Category Archives: Identity

The personality of projects

I don’t think I’ve ever met Paul Madsen in person. I have often found his blog posts to be humorous and insightful, and I enjoy it when he makes a good jab at a misunderstanding or weak spot of various identity systems. It appears to me that he really wants to find the most useful answers and is having a good time doing it. My favorite post from Paul (that I can think of right now) is about a taxonomy of Internet identity projects and groups. I don’t always agree with the specifics (e.g. I don’t think the Identity Commons is a Spec Definition Body) but the approach is very cool. We need it. I’m just going to refer people to that post every time they ask “why do you make this so complicated — do we really need [Specification] A and [OpenSource Software] B?”

On the other hand, I have met Ashish Jain. You can’t find a more pleasant, approachable, and engaging guy. It appears to me that the only time Ashish detaches from a collaborative conversation is when the hype to implementation ratio is too high — a valuable trait. Ashish likes to make things work. Like Signon.com. And he also publishes very funny things, like the baby covered with logos before the first Burton/OSIS interop event.

The recent exchanges between Ashish and Paul about current identity system working groups and acronyms are hilarious and also make some valid points about the personality of various projects.

Over a year ago the OSIS working group followed a time-honored tradition of changing a word in its name while maintaining the same acronym. It was originally the “Open Source Identity Selector” but became the “Open Source Identity System”. And it has been made fun of incessantly for that change. If we are ever foolhardy enough to change the name again, I definitely vote for “Open Source Invitation for Singles”.

100% Open Source information cards, and how Ben might win an iPhone

I was rather surprised today to read a post by Ben Laurie where he writes that “there is no practical difference between Cardspace and Passport.” Please read the whole post to understand the context. It’s not long.

He contends that Cardspace is only supported on Microsoft systems, and that, since the identity provider and consumer are therefore the same entity, there is no privacy advantage. I think there are a number of huge and hugely invalid assumptions in that contention. A centralized service hosted by a single vendor is very different from a distributed service — even if the service components are implemented by a single vendor. But it is not true that information card systems are implemented only by Microsoft. In fact, no Microsoft code at all is needed to deploy a complete system.

Ben also makes some rather general statements about lack of support for OpenID and that it “has no consumers of note.” Hmmph. I use OpenID all the time and find it useful. I wonder what I need to do to be a consumer of note.

I’m all for bloggers getting to vent their opinions, and, in that respect, there’s a lot in the post to love. I’m also for pointing out reality, and I think pointing out real users and deployments is important. I expect that Ben is right that there are currently more enterprise deployments of SAML federations than information cards or OpenID. But I disagree that OpenID has no consumers of note, and I disagree that Microsoft controls all identity providers and consumers of information card systems.

For example, please consider this shamelessly self-serving, but complete, illustration:

Novell and the Bandit Project just launched a campaign to promote awareness of information card technologies. The campaign site consists of an identity provider which is running on OpenSUSE 10.2 and includes a Security Token Service from the Higgins project, as well as various authorization and auditing components from the Bandit project. The same domain also hosts sites running Joomla and WordPress that receive information cards using plugins from the Pamela Project. There are links provided so that users can get an identity selector for Linux, Mac, and even Windows. Most of the identity selectors are open source and developed by the Higgins and Bandit projects. We do throw in a link to a Microsoft site for those who are running Windows and need to download Cardspace. We didn’t think that would be offensive.

Ben, please check it out. You might win an iPhone. You can use information cards to access the site, or even deploy your own identity provider or consumer using 100% open source software.

Banking on the One True Internet identity system

In the past few years there have been many times when people have told me that they really want simplification and convergence in digital identity systems. Their requests can take many forms. Sometimes it’s that they want just one way of identifying themselves — one username and password or one smart card that’s good everywhere. Sometimes they want to know which system will ‘win’, i.e. which vendor’s product or which identity system protocol is going to be adopted to the exclusion of other protocols. I’m sure I don’t want what they say they want. I also don’t think they actually want those things.

I do want simplification and convergence in digital identity systems — to a point. Managing all my identity data, and especially a gazillion usernames and passwords, is a pain. Too many passwords make me unsecure and insecure. I’m all for making the whole thing simpler and more manageable. But I don’t want convergence to a single identity information source, or a single authentication method, or a single identity information exchange protocol. My identity data is too valuable for that.

My identity information is valuable, like money. In fact, if someone can assume my identity they have a good chance of getting all my money, so the two are connected. Perhaps I can illustrate why I don’t want too much convergence in identity systems by way of an analogy with financial systems. I’m going to make an analogy that involves several accounts and systems for handling financial transactions, and correspond them to Internet identity systems. Please keep in mind that it’s just an analogy that seems to fit my current perceptions of the intent of some systems. Please don’t try to take the analogy beyond that intent; I do not intend to extol or bash the technical merit of any system, though I will give some of my preferences.

In the financial world, I don’t want to keep all my money in one account. If something happens to one account — it’s compromised in some way such as I lose the credit card or check book — I have other accounts to finance my attempts to repair the situation. Similarly, I don’t want a single way to access those accounts. Right now I commonly use credit/debit cards, but I also still use checks and scheduled withdrawals by linked accounts — three distinct access mechanisms, each with its own mechanisms to control access to my money. They each have their own advantages and disadvantages. They are all useful, but I also appreciate that they are all different.

Checks are very easy to understand. They are like a paper promise that can be easily accepted by many individuals and businesses. The promise is to be paid with money withdrawn from the account identified on the check. There is very low cost for businesses to accept checks. But checks are not very secure for some purposes. Some problems with checks can be reduced by combining them with another system, such as an identification or credit card.

Linked accounts are also quite useful for some purposes. By linked accounts, I mean a system in which I fill out a form that authorizes one business to take money from one of my accounts when a charge has been incurred. For example, I authorize my dentist to charge my insurance account. Linked accounts are a little heavy on the paperwork side. I have to set up everything and make sure both entities know their role. It’s easier when I can present a card, like my insurance card, to set up the initial link. I generally don’t like linked accounts because I prefer knowing when the money is going to leave my account. But there are times I use them and don’t know a better way to handle some situations, like the dentist.

Credit and debit cards are personally what I use the most for financial transactions. I tend to like them because they are both convenient and a point of control for me to authorize money taken from one account and given to a business. Credit cards are more burdensome for businesses than checks, but more secure. Credit cards are less burdensome for businesses than establishing a link to each customer’s bank. I also like that I can easily have multiple cards for multiple purposes. I can even easily keep track of purchases from a single business when I am in different roles by using my work card vs. my personal card. I’m sure I could do that with the other systems as well, but I don’t. It seems more natural with cards.

Furthermore, I don’t expect my financial world to be limited to these systems. If I lose all my cards and checks, I still want to be able to walk into the bank and authenticate in person to gain access to my account. And there may be new systems in the future.

So how does this correspond to identity systems? Just like my finances, I want multiple accounts for my identity information, and I want identity systems to co-exist peacefully and work well together (and that’s what the Bandit project is working towards). I personally think the information card metaphor will be the most common way to access my identity information, but I also find OpenID and federated accounts to be useful. And in some cases I actually want access via username and password to remain supported.

The only thing that I want to be able to correspond my accounts and access mechanisms — the thing that is in the center — is me, not an external identity information store. You might even say that my account correlation preferences are user-centric (for some definitions of user centric).

So why do multiple systems reduce my risk and still end up being more manageable?

It’s a matter of convenience, points of control, and manageability. In my current financial world I have less than 10 accounts; I commonly use less than 10 cards; I rarely write checks; I rarely link accounts, and even more rarely go into the bank to access my account in person, but I generally manage to keep my accounts current. In the online world I have hundreds of accounts and passwords. Incorrect information abounds because I can’t keep track of it all. My online world is more easily compromised in the sense that someone could get into my accounts without my knowledge. It’s harder to keep track of it all due to the sheer volume of accounts. If I can get to an online world that uses a combination of information cards, OpenID, and federated accounts, but in which I have less than 10 accounts to manage, that will be much better than what I have now and I would still be able to divide up the risk.

So that’s my analogy. It’s not a perfect analogy, but I think it fits how this space feels to me. It even has some other interesting illustrative points.

For example, it’s not surprising that a specialist in electronic funds transfers would scoff at paper checks. It’s also likely that a professor of economics would think checks, electronic funds transfers, and credit cards all have their place.

We can also see that there is value in some integration points between systems. There are a number of cases where I get cash with a card from an ATM (a financial token service as opposed to a security token service), or use a card in combination with other systems. But I don’t want them too enmeshed either. In my financial systems, I want integration at key points, but not complete convergence. Same with my identity systems.

What makes the overall financial system work is an underlying conceptual framework built on this rather vague notion called money. There are common concepts and principles that underlie all the systems, even though they are often abstract and not well understood by everyone that uses the system. Sounds like identity systems to me.

So what is the One True Identity System that I want? It’s diversity of access mechanisms and sources of identity information built around a common conceptual foundation of identity, authentication, authorization, delegation, auditing, etc. Sounds complicated, but we do it all the time with money.

[Photo: mystic oracle ATM]

Please note that in this whole post I didn’t use any word that started with ‘meta’ … yet. But if I was going to discuss anything meta-ish I would start with Bob‘s discussion of a meta-identity system and the identity oracle, and I would use this photo. The question is, which box is more like the meta-identity system oracle?

New identity selector packages for Mac now available

My fellow Bandit Andy Hodgkinson is not a prolific blogger. So far he’s averaging one post every 1.25 years or so. But his post today will interest a lot of people.

Earlier this year we showed a version of an open source identity selector running on Linux and the Mac. It was announced with the name DigitalMe, and we donated the code to the Higgins project, where it is affectionately referred to as “the Higgins H2 Native Identity Agent”. But there were some problems. Even though the selector works fine for me on OpenSUSE Linux 10.2 and sports a lovely GTK UI, the Mac UI was a port and it required too many dependencies to install easily. It really needed to have a native Mac OS X UI. So Andy and Jim Norman set about this summer to learn Objective C and write a Cocoa UI, in addition to enhancing the selector interoperability and their regular jobs. And it needed to be conveniently packaged for Mac users, so Andy fixed that too.

[Screenshot: DigitalMe on Mac OS X]

Last Friday, Andy quietly posted the Mac binary packages. Drag and drop install. We have tested it with many relying parties and identity provider sites (many more than those linked). We have also notified a few interested power users and got some initial feedback. It’s looking good so far.

So if you’d like to run an easily installed, 100% open source package for OpenSUSE 10.2 or Mac OS X, you can get it from the Bandit instructions and download page.

It’s shiny and new, and just might work. Please let us know how it works for you!

The physical location of data matters

What follows is actually a portion of an email I wrote earlier this summer, but the principle it is attempting to pin down came up again today in an analysis of government requirements for identity systems. It keeps coming up. I’m posting it in hopes of sparking a link or thought to take it farther.

There are a few slogans I have accumulated over the years that I think are worth repeating. One is “working code wins”. Another is more subtle, but I think it was at the root of many important lessons we learned in distributed directory services development and deployments. It applies to most distributed systems that appear as a seamless whole, and I also think it affects designs for everything from file system ACLs to the ASP business model. The difficulty is that these systems can have very subtle problems that depend on where a policy is actually stored, who can access the policy, how securely the policy is retrieved, and so on.

And the slogan sounds very silly. It is “the physical location of the data matters”.

[Photo: summer end clouds]

It’s really an identity issue. Any distributed system has to account for the identities of the constituent parts that run the system. Even the book I’m reading (“Code 2.0” by Lessig) is discussing how we often think of cyberspace as a separate space from the real world. It is not. His point is that there are legal interactions between them. My experience is that there are physical, and especially administrative, interactions. The two are often intertwined and we need to be aware of how they are intertwined. It is not like the Matrix, or the Metaverse; it matters to me in real, tangible ways who runs the servers and where my data is stored, and who is liable when there is a failure.

The photo is not much related to the slogan, though it is of a physical location where I’d like my personal data to spend more time.

Fashions in information card beachware

[Photo: beachware sunset]

It’s the end of summer. It tends to make me feel a little nostalgic even though I always enjoy the change in the feel of the light and air as autumn hints. Or maybe it’s just the pollen from that damn Russian Thistle that makes me feel different.

It’s also back-to-school time at my house. Mechanical pencils, 3-ring binders, and new clothes. My youngest two children each moved up a school. They always seem to get a cold in the first weeks of school and this year is no exception.

[Photo: DigitalMe shirt, back]
[Photo: DigitalMe shirt, front]

Meanwhile I’m getting excited about the progress and next steps for the Bandit project. There has been a lot of vacation time for the Bandit team this summer, but a surprising amount of work got done as well. This Fall is time to show it and put it into real use.

[Photo: information card shirt, front]
[Photo: information card shirt, back]

Maybe it’s the thoughts of vacation and next steps for the Bandit project that caused these photos to catch my eye. They are from a trip to Cabo San Lucas in July. They show something of what was on my mind then: sun, beer, beach, identity systems, and Lessig’s Code 2.0 (very highly recommended). Thanks to Mike for the information card shirt. I try to wear it in compliance with the logo usage guidelines, but I think I probably sometimes stand too close to other images and I spilled some salsa on it. I’ll keep working on it. The DigitalMe shirt is an old one from 1999 that I kept because I liked the logo. It’s amazing how some things come back into fashion.

[Photo: summer reading]

Now back to real work. Stay tuned. Some Really Good Stuff is coming due to collaboration of many projects in building the Internet identity fabric.

Catalyst sparks interoperable Internet identity systems

[Photo: hotel host for Catalyst]

The Catalyst Conference last week was a great event. The Burton Group has a way of combining solid technical information with social interaction and humor to make a very potent experience. The speakers’ analysis of industry needs and trends was insightful and useful, as usual. Significant collaboration happened in the hallways and after hours in local restaurants and bars.

A particularly proud moment this year for me was convincing my son to drive up from San Jose and crash the opening reception with me. I’m sure it was not very pleasant for him at first, but he survived, nodded at appropriate moments, was relatively polite, and didn’t argue too vigorously with my stories about him. Thanks JT.
[Photo: Derek from Nulli Secundus]

It was great to get reacquainted with Craig Burton, as well as get a chance to converse with Jamie and the whole Burton Group crew. Of course, the place was packed with the card carrying members of the Identity Gang. I was so surprised to come around a corner and run into Pete Rowley that I exclaimed “good to see you, Phil!”. Social competence has never been my strong point. Sorry Phil, er, Pete.

[Photo: SF streets]

On Wednesday I participated in a panel discussion entitled: “Protocol Preferences Aside: How’s All This Stuff Going to Work Together?” I had been very hesitant about it since the other panel members represented large Internet access and federation service providers, whereas I represented small Open Source identity management projects. The moderator, Bob Blakley, and the audience asked great questions and I thought the discussion was actually enjoyable (which is not what I usually feel on stage). My fellow panel members were very engaging and we found that we are all trying to make Internet identity systems work together, and willing to listen and learn. I hope the audience found it as helpful as I did.

But, by far, the most significant event for me was the “User-Centric Identity Management Interoperability Demonstration”. The event was sponsored by the Burton Group and many projects associated with the OSIS working group of the Identity Commons participated. The Bandit team had been working for months to support the interoperability event. We had Bandit entries in the Identity Provider and Relying Party functional areas, and we supported the DigitalMe identity selector that we had contributed to the Higgins project.

The event showed:

  • 11 Identity Providers from 10 different vendors/projects
  • 6 Identity Selectors from 4 different vendors/projects
  • 24 Relying Party components from 16 different vendors/projects

Unfortunately, the Bandit Project’s participation was omitted from the press release and the Burton Group’s web site, and much that has been written about the event does not list the Bandit project as a participant. I’m sure it was an oversight but that one aspect was very uncool.

Overall, the event showed very significant progress in implementations of these types of identity systems. The most productive aspect was the collaboration with other projects in preparation for the event itself.
[Photo: candle at Catalyst]

And it was fun to see it work. While there were many bugs and hiccups along the way, diverse projects pulled together and did the real work of making it work. The vast majority of projects represented were able to successfully interoperate with other components of the distributed identity system. A subtle shift happened in our thinking as well. We began to think about the system in more social, relational, and powerful ways. I’ll write more on that later.

Now we’re looking to a more rigorous testing phase and what we can learn from real deployments.

And, of course, we’re looking forward to the next Catalyst.

Expressions of a Milestone at IIW 2007a

There is just no easy way to explain an Internet Identity Workshop. It is an unconference, which is important, but that’s not really sufficient to explain it. It attracts a group of people who care deeply about Internet identity technology, its design and adoption, and its social, political, and economic impact. Many of them are people who have debated, supported, and known each other for a long time, so there is a sense of camaraderie. But it’s definitely not a closed group. It’s outrageously open and inclusive of newbies. Some of the most important decisions and leaps of progress in Internet identity systems have happened at IIW, or as a result of relationships established there. In addition to all of that, there is the untalent show, which is unfortunately self explanatory.

The great usefulness and significance of IIW is hard to explain. You just need to go to the next one.

On the opening day of this IIW I gave an overview presentation of the Open Source Identity System (OSIS) working group of the Identity Commons. After that there was a “speed geeking” event in which fellow Bandit Andy Hodgkinson showed the Higgins Native Identity Agent — an open source application that is roughly functionally equivalent to Microsoft’s Cardspace. Andy is the primary author of the code and finally got a chance to escape from his office for a while and show it off in person.

On Tuesday the OSIS group held a long working session in which we brought together many projects to collaboratively test a set of capabilities and scenarios. By all accounts it was a resounding success. Code from many projects worked together in multiple combinations and end-to-end scenarios. We had far more projects involved than I expected, we checked numerous scenarios, and many bugs and inconsistencies were identified — some fixed on the spot.

[Photo: Bob and Pam at the OSIS interop session of IIW]

Bob Blakley moderated the session and managed to get everyone moving productively even though things didn’t start off quite as planned. The wireless network had become rather unstable. Most developers had difficulty getting an address via DHCP, and even when they did, the routing configuration was off and we could not connect to external servers. At one point Pamela Dingle became a human DHCP server and manually assigned IP addresses to each participant with correct routing information.

The fun was watching the different participants work through the process. Here are some photos of Andy Hodgkinson, Chuck Mortimore, Tony Nadalin, Ian Brown, and Kim Cameron as they collaborated on information card selector implementations:

[Photo: Andy at the OSIS interop session]
[Photo: Chuck Mortimore at the OSIS interop session of IIW]
[Photo: Tony, just happy to be there]
[Photo: Andy, Ian, and Kim work on card selectors]

There was a team from Oracle that was attempting to get their relying party code to work with the various Identity Provider and Identity Agent projects. Things didn’t work at first, but … the expressions on their faces say it all.

[Photo: Oracle RP team 0]
[Photo: RP team 1]
[Photo: RP team 2]
[Photo: RP team 3]

Then the Oracle team asked me to take their photo with Kim. Now that’s a friendly interoperability event.

[Photo: RP team with Kim]

The OSIS session at IIW was intended to be an informal interaction that would help projects prepare for the more formal, and more visible, Catalyst Interop Event. Not only did it succeed in that goal, but I think most participants accelerated their understanding, improved their code, and raised their expectations for what we can show at Catalyst.

Of course there was much more done at IIW than this OSIS working group session. Phil Windley blogged a series of daily overviews.

There were a number of significant trends that seemed to me to take root at this IIW. Clearly there was a stronger interest in political and legal issues surrounding Internet identity systems. I think this is because the implementations and deployments are happening, and as people actually use this stuff they encounter subtle changes in their thinking. We start to actually think in more social terms in our internet use. It is fairly easy to recognize that there must be numerous points of contact between the identity systems and the legal system. I am sure there will be much more emphasis and discussion on these issues in the future. I know my own thoughts in these areas are still fermenting.

[Photo: IIW event at the Monte Carlo]

Another trend of this IIW was the increased emphasis on marketing. One session resulted in a new Identity Marketing working group of the Identity Commons.

The Bandit team was fortunate to be right in sync with this trend. We managed to get our Novell marketing representative (and Bandit-at-heart) Carolyn Ford to attend. Carolyn managed to soak up a huge amount of information and IIW culture in a short time.

After IIW I attended a meeting of the ITU-T Focus Group on Identity Management that took advantage of the IIW attendance to co-locate its meeting to Mountain View. While the meeting was vastly different than IIW and hosted by a vastly different organizational culture, it confirmed that the same issues around identity systems for networked devices are coming up in many areas.

The Bandit Project takes the subway to Munich

I attended Kuppinger Cole and Partner’s 1st European Identity Conference in Munich, May 7 – 10.

[Photo: Euro ID Conference banner]

The trip to the conference was an adventure in itself. It started with ticket confusion and delays for international bag check-in, then long security lines out into the airport parking lot, running to another terminal with shorter lines, sprinting down the concourse only to be told that the paperwork had already been done and I could not board (even though the plane was right there and the door was not shut when I arrived). Sigh. Missed flight. Reschedule. Another missed flight in Atlanta due to lack of an available (airplane) parking place. Reroute through Paris. I’d never been to Paris before. Now I can say that I’ve run through a very nice airport in Paris. About 24 hours after I left home, I got to Munich.

At least I learned a new phrase to use when I don’t want to cooperate with someone: “I’m sorry sir, the paperwork has already been completed and there’s nothing I can do.”

I had been trying to arrive in time to hear Dr. Jeff Jaffe’s keynote. I knew part of his presentation would refer to the Bandit project and I wanted to hear both the presentation and the audience reaction. Oddly enough, even though I arrived many hours later than scheduled, the conference was running a little late and I got to hear most of the presentation.

Jeff covered some great concepts about the history of Identity Management products and the role of Open Source. His presentation went very well, and there are photos of it here and here. Since then he has written about the same concepts.
[Photo: post-panel discussion]

The next day I participated in a panel discussion on Trends in Open Source Identity Management. It was a very lively discussion. Tim Cole did a fine job of moderating before it got too lively. What is not obvious in the photos is that we are in front of a large classroom and it’s full of people — standing room only. In the audience were Dick Hardt, Conor Cahill, Bavo De Ridder, and other experts in this area. So the session was also very interactive. At one point, David put a question to the audience, and the panel listened as members of the audience debated. In the end it was very productive. I think numerous valid points were raised, but mostly we found that, while vigorously discussed, there was not as much disagreement as expected. As I remember the main points:

  • Open source development has advantages, but we don’t expect identity infrastructure to be exclusively open or exclusively closed source.
  • Open standards are essential, and open source development can be very complementary with standards development.
  • Numerous protocol families are gaining prominence and have valid uses, but there will not be a single dominant protocol in the near future.
  • Open source identity services must plan for clear evolutionary paths from existing systems.
  • We have moved out of the realm of debates about theory and possibilities and into debates about user experiences, system capabilities, and operational experiences. Deployments are happening.

Afterward the discussion continued over some fine German beverages.

The conference itself was very informative, and very well run. However, my usual programmer attire is a little underdressed for European gatherings. I’ll work on it.
[Photo: Munich streets]

Munich was beautiful. My hotel was fairly far away from the conference location, so I got to know the subway system. The subways were amazingly bright and colorful.

[Photo: Munich subway, orange]
[Photo: Munich subway, yellow]
[Photo: Munich subway, green]

NetPro’s DEC, Hot Chicken, Information Cards, and Bandit

A few months ago the Bandit team showed an open source identity selector at Novell’s Brainshare conference.

I wrote about the demo then, and so did many others, but Gil Kirkpatrick’s blog post about it really caught my attention. It was significant in many ways. He had not actually seen the demo, just read and heard about it from others, yet his comments were particularly insightful. He really got the important points of what was shown. As his comments about me also show, some of us have been working in the Directory Services and Identity Management space for a LONG time. And times are changing again in the identity services world. There are some new possibilities now. My perspective is that this has a lot to do with a clear movement away from an enterprise and vendor specific focus, towards more of an emphasis on integrating business with the general Internet, and therefore interoperable identity services. Gil’s comment seemed to me to reflect this perspective — he was excited about the possibilities for general use of an open source selector. He even mentioned perhaps giving news from my employer a fresh hearing (I appreciate that)!

So I contacted Gil, and we decided to renew our acquaintance at NetPro’s Directory Experts Conference.

I wanted to attend DEC for many reasons. For years I had heard that it was a great conference. My background is in directory services and I knew this was a serious conference for the same types of troubled souls as me. I also knew that Kim Cameron, Stuart Kwan, and Pamela Dingle would all be there and giving talks about information cards to the Active Directory Faithful — THAT sounded entertaining. And it was in Las Vegas, which is about 6 hours away by car, so it sounded like a great excuse for a road trip.

[Photo: hot chicken relaxing]

All very good reasons, but the reason I was particularly interested in attending DEC was a chance to help with an identity system used at the conference and get almost-real-world deployment experience for Bandit and Higgins components. The conference identity system in question involved information cards, embarrassing photographs, and a large poultry impersonator. After all, it was in Las Vegas.

The DEC hot chicken contest, as well as its usage of Bandit and Higgins components, was put together by the Pamela Project. The system involved getting conference members to either avoid embarrassment or win a Zune by accessing a web site with an information card. I think there was some reference to a carrot and stick, but when there’s a huge chicken walking around I’m not sure whether the reference was literal or figurative. The best writeup of the overall system and its results is from Pamela herself, here.

The Pamela Project Cards site allows anyone to create an account and generate a managed information card so that they can gain access to the Hot Chicken site. I got to help set it up and even wrote some actual code. It was great fun, and very useful; I gathered a lot of very good input about how to improve our identity provider package in the future.

I would like to emphasize that the Pamela Project’s “Cards” Identity Provider was built from completely open source software. It included components from many projects, but the most notable to me are the Higgins STS, Bandit management, authorization and audit code, all on an Ubuntu LAMP system.

The conference itself was well run, with great sessions, great food and a positive environment for conversation and collaboration. A great time was had by all, I’m sure, and certainly pointedly educational for me. Many thanks to Gil and Pam.

Oddly enough, the very next week my friend and co-leader of the Bandit team, Pat Felsted, also took a road trip to attend yet another conference in Las Vegas. His description of the experience is here.