Monthly Archives: September 2007

100% Open Source information cards, and how Ben might win an iPhone

I was rather surprised today to read a post by Ben Laurie where he writes that “there is no practical difference between Cardspace and Passport.” Please read the whole post to understand the context. It’s not long.

He contends that Cardspace is only supported on Microsoft systems, and that, since the identity provider and consumer are therefore the same entity, there is no privacy advantage. I think there are a number of huge and hugely invalid assumptions in that contention. A centralized service hosted by a single vendor is very different than a distributed service — even if the service components are implemented by a single vendor. But it is not true that information card systems are implemented only by Microsoft. In fact, no Microsoft code at all is needed to deploy a complete system.

Ben also makes some rather general statements about lack of support for OpenID and that it “has no consumers of note.” Hmmph. I use OpenID all the time and find it useful. I wonder what I need to do to be a consumer of note.

I’m all for bloggers getting to vent their opinions, and, in that respect, there’s a lot in the post to love. I’m also for pointing out reality, and I think pointing out real users and deployments is important. I expect that Ben is right that there are currently more enterprise deployments of SAML federations than information cards or OpenID. But I disagree that OpenID has no consumers of note, and I disagree that Microsoft controls all identity providers and consumers of information card systems.

For example, please consider this shamelessly self-serving, but complete, illustration:

Novell and the Bandit Project just launched a campaign to promote awareness of information card technologies. The campaign site consists of an identity provider which is running on OpenSUSE 10.2 and includes a Security Token Service from the Higgins project, as well as various authorization and auditing components from the Bandit project. The same domain also hosts sites running Joomla and WordPress that receive information cards using plugins from the Pamela Project. There are links provided so that users can get an identity selector for Linux, Mac, and even Windows. Most of the identity selectors are open source and developed by the Higgins and Bandit projects. We do throw in a link to a Microsoft site for those who are running Windows and need to download Cardspace. We didn’t think that would be offensive.

Ben, please check it out. You might win an iPhone. You can use information cards to access the site, or even deploy your own identity provider or consumer using 100% open source software.

Banking on the One True Internet identity system

In the past few years there have been many times when people have told me that they really want simplification and convergence in digital identity systems. Their requests can take many forms. Sometimes it’s that they want just one way of identifying themselves — one username and password or one smart card that’s good everywhere. Sometimes they want to know which system will ‘win’, i.e. which vendor’s product or which identity system protocol is going to be adopted to the exclusion of other protocols. I’m sure I don’t want what they say they want. I also don’t think they actually want those things.

I do want simplification and convergence in digital identity systems — to a point. Managing all my identity data, and especially a gazillion usernames and passwords, is a pain. Too many passwords make me unsecure and insecure. I’m all for making the whole thing simpler and more manageable. But I don’t want convergence to a single identity information source, or a single authentication method, or a single identity information exchange protocol. My identity data is too valuable for that.

My identity information is valuable, like money. In fact, if someone can assume my identity they have a good chance of getting all my money, so the two are connected. Perhaps I can illustrate why I don’t want too much convergence in identity systems by way of an analogy with financial systems. I’m going to make an analogy that involves several accounts and systems for handling financial transactions, and correspond them to Internet identity systems. Please keep in mind that it’s just an analogy that seems to fit my current perceptions of the intent of some systems. Please don’t try to take the analogy beyond that intent; I do not intend to extol or bash the technical merit of any system, though I will give some of my preferences.

In the financial world, I don’t want to keep all my money in one account. If something happens to one account — it’s compromised in some way such as I lose the credit card or check book — I have other accounts to finance my attempts to repair the situation. Similarly, I don’t want a single way to access those accounts. Right now I commonly use credit/debit cards, but I also still use checks and scheduled withdrawals by linked accounts — three distinct access mechanisms, each with their own mechanisms to control access my money. They each have their own advantages and disadvantages. They are all useful, but I also appreciate that they are all different.

Checks are very easy to understand. They are like a paper promise that can be easily accepted by many individuals and businesses. The promise is to be paid with money withdrawn from the account identified on the check. There is very low cost for businesses to accept checks. But checks are not very secure for some purposes. Some problems with checks can be reduced by combining a them with another system, such as an identification or credit card.

Linked accounts are also quite useful for some purposes. By linked accounts, I mean a system in which I fill out a form that authorizes one business to take money from one of my accounts when a charge has been incurred. For example, I authorize my dentist to charge my insurance account. Linked accounts are a little heavy on the paperwork side. I have to set up everything and make sure both entities know their role. It’s easier when I can present a card, like my insurance card, to set up the initial link. I generally don’t like linked accounts because I prefer knowing when the money is going to leave my account. But there are times I use them and don’t know a better way to handle some situations, like the dentist.

Credit and debit cards are personally what I use the most for financial transactions. I tend to like them because they are both convenient and a point of control for me to authorize money taken from one account and given to a business. Credit cards are more burdensome for businesses than checks, but more secure. Credit cards are less burdensome for businesses than establishing a link to each customers bank. I also like that I can easily have multiple cards for multiple purposes. I can even easily keep track of purchases from a single business when I am in different roles by using my work card vs. my personal card. I’m sure I could do that with the other systems as well, but I don’t. It seems more natural with cards.

Furthermore, I don’t expect my financial world to be limited to these systems. If I lose all my cards and checks, I still want to be able to walk into the bank and authenticate in person to gain access to my account. And there may be new systems in the future.

So how does this correspond to identity systems? Just like my finances, I want multiple accounts for my identity information, and I want identity systems to co-exist peacefully and work well together (and that’s what the Bandit project is working towards). I personally think the information card metaphor will be the most common way to access my identity information, but I also find OpenID and federated accounts to be useful. And in some cases I actually want access via username and password to remain supported.

The only thing that I want to be able to correspond my accounts and access mechanisms — the thing that is in the center — is me, not an external identity information store. You might even say that my account correlation preferences are user-centric (for some definitions of user centric).

So why do multiple systems reduce my risk and still end up being more manageable?

It’s a matter of convenience, points of control, and manageability. In my current financial world I have less than 10 accounts; I commonly use less than 10 cards; I rarely write checks; I rarely link accounts, and even more rarely go into the bank to access my account in person, but I generally manage to keep my accounts current. In the online world I have hundreds of accounts and passwords. Incorrect information abounds because I can’t keep track of it all. My online world is more easily compromised in the sense that someone could get into my accounts without my knowledge. It’s harder to keep track of it all due to the sheer volume of accounts. If I can get to an online world that uses a combination of information cards, OpenID, and federated accounts, but in which I have less than 10 accounts to manage, that will be much better than what I have now and I would still be able to divide up the risk.

So that’s my analogy. It’s not a perfect analogy, but I think it fits how this space feels to me. It even has some other interesting illustrative points.

For example, it’s not surprising that a specialist in electronic funds transfers would scoff at paper checks. It’s also likely that a professor of economics would think checks, electronic funds transfers, and credit cards all have their place.

We can also see that there is value is some integration points between systems. There are a number of cases that I get cash with a card from an ATM (a financial token service as opposed to a security token service), or use a card in combination with other systems. But I don’t want them too enmeshed either. In my financial systems, I want integration at key points, but not complete convergence. Same with my identity systems.

What makes the overall financial system work is an underlying conceptual framework built on this rather vague notion called money. There are common concepts and principles that underly all the systems, even though they are often abstract and not well understood by everyone that uses the system. Sounds like identity systems to me.

So what is the One True Identity System that I want? It’s diversity of access mechanisms and sources of identity information built around a common conceptual foundation of identity, authentication, authorization, delegation, auditing, etc. Sounds complicated, but we do it all the time with money.

mystic oracle atmPlease note that in this whole post I didn’t use any word that started with ‘meta‘ … yet. But if I was going to discuss anything meta-ish I would start with Bob‘s discussion of a meta-identity system and the identity oracle, and I would use this photo. The question is, which box is more like the meta-identity system oracle?

New identity selector packages for Mac now available

My fellow Bandit Andy Hodgkinson is not a prolific blogger. So far he’s averaging one post every 1.25 years or so. But his post today will interest a lot of people.

Earlier this year we showed a version of an open source identity selector running on Linux and the Mac. It was announced with the name DigitalMe, and we donated the code to the Higgins project, where it is affectionately referred to as “the Higgins H2 Native Identity Agent”. But there were some problems. Even though the selector works fine for me on OpenSUSE Linux 10.2 and sports a lovely GTK UI, the Mac UI was a port and it required too many dependencies to install easily. It really needed to have a native Mac OS X UI. So Andy and Jim Norman set about this summer to learn Objective C and write a Cocoa UI, in addition to enhancing the selector interoperability and their regular jobs. And it needed to be conveniently packaged for Mac users, so Andy fixed that too.

obligatory screen shot of digitalme on Mac OS XLast Friday, Andy quietly posted the Mac binary packages. Drag and drop install. We have tested it with many relying parties and identity provider sites (many more than those linked). We have also notified a few interested power users and got some initial feedback. It’s looking good so far.

So if you’d like to run an easily installed, 100% open source package for OpenSUSE 10.2 or Mac OS X, you can get from the Bandit instructions and download page.

It’s shiny and new, and just might work. Please let us know how it works for you!