Dear IDESG, I’m sorry. I didn’t call you Nazis.

The complaint by Mr. Ian Glazer was that I called my fellow IDESG colleagues Nazis. He was unsatisfied with my original statement about the tweet on our public management council mailing list. Somehow this led to the Ombudsman taking on the issue, and after I spoke with him in Tampa it was followed by a drawn-out 5 week “investigation” by the Ombudsman before he issued a recommendation. During this time I experienced intensive trolling about the matter on Twitter itself.

Here is the tweet that I authored while pondering theories of organizational dynamics in Tampa, without any intent to cause an association in the mind of a reader with IDESG, NSTIC, or any person or persons in particular. Note that I did not reference anyone with a @____ or add any signifying hashtags, e.g., #idesg or #nstic, in this tweeted comment.


I own that the tweet was provocative, but it was not my intent to cause harm to anybody or to the IDESG organization and wider identity community.

I in no way intended to imply that any member of the IDESG has any intention remotely similar to those of the NAZI party of Germany.

I in no way intended to imply that the content of the meeting of the IDESG related to the content of the meeting I referenced in the tweet.

I am very sorry if the tweet had an emotionally negative impact on people on the management council and particularly those with Jewish heritage.

I fully acknowledge that referencing anything relative to the Nazi era is triggering. It touches on our collective shame and surfaces vulnerability that is very hard to look at.

I also believe that we have to actually be prepared to do so. If we don’t examine the past we can’t be sure we will not repeat it. [Please click to see my next post for this to be further expounded upon]

I’m sorry I didn’t say something along these lines sooner.

One should not feed the internet trolls and I didn’t.

I was in a process where I felt it was inappropriate to speak about this more until the Ombudsman’s process had run its course.

I think that we all need to keep in mind our roles as Directors of the IDESG when we interact with the public and with each other.

The whole process left me and my attorney puzzled. My attorney wrote a letter to the Management Council/Board of Directors with a whole bunch of questions and now that this is posted we look forward to their answers to those questions.




Resources for HopeX Talk.

I accepted an invitation from Aestetix to present with him at HopeX (10).

It was a follow-on talk to his Hope 9 presentation that was on #nymwars.

He is on the volunteer staff of the HopeX conference and was on the press team that helped handle all the press that came for the Ellsberg – Snowden conversation that happened mid-day Saturday.  It was amazing and it went over an hour – so our talk that was already at 11pm (yes) was scheduled to start at midnight.

Here are the slides for it – I modified them enough that they make sense if you just read them.  My hope is that we explain NSTIC, how it works and the opportunity to get involved to actively shape the protocols and policies maintained.


Recent Travels Pt1: IIW

IIW is always a whirlwind and this one was no exception. The good thing was that even with it being the biggest one yet it was the most organized, with the most team members. Phil and I were the executive producers. Doc played his leadership role. Heidi did an amazing job with production, coordinating the catering and working with the museum; Kas did a fabulous job leading the notes collection effort; and Emma, who works off site, got things up on the wiki in good order.

We had a session that highlighted all the different standards bodies’ standards, and we are now working on getting the list annotated and plan to maintain it on the Identity Commons wiki that Jamie Clark so aptly called “the Switzerland” of identity.











We have a Satellite event for sure in DC January 17th – Registration is Live.

We are working on pulling one together in Toronto, Canada in early February, and Australia in late March.

ID Collaboration Day is February 27th in SF (we are still Venue hunting).

I am learning that some wonder why I have such strong opinions about standards…the reason being they define the landscape of possibility for any given protocol. When we talk about standards for identity we end up defining how people can express themselves in digital networks and getting it right and making the range of possibility very broad is kinda important.  If you are interested in reading more about this I recommend Protocol:  and The Exploit. This quote from Bruce Sterling relative to emerging AR [Augmented Reality] Standards.

If Code is Law then Standards are like the Senate.













National! Identity! Cyberspace!: Why we shouldn’t freak out about NSTIC.

This is cross posted on my Fast Company Expert Blog with the same title.

I was very skeptical when I first learned government officials were poking around the identity community to learn from us and work with us. Over the last two and a half years, I have witnessed dozens of dedicated government officials work with the various communities focused on digital identity to really make sure they get it right. Based on what I heard in the announcements Friday at Stanford by Secretary of Commerce Locke and White House Cybersecurity Coordinator Howard Schmidt to put the Program Office in support of NSTIC (National Strategy for Trusted Identities in Cyberspace) within the Department of Commerce, I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle, with headlines that focus on a few choice phrases to raise hackles about this initiative, like this from CBS News: Obama Eyeing Internet ID for Americans.

I was listening to the announcement with a knowledgeable ear, having spent the last seven years of my life focused on user-centric digital identity. Our main conference, Internet Identity Workshop, held every 6 months since the fall of 2005, has for a logo the identity dog: an allusion to the famous New Yorker cartoon On the internet, nobody knows you are a dog. To me, this symbolizes the two big threads of our work: 1) maintaining the freedom to be who you want to be on the internet AND 2) having the freedom and ability to share verified information about yourself when you do want to. I believe the intentions of NSTIC align with both of these, and with other core threads of our communities’ efforts: to support identifiers portable from one site to another, to reduce the number of passwords people need, to prevent one centralized identity provider from being the default identity provider for the whole internet, to support verified anonymity (sharing claims about yourself that are verified and true but not giving away “who you are”), to support broader diffusion of strong authentication technologies (USB tokens, one-time passwords on cellphones, or smart cards), and mutual authentication, allowing users to see more closely that the site they are intending to do business with is actually that site.

Looking at use cases that government agencies need to solve is the best way to understand why the government is working with the private sector to catalyze an “Identity Ecosystem”.


Thoughts on the National Strategy for Trusted Identities in Cyberspace

Update: This blog post was written while reading the first draft released in the Summer of 2010. A lot changed from then to the publishing of the document in April 2011.

Here is my answer to the NSTIC Governance Notice of Inquiry.

And an article I wrote on Fast Company: National! Identity! Cyberspace! Why you shouldn’t freak out about NSTIC.

Interestingly in paragraph two on the White House blog it says that NSTIC stands for “National Strategy for Trusted Initiatives in Cyberspace” rather than “National Strategy for Trusted Identities in Cyberspace”.

This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.


Open Identity for Open Government Explained

Today the United States Government with digital identity industry leaders announced the development of a pilot project with NIH and related agencies using two of the open identity technology standards OpenID and Information Cards.

This is, as a friend said to me, a “jump the shark moment” – these technologies are moving out from their technologists’ technology cave into mainstream adoption by government agencies. We are seeing the convergence of several trends transform the way citizens participate in and communicate with government:

  • Top-down support for open government
  • The proliferation of social media
  • The availability of open identity technologies

The Obama administration open government memorandum called for transparency, participation, and collaboration, and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and videocasts.

Today there are over 500 government websites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government websites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.

The challenge is that supporting this kind of citizen interaction with government via the web means that identity needs to be solved. On the one hand you can’t just ask citizens to get a new user-name and password for all the websites across dozens of agencies that they log in to. On the other you also can’t have one universal ID that the government issues to you and works across all government sites. Citizens need a way to interact with their government pseudonymously & in the future in verified ways.

So how will these technologies work?

Those already familiar with OpenID know that typically when users log in with it they give their own URL (see this slideshare of mine if you want to see OpenID 101). There is a little-known part of the OpenID protocol called directed identity: a user gives the name of their identity provider (Yahoo!, Google, MSN, etc.) but not their specific identifier. They are redirected to their IdP, and in choosing to create a directed identity they get an identifier that is unique to the site they are logging into. It will be used by them again and again for that site but is not correlatable across different websites / government agencies. The good news is that it is like having a different user name on each of these sites, but since the user is using the same IdP with different identifiers (unlinked publicly) connected to the same account, they just have to remember one password.
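A sketch of the directed identity behaviour described above, added here as an illustration and not taken from any provider's code. The OpenID 2.0 specification leaves identifier generation to the provider, so the HMAC derivation, the per-origin realm normalization, the `/id/` URL layout and all host names below are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# OpenID 2.0 value a relying party sends when the user named only a provider.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_realm(realm: str) -> str:
    """Reduce a realm to scheme://host[:port]/ so that cosmetic differences
    (case, explicit default port, trailing slash) do not give the same site
    two different pseudonyms. Scoping to the origin is an assumption."""
    parts = urlsplit(realm.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unusable realm: {realm!r}")
    host = parts.hostname.lower()
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    return f"{scheme}://{netloc}/"


class DirectedIdentityOP:
    """Hypothetical OpenID provider that issues one identifier per site."""

    def __init__(self, base_url: str, secret: bytes):
        self._base = base_url.rstrip("/")
        self._secret = secret  # provider-side key, never shared with sites

    def identifier_for(self, account: str, realm: str) -> str:
        # Keyed hash of (site, account): stable for the same pair, and without
        # the key two sites cannot tell that their identifiers share an owner.
        msg = normalize_realm(realm).encode() + b"\x00" + account.encode()
        tag = hmac.new(self._secret, msg, hashlib.sha256).digest()
        token = base64.urlsafe_b64encode(tag[:20]).rstrip(b"=").decode()
        return f"{self._base}/id/{token}"

    def respond(self, request: dict, logged_in_account: str) -> dict:
        """Answer a directed identity request for the signed-in account."""
        if request.get("openid.claimed_id") != IDENTIFIER_SELECT:
            raise ValueError("this sketch only handles directed identity requests")
        ident = self.identifier_for(logged_in_account, request["openid.realm"])
        return {
            "openid.mode": "id_res",
            "openid.claimed_id": ident,
            "openid.identity": ident,
        }


def demo() -> dict:
    """One account signing in at two constructed agency sites."""
    op = DirectedIdentityOP("https://idp.example", b"constructed-demo-secret")

    def request(realm: str) -> dict:
        return {"openid.claimed_id": IDENTIFIER_SELECT, "openid.realm": realm}

    return {
        "library_first": op.respond(request("https://library.agency-a.example/"), "alice"),
        "library_again": op.respond(request("HTTPS://Library.Agency-A.example:443"), "alice"),
        "wiki": op.respond(request("https://wiki.agency-b.example/"), "alice"),
    }


if __name__ == "__main__":
    for site, response in demo().items():
        print(site, response["openid.claimed_id"])
```

In this design every identifier depends on the provider's secret, so rotating that key without a migration step would orphan each user's account at every site.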

Information Cards are the new kids on the identity block in a way – this is their first major “coming out party” – I am enthusiastic about their potential. It requires a client-side tool called a selector that stores the user’s “digital cards”. Cards can be created by the end user OR third parties like an employer, financial institution, or school can also issue them.

In essence, this initiative will help transform government websites from basic “brochureware” into interactive resources, saving individuals time and increasing their direct involvement in governmental decision making. OpenID and Information Card technologies make such interactive access simple and safe. For example, in the coming months the NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections.

Dr. Jack Jones, NIH CIO and Acting Director, CIT, notes, “As a world leader in science and research, NIH is pleased to participate in this next step for promoting collaboration among Assurance Level 1 applications. Initially, the NIH Single Sign-on service will accept credentials as part of an “Open For Testing” phase, with full production expected within the next several weeks. At that time, OpenID credentials will join those currently in use from InCommon, the higher education identity management federation, as external credentials trusted by NIH.” In digital identity systems, certification programs that enable a site — such as a government agency — to trust the identity, security, and privacy assurances from an identity provider are called trust frameworks. The OIDF and ICF have worked closely with the federal government to meet the security, privacy, and reliability requirements set forth by the ICAM Trust Framework Adoption Process (TFAP), published on the website. By adopting OpenID and Information Card technologies, government agencies can cost effectively serve their constituencies in a more personalized and user friendly way.

“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon — it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”

Under the OIDF and ICF’s open trust frameworks, any organization that meets the technical and operational requirements of the framework will be able to apply for certification as an identity provider (IdP). These IdPs can then supply authentication credentials on behalf of their users. For some activities these credentials will enable the user to be completely anonymous; for others they may require personal information such as name, email address, age, gender, and so on. Open trust frameworks enable citizens to choose the identity technology, identity provider, and credential with which they are most comfortable, while enabling government websites to accept and trust these credentials. This approach leads to better innovation and lower costs for both government and citizens.

The government is looking to leverage industry based credentials that citizens already have to provide a scalable model for identity assurance across a broad range of citizen and business needs – doing this requires a trust framework to assess the trustworthiness of the electronic credentials; see Trust Framework Provider Adoption Process (TFPAP).   A Trust Framework Provider is an organization that defines or adopts an online identity trust model involving one or more identity schemes, has it approved by a government or community such as ICAM, and certifies identity providers as compliant with that model. The OIDF and ICF will jointly serve as a TFP operating an Open Trust Framework as defined in their joint white paper, Open Trust Frameworks for Open Government.

Both the OpenID and Information Card Foundation have been working very hard on this for many months – last night I was fortunate to their boards at a historic first-ever joint dinner.

There are two women in particular though who have driven this forward: Judith Spencer of the Federal Identity, Credential, and Access Management Committee on the government side and Mary Ruddy of Meristic Inc on the industry side. Both of them will be speaking about the project at the Gov 2.0 Summit on Thursday.

Personally this announcement shows how far things have come since I facilitated the first Internet Identity Workshop in 2005 with 75 idealistic identity technologists talking about big ideas for user-centric identity. I am really looking forward to discussing these developments at the forthcoming 9th Internet Identity Workshop in November.

Identity for Online Community Managers

I was asked by Bill Johnson of Forum One Networks to kick off the discussion on the next Online Community Research Network call this week with the topic Identity for Online Community Managers – drawing on the presentation that I put together for the Community 2.0 Summit. I cover the basics of how OpenID, OAuth and Information Cards work, who is “in” in terms of supporting the projects, and what community managers/platforms can do. We will discuss the implications of these new identity and data sharing protocols on the call.

Online Identity for Community Managers: OpenID, OAuth, Information Cards

I will also be attending the Online Community Summit in October in Sonoma and will be sharing about these and other technologies there.

Web Finger! moving out into world

I love the Internet Identity Workshop! It is where innovative ideas are hatched, answers to hard problems are vetted and standards consensus emerges. This is just the latest in amazing collaborations that have emerged.

Web Finger was covered on Tech Crunch today with this headline – Google Points At WebFinger. Your Gmail Address Could Soon Be Your ID.

At IIW in May they had a session led by John Panzer. The notes were not filled out that much (All the Notes from IIW), but there is a whiteboard of their conversation and a link to what Google had up.

Chris Messina spliced it together

XRD the discovery protocol is part of how Web Finger works. This spun out of XRI.

TechCrunch didn’t explicitly pick up on the fact that Eran Hammer-Lahav has been a key collaborator and is at Yahoo! (they did link to the mailing list where he is posting). He has been really driving XRD forward lately.

All exciting stuff.

DiSo ideas are not that new.

Reading these:

A Perfect Storm Forming for Distributed Social Networking– Read Write Web

Evolution of Blogging – GigaOm

The Push Button Web – Anil Dash

The inside Out Social Network – Chris Messina

The Future Social Web – Jeremiah Owyang

I realize how incredibly ahead of the times I was along with many of the people I have been working with on open standards identity and social web standards.

I wrote this describing open standards for distributed social networking online in April of 2004 for the Planetwork Conference (from  that I was promoting.

———————— From April 2004 ——————

ID Commons: Social Networking For Social Good: Creating Community Trust Infrastructure Through An Identity Commons

In 2003 the Planetwork LinkTank white paper The Augmented Social Network: Building Identity and Trust into the Next-Generation Internet proposed weaving new layers of identity and trust into the fabric of the Internet to facilitate social networking for social good – online citizenship for the information age.

The LinkTank white paper outlined three main objectives:

  1. Establishing a new kind of persistent online identity that supports the public commons and the values of civil society.
  2. Enhancing the ability of citizens to form relationships and self-organize around shared interests in communities of practice and engage in democratic governance.
  3. Creating an Internet-wide system for more efficient and effective knowledge sharing between people across institutional, geographic, and social boundaries.

Currently each site with a login or membership profile is like an island, or at worst a walled castle, as no common inter-operation is possible among large numbers of them. Creating a truly interoperable network will require an explicit social agreement that governs the operation of the trusted network, and implementation of a new software protocol consistent with that agreement.

Identity Commons

[note this is a reference to the “first” Identity Commons – the current Identity Commons shares the values and some of the organizing principles of this first organization but evolved from it]

The Identity Commons is an open distributive membership organization, designed to develop and operate a common digital identity infrastructure standard based on the shared principle of protecting each user’s control of their own identity data. A common identity infrastructure must be embedded within a binding social agreement ensuring that the technology and its institutional users operate in accordance with core principles. In addition to developing this agreement, Identity Commons is managing the development and implementation of the new technology needed to achieve this as a fiscal project of Planetwork, a California 501(c)3 non-profit.

The Identity Commons is based on an implementation of two new OASIS standards:

XRI – a new identity addressing scheme fully compatible with URIs
XDI – specifies link contracts for shared use of data across the Internet

For more technical information see:

Once implemented, the Identity Commons infrastructure will:

  • Give individuals, organizations, and even ad-hoc groups persistent addresses (digital identities) that can be used in many ways. Each party can decide what their own address links to, and who can follow the links.
  • Provide single sign-on, enabling individuals to connect to multiple sites without having to provide a login and password to each.
  • Empower user/citizens to manage their own consolidated profiles, which will be likely to stay up to date as everyone maintains only their own master copy.
  • Generate network maps that enable communities to more efficiently understand their own membership, make connections, recognize patterns, filter messages, and self-organize around new topics and functions.
  • Provide collaborative filtering services based on knowledge and reputation databases where contributors can also control their own level of anonymity.
  • Enable group formation around common interests and affinities with reputation attributes for trusted communication, which could be the key to eliminate spam.

How is this different from what is already happening in the private sector?

Currently every web site has a privacy policy, but they vary widely, are rarely read, are only good until they are changed and are thus effectively useless.

The Identity Commons (IC) solves this by (1) replacing thousands of privacy policies with a single institutional membership agreement that simplifies the user experience. Every Identity Commons member site is party to a legally binding commitment that can only be changed by amending the IC membership agreement – which is governed by all IC members. And (2) by using electronic contracts to grant, record, and enforce data sharing across boundaries.

Ultimately there can only be one fully interoperable social network; just as email can travel anywhere on the Internet, your profile must also be able to do so. Microsoft would love to make this possible, and fully control it – their Passport system was designed to do just that. By hosting identity data for nearly everyone who has a computer Microsoft hopes to put themselves in the middle of every transaction they can.

In response to this, a group of large companies formed the Liberty Alliance which developed protocols that will allow institutions to “federate” data across company boundaries. Federation is an improvement over the Microsoft Passport model, however, both of these approaches treat individuals solely as consumers, and neither provide support for civil society, citizen collaboration or for individual citizens to control their own identity data.

The Identity Commons agreement and technical infrastructure is a way to correct this imbalance of power, allowing the Internet to fulfill its great potential as a “commons” in which individual citizens can interact freely and as equals everywhere on Earth.

————- end Identity Commons description from Planetwork’s 2004 site ———

Writing this document was the first work that I did as an evangelist for the proposed open standards for distributed digital identity to enable open distributed social networks.
I wrote it based on reading through all their work and listening to the vision that the founders of Identity Commons and those working together for 2+ years hoped for in the adoption of the open standards they were working on. These protocols are now all ratified in OASIS (one of three standards bodies for the internet, the other two being IETF and W3C) – XRI, XDI along with XRD/XRD that spun out of XRI as it became incorporated in OpenIDv2 as a key part of what makes it work.

Identity that is user owned, controlled and managed – and this includes the preferences, attention data, utterances, 1/2 of transaction data – is at the heart of what one needs to make this vision of distributed social networking work. I think until recently it has been misunderstood as esoteric and just talk – amazing progress has been made since the early days of the identity gang; that community has grown and developed many of the conceptual understandings and protocols that are taken as givens.

Folks from the identity community (which perhaps should consider “updating” its name to the identity and social web community) invented – as in used for the first time – these two words together, Social and Web – SOCIAL WEB – (according to Wikipedia)

With the title of this paper: The Social Web: Creating An Open Social Network with XDI

This paper was preceded by The Augmented Social Network: Building Identity and Trust into the Next-Generation Internet

Like the Web or email, the ASN would be available to anyone. It would become a common part of the Internet infrastructure – a person-centered and group-centered service of the net. It will be implemented through the widespread adoption of technical protocols; any online community infrastructure could choose to be part of the ASN by implementing them. Central to its design are fundamental principles of openness, inclusivity, and decentralization — which are necessary for a thriving democracy. At the same time, the ASN would support the highest available forms of security to protect privacy.

The Identity Gang began talking/meeting in the latter part of 2004 and has continued to meet in the Internet Identity Workshop.

There is much wisdom that these communities have developed that can be useful in moving / re-articulating the vision… to be sure lessons are to be learned from understanding more about why certain approaches/standards/proposed ways of doing things didn’t happen (yet).

I think the market wasn’t ready for what the identity community was saying. As someone who has been evangelizing about this set of issues practically full time since 2004, in the first few years I would talk in a range of communities and at conferences about all these issues – user control, open standards, the danger of the potential emergence of large silos that locked users in – and people just “didn’t get” that it was an issue or that there was even a need for these kinds of standards. Now the market is finally ready.

The 9th Internet Identity Workshop  is this November – and REGISTRATION IS OPEN!

There is a whole conversation on the DiSo list where I highlighted this context/history. There might be a beer meetup in Berkeley this evening at Triple Rock at 7:30.

Getting OpenID to work – when oh when?

Joseph Boyle who came to our identity panel at sxsw and then joined us for lunch has been sharing with me some of his OpenID challenges. These happen all the time – ALL THE TIME. Thing is – he is a tech guy and he still can’t get any of this to work. I asked him to document his challenges so I could share them with you – he sent this to me and O’Reilly tech folks (that was where he was trying to login)… I am hoping that these UI issues can be resolved soon.

I was going to sign up at:
and saw a Sign up with an OpenID option. Since I’m interested in OpenID, I thought I’d try to use an OpenID associated with one of my Yahoo or Google accounts, but this is proving more difficult than I expected.
I did manage to find Yahoo’s page for turning on OpenID support for my Yahoo account and did this, getting response:

Feeling geeky?
When you log in to a website that supports OpenID login we’ll send your OpenID identifier to the website so it can identify you.
To make things easy, we have generated this identifier for you:……………………..
You don’t need to save this identifier. While logging in to websites, you can simply look for a Yahoo! button or in the OpenID text field. You can also choose additional custom identifiers for your Yahoo! account below.

Not geeky enough, apparently, as pasting the Yahoo-provided identifiers into your OpenID box gives errors:
Unable to find OpenID server for ‘…………………….’
Unable to find OpenID server for ‘’
Help! What am I doing wrong? Thanks, Joseph Boyle

The Ups and Downs of electronic surveillance litigation

Creepy, creepy from Slashdot:

The US government is seeking unprecedented access to private communications between citizens. ‘On October 8, 2007, the United States Court of Appeals for the Sixth Circuit in Cincinnati granted the government’s request for a full-panel hearing in United States v. Warshak case centering on the right of privacy for stored electronic communications. … the position that the United States government is taking if accepted, may mean that the government can read anybody’s email at any time without a warrant.

On the ‘up side’ from the Washington Post:

The AT&T whistle blower Mark Klein is in Washington this week to share his story in the hope that it will persuade lawmakers not to grant legal immunity to telecommunications firms that helped the government in its anti-terrorism efforts.

“If they’ve done something massively illegal and unconstitutional — well, they should suffer the consequences,” Klein said. “It’s not my place to feel bad for them. They made their bed, they have to lie in it. The ones who did [anything wrong], you can be sure, are high up in the company. Not the average Joes, who I enjoyed working with.”

His story as articulated by the Post is as follows:

The job entailed building a “secret room” in an AT&T office 10 blocks away, he said. By coincidence, in October 2003, Klein was transferred to that office and assigned to the Internet room. He asked a technician there about the secret room on the 6th floor, and the technician told him it was connected to the Internet room a floor above. The technician, who was about to retire, handed him some wiring diagrams.

“That was my ‘aha!’ moment,” Klein said. “They’re sending the entire Internet to the secret room.”

The diagram showed splitters, glass prisms that split signals from each network into two identical copies. One fed into the secret room, the other proceeded to its destination, he said.

“This splitter was sweeping up everything, vacuum-cleaner-style,” he said. “The NSA is getting everything. These are major pipes that carry not just AT&T’s customers but everybody’s.”

One of Klein’s documents listed links to 16 entities, including Global Crossing, a large provider of voice and data services in the United States and abroad; UUNet, a large Internet provider in Northern Virginia now owned by Verizon; Level 3 Communications, which provides local, long-distance and data transmission in the United States and overseas; and more familiar names such as Sprint and Qwest. It also included data exchanges MAE-West and PAIX, or Palo Alto Internet Exchange, facilities where telecom carriers hand off Internet traffic to each other.

“I flipped out,” he said. “They’re copying the whole Internet. There’s no selection going on here. Maybe they select out later, but at the point of handoff to the government, they get everything.”

Qwest has not been sued because of media reports last year that said the company declined to participate in an NSA program to build a database of domestic phone-call records out of concern about its legality. What the documents show, Klein contends, is that the NSA apparently was collecting several carriers’ communications, probably without their consent.

Another document showed that the NSA installed in the room a semantic traffic analyzer made by Narus, which Klein said indicated that the NSA was doing content analysis.

From Slashdot: Most Scary to Least Scary

FBI datamining for more than just terrorists:
“Computerworld reports that the FBI is using data mining programs to track more than just terrorists. The program’s original focus was to identify potential terrorists, but additional patterns have been developed for identity theft rings, fraudulent housing transactions, Internet pharmacy fraud, automobile insurance fraud, and health-care-related fraud. From the article: ‘In a statement, Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, said the report [on the data mining] was four months late and raised more questions than it answered. The report “demonstrates just how dramatically the Bush administration has expanded the use of [data mining] technology, often in secret, to collect and sift through Americans’ most sensitive personal information,” he said. At the same time, the report provides an “important and all-too-rare ray of sunshine on the department’s data mining activities,” Leahy said. It would give Congress a way to conduct “meaningful oversight” he said.'”

from the just-forward-your-mail-to-homeland-security dept:
“You probably already knew that the FBI was data mining Americans in the “search” for potential terrorists, but did you know that they’re also supposed to be looking for people in the U.S. engaged in criminal activity that is not really supposed to be the province of the federal government? Now the feds are alleged to be data mining for insurance fraudsters, identity thieves, and questionable online pharmacists. That’s what they’re telling us now. What else could they be looking for that they are not telling us about?”

From the is-that-anything-like-the-lime-in-the-coconut dept:
“The kernel meets The Colonel in a just-published Microsoft patent application for an Advertising Services Architecture, which delivers targeted advertising as ‘part of the OS.’ Microsoft, who once teamed with law enforcement to protect consumers from unwanted advertising, goes on to boast that the invention can ‘take steps to verify ad consumption,’ be used to block ads from competitors, and even sneak a peek at ‘user document files, user e-mail files, user music files, downloaded podcasts, computer settings, [and] computer status messages’ to deliver more tightly targeted ads.”

From the how much can you remember department:

The research reveals that the average citizen has to remember five passwords, five pin numbers, two number plates, three security ID numbers and three bank account numbers just to get through day to day life.

Six out of ten people claimed that they suffer from “information overload,” stating that they need to write these numbers down in order to remember them.

However, more than half of the 3000 people surveyed admitted to using the same password across all accounts, leaving them at risk of potentially severe security breaches.

Professor Ian Robertson, a neuropsychology expert based at Trinity College Dublin who carried out the study, said: “People have more to remember these days, and they are relying on technology for their memory.

“But the less you use of your memory, the poorer it becomes. This may be reflected in the survey findings which show that the over 50s who grew up committing more to memory report better performance in many areas than those under 30 who are heavily reliant on technology to act as their day to day aide-memoire.”

Who owns that copy?:

‘Copyfraud is everywhere. False copyright notices appear on modern reprints of Shakespeare’s plays, Beethoven’s piano scores, greeting card versions of Monet’s Water Lilies, and even the US Constitution. Archives claim blanket copyright in everything in their collections. Vendors of microfilmed versions of historical newspapers assert copyright ownership. These false copyright claims, which are often accompanied by threatened litigation for reproducing a work without the owner’s permission, result in users seeking licenses and paying fees to reproduce works that are free for everyone to use…’

Second Life – the real picture emerges:

The LA Times is running a story today saying that marketers are pulling out of Second Life, primarily because — surprise, surprise — the ‘more than 8 million residents’ figure on the game’s Web site is grossly inflated. Also, as it turns out, the virtual world’s regular visitors — at most 40,000 of them online at any time — are not only disinterested in in-world marketing, but actively hostile to it, staging attacks on corporate presences such as the Reebok and American Apparel stores.

RunBot Robot Walks:
“The basic walking steps of Runbot, which has been built by scientists co-operating across Europe, are controlled by reflex information received by peripheral sensors on the joints and feet of the robot, as well as an accelerometer which monitors the pitch of the machine. These sensors pass data on to local neural loops – the equivalent of local circuits – which analyse the information and make adjustments to the gait of the robot in real time.”

from the free-at-last dept:
“IBM is making it easier to utilize its patented intellectual property to implement nearly 200 standards in the SOA, Web services, security and other spaces. Under a pledge issued by the company Wednesday, IBM is granting universal and perpetual access to intellectual property that might be necessary to implement standards designed to make software interoperable. IBM will not assert any patent rights to its technologies featured in these standards. The company believes its move in this space is the largest of its kind.”

XFN, Liberty 2.0 and OpenID UX

Eran Sandler has two great posts about identity and OpenID. One links to my post on “the network of Me.” He asks if we can do ‘creative things’ with XFN and identities. I personally don’t want my identifier in anyone else’s XFN file. I want to be asked by the person if I want my relationship with them expressed in a new context. All our relationships do not exist in all contexts. There is, however, often a lot of overlap between people with whom we share multiple contexts; making these relationships traverse contexts in a privacy-protecting and non-annoying way is the challenge. I hope that people interested in identities, social graphs and social portability will go to the Free Liberty 2.0 meeting on January 22 to learn more about their proposed open standard for this.

He also blogs eloquently about the still emerging challenge of UI and OpenID adoption.

I keep on seeing two distinct ways that are common in such sites/services (at least in the sites that I’ve visited).

The first, is to separate the OpenID handling to a different page. In that page the process of sign-in/up is actually the same. If this is your first time of signing in with your OpenID it will actually transform itself to a sign-up process and may ask you a couple of questions and may interact with your OpenID provider.

The second, OpenID is integrated only in the Sign-In screen. If you sign in with an OpenID for the first time you will actually get a sign-up process and you may be asked a few questions and have an interaction with your OpenID provider.

The best place, of course, is to have OpenID in both the Sign-In and Up screens, if a user that does have an OpenID reaches any one of these screens the scenario of signing in for the first time (or not for the first time) will work no matter where he is.

What do you think? How would you design these processes that will still fit to your site/service and still support in a clear and obvious way OpenID?

There is an emerging community that is focused on User Experience. I hope that Eran and others who care about this join up. We need all the UX brains we can get on this not easy to solve puzzle.

i-names work in OpenID logins too

It should be noted, for all of you coming from O’Reilly’s Radar, that OpenID (the latest version) does accept i-names and identity provider URLs (this is the Sxip way of identity provision).

One of the reasons that i-names are cool is that they have persistence in a way that URLs have some challenges with in the long run. The names can be transferred to a new person but the i-number underneath is not. If you have a domain name you are using as your identifier and you don’t renew it, the new owner of the URL can use it to sign in to places where you have had accounts.

i-names also have a nicer syntax and hopefully work for the internet users who may never get that they can use URLs to log in.
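The persistence point above, as an added example (not code from OpenID, XRI or any project named here): a site that binds accounts to the i-number when one exists, and to the URL itself when nothing sits underneath it. The `Site` class, the `VerifiedLogin` record and every identifier are constructed; that one holder can put a second i-name over the same i-number is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class VerifiedLogin:
    """Outcome of a successful login as the site sees it (constructed model).

    name:     what the user typed, an i-name or a URL.
    i_number: persistent identifier behind an i-name; None for a plain URL.
    """
    name: str
    i_number: Optional[str] = None


@dataclass
class Account:
    key: str
    names_seen: list = field(default_factory=list)


class Site:
    """Hypothetical relying party binding accounts to the most persistent
    identifier it is given."""

    def __init__(self):
        self.accounts = {}    # binding key -> Account
        self.name_owner = {}  # binding key last seen behind each name
        self.events = []      # audit trail for review

    def sign_in(self, login: VerifiedLogin) -> Account:
        # Bind to the i-number when present; a URL can only bind to itself.
        key = login.i_number or login.name
        previous = self.name_owner.get(login.name)
        if previous is not None and previous != key:
            # Same name, different i-number: the name has changed hands.
            self.events.append(("name_reassigned", login.name, previous, key))
        self.name_owner[login.name] = key
        account = self.accounts.setdefault(key, Account(key))
        if login.name not in account.names_seen:
            account.names_seen.append(login.name)
        return account


def demo():
    """Replay three cases with constructed identifiers."""
    site = Site()
    pat = site.sign_in(VerifiedLogin("=pat.example", "=!1000.AAAA"))
    # The i-name is transferred: the new holder has a different i-number.
    newcomer = site.sign_in(VerifiedLogin("=pat.example", "=!2000.BBBB"))
    # Pat comes back under another i-name over the same i-number.
    pat_again = site.sign_in(VerifiedLogin("=pat.new.example", "=!1000.AAAA"))
    # A lapsed domain re-registered by someone else looks identical to the site.
    owner = site.sign_in(VerifiedLogin("http://pat.example.org/"))
    new_owner = site.sign_in(VerifiedLogin("http://pat.example.org/"))
    return {
        "iname_transfer_isolated": newcomer is not pat,
        "same_i_number_same_account": pat_again is pat,
        "url_reuse_shares_account": new_owner is owner,
        "events": list(site.events),
    }
```

Only the i-name transfer leaves an audit event; the re-registered URL produces none, which is the gap the paragraph describes.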

UX and OpenID the hiccups are beginning

The weather that Tom brings us on OpenID is mixed but good in the long run. He says that community is what counts :)

Here’s what I learned enabling the sites with OpenID:

The Good: OpenID registration is a beautiful thing. The legacy registration page on Stuffopolis can be scrapped. Once that happens, validating email addresses, requiring passwords and lost password security questions for new members will be forever outsourced to the OpenID providers (those that your website trusts).

The Bad: When introducing OpenID, it is a breeze for new members coming to the site, but it can be a little confusing for existing members who registered with the legacy credentials. When those existing members find out about the OpenID option, instead of logging in with the legacy credentials to add the OpenID to their account, they often log in with their new OpenID instead. This log-in will attempt to create a new account by fetching simple registration data from their identity provider. If their email address (sent by their identity provider) matches the one already registered with their legacy account, they can be given some instructions, but sometimes it doesn’t match and now we have a problem because if they go back and log in with the legacy credentials, they can’t associate their new OpenID to it because another account (the one they accidentally created) now has that OpenID.

Update 12/17: What I need to do is when a member goes to his profile page and attempts to modify his OpenID, after a successful OpenID authentication, if the site detects that there is another account with the same OpenID, then the site will ask the member to confirm that he wants the other account deleted, making sure there is only one account with that OpenID.

The Ugly: Now that some popular open source packages (wordpress, mediawiki, phpBB) support OpenID, the software should honor each other’s OpenID sessions so that someone who logs into mediawiki with his OpenID doesn’t get presented with an OpenID login form when he visits phpBB, for instance. Although this isn’t a huge problem, it is a little ugly and it seems it will require a standard way of registering OpenID apps on a system so that an OpenID session state change in one app will inform the others.

In a nutshell: OpenID is still immature, but it has an extraordinarily committed community behind it and when it comes to software, that’s what counts.
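The account collision and the 12/17 fix described in the post above, as an added example that is not Tom’s or Stuffopolis’s code: the `Members` store, its method names and all addresses and identifiers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


class OpenIDInUse(Exception):
    """The OpenID is already bound to a different local account."""


@dataclass
class Account:
    account_id: int
    email: str
    legacy_password: bool = False
    openid: Optional[str] = None


class Members:
    """Hypothetical member store for a site adding OpenID to legacy logins."""

    def __init__(self):
        self.accounts = {}
        self._next_id = 1

    def create(self, email, legacy_password=False, openid=None) -> Account:
        acct = Account(self._next_id, email.lower(), legacy_password, openid)
        self.accounts[acct.account_id] = acct
        self._next_id += 1
        return acct

    def by_openid(self, openid) -> Optional[Account]:
        return next((a for a in self.accounts.values() if a.openid == openid), None)

    def openid_login(self, openid, sreg_email):
        """Run only after the provider has verified `openid`."""
        acct = self.by_openid(openid)
        if acct:
            return "signed_in", acct
        legacy = next((a for a in self.accounts.values()
                       if a.legacy_password and a.email == sreg_email.lower()), None)
        if legacy:
            # E-mail matches a legacy member: show instructions to sign in
            # with the legacy credentials and add the OpenID from the profile
            # page. Nothing is created or linked on the e-mail match alone.
            return "instructions", legacy
        # No match: the accidental second account described in the post.
        return "created", self.create(sreg_email, openid=openid)

    def attach_openid(self, account_id, openid, confirm_delete=False) -> Account:
        # Profile-page change: run only after a fresh OpenID authentication
        # by the member who is currently signed in to `account_id`.
        other = self.by_openid(openid)
        if other and other.account_id != account_id:
            if not confirm_delete:
                raise OpenIDInUse(other.account_id)  # ask the member first
            del self.accounts[other.account_id]
        self.accounts[account_id].openid = openid
        return self.accounts[account_id]


def demo():
    """Replay the scenario with constructed members and identifiers."""
    m = Members()
    pat = m.create("pat@example.org", legacy_password=True)
    oid = "https://pat.openid.example/"
    matched, _ = m.openid_login(oid, "Pat@Example.org")
    created, dup = m.openid_login(oid, "pat@mail.example")
    try:
        m.attach_openid(pat.account_id, oid)
        conflict = None
    except OpenIDInUse as exc:
        conflict = exc.args[0]
    merged = m.attach_openid(pat.account_id, oid, confirm_delete=True)
    return matched, created, conflict == dup.account_id, merged.openid, len(m.accounts)
```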

What is a Barrier to Entry – OpenID

This comment was posted by Vivek Puri at the bottom of Ramana’s post (quoted above).

OpenID is great idea, but adds another layer of complexity for early adopters. This might not go down well with the startups who can end up losing important initial users. Also bigger companies like Google will offer Single Sign-on only for their own apps which becomes another point of disconnect. In my case I use Writely for document editing, Editgrid for spreadsheet, and for bookmarks which is a pain to manage.

As for offline usage, that is a very much required feature. Especially Writely should be able to implement that part easily since they have already cracked the algorithm for multi-user data edit and sync. Groove networks does offer that feature but is not for individual.

I guess there is some miscommunication in what OpenID is and how it actually lowers the barrier to entry to try new Office 2.0 applications.

This is how I see it.
I have my blog URL that is OpenID enabled or I have an i-name. I now can go to any one of the new groovy Office 2.0 applications and, instead of getting yet another login and password, I just use my OpenID. I don’t have to put it into that spreadsheet of all my names and passwords or just use the same one I use everywhere that is totally insecure. Instead I bring my identity to the site. I save time. If I am an early adopter type I will likely get an OpenID relatively quickly and it will be a handy fast way for me to try these things out. Of course Office 2.0 applications should not force people to have OpenIDs; those who want yet another user name and password can have one.

I know personally I avoid signing up for anything new that requires yet another login. I would be more inclined to try out an Office 2.0 application that has OpenID as a login option.

I think all these Office 2.0 companies can collectively compete with the big silos by offering SSO amongst themselves.

OpenID on the ‘edge of greatness’

Here are some of the great quotes about OpenID this week –

Tom in Austin says:
I’m a big fan of OpenID and I think it’s on the edge of greatness.

Norman Walsh:
Next time you build a web application that needs a login, consider OpenID.

Perhaps in future, sign-up fatigue will keep people away from signing up to new services. Providing OpenID option is very welcome.

You can now sign in with an OpenID when you leave comments on the blog. Why did I add this? To do my little part to try and break some of the ID silos.

Identity Open Space – Sept 11, Santa Clara

So we have had a fabulous series of open space events since May’s Internet Identity Workshop: the Identity Mashup at Berkman 3rd Day Open Space and the Post Liberty Alliance Identity Open Space specifically, but identity was also a major theme at Mashup Camp, which had 5 sessions on identity, and at OSCON and OSCamp.

I think one of the reasons things have been developing rapidly is the open opportunities to address critical issues and reflect as a community on next steps. So there is another one coming up before the next Internet Identity Workshop in December.

On the Monday that Digital Identity World starts we are hosting an Identity Open Space at the Santa Clara Convention Center. It will begin at 9am with agenda creation, with sessions starting at 9:30 and going until 3, when DIDW officially starts.

The cost is $25 just to cover lunch – so we can eat on site. Please sign up here… and add your name to the wiki and post suggested topics you bring to the conversation.

You also get a discount on attending Digital Identity World if you come to the Identity Open Space.
I know it is a bit of a challenge to travel on Sunday but I hope those of you from out of town will choose to do that. Hopefully we can get lots of folks working on new web tools who might be able to actually use user-centric identity. Besides, who wants to get on a plane on September 11th?

Yet another digital identity protocol –

I just met Alex Jacobs this morning. He told me his new protocol for identity would be live within hours. It is now live.

It uses e-mail addresses (like so many sites) but users only have to authenticate their e-mail once.

How it works
1. User gives you their email address e.g.
2. You post the email address, requested data, and a secret confirmation URL to the user’s mail domain e.g. in python: (see their site)

Arrival at etech – Lanyard Mashup and iname postcards

I just got into San Diego for eTech. I am in a very enjoyable tutorial by the Adaptive Path guys on Designing Web 2.0 applications.

The prime insight is that they are both informational hypertext systems and applications with a software interface. One must look at this duality throughout the development of the site, up the stack from the most abstract (Strategy) through Scope, Structure and Skeleton to Surface, the most concrete.

I also got my 10th Sxip lanyard. I have taken the liberty of doing a mashup, adding the other Identity 2.0 protocols – OpenID, LID, inames, Yadis and, front and center, ID Gang. I took a photo you can see here.

We have new iname postcards promoting the developer portal that was launched today – content will be improving as the community contributes more.

Oh yes and as if that was not enough – we get to Sxip into our rooms – here is Phil with his Sxip Key. Maybe it is ‘sign’ that Sxip will work with infocards – they just did an STS exchange to issue us all hotel room keys. – this is of course an allusion to the presentation that Andre of Ping did at Digital Identity World last year where he went through the whole process of checking into the hotel and doing STS’s in analogue space.

we must be wary of the lawyers

The lawyers have learnt their lesson now…When the next disruptive communications technology – the next worldwide web – is thought up, the lawyers and the logic of control will be much more evident. That is not a happy thought.

From Slashdot. More from the article it refers to

Why is the web unlikely? Prepare for a moment of geek-speak. For most of us, the web is reached by general-purpose computers that use open protocols – standards and languages that are owned by no one – to communicate with a network (there is no central point from which all data comes) whose mechanisms for transferring data are also open.

Takeaways – Open and Free.

Catalyst: SSO Simple Secure and Open – Dick on Identity 2.0

Dick – had a 580 slide deck done Lessig Style
This is a summary of his talk:

We found out about Dick’s Identity

We learned about what Identity is

What I say about me
What others say about me (others trust this)
What others say about you
We learned about Identity Transactions:
Verbal in person (with visual cues)
Talk on phone (loss of visual cues)
Job Application (fill out form)

We learned about data verification using drivers licenses in the real world and how the process reduces Identity Friction.
Identity Transactions are Asymmetrical
There is separation of the acquisition and presentation of credential
The credential is reusable
Trust is social

What is digital identity?

Identity 1.0 Today

Today it is the hassle of filling out the same information again and again.
Basically today authentication is that you get to prove you are an entry in a directory: a single authority on one credential, not portable, in a silo.

Verified digital Identity is not what you give a site today.
e-bay -/-> Craigslist
We have walled gardens

Identity 2.0 is where the user can move it to any site.

Simple and open has a history of winning in new standards look at:

  • networking
  • e-mail
  • web – html

Identity Credential exchange is transparent transaction that is scalable.

users? – too many user names and passwords

won’t pay – little influence

enterprise? – partners, contracts, agents

but risky to lead… can’t get there
Identity 1.5



but localized


motivated to solve
theoretical trust relationship

Identity Ecosystem will emerge where

users are loosely coupled
share user identity

We are in a new era

Webservices – Flickr, Mappr, SalesForce

Web 2.0 will drive identity 2.0

It will happen on the edge of the Internet (not the edge of the enterprise).

XRI/XDI no web-service apps


name/value pairs

The goal is to mimic photo ID
With Sxip Network

SXIP 1.0 has had a few tire kickers

SXORE Blog comment spam solution

SXIP 2.0 support web services
SSO – Simple Secure and Open

Jamie Lewis –
Q: So will this go into a STANDARDS PROCESS?
A: We are working on it. We want to get it very close to right then put it into standards body. I like IETF. Our goal is to be open

How it ‘should’ work.

Doc is an endless source of amazement and wisdom. He has been communicating about this stuff so clearly for so long one wonders why they are not listening. At least the identity gang is.

The Net is a World
Craig Burton:
Think of the Net as a hollow sphere made entirely of people and resources it connects.
– It is the first world made by people for people.
We’ve only begun to terraform it
One of its virtues is the emptiness in the middle.

The Net is a World with Three Virtues
1. Nobody Owns it
2. Everybody can use it
3. Anybody can improve it

Notice the use of the word ‘body’ in these sentences: not no one, everyone and anyone.

The history of the net is the history of its protocols.

Civilization doesn’t move all at the same speed.

mmm… this explains why Marc is frustrated with us meeting so much: we are building infrastructure, not buildings, and it takes a bit of time. Now that the infrastructure is there for real open standards for digital identity, let’s see what we can build with them.

Between two perspectives… Commerce and Governance lies infrastructure

How simple does it need to be?

FAQ’s about LID from Johannes Ernst’s Blog – I think they apply to the work happening around XRI/XDI and Identity Commons stuff. I am going to do my part by working on doing some essays with lots of simple diagrams to explain the ecology of organizations and roles. Hopefully we can also do a short video about it too.

What’s your measure of how complex a single-sign-on technology can be so it can be adopted broadly?

A weekend of implementation effort, maximum. Here’s why: SSO only makes sense if basically everybody can implement it. That includes a lot of players, from your 401k plan (who could probably afford a lot more than that) down to the message board of the parent-teacher association that’s run by Joey’s dad on his home Linux server. Joey’s dad is not going to spend more than a weekend of his time to make it work. He’s also not going to go out and buy expensive software. He might download some Perl, but that’s about it. Ergo: one weekend, no more.