Wednesday, May 21, 2008
Temporal discontinuity
A comment Eve just made on a call prompted this.
Consider some magazine to which I've subscribed. The mag only needs my address at the start of every month, just in time for sending out that month's edition.
Their demand curve (I'm sure there is a proper economics term) for my address looks like
If the magazine relies on me actually visiting their site (to view online content etc) as the mechanism by which it can get the most recent address, then they are at the mercy of my erratic visit schedule for the update operation.
If I happen to move in mid February
then I don't get the March edition.
Infocards, ID-WSF, and R-Cards
Although I think the name is misleading (do not other cards also represent relationships?), Higgins' R-cards are interesting.
My (current) understanding is that R-cards are used to establish a long-lived, secure & privacy-respecting 'identity pipe' (or is it a bus?) between some entity that holds a user's identity, and another that wants those attributes. Unlike the relationship enabled by 'normal' cards, the R-Card relationship works even without the user's explicit participation/mediation at the time of sharing. (how about a name that reflects this distinction, e.g. Direct-Card, Silent-Card, etc?)
What R-cards don't do is define just how the identity actually flows, i.e. what are the specifics of how the requestor asks for the attributes, in what format are they passed, how can the requestor subscribe to be notified should they change etc.
That's where something like Liberty ID-WSF is needed, because ID-WSF defines just this sort of plumbing.
Fundamentally, to get things going for ID-WSF, the requestor needs to get a WS-Addressing EndpointReference (EPR) (as profiled by Liberty) for the user's Discovery Service. Once armed with this DS EPR, the requestor would be able to obtain the EPRs for particular service types, e.g. contacts, calendar etc.
The graphic below portrays this simplest case.
As modelled, the originally provisioned card does not capture a semantic of 'this attribute is stored at this provider' but rather 'This card can be used to discover where the user's attributes are stored'. Is this weird?
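As an added illustration of the two-step lookup just described (this is not Higgins or Liberty Alliance code): the card carries only the Discovery Service EPR, and the requestor has to ask the DS for the EPR of each attribute service it wants. The service type URNs, endpoint addresses and user names below are constructed placeholders, not real Liberty identifiers.

```python
# Added illustration of the two-step discovery described above; this is not
# Higgins or Liberty Alliance code. Service type URNs, endpoint addresses and
# user names are constructed placeholders.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class EndpointReference:
    """Minimal stand-in for a WS-Addressing EPR: where to call, and for what."""
    address: str
    service_type: str


@dataclass
class DiscoveryService:
    """Per user, the EPRs of the services that actually hold their attributes."""
    address: str
    registry: Dict[str, Dict[str, EndpointReference]] = field(default_factory=dict)

    def register(self, user: str, epr: EndpointReference) -> None:
        self.registry.setdefault(user, {})[epr.service_type] = epr

    def lookup(self, user: str, service_type: str) -> Optional[EndpointReference]:
        """Return the EPR for one service type, or None if the user has none."""
        return self.registry.get(user, {}).get(service_type)


@dataclass(frozen=True)
class RCard:
    """The card says 'ask here to find the data', not 'the data is here'."""
    user: str
    discovery_epr: EndpointReference


def resolve_attribute_service(card: RCard,
                              known_ds: Dict[str, DiscoveryService],
                              service_type: str) -> Optional[EndpointReference]:
    """Step 1: the card names the DS. Step 2: the DS names the attribute service."""
    ds = known_ds.get(card.discovery_epr.address)
    if ds is None:
        raise LookupError("card points at a Discovery Service we cannot reach")
    return ds.lookup(card.user, service_type)


# Constructed placeholders, not real Liberty service type identifiers.
DS_TYPE = "urn:example:disco"
CONTACTS_TYPE = "urn:example:contacts"
CALENDAR_TYPE = "urn:example:calendar"


def demo() -> Dict[str, Optional[str]]:
    """Provision one card, then resolve two service types through it."""
    ds = DiscoveryService(address="https://ds.example.net/disco")
    ds.register("alice", EndpointReference("https://contacts.example.net/alice", CONTACTS_TYPE))
    card = RCard(user="alice", discovery_epr=EndpointReference(ds.address, DS_TYPE))
    known = {ds.address: ds}
    contacts = resolve_attribute_service(card, known, CONTACTS_TYPE)
    calendar = resolve_attribute_service(card, known, CALENDAR_TYPE)
    # The card never mentions the contacts provider; only the DS does.
    return {
        "contacts": contacts.address if contacts else None,
        "calendar": calendar.address if calendar else None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete: a requestor holding the card can reach the contacts service only via the DS, and a service type the DS has not registered (calendar here) resolves to nothing, so the card carries no 'this attribute lives there' semantic of its own.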
An experiment in privacy
To test the Google Health privacy policy, I plan on adding all known conditions, diseases, and ailments to my profile.
The theory is that if some drug company contacts me with an offer to participate in a drug trial, then I'll know that Google sold my data to the highest bidder. If not, I will continue to trust Google with my calendar info.
I plan on working through alphabetically as the interface for adding conditions is slow & clunky (why not a 'Select All' option?)
I've learned to live with the fissures, but I do confess that the pap smear results have me concerned. And the 'premature' thing? That was just once!
A counter example
Not discounting the power of token issuance chaining as explained by Vittorio, I offer the following as an example of the fragility of the model.
- Friend1 owes me money for hockey
- Friend1 gives money to Friend2, says 'Pass to Paul'
- Friend2 gives money to WifeOfFriend2, says 'Pass to WifeOfPaul'
- WifeOfFriend2 gives money to WifeOfPaul, says 'Pass to Paul'
- WifeOfPaul gives money to Paul
This is of course the 'theoretical sequence'; the actual sequence broke down somewhere around the steps involving the more feminine endpoints.
Net net, Paul has no money, and hears a lot of 'Oh what a nice summer dress, is it new?'
Bi-channel infocards
Axel is pushing for mobile infocards.
To my mind, an interesting twist of a mobile selector is that the resource being accessed need not be accessed on the mobile, i.e. a mobile selector can be used to facilitate PC based access.
When surfing from a PC, rather than rely on any selector on the PC, use the one you have on your phone (and thereby indirectly achieve card portability across different PCs). This is the same model that NTT explored with our SASSO - a SAML IDP on a phone.
One challenge for this model is solving the 'how do I wake up the identity agent?' issue. In the 'normal' sequence, the selector is invoked by the browser (or some other application) when it comes across some indication from an RP that identity is being sought.
Not so easy to do when the application is on the PC, and the selector on a phone.
You either have the PC communicate the invocation to the phone (through Bluetooth, QR codes, etc), depend on the selector to determine if it needs to wake up at any instance (by polling, etc), or have the user manually launch the selector.
Tuesday, May 20, 2008
A Kick Asa Demo
Ha-ha.
Asa has posted a write up of his IIW demo of 'OpenID bootstrap to ID-WSF'. (a horrible misnomer, because as cool as that part is, the demo shows so much more).
Asa has long hair, wears sandals, and advocates local currencies. I have much to learn from him on the topic of 'hipness'.
Asa is also a serious non-conformist, as evidenced from the accompanying PDF
I use RED-ID to log in to my home made twitter platform and proceed to twit (I know it is tweet, but I like twit)
That way leads to anarchy young man.
I may decide to be a non-conformist, but I want to see how the crowd goes first.
Verified by OoTao?
Andy posts about OoTao's MCP supporting verified emails and i-names.
If you want to consume these claims you will need to ask for:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/verified/emailaddress
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/verified/iname
The 'verifiedness' (verificity? verifiability? verificatiousness?) is built right into the claim identifier.
To my mind, the level of assurance that can be ascribed to a claim is orthogonal to the claim itself. An IDP makes a claim, and then provides supporting information to help an RP decide how to treat it.
Do we need a 'Verification Context'?
And maybe I want only a 50% verified claim .... :-)
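An added example (not OoTao's code) that puts the two models side by side: verifiedness baked into the claim identifier, as in the two URIs quoted above, versus a claim type left alone with a separate verification context that the RP evaluates. The 'verified' identifiers are the ones from the post and the plain emailaddress identifier is the standard infocard claim type; the VerificationContext fields, method labels, confidence values and RP thresholds are constructed for illustration.

```python
# Added example contrasting the two ways of signalling verification discussed
# above; this is not OoTao's code. VerificationContext, its method label,
# confidence values and RP thresholds are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL = CLAIMS_NS + "emailaddress"              # standard infocard claim type
VERIFIED_EMAIL = CLAIMS_NS + "verified/emailaddress"   # quoted in the post
VERIFIED_INAME = CLAIMS_NS + "verified/iname"           # quoted in the post


def verified_by_identifier(claim_type: str) -> bool:
    """Model 1 (as posted): verifiedness lives in the claim URI.
    The RP learns only yes/no, and must request a second URI to get it."""
    return claim_type.startswith(CLAIMS_NS + "verified/")


@dataclass(frozen=True)
class VerificationContext:
    """Model 2 (the post's suggestion): supporting information sent alongside
    the claim so the RP can decide how to treat it."""
    method: str        # constructed label, e.g. 'round-trip-email'
    confidence: float  # 0.0 .. 1.0, the '50% verified' of the post's joke


@dataclass(frozen=True)
class Claim:
    claim_type: str
    value: str
    context: Optional[VerificationContext] = None


def rp_accepts(claim: Claim, thresholds: Dict[str, float]) -> bool:
    """RP policy: the claim type is looked up unchanged; the decision rests on
    the orthogonal verification context, not on the identifier."""
    required = thresholds.get(claim.claim_type)
    if required is None:
        return False                 # RP has no policy for this claim type
    if required == 0.0:
        return True                  # self-asserted is fine here
    if claim.context is None:
        return False                 # no supporting info, cannot meet the bar
    return claim.context.confidence >= required


def demo() -> Dict[str, bool]:
    """Every entry should come out True."""
    policy = {EMAIL: 0.5}            # this RP wants at least half-verified email
    strict = {EMAIL: 0.9}            # a pickier RP, same claim type
    half = Claim(EMAIL, "paul@example.net", VerificationContext("round-trip-email", 0.5))
    bare = Claim(EMAIL, "paul@example.net")
    return {
        "uri_model_says_verified": verified_by_identifier(VERIFIED_EMAIL),
        "uri_model_plain_unverified": not verified_by_identifier(EMAIL),
        "half_verified_accepted": rp_accepts(half, policy),
        "unverified_rejected": not rp_accepts(bare, policy),
        "half_fails_strict_rp": not rp_accepts(half, strict),
    }


if __name__ == "__main__":
    print(demo())
```

With the context separated out, the same claim type serves both the lenient and the strict RP; with the URI model each new degree of assurance would need yet another identifier for the RP to ask for.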
For want of punctuation
Pat corrects what he interprets to be a misunderstanding on my part.
Actually, I mistyped when I wrote 'I bet not' (which admittedly does give the impression that I'm suggesting that fedlet WOULD NOT be reusable across different IDPs).
I had meant to write 'I bet. Not'.
The first sentence indicates my belief in the fedlet's power, flexibility and reusability. The second expresses my moral stance against wagers.
Pat, I hope that clarifies things.
SLO?
You don't get any more logged out than this.
Fortunately, QR codes have more mundane applications for identity.
Sun Fedlet
I understand the attractiveness of Sun's new fedlet (separately, the site gets my vote for most tenuous application of Guns'n'Roses - I'm seeing Axel drunk on stage at some future JavaOne) mechanism for quickly enabling federated operations with a partner, but how is it all relevant that fedlet is built on SAML?
If you control the technology at both the IDP & SP ends, the fact that both ends use a standard for messaging and assertions is irrelevant isn't it?
Would the fedlet, once deployed by an SP, be reusable with other IDPs (than the one that created it initially) and thereby be considered a quick and easy way to SAML enable an SP? I bet not.
Monday, May 19, 2008
Worrying rumour
Word from Redmond is that, inspired by this salesmanship fiasco, in order to demonstrate their corporate loyalty Kim and Mike are working on their own music video, a duet remake of the Beatles 'Please Mister Postman'.
I been standing here waiting mister postman
So patiently
For just a card or just a letter
Disquieting as that thought may be, I find it less disturbing than the conflicting rumour that the two of them will be performing 'O SAML Mio' with Vittorio.
Fallen Fruit?
I don't think I can count how many times I heard discussed at IIW the privacy challenge inherent in one user deciding to share their social network - the contents of which necessarily containing or referencing the PII of other users.
As far as I know, there is as yet no name for this effect/issue?
As they say, Nature abhors a terminology vacuum .....
According to Wikipedia,
Usufruct is the legal right to use and derive profit or benefit from property that belongs to another person, as long as the property is not damaged.
The word derives from the Latin words for 'use' & 'fruit' - the archetypical example is enjoying the apples from a tree growing in your neighbour's yard (and not harming the tree).
Is my sharing of the fact that you are in my social network an example of usufruct?
[Amateur Lawyers: insert comments here]
Full Circle
- User-centric is out, relationships are in, according to Bob at least. Rather than think of identity as being centered on the user, Bob argues that it is more appropriate to think in terms of the relationships that exist between the user and their providers (and their friends etc.)
- Bob draws an analogy between this interpretation and planetary dynamics. Before Nicolaus Copernicus, the belief (popularized by Ptolemy) was that the planets and Sun orbited the Earth - a so called geocentric universe. Copernicus proposed what he saw as a simpler model, he demoted the Earth from the center and placed the Sun there instead - a heliocentric model.
- As important as this shift was, Copernicus stuck with other aspects of the geocentric model. For instance, he still described the planets as orbiting on circular paths on fixed invisible spheres in space. So, a step closer to the truth, but no better at creating a stable calendar than Ptolemy.
- It was on the observations of the Dane Tycho Brahe that Johannes Kepler took the heliocentric model to the next level. Kepler used Brahe's data to calculate elliptical orbits for the planets, the motion due to a force of attraction from the Sun and no longer requiring magical spheres.
- Johannes Ernst led an interesting session at IIW entitled 'Partitioning the Space'. In that session, we developed an interesting way to think about how the relationships between customers and bricks'n'mortar stores deepen gradually and incrementally, but how typical consent models in federated identity completely break with this slow growth pattern (e.g. 'Do you consent to sharing all your identity attributes with this SP you've just met?')
Apparently Bob is correct, it is indeed all about relationships.
Sunday, May 18, 2008
Two Aussies and a Kiwi go into a bar
and write a paper on 'Use Cases for Identity Management in E-Government'.
Hmmmm, punch line sounded funnier when I heard it.
Separately, the award for 'Best Title in an IDM paper' goes to this surgically sharp Caesarian chapter (or is it a section?).
Relationship Therapy
Therapist: So, SP, why don't you get us started and tell me why you and User are here today?
SP: Well, I just think that User and I are drifting apart. The relationship was great at the beginning. I mean, User even had a password with me. And I stored all his attributes. We were really close.
Therapist: And that has changed?
SP: yes, ever since he has been hanging around with his new federated friends, things are different.
Therapist: How so?
SP: Well, for one thing, we never spend any, you know, err .... 'quality time' alone.
Therapist: Quality time?
SP: (blushing) yes, he uh, he always insists now that one of his IDP friends join us.
Therapist: And how does that make you feel?
SP: Well, let's just say that my Mother didn't raise me that way.
Therapist: OK, I see. User, why don't you tell me your view point.
User: Well, I don't see what the big deal is. Sure I'm bringing some IDPs home, but I'm just trying to spice up the relationship - the password thing was getting tiresome.
Therapist: And you think adding IDPs to the relationship will help?
User: Yeah, and I mean, it's not like I'm bringing home some Passport or anything. These IDPs are all right.
Therapist: SP, is the issue that you don't know anything about these IDPs?
SP: Definitely. User will have a few beers after work and then just show up with some IDP and, with only a very brief introduction, expect me to 'party', as he puts it. And then he says he wants to watch because he doesn't trust us!
Therapist: Just to clarify, by 'party' do you mean engage in the transfer of identity assertions?
SP: Well yes, but you don't have to be so blunt about it.
Therapist: Sorry about that. Would it help you if you knew more about these IDPs that User was introducing you to?
SP: Yes I think so.
Therapist: OK, I think we're getting somewhere. User, would you be OK with it if SP got this info about your IDP friends?
User: Sure, just so long as I still get, you know, serviced ....
SP: And a bottle of wine wouldn't hurt either. Maybe some flowers once in a while. An SP likes to feel appreciated after all.
Therapist: User...?
User: (sighing) Sure, wine & flowers sounds fair. Hey, can we talk about her Mother-in-Law always coming over?
Therapist: Let's save that for the next session. SP, are you in agreement that User can involve IDPs if you are able to find out more about them?
SP: Yes, but fair is fair, right? Maybe I might want to party with an IDP User introduces me to without User even being at home.
User: No way, nope, I'm not ready for that. I need to be present.
Therapist: Why don't we work up to that. Baby steps right?
Sensitivity Training
I think it was the psychology course I took in 1st year (or maybe it's because I'm an Ottawa Senators fan) but, for some reason, I am particularly attuned to the suffering and frustration of others.
That's why I'm able to read between the lines of Andy's post on Infocards and see what most people, oblivious to the subtle signals the post sends, would miss.
On the surface, Andy's post is an amusing romp of a story about an experience he had with Infocards, specifically logging in to leave a comment on Kim's blog. All seems well. Dig a little deeper however, go beyond the surface hunky-doriness, and there are tell-tale signs that the experience might not have been optimal for Andy.
For an emotionally aware person like myself, certain phrases act like signposts for Andy's, otherwise hidden, true frame of mind. Phrases like
- Infocard Hell
- frustrated anxiety
- I have now been trying to write .... about this damn post for 3 hours
are indicators that many just don't (or won't) see. You shouldn't feel bad if you missed them. I am, as I said, very sensitive.
Someone less sensitive than I, someone more inclined to go for a laugh at the expense of another, might say to Andy
'Hey man, stop your whining and suck it up. You've just come across the joy of tri-party communication interoperability.'
It's a curse being this tuned into the suffering of others. Weddings for example, make me cry every time.
Thursday, May 15, 2008
The Bard on ID Theft
Who steals my purse steals trash ....
But he that filches from me my good name
Robs me of that which not enriches him,
And makes me poor indeed.
I think it's fair to say that Will underestimated the business model.
Jack of all trades, master of most
If I didn't know I wouldn't see him for another month and a half, I'd hesitate to gush over George like a lovesick teenager but ..
There is nobody I know in identity that has a better grasp of ALL the various systems in play.
Whether SAML, OpenID, ID-WSF, XRI, Infocards, OAuth, XRDS, OpenSocial, FOAF, XFN, etc, I'd venture that George has 90% of all of them (and 100% of most of them).
I think I might have George on XDI (but only because I attended Markus's session this afternoon and he didn't). Take that Mister Smarty Pants.
In addition to George's unparalleled expertise in identity is his unmatched friendliness & easy going nature. Never will you hear a negative word from him.
I am actually quite proud of myself for not letting such clear character flaws interfere with our friendship.
FriendDA
Sensing an emergent meme, I want to make sure I get in as an early adopter.
Bob is modelling a relationship as (my interpretation)
some number of participants, taking on defined roles, and promising to abide by a set of rules with respect to sharing of claims
Bob makes the point that if society doesn't provide a sufficient set of rules or policies that a relationship can leverage, then the relationship needs to be able to define its own rules.
Pam called this a 'friendDA' last night at dinner.
Tuesday, May 13, 2008
Serendipity
It was by pure luck (for me, as he has a car and can drive me to and from the meetings) that I ended up in the same hotel as Peter for IIW2008a.
The lovely Ramada Inn Limited. Pool, hot tub and free breakfast. Business travel at its best.
It's the combination of Peter's bookings that is critical. If he and I were both in the same hotel but he had no car, then the benefit to me is limited, perhaps shared cab fare and some sarcastic and snide banter on the drive.
If on the other hand Peter had a rental car but was staying at a different hotel, then I would need to guilt him into picking me up and dropping me off each time. I've had great success with this ploy in the past but I don't like to overuse it.
What I would love is a hotel booking engine that, in addition to allowing me to filter hotels based on the normal criteria, e.g. free WiFi, pool, exercise room, etc, it would allow me to specify a search param of
"Only show me hotels where a friend who has rented a car is staying (and give higher weight to a convertible)"
This would be a special case of using your social network to help find services of interest and value, as in the diagram below (which I can't remember if I created, stole, or adapted)
In Liberty People Service, the rough flow would be
1) Expedia.ca, helping me book travel, discovers and queries my People Service to see my 'Travel Friends'
2) Expedia.ca uses info it gets from People Service to discover and query the 'travel calendar' of each of those friends
3) Expedia.ca uses info in my friends travel calendars to filter out hotels in my search
4) I ride for free
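The four-step flow above, run over constructed data, as an added example (this is not Expedia.ca's or Liberty's code): a People Service that lists a user's 'Travel Friends', per-friend travel calendars naming hotel and rental car, and a scoring rule that gives a convertible more weight than a plain rental. Friend names, hotels and cars are constructed placeholders.

```python
# Added example (not Expedia.ca's or Liberty's code) running the four steps
# above over constructed data. Names, hotels and cars are placeholders.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Booking:
    hotel: str
    car: Optional[str]   # None when the friend has no rental


# Constructed data standing in for the People Service and the travel calendars.
PEOPLE_SERVICE: Dict[str, List[str]] = {
    "paul": ["peter", "george"],        # pam is not one of paul's Travel Friends
}
TRAVEL_CALENDARS: Dict[str, List[Booking]] = {
    "peter": [Booking("Ramada Inn Limited", "sedan")],
    "george": [Booking("Hotel Other", None)],
    "pam": [Booking("Ramada Inn Limited", "convertible")],
}
HOTELS = ["Ramada Inn Limited", "Hotel Other", "Hotel Third"]
CAR_WEIGHT = {"convertible": 2, "sedan": 1}   # higher weight to a convertible


def travel_friends(people_service: Dict[str, List[str]], user: str) -> List[str]:
    """Step 1: discover and query the user's People Service for Travel Friends."""
    return people_service.get(user, [])


def friends_cars_by_hotel(calendars: Dict[str, List[Booking]],
                          friends: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Step 2: query each friend's travel calendar; keep only friends with a car.
    Returns hotel -> [(friend, car), ...]."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for friend in friends:
        for booking in calendars.get(friend, []):
            if booking.car is not None:
                out.setdefault(booking.hotel, []).append((friend, booking.car))
    return out


def rank_hotels(hotels: List[str],
                cars_by_hotel: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, int]]:
    """Step 3: keep only hotels where a car-owning friend stays, scored by
    summing car weights so two possible rides beat one."""
    scored = []
    for hotel in hotels:
        score = sum(CAR_WEIGHT.get(car, 1) for _, car in cars_by_hotel.get(hotel, []))
        if score > 0:
            scored.append((hotel, score))
    return sorted(scored, key=lambda hs: -hs[1])


def free_ride(cars_by_hotel: Dict[str, List[Tuple[str, str]]], hotel: str) -> Optional[str]:
    """Step 4: the friend at the chosen hotel with the best car."""
    candidates = cars_by_hotel.get(hotel, [])
    if not candidates:
        return None
    return max(candidates, key=lambda fc: CAR_WEIGHT.get(fc[1], 1))[0]


def search(user: str,
           people_service: Dict[str, List[str]] = PEOPLE_SERVICE,
           calendars: Dict[str, List[Booking]] = TRAVEL_CALENDARS,
           hotels: List[str] = HOTELS) -> Tuple[List[Tuple[str, int]], Optional[str]]:
    """Run all four steps and return (ranked hotels, friend to ride with)."""
    friends = travel_friends(people_service, user)
    cars = friends_cars_by_hotel(calendars, friends)
    ranked = rank_hotels(hotels, cars)
    ride = free_ride(cars, ranked[0][0]) if ranked else None
    return ranked, ride


if __name__ == "__main__":
    print(search("paul"))
```

Note what the booking engine never sees directly: it learns only which hotels score, and from whose calendar, for friends the People Service has actually listed as Travel Friends. Pam's convertible at the same hotel contributes nothing to Paul's search until she is added to that list, which is the point of routing the lookup through the People Service rather than through a global calendar search.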
Faces as index
Do you not think that, given that 90% of people's photos are of the same people (either young & drooling, or older and intoxicated) over and over, that this privacy protecting process is somewhat irrelevant?
It's not you, it's me
Much talk yesterday about relationships at IIW.
In Drummond's macrame demonstration, Asa's ability to end the relationship with a single snip was portrayed as key.
In the absence of e-scissors (now there is a business model and domain name packaged up for you), how might relationships be ended?
Following are some of the 'relationship termination reasons' asserted to myself over the years, almost all of which might be used to sever an identity relationship.
- Work is really busy these days
- Let's still be friends
- You know, I was really drunk
- You're really awesome, but ....
- I like you, but not in that way.
- I'm not looking for a big commitment
- It was Spring Break!
Saturday, May 10, 2008
Talking Points
Last week I was at a Liberty Alliance TEG meeting, talking about
- Privacy Constraints
- Reconciling OpenID PAPE & SAML AC
- Profiling WS-Trust for security token issuance within ID-WSF
- a 'multi-device' SSO use case, where a user starts watching a video on her mobile, but then transfers the security & application context to her set-top box so that she can watch the remainder in HD
- a RESTful/like binding for ID-WSF
- Orange APIs
Next week, I'll be at IIW, where I expect to talk about
- a use-case from my own family that motivates Liberty People Service
- that beer Ping owes me
- s-Cards
- identity rights agreements & privacy constraints
- data portability
- how Ping never settles invoices in a timely manner
- a multi-factor authn use case that requires OpenID PAPE & SAML AC be reconciled
- how IIW 'Closing Circle' makes me think of summer camp
- legal options for forcing Ping to honour its debts