Pushing String

Somehow I’d been missing out on the phenomenon of the Gnomedex tech-enthusiast conference, even though its location in recent years coincides perfectly with my new(ish) Northwest residency. (Hey, I haven’t gone to Bumbershoot yet either — bad, bad Eve!)

This year I’ve got a great chance to fix the situation. I met Chris Pirillo and his lovely wife Ponzi through Eli, and after a couple of fun evenings where I blabbed excitedly about Vendor Relationship Management and he blabbed excitedly about a project that was soon to become his WicketPixie social-media WordPress theme (it would be interesting to “VRM-enable” this theme, yes??), they were kind enough to invite me to speak this year. I’m looking forward to introducing VRM concepts to this audience and getting some discussion going on how to improve the customer-vendor nexus.

If you can be in Seattle August 21-23, I hope you’ll register and join the fun.

In addition to our wedding anniversary and the anniversary of our first date, Eli and I now have another event to celebrate: July 27, 2008 was the day we confirmed our “married” relationship on Facebook. We immediately got two messages of congratulation, one facetious…and one seemingly sincere! For the record, we’ve been married for 18 years and together for 22 — but we love having another special occasion to add to the list.

Today Sun launched OpenSSO Express, a cool new way to get your hands on innovative features destined for its Access Manager commercial product over the long haul but freshly available every three months in a stable, tested, supported build of the OpenSSO open-source project.

Daniel Raskin (dubbed the Smoking Monkey by Coté and taking the moniker quite seriously…) has a great post linking to lots more info and even a podcast on the subject. Check it out!

Internet2 hosted an interesting gathering in early June, called Federation Soup, which I had the privilege of attending. These folks have had to face some of the hardest federation problems out there because of the higher education community’s unique mix of needs, and they take a relentlessly practical approach. Ken Klingenstein said it was okay to blog what I heard at the event, but it took me a little while! Here are some of the tidbits I collected.

Interfederation looks pretty different in Internet2-land and in places like the U.S. government. In the latter, the emphasis is on PKI bridges, while the education sector is looking for more loosely coupled solutions.

It’s not just about higher education; a fair number of people are working on what are called K-20 initiatives that span education at all levels and of all types. This brings in all the hard problems of gathering consent from the custodians of minor children.

The InCommon federation is pretty attractive. Some parties that come from outside traditional education, such as news organizations that want to distribute content in a controlled way and U.S. government agencies that don’t want to use a peered federation model, are joining this federation or at least considering it. At the same time, InCommon is not the only answer; smaller educational system federations will continue to coexist with it. And some federations need independent branding. Finally, some universities simply don’t feel the need for federation at this point.

A lot of the discussion was around how to increase federation adoption. A common theme was to find the killer app or anchor tenant that makes the whole exercise worthwhile all by itself. Some people felt that what sells is not “trust”, but collaboration services. Buyer’s clubs (such as subscriptions to journals) are also an attraction.

At a BOF on privacy, tricky jurisdiction problems were discussed. What if a U.S. student is studying temporarily in Paris? Do you go by their geolocation, or by the IdP’s jurisdiction, or the SP’s? Do you purge logs for privacy according to EU requirements, or retain them for homeland security according to U.S. requirements?

Finally, for the heck of it, some juicy quotes:

• Scott Cantor: “As far as the software is concerned, there’s no such thing as a federation.”
• Ken K. on identity proofing and levels of assurance: “It’s ratholes all the way down.”
• Someone: “Where the duct tape is holding, people are very reluctant to let go.”

Neat project. But is it penguin-centric?

Lately I’ve been discussing three human tendencies we should take into account in designing identity-enabled systems: new-relationship energy, the efficiency imperative, and the self-revelation imperative. I’ve put aside the privacy imperative (essentially the opposite of self-revelation) because it seems more interesting to discuss challenges to privacy by examining the forces working against it.

I just got a handy reminder that whatever privacy imperative we have is, at least in part, learned rather than innate. In going through a storage-roomful of boxes to stock some new bookcases, I came across a calligraphy instruction book that’s more than 20 years old. I’d gotten it second-hand, and its previous owner had claimed ownership of the book and practiced his italic in one swoop by writing his name and his social security number inside the front cover…

In my talk at the Burton Catalyst conference earlier this week on The Care and Feeding of Online Relationships, I presented a brief argument for specific requirements on relationship management solutions.

My appreciation of these requirements has deepened through conversations with Bob Blakley (who kindly invited me to speak in his track — Bob, you should blog more!), people involved in Project VRM and Internet2, customers, Sun colleagues, and others.

I’ve noticed that when I present on “everyday identity”, usability folk come out of the woodwork, excited that someone is talking about Don Norman’s work, human-centered design, HCI, and the like. Luckily I have a real expert like Jen McGinn to keep me honest… I think we’d all benefit from listening to usability experts more closely.

(The title of this post is taken from the lovely Flickr photo that I borrowed for the first slide. Thanks, hojusaram!)

Eric Wilde and Bob Glushko have produced a wonderful compendium of problems people have with XML due to overblown expectations or plain old misunderstandings: XML Fever. It’s funny because it’s true!

(And hey, don’t forget about authorial illnesses like Tag Abuse Syndrome [see Sec 4.1.2.3], for which markup models can be carriers…)

Ooh, cool — Wordle can make word clouds out of anything.

This is the Venn of Identity article, Wordled (Wordlified? Wordlimicated?). Can you find the “SPs” in this picture?… At least the “user” is well represented!

Check it out — OASIS has added a SAML entry to its growing list of XML.org community websites for its Standards (press release), and Sun is a proud sponsor. I’m not exactly sure why there’s a space instead of a dot between the SAML and XML part, but the official name is SAML XML.org.

The Security Services Technical Committee is in the middle of doing a refresh of our original public home page to ensure that there are no missing tidbits of info on the new site. Also check out our working-area wiki if you want to know the status of various docs in progress.

This is also a great juncture to announce a Call for Profiling Intentions. A what?? Let me ’splain.

In the post-SAML2 era the SSTC has fielded many requests to take up profiles, bindings, and extensions based on real-world experience — things like SimpleSign for less digital signing overhead, an alternative method for IdP Discovery, and an Attribute-Sharing Profile that’s X.509-friendly.

I know there are at least a few other profiles-in-waiting out there, so in order to manage our docket better over the next few months and ensure that these new specs are designed cohesively, the SSTC is asking you to give us a heads-up on your plans.

Just drop me a note with a proposed title, short abstract/motivation, and the anticipated date of your initial contribution — and if you’re doing any kind of profile on your own and plan to seek the SSTC’s advice, let me know that too. I’ll coordinate upcoming schedules with our co-chairs Brian Campbell and Hal Lockhart and with you.

Please get in touch by Friday July 25 so we can get our next round of work mapped out.

Share and enjoy!