Monthly Archives: November 2006

IIW 2006B: Be There

Next week is the Internet Identity Workshop 2006B. I first went to an IIW in October 2005 as a result of some diplomatic coercion from Dr Nadalin. It’s been an amazing series of workshops. A small, almost-militantly-informal gathering of people that talk about abstract notions of “identity”, and how to make them real. I have heard them ridiculed as “grass roots” gatherings and indicative of the “bottom up” movements in Internet identity systems. That’s the best kind. I do believe these workshops have changed the direction of identity systems and how we will interact over the Internet.

Lots of very cool people will be there collaborating on lots of very cool projects and initiatives.

I will be attending and hope to help demo how an identity provided by an LDAP directory via Higgins (IdP and STS) can work through a Microsoft infocard client to access an open source MediaWiki — with authorization provided by a Bandit component. Multiple open source projects working together — surrounding Microsoft. Good stuff.

I hope it works.

User-centric Tedium and Modulated Identity Signals

A few months ago I was filling out some forms for my children’s school. It’s a long and tedious process and I had a lot of time to think. I hate filling out forms. I really hate it. My great preference would be to have someone else do it. One of the advantages of having a wife was that she would usually fill out school forms. For many years now it’s been just me and my kids. And I really hate it filling out those damn forms.

My kids have some severe food allergies, asthma, and assorted other industrial diseases (as Mark Knopfler would say). Their school requires one form for each medication with name, address, dosage, and contact information for allergist, pediatrician, parent, and backup responsible adult. There are consent forms each for the doctor and the parent, per medication. Then there is a separate consent form for each child to give to the bus company for field trips — with name, address, medications, emergency and doctor contact information. With all the permutations, I filled out more than 20 pages, mostly redundant.

So what does all this whining have to do with online identity information?

It’s a rather long, round about answer, but I’ll get there…

I found that, as I filled out the forms, I wanted to introduce variations. For example, refer to a child by their nickname here, full name there. Say “Dr J. Jones” on this form and “Allergist Jack Jones” on that form. It broke up the boredom and allowed me a pathetically small vent for my displeasure. Of course, planning to go buy a cool all-in-one printer and copy machine would have been better, but that’s another issue.

I started to think about how I could encode information in the forms and yet still give accurate information. It’s like making up email addresses when registering for something online. I do this and I know many other folks do too. I have some domain names that I own that are configured so that any email address in that domain dumps into a single account, like So when I register for something at XYZ company, I can use an email address that encodes where I registered. I make up an email address like If I suddenly start getting spam addressed to xyz-registration, I know that XYZ company did not handle my registration information properly. I have, in a sense, modulated my identity information so that, while it still works for it’s intended purpose, I can also identify the initial recipient.

Maybe we could automate this technique with online identity information.

Many user centric identity systems deal with personas. I was recently playing with my openid account and saw that it supports personas to group attributes and selectively give out identity information. But I wonder if we could also encode extra information in the attributes associated with each persona when that information is given out, so that, if I see information about me used inappropriately, I might determine the source. Like my spam source detector system, I do not think of it as a rigorous system, just something that might be useful on occasion.

I think implementing such a system would be preferable to filling out forms. I hate forms.