Security/identity · 2006-05-02

IIW impressions

I’ve had a devil of a time getting “on the grid” in the last few days — I’m temporarily without a cell phone and I spent yesterday at day 1 of the Internet Identity Workshop unable to get a workable net connection. Arrghh! But now the wireless seems to be working for me…ahhhh.

Yesterday’s session was in the more traditional conference mode — a series of presentations intended primarily for information transfer — whereas now we’re in unconference mode. Kaliya had asked me to speak yesterday on SAML and Liberty, and in my allotted 20 minutes I attempted to do a few things: introduce SAML and Liberty versions of terms for common concepts; review their design centers; and demonstrate (with Hubert’s help) how these protocols can be used in a user-centric interaction model. I’ll post my slides once I solve a few more of my remaining technical difficulties. (I’m not sure if it was entirely clear that, while Hubert was working from a Flash demo for convenience, what was shown was really implemented — albeit not in productized form — using Sun’s Access Manager product…)

The unconference concept is intriguing. I like its self-organizing nature, and it’s blissfully free of the over-engineered conference planning and expensive collateral you usually find at technical conferences. We’re meeting in the Computer History Museum in various corners of a huge open space, which feels right. There’s also a free espresso bar service provided, which seems essential given that Kaliya described the goal as making the whole event about the coffee breaks rather than rigid speaking sessions.

Here are a few of my random notes and impressions from day 1.

Eugene Eric Kim: Noted that everyone lies on self-registration forms on the web. He suggested that a policy infrastructure that allows for you to direct a site not to share your attributes, or only share them on your terms, could give the right incentives for people not to lie. For example, what if a site gave you a cut of the money they make off of selling your demo data? Hmm.

Paul Trevithick: Mentioned in passing that he believes the goal of “owning your identity” is naive. Bold! Mostly he spoke about the lexicon work at I have to say that I’m uncomfortable with a lot of the definitions that have been flying around, mostly because they don’t take into account the enormous work that’s been done on security glossaries. My W3C workshop paper pointed to several sources that I think are more comprehensive and useful. It does seem that “identity provider” and “claim” are winning the day, and that’s probably good, though we need a lot more precision around them both. (One person here at IIW is going to be hosting a session called “What does ‘persona’ mean?” Good luck to him!)

Johannes Ernst: Discussed mostly Yadis, which has a cool logo I hadn’t noticed before. Yadis seems like hot stuff. I wasn’t fully convinced by some of Johannes’s arguments in favor of URL-based identity (SMTP remains a huge killer app), but I’d like to dig into it more. My question to him after his session: Wow, how can Yadis possibly do all those things without using WS-Policy?!? (Do I need to put a smiley on that?)

Dick Hardt: Did a revised version of his famous presentation, which some wag in the audience dubbed “Identity 2.1”. The new news here was that SXIP is moving its DIX standardization effort into a form that is built on top of SAML — he called it a “user-centric profile of SAML”. This is great news, and I’m eager to see how this is shaping up; John Merrells is doing a session today on that.

More later…