Thursday, April 30, 2009

A friend is planning a trip

The new math

Self worth = Twitter (# Followers - # Following/# Followers)

I posit that a score exceeding, oh I dunno, let's say 1.4834, means the individual is both friendly and insightful - with a tweet stream to match.

If your score is negative, you are pathetic. Or a successful web marketer. Or both.


In my deck at the RSA Workshop, I referred to all of OpenID, SAML, ID-WSF, cards, OAuth etc as federated technologies.

Even as I made the statement, I was prepared to duck, wincing mentally in anticipation of objections, as many disagree with the generalization and prefer to use 'federation' to distinguish among the various protocols.

Nice to see I'm not alone.

Wednesday, April 29, 2009

Me Tarzan

In 'The Unfolding of Language - an evolutionary tour of mankind's greatest invention', linguist Guy Deutscher presents a theory as to the processes and mechanisms by which human language might have evolved to its current power and complexity (as best exemplified by Shakespeare's sonnets, Japanese haikus, and Twitter streams).

According to the theory, human language evolved through opposing forces of destruction (our natural tendency to save effort by shortening and compressing words) & creation (new words).

Deutscher starts with a simple story, told without the structures such as prepositions, tenses, cases, conjunctions etc that give current language its expressiveness

girl fruit pick     turn        mammoth see
girl run        tree reach        climb     mammoth tree shake
girl yell yell             father run        spear throw
mammoth roar       fall

Justifying the above simple 'Me Tarzan' scaffolding as a legitimate starting point on which his evolutionary forces would have operated, Deutscher presents 4 'natural and transparent principles' (e.g. keep things that are close together in time close together in the story, etc) that, he argues, are sufficient.

The third principle is "Don't be a bore", i.e. those parts of the narrative which are less important, or can be understood from the context, need not be restated. For instance, reworking the story's first part and repeating the actor involved

girl fruit pick    girl turn    girl mammoth see    girl run     girl tree reach    girl tree climb

Because listeners can work out from the context that it was the girl that turned around, and not the mammoth, there is no need to restate it every time. To do so is wasted effort. The identities need only be made explicit when there are multiple possibilities, e.g. either the girl or the mammoth might have run away. At other times, identities may be safely left implicit (or replaced with time and effort-saving references such as the pronouns 'she' & 'it'.)

As a warning, Deutscher writes

Of course, speakers cannot always assume that the identity of the participants will be obvious to the listener.


Tuesday, April 28, 2009

Explicit assurance disclaimer

So I got that goin' fer me

I am happy to report that Canadian Tony Mandarich, ex NFLer, is following me on Twitter.

Apparently, his tweet stream is free of any illegal substance (unlike his urine stream of the past).

Which is nice.

A failed experiment

Motivated by Twitter's brilliantly inefficient 'reply' mechanism (i.e. you reply to a person, and the burden of determining which of their Tweets motivated you to do so falls on them), I began this morning an experiment in applying this model to other communication channels.

Word to the wise, busy women balancing the demands of a young family, an immature husband and a nursing career may not appreciate the value of a conversational model in which your participation manifests itself as randomly replying to previous statements or queries of your partner.

Calling it 'paradigm shifting' will fall on deaf ears.

Friday, April 24, 2009


After forgetting I last signed into Twitter as one of my alter-egos, the 'following' I did this morning all inadvertently occurred under the purview of that identity.

Error: Selector is jammed

I have to believe these would get stuck.

Something to chew on while we wait for RPs though.

Thursday, April 23, 2009

Turns out it was a rant

Update: my people tell me that existing Liberty members will have to go through a membership registration process, i.e. it will not be an automatic transfer.

In a comment, Dave clarifies
It was a rant, Paul.

Thanks Dave, if there was a standard for semantic blog tagging, we could avoid confusion like this (and I could  apply a useful filter to my RSS reader).

Dave goes on
But it seems you (unlike those of us on the outside) have access to the KI members list - could you please post all of it (or did you)?

What was announced on Monday at the workshop was a call for participation - not the actual launch. There wasn't even a press release AFAIK. The public FAQ has this to say about membership
Kantara Initiative has been co-formed by the DataPortability Project, the Concordia Project, Liberty Alliance, the Internet Society (ISOC), the Information Card Foundation (ICF), and All of these organizations are now members of Kantara Initiative. The name of the organization was announced during the April 20 Identity Workshop at RSA Conference 2009, at which time the co-founders introduced key goals, benefits to the industry, and issued a formal call for participation. Many other individuals and organizations have also become members of Kantara Initiative. Kantara Initiative will release a full list of members once industry stakeholders have the opportunity to respond to the April 20 call for participation.

By default, those companies that are currently members of Liberty will become members of KI (and I acknowledge that, at least initially, some may do so if only because their fees are covered. I expect we will winnow these types out through the rigorous hazing process).

With respect to VRM representation in KI, I recommend reading the most recent (public) call minutes of the VPI (Volunteered Personal Information) SIG.

With respect to OpenID Japan interest in KI, please check out Nat Sakimura's (public) message to the OpenID list.

With respect to whether KI offers mutual benefit, clearly some communities agree with Dave and don't see it that way. Maybe that will change in the future. If not, meh...

Is this right?

The alert for the recent OAuth vulnerability has the following text

After the victim grants approval, the attacker can use the saved Request Token to complete the authorization flow, and access whatever Protected Resources are exposed by the (honest) Consumer site as part of its service.

As I understand the attack, when complete, the attacker will be able to sign in as normal to his (honest) Consumer account and, in so doing, be able to (indirectly) access the Protected Resources that the (honest) Service Provider exposes (through OAuth). In other words, it's not the User's Consumer site resources that are compromised (as the above text suggests), but rather their SP resources.

Separately, I think the recommended warning text would have users running for the hills if they understood it. Why not piggy-back on whatever accumulated wisdom users have for detecting a phish?

Wednesday, April 22, 2009

Would that assurance was this easy


Can't quite see an RP saying 'Well I'd like Level 4 but I can get by with 3'.

Liberty 2.0

Only a matter of time before somebody goes to the '2.0' meme in describing the Kantara Initiative. The 'Yet Another' meme is already being worked to death. Think of the title as a pre-emptive strike.

Of course, the fact that KI has already attracted the likes of ICF, DataPortability, XDI, and ISOC, with strong (publicly declared) interest from OpenID Japan and VRM's VPI will be brushed aside - can't let facts interfere with a good rant (or was it a rave or musing, it's so hard to tell).

I don't know if KI will succeed. I do know that its formation is just the last in a series of attempts by one identity community to establish mutually beneficial relationships with others. From where I sit I can think of precious few examples where the reverse happened.

This changes everything?

In the ICF session of Monday's RSA workshop, Drummond described the new 'action card' concept (as enabled by Kynetx and demonstrated by the AAA and ChoixVert) with the phrase 'this changes everything'.

While the idea of client-side personalization of search results is undeniably cool, I would question its 'changing everythingness' - not because it's not a powerful idea but simply because everything changed a while ago with GreaseMonkey.

With GreaseMonkey already installed in Firefox, I installed a script (found by searching on 'environment' at UserScripts) that augments Google Finance pages with the environmental scores of the companies searched for - the 'hue' pulled from

For instance, below is the results page for Nike

Google didn't serve up the text in green, it was appended by GreaseMonkey, as specified by the script. Beyond the above simple script, there is even a whole project dedicated to the idea - the Web Browser Environmental Sustainability Toolkit.

WebBEST was built to address the world's sustainability issues. We feel that people are ill informed of their impact on the environment, perhaps because of the lack of environmental information in popular online services. With the system in place, people no longer need to go out of their way to find environmental information. Instead, people need only install our scripts and that information is brought to them directly through the online service they frequent, relative to the content they are viewing.

The ChoixVert whitepaper argues that Kynetx's system is unique

There are many scripting languages and web augmentation technologies out there. All of these are interesting but don’t hold a candle to KNS. Here is why.

1. KNS is selector driven.
2. KNS is accessible. The Kynetx Rules Language is based on a human readable programming paradigm.
3. KNS glues any accessible data to any service or application—anywhere on the Internet—and it does so securely and with the user’s consent. This has never been done before.

I expect being 'selector driven' offers both advantages and disadvantages. As a possible example of the latter, can I, the user, customize the ChoixVert card, managed card that it is? I can see the card in the Azigo selector but don't seem to have any means to edit it. A definite example of the latter is that there is but one 'GreaseMonkey Script Chooser', so the user doesn't have to deal with 'Script Chooser Chooser' windows.

The fact that the rules are human readable will reassure my mother I'm sure - she does worry so about being able to read code....

Separately, I find 'action card' as a descriptor somewhat strange; from the user's PoV, a typical 'sign in' card involves far more 'action' than this quiet personalization operation.

Getting warmer

Monday, April 20, 2009

See me about a t-shirt


Unfortunately, I am told the coffee mugs and mouse pads are already sold-out.

Thursday, April 16, 2009

Choice choices

I'm reading about the early days of submarine telegraph cables - this in the context of the eruption of Krakatoa in 1873, as authored by Simon Winchester in Krakatoa - The Day the World Exploded.

Apparently, when sending a telegraph from Java to Europe, senders had a choice

It could either go, slowly and insecurely, via the long chain of landlines that had been established midcentury, ... or it could go "Via Eastern". A customer could in those days specify on the telegram forms which cable should be used, and pay the costs that particular cable company charged. Specify Via Eastern, and it made most of its long journey by sea. Leave the cable-routing box blank, and the message went the long and slow way, and for most of its length, by land.

Clearly there are a number of ways I could go with this.

Monday, April 13, 2009


My nephew posing with his fake ID.


He had another but I can't see it working too well.

Clearly fake. No way would a real license allow sunglasses to be worn.

Friday, April 10, 2009

Calling all gays

This Boing Boing article 'outing' a video created by this organization prompted me to grab this Twitter account in a preemptive land grab.

Let's keep hate off the Web - keep it in the home where it belongs!

Thursday, April 09, 2009


My Archos 5 and I have decided to give it another try. She's back from repair and, so far, our relationship is back to how it started.

Some 'wiseacre' friend of mine decided to formalize the reunion through Facebook.

I'd pay real $ for an OpenID from here (as reported by Scott).

I'd sign up early to ensure I got 'andeggs' as a username. Or 'lettuceandtomato'.

Wednesday, April 08, 2009

Clever (not so much)

This service will let you create a unique OpenID

For instance


unfortunately, when I present the above at an RP, it gets (somehow?) resolved into

I may need to write this one down.

That hairy character writes

Well, to be specific, Vittorio writes, in discussing OpenID's (and other redirect protocols) challenge for OP/IDP discovery,

The nice part about the home realm discovery is that it has a simple & elegant solution, which happens to work well on the internet too: information cards.

A nit - the solution to the problem is smarter clients and/or user-agents - information cards are but one instantiation.

All things are possible when the User's client is smart enough to store identity (either attributes or location) and to engage in transactions on their behalf.

With respect to Chris's original point about the 'nascarization' of OpenID UI, I suggest a more global example (and one more likely to resonate with those not living in trailer parks) of the phenomenon of 'branding gone bad' than Nascar is the jerseys of European hockey players.

Tuesday, April 07, 2009



Readable is a cool script that allows you to view page content in a format more conducive to reading. You specify how you want text formatted, drag a button to your bookmarks bar, and then use it on any page you want formatted.

The user is not constrained by whatever formatting decisions the page designer made.

Why not a similar (user-customizable) script that rendered existing identity UI components in the page how the user wanted them?

For myself, I've always thought log-in buttons should be blinking. And purple.

Monday, April 06, 2009

Maybe I'm overthinking

In a tweet, Brett praises the OAuth-based UX between WeFollow and Twitter.

Personally, I find it confusing in a couple of places.

First, on the WeFollow (OAuth Consumer) side, I'm getting mixed messages.

'Authorize WeFollow' tells me that I'm in the driver seat and have control over WeFollow. But 'need to verify your identity on Twitter' gives the impression that it's WeFollow doing me the favour, and not the other way around.

Once I get sent over to Twitter (the OAuth SP), I stay confused


If I'm presenting my password (or other credential), I expect to see a 'LogIn' button, not an 'Allow'.

This UI confused Sxipper as well. When I allowed Sxipper to fill in and submit the form, the result wasn't what I expected.

Damn, damn, damn!

Friday, April 03, 2009


Division of Roles

The ProtectServe proposal (I'd attribute it to Eve but I think she has been lionized enough recently) separates out the PDP (Policy Decision Provider) role from the PEP (Policy Enforcement Provider) role - this compared to default OAuth which collapses the two.

This made me think of a possibly useful way to look at different identity systems for permissions-based attribute sharing.

I posit that any given request for some user's identity attributes can have associated with it the following actors/roles

1) on behalf of which actor the request is being sent
2) which actor's identity attribute is being sought
3) which actor is sending the query
4) which actor holds the identity attribute (PEP)
5) which actor makes the authz decision (PDP)

ProtectServe distinguishes itself from default OAuth by introducing the Relationship/Authorization (which is it going to be) Manager. The SP holds the identity attributes, but the AM holds the corresponding authorization policy for the release of those attributes to specific Consumers. The AM provides a single policy management point for the User, hopefully simplifying for the User that burden.

Neither OAuth nor ProtectServe explicitly supports 'social identity requests', i.e. a Consumer sends to an SP a request for Alice's attributes on behalf of Bob. Liberty's SOAP Binding does allow this scenario, by allowing both Alice's and Bob's identities to be carried on a request. Bob would be the 'invoking identity' (i.e. that on whose behalf the request is sent) and Alice would be the 'target identity' (i.e. that which 'owns' the attribute).

In this scenario, the WSC sends a request on behalf of Bob to a WSP that carries some identity attribute of Alice's. The WSP looks at the policy that Alice has defined for her friend's abilities to access those attributes, and decides whether the request should be authorized.

Through the People Service, ID-WSF also allows the User to effectively separate out the above PDP role (probably more a PIP) from the WSP.

Instead of Alice defining her 'social authorization rules' at the WSP that holds her attributes, she can specify them in terms of a social structure maintained at her People Service, e.g. 'Allow any member of the group 'Family' to access my private calendar'. By so doing, Alice can leverage that same social structure for defining authorization at other WSPs, e.g. 'Allow any member of the group 'Family' to view my current location', etc.

Ultimately, I think Users need to be able to define authorization rules for their identity attributes in terms of both

1) the requesting actor (Consumer in OAuth/ProtectServe, WSC in ID-WSF)
2) an individual with some defined social relationship to themselves

ProtectServe's AM is designed to simplify for Users the definition and management of the first type of authz rules, Liberty's People Service the second.
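To make the five roles and the two rule types concrete, here is an added example (not ID-WSF, ProtectServe or OAuth code) in which a hypothetical Authorization Manager (PDP) is kept separate from two attribute-holding providers (PEPs), and Alice's People-Service style 'Family' group is reused for authorization at both; the people, policies and attribute values are constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AttributeRequest:
    requester: str          # 3) actor sending the query (WSC / Consumer)
    invoking_identity: str  # 1) on whose behalf it is sent (e.g. Bob)
    target_identity: str    # 2) whose attribute is sought (e.g. Alice)
    attribute: str

def is_member(people_service, owner, group, who):
    # people_service: owner -> group name -> members (stand-in for ID-WSF's People Service)
    return who in people_service.get(owner, {}).get(group, set())

@dataclass
class ReleasePolicy:
    allowed_requesters: set = field(default_factory=set)  # rule type 1: by requesting actor
    allowed_groups: set = field(default_factory=set)      # rule type 2: by social relationship

class AuthorizationManager:
    # 5) PDP: decides on release but never holds the attribute itself
    def __init__(self, people_service):
        self.people, self.policies = people_service, {}  # policies: (owner, attribute) -> ReleasePolicy
    def decide(self, req):
        policy = self.policies.get((req.target_identity, req.attribute))
        if policy is None:
            return False  # default deny: no policy means no release
        if req.requester in policy.allowed_requesters:
            return True
        return any(is_member(self.people, req.target_identity, g, req.invoking_identity)
                   for g in policy.allowed_groups)

class AttributeProvider:
    # 4) PEP: holds attributes and enforces whatever the AM decides
    def __init__(self, am):
        self.am, self.store = am, {}
    def handle(self, req):
        if not self.am.decide(req):
            return None
        return self.store.get(req.target_identity, {}).get(req.attribute)

def build():
    people = {"alice": {"Family": {"bob"}}}  # Bob is in Alice's Family group; Carol is not
    am = AuthorizationManager(people)
    am.policies[("alice", "calendar")] = ReleasePolicy(allowed_groups={"Family"})
    am.policies[("alice", "location")] = ReleasePolicy({"map-app"}, {"Family"})
    calendar, location = AttributeProvider(am), AttributeProvider(am)  # two WSPs, one AM
    calendar.store["alice"] = {"calendar": "dentist 10:00"}
    location.store["alice"] = {"location": "Ottawa"}
    return calendar, location

def demo():
    calendar, location = build()
    return {
        "bob_calendar": calendar.handle(AttributeRequest("cal-app", "bob", "alice", "calendar")),
        "carol_calendar": calendar.handle(AttributeRequest("cal-app", "carol", "alice", "calendar")),
        "bob_location": location.handle(AttributeRequest("cal-app", "bob", "alice", "location")),
        "mapapp_location": location.handle(AttributeRequest("map-app", "carol", "alice", "location")),
        "no_policy": location.handle(AttributeRequest("map-app", "bob", "alice", "email")),
    }
```

Bob's membership in one group defined once lets him read both the calendar and the location, while the map-app is admitted by requester alone; any attribute without a policy is withheld.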

Wednesday, April 01, 2009

The dog has been dead for 35 years

But Intuit Canada would have me change his name.

Don't worry Fred, I picked a different question.

Good boy.

Just because I can

This Twitter account is in no way affiliated with this other site with a somewhat similar name.

Things are looking up

I tested my new WiMax modem at the cottage yesterday.

Strong signal, plenty of speed. Bye-bye dial-up.

Must look into getting a long extension cord. And a waterproof laptop.

Social weave?

Axel suggests that Mozilla Weave should sync Infocards.

The Weave graphic that Axel adds Infocards to makes reference to 'friends & family' - implying some social aspect to Weave.

Hopefully that doesn't mean using Weave to share site credentials with your social network. Social sharing needs to be more granular than the 'all or nothing' that impersonation enables.

I've yet to hear the Infocards social story. One thing for sure, I do not want to be tracking & managing cards given to me by my friends & family - each card reflecting some set of 'sharing rights' assigned me by the owner. That way leads to madness.