Archive for June, 2006

Unleash your inner rock diva

Yesterday a magazine came in the mail whose cover had this teaser title. The article was about a rock ‘n’ roll fantasy camp. Coincidentally, Mudcat had a gig last night. Don’t dream it, be it!

(Kaliya was a great sport about my pulling her up on stage for our karaoke caper at Catalyst — I can’t help singing, even in odd circumstances.)

This little rock ‘n’ roll hobby is feeling a lot more substantial these days. Last night was our fourth time playing the Montlake Ale House, and our now-regular audience members (wow, regulars! dare I call them “fans”?) have begun to ask where the CD is. No plans for that at the moment; nor do we have T-shirts, mugs, or holiday ornaments. But a modest website and email list are in the works.

We’re playing again on the 4th of July at a school fundraiser in Seattle. If you’re interested in coming to the gig, drop me a line for more info…


XML haiku project, finished at last

Well, that took a long time… This week I finally finished the XML haiku cross-stitch project that I started in July of last year. The corner parts were just a killer — of course I saved them till last, and since they’re all the same color (and not terribly different from the fabric color), they were not exactly stimulating to work on, so I went several whole plane trips without pulling out the project even once. With hindsight, I can say that the lettering and the boat were the most fun to implement, and the design process (done oh so long ago), especially getting the “O” to echo the sunset, was the most fun overall. Biggest lesson learned: If I pass up stitching on a plane for some reason, and I continue to have terrible lighting in my TV room, stitching will simply Not Happen.

Completed XML Haiku cross-stitch project

In case you’re having trouble reading that cool Asian-style font, yes, it does say:

Well-formed XML
Parsing is such sweet sorrow
Order but no gist

I’ve decided to try my hand at identity-stitching next, so stay tuned for more about that design process…


R-E-S-P-E-C-T

Pete Rowley’s thoughts on “people in the protocol” resonated with me, as they have with Paul Madsen; in fact, I had a great conversation with Pete about this general topic just after doing a user-centric identity panel at Burton Catalyst with Kim Cameron, Michael Graves, and Dick Hardt. But I think that to disambiguate all the options, we need a fuller set of terms, which indeed Paul lays out (this is the same set I used during my time on the panel).

The “user”-related terminology used in much of identity-land has been badly overloaded. One thing we’re all trying to do is articulate and label a philosophy (expressed in Kim’s “law #1” about control and consent, and brought up by Pam Dingle in the panel Q&A period) about building respect for users’ wishes into identity systems. Another thing we’re doing is discussing the pros and cons of specific protocol flows and user interfaces for achieving this. For starters, let’s not use the same term for both!

To recap the terms Paul lays out:

  • User consent is an umbrella term about giving the user the ability to consent (or not) to the exchange of their info. This is a minimum bar for respecting the user’s opinion about what should happen.

  • User control refers to a user’s ability to set policy that governs the exchange at a finer grain. This is a much stronger and subtler form of consent.

  • User centrism is reserved for a particular class of user-controlled identity info exchange wherein the technical protocol lets the user control the flow absolutely, by making them an intermediary at run time. (If we don’t reserve this term for this meaning, then a whole bunch of criticisms I’ve seen of “non-user-centric” systems make no sense!)

On the panel, I tried to point out a couple of things:

First, the Liberty Alliance is comfortable with the entire consent/control/centrism spectrum, and indeed it did some pioneering design work around identity clients that mediate information flow, which is now in SAML V2.0 as what’s called the Enhanced Client or Proxy — or ECP, pronounced “eck-pee”, sigh. (I even went so far as to assert that SAML and Liberty manage to have a single architecture for the entire spectrum of user empowerment choices, something I’ll try to elaborate on in a separate post.)

Second, some use cases lend themselves to user centrism, but some by their very nature take place when you’re not around — like medical professionals’ access to your health information when you’re lying insensible in the emergency room. (I didn’t know, when I brought this up, that there was a three-company demo in the Liberty suite that showed exactly this scenario!) Permission-based attribute sharing is at the very heart of Liberty Web Services.

One thing I brought up only later, to Pete and some other folks, is that we spend a lot of our time in the identity world trying to figure out how to securely remove synchronous (annoying, error-prone) user action from identity transactions — what is Single Sign-On about, after all? — and the last thing most users want is to be interrupted to handle some identity data flow when their predefined policy could take care of it for them. So I think there’s a bit of irony in calling the method that requires the most interrupting-of-the-user “user centrism” (centrality to the protocol is more like it, and more value-neutral). Or, since freedom and responsibility are twin values, we can see user centrism as the ultimate in user responsibility!

So, back around to philosophy… I like Pete’s “people in the protocol” phrase a lot, and think it would be great as the name of the overall philosophy we’re going for here. But reading his post again, I’m not sure if he means it to be applied to strict user centrism, or just to something like user consent/empowerment. When we chatted at lunch, I did ask whether it would be an acceptable model to gain user consent to an initial introduction between an identity provider and relying party, so as to let them “talk amongst themselves” thereafter in an approved manner, and he said yes. So perhaps we are indeed beginning to untangle the myriad ways of evincing respect for users.

UPDATE: Conor and I are having a discussion in the comments about finer gradations, terminological flexibility, and more that I’m finding very helpful. I wonder what others think: Is “user-centric” a term that’s here to stay, or open to further change as our understanding grows?


A promise to you, dear developers

Sun today issued two “non-assertion covenants”, one on the SAML V2.0 standard and one on the Web SSO Interop specs we published jointly with Microsoft last year. I had the pleasure of announcing this in a Burton Catalyst user-centric identity panel a couple of hours ago (and Dick Hardt, up on the panel with me, got a smattering of applause going — cool!). You can find some definitions and context at Sun’s On the Record blog, but the short version is: Developers using these specs need not fear Sun patent attorneys breathing down their necks to squeeze royalties or anything else out of them. No web forms to fill out, no baying at the moon on Thursdays, nothing.

This is fairly similar to RSA Security’s statement made in April. I notice that another statement is now appearing on the SAML group’s IPR page: a non-assertion covenant from Fidelity. Wonderful news! And definitely a trend I’d like to encourage.

UPDATE: I can make no defense to Tag Boy’s point, except to note that English reuses too many darn words. However, I will note that one doesn’t actually need any IP in SAML to make such a statement — you’re just promising that if you ever did/do, and if it’s enforceable, you won’t actually enforce it (under whatever conditions). Try it, you’ll like it!


NoXMLdsig

Jeff Hodges and Scott Cantor have been busy bees. They just published a draft of a new HTTP POST binding for SAML, called NoXMLdsig, that (surprise, surprise) eliminates the need for XML Signature. Its abstract reads:

This specification defines a SAML HTTP protocol binding, specifically using the HTTP POST method, and not using XML Digital Signature for SAML message and/or SAML assertion data origination authentication. Rather, a “sign the BLOB” technique is employed wherein a conveyed SAML message, along with any content (e.g. SAML assertions) is treated as a simple octet string if it is signed. Security is optional in this binding.

If you’ve got comments, let ‘em know!
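
As an added illustration of the “sign the BLOB” idea in the abstract above (not code from the draft or its authors): the sketch below signs and verifies the message as raw octets, so the receiver checks the signature before any XML parsing happens. The HMAC stand-in for the signature algorithm, the `Signature` field name, the key and the sample message are all assumptions made for this example.

```python
import base64
import hashlib
import hmac

# Constructed sample data. HMAC-SHA256 is a stand-in for the signature
# algorithm; the "Signature" field name is hypothetical, not from the draft.
KEY = b"constructed-demo-key"
SAML_MESSAGE = (b'<samlp:Response ID="_constructed1">'
                b"<saml:Subject>alice</saml:Subject></samlp:Response>")


def sign_blob(message: bytes, key: bytes) -> dict:
    """Sender: sign the exact octets, then base64 both for the form POST."""
    sig = hmac.new(key, message, hashlib.sha256).digest()
    return {"SAMLResponse": base64.b64encode(message).decode("ascii"),
            "Signature": base64.b64encode(sig).decode("ascii")}


def verify_blob(form: dict, key: bytes) -> bytes:
    """Receiver: authenticate the raw octets before any XML parser runs."""
    message = base64.b64decode(form["SAMLResponse"], validate=True)
    sig = base64.b64decode(form["Signature"], validate=True)
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("blob signature mismatch; message rejected unparsed")
    return message  # only verified bytes are handed on for parsing


def accepts(form: dict, key: bytes) -> bool:
    try:
        verify_blob(form, key)
        return True
    except ValueError:  # also covers malformed base64 (binascii.Error)
        return False


def respaced(form: dict) -> dict:
    """Same XML to a parser, different octets: extra space in the start tag."""
    message = base64.b64decode(form["SAMLResponse"])
    altered = message.replace(b"<samlp:Response ", b"<samlp:Response  ", 1)
    return {**form, "SAMLResponse": base64.b64encode(altered).decode("ascii")}


if __name__ == "__main__":
    form = sign_blob(SAML_MESSAGE, KEY)
    print(accepts(form, KEY), accepts(respaced(form), KEY))
```

Because the check covers bytes rather than a canonicalized XML subtree, any re-serialization along the way invalidates the signature, so the encoded value has to be relayed untouched.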


What to do about promiscuity

I’m referring, of course, to users’ identity habits, which as many people have noted (including myself, in a W3C position paper) are far more promiscuous than we might wish. How can we work towards more robust privacy and security if people simply don’t care? What does it take to get people to shut up about themselves?

An article in New Scientist reports that the NSA is researching “mass harvesting of the information that people post about themselves on social networks.” One example given seems benign and even useful:

The research ARDA [the Advanced Research Development Activity] funded was designed to see if the semantic web could be easily used to connect people. The research team chose to address a subject close to their academic hearts: detecting conflicts of interest in scientific peer review. Friends cannot peer review each other’s research papers, nor can people who have previously co-authored work together.

So the team developed software that combined data from the RDF tags of online social network Friend of a Friend (www.foaf-project.org), where people simply outline who is in their circle of friends, and a semantically tagged commercial bibliographic database called DBLP, which lists the authors of computer science papers.

Joshi [one of the team’s leaders] says their system found conflicts between potential reviewers and authors pitching papers for an internet conference. “It certainly made relationship finding between people much easier,” Joshi says. “It picked up softer [non-obvious] conflicts we would not have seen before.”

The article places more emphasis on RDF and the formal semantic web than I think is warranted; arbitrary (well-documented) XML formats, microformats, and even HTML used in a regularized manner can be harvested or at least screen-scraped. And it’s actually very hard to do precise equivalence mapping between RDF (or any!) schemas in practice, just because taxonomies in the real world are so messy (are “given names” and “first names” and “Christian names” the same thing?). So it’s likely that well-known attribute schemas of whatever type will be just as effective targets for harvesting as RDF schemas will be. But the point remains: greater data portability and more accessible semantics for personal information add up to easier harvesting by other parties, whether they wear black hats or white.

Even if users have the opportunity to give informed consent, in many cases they may choose not to spend time thinking hard on the consequences of allowing access — possibly a form of rational ignorance if they never pay those consequences. An example from a more general context appears in Bill Cheswick’s talk from the inaugural SOUPS conference:

To most attendees, it came as no surprise that the Cheswick found his father’s Windows machine chock-full of adware and spyware. Also unsurprising was the fact that even after a full cleanup, the machine was infected again within weeks (when the speaker visited his father next). Here’s the punch-line: the father was adamant that none of the security “fixes” or “solutions” break his machine. After all, explicit and annoying pop-up ads notwithstanding, he was still getting his work done, wasn’t he? Why fix something that ain’t broke?

(SOUPS is the “Symposium on Usable Privacy and Security”; its 2006 program looks incredibly meaty — soup-to-nutsy? — and I sure wish I could go.)

For those who do want to exercise more care, or if the consequences begin to be felt (Tag Boy points me to this example of googling-before-hiring), applying strong human-computer interaction principles in identity UIs should help in reducing misunderstanding and fatigue. And we could allow users to set up policies for avoiding annoying interactions involving identity exchange — reserving synchronous interaction for garnering point-of-“sale” consent for areas with a large potential for loss (of privacy, money, or whatever). Identity Rights Agreements could be a useful tactic, if users can get to know the options and if the interfaces for managing them are value-add rather than value-subtract.

The article concludes, in part:

… Tim Finin, a colleague of Joshi’s, thinks the spread of such technology is unstoppable. “Information is getting easier to merge, fuse and draw inferences from. There is money to be made and control to be gained in doing so. And I don’t see much that will stop it,” he says.

I’ve mentioned some forces that could potentially “stop it”, but people still have to want them. Let’s say that the perfect interfaces have been developed and people use them to set up policy-based bounds on identity sharing. But a really awesome new social networking program is all the rage and it requires fairly wide access in order to provide, say, genealogy linkages. A user has clicked all the right buttons to prove that they have given consent, or they’ve selected the desired identity “card” and sent it along. Their information gets used in some cool new way that was accounted for by the consent they gave, but embarrasses them or gets them into hot water. Has a confidence been breached? Are they just SOL?

Is it possible to come up with a “do what I mean” button for identity info exchange?


Celebrity deathmatch

I found the Internet Identity Workshop in May to be valuable on a lot of levels. I’m anticipating similarly smart stuff coming from the newly announced Identity Open Space event on July 20-21, in lovely Vancouver, B.C.

The location is great, the timing is great, and the cool new bit is that the Open Space is being put on jointly by the IIW folks (hi, Identity Woman!) and the Liberty Alliance, in unconference fashion. This is a wonderful opportunity to continue getting good ideas on the table and do more consensus-building.

I like the “old and new” feel of the pair of organizers; after all, for decades (oops, we’re in Internet time, I meant five years) Liberty’s vision statement has been about a networked world in which individuals and businesses interact more easily while respecting the privacy and security of identity information…

So why the gory title above? Because of the co-location of Identity Open Space with a Liberty quarterly meeting, Liberty is extending to IIW folks an opportunity to attend what is usually a members-only work session. With Paul and Conor unsheathing their virtual rapiers of wit lately, no doubt there are lots of folks who will want to see them go at it live. (I hope Kim will be there to serve as referee!) And since the patented Stuffy Air™ face mask is not approved for use in Canada, I’m sure the experience will be nothing if not stimulating.
