Conference goings-on

A roundup of some upcoming meetings and conferences on which I’ve got my eye, and/or on whose program committee I serve, and/or at which I will appear. (This preposition-first business is nonsense up with which I have just put…)

  • 4th ACM Workshop on Digital Identity Management: This workshop will be held October 31 (pack your Halloween costume…) in Fairfax, VA. Early-bird registration ends October 10. You can register for just the workshop if you can’t attend the ACM CCS2008 conference with which it’s colocated. The program this year looks really interesting; the theme is “services and identity”.

  • Identity Forum 2008: I’m a late addition to the program of this conference, speaking on Project Concordia on October 7 in Rotterdam. Should be a great trip. If you’re planning to be there, I hope you’ll say hi.

  • Project VRM Standards Committee: This group is holding its first proper face-to-face meeting and coding camp on October 15-16 in Cambridge, MA. (I can’t attend but will be calling in.) RSVP to Joe Andrieu. (I have in the past described this group’s telecon series as “like crack” — if you’re addicted to rapid-fire idea generation and lots of “ooh, now I grok it” moments.)

  • Net-ID 2009: This conference on identity, trust, privacy, and security is being held February 16-17 in Berlin, and the Call for Papers is now open.


Almost showtime for OpenSSO and the IdentiCat

In keeping with Daniel Raskin’s — what did he call it? his Barnum and Bailey style, I believe — he’ll be stalking a mythical creature, the IdentiCat, during the unveiling of OpenSSO Enterprise 8. You won’t want to miss the show, to be held in Second Life next Tuesday, September 30. It’s not too late to sign up!

(Has Mr. Winky the IdentiCat met Mr. Winkle the dog?)


Venn and the art of data-sharing

I come to the VRM world from a tradition (if that’s the right word) of digital identity management. With so many organizational efforts swirling around trying to create identity layers, data portability, metasystems, and suchlike, I kept noticing that there was a common set of bedrock features involving human beings and the networked apps they use. And, yes…I saw it as a Venn diagram.

I’ve been trying this out on folks for a while now, and used it in a couple of recent talks, particularly my Gnomedex 8.0 one. Here’s my thinking behind it. (This is more than a straight Venn because of the metaphorical shadow thingie. Couldn’t resist! My web services Venn “cheated” too.)

Digital identity management is, at base, about identification so app usage can be correlated and audited, authorization to provide secure controlled access, and personalization, all counterbalanced by privacy. It has a strong individual (single-human-to-app) bent, though sometimes it involves Shibboleth-style scenarios where you mostly track anonymous group members rather than unique people.

Social networking is about building feelings of connectedness and offering the benefits of collaboration, such as crowdsourcing. Social apps focus on human-to-human relationships, but to provide infrastructure for this, they have to do plenty of the human-to-app variety. Social networking today stresses revelation of personal details (the OpenSocial best practices doc is one example) much more than it stresses privacy, though the latter is an increasing concern.

VRM partly involves what could be called restriction of data flow — undoing vendors’ grip on users’ info in a way that’s familiar to proponents of privacy-enhanced and user-controlled IdM. But other VRM scenarios involve enhancement of individuals’ opportunities to share personal information, for example by issuing a personal RFP to potential vendors. As Doc Searls has said, VRM is “personal first and social second”, so it seems to have a closer kinship with digital identity but could provide new social opportunities as well.

Each area has its unique features. But all share a common trait — differentiated app behavior depending on special aspects of you (whether this comes from attributes, claims, and transactional details in IdM; social graph data and user-generated content in social apps; or proactive requests and other personal data offered up in VRM). And to deliver on this promise they all share a common requirement — knowing more about you, with permission.

By contrast, where apps know about you through improper data gathering or aggregation, you get digital shadow effects — like direct marketing that is distinctly not permissioned or welcomed. Today, permissioning is still something of an art rather than a science, hence the title of this post.

We have a number of infrastructural options that more or less satisfy the requirements of the intersection, and later I hope to provide further thoughts on that. For now, I hope you’ll let me know what you think of this new instance of John Venn’s invention.


The swinging shindig that was Gnomedex 8.0

What a trip my first Gnomedex was — I think I’m hooked. It’s Chris’s happening, baby, and it freaks him out! (Think he can be convinced to dress up full-Austin next time? I did notice a bit of a shiny-jacket trend in the crowd.)

Lots of people have done roundups, so I’m mostly going to be lazy and point to Beth Kanter’s, which gives a great sense of the breadth, the depth, the value, and the occasional silliness of this event. I was very glad to meet Beth and to see her demonstrate, right in front of our eyes, the principles she was teaching. Really, the two-plus days were a virtual parade of interesting people, compelling stories, and cool tech.

Speaking of virtual… Gnomedex’s sheer level of online+meatspace social connectedness was something new for me. The 8.0 community feeling started early, with the @gnomedex Twitter feed. It continued with the conference badges that came with a social network. It got really strong while several hundred people watched the conference from home on the video feed (archive) and hung out on Twitter or in Chris’s chat room. (I daresay this feeling wouldn’t have been possible without the single-track setup.) And it continues even now. I mean, I tweet, and I speak at conferences, but I’ve never before sat down after giving a talk to find that dozens of people — some in the same room and others a world away — have just started following me. Delighted to meet you all! (Admittedly, I also exchanged business cards with some folks during coffee breaks, the old-fashioned way.)

I’ll post some thoughts later about my talk on online data-sharing relationships. But, staying “meta” for now, I’ll just send you to one more roundup, Micah Baldwin’s 3 Rules of Gnomedex 8.0, which I think nicely captures what made it special. Quoting will just spoil it, so just go ye and read…


I can has photo?

This is a special moment.

I get to sit here at Gnomedex watching Ben Huh of ICHC review the Lolean Timescale of lolcat history — apparently the correct pronunciation is lole-cat and I’ve been doin it rong.

And I just met Kris Krug, photographer extraordinaire, who has promised to do portraits on-site for those who give him some linky love. I’m only too happy to oblige (uh, literally).


SSO Summit session: OAuth and WS-Trust

Finally, here are the additional notes I took on the OAuth/WS-Trust session Ashish Jain moderated at the recent(ish) SSO Summit, to supplement his post.

In addition to the use cases already mentioned by Ashish, we discussed use cases for having a security token service in its most basic form. There are “syntactic” reasons to need to exchange tokens:

  • Going from a proprietary token format to a standard one (e.g., Kerberos to SAML)
  • Going from one standard token format to another (e.g., SAML1.1 to SAML2)
  • Going from one proprietary token format to another

The participants considered this pretty much a “necessary evil” for integration purposes — a tactical need that is likely to subside over time as standard token formats stabilize, converge, etc. We saw both internal and cross-domain uses for this, but identified today’s WS-Trust sweet spot as being within enterprises where multiple token formats are (still) in use.

Then there are semantic reasons to exchange tokens. For example, “identity oracle” use cases might have a need for this (handing out a cooked/computed assertion that someone’s “over 25” rather than sharing their actual date of birth).
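The “identity oracle” exchange described above, sketched as an added example (not from the session or from any product): a toy security token service verifies an inbound token that carries a birthdate and issues a new one that carries only the computed predicate. The HMAC token format, the key names and the claim names are assumptions made for illustration; this is not WS-Trust or SAML.

```python
import base64, hashlib, hmac, json
from datetime import date

# Constructed demo keys (assumptions): one shared with the upstream issuer,
# one shared with the relying party that consumes the derived claim.
INBOUND_KEY = b"constructed-inbound-key"
OUTBOUND_KEY = b"constructed-outbound-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def sign_token(claims: dict, key: bytes) -> str:
    """Serialize claims and append an HMAC-SHA256 tag (toy format, not SAML)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def verify_token(token: str, key: bytes) -> dict:
    """Return the claims only if the tag verifies; raise ValueError otherwise."""
    body, _, tag = token.partition(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("bad signature on inbound token")
    return json.loads(base64.urlsafe_b64decode(body))

def age_on(birth: date, today: date) -> int:
    """Whole years elapsed, counting a birthday only once it has occurred."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))

def exchange_for_age_claim(inbound: str, today: date, threshold: int = 25) -> str:
    """Semantic exchange: verify a token carrying a birthdate, emit one that
    carries only the computed predicate. The birthdate never leaves the STS."""
    claims = verify_token(inbound, INBOUND_KEY)
    birth = date.fromisoformat(claims["birthdate"])
    derived = {
        "sub": claims["sub"],
        # "over N" is taken here to mean the Nth birthday has been reached (assumption)
        f"over_{threshold}": age_on(birth, today) >= threshold,
        "issued": today.isoformat(),
    }
    return sign_token(derived, OUTBOUND_KEY)

if __name__ == "__main__":
    inbound = sign_token({"sub": "user-123", "birthdate": "1980-06-15"}, INBOUND_KEY)
    outbound = exchange_for_age_claim(inbound, date(2008, 9, 24))
    print(verify_token(outbound, OUTBOUND_KEY))
```

Using separate inbound and outbound keys means the relying party can validate the derived claim without being able to read or forge the token that held the birthdate.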

There are as many unique use cases here as one can imagine. I noted that Liberty ID-WSF has a few of these baked into services that it has defined, but they don’t currently use WS-Trust. (As an aside, there’s a group taking the first steps in a rapprochement here, appropriately pronounced “sig-wish”! Check it out, and let me know if you’re interested in helping.)


A (g)newbie at Gnomedex

Somehow I’d been missing out on the phenomenon of the Gnomedex tech-enthusiast conference, even though its location in recent years coincides perfectly with my new(ish) Northwest residency. (Hey, I haven’t gone to Bumbershoot yet either — bad, bad Eve!)

This year I’ve got a great chance to fix the situation. I met Chris Pirillo and his lovely wife Ponzi through Eli, and after a couple of fun evenings where I blabbed excitedly about Vendor Relationship Management and he blabbed excitedly about a project that was soon to become his WicketPixie social-media WordPress theme (it would be interesting to “VRM-enable” this theme, yes??), they were kind enough to invite me to speak this year. I’m looking forward to introducing VRM concepts to this audience and getting some discussion going on how to improve the customer-vendor nexus.

If you can be in Seattle August 21-23, I hope you’ll register and join the fun.


It’s a nice day for a Facebook wedding

In addition to our wedding anniversary and the anniversary of our first date, Eli and I now have another event to celebrate: July 27, 2008 was the day we confirmed our “married” relationship on Facebook. We immediately got two messages of congratulation, one facetious…and one seemingly sincere! For the record, we’ve been married for 18 years and together for 22 — but we love having another special occasion to add to the list.


OpenSSO Express and the smoking simian

Today Sun launched OpenSSO Express, a cool new way to get your hands on innovative features destined for its Access Manager commercial product over the long haul but freshly available every three months in a stable, tested, supported build of the OpenSSO open-source project.

Daniel Raskin (dubbed the Smoking Monkey by Coté and taking the moniker quite seriously…) has a great post linking to lots more info and even a podcast on the subject. Check it out!


Federation Soup: mmm, mmm good

Internet2 hosted an interesting gathering in early June, called Federation Soup, which I had the privilege of attending. These folks have had to face some of the hardest federation problems out there because of the higher education community’s unique mix of needs, and they take a relentlessly practical approach. Ken Klingenstein said it was okay to blog what I heard at the event, but it took me a little while! Here are some of the tidbits I collected.

Interfederation looks pretty different in Internet2-land and in places like the U.S. government. In the latter, the emphasis is on PKI bridges, while the education sector is looking for more loosely coupled solutions.

It’s not just about higher education; a fair number of people are working on what are called K-20 initiatives that span education at all levels and of all types. This brings in all the hard problems of gathering consent from the custodians of minor children.

The InCommon federation is pretty attractive. Some parties that come from outside traditional education, such as news organizations that want to distribute content in a controlled way and U.S. government agencies that don’t want to use a peered federation model, are joining this federation or at least considering it. At the same time, InCommon is not the only answer; smaller educational system federations will continue to coexist with it. And some federations need independent branding. Finally, some universities simply don’t feel the need for federation at this point.

A lot of the discussion was around how to increase federation adoption. A common theme was to find the killer app or anchor tenant that makes the whole exercise worthwhile all by itself. Some people felt that what sells is not “trust”, but collaboration services. Buyer’s clubs (such as subscriptions to journals) are also an attraction.

At a BOF on privacy, tricky jurisdiction problems were discussed. What if a U.S. student is studying temporarily in Paris? Do you go by their geolocation, or by the IdP’s jurisdiction, or the SP’s? Do you purge logs for privacy according to EU requirements, or retain them for homeland security according to U.S. requirements?

Finally, for the heck of it, some juicy quotes:

  • Scott Cantor: “As far as the software is concerned, there’s no such thing as a federation.”
  • Ken K. on identity proofing and levels of assurance: “It’s ratholes all the way down.”
  • Someone: “Where the duct tape is holding, people are very reluctant to let go.”

