Archive for 'Language'

Talking about security that “assumes DNS holds”

In discussions of economics, a predictive statement is often accompanied by the qualifier ceteris paribus, or, roughly, “other things being equal”, in order to compare apples fairly to apples. In discussions of Internet security, more and more I hear, and have occasion to use, a qualifier like “assuming DNS holds”. For a while, I used a stock formulation that went like “assuming DNSSEC or no cache poisoning”.

An awful lot rides on getting to the domain you think you’re getting to; it’s a basic ingredient in many web protocols. It lets you do things like treat unsigned metadata from a known-good domain as sufficient for lightweight use cases. And being clear about this assumption lets you compare solutions on their other merits.

UMAnitarian Joseph Holsten and I tried to cook up a pseudo-Latin equivalent for the economics phrase: ceteris nomina indubia, hoping to translate it roughly to “assuming non-doubtful names”.

But now I realize the first word isn’t right (ceteris is the “other things” part, like in et cetera), and we need something in the vindicatum or sumo category. Or we could just leave that part out, since “ceteris paribus” doesn’t have the “assume” part either. Any Latin scholars want to opine?

By the way, Pushing String has hit its sixth blogiversary. Thanks for sticking around!

The Economist and “ecto gammat”

Remember in The Fifth Element when Leeloo threatens to shoot Korben Dallas for stealing a kiss, saying “ecto gammat”? Turns out it means “never without my permission”. A good rallying cry for personal data sharing in today’s world!

The Economist has a thoughtful article called The Data Deluge on the benefits, and the privacy risks, of making better use of the torrent of data (it mostly focuses on, but doesn’t ever say, “personal” data) being generated in all kinds of business and marketplace endeavors. My favorite part, ’cause I share this assumption with the author:

The best way to deal with these drawbacks of the data deluge is, paradoxically, to make more data available in the right way, by requiring greater transparency in several areas. First, users should be given greater access to and control over the information held about them, including whom it is shared with.

This article makes a great companion to this meaty blog post by Iain Henderson laying out a serious vision for the notion of a personal datastore as a personal data warehouse. Iain knows whereof he speaks; he’s been in the CRM business a long time, and runs the Kantara InfoSharing work group (along with Joe Andrieu, another thoughtful guy who’s passionate about this stuff). I’m lucky to have both of them on my entirely complementary User-Managed Access group, UMA serving as a technological match for InfoSharing use cases.

I tried to add a comment to the Economist article about an aspect it didn’t cover: the quality of the personal data that’s floating around. Either this commenting effort completely failed, or in the fullness of time three copies of the same comment will appear — sigh. In the spirit of using this blog as my pensieve, here’s the main bit:

Volatile data goes stale. Excessive data collected directly from people is often larded with, to put it bluntly, lies. (To acquire a comment account on this site, I was required to provide my given name, surname, email address, country of residence, gender, and year of birth. If everyone were totally honest when signing up, that’s a powerful set of facts with which to locate and track them pretty precisely. You can tell which fields are excessive by looking at which ones people lie to…) And data collected silently through our behavior is, at best, second-hand and can never know our true intent.

Privacy is not secrecy (says digital identity analyst Bob Blakley). It is context, control, choice, and respect. Ideal levels of personal data sharing may actually be higher in total than now — but more selective. And they won’t be interesting to people without offering convenience at the same time.

Wouldn’t it be great to get out of the defensive crouch of “never without my permission” and turn it into “with my permission, sure, why not, it’ll help me just as much as it will help you”?

(Any bets on whether I told the truth and nothing but the truth when I registered at the Economist site?)

Concordian (noun): Busy bee

Okay, so there’s no English word “Concordic”, but that’s the adjective often used to describe the topics and use cases we discuss in Project Concordia. Some call the participants in these discussions “Concordians”, occupying slightly firmer Internet-search-term ground.

Whatever you call us/them, we’ve been keeping busy lately working on them. Now’s a great time to pay close attention if you’ve got stubborn identity issues.

For starters, the Concordia survey on identity federation — our first survey — went splendidly. The survey results are on the Concordia site, and you can also find some nice graphs directly on SurveyMonkey. One hundred and three people completed the survey, with interesting results. It appears that complex federation topologies are no longer a rare beast. Don’t forget to check out all the “other” comments.

We’re now gearing up to do a second survey, on identity assurance this time. If you’re interested in this subject, feel free to add your desired survey questions here.

Of course, we Concordians participated in a huuuge identity workshop prior to the RSA conference a few weeks ago — with over 700 people coming through the doors at one point or another during the day. The presentations are available, and also don’t forget to check out the OSIS “I5” testing results.

And now we’re in the planning stages for a Concordia workshop to be held at the Burton Catalyst conference in San Diego in late July. Our theme is Use Cases Driving Identity in Enterprise 2.0: The Consumerization of IT, and we’re actively soliciting your problem statements, use cases, solutions, and issues in the form of short position papers. If you’ve got a one-pager — or even a paragraph-sized abstract — that describes an Enterprise 2.0 identity topic you’d like to bring up, please send it along to our intrepid Britta Glade at britta [at] as soon as you can. The agenda will grow and evolve online, right before your eyes. We’ll conduct this workshop in more of a traditional mold — lots of interactive discussion.

Wouldn’t you like to be a Concordian too?

Where in the world, with bonus silliness

A roundup of places been and places to be. Some silliness embedded; bonus silliness at the end.

I’ve spent most of this past week in Liberty Alliance plenary meetings, which as usual have been chock-full of great work being done by great people. I got to spend some quality time with Lucy Lynch and Trent Adams of the Internet Society, which recently joined Liberty as a new board member. ISOC has brought a ton of experience and wise counsel to the table.

A new series of OpenSSO Community Days is springing up all over. I can’t make the one in New York on March 17, but I hope you can. And I will be able to make the one in Munich on May 5. See you there?

That community day in Munich is in association with the Kuppinger-Cole European Identity Conference, at which I’m delighted to be speaking this time around. It’s a highly regarded event, and one I’ve haven’t been able to attend in the past. Come on down for both events and save 20% on registration!

If you’re going to Gartner IAM in London (wish I could), don’t miss the after-hours bowling party Sun is hosting on March 23. Daniel Raskin, Grand Poobah of Identity Festivities, has the scoop.

A bunch of folks involved in Concordia and many, many other like-minded identity communities are putting together a pre-conference workshop at the RSA Conference on April 20. More about this event anon — the agenda is shaping up to be awesome.

Finally, looking way out to August, I’ve already registered for Gnomedex 9.0, the most happenin’ technology conference in the Pacific Northwest or indeed anywhere. Have you?

And now, your moment of zensilliness. In fat-fingering “WS-Trust” last week, I may have accidentally invented a new protocol. What would WS-Tryst accomplish? What (as Ian Glazer wondered) would the interop look like? And would it involve WS-MeatdataExchange?…

Conference goings-on

A roundup of some upcoming meetings and conferences on which I’ve got my eye, and/or on whose program committee I serve, and/or at which I will appear. (This preposition-first business is nonsense up with which I have just put…)

  • 4th ACM Workshop on Digital Identity Management: This workshop will be held October 31 (pack your Halloween costume…) in Fairfax, VA. Early-bird registration ends October 10. You can register for just the workshop if you can’t attend the ACM CCS2008 conference with which it’s colocated. The program this year looks really interesting; the theme is “services and identity”.

  • Identity Forum 2008: I’m a late addition to the program of this conference, speaking on Project Concordia on October 7 in Rotterdam. Should be a great trip. If you’re planning to be there, I hope you’ll say hi.

  • Project VRM Standards Committee: This group is holding its first proper face-to-face meeting and coding camp on October 15-16 in Cambridge, MA. (I can’t attend but will be calling in.) RSVP to Joe Andrieu. (I have in the past described this group’s telecon series as “like crack” — if you’re addicted to rapid-fire idea generation and lots of “ooh, now I grok it” moments.)

  • Net-ID 2009: This conference on identity, trust, privacy, and security is being held February 16-17 in Berlin, and the Call for Papers is now open.

The Wordle of the Venn of Identity

Ooh, cool — Wordle can make word clouds out of anything.

This is the Venn of Identity article, Wordled (Wordlified? Wordlimicated?). Can you find the “SPs” in this picture?… At least the “user” is well represented!

Everyday identity and human-centered design

The Managing Identity in New Zealand conference has been an amazing experience. The organizers did a superb job constructing a uniquely valuable event, reflecting the thoughtfulness that’s present everywhere in the NZ government’s approach to its citizens’ identity.

I hope to have more time very soon to put together lots more thoughts on the many talks and conversations, but for now I just wanted to share the slides for the keynote I presented on Tuesday: The Design of Everyday Identity.

And one additional thought for now: I’m extremely sympathetic to the views of Doc and Adriana regarding the oddity of the phrase “user-centric”. I’ve remarked many times on the problems with assuming that people are always online and in front of a user agent (that is, “users”), and the very word describes people relative to the systems that are supposed to be helping them, which seems backwards — especially since the systems don’t seem to be too inclined to actually help them do what they want to do!

My research for this talk led me back to the classic ideas in Don Norman‘s usability work, where he invoked the phrase “human-centered design” starting back in the 80’s. I would happily switch to “human-centered” from “user-centric”, and I suspect it would help us all be more open to the many ways to achieve this goal, particularly if Don Norman’s cautionary tale is kept in mind.

(As always, you can find my presos and papers and such linked from my Publications page. See that page if you want a more extensive bibliography for the talk, and keep an eye out for the conference proceedings paper I’ll be finishing in the next couple of weeks.)


Lauren gives her take on our fiberrific outing (or would that be “fibriffic” spelled her way?). I guess I needn’t have been so coy about the identities of “my very experienced and talented knitting friends”, and as it happens, she and Yvonne are also my very knowledgeable and talented colleagues. Lauren has a great crafting blog; I hope Yvonne considers blogging her crafting adventures as well.

Lauren notes that the tech quotient of the actual event was low, but we suspected there were plenty of techie-types in attendance. As we went around the room doing introductions in my Charting class, I mentioned that I had designed some XML-related cross-stitch charts; one young woman piped up: “You mean like web services?” Yowza.

One more language note: I learned a great acronym from the Creative Crochet Lace book. It’s common to yield to temptation repeatedly and buy lots of yarn for what is called one’s “stash”. Eventually you run the risk of a terrible condition called SABLE: Stash Acquisition Beyond Life Expectancy. This is an addiction, folks — clearly we should be taking it much more seriously. Time to start a .org!

Fiber jazz

Test scrumbles
Test scrumbles

So I survived the Madrona Fiber Arts Winter Retreat, and had a wonderful time learning and hanging out with friends. Both brain and fingers have gotten a real workout. This event is somewhat like a convention or technical conference of the sort I’m used to, but with an overtly social purpose, and attendees sign up for specific classes, rather than floating from track to track at will.

The language of knitting and crocheting has really gotten under my skin. I took Creative Crochet Lace with Myra Wood, and found that the class — along with the companion book — was filled with delicious words and phrases. For starters, there’s scrumble, a piece of lace created in a freeform fashion (when you stitch these pieces you’re scrumbling). Makes me want to crochet up a fruit-themed work just so I can call it an “apple scrumble”. (Hmm, plenty of Google hits for this one referring to recipes, though it does ask the fateful question “Did you mean apple crumble?”) The book casually invokes the phrase fiber jazz to describe a particular style of freeform lace. Lovely.

The past tense of knit became something of an irritant to me every time I heard it in the “Market” (what I would have called the huckster room had I been at an SF con…). If knitting isn’t a pastime of yours, I bet you’d say it should be knitted. I guess I’m revealing my newbie status in agreeing with you. But it turns out the past tense all the cool knitters use is knit, as in “I knit four sweaters and three hats last year.” I found a source that defends the irregularity of this verb and in the process earned myself a whack across the knuckles: I do use the American English past tense of fit, which is of course fit. Then again, I also say “day-tah” for data but “statt-us” for status, so sue me.

In another class on charting written patterns (and conversely writing out charted patterns) with Karen Alfke, I learned sweater-knitting tricks that I probably won’t be ready to try out for a year or so — haven’t made my bones on sweaters yet. She has an honest-to-goodness methodology (with paper-form tools!) for the multitasking involved in knitting a main pattern with (say) cables running up it, an armhole decrease, and a neckline decrease so that it all lines up properly at the top. One way she put it was that you’re fileting the pattern. Nice. (The term filet also shows up in the context of a totally different crochet technique, lest you get confused.)

With the help of my very experienced and talented knitting friends, I’m planning to tackle a lace shawl soon. Next lessons up: new stitches, circular needles, and teeny weeny yarn…

Fry some more

Thanks to Tim, I just checked out the new blog by Stephen Fry. Who knew?? Fry’s blessays (as he self-consciously calls them) are charming and relevant to readers of tech blogs. This is just wonderful — more Fry! (Or will blogging be the siren call that distracts him from writing novels?…)