In Context

I’m very glad I’ve come to Doc’s Vendor Relationship Management (VRM) workshop at the Berkman center this week Among other things, I’ve met some wonderful new fellow travelers in this promising new space. I was particularly interested in the discussions centered on defining the value proposition for the “v” in VRM–the merchants, manufacturers, and so on that would like a better relationship with there customers, members, patients and citizens. I also enjoyed the chance to up with the other startups in this area.

On a tech level, I remain convinced that VRM is an application layer over identity infrastructure. More specifically, it seems that the VRM “rel button” concept blends well with r-cards.

At long last the Information Card Foundation launched on June 24th after spending about a year and a half in the works. Here’s the press release and some coverage of it. Also, Bob Blakley gave Charles and I a few minutes to talk about ICF on one of his panels at the Catalyst conference a couple of weeks ago.

A few words about how we got here. Pretty much the first year was all about discovering new, clever ways to not start the foundation. Probably the biggest mistake was to start by trying to get corporate sponsors. The problem is that when you do it this way, you’re always a supplicant.

About six months ago we decided that since our colleages are the the developers, architects and inventors in the information card space, and since we’ve been working together in one forum or another for years, why not take a page from the OpenID Foundation, and just start the foundation as ourselves–without sponsors! So we did. We incorporated in Febrary, and invited ourselves to the board! We called up Andy, Axel, Ben, Drummond, Kim, Mary, Pamela and Patrick and invited them to the party with Charles Andres as the executive director. Every one of these warm, fun, thoughtful people thought this was a great idea. We figured that now we’d have a forum to work out technical wrinkles and to promote adoption of this tech that we’re all so enthusiastic about. After this, it was much easier to recruit Google, Equifax, Microsoft, Novell, Oracle and PayPal to the board, to attract sponsors like BackgroundChecks.com, Gemalto, IDology, IP Commerce, Parity, Ping Identity, Privo and Wave as well as to create ties with the Liberty Alliance and the Fraunhofer Institute FOKUS.

In closing, I want to thank Charles for his willingness to take a huge leap of faith that the ICF would ultimately get funded. We’re all indebted to him for that.

They said:

The second special prize goes to open source projects Higgins and Bandit, which we consider the most important open source initiatives in the field of Identity Management.

I’ll be demonstrating:

• Higgins Firefox-embedded Selector (with hosted i-card service)
• An experimental Higgins Adobe AIR selector (with hosted i-card service)
• An experimental Higgins Selector Selector (IE or Firefox or a local mapping demo app can all call the HSS which in turn can launch either Microsoft CardSpace or the Higgins AIR selector)

…along with 33 companies and 23 other projects that working together to build an interoperable user-centric identity layer for the Internet.

Date: Tuesday and Wednesday, April 8 and 9 at RSA 2008, Moscone Center, San Francisco, California
Location: Mezzanine Level Room 220

Interactive Working Sessions: Tuesday and Wednesday, 11am - 4pm
Demonstrations: Tuesday and Wednesday, 4pm - 6pm
Reception: Wednesday, 4pm - 6pm

I just got back from EclipseCon 2008. The other Higgins co-lead, Mary Ruddy, and I gave a tutorial on Higgins. And Mary gave a talk about the business side of open source. We met with Ian, Bjorn and Mike and discussed the recent release of Higgins 1.0 and how to drive adoption of Higgins and user-centric technologies like OpenID and I-Cards. Unfortunately, in flying back early I missed the keynote given this morning by Sam Ramji. Sam directs the Open Source Software Lab at Microsoft. A little birdie told me that one of the things he was going to highlight was the collaborative efforts that have between underway for years between Microsoft and Higgins and other open source projects in the user-centric ecology. I’m sure Mary will fill me in.

The Organisation for Economic Cooperation and Development (OECD) this week released At a Crossroads: Personhood and Digital Identity in the Information Society, by Berkman Fellow Mary Rundle and co-authors Bob Blakley, Jeff Broberg, Anthony Nadalin, Dale Olds, Mary Ruddy, Marcelo Thompson Mello Guimarães, and me.

The paper describes user-centric “properties of identity” that can guide and inform the development of the emerging identity layer architecture. In the spirit of “code is law”, I believe that as technology architects we have an opportunity to embody principles that promote an open, high-trust society while respecting the the “privacy” human right. This paper helps illustrate those principles.

The idea of writing this paper was suggested by Tony at a Higgins meeting. Thereafter a few Higgins folks with the addition of Bob began the project. We approached my colleague Mary Rundle and asked if she’d take the lead organizing role. Mary in turn added Marcelo to the team. Kudos to Mary Rundle, who gracefully played the key organizing role, and without whom this paper never would have been completed. Thanks again Mary.

Stefan and his team are rock stars in privacy-enhancing crypto. Today their technology and patents were acquired by Microsoft as you can read here, here, here, here and here. I want to congratulate Stefan personally. Here’s a fellow entrepreneur, and someone I’m honored to call a friend who’s done it all. Developed a deep technology, created a startup to implement it, and (now) found a distribution channel to bring it to everyone. And if that wasn’t all, the kind of technology that Stefan has developed is key to bringing about an identity layer that doesn’t trade away personal privacy. That is, it supports selective disclosure while reducing traceability. Way to go Stefan!

Here’s the press release from Eclipse. We’ve been getting lots of congratulations from friends. Which feels great. Thanks to all of you.

The next trick will be building awareness and adoption. When you consider that 0% of all websites (or enterprise apps) accept i-cards or OpenID, and 0% of sites issue cards, it’s small wonder that 0% of users today even know what an identity selector is. We’ve got our work cut out for us!

Being eternally optimistic, I think it is only a matter of time before we people start using identity selectors to:

• log in to websites (instead of remembering passwords)
• manage their relationships with friends (instead of being captive to any one social network or tool)
• manage their relationships with vendors (instead of being “managed” by the vendors — CRM)
• manage their relationships with government agencies and healthcare providers
• fill in forms automatically (instead of being asked for the 18,446th time “First name:______”)
• share preferences, interests and passion for causes and brands
• discover like-minded people…

Oh, and do all of this across the web, across silos, and out from under Facebook’s terms of service!

I think people will come to understand that they have rights in their own identity information. They’ll even eventually see that most advertising “flow” can be reversed because their own preferences, needs, affiliations, history and interests are worth gold to brands, merchants and service providers.

…back to work. 1.0.1 beckons!

[Related blog links: Ian Skerrett, Nishant Kaushik, Mike Jones, Pam Dingle]

Congratulations to my friends at the OpenID Foundation on the news that Google, IBM, Microsoft, VeriSign, and Yahoo! have joined the board. I’ve been in lots of meetings in the past week and the buzz is everywhere.

This happy event has jogged me into writing a few thoughts about OpenID technology and how it fits nicely with information cards (aka i-cards). So here goes.

OpenIDs offer something to people that i-cards don’t. Even run of the mill, freebie, URL-based OpenIDs give you a public identifier that you feel like you own. And the i-name flavor of OpenIDs give you a public identifier that you really do own cuz you’re not locked in to a particular OpenID provider.

OpenID is the winning, lightweight, technology for public, low-value transactions.

• Why winning? The OpenID community blended together the three competing lightweight technologies (LID, OpenID, and i-names) into a unified specification, community, code, and foundation.
• Why public? Because the appealing notion of having OpenID URI that’s mine (e.g. “=paul.trevithick”) also has the side-effect of projecting the same identifier to every relying site allowing me to be easily tracked. To be fair, there is a “directed identity” feature of OpenID that I can use to prevent this–I can just type in the URI of my OpenID OP instead. But I still think the perception is that an OpenID is mostly public.
• Why low-value? Because its simple and lightweight architecture does not incorporate a client component, end-to-end crypto, anti-phishing protection, etc. necessary to support higher value transactions and other privacy-enhancing features. But its great for logging in to blogs, etc.

OpenID + i-cards…

But the best news of all is that the strengths and weaknesses of OpenID just mentioned are a perfect complement to at least the “web-based” flavor of identity selector technology we’re developing in Higgins. With a web-based selector, a user must somehow authenticate to their i-card service provider in the cloud. Otherwise, everyone would have access to everyone else’s i-cards. This authentication step could be supplied by an OpenID OP service. The selector could provide the UI for the authentication interaction and harden it from phishing attacks at the same time.

Here’s how it would work. If I start a new browser session and try to log into a site that accepts i-cards, my identity selector’s “card picker” UI would normally pop up. But since this is a new session, I first need to authenticate to my i-card service–the service that holds my cards. So the identity selector would put up a login window and I’d type in “=paul.trevithick” and my OpenID password. No browser phishable browser redirects happen all because my selector would communicate directly with my OpenID OP server and authenticate me. The OP would return a pseudonymous token that is used to gain access to my i-card service.

Essentially my OpenID password is my master password to unlock my cards. And my cards kind of live “underneath” my OpenID. I use cards when I don’t necessarily want to be identified, and/or when I have a higher value transaction, and/or when I need claims made by third parties about me, etc., etc. all the use cases that cards work best for.

The astute reader will no doubt realize that there other cool synergies are made possible with this OpenID/i-card marriage. And they probably realize that the scenario above points out the need for a new protocol in the OpenID family to provision new services (e.g. an i-card service) in the person’s OpenID XRDS document. In other words, there’s a lot more to this story than I’ve written here.

One last thing. Now that Microsoft is being much more careful about only using the term “information card” generically, I’m feeling free to use the term myself with “i-card” as a handy contraction.

Next week is the Higgins F2F Meeting in Provo, Utah. All are invited! (easy for me to say, as Dale Olds is our host!). As you can see the topics range from unification with OpenID, to Selector UI harmonization, to Selector Selector design work, to SAML/STS IdP harmonization, IDF requirements for IdAS, XDI restful web service binding for IdAS, XDI, Introduction to R-Cards, etc. At best we’ll only scratch the surface of these topics. But it’s going to be really fun and exciting. [Besides, a bunch of us are really just going for the skiing days on Monday and Friday].

Higgins 1.0 in the middle of final IP review followed by “graduation” from Incubation/Release review by the Eclipse Foundation. Assuming all goes well and we can quickly accommodate any issues, Higgins 1.0 should be formally released (with press releases, etc.) in February (2008). March for sure.

So what that means is that for the first time in many moons we’re actually talking about new/interesting things. The road ahead. New capabilities. New challenges. How to drive Higgins adoption. Setting up a non-profit foundation. Stepping up our outreach and participation with other groups (e.g. http://dataportability.org, among others).