Burton Catalyst 2008: Learning from the enterprise.

Wow.  I would never have thought that my first post after IIW wouldn’t come until Catalyst.  I’ve been absolutely absorbed in my work helping angel investors with Angelsoft, as we’re releasing Version 3.0 of the platform on August 1st (and it is going to be SICK!).  Fortunately, I’ve got a little more time now that we’re out of the product development stage, so I’m back at the keyboard.Even more fortunate, is the fact that I’m at Burton’s Catalyst Conference!  For those of you who don’t know, Burton has long had the strongest Identity practice in the industry and has played a major role in helping enterprises understand the identity problem.  I’ve been a proponent of applying the lessons learned from the enterprise to the issues we’re trying to solve for the internet, and this conference has only served to further that belief.  Anyone who is working on the issues surrounding internet identity and doesn’t think the work being done in the enterprise is relevant is just kidding themselves.  They’ve been doing it way longer, with way more people; and they’ve been forced to be extraordinarily rigorous, as they are controlling access to trillions in assets.It’s easy to see why this lack of communication between the two communities exists.  As I’ve written before, the origins of the internet identity movement were deeply idealistic and anti-corporate.  Much of the energy comes from a desire to usher in a sci-fi vision of the virtual worlds portrayed in books like Snow Crash or Down and Out in the Magic Kingdom.  What could the short-sleeved, button-down wearing IT servants of the corporate machine have to say about this brave new world?It turns out a lot.  The first thing to remember about the enterprise space is that many of these enterprises have tens of thousands of people, offices in dozens of countries, and hundreds of applications that each of their employees use.  Moreover, through acquisitions and the fiefdoms that naturally arise in organizations of this scale, there is rarely any consistent architecture from team to team or office to office.  In fact, when you begin to look inside these organizations, you quickly realize that these massive intranets have almost all the same characteristics as the World Wide Web.To get a sense of some of the issues they have dealt with that the internet identity movement has just begun to look at, let’s take a look at a few:

  1. International Regulations:  Hearing from George Sherman about the constraints put on Morgan Stanley’s efforts to build an Identity system, given that they have to comply with dozens of regulatory jurisdictions, clearly demonstrates the hazards we are likely to face as we grapple with the widely divergent privacy legislation emerging throughout the world.
  2. Revocation: Employees move on (often not by their own choice).  Enterprises understand all the complexities of revoking access to multiple systems.
  3. Federation: Companies need to work with partners, suppliers, consultants and a multitude of other organizations.  They’ve dealt with the issues required to enable people from other organizations to access to their secure systems.
  4. Usability: The enterprise has experimented with hundreds of Identity Management products and has an extremely tight feedback loop with their users.  We can learn from their UI sucesses and failures.
  5. Roles: Enterprises have had to deal with fine-grained permissioning for decades.  What kind of employees should have access to which details of a customer isn’t too far from wanting to let your mom see your baby’s first step, but not your drunken exploits from the weekend that’s all the rage with your friends.
  6. Monitoring: Enterprises need to know when someone’s credentials have been compromised so they can take immediate action.  What happens when someone’s internet ID has been compromised?  How do we even know and what do we do?
  7. Concensus Building:  Getting different business units to agree on a framework is no less easy than getting Google and Microsoft to agree (okay… maybe a LITTLE easier).  Regardless, spend a half-hour speaking with a CIO who’s implemented a company-wide identity management project, and you will quickly learn how expert they are at building concensus around a project.

These are just a few examples, but it’s clear the enterprise has dealt with identity issues for a long time and solved use-cases many in the internet identity community have yet to consider.  We need to learn from them, so we don’t make the same mistakes or repeat work that’s already been done.  I don’t know exactly how to start this dialog, but it’s one that needs to begin.  Any suggestions?  That’s what Comments are for.

Report on IIW 2008

There’s no place like home. When I walked in the door this morning after taking the red-eye back from Mountain View, my 6 month-old daughter squealed with delight, turned to her mom, and immediately forgot who I was again–stupid baby. There is also, however, no place like the Internet Identity Workshop. With its (un)conference format and list of passionate identity attendees, it continues to be the event of the year in the Identity space.

For those of you unfamiliar with the (un)conference format, it bears going over. At 8:45 am all the attendees circle up and people go the center to fill out notebook-sized cards with discussions, presentations, or demonstrations that they’d like to lead. They then each give a brief overview and post the cards on a giant wall schedule. Some of the sessions have been planned long ago, others are inspired by the day, but everyone has equal access to time slots. Only two rules prevail: sessions should go on only as long as they still have energy (this could mean a session ends early or takes all day) and individuals should remain in a session only as long as it is the most valuable place for them to be (in other words, getting up and leaving for whatever reason is encouraged).

With spontaneous session selection, indeterminate times, and roaming participants, it may seem that such a conference would quickly degrade into chaos, but I experienced just the opposite at IIW. Some highlights from the sessions I attended:

A session led by Dick Hardt on bi-directional validation of blog comments made by a single user across sites to help establish reputation. Conclusion: interesting but probably not worth the complex technology necessary to make it work for now.

A session led by Johannes Earnst on creating a community to ensure people are properly represented in the “Digital Deal” emerging between them and the sites they go to. Conclusion: a working group has been formed and a community site broad enough to embrace the multitude of perspectives is forthcoming.

Two sessions led by Joseph Smarr on the emerging social stack and a proposed consolidation of the major players’ various contact portability apis. Conclusion: the best description of the tools now available for social data export (posted on his blog) and a specification that is likely to be implemented by most of the major internet players over the next year.

A demonstration by Andy Dale of Ootao‘s new iPage product. Conclusion: a VERY powerful backend that masks the complexity of the various claims sharing protocols and the first implementation I’ve seen that allows you to consolidate claims from various iCards into a single managed card.

A description by Drummond Reed of the XRDS-Simple, a discovery service being adapted by OpenID and Oath for service discovery. Conclusion: a light-weight alternative to XRDS that is likely to become the standard for these lighter protocols.

A demonstration of relationship cards (rCards) by the Higgins team. Conclusion: Cardspace makes a strong distinction between Self-Issued iCards (where you control the claims) and Managed iCards (where the vendor controls the claims). Since in most cases, you should control some of the claims (contact info) and the vendor should control some (like an airline with frequent flier miles), segmenting control over claims in a single card makes a TON of sense.

A preview of a paper by Bob Blakley that argued that the true value of an Identity Provider was not the DATA they have about the person, but rather the RELATIONSHIP they have with the person. In doing this, he proposed that the IP actually needs to provide much more than just the Identity information–they need to establish the terms under which the Identity can be used by the Relying party as well provisions for damages should the Relying Party abuse the Identity data or should the IP provide untrue Identity Data. Conclusion: This helps clarify what organizations would make good identity providers and moves the discussion from IP vs User vs RP rights into a discussion of mutual agreement of usage through contracts.

Now how many conferences have you been to where you can recall by memory every session you attended after a red-eye home? I’m lucky if I can remember what most sessions at a typical conference are about half way through the session itself! This just goes to prove the real quality of IIW. Much of the credit for this goes to the high-caliber of the attendees, but much credit also deserves to go to the day-to-day leader of the conference and one of the truly great connectors in the Identity space, the Identity Woman, Kaliya Hamlin.

Kaliya doesn’t get nearly as much credit as she deserves. Leading a conference and a movement that’s composed of SO many smart and opinionated people is a real trick. There are a lot of egos, careers, and hard work at stake in these emerging standards and people fight hard for what they believe in. Kaliya doesn’t assert herself into the middle of these necessary conflicts. Don’t get me wrong–Kaliya takes great glee is stirring the pot, but a community of technologist NEEDS this kind of communication and she never comes across as mean-spirited or controlling. Kaliya understands two of the most important aspects of leadership–a willingness to serve and a willingness to facilitate without domination. There are many communities that would be lucky to have leaders who understand these things, and IIW is lucky to have Kaliya.

Kim Cameron and the Philosophy of Privacy: (iCards, pt 5)

I’m currently trapped on the six-hour flight out west to join the rest of the Identity crowd at this year’s Internet Identity Workshop, so I thought I’d use the time to write my final post on the history of iCards. Fittingly, the subject of this post is the father (grandfather?) of iCards, Microsoft’s own Identity Architect in residence, Kim Cameron.

Many people know (of) Kim from his Seven Laws of Identity, but Kim’s story (like most of the participants in the community) starts much earlier. Kim began his career in academia teaching Sociology (he had concentrated in both Sociology and Math/Physics), an occupation that he loved (teaching), but a subject that he soon became disillusioned with (as he said, “There was never any way to prove who was right”). Like any disillusioned sociology professor, he did the natural thing and started a Reggae band (no, I’m NOT making this up), called the Limbo Springs and proceeded to tour the East coast of Canada and the US for the next 7 years.

Having come off his 1981 sold-out stadium tour promoting the multi-platinum “MetaLimbo” (okay, THAT I made up, but JUST that), he returned to Canada to teach Assembly at George Brown University, Canada’s largest community college (as he explains, technology was always his fall-back when he needed money—sounds familiar!). It wasn’t long, however, until he realized that teaching technology wasn’t what he wanted to do long-term, so he and the head of the IT department decided to start a technology business. As he explains, they were dead-broke at the time (as btw it seems everyone in this space is broke at some time or another—I, myself, like to go broke about once every four years), so they did what any broke technologist would do and started consulting.

Kim and his partner were obviously quite good at what they did because they built this nascent technology company into a 40 person strong outfit by 1992, which was when Kim first encountered the problem of Identity (How many of YOU can say THAT?!). The issue of Identity arose when he was trying to build an email directory for Sprint’s 60,000 employees. The problem was that those 60,000 employees had 150,000 email addresses (it was common to have an email for every ISP at the time). The question was, how do you find a way to associate each of those email addresses with the correct person in the directory?

If you know anything about Kim or his company, you will recognize this was his first foray into the technology that would put Zoomit on the map (and eventually in Redmond as part of Microsoft)—the metadirectory. Metadirectory technology arose out of the need to simplify the management of people and software in the enterprise. Anytime someone joins a company, they have to be given permission to use any of a number of pieces of software and other digital assets. The larger the corporation and the more wired it is, the larger this problem becomes. How can an administrator setup 25 accounts for every person for a company that hires 10,000 employees a year? Better yet, how can an administrator ensure that access has been properly removed for a company that fires that many people in a year?

To solve this problem, Kim and the Zoomit team came up with the concept of a “metatdirectory”. Metadirectory software essentially tries to find correlation handles (like a name or email) across the many heterogeneous software environments in an enterprise, so network admins can determine who has access to what. Once this is done, it then takes the heterogeneous claims and transforms them into a kind of claim the metadirectory can understand. The network admin can then use the metadirectory to assign and remove access from a single place.

Zoomit released their commercial metadirectory software (called “Via) in 1996 and proceeded to clean the clock of larger competitors like IBM for the next few years until Microsoft acquired the company in the summer of 1999. Now anyone who is currently involved in the modern identity movement and the issues of “data portability” that surround it has to be feeling a sense of deja vu because these are EXACTLY the same problems that we are now trying to solve on the internet—only THIS time we are trying to take control of our OWN claims that are spread across innumerable heterogeneous systems that have no way to communicate with each other. Kim’s been working on this problem for SIXTEEN years—take note!

When I asked Kim what his single biggest realization about Identity in the 16 years since he started working on it was, he was slow to answer, but definitive when he did—privacy. You see, Kim is a philosopher as well as a technologist. He sees information technology (and the internet in particular) as a social extension of the human mind. He also understands that the decisions we make as technologists have unintended as well as intended consequences. Now creating technology that enables a network administrator to understand who we are across all of a company’s systems is one thing, but creating technology that allows someone to understand who we are across the internet, particularly as more and more of who we are as humans is stored there, and particularly if that someone isn’t US or someone we WANT to have that complete view, is an entirely other problem.

Kim has consistently been one the strongest advocates for obscuring ANY correlation handles that would allow ANY Identity Provider or Relying Party to have a more complete view of us than we explicitly give them. Some have criticized his concerns as overly cautious in a world where “privacy is dead”. When you think of your virtual self as an extension of your personal self though, and you realize that the line between the two is becoming increasingly obscured, you realize that if we lose privacy on the internet, we, in a very real sense, lose something that is essentially human. I’m not talking about the ability to hide our pasts or to pretend to be something we’re not (though we certainly will lose that). What we lose is that private space that makes each of us unique. It’s the space where we create. It’s the space that continues to ensure that we don’t all collapse into one.

Well on that rather heady note, I’ll end this look into the history of iCards. I for one, however, am glad that as we explore this space and redefine what it is to be a person, that we have someone like Kim deeply involved. I want to move forward as much as anyone, but I also understand that we are touching on what it means to be a person in the 21st century, and when dealing with the core of humanity, we ought be most careful about any unintended consequences we may produce. Next up, the “original” identity metasystem, the Liberty Project, and the lightweight alternative that is taking the internet by storm, OpenID.

Becoming an RP with the Pamela Project (pt. 2)

Okay. So when I last posted I was waiting for my SSL cert to get installed and I left to enjoy the rest of the day with my wife and daughter. Good choice, as there were still a fair number of obstacles ahead of me. When I returned from my walk, the superstars at Bluehost had emailed me with the good news that my SSL cert had been installed. This was VERY good news, as installing an SSL certificate is NOT something to be done by mere mortals (see Mike’s post here–and HE’S not even MORTAL!)

Having my brand new certificate installed, I was anxious to take it out for a spin. I went to the SSL manager in my Bluehost control panel, and low and behold, they were NOT lying… there was my certificate. I clicked on the link to view my private key. This is what I saw in my Bluehost panel (I’ve change two characters in the image below so it’s STILL private!):


And this is what the fields I need to copy SOMETHING into look like in the Plugin options:


Okay… three fields need to be filled in. I guessed the secure site URL was just “https://drstarcat.com”, and when I clicked saved, the plugin gave me a green arrow next to the URL so I was on the right track. Now the tough part… what part of the above information about my SSL certificate is the Private Key? I’d installed these things before, but I couldn’t remember. It DEFINITELY seemed like the information in the top box, but what piece of it? Do I include the “—–BEGIN RSA PRIVATE KEY—–” part or just the stuff between it and the “—–END RSA PRIVATE KEY—–“? I tried BOTH of course and I STILL couldn’t get that last red “X” to turn into a green check mark.

I then begin to fixate on the “SSL Passphrase” piece. Do I have one of those? And if so, where is it? I write back to Bluehost. They reply almost immediately (Nice!). I DO have a pass phrase, but they hadn’t told me this. Now with my pass phrase in hand I am SURE I am nearing success. I try the pass phrase with just the stuff between the begin and end statements. No green arrow. I try it with the begin and end statement included–STILL no green arrow. NOW I’m in that very bad place where I have three variables, none of which I’m sure about, and no combination that seems to work. What do I do?–the manly thing of course. I write Pamela and ask her for help (yes, I was whining in the email).

I wait for a couple of hours for Pamela to respond. Given the fact, however, that this is NOT her job, she does not respond to me like my new pals at Bluehost. I start to tinker again. As I mess around I notice that my SSL certificate is ACTUALLY for “www.drstarcat.com”, not “drstarcat.com”. Now I had already tried switching the URL field to “https://www.drstarcat.com”, but I still hadn’t gotten the green arrow. Regardless, I was sure this would be a problem in the future, so I went ahead and wrote Bluehost to tell them to give me a new one with just “drstarcat.com”. They tell me that they stopped issuing certs for the base URL because “Cpanel would randomly uninstall the SSL”. I tell them I’ll take my chances and to get me the new one.

Two hours later (and just a little while ago), I’m done with dinner and I stumble back over here to my computer to see what new information I might have. Still no Pamela, Mike’s enjoying my pain, BUT the guys at Bluehost have given me the new cert. I’m pretty skeptical that it’s going to work, but since I don’t have anything better to try, I begin trying all the possible combinations in the three fields, and BAMN, like a sore-luck loser in Vegas who finally sees lucky 7s across the slot machine window, I get it… SIX green arrows! The winning combination:

Secure Site URL: https://drstarcat.com

SSL Private Key: Include the “Begin” and “End” statements

SSL Pass phrase: Required (at least for me).


Nice… my wife appreciates how I have to prove that I actually got it to work with an image. Too bad! I EARNED those six green arrows! Now the funny part is that I still don’t know what to do with my now functioning iCard enabled blog. I don’t require people to sign in to post (in fact, I can’t figure out HOW to require people to sign in, even for fun!). Regardless, if you’d like to sign into my blog using your iCard, you now can at this link. I’ll make sure that I learn how to require signing in to comment on my MOST important posts and enable LOTS of other really cool exclusive stuff for people who can figure out how to use an iCard, so I’m SURE it will be worth your while.

So what’s the final word on the Pamela Project? Well, clearly, I don’t have it, as this project (along with the rest of the Identity space) is JUST beginning in spite of how much work has already gone into it. Obviously any sane person isn’t going to go through what I did, but I also found out in my struggles that Pamela is about to release a version of the plugin that does NOT require SSL (talk about timing!) So really if you think about it, with just a little better instruction (put the dumb dumb download up front, and show exactly what needs to go into each blank), I probably could have installed the plugin (without SSL) in about 5 minutes (instead of 7 hours). If EVERY website in the world could become a relying party in 5 minutes, and that meant NO one EVER had to enter a password again… well, I’ll leave the math to you, but I think they might just be onto something.

Becoming an RP with the Pamela Project (pt. 1)

Boy, I must REALLY be insane. Below is picture of this BEAUTIFUL spring day here in NYC, my wife and baby are in the park playing, and I’m sitting on my balcony trying to install the Pamela Project on my blog. The odds are stacked against a glowing review, as iCards are still an emerging technology, the Pamela Project is in v0.9, and I really shouldn’t be doing this. Of course, knowing the little I do of Pamela, it will probably work out A-OK.


Just to give some background, I’m attempting to install the Pamela Project WordPress plugin v0.9 on my drstarcat.com blog that is hosted at Bluehost. The first step is to find the WordPress plugin page on the Pamela Project site. Normally I’d go to the WordPress plugin directory, but I believe Pamela doesn’t want to post it there until v1.0. The first thing I notice when coming to this page (because it is so well laid out) are the requirements:


This already puts me in a bit of bad mood because I don’t know if I have ANY of these things besides a “WordPress blogging environment” and it pretty much looks like I’m here for the afternoon. The next thing I do is go to the link that provides installation instructions. The first thing they ask me to do is to get the plugin (seems like a good idea).

At first I panic because the instructions tell me to go to some directory on my server and then checkout the code from Subversion followed by some Unix commands. This sounds like something my development team asks me to do while looking at me as if they just asked me to grab a quart of milk from the fridge. As a non-Unix person, I can attest that it is more akin to doing some quick calculus to figure out how to put someone on the moon.

Fortunately, my panic subsides as I realize they have dumb-dumb instructions below this with a link to download the plugin. I can then just use Cyberduck to upload it to my plugins directory (yes, I like my technology masked by familiar childhood playthings). Wow… I actually have it on my server already, maybe today isn’t going to be so bad after all! Now I just go to my WordPress admin page and go to the Plugins tab, and cool… there is the Pamela Project!


After I click the “activate” link on the plugin, I go to my “Options” tab to see if I can actually get this thing to work. As I look at the page, I’m both happy and sad:


I’m THRILLED that it looks like I have PHP 5 and these mysterious “Crypto Libraries” already installed (I probably would have had to quit otherwise!). I’m mildly sad to see that I need to get an SSL cert. Now, given that I understand iCards at a low enough level to know they use SSL, and given the fact that Pamela warned me on the instructions page that I would need this, I shouldn’t be disappointed, but I was REALLY hoping I could get away without it.

After sulking a bit, I give Bluehost a call. They make me feel better by making it seem like it’s not going to be such a big deal. At first I hope I’m going to be able to use the “shared” certificate that Bluehost let’s anyone use, but once I explain that I need the “Private Key” they tell me I’ve got to get my own. This also requires that I get a static IP (I KNOW, I was already warned in the requirements!)–total price: $90. Pamela will owe me a drink at IIW! Since it’s going to take a few hours to get my SSL cert issued and installed, I think I’ll post this and go outside for a break!

Internet Identity Workshop May 12-14th in Mountainview

Just a note to remind everyone that IIW is just around the corner (1 week from Monday!). This is THE event for the Identity community and just about anyone who’s doing anything in the space will be there. If you are thinking about getting involved or want to understand why User-Centric Identity may be the biggest improvement to the Internet since it’s birth, please join us at the Computer History Museum.

Details about the event are here: http://iiw.idcommons.net/index.php/Iiw2008a

The History of Tomorrow’s Internet: Identity (iCards, pt 5)

Long time, no blog. The whole identity space has been busy with conference season, and I’ve taken the last two weeks to get to know my baby girl Fay again. I am officially back though. Whether that is good or bad is yet to be determined. What is definitely good though, is the topic of today’s post, The Pamela Project.

As I’ve explained more than once in this blog, a greater problem than finding reliable Identity Providers is getting the websites we know and love to become Relying Parties. That is exactly the problem that Pamela has deemed to attack with her eponymous project. As the project’s mission statement says, “The Pamela Project is a grassroots organization dedicated to providing community support for both technical and non-technical web users and administrators who wish to use or deploy information card technologies.” Given the difficulties I experienced even USING iCards as a non-technical web user, this seems like a pretty ambitious task, and as part of this post, I’m going to try to get my blog up and running. First, a few words about Pamela and the history of the project.

Pamela first ran into the issues surrounding Identity in her role as a technology consultant in Calgary in 1999. Anyone who’s done any large-scale enterprise software installation has likely had a similar experience–try to do anything and you’ll run into a myriad of (often semi-functional) authentication and directory services before you can even get off the ground. She’d been working at a company that does Peoplesoft installations and with Oblix (an enterprise self-service password management tool later acquired by Oracle), when she attended her first Burton Identity conference in 2001. It was here she first began to think of Identity as a (the?) core technology problem, as opposed to something peripheral to what she wanted to get done. It’s a realization that, once had, can become a little consuming (trust me, I spend WAY too much time building software to be blogging about anything–especially, SOFTWARE).

Her second “ah-ha” moment came when, if my notes serve me correctly, she was “hit on the head with a brick” by Kim Cameron at the 2002 Catalyst conference. There he drew her a brief sketch on a napkin where he showed the three party system (Subject, Relying Party, Identity Provider) that is at the core of most of the emerging identity systems. She was hooked, but it wasn’t until in 2005, when Kim added some sample PHP Relying Party code to his blog that she saw a place where she could contribute. As a sometimes PHP hacker, she took the simple code, and began to port it over to some of her favorite PHP frameworks (WordPress, Joomla, and MediaWiki). Since that time, she and about 10 other contributers have been working to get a 1.0 version of the product out, which, given Pamela’s commitment, I suspect will be about like most other project’s 2.0 release.

Before writing about my experience installing the WordPress v0.9 plugin, a word about the seemingly self-promulgatory name of the project because I think it says a lot about Pamela as a person and the Identity movement she’s part of. According to Pamela it’s the last name she would have thought of as a woman working as a technologist. As she explains, it’s hard enough as a woman to get recognized as a serious technologist without drawing unnecessary attention to yourself. Having a wife who is one the best Java engineers in NYC, but who also is regularly asked if she REALLY wrote the stunning code she produces, I can attest this is true. It’s because of this stereotype though that Pamela chose the name. She was tired, as someone who is self-admittedly “vocal”, of this kind of self-inflicted sheepishness. So in “defiance to self-regulation”, and at Craig Burton‘s urging, she chose The Pamela Project.

This is indicative of Pamela and many others I’ve met in the Identity movement not only because it demonstrates the self-reflection surprisingly consistent in this crowd. It is indicative because it shows a willingness to take a risk and do something insanely difficult in order to do something you believe in. I finished my talk with Pamela asking her why she does it. Why leave a long day of fighting with technology to spend the evening coding on something that she can never hope to gain from financially? Her answer was that it is BECAUSE Identity is still too early for many to make a living at it that she participates. It ensures that the many technologists looking to make a quick buck are nowhere to be found. It ensures that Pamela can spend time with people who do what they do, because like her, they care.

I’ll let you know how my experience actually USING the Pamela project goes in my next post. In the mean time, as you wait in breathless anticipation, why not go over to the project’s site and ask Pamela how you can be of use. This is a big project and they’re going to need all the help they can get.

The History of Tomorrow’s Internet: Identity (iCards, pt 4)

I just finished up my three part series on Microsoft’s CardSpace implementation of iCards, but one of the most important things to understand is that CardSpace is just ONE implementation of iCards. The specifications are completely open and in fact, have been implemented in an open source project simultaneously. That project is Higgins and I recently had a chance to spend some time with Paul Trevethick, the project’s lead.

Paul, like most of the people in this space is an adult (which is one of the things I find most appealing about Identity). He’s been building software companies since he left MIT in 1982. When he left his last position as President of the publicly traded BitStream in 2000, he left with the express intent of building a BIG company–one that could fundamentally transform the internet and leave a lasting legacy. So in 2000, when he co-founded Pariity with John Clipinger, did he set out to build an Identity layer for the internet?

As is the case for most people in this space (and another reason I find it so appealing), the answer is no. Paul had a vision of an internet where trust between people and organizations could be automatically brokered, similar to that expressed in the Augmented Social Network paper I discussed in my first post in this series. He wanted to surround each individual with a reputation layer and then build the algorithms that would help efficiently establish trust between those individuals. The problem that he and so many others have run into when attempting to “thicken” the data that surrounds us on the internet so that it can be shared across sites is that WE don’t exist on the internet. In other words, like so many others, Paul stumbled into the problem of Identity.

In 2003, about the time Paul ran into this problem, he caught wind of what Microsoft was implementing on the Identity layer and realized both that it would be perfect for what he wanted to accomplish AND that there clearly needed to be an open source implementation of iCards. So Paul’s project took both a turn to Identity and to open source, and Higgins, which now is primarily thought of as the open source implementation of iCards, was born.

I don’t want to go over the details that distinguish the Higgins’ implementation of iCards from CardSpace because it has been designed (intentionally) much along the sames lines, so that it remains compatible with that emerging standard. One important point to note though, is that it suffers from the same schizophrenic nomenclature as CardSpace, in that the Higgins the project encompasses BOTH the iCard selector that lives locally AND the server based technology for brokering claims.

Besides this, it does have one additional layer that is extremely powerful that deserves some discussion: the rCard. As I discussed in my CardSpace series, CardSpace supports a pCard (a PERSONAL card that allows you to assert limited claims about yourself) and mCards (that organizations with information about you use to “officially” assert information about you). So what is this “Relationship Card” (rCard)?

Two things distinguish and rCard from an mCard: persistency and bi-directionality. What do I mean by these two things and why should you care? With an rCard that is persistent and bi-directional, YOU can provide constantly updated assertions about YOURSELF to a claim provider. How might this work? Well, think about the implicit attention data currently locked up on your computer. Might you want to allow a company that serves as your “movie preference” claim provider to have a persistently updated stream of your implicit movie data? For example, if you established such a relationship with Netflix, they would have a real-time stream of your movie searching, viewing, and purchasing activity that occurred OUTSIDE of their site, and could thereby provide you and other sites where you used their “Movie iCard” with better recommendations.

So the rCard puts YOU back in the loop of the iCard claim stream and allows you to automatically update that information on a POLICY basis. In other words, with an rCard, you can set a policy that defines WHO gets updates on WHAT data and WHEN at a granular level. If PERSISTENT, GRANULAR, BI-DIRECTIONAL data links sound familiar to those who’ve been reading this series, it should. Establishing those kind of data pipes are exactly what XRI/XDI are designed to do, and in fact Higgins uses XRI/XDI in the rCard layer.

So what are the most important things to remember about Higgins?

  1. The technology has been in development for FIVE years now, so you may want to think twice before duplicating it.
  2. It is MORE than just the open source iCard implementation. Identity is a MEANS to an end, not the end itself.
  3. With the rCard, YOU are back in the loop and can establish persistent and granular assertions about yourself.

Next up are the two final installments on iCards: a discussion of the Pamela Project and an interview with Kim Cameron of Microsoft’s Cardspace.

The History of Tomorrow’s Internet: Identity (iCards, pt 3)

It’s been over a week since I last posted for a number of reasons, but one of them is because in this post I wanted to explain how it feels for a regular person to use Cardspace. This poses a few challenges as we’ve used Macs exclusively in my work with angel investors at  Angelsoft since we began three years ago, and I’ve had a Mac at home for nearly as long. Little did I know this was only the beginning of my struggles.Now let me preface this post by saying that I’ve never been a big participant in the Mac vs. PC war. I ran a NetOps business back in the Web 1.0 days, and we managed high-volume Windows, Unix, and Linux environments successfully. More importantly, as someone who’s business it is to build great software, I KNOW how hard good UI is. Believe me, I work with a GREAT product team and we try REALLY hard to make intuitive software and we fail EVERY day. Having said that, this post isn’t going to paint a real pretty picture.My story begins in what I used to think of as my office. I USED to think of it as such because now my 5 month old rules the room, and I work out on the kitchen counter. I still keep my PC in the office though, so in between naps I sneaked back to play with Cardspace. The first thing you will note if you are one of the many people with a slightly older PC still running XP and IE 6.x is that you don’t HAVE Cardspace. In order to get Cardspace, you need to download IE 7.x and the .NET Framework 3.0 Runtime Components. NetFx3.com has a nice sandbox that will walk you through this process [Note: They link to the 3.0 .Net Framework, but 3.5 has been released and may have some UI improvements]. I hadn’t installed anything on Windows for years, but boy did this bring back memories–total download and install time: 1 hour, 15 minutes.Okay… now that you HAVE Cardspace, it’s time to create an iCard. An iCard is a visual representation of identity data. Cardspace has two kinds of iCards: Managed and Personal. A Managed card is issued to you by someone else (what I call a “Claim Provider”) who supposedly has “official” data about you, like the fact that you have a certain credit limit or are a citizen of a particular country. Since none of these exist, I decided to create a Personal card. To do this, I went to my Control Panel and opened up Cardspace.This is where I experienced the first slightly annoying thing about Cardspace. When you open Cardspace, for whatever reason, it takes over your entire computer. What do I mean by this? Your entire computer screen is dimmed except for the Cardspace light box and no keys function outside of Cardspace. Why was this annoying? Because I wanted to take screenshots! Nothing works for this. PrintScreen is disabled [Note: Mike Jones pointed out this is in fact NOT true. While all SCREEN elements are frozen, and PrintScreen APPEARS to do nothing, it actually does copy the screen–damnit!]. I had even gone to the trouble to install a better screenshot capture plugin–also disabled. I resorted to the 1970s solution of taking photos of what I was doing and they sucked so bad, I couldn’t use them. Fortunately, the Window’s geniuses at dotnetslackers.com figured out how to get screenshots, so I’m using them. So let’s create our first Personal iCard!Cardspace CreateNow as you can probably tell from the screenshot above this is actually what pops up when you try to use an iCard using Cardspace. They guys at Nethacker had already created one, but you’ll see essentially the same screen the first time, but with just the “Add” feature. Annoying UI feature 2: Click on the “Add a Card” icon and you will NOT be taken to an iCard creation screen. Instead the button at the bottom of the screen changes to “Add Card”. Click that, and then you’re taken to the iCard creation screen.Card create dialogOnce you get there, you will note the second shocker when it comes to Cardspace. The Personal card, which you can create, is limited to your most basic contact information. You CANNOT even add a picture of yourself (the upload pic dialog is for the image that YOU see to identify the card). There is no ability to add additional fields, so you are limited to your name, address, email address, phone numbers, and URL. This is pretty disappointing because I can think of all sorts of self-issued cards you might want to create, but apparently that’s not part of Cardspace.Alright, so anytime you touch Cardspace it locks the rest of your windows, the creation process is a little clunky, and you have no choice as to what kind of data to add–once it’s created though, it must be a pleasure to use right? To test this, I decided not to tax my new iCard too much and just use it to leave a comment on a blog. To do this, I chose Mike Jones’ cool blog, Self Issued, since I knew I’d seen the Cardspace login logo on it. After navigating to the blog, I easily identified the Cardspace login logo. When I clickd on it, I was taken to this screen (note I can use screenshots here because I haven’t entered Cardspace land yet):picture-4.pngSo this looks promising. I see Mike’s using the Pamela Project, which is a very cool project to help sites become relying parties for any kind of iCard (not just Cardspace). The natural thing felt like to click the Cardspace logo again, but when I hovered over it, my cursor failed to turn into a hand. The buttons at the top were hot, but those didn’t seem like something I wanted to click on. The words “Use your Card Now”, though equally tempting, also failed to register as hot. After about 20 seconds I decided to click on the icon even though it gave every indication of being dead–Bingo!Cardspace CreateOnce I clicked on the Cardspace logo, I saw my newly created iCard (note, the borrowed screenshots again, since my computer is now frozen). It actually looked a little different on my screen as it noted the site wasn’t verified as a bank or financial institution and also showed me Mike’s SSL cert. I was a little surprised about this, as most people have no idea what an SSL cert is and the primary purpose of Cardspace is to fullfill the UI requirements of the Laws of Identity. Regardless, I then chose my new personal iCard and selected “Send”.cardspace2_005.jpgInstead of sending my card and getting down to the business of commenting, I got the following screen (or actually one that looked basically the same). Apparently if you haven’t sent your iCard to THAT site before, even if you select to send it, you will be taken to preview. This is probably a good security feature, but annoying nonetheless (why even give me the option?). If I’ve created my personal card and KNOW what it contains, why do I have to preview it EVERY time I send it to a new site? Imagine every time you pay for something on a new site using your new Visa iCard. When you click send you will be required to look at all the information–I KNOW what’s on the credit card iCard, that’s the point.picture-1.pngReady to post? Not yet. Since my iCard is self-issued, Mike’s site (yes, the site is called self-issued.info ironically enough) doesn’t trust me and has now decided that I need to verify my email address. This is obviously a little annoying, but it brings up a good use-case for the first Claim Provider–one that has verified my email address, home address, and phone numbers, so I NEVER have to respond to an email or text message like this again.picture-2.pngAfter I got the email and clicked on the verification link in it, I was taken to the screen above. I don’t really know what it means, but I figured I should probably click on the (still dead-appearing) Cardspace icon again and it might let me post.picture-3.pngThe screen above signaled that my journey might finally be over. I clicked on the “Go to Blog” link and I was logged in and ready to post. The posting went very smoothly and my name and URL showed up as I would have expected. A comment well-earned!So what’s the final analysis? Well, as I stated in the beginning, the purpose of this post isn’t to bash Microsoft or Cardspace. Like I said, I build software and when I actually see a normal person use it for the first time, I’m inevitably embarrassed at how difficult it is. Software is hard and Cardspace is brand new. Nonetheless, this does show how far the technology has to go before Mom and Dad are going to be using it. Usernames and Passwords are UBIQUITOUS. We’ve been trained on the visual metaphors for at least a decade. Replacing that with ANY other paradigm is going to rough. To have any chance of success, the Cardspace workflow will need to be much improved.

Doc Searls, VRM, and the Redemption of Tomorrow’s Internet

I spent a couple of hours on the phone with Doc yesterday as he ran back and forth across the Harvard campus, where he’s currently a fellow at the Berkman Center. The conversation was as frenetic and wide-ranging as his movements (from his personal past, through VRM, to the meaning of the modern day Catholic church), but despite this, there was a consistent narrative that helped me understand the real human energy behind VRM.

To really understand Doc, you’ve got to go back to 1969, when he was living with his parents, wife and two kids in Jersey, and his primary activity was avoiding getting sent to the jungles of Vietnam to fight a war. Beginnings like that help put into perspective modern day concerns like not having WiFi in the airport or too much foam in your Frappuccino. In 1976, he found himself playing the role of local radio persona (Doctor Dave–the origins of “Doc”) at a progressive rock radio station in Durham, N.C. and living in near poverty when a couple of local advertising guys noticed his ability to write and asked him to join their nascent advertising firm. Doc was tired of his life, saw this as a way out, and in 1978 Hodskins, Simone and Searls was born.

HS&S then grew to become the largest high-tech agency in North Carolina. Still, that day is significant because, as Doc’s wife would put it later, that’s when he sold out — not because he went into advertising, but because he gave up on radio, which had always been a passion of his. That passion was one of personal connection, not just between performer and audience, but between passionate and appreciative people on both sides. He saw radio not just as a one-way medium for performers and sellers, but as a two-way medium serving common interests and passions.

In 1984 a customer pointed out, “There’s more action on one street in Sunnyvale than in all of North Carolina,” so in 1985 Doc and company packed up and moved to the Valley where by 1987 they had became one of the top high-tech PR agencies and Doc’s role as one of the most prodigious connectors in the technology community began. It was in this role that in 1998 he was talking to Chris Locke and Dave Weinberger (also marketing guys) about the insanity of the DotCom boom and how to get rid of annoying clients when he told them his strategy: Markets are conversations; and conversation is fire. Therefore, marketing is arson. They thought this message itself might be fire-worthy, and a few months later, the phenomenon that was the Cluetrain Manifesto was born.

In 1999, the energy surrounding Cluetrain, Dave Winer’s insistence that he blog, and his wife’s revelation that he’d been living as a sellout for 20 years seemed to open a new horizon for Doc. At 52, in the midst of one of the biggest technology booms and busts this country has ever seen, Doc completed his transition from advertising guy to editor of the Linux Journal and the roving open-source evangelist he is today.

It is in this role (and his consistent role as connector) that the modern identity movement and its VRM off-shoot were born. Doc knew Kim Cameron before Zoomit and its Metadirectory (a technology with may similarities to the Identity Metasystem) were acquired by Mircrosoft. He knew Drummond Reed (XRI/XDI) and Andre Durand (Jabber and Ping Identity), and through his work with the Identity Gang brought in people like Brad Fitzpatrick (OpenID). As Doc explains, many Open Source movements are as competitive and proprietary as anything the corporate world could dream up, but from day one, identity has been a collective effort between technologists who knew that no one could build it all and that if it was going to work, it all would have to work together.

So what do Doc’s past and Identity have to do with VRM, and what is VRM anyway? VRM (Vendor Relationship Management) is the reciprical of CRM (Customer Relationship Mangement). CRM systems are the hugely complicated pieces of sofware where vendors store all the information they think they know about you (remember that time you yelled at the Verizon rep–they remember). They’re supposed to help the vendor provide you with better service, but the problem is that every vendor only has a small piece of you and since, you have no say in how they describe you, they are probably wrong (no Verizon, I’m not a dick–my dog died that day–and your service sucks!).

VRM’s goal is to help you play a larger role in the relationship between you and your vendors. Though its origins are earlier, the term stems from a conversation at Visual Identity World in Denver in 2004 where Drummond came up with “CoRM” (Company Relationship Management–later modified by Mike Vizard during a discussion on the Gillmore Gang to VRM). Any technology or system that puts the customer at the center of the relationship falls under the general umbrella of VRM, but the canonical version sees you owning all of the information that is currently locked in each vendor’s silo and sharing it with vendors as you choose. Obviously a strong sense of Identity along with the principles of Data Portability need to be in place for this vision to become a reality.

Doc and his past have a much more subtle but absolutely pervasive effect on the focus of VRM today. Currently he is working with public radio to enable listeners (particularly those of podcasts) to donate directly to the shows they like with a simple “buy” or “donate” button. Obviously Doc’s origins in radio play a role here, but more importantly, as a marketing professional for over 20 years, he came to see clearly how traditional advertising and fund-raising models create an inauthentic (and even destructive) relationship between buyers and sellers. In the long-term VRM may be about putting the customer in control in a number of ways, but in the short-term it’s a personal crusade against what Doc views as the scourge of the internet and as a practice fully against the principles of VRM–advertising.

Doc talks about Google and its corporate hubris with a sense of disbelief. As he described the excess evident in their Mountain View headquarters, you can see him taken back to the excess of an earlier internet boom where the only business model (and what was in fact, no business model at all) was advertising. As he points out, and what no one is really talking about is that the people–you and me–hate advertising. Not only is it an artificial and unwelcome intrusion into our personal conversations, it is hugely inefficient and ineffective. Vendors spamming every corner of the internet with their best guesses as to what they might be able to sell us isn’t a fair or rational conversation at all–and we’re learning to ignore it.

There is a deeper point to be made here though: how can we, the technorati, who are responsible for instantiating societal values through technology, continue to blithely gorge on the excesses that internet advertising bring us when we know full-well that the model isn’t sustainable and more importantly, that we’re building a machine reliant on wasting what we now know to be one of the most precious and most human resources–our attention?

As Doc rode the bus home, he and I ended our conversation discussing the passing of Bill Buckley and Doc’s occasional relationship with the Catholic church. It was appropriate as the VRM project is, in some sense at least, a project of personal redemption. Doc has spent the majority of his adult life helping companies reach their customers, and no doubt he’s taught them well. He’s now working to help us take back control of those conversations. From one sellout to another, I hope he succeeds. Happy Easter everyone.

Drummond on XRI/XDI and OpenID

At the IDtrust Symposium in Maryland, Drummond just presented a paper about how the XRI/XDI support in OpenID can be used to avoid some of the more wicked hacks necessary for some of the richer functionality in the OpenID 2.0 spec.  The paper is an interesting read and now public here:


For an overview of some of the cool features about XRI/XDI, check out my 3 posts on the History of Tomorrow’s web series here.

The History of Tomorrow’s Internet: Identity (iCards, pt 2)

In my last post I wrote about the 7 laws of identity. In this post, I’ll try to explain how Microsoft is implementing these laws through Cardspace. To begin with, we need to take a look at a diagram I posted back in the beginning of this series:


As I explained in that post, three participants make up this simplified view of the Identity Metasystem, a Subject (you), a Relying Party (the website that needs to authenticate you) and the Identity Provider (the service you and the RP both trust to assert claims about who you are). CardSpace encapsulates all of these entities and their interactions using the Web Services (WS-*) specifications.

Before explaining how this is done, just a brief word on the history of Web Services. Web Services are a suite of specifications that enable two (or more) different software systems to interact without knowing the details of the other’s technology. SOAP, the core specification, was released in 1998 and essentially defined a way to encapsulate data in XML. Since that time, many specifications have been developed that add advanced functionality to this simple idea. These specifications are collectively known as WS-*.

Now let’s return to Identity and our various parties in the above diagram. To represent your identity CardSpace uses the WS-Security Token. WS-Security was one of the first extensions of SOAP and, as the name implies, it specifies a way of protecting SOAP messages. Part of the WS-Security specification is the concept of a WS-Security Token, which is essentially a way to encapsulate tokens from existing security specifications into universally understandable security tokens. The cool thing about this is that, theoretically at least, your Identity Provider could use whatever security specification it prefers, convert the authentication data into a WS-Security Token and send it to the Relying Party, who could then translate the WS-Security Token back into whatever format of authentication it needed.

Now that we have a way to securely encapsulate our identities using WS-* Security Tokens, we need a way for websites (RPs) and your Identity Providers (IPs) to figure out what the RP needs and what the IP has. To do this, CardSpace uses WS-Policy and WS-Metadata. As usual the WS geniuses have named the services well. WS-Policy and WS-Metadata enable the RP to encapsulate and publish exactly what it needs (SAML token from the DMV asserting you are over 21) and WS-Metadata allows the IP to publish what it is capable of (I’m the DMV and have an over 21 claim for you authenticated using Kerberos).

Cool! Now that the RP and IP can figure out what each other has and needs, and they can both understand a WS-Security token we just need to convert their specification specific tokens into the WS-Security tokens. To do this CardSpace uses the WS-Trust specification, which, along with a LOT of other things, defines a Security Token Service (STS). The STS is a token exchange where the input can be any of five existing token profiles (Username, SAML, X.509, Kerberos, Rights Expression Language) and convert them into each other.

As you can see, all the communication technologies needed for CardSpace already exists in the WS* specifications. If you refer back to the 7 Laws of identity, you will note that I haven’t addressed Laws 6 and 7 that address making the Identity Metasystem usable by ordinary people. I’ll cover that in my next post.

The History of Tomorrow’s Internet: Identity (iCards, pt. 1)

In my OpenID report from SXSW I jumped to OpenID briefly, but I want to cover iCards before continuing down that road. iCards are the generic name (technically just for the client-side technology, but I’m using the term generically to refer to Cardspace and Higgins) for a couple of implementations of what has become known as the “Identity Metasystem”. The Identity Metasystem is in turn a formalization of what have become known as the “Laws of Identity”. So let’s backup to the beginning and talk about the Laws in this post.

In 2004, Microsoft was still smarting from its hugely ambitious and hugely unpopular Passport service. As a way to move forward, Kim Cameron, Microsoft’s Identity Architect, did an interesting thing: he started a blog. On his identity blog Kim started a discussion about why Passport had failed and how to properly bring an identity layer to the internet. In 2005, Kim encapsulated the discussion of the previous year in a white paper called “The Seven Laws of Identity”.

1. User control and consent: Pretty straight-forward—people should determine what information they share about themselves.

2. Minimal disclosure for a constrained use: This means the system should share ONLY what it needs to. The canonical example is buying booze. The Identity Metasystem should only say that you are “over 21” (necessary), not your actual age (too much information).

3. Justifiable Parties: Only parties that need to be involved should be involved. This one is a little tricky—how to we determine who needs to be involved? The short answer is you do. The point of this is NOT that there shouldn’t be a third party (like an Identity Provider), the point is that if there IS a third-party, it should be clear to YOU that they are involved so you can make the choice whether to proceed.

4. Directed Identity: A directed identity is one intended for a particular party (e.g. my medical records for my doctor). It seems OBVIOUS that an identity metasystem would do this, but REALLY what this law is asserting is that the system shouldn’t use correlatable information as your identity. In other words, an identity metasystem that decided to send your Social Security number to every site that wanted to verify you are you would be subject to GROSS abuse. Instead, the IP should send a unique token to each site, so that it isn’t easy for them to realize you are the same person across sites.

5. Pluralism of Operators and Technologies: This just means that we can’t have a single company or a single technology manage identity for the internet. The prohibition against a single company is pretty obvious, as that company would be WAY to powerful. The prohibition against a single technology is more controversial. On the surface it makes sense for the identity layer to handle any previous and future protocols and security frameworks. In reality though, the internet has done pretty well relying on HTTP, and there is a real question as to whether this law adds unnecessary complexity.

6. Human integration: Put simply this means the metasystem should be as clear as possible to ordinary people. Implicitly it means this need should overrule other considerations (like UI customization or rad design). This is also the “anti-fishing” law.

7. Consistent experience across contexts: This is kind of a weird one, but essentially it means that whether you are handing over your medical records or just your email address, the experience should be consistent enough so that in both cases you know that you are giving up a piece of your identity.

I’ll save the discussion as to whether these laws are ALL really necessary and some of the real historical reasons for their inclusion for other posts. Next up is the actual implementation of an identity metasystem that Kim derived from these laws and after that the Higgins project.

SXSW Report: A Critical Look at OpenID

I’ve been intending to write about iCards next, but Paul and Kim have yet to get back to me. Since I just got out of the OpenID panel at SXSW, I’ll go ahead and cover the panel. Beware–This is going to be a long one.

I actually made my way through the labyrinth that is SXSW to one of the lesser rooms about 15 minutes early (WAY early in SXSW time). To my shock, the room was already packed (300-500 people). Even more telling, this was a very sophisticated 300-500 people. I would guess that about a quarter were implementing or looking to implement identity solutions in some form or another. In other words, this space is SCALDING hot.

Jason Levitt (formerly with Yahoo) moderated the panel. Artur Bergman (Wikia), David Recordon (Six Apart), Simon Willison (simonwillison.net), Andy Smith (Google), and George Fletcher (AOL) were on the panel and seated from left to right in the order I’ve listed them. I’ll probably describe the panel as I describe the participants, so let me just make clear (before I say anything that can be construed as snarky) that all of these guys did a great job and all of them clearly understand the identity space very well. Besides the fact that it is of personal interest to me, this was one of the best panels of the event.

Jason Levitt—It was a little funny watching him trying to “moderate” this discussion. After Simon gave a (very good) overview of OpenID, Jason was going to do a small presentation about Yahoo, but his laptop wasn’t cooperating. While he was trying to fix it, an impromptu conversation began between the audience and the panel. By the time he finally got his computer working, the few slides were almost an unwelcome interruption. He then tried to take over the questioning from the audience and the panel over-ruled him. As his last act as moderator, he requested that AT LEAST audience members should ask questions from the microphone. Overall, he did a good job of letting go, which was clearly the right (though not necessarily easy) thing to do.

Simon Wilson—As I already mentioned, Simon gave a very good overview of Open ID. A few points were of particular interest:
1. He demonstrated that once you sign into an RP (relying party–a site that needs to authenticate you) with your OpenID, your OP (open ID provider) can ask you if you would like it to remember that you trust that site. This means OpenID can support persistent trust relationships.
2. He demonstrated “Simple Registration”. These are 9 common registration fields you can choose to have your OP give to any RP. This is huge because it means you can associate and share identity claims through your OP.
3. He also explained that in Open ID 2.0, the RP can use their base URL (e.g. aol.com) instead of the unique identifier (opened.aol.com/drstarcat). The cool thing about this, is you could have a button that says “Authenticate with Aol” instead of the more technical “Please enter your Open ID URL here”.

I haven’t run into Simon before, but he was introduced as an Open ID evangelist—NO KIDDING! He was RELENTLESSLY positive about the technology. The audience was sophisticated and asked some real questions. Simon’s answers were overwhelmingly optimistic:
1. If someone gets my OpenID, can’t they login to all my sites? Yes, but this happens if they get a hold of your email as well (they can send password reminder requests).
2. What about fishing? Paypal has the same issue and survives.
3. Big companies refuse to be relying parties? Not an issue. Google, Yahoo, and AOL don’t NEED to be relying parties. Open ID is best for smaller sites that don’t want to deal with registration.
4. Doesn’t the big two (Google and Microsoft/Yahoo) serving as THE OPs become just like Passport was back in the day? Nope, two is better than one.

I don’t necessarily disagree with any of these points, but I would have appreciated some acknowledgment of the real challenges that face Open ID (and any identity solution). Regardless, Simon is a great evangelist for Open ID, and I’m sure we’ll be connecting in the future.

George Fletcher—George was main “adult” in the room (he actually has grey hair!), and was also the most moderate voice. He’s in charge of implementing OpenID at AOL, and it’s pretty clear he understands the issues. One of his recurring themes was that OpenID really needs more requirements around it’s security layer (like mandating SSL) if it’s going to be trusted.

He also didn’t gloss over the question about why no major Internet properties are relying parties. Simon turned to him to claim that AOL was opening its properties to OpenID authentication (this is a common and mistaken claim based on Ficklets, a unique Aol property), and George tellingly gave him a little “not really” shake of the head. He basically admitted that properties that are tasked with protecting real user assets aren’t likely to use OpenID until some of the security and trust issues can be resolved.

The Implementors (David, Artur, and Andy)—I’m not lumping these three guys together because they are less important or distinctive. Just the opposite—David and Artur really drove much of the conversation and gave some of the best answers, and anyone who reads this blog will know that, as someone who likes to build things in reality, I like and respect nothing more than real implementors . These guys are exactly the kind of people I love on my team.

David, bushy-haired and having a lot of fun, made a few great points:
1. Because OPs focus on providing identity as a job, they can devote all their resources to doing it correctly.
2. Security vendors who come up with security enhancements will be able to more efficiently market their improvements with a few OPs (instead of millions of RPs).
3. Becoming an RP is a good idea for a startup (by reducing technical and legal liability); whereas, becoming an OP is a very bad idea (by increasing technical and legal liability).
4. There are no real OpenID adoption metrics, as its distributed nature makes this nearly impossible.

Artur gives the slightest impression of a German (Swedish?) economy of emotion and words, but also made some great points and was having some real fun. His primary response to most questions was, “That’s the responsibility of the OP”. In other words, I think he feels that not every issue should be solved on the specification layer (though he did advocate additional, optional specifications for more secure OpenID implementations); rather, it is the responsibility of the OP to innovate and find ways to become a trusted provider. This makes a lot of sense, as this will allow the market to determine the correct trade-offs between security and usability.

There were actually a number of other great things that came out of this panel, but I’ll save most of those for later posts. Two important takeaways though:
1. OpenID DOES define an “attribute exchange” layer, which extends the “simple registration” fields, so that an OP can use the protocol to broker identity claims.
2. OpenID along with OAuth can compete with much of the functionality of iCards and, because of their simplicity, have emerged as the stack to beat in the identity space.

The History of Tomorrow’s Internet: Identity (iNames, pt.4)


The names of Ootao and Andy Dale come up a lot when you’re looking at the identity landscape, but if you look at either of their sites, it’s pretty hard to understand why. Further Andy Dale’s got a British accent, came to the Bay area from Israel, and pronounces his company’s name “Ew’ Dow”. Pretty mysterious stuff indeed! Look a little deeper though, and you’ll find one of the most practical and passionate implementors of real world identity technologies, particularly those surrounding XRI/XDI.

Andy and Ootao (Andy is VERY quick to mention that it is a team effort) are the enterprise guys who can actually build real life, highly scalable services in the identity space. Go to an iBroker? Chances are it’s running off of Ootao’s infrastructure. Heard about Plaxo’s OpenID implementation plans? Ootao’s there too. One of Ootao’s most ambitious projects to date is an XRI/XDI implementation they’ve done for the La Leche League (an organization that promotes breastfeeding). This may sound like a strange combination, but not if you understand LLLI’s needs and what XRI/XDI are great at. LLLI wants new mothers to be able to self-organize into communities around the world. Spontaneous self-organization requires people to have both a strong personal identity AND the ability to share aspects of that identity selectively. If you remember back to my post about XRI/XDI, establishing these granular trust relationships is exactly what XRI/XDI are great at.

Talk to Andy though, and LLLI is just the beginning. Ootao has created a new services company called Wingaa (great name, great logo, TERRIBLE user interface on their site!). It takes some digging, but essentially Wingaa is offering a suite of services to Registrars that enables them to turn your newly purchased URL into you Identity Hub. Want your URL to be your OpenID address? Done. Want your home page to be your personal iName contact page? Done. Want to access all your identity related accounts (Linked In, Facebook, Blog, etc.) at a single URL? Done. And Ootao is doing this the right way by building the INFRASTRUCTURE and allowing the companies that already have a relationship the person enhance that relationship using their tools.

As I wrote in my first post about the identity movement, one of its greatest strengths is it’s idealistic roots. This has also been an Achilles’ heel though, as it’s struggled to build out the necessary technologies and find viable business models. The people of Ootao come out of the enterprise and are implementors at heart. Because of their unique mindset they have played and will continue to play an important role in the ever evolving identity landscape.

The History of Tomorrow’s Internet: Identity (iNames, pt. 3)

In my last post, I covered the history of iNames to demonstrate how hard it is to create internet-wide standards and how important it is for them to be absolutely open. In this post, I want to explain the business model behind iNames. I’m doing this for two reasons:

1. Finding business models for identity products is REALLY hard.
2. If you ever think of getting an iName, this stuff is pretty confusing.

If you’ve read my previous posts, you should have a basic understanding of XRI/XDI (the technology behind iNames) and know that it is now an “open” standard. But what does that mean? A few things:

1. The XRI/XDI specifications are managed by their respective Oasis (the XML standards body) technical committees.
2. The patents that govern the technology have been licensed exclusively to XDI.org, a non-profit public trust organization.
3. Anyone can implement the technologies for any purpose without the prior consent of XDI.org.

So how does Cordance, the company that bequeathed the patents to XDI.org ever hope to make any money (which if you refer to the companies history has been a pressing issue for some time)? Well as part of the bargain for handing over the rights to the XRI/XDI technologies, Cordant was granted the right of first refusal to be the GSP (Global Service Provider) for any Global Services XDI.org might want to offer for the first 15 years after the Global Registry Service went live (2005). Let me attempt to unpack this.

As I explained before, XRI and XDI are cool technologies because they allow extensible, persistent, permissioned, granular connections between two data elements (like people). Now imagine if the unique identifiers for each data element could be resolved using a web browser by referring to a global registrar (like domain names) for each of these data elements. Essentially using simple syntax, you could define what elements about you any website in the world had access to. Cordance, along with Neustar (a giant registrar infrastructure company that runs among other things the .biz domain) has built this global registry.

Since Cordance is the defacto GSP for all XDI.org services, they are essentially the wholesale registrar (think Network Solutions) of high level XRIs (think names and companies). Cordance also authorizes iBrokers (think GoDaddy) to retail these high level XRIs. If you’ve followed the history of Network Solutions, you will understand this can be a pretty valuable business. VERY valuable in fact, IF web browsers spoke XRI/XDI by default (which they don’t).

If they did, however, not only would Drummond‘s patience with the technology finally pay off, it would hugely simplify building a powerful identity layer into the internet. More broadly, it would make it possible to build persistent, granular “trust contracts” that would make it MUCH easier for all of us (people and companies) to control what information we would like to share with each other.

As to whether this will ever happen is very much in the air. I hope, however, that by explaining how difficult it has been for Cordance to free the technology and yet still make enough money to provide a meaningful service, we can understand how difficult the “business model” problem for identity companies is going to be to crack. In my next (and final) post on iNames, I’ll write about the mysterious Ootao and its founder Andy Dale.

Meeting at SXSW…

Hey all,I’m going to be at SXSW interactive Sunday through Tuesday this year. The company I manage (www.angelsoft.net) is the software provider to about 12,000 angel investors around the world and on Friday we’re releasing a way for entrepreneurs to apply to an open deal space where our investors can pull deals from (in addition to applying directly through the group’s website, which is the only way it works now). This is the first time entrepreneurs will be dealing directly with us, so we thought it would be worth the trip.If anyone is going to be there and would like to meet to discuss Identity, DP, Recommendation Engines, or the Attention Economy, I’d be happy to do so. I also manage a small angel fund and am always looking for good deals in this space to invest in. You can reach me at =rj to set something up.

The History of Tomorrow’s Internet: Identity (iNames, pt. 2)

In my last post I wrote about some of the cool things about XRI/XDI. In this post I want to focus on the history of trying to make XRI/XDI an internet standard. I’m doing this because we’re going to have to do something on an internet-wide scale to solve the identity problem, and I want us to understand both how hard it is and how important it is to be open. XRI/XDI didn’t follow the most direct path in either case (as you will see), but in the real world paths are seldom straight.

Let’s jump into the wayback machine to 1995. Netscape is still crashing your computer every time you run it because it’s a memory hog. Drummond Reed‘s teamed up with Peter Heymann (ex-Microsoft, ex-Warton MBA guy–nice!) to build a company called Intermind (the first company to own the XRI/XDI patents). They’ve been working on this “Communication Objects” technology that’s kind of like RSS, and by 1997 they’ve raised around $17 million and have a team of 70 people. One morning Drummond wakes-up and Microsoft has dropped an open standard that competes directly with his proprietary one and his business evaporates. What do you do?

Well, you first probably try to shop around your intellectual property (which he did, to Netscape in particular). Assuming you don’t have any takers (which he didn’t), you probably learn from your mistake and make sure the next time you try to implement a standard, you make it an open one (which is what Drummond did). He joined the P3P (privacy platform preferences) technical committee and let Tim Berners Lee know that even though Intermind held patents that might cover what they’re trying to implement, he wanted to play open this time.

Now let’s fast forward a few months and note that Microsoft is playing a VERY heavy role in the P3P TC. Let’s also note that Netscape has noticed and is (belatedly) trying to get involved. If you’re Netscape and you see Intermind on the TC, you probably think, “Hey, isn’t that the company that was trying sell us the patents covering all this stuff”. As Netscape you probably bring this to the TC’s attention too, which they did. Tim Berners Lee asks Intermind to make a declaration of their intent about these patents.

Okay, so remember a few posts ago how Drummond’s like the drummer, who’s the only consistent member in a band that keeps changing names and members? Well Intermind has a brand new CEO from the telco industry (who shall remain unnamed because he’s about to make a big mistake). Drummond, remembering back to that painful morning when he got out-opened by Microsoft, thinks the obvious thing to do is to declare that Intermind intends to release the patents to an open standards body. Telco CEO says he’s got a better plan and announces that Intermind will charge royalties. Now wakeup to WSJ articles claiming you’re holding the internet hostage, lose your place at the P3P table, and remember really hard that next time you’re introducing a standard, it better be open.

Fast forward a few more years–new CEO, $30 million more, IP in a public trust (XNS.org), specification being managed by OASIS (the XML standards body). So far so good, but how do make money? Well, new CEO wants to build enterprise software based on the now open standards. Good idea. CEO doesn’t know how to sell enterprise software (bad), Dotcom crash (very bad), 9/11 (tragic). No more company–join the crowd.

What do you do? Well, remember, you’re Drummond Reed and you love this technology, so you get new investors, new CEO, and make one(?!!) more go of it. That company is Cordance. In my next post I’ll explain the relationships between XDI.org (formerly XNS.org, but same public trust of IP), Cordance (iNames Global Service Provider), Neustar (iNames Registrar Infrastructure Provider), and iBrokers (iName retailers).

Latest XDI RDF model…

Drummond pointed me to the latest XDI RDF model for those who’d like to go a little deeper. You can get it at: http://wiki.oasis-open.org/xdi/XdiRdfModel

It’s very similar to the original concept, but more in line with current technology trends.

The History of Tomorrow’s Internet: Identity (iNames, pt. 1)

The first branch of the identity movement I want to write about is iNames. Your first introduction to iNames will probably come the first time you read a blog about identity or email someone in the identity community. The only way to contact them will often be through their iName, which looks like “=whatevericallmyself”. My iName is =rj. Your first reaction is likely to be: What the hell is that thing and why would anyone want one?

Good question. iNames are an implementation of a set of technical specifications called XRI/XDI that has been under the stewardship of Drummond Reed since at least 1994. The specifications haven’t always been called XRI/XDI (originally Communication Objects, then XNS), and the company associated with them hasn’t always been Cordance (originally Intermind, then One Name). Drummond and the core concepts are about the only things that have survived throughout (If XRI/XDI ever really catches on, he may be known as St. Drummond for his infinite patience!).

So what is XRI/XDI and who cares? Also a good question. XRI is a way to refer to things on the internet (e.g. people, businesses, addresses, etc) that creates a permanent machine-readable identifier (a number) along with a human-readable identifier that can change over time. This is cool for identity because whereas I may want you ALWAYS to have access to my address, the actual CONTENT of that address is likely to change over time. With XRI, my address is a data element assigned a PERMANENT numerical identifier, but the human readable identifier can be changed (and even transferred) to someone else.

Okay. Midly cool. XDI is VERY cool though. What XDI enables is a way to create a PERMENANT, PERMISSIONED, GRANULAR pipe between two data elements. So taking the address example again, let’s say both you and I have an iName, which is just a specific kind of XRI for people and means we each have a permanent number and a modifiable human-readable name. Using XDI, I can establish a PERMANENT (unless I revoke it) link between the two of us that allows you to have access (PERMISSIONED) only to my work contact information (GRANULAR).

Better yet, since both XRI and XDI are extensible (that is, you can associate as much stuff as you want to them), my XRI can have ANY number of data elements associated with it (contact information, preferences, friends, music, etc.) and the link between us can have ANY number of rules (contact info: allowed, auto-update: allowed, friends: denied).

This stuff is a little complicated, but if you’ve started thinking about how to OWN and CONTROL your identity data on an INTERNET-WIDE scale, without drowning in complexity, and without having any ONE company in control, you will quickly understand that the existing internet protocols aren’t up for the task. If you were then to spend the next ten years working through all the technical and political issues surrounding what’s missing, you’d probably have something that looks a lot like XRI/XDI. On my next post I’ll write about the ownership of the XRI/XDI specifications and Andy Dale and Ootao, the primary implementers of the technology. In the mean time, take a look at this paper on XDI to go a little deeper.