Getting Started with Identity

Welcome to the Identity Woman Blog

I am an advocate for the rights and dignity of our digital selves.

Top Posts:

How to Join NSTIC, IDESG: A Step-by-step Guide

How to Participate in NSTIC: A Step-by-step Guide

Where I am in the World:

I live on the East Bay of the San Francisco Bay.

ID360  April 9-10, Austin

NSTIC Management Council Retreat  April 22-23 in DC

Internet Identity Workshop - May 6-8, Mountain View, California.

SHARE: Catalyzing the Sharing Economy – May 13-14 in San Francisco

NSTIC 9th Plenary June 17-19 in DC

Cloud Identity Summit – July 19-22 in Monterey, California

Web of Change (tentative) Hollyhock, Cortez Island, BC, Canada

World Economic Forum - YGL Summit + Annual Meeting of New Champions – Sept 7-12 in Taijin, China

Internet Identity Workshop number 19, October 4-6, Mountain View California

Latest Media:

NSTIC in Tech President: In Obama Administration’s People-Powered Digital Security Initiative, There’s Lots of Security, Fewer People 

Article on the BC eID Citizen Engagement Panel in Re:ID. PDF: reid_spring_14-BC

Fast Company Live Chat: On Taking Back Your Data

Fast Company: World Changing Ideas of 2014: You Will Take your Data Back

Posts on NSTIC:

  • Participatory Totalitarianism! - My TEDxBrussels Talk about how if we don’t get this NSTIC stuff right we will end up in a really creepy world.  It references my struggles with Google+ to use the name I chose for my online self.

Posts about Identity:

  •  NymWars – My Personal Saga with Google in the [psuedo] NymWars to use the name I choose on their service – annotation of all my posts.
  • My speech at the Digital Privacy Forum in January 2011 articulating a vision that goes beyond “Do-Not-Track” vs. Business as Usual, creating a new ecosystem where people collect their own data.

Organizations and Events I share leadership in:

  • I am co-leading a new project – more details coming soon.
  • I am on the Management Council of the IDESG – the Identity Ecosystem Steering Group of NSTIC – the National Strategy for Trusted Identities in Cyberspace.
  • I co-founded, co-produce and co-facilitate the Internet Identity Workshop #18 May 6-8  in Mountain View, CA. This conference has focused on User-Centric Identity since 2005.
  • I am a steward of Identity Commons which keeps all the organizations and groups working on user-centric identity linked together.
  • I am the volunteer network director at Planetwork.net the civil society organization I have been affiliated with since 2003.
  • I founded She’s Geeky a women’s only unconfernece for those in Technology and STEAM fields (Science, Technology, Engineering, Art and Math)
  • I co-founded Digital Death Day and work with that community to continue to host events on the issue. You can see a video of me talking at Privacy Identity and Innovation about this. The next conference is in London on October 6th.
  • I own a business Unconference.net that designs and facilitations participant driven events for a range of clients (IIW, She’s Geeky and Digital Death Day are all Unconferences).

BC Identity Citizen Consultation Results!!!!

As many of you know I (along with many other industry leaders from different industry/civil society segments) was proactively invited to be part of the NSTIC process including submitting a response to the notice of inquiry about how the IDESG and Identity Ecosystem should be governed.

I advocated and continue to advocate that citizen involvement and broad engagement from a broad variety of citizen groups and perspectives would be essential for it to work. The process itself needed to have its own legitimacy even if “experts” would have come to “the same decisions” if citizens were and are not involved the broad rainbow that is America might not accept the results.

I have co-lead the Internet Identity Workshop since 2005 every 6 months in Mountain View, California at the Computer History Museum. It is an international event and folks from Canada working on similar challenges have been attending for several years this includes Aran Hamilton from the National oriented Digital ID and Authentication Council (DIAC) and several of the leaders of the British Columbia Citizen Services Card effort.

I worked with Aron Hamilton helping him put on the first Identity North Conference to bring key leaders together from a range of industries to build shared understanding about what identity is and how systems around the world are working along with exploring what to do in Canada.

CoverThe British Columbia Government (a province of Canada where I grew up) worked on a citizen services card for many years. They developed an amazing system that is triple blind. An article about the system was recently run in RE:ID. The system launched with 2 services – drivers license and health services card. The designers of the system knew it could be used for more then just these two services but they also knew that citizen input into those policy decisions was essential to build citizen confidence or trust in the system.  The other article in the RE:ID magazine was by me about the citizen engagement process they developed.

They developed to extensive system diagrams to help provide explanations to regular citizens about how it works. (My hope is that the IDESG and the NSTIC effort broadly can make diagrams this clear.)

 

The government created a citizen engagement plan with three parts:

The first was convening experts. They did this in relationship with Aron Hamilton and Mike Monteith from Identity North – I as the co-designer and primary facilitator of the first Identity North was brought into work on this. They had an extensive note taking team and the reported on all the sessions in a book of proceedings. They spell my name 3 different ways in the report.

The most important was a citizen panel that was randomly selected citizens to really deeply engage with citizens to determine key policy decisions moving forward. It also worked on helping the government understand how to explain key aspects of how the system actually works. Look in the RE:ID I wrote an article for RE:ID about the process you can see that here.
The results were not released when I wrote that. Now they are! yeah! The report is worth reading because it shows the regular citizens who are given the task of considering critical issues can come out with answers that make sense and help government work better.

 

 

They also did an online survey open for a month to any citizen of the province to give their opinion. That you can see here.

Together all of these results were woven together into a collective report.

 

Bonus material: This is a presentation that I just found covering many of the different Canadian province initiatives.

 

PS: I’m away in BC this coming week – sans computer.  I am at Hollyhock…the conference center where I am the poster child (yes literally). If you want to be in touch this week please connect with William Dyson my partner at The Leola Group.

I’ve co-founded a company! The Leola Group

Thursday evening following Internet Identity Workshop #18 in May I co-Founded and became Co-CEO of the Leola Group with my partner William Dyson.

So how did this all happen? Through a series of interesting coincidences in the 10 days (yes just 10 days) William got XDI to work for building working consumer facing applications. He showed the music meta-data application on Thursday evening and wowed many with the working name Nymble registry.  The XDI [eXtneible Resource Identifier Data Interchange] standard has been under development at OASIS for over 10 years. Getting it to actually work and having the opportunity to begin to build applications that really put people at the center of their own data lives is a big step forward both for the Leola Group and the  Personal Data community at large.

William and I met in September of 2013 via an e-mail introduction from Drummond Reed.  We started working together the day I met him on the efemurl project.  We were dating a few days later and a few weeks later we were engaged. We announced this during the closing circle at IIW #17.

The efemurl project was taking a extensively featured web platform William had built over several years and working to turn it further develop it and turn it into a consumer-co-operative.  The short hand way to describe, you know in that way they describe movie plots, it’s like Google and REI have a baby.  The core ideas developed for the efemurl platform will be brought over into the applications the Leola Group is developing.  Core aspects of what the Leola Group is are to valuable to be owned by one company and we will be working with Planetwork to turn the operation of those into a consumer co-operative.

So big questions for people in the community include:

Are you still involved with IIW? 
Yes of course!  IIW will continue and my roll with it will too. Phil Windley founded his company Kynetx and continues to be a co-leader of IIW with me and Doc.  We have a great production team lead by Heidi Nobantu Saul.

What is going to happen to PDEC?

We have worked to create a 6 month transition plan for the organization/community to new leadership.   We have brought on Dean Landsman (well known for his leadership in the VRM community) serve as Communications Director and among other things host regular community calls and host a podcast.  As part of taking on the Co-CEO role in the new company I have woven into the job taking the time needed to properly transition out of my role as Executive Director and work with the community over the next 6 months to get governance in line and then have that leadership group hire an new Executive Director. You can read more about it on the PDEC blog and see a video we made.

The organization just welcomed 11 new members. Dean will be presenting about his new role with PDEC at the Personal Data Meetup in NYC on Monday.

When are you getting Married?

William and I are getting married the weekend after IIW #20 which is April 7-9 (Yes, it’s way early!!!).  This will help friends coming for IIW from around the world being able to join in the celebration.

Resources for HopeX Talk.

I accepted an invitation from Aestetix to present with him at HopeX (10).

It was a follow-on talk to his Hope 9 presentation that was on #nymwars.

He is on the volunteer staff of the HopeX conference and was on the press team that helped handle all the press that came for the Ellsberg – Snowden conversation that happened mid-day Saturday.  It was amazing and it went over an hour – so our talk that was already at 11pm (yes) was scheduled to start at midnight.

Here are the slides for it – I modified them enough that they make sense if you just read them.  My hope is that we explain NSTIC, how it works and the opportunity to get involved to actively shape the protocols and policies maintained.

I am going to put the links about joining the IDESG up front. Cause that was our intention in giving the talk to encourage folks coming to HopeX to get involved to ensure that the technologies and policies for for citizens to use verified identity online when it is appropriate and also most importantly make SURE that the freedom to be anonymous and pseudonymous online.
This image is SOOO important I’m pulling it out and putting it here in the resources list.

WhereisNSTIC

Given that there is like 100 active people within the organization known as the Identity Ecosystem Steering Group as called for in the National Strategy for Trusted Identities in Cyberspace published by the White House and signed by president Obama in April 2011 that originated from the Cyberspace Policy Review that was done just after he came into office in 2009. Here is the website for the National Program Office.

The organization’s website is here:  ID Ecosystem - we have just become an independent organization.

My step by step instructions How to JOIN.

Information on the committees - the one that has the most potential to shape the future is the Trust Framework and Trust Mark Committee

Here is the video.

From the Top of the Talk

Links to us:
Aestetix -  @aestetix Nym Rights
Kaliya – @identitywoman  -  my blog identitywoman.net

Aestetix – background + intro #nymwars from Hope 9

     Aestetix’s links will be up here within 24h
We mentioned Terms and Conditions May Apply – follows Mark Zuckerberg at the end.

Kaliya  background + intro

I have had my identity woman blog for almost 10 years  as an Independent Advocate for the Rights and Dignity of our Digital Selves. Saving the world with User-Centric Identity

In the early 2000’s I was working on developing distributed Social Networks  for Transformation.
I got into technology via Planetwork and its conference in 2000 themed: Global Ecology and Information Technology.  They had a think tank following that event and then published in 2003 the Augmented Social Network: Building Identity and Trust into the Next Generation Internet.
The ASN and the idea that user-centric identity based on open standards were essential – all made sense to me – that the future of identity online – our freedom to connect and organize was determined by the protocols.  The future is socially constructed and we get to MAKE the protocols . . . and without open protocols for digital identity our ID’s will be owned by commercial entities – the situation we are in now.
Protocols are Political – this book articulates this – Protocols: How Control Exists after Decentralization by Alexander R. Galloway. I excerpted key concepts of Protocol on my blog in my NSTIC Governance Notice of Inquiry.
I c0-founded the Internet Identity Workshop in 2005 with Doc Searls and Phil Windley.  We are coming up on number 19 the last week of October in Mountain View and number 20 the third week of April 2015.
I founded the Personal Data Ecosystem Consortium in 2010 with the goal to connect start-ups around the world building tools for individual collect manage and get value from their personal data along with fostering ethical data markets.  The World Economic Forum has done work on this (I have contributed to this work) with their Rethinking Personal Data Project.
I am shifting out of running PDEC to Co-CEO with my partner William Dyson of a company in the field The Leola Group.

NSTIC

Aestetix and I met just after his talk at HOPE 9 around the #nymwars (we were both suspended.
So where did NSTIC come from? The Cyberspace Policy Review in 2009 just after Obama came into office.
Near-Term Action Plan:
#10 Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.
Mid-Term Action Plan:
#13 Implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.
NSTIC was published in 2011: Main Document – PDF  announcement on White House Blog.
Trust Frameworks  are at the heart of what they want to develop to figure out how navigate how things work.
What will happen with results of this effort?
The Cyber Security Framework  (paperObama Administration just outlined . NSTIC is not discussed in the framework itself – but both it and the IDESG figure prominently in the Roadmap that was released as a companion to the Framework.  The Roadmap highlights authentication as the first of nine different, high-priority “areas of improvement” that need to be addressed through future collaboration with particular sectors and standards-developing organizations.

The inadequacy of passwords for authentication was a key driver behind the 2011 issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls upon the private sector to collaborate on development of an Identity Ecosystem that raises the level of trust associated with the identities of individuals, organizations, networks, services, and devices online.

I wrote this article just afterwards: National! Identity! Cyberspace! Why we shouldn’t Freak out about NSTIC   (it looks blank – scroll down).
Aaron Titus writes a similar post explaining more about NSTIC relative to the concerns arising online about the fears this is a National ID.
Staff for National Program Office

The put out a Notice of Inquiry – to figure out How this Ecosystem should be governed.

Many people responded to the NOI – here are all of them.

I wrote a response to the NSTIC Notice of Inquiry about Governance.  This covers that covers much of the history of the user-centric community  my vision of how to grow consensus. Most important for my NSTIC candidacy are the chapters about citizen’s engagement in the systems co-authored with Tom Atlee the author of the Tao of Democracy and the just published Empowering Public Wisdom.

The NPO hosted a workshop on Governance,  another one Privacy – that they invited me to present on the Personal Data Ecosystem.  The technology conference got folded into IIW in the fall of 2011.

OReilly Radar – called it The Manhattan Project for online identity.

The National Program Office published a proposed:

Charter for the  IDESG Organization

ByLaws  and Rules of Association for the IDESG Organization

Also what committees should exist and how it would all work in this webinar presentation.  The Recommended Structure is on slide 6.  They also proposed a standing committee on privacy as part of the IDESG.

THEN (because they were so serious about private sector leadership) they published a proposed 2 year work plan.  BEFORE the first Plenary meeting in Chicago in August 2012

They put out a bid for a Secretariat to support the forthcoming organization and awarded it to a company called Trusted Federal Systems.
The plenary was and is open – to anyone and any organization from any where in the world. It is still open to anyone. You can join by following the steps on my blog post about it.
At the first meeting in August 2012 the management council was elected. The committees they decided should exist ahead of time had meetings.
The committees - You can join them – I have a whole post about the committees so you can adopt one.

Nym Issues!!!

So after the #nymwars it seemed really important to bring the issues around Nym Rights and Issues into NSTIC – IDESG.  They were confused – even though their bylaws say that committees. I supported Aestetix writing out a charter for a new committee – I read it for the plenary in November of 2012 – he attended the Feb 2013 Pleanary in Pheonix. I worked with several other Nym folks to attend the meeting too.
They suggested that NymRights was to confrontational a name so we agreed that Nym Issues would be a fine name. They also wanted to make sure that it would just become a sub-committee of the Privacy Committee.
It made sense to organize “outside” the organization so we created NymRights.
Basically the committee and its efforts have been stalled in limbo.
        Aestetix’s links will be up here within 24h

The Pilot Grants from the NPO

Links
Year 1 – announcement about the FFO , potential applicant Webinar – announcement about all the grantees and an FAQ.
  • Daon, Inc. (Va.): $1,821,520
    The Daon pilot will demonstrate how senior citizens and all consumers can benefit from a digitally connected, consumer friendly Identity Ecosystem that enables consistent, trusted interactions with multiple parties online that will reduce fraud and enhance privacy. The pilot will employ user-friendly identity solutions that leverage smart mobile devices (smartphones/tablets) to maximize consumer choice and usability. Pilot team members include AARP, PayPal, Purdue University, and the American Association of Airport Executives.
  • The American Association of Motor Vehicle Administrators (AAMVA) (Va.): $1,621,803
    AAMVA will lead a consortium of private industry and government partners to implement and pilot the Cross Sector Digital Identity Initiative (CSDII). The goal of this initiative is to produce a secure online identity ecosystem that will lead to safer transactions by enhancing privacy and reducing the risk of fraud in online commerce. In addition to AAMVA, the CSDII pilot participants include the Commonwealth of Virginia Department of Motor Vehicles, Biometric Signature ID, CA Technologies, Microsoft and AT&T.
  • Criterion Systems (Va.): $1,977,732
    The Criterion pilot will allow consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience. It will enable convenient, secure and privacy-enhancing online transactions for consumers, including access to Web services from leading identity service providers; seller login to online auction services; access to financial services at Broadridge; improved supply chain management at General Electric; and first-response management at various government agencies and health care service providers. The Criterion team includes ID/DataWeb, AOL Corp., LexisNexis®, Risk Solutions, Experian, Ping Identity Corp., CA Technologies, PacificEast, Wave Systems Corp., Internet2 Consortium/In-Common Federation, and Fixmo Inc.
  • Resilient Network Systems, Inc. (Calif.): $1,999,371
    The Resilient pilot seeks to demonstrate that sensitive health and education transactions on the Internet can earn patient and parent trust by using a Trust Network built around privacy-enhancing encryption technology to provide secure, multifactor, on-demand identity proofing and authentication across multiple sectors. Resilient will partner with the American Medical Association, Aetna, the American College of Cardiology, ActiveHealth Management, Medicity, LexisNexis, NaviNet, the San Diego Beacon eHealth Community, Gorge Health Connect, the Kantara Initiative, and the National eHealth Collaborative.In the education sector, Resilient will demonstrate secure Family Educational Rights and Privacy Act (FERPA) and Children’s Online Privacy Protection Act (COPPA)-compliant access to online learning for children. Resilient will partner with the National Laboratory for Education Transformation, LexisNexis, Neustar, Knowledge Factor, Authentify Inc., Riverside Unified School District, Santa Cruz County Office of Education, and the Kantara Initiative to provide secure, but privacy-enhancing verification of children, parents, teachers and staff, as well as verification of parent-child relationships.
  • UniversityCorporation for Advanced Internet Development (UCAID) (Mich.): $1,840,263
    UCAID, known publicly as Internet2, intends to build a consistent and robust privacy infrastructure through common attributes; user-effective privacy managers; anonymous credentials; and Internet2′s InCommon Identity Federation service; and to encourage the use of multifactor authentication and other technologies. Internet2′s partners include the Carnegie Mellon and Brown University computer science departments, University of Texas, the Massachusetts Institute of Technology, and the University of Utah. The intent is for the research and education community to create tools to help individuals preserve privacy and a scalable privacy infrastructure that can serve a broader community, and add value to the nation’s identity ecosystem.

Year 2 – announcement about the FFO, potential applicant webinar, annoucement about the grantees.

  • Transglobal Secure Collaboration Participation, Inc. (TSCP) (Va.): $1,264,074
    The TSCP pilot will deploy trusted credentials to conduct secure business-to-business, government-to-business and retail transactions for small and medium-sized businesses and financial services companies, including Fidelity Investments and Chicago Mercantile Exchange. As part of this pilot, employees of participating businesses will be able to use their existing credentials to securely log into retirement accounts at brokerages, rather than having to obtain a new credential. Key to enabling these cross-sector transactions will be TSCP’s development of an open source, technology-neutral Trust Framework Development Guidance document that can provide a foundation for future cross-sector interoperability of online credentials.
  • Georgia Tech Research Corporation (GTRC) (Ga.): $1,720,723
    The GTRC pilot will develop and demonstrate a “Trustmark Framework” that seeks to improve trust, interoperability and privacy within the Identity Ecosystem. Trustmarks are a badge, image or logo displayed on a website to indicate that the website business has been shown to be trustworthy by the issuing organization. Defining trustmarks for specific sets of policies will allow website owners, trust framework providers and individual Internet users to more easily understand the technical, business, security and privacy requirements and policies of the websites with which they interact or do business.Supporting consistent, machine-readable ways to express policy can enhance and simplify the user experience, raise the level of trust in online transactions and improve interoperability between service providers and trust frameworks. Building on experience developing the National Identity Exchange Federation(NIEF), GTRC plans to partner with the National Association of State Chief Information Officers (NASCIO) and one or more current NIEF member agencies, such as Los Angeles County and the Regional Information Sharing Systems (RISS).
  • Exponent (Calif.): $1,589,400
    The Exponent pilot will issue secure, easy-to-use and privacy-enhancing credentials to users to help secure applications and networks at a leading social media company, a health care organization and the U.S. Department of Defense. Exponent and partners Gemalto and HID Global will deploy two types of identity verification: the use of mobile devices that leverage so-called “derived credentials” stored in the device’s SIM card and secure wearable devices, such as rings and bracelets. Solutions will be built upon standards, ensuring an interoperable system that can be easily adopted by a wide variety of organizations and companies.
  • ID.me, Inc. (Va.): $1,204,957
    ID.me, Inc.’s Troop ID will develop and pilot trusted identity solutions that will allow military families to access sensitive information online from government agencies, financial institutions and health care organizations in a more privacy-enhancing, secure and efficient manner. Troop ID lets America’s service members, veterans, and their families verify their military affiliation online across a network of organizations that provides discounts and benefits in recognition of their service. Today, more than 200,000 veterans and service members use Troop ID to access benefits online. As part of its pilot, Troop ID will enhance its current identity solution to obtain certification at Level of Assurance 3 from the U.S. General Services Administration’s Trust Framework Providers program, enabling Troop ID credential holders to use their solution not only at private-sector sites, but also when interacting online with U.S. government agencies through the recently announced Federal Cloud Credential Exchange (FCCX). Key project partners include federal government agencies and a leading financial institution serving the nation’s military community and its families.
  • Privacy Vaults Online, Inc. (PRIVO) (Va.): $1,611,349
    Children represent a unique challenge when it comes to online identity. Parents need better tools to ensure safe family use of the Internet, while online service providers need to comply with the requirements of the Children’s Online Privacy Protection Act (COPPA) when they deal with minors under the age of 13. PRIVO will pilot a solution that provides families with COPPA-compliant, secure, privacy-enhancing credentials that will enable parents and guardians to authorize their children to interact with online services in a more privacy-enhancing and usable way. Project partners, including one of the country’s largest online content providers and one of the world’s largest toy companies, will benefit from a streamlined consent process while simplifying their legal obligations regarding the collection and storage of children’s data.

Year 3 – ? announcement about FFO - grantees still being determined.

Big Issues with IDESG

Diversity and Inclusion

I have been raising these issues from its inception (pre-inception in fact I wrote about them in my NOI).

I was unsure if I would run for the management council again -  I wrote a blog post about these concerns that apparently made the NPO very upset.  I was subsequently “univited” to the International ID Conf they were hosting at the White House Conference Center for other western liberal democracies trying to solve these problems.

Tech President Covered the issues and did REAL REPORTING about what is going on.  In Obama Administration’s People Powered Digital Security Initiative, There’s Lots of Security, Fewer People.

This in contrast to a wave of hysterical posts about National Online ID pilots being launched.

They IDESG have Issues with how the process happens. It is super TIME INTENSIVE.  It is not well designed so that people with limited time can get involved.  We have an opportunity to change tings becoming our own organization.

The 9th Plenary Schedule – can be seen here.  There was a panel on the first day with representatives who said that people like them and others from other different communities needed to be involved AS the policy is made.  Representatives from these groups were on the panel and it was facilitated by Jim Barnett from the AARP.

  • NAACP
  • Association of the Blind
  • ACLU

The Video is available online.

The “NEW” IDESG

The organization is shifting from being a government initiative to being one that is its own independent organization.

The main work where the TRUST FRAMEWORKS are being developed is in the Trust Framework and Trust Mark Committee.  You can see their presentation from the last committee here.

 

Key Words & Key Concept form the Identity Battlefield

Trust

What is Identity?  Its Socially Constructed and Contextual

Identity is Subjective

Aestetix’s links will be up here within 24h

What are Identifiers?: Pointers to things within particular contexts.

Abrahamic Cultural Frame for Identity / Identifiers

Relational  Cultural Frame for Identity / Identifiers

What does Industry mean when it says “Trusted Identities”?

What is Verified?

AirBnB
Verified ID in the context of the Identity Spectrum : My post about the spectrum.

Reputation

In Conclusion: HOPE!

We won the #nymwars!

Links to Google’s apology.

Skud’s the Apology we hopped for.

More of Aestetix’s links will be up here within 24h

The BC Government’s Triple Blind System

Article about & the system  they have created and the citizen engagement process to get citizen buy-in – with 36 randomly selected citizens to develop future policy recommendations for it.

Article about what they have rolled out in Government Technology.

Join the Identity Ecosystem Steering Group

Get engaged in the process to make sure we maintain the freedom to be anonymous and pseudonymous online.

Attend the next  (10th) Plenary in mid-September in Tampa at the Biometrics Conference

Join Nym Rights group.

http://www.nymrights.org

Come to the Internet Identity Workshop

Number 19 – Last week of October – Registration Open

Number 20 – Third week of April

 

 

 

 

 

 

Rosie the [New Language] Developer – Where are you?

This past week we [me, Phil, Heidi + Doc] put on the Internet Identity Workshop. It was amazing.

There is a new project / company forming and they are very keen to have women programmers/developers in the first wave of hires.  They are also committed to cultural diversity.

Since they are developing in a new language – you don’t need to have experience in “it” – you just need to have talent and the ability to learn new things.

I asked them for a list of potentially helpful per-requisites:

  • Some experience with ruby on rails
  • Some experience with JSON
  • Some experience with XML
  • Some experience with HTML5
  • Some experience with semantic data modeling
  • Some understanding of the ideas related to the semantic web and giant global graphs

If you are reading the list and thinking – I don’t have “all” of those qualifications…then read this before you decide not to reach out to learn more – The Confidence Gap from this month’s Atlantic.  TL:DR “Remember that women only apply if they have 100% of the jobs qualifications, but men apply with 60%!”

Please be in touch with me if you are interested. I will connect you with them this week.

Kaliya [at] identitywoman [dot] net

 

 

 

 

Field Guide to Internet Trust Models: Introduction

This is the first in a series of posts that cover the Field Guide to Internet Trust Models Paper.

The post for each of the models is here – full papers is downloadable [Field-Guide-Internet-TrustID]

The decreasing cost of computation and communication has made it easier than ever before to be a service provider, and has also made those services available to a broader range of consumers. New services are being created faster than anyone can manage or even track, and new devices are being connected at a blistering rate.

In order to manage the complexity, we need to be able to delegate the decisions to trustable systems. We need specialists to write the rules for their own areas and auditors to verify that the rules are being followed.

This paper describes some of the common patterns in internet trust and discuss some of the ways that they point to an interoperable future where people are in greater control of their data. Each model offers a distinct set of advantages and disadvantages, and choosing the appropriate one will help you manage risk while providing the most services.

For each, we use a few, broad questions to focus the discussion:

  • How easy is it for new participants to join? (Internet Scale)
  • What mechanisms does this system use to manage risk? (Security)
  • How much information the participants require from one another how strongly verified?

(Level of Assurance -not what I think assurance is…but we can talk – it often also refers to the strength of security like number of factors of authentication )

Using the “T” Word
Like “privacy”, “security”, or “love”, the words “trust” and “identity”, and “scale” carry so much meaning that any useful discussion has to begin with a note about how we’re using the words.
This lets each link the others to past behavior and, hopefully, predict future actions. The very notion of trust acknowledges that there is some risk in any transaction (if there’s no risk, I don’t need to trust you) and we define trust roughly as:
The willingness to allow someone else to make decisions on your behalf, based on the belief that your interests will not be harmed.
The requester trusts that the service provider will fulfill their request. The service provider trusts that the user won’t abuse their privileges, or will pay some agreed amount for the service. Given this limited definition, identity allows the actors to place one another into context.

Trust is contextual. Doctors routinely decide on behalf of their patients that the benefits of some medication outweigh the potential side effects, or even that some part of their body should be removed. These activities could be extremely risky for the patient, and require confidence in the decisions of both the individual doctor and the overall system of medicine and science. That trust doesn’t cross contexts to other risky activities. Permission to prescribe medication doesn’t also grant doctors the ability to fly a passenger airplane or operate a nuclear reactor.

Trust is directional. Each party’s trust decisions are independent, and are grounded in the identities that they provide to one another.

Trust is not symmetric. For example, a patient who allows a doctor to remove part of their body should not expect to be able to remove parts of the doctor’s body in return. To the contrary, a patient who attempts to act in this way would likely face legal sanction.

Internet Scale

Services and APIs change faster than anyone can manage or even track. Dealing with this pace of change requires a new set of strategies and tools.

The general use of the term “Internet Scale” means the ability to process a high volume of transactions. This is an important consideration, but we believe that there is another aspect to consider. The global, distributed nature of the internet means that scale must also include the ease with which the system can absorb new participants. Can a participant join by clicking “Accept”, or must they negotiate a custom agreement?

In order to make this new world of user controlled data possible, we must move from a model broad, monolithic agreements to smaller, specialized agreements that integrate with one another and can be updated independently.

A Tour of the Trust Models

The most straightforward identity model, the sole source, is best suited for environments where the data is very valuable or it is technically difficult for service providers to communicate with one another. In this situation, a service provider issues identity credentials to everyone it interacts with and does not recognize identities issued by anyone else. Enterprises employing employees, financial institutions, medical providers, and professional certifying organizations are commonly sole sources. Because this is the most straightforward model to implement, it is also the most common.

Two sole sources might decide that it’s worthwhile to allow their users to exchange information with one another. In order to do so, they negotiate a specific agreement that covers only the two of them. This is called a Pairwise Agreement and, while it allows the two parties to access confidential resources, the need for a custom agreement makes it difficult to scale the number of participants. This is also a kind of federated identity model, which simply means that a service accepts an identity that is managed someplace else.

As communication technology became more broadly available, the number of institutions who wanted to communicate with one another also increased. Groups of similar organizations still wanted to issue their own identities, but wanted their users to be able to interact freely with one another. The prospect of each service having to negotiate a custom agreement with every other service was daunting, so similarly chartered institutions came up with standard contracts that allow any two members to interact. These groups are called Federations, and there are several different kinds. Federation agreements and membership are managed by a Contract Hub.

When the federation agreement limits itself to policy, governance, and common roles, but leaves technical decisions to the individual members, it’s referred to as a Mesh Federations. Individual members communicate form a mesh, and can communicate directly with one another using whatever technology they prefer.

Alternatively, a Technical Federation defines communication methods and protocols, but leaves specific governance and policy agreements to the members. In some cases, the technical federation may also route messages between the members.

As the number of services has increased, so has the problem of managing all of those usernames and passwords. Users might decide to reuse an existing identity rather than creating a new one. In recent years, some organizations have made identities that they issue available to other services. Service providers accept these identities because it lowers the cost of user acquisition. When the same entity provides identities for both the requester and the service provider, it is referred to as a Three Party Model.

If the requester and the service provider have provider have separate but compatible identity providers, it is called a Four Party model. This is present in highly dynamic models, such as credit card processing,

Peer-to-peer networks are for independent entities who want to identity assurance, but who lack a central service that can issue identities to everyone. To get around this, the participants vouch for one another’s identities.

Individual contract wrappers are an innovation to enable complex connections between services where the terms and conditions of using the data are linked to the data.

Common Internet Trust Models

Sole source: A service provider only trusts identities that it has issued.

Pairwise Federation: Two organizations negotiate a specific agreement to trust identities issued by one another.

Peer-to-Peer: In the absence of any broader agreement, individuals authenticate and trust one another.

Three-Party Model: A common third party provides identities to both the requester and the service provider so that they can trust one another.

“Good Enough” Portable Identity: In the absence of any institutional agreement, service providers accept individual, user-asserted identities.

Federations: A single, standard contract defines a limited set of roles and technologies, allowing similar types of institution to trust identities issued by one another.

Four-Party Model: An interlocking, comprehensive set of contracts allows different types of entity to trust one another for particular types of transaction.

Centralized Token Issuance, Distributed Enrollment: A shared, central authority issues a high-trust communication token. Each service provider independently verifies and authorizes the identity, but trusts the token to authenticate messages.

Individual Contract Wrappers: Manage how personal data is used rather than trying to control collection. Information is paired contract terms that governs how it can be used. Compliance is held accountable using contract law.

Open Trust Framework Listing: An open marketplace for listing diverse trust frameworks and approved assessors.

Personal Cloud + Agents: An Individual has a personal Cloud and delegates agents it trust to work on their behalf.