We’re not at Hogwarts anymore, Hedwig
The article says “scroll down for more”, but I have a feeling there are millions of female Daniel Radcliffe/Harry Potter fans who are disappointed that it just gives them more pictures, not more Dan.
Bruce Sterling snarks a bit (at least, I think that’s snark — “How entirely 2007 of them”?) about BurdaStyle, which wants to be “an open-source hub of ideas, expertise, and amazing patterns” — sewing patterns, that is, not software design patterns.
It certainly does seem that craft patterns are yet another kind of information that wants to be free. By their nature, patterns are an open book; they have to tell you exactly how to make something, or they’re no good. In that sense, their algorithms are “open-source” already, if not necessarily free or available for anyone to enhance. And scanning and high-quality electronic copying are pretty much zero-cost at the margin, which presents a problem for commercial print publishers of patterns, copyright laws notwithstanding. You can even reverse-engineer some designs fairly handily. What will be the business model going forward for designers of sewing, knitting, crocheting, etc. patterns? Perhaps it will look more and more like the newer business models for software.
There’s already vertical integration (selling kits that include everything you need, such as those offered by the not-safe-for-work Subversive Cross Stitch), which tends to be attractive to beginners. There’s custom services (like designs for special-purpose stitched alphabets or incorporating a loved one’s name into a pattern; here’s a lovely example). And now maybe there’s, um, middleware — or should that be “middlewear”? — for end-product developers (BurdaStyle says it’s “the first established pattern publisher to release its designs under a creative commons license, allowing members of the public to market their BurdaStyle creations in limited editions”).
And of course there’s building a community (BurdaStyle has begun a “Sewpedia” which people will be able to contribute to) as a potential audience for advertising. I suppose there’s even DRM, sigh (a designer once supplied a read-only electronic file for a pattern I bought, but I think it was just because I only had the free “reader” version of the stitch design program).
Of course, often you only get what you pay for. Nth-generation photocopied patterns are hard to work with, and even the simplest of free patterns whipped up by nonprofessionals have sometimes led me badly astray. I gladly pay for excellent patterns that meet my use cases, and I do adhere to the designers’ wishes around copying. I wonder if voluntary payment is a model that could work for some. Perhaps community contributions to a pattern’s “reputation” (quality of instructions, accuracy of time and difficulty estimates, beauty of the finished work) could be factors in determining a price or suggested donation.
It appears that pattern delivery channels, at least, are getting more sophisticated. In poking around tonight, I found this Makezine article from last September about its sewing instructions (audio, video, and PDF) being delivered over iTunes. This really makes me wonder why the cryptic notation for knitting and crocheting sticks around; most applications don’t need such strong compression anymore!
And relatedly, I just came upon the Open Source Embroidery project, which invokes Ada Lovelace in:
…bring[ing] together programming for embroidery and computing. It’s based on the common characteristics of needlework crafts and open source computer programming: gendered obsessive attention to detail; shared social process of development; and a transparency of process and product.
If you’re interested in exploring the similarities between tech and craft, by all means do check out this one.
And now, I do believe I’m sufficiently fired up for the Stitch ‘n’ Bitch session I’m hosting on Friday.
(Thanks to Gunnar Peterson for the tip.)
You can find my new ID-WSF Basics presentation from the Liberty 2.0 workshop here (PDF). This workshop had the highest concentration of really solid Liberty Web Services information that I’ve ever seen (though I’ll let others judge my contribution to it), with real-life deployment info, tons of business motivation, a good dose of protocol flow explanations, and even a walkthrough of how to code a “web services consumer of identity data”. We even got an explanation of Project Higgins in the mix. Go here for the whole set of presos from Roger Sullivan, Fulup Ar Foll, Paul Madsen, Conor Cahill, John Kemp, Mary Ruddy, and myself.
[UPDATED to add links to the speakers. I was too tired when posting last night to do this, so my apologies.]
A bunch of us who are involved in OpenID, SAML, XRI, and Liberty identity web services took advantage of our relative proximity this past week and got together just prior to the Portland OpenID Mashpit to discuss the proposition:
Where and how can we move from incompatibility to convergence?
(We thought of this as a “northwest nexus” gathering, and I rather like the definitions of “nexus” that I’m getting out of Answers.com: a means of connection, a link or tie, a connected series or group, or the core or center. If you like, you can take the “swirling” part in the title to refer to the frozen precipitation that caused us so much grief this week!)

Besides myself, on hand were gracious JanRain host Scott Kveton, his colleague Jason McKerr (who ably talked me and my car down from a precarious position on a steep icy street), RL “Bob” Morgan of Shibboleth fame, OpenID maven David Recordon, XRI guru Drummond Reed, his colleague (and my fellow songwriter) Laurie Rae, and SAMLista Jeff Hodges of Neustar. I hope these folks will speak up to correct any details I’ve gotten wrong here. I’ve supplemented with a ton of links that weren’t in my original notes so as to make this post as directly useful as possible.
There are lots of reasons to be striving for better compatibility and more convergence. SAML and Liberty technologies have deliberately stayed the heck away from questions of user experience, which OpenID is exploring in rapid, consensus-driven fashion as an essential part of its innovations around web-friendly identifiers. OpenID has deliberately stayed the heck away from being a trust system, a challenge that Liberty has met head-on with technology, public policy, and business needs in mind. The growth curve of OpenID has been truly staggering, but in the realm of lightly protected data and lightweight applications so far. SAML and Liberty have an adoption pattern that is both deep and wide, but is typically enterprise-heavy and not intended for “promiscuous” open-Internet use (though there are notable exceptions, such as ProtectNetwork and OpenIdP). OpenID has already been through a convergence trend, incorporating XRI and Yadis and being influenced by several other systems. SAML has done the same, with Shibboleth profiles and Liberty’s federation work ultimately coming to rest in SAML2. A lot of complementarity here, yes? There are some jobs they both tackle to varying degrees today — namely identity provider discovery, service metadata, and authentication services — though their knobs and dials for security and ease of deployment are tuned to different settings.

So how did we begin? With some fine pirate cookin’ for dinner.
The next morning, refreshed, we continued the “convergence touchpoints” exploration that began back in October and saw progress in December.
We spent a fair bit of time on what we in Sun call TOIs, or transfers of information. Yes, I know, attack of the TLAs… JeffH presented a document he’s been working on called Comparison: OpenID and SAML and collected a few clarification points from David. We also compared notes on the various approaches being used and explored for attribute representation and exchange and for message transfer in OpenID; the SAML-based Shibboleth approach to attribute exchange that has been deployed in the Internet2 community; and the Liberty Alliance ID-WSF framework for attribute services. (I’ll blog my new presentation on this last subject in the next couple of days.)
JeffH also presented a draft OpenID-SAML profile that leverages the work he and Scott Cantor have already done on Lightweight SSO. As I have previously noted, there’s already a set of specs that combines the use of i-names with SAML-based single sign-on; the XRI Authentication Service Profiles — written by Drummond and Peter Davis last year — got pretty far towards imagining how OpenID and SAML could use the same discovery and metadata methods. And of course Pat Patterson showed the world how easy it is to implement something very OpenID-SAMLish in his “Lightbulb” pure-PHP implementation of a relying party.
So after all this palaver (sorry, I’m reading The Dark Tower and it’s affecting my vocabulary), what did we conclude by the end of the day? My notes from our “next steps” discussion (conducted as the Mashpit participants straggled in) are sprinkled with question marks, but here were the items I captured as being interesting to do next:
Work on the OpenID-SAML profile already begun, both to illuminate the semantic relationship between “OpenID-native” and “OpenID-SAML” ways of doing things and to inform us about potential convergence futures.
Define a canonical mapping between SAML assertions and the OpenID equivalents (likely as part of the comparison document already begun), partly again for the pedagogical value but also to assist anyone who might require a formal STS-like token exchange function to do this (since you can’t just convert a signed token willy-nilly and expect it to remain valid).
Consider ways in which the SAML and/or Liberty communities might want to profile or pick up the UX work being done for OpenID.
Take a look at how native SAML profiles and ID-WSF — for which there are extensive testing procedures, various open-source implementations (OpenSAML, SourceID, OpenSSO, Entrouvert, ZXID, Conor’s), and many vendor products — can provide guidance in the OpenID attribute exchange exploration.
Sketch out how an OpenID-enabled People Service (or other such identity service, but everyone seems pretty hot on this one — and with good reason!) might work.
Relatedly, get moving on ways to mix ID-WSF support and OpenID support in a single open-source home so they can be played with together (David mentioned PIP, into which ZXID or Conor’s code — suitably wrapped — could be incorporated, and OpenSSO seems like a good target from the other side).
I hope others will find these items interesting as well, and if so, maybe even help out on some of them. Let me know what you think! I would also love to discuss these swirling thoughts with folks at the Liberty 2.0 workshop being held on Monday. Hope to see you there.
My pal Dave White alerted me to this lovely match for the well-formed birthday cake I got on my 0x28th birthday. I’m pretty sure birthday messages aren’t supposed to have < ! -- [ endif ] -- > instructions in them.
Well, well, well. I wondered if posting that yearbook entry of Barack Obama would be a traffic-generator, and I guess it was. I don’t have a hit counter and I barely even look at my logs, but when my site crashes because of Daily Kos and Wonkette links, it’s a sign! (Wonkette is hysterical, subsequently picking up on the Hawaiian pidgin usage in the yearbook entry. We go blog! Laters!) Now I’ve just gotten a call from CNN, looking for background on a story I’m told they’ll run at 4pm Eastern time.
On the off-chance that Barry/Mr. Obama remembers me (um, I was in the theater/music crowd that hung out on the Alexander steps, if that helps :-) ), I’ll just apologize for any inconvenience — though I hope he’ll think, as obviously many people do, that he’s held up pretty darn well over the years.
So to all those coming here for the first time and wondering what this crazy hybrid blog is about (usually more mundane things like identity management, XML, cross-stitching, crocheting, rock ‘n’ roll…have I left anything out?) — welcome!
It looks like Barack Obama has taken the plunge and is forming an exploratory committee to seek the U.S. presidential nomination from his party. To me, this is a case of Local Boy Makes Good: though we didn’t really travel in the same circles and I was a year behind him, I actually went to the same high school he did (Punahou), and at the time he went by, yes, “Barry”. I’m pretty sure he’s “Mr. Obama” to me now. :-)
I’ve taken the liberty, since he’s a public figure and all, of reproducing his senior yearbook entry below. (Click to enlarge.)
Lots of late-70’s influence there, including that great haircut, those fantastic lapels, and the shout-out to his “Choom Gang” (chooming = smoking pakalolo, at least back then).
Good luck, Barr…uh, Mr. Obama!
UPDATE: A number of commenters have taken me to task for posting this entry. I’ve added one final comment, and I’d like to address the “charges” here.
Some people have leapt to Barry’s* defense, assuming that I was mounting an attack or trying to embarrass him. My intent was merely to have a little timely fun in the “brush with fame” category. It was far from an attack; what I saw in the entry and what seemed to be the consensus among others (until this week) was a handsome, athletic fellow with plenty of friends at school and love for his family, who — yes — happened to be pretty fond of his teenaged bad habits.
I would never have deliberately broken any news about this, and in fact I established before publishing the post that this was indeed old news, broken and discussed many times by Barry himself in the last decade and largely dismissed by the media.
I do think that someone running for president has to tolerate a ton of public scrutiny, and I’m confident my entry was entirely fair and benign to post under those conditions. (Someone suggested it wasn’t fair to post under copyright law, but it seems to come under fair use guidelines as I understand them.)
However, I’m no longer confident that it wasn’t an uncool thing to do, and for that I’m sorry. Though I meant to cause no embarrassment, it’s apparent some felt it crossed the line. And because I would certainly have asked my close friends before sharing their entries, I’ve belatedly sent a note to Barry’s campaign asking what his preferences are.
One last point: I see that my lighthearted comment about smoking being a rite of passage was taken badly by some other former Punahou students. I’m truly sorry to have upset them. I certainly wasn’t intending to tar everyone with that brush (I feel I have to insert a “not that there’s anything wrong with that” here), so let me apologize to those who took it that way. Punahou was not and is not a hotbed of drug activity; I have the utmost respect for the school and the experience I had there, and I support it to this day.
Let me spell out the point I was trying to make in joshing fashion: it’s undeniable that the era (late 70’s), the location (Hawaii), and the venue (high school) lent themselves to such indulgences on the part of quite a few teenagers. The fact that such references could appear explicitly in a yearbook — a Punahou yearbook, no less — supports this. And I actually think it’s a fair part of a discussion anyone might want to have about politicians and former drug use, if people want to get into that. Personally, I care far less what someone did in high school than the political stances they take in the modern era. And for what it’s worth, I happen to support marijuana legalization.
*I had a tough time deciding how to refer to Barry in this update. Honestly, it’s really hard to think of him as “Barack”, but equally (as I noted above), we didn’t know each other at school. I ultimately decided to stick with the “Punahou usage” that pervades the thread, but please understand that he and I are not on a first-name basis.
Conor already did a much better job than I would have, discussing Dave Kearns’s point in Putting ID all together about “in-the-net” services for storing identity data vs. coordinating local storage of same.
So I find myself with nothing much to add on that point, other than to note that the earliest demonstrations of real-live Liberty Alliance ID-WSF usage, like Radio@AOL, have allowed for personal devices that work as identity services that securely help you customize your online experience. John Kemp has been showing how this works on Nokia phones for the last couple of years (which has always been a big hit at the XML Summer School!).
What I was trying to get at originally was that if a human wants to get assistance in correlating identity information from different sources, she will have to expose information about herself to the “thing” assisting her — whether it’s a local device that has network access, or a service she logs into through some browser or other, or whatever. Otherwise she’s stuck mentally — or “Post-It Notely” — correlating everything herself. The nature of federation is that you have to inform one keeper-of-info that there’s another keeper-of-info in the picture. You can protect yourself from having to give your master list of usernames to all of them by having them exchange fake names (pseudonyms) for you.
I recall Conor and Dick Hardt getting down to cases at IIW2006b on the differences between Dick’s approach vs. Liberty’s, surrounding how many keepers-of-info should be in the picture. Dick was assuming that the user, having chosen an identity provider (in that discussion, an OpenID Provider or OP), would happily entrust everything about themselves to that one OP and wants all relying parties to upload any interesting facts about the user back to the OP; his requirements flowed from this to make the upward provisioning happen. On the other hand, Liberty has a requirement to get attributes from varying master sources depending on where it makes most sense to be the supplier; this has attendant requirements about security, privacy, policy, etc. because there’s a whole transfer infrastructure you need to support this. (I’ll be reviewing some of the details of this at the Liberty 2.0 workshop on January 22.)
If all you’re storing is self-asserted info about you personally, then sure, it’s handy to consolidate all of it in one place over which you have direct control, whether that’s a traditional web app/service, a device you carry on your person, etc. But as soon as you get into information that someone else has the right to own (including mundane things like your employment status, which comes up a lot when you, say, apply for loans), I can’t see their being okay with giving you the “gold copy” to hold. That’s where multi-sourcing really shows its stuff.
(Pat just made a related point about how to manage minimal disclosure of your identity data when relying parties come calling… Don’t miss that.)
If you’ve been keeping a wary eye on the topic of identity-based web services and wonder how they might relate to modern web applications, you’ll definitely want to come to the workshop that the Liberty Alliance is hosting on January 22 in Redwood City, CA. The agenda is chock-full of goodness. It’s not too late to register, and it’s free to attend.
I’ll be presenting an overview of ID-WSF, the Identity Web Services Framework, with all-new material — though if you saw my talk at IIW2006b, you got a hint!
There, I got through this post without saying Web 2.0. (Oops.)
Dave Kearns remarks on the vast gulf between the identity-based behavior of teens and adult business folks. He quotes danah boyd’s ruminations on ephemeral profiles: “Forgot your IM password? Sign up again. Forgot your email address? Create a new one. Forgot your login? Time for a change. …. Some teens chew through IM handles like candy; their nicks are things like “o-so-funny” rather than the first name, last name standard that seems to pervade professional worlds.”
Certain aspects of this behavior gap aren’t limited to teens. Until this decade, I had never had an email account that wasn’t handed to me by an employer, so all my handles were boring. But when my mom finally got email, she was free to have fun with it, and named it whimsically. Also, a young miss of my acquaintance, seven years old, has an account at Webkinz and visits it daily. She also changes her password daily. For fun. Huh??
(My own xmlgrrl handle got started, in case you’re wondering, when I found myself on a cruise ship with a nascent business-center capability in the late 90’s, and they were temporarily giving out net access for free. What a concept! I tried to telnet into my home machine to send email (“Guess where I’m writing this from?”) but failed, and the attendant suggested I create an account at one of the free service providers. I ended up doing that, but all the obvious logins seemed to be taken. Having created a bracelet with charms that spelled out “xmlgrrl” as a joke on one of our shore excursions, I hit on this as a handle that was unlikely to be used already. Bingo.)
But as danah points out, “While losing passwords is common amongst adults as well, starting over happily isn’t.” I certainly don’t consider it fun to set up new accounts over and over, and I bet teens wouldn’t either if they were, say, applying for a pile of entry-level jobs over the web. Lots of people get new personal email accounts — very unhappily — to stem the tide of spam.
Dave ponders: “Perhaps - some time in the not so distant future - they’ll be clamoring for a way that they can unite all of their “identities” - but only if they can guarantee that they alone can see the consolidated material.”
If a person is going to ask for assistance from a service on the web in doing this consolidation, that service will necessarily have to know something about her (otherwise she might as well keep everything in her head like she does now, her brain being the only existing consolidation point), but federation through the exchange of pseudonyms keeps it to a minimum. In this way, consolidation corresponds pretty well with the federation portion of the taxonomy I had drawn up a little while back. I’ve refined it to focus in on the relevant bit:

Whether people have URL-based identifiers or some other kind, they’re just as likely to have more than one as only one. It would certainly be Bad for a worldwide-scalable identity system to make everyone get exactly one. So far, quite a lot of people — not just teens — using the network for non-business reasons are comfortable creating and playing with many identities for themselves. As soon as they’ve invested something significant (perhaps, as danah notes, involving a mobile device, or just inputting data that they really really don’t want to have to input again) in enough of them, consolidation will become attractive indeed.
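The federation-by-pseudonym idea from these posts (keepers-of-info exchanging fake names for you so that none of them needs your master list of usernames) can be sketched as follows. This is an added example, not code from the original posts or from any Liberty or SAML implementation. The `IdentityProvider` class, the provider names, the sample accounts and the choice to derive pseudonyms with a keyed HMAC are all assumptions made for illustration; real deployments may instead store randomly generated identifiers.

```python
import base64
import hashlib
import hmac


class IdentityProvider:
    """Toy identity provider (hypothetical class) that hands each
    keeper-of-info its own pseudonym for the same person."""

    def __init__(self, key):
        self._key = key      # secret; never leaves the identity provider
        self._index = {}     # (provider, pseudonym) -> local username

    def pseudonym(self, user, provider):
        # Length-prefix both fields so ("ab", "c") and ("a", "bc") differ.
        msg = b"".join(len(f).to_bytes(2, "big") + f
                       for f in (provider.encode(), user.encode()))
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        handle = base64.b32encode(tag[:15]).decode().lower()
        self._index[(provider, handle)] = user
        return handle

    def translate(self, from_provider, handle, to_provider):
        """Map a pseudonym known at one provider to the one used at another,
        so the two can exchange data about a person without a shared name."""
        user = self._index.get((from_provider, handle))
        if user is None:
            raise KeyError("no federation for this pseudonym at " + from_provider)
        return self.pseudonym(user, to_provider)


def colluding_join(table_a, table_b):
    """Identifiers two providers could match by comparing their records."""
    return sorted(set(table_a) & set(table_b))


def demo():
    idp = IdentityProvider(key=b"constructed demo key, not a real secret")
    users = ["alice", "bob"]   # constructed sample accounts

    # Weak design: the same username is given to every provider.
    bank_plain = {u: "loan application" for u in users}
    employer_plain = {u: "employment status" for u in users}

    # Federated design: each provider only ever sees its own pseudonym.
    bank = {idp.pseudonym(u, "bank.example"): "loan application" for u in users}
    employer = {idp.pseudonym(u, "employer.example"): "employment status"
                for u in users}

    # The bank asks the identity provider which employer record is Alice's.
    alice_at_bank = idp.pseudonym("alice", "bank.example")
    alice_at_employer = idp.translate("bank.example", alice_at_bank,
                                      "employer.example")
    return {
        "plain_join": colluding_join(bank_plain, employer_plain),
        "federated_join": colluding_join(bank, employer),
        "lookup": employer[alice_at_employer],
    }


if __name__ == "__main__":
    print(demo())
```

With shared usernames the two providers can line up their records on their own; with pairwise pseudonyms the only party able to connect them is the identity provider the user chose, which is the minimum exposure the post describes.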