace encapsulates all of these entities and their interactions using the Web Services (WS-*) specifications.

Before explaining how this is done, just a brief word on the history of Web Services. Web Services are a suite of specifications that enable two (or more) different software systems to interact without knowing the details of the other’s technology. SOAP, the core specification, was released in 1998 and essentially defined a way to encapsulate data in XML. Since that time, many specifications have been developed that add advanced functionality to this simple idea. These specifications are collectively known as WS-*.

Now let’s return to Identity and our various parties in the above diagram. To represent your identity CardSpace uses the WS-Security Token. WS-Security was one of the first extensions of SOAP and, as the name implies, it specifies a way of protecting SOAP messages. Part of the WS-Security specification is the concept of a WS-Security Token, which is essentially a way to encapsulate tokens from existing security specifications into universally understandable security tokens. The cool thing about this is that, theoretically at least, your Identity Provider could use whatever security specification it prefers, convert the authentication data into a WS-Security Token and send it to the Relying Party, who could then translate the WS-Security Token back into whatever format of authentication it needed.

Now that we have a way to securely encapsulate our identities using WS-Security Tokens, we need a way for websites (RPs) and your Identity Providers (IPs) to figure out what the RP needs and what the IP has. To do this, CardSpace uses WS-Policy and WS-Metadata. As usual the WS geniuses have named the services well. WS-Policy enables the RP to encapsulate and publish exactly what it needs (a SAML token from the DMV asserting you are over 21) and WS-Metadata allows the IP to publish what it is capable of (I’m the DMV and have an over-21 claim for you, authenticated using Kerberos).

Cool! Now that the RP and IP can figure out what each other has and needs, and both understand a WS-Security token, we just need to convert their specification-specific tokens into WS-Security tokens. To do this CardSpace uses the WS-Trust specification, which, along with a LOT of other things, defines a Security Token Service (STS). The STS is a token exchange that accepts any of five existing token profiles as input (Username, SAML, X.509, Kerberos, Rights Expression Language) and converts between them.

As you can see, all the communication technologies needed for CardSpace already exist in the WS-* specifications. If you refer back to the 7 Laws of Identity, you will note that I haven’t addressed Laws 6 and 7, which address making the Identity Metasystem usable by ordinary people. I’ll cover that in my next post.


The History of Tomorrow’s Internet: Identity (iCards, pt. 1)

In my OpenID report from SXSW I jumped to OpenID briefly, but I want to cover iCards before continuing down that road. iCards are the generic name (technically just for the client-side technology, but I’m using the term generically to refer to Cardspace and Higgins) for a couple of implementations of what has become known as the “Identity Metasystem”. The Identity Metasystem is in turn a formalization of what have become known as the “Laws of Identity”. So let’s back up to the beginning and talk about the Laws in this post.

In 2004, Microsoft was still smarting from its hugely ambitious and hugely unpopular Passport service. As a way to move forward, Kim Cameron, Microsoft’s Identity Architect, did an interesting thing: he started a blog. On his identity blog Kim started a discussion about why Passport had failed and how to properly bring an identity layer to the internet. In 2005, Kim encapsulated the discussion of the previous year in a white paper called “The Seven Laws of Identity”.

1. User control and consent: Pretty straight-forward—people should determine what information they share about themselves.

2. Minimal disclosure for a constrained use: This means the system should share ONLY what it needs to. The canonical example is buying booze. The Identity Metasystem should only say that you are “over 21” (necessary), not your actual age (too much information).

3. Justifiable Parties: Only parties that need to be involved should be involved. This one is a little tricky—how do we determine who needs to be involved? The short answer is you do. The point of this is NOT that there shouldn’t be a third party (like an Identity Provider), the point is that if there IS a third-party, it should be clear to YOU that they are involved so you can make the choice whether to proceed.

4. Directed Identity: A directed identity is one intended for a particular party (e.g. my medical records for my doctor). It seems OBVIOUS that an identity metasystem would do this, but REALLY what this law is asserting is that the system shouldn’t use correlatable information as your identity. In other words, an identity metasystem that decided to send your Social Security number to every site that wanted to verify you are you would be subject to GROSS abuse. Instead, the IP should send a unique token to each site, so that it isn’t easy for them to realize you are the same person across sites.

5. Pluralism of Operators and Technologies: This just means that we can’t have a single company or a single technology manage identity for the internet. The prohibition against a single company is pretty obvious, as that company would be WAY too powerful. The prohibition against a single technology is more controversial. On the surface it makes sense for the identity layer to handle any previous and future protocols and security frameworks. In reality though, the internet has done pretty well relying on HTTP, and there is a real question as to whether this law adds unnecessary complexity.

6. Human integration: Put simply this means the metasystem should be as clear as possible to ordinary people. Implicitly it means this need should overrule other considerations (like UI customization or rad design). This is also the “anti-phishing” law.

7. Consistent experience across contexts: This is kind of a weird one, but essentially it means that whether you are handing over your medical records or just your email address, the experience should be consistent enough so that in both cases you know that you are giving up a piece of your identity.

I’ll save the discussion as to whether these laws are ALL really necessary and some of the real historical reasons for their inclusion for other posts. Next up is the actual implementation of an identity metasystem that Kim derived from these laws and after that the Higgins project.
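Laws 2 and 4 above, together with the WS-Policy / WS-Metadata / WS-Trust exchange described in part 2 of this series (earlier on this page), as an added worked example in Python that is not part of the original posts, of CardSpace or of any WS-* library: the RP publishes what it needs, the IP publishes what it can assert, and a toy STS issues a token carrying only the requested claims under a per-site identifier that two sites cannot correlate. The class names, the "over21" claim and the party names (dmv.example, liquor.example) are assumptions made for illustration.

```python
"""Toy model of the Identity Metasystem round-trip: the RP's WS-Policy, the
IP's WS-Metadata, and a WS-Trust STS that issues a minimal, directed token.
Constructed illustration, not CardSpace or WS-* library code; class names,
the 'over21' claim and the party names are assumptions. Real deployments
exchange XML (RST/RSTR), not Python dicts."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class RelyingPartyPolicy:
    """Published via WS-Policy: the token format the RP accepts and the
    claims it needs (Law 2: ask only for what the transaction requires)."""
    rp_id: str
    token_type: str
    required_claims: frozenset

@dataclass(frozen=True)
class IdentityProviderMetadata:
    """Published via WS-Metadata: token formats the IP can issue and the
    claims it is able to assert about its subjects."""
    ip_id: str
    token_types: frozenset
    offered_claims: frozenset

@dataclass
class SubjectRecord:
    """What the IP privately knows about the subject; never sent whole."""
    subject_id: str
    birth_date: date
    attributes: dict

def policy_satisfiable(policy, metadata):
    """Matchmaking: can this IP meet the RP's published requirements?"""
    return (policy.token_type in metadata.token_types
            and policy.required_claims <= metadata.offered_claims)

def over_21(birth, today):
    """Derived claim: answers the RP's question without exposing the date."""
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    return today.year - birth.year - (0 if had_birthday else 1) >= 21

def derive_ppid(ip_secret, subject_id, rp_id):
    """Law 4 (directed identity): a pairwise identifier per RP, so two
    sites cannot correlate one subject by comparing the tokens they got."""
    msg = f"{subject_id}|{rp_id}".encode()
    return hmac.new(ip_secret, msg, hashlib.sha256).hexdigest()[:32]

def issue_token(ip_secret, record, policy, metadata, today):
    """STS step: emit only the requested claims, in the requested format,
    addressed to exactly one RP (the token is useless elsewhere)."""
    if not policy_satisfiable(policy, metadata):
        raise ValueError("IP cannot satisfy this RP's policy")
    claims = {name: over_21(record.birth_date, today) if name == "over21"
              else record.attributes[name] for name in policy.required_claims}
    return {"type": policy.token_type, "issuer": metadata.ip_id,
            "audience": policy.rp_id, "claims": claims,
            "ppid": derive_ppid(ip_secret, record.subject_id, policy.rp_id)}

# Constructed sample parties used by the worked run (all values made up).
DMV = IdentityProviderMetadata("dmv.example", frozenset({"SAML", "X509"}),
                               frozenset({"over21", "email"}))
LIQUOR_STORE = RelyingPartyPolicy("liquor.example", "SAML", frozenset({"over21"}))
ALICE = SubjectRecord("subject-42", date(1980, 6, 15), {"email": "alice@example.com"})
BOB = SubjectRecord("subject-43", date(1987, 3, 25), {"email": "bob@example.com"})
IP_SECRET = b"constructed-demo-secret"
TODAY = date(2008, 3, 24)
```

Running `issue_token(IP_SECRET, ALICE, LIQUOR_STORE, DMV, TODAY)` yields a token whose only claim is `over21: True`; Bob, one day short of his 21st birthday on the sample date, gets `over21: False`, and neither token reveals a birth date or e-mail.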
