Author Archives: dale


Fashions in information card beachware

beachware sunset
It’s the end of summer. It tends to make me feel a little nostalgic even though I always enjoy the change in the feel of the light and air as autumn hints. Or maybe it’s just the pollen from that damn Russian Thistle that makes me feel different.

It’s also back-to-school time at my house. Mechanical pencils, 3-ring binders, and new clothes. My youngest two children each moved up a school. They always seem to get a cold in the first weeks of school and this year is no exception.

digitalme shirt back
digitalme shirt front
Meanwhile I’m getting excited about the progress and next steps for the Bandit project. There has been a lot of vacation time for the Bandit team this summer, but a surprising amount of work got done as well. This Fall is time to show it and put it into real use.

information card shirt front
information card shirt back
Maybe it’s the thoughts of vacation and next steps for the Bandit project that caused these photos to catch my eye. They are from a trip to Cabo San Lucas in July. They show something of what was on my mind then: sun, beer, beach, identity systems, and Lessig’s Code 2.0 (very highly recommended). Thanks to Mike for the information card shirt. I try to wear it in compliance with the logo usage guidelines, but I think I probably sometimes stand too close to other images and I spilled some salsa on it. I’ll keep working on it. The DigitalMe shirt is an old one from 1999 that I kept because I liked the logo. It’s amazing how some things come back into fashion.

summer reading
Now back to real work. Stay tuned. Some Really Good Stuff is coming due to collaboration of many projects in building the Internet identity fabric.

Catalyst sparks interoperable Internet identity systems

Hotel host for Catalyst
The Catalyst Conference last week was a great event. The Burton Group has a way of combining solid technical information with social interaction and humor to make a very potent experience. The speakers’ analysis of industry needs and trends was insightful and useful, as usual. Significant collaboration happened in the hallways and after hours in local restaurants and bars.

A particularly proud moment this year for me was convincing my son to drive up from San Jose and crash the opening reception with me. I’m sure it was not very pleasant for him at first, but he survived, nodded at appropriate moments, was relatively polite, and didn’t argue too vigorously with my stories about him. Thanks JT.
Derek from Nulli Secundus
It was great to get reacquainted with Craig Burton, as well as get a chance to converse with Jamie and the whole Burton Group crew. Of course, the place was packed with the card carrying members of the Identity Gang. I was so surprised to come around a corner and run into Pete Rowley that I exclaimed “good to see you, Phil!”. Social competence has never been my strong point. Sorry Phil, er, Pete.

SF streets
On Wednesday I participated in a panel discussion entitled: “Protocol Preferences Aside: How’s All This Stuff Going to Work Together?” I had been very hesitant about it since the other panel members represented large Internet access and federation service providers, whereas I represented small Open Source identity management projects. The moderator, Bob Blakley, and the audience asked great questions and I thought the discussion was actually enjoyable (which is not what I usually feel on stage). My fellow panel members were very engaging and we found that we are all trying to make Internet identity systems work together, and willing to listen and learn. I hope the audience found it as helpful as I did.

But, by far, the most significant event for me was the “User-Centric Identity Management Interoperability Demonstration”. The event was sponsored by the Burton Group and many projects associated with the OSIS working group of the Identity Commons participated. The Bandit team had been working for months to support the interoperability event. We had Bandit entries in the Identity Provider and Relying Party functional areas, and we supported the DigitalMe identity selector that we had contributed to the Higgins project.

The event showed:

  • 11 Identity Providers from 10 different vendors/projects
  • 6 Identity Selectors from 4 different vendors/projects
  • 24 Relying Party components from 16 different vendors/projects

Unfortunately, the Bandit Project’s participation was omitted from the press release and the Burton Group’s web site, and much that has been written about the event does not list the Bandit project as a participant. I’m sure it was an oversight but that one aspect was very uncool.

Overall, the event showed very significant progress in implementations of these types of identity systems. The most productive aspect was the collaboration with other projects in preparation for the event itself.
candle at catalyst
And it was fun to see it work. While there were many bugs and hiccups along the way, diverse projects pulled together and did the real work of making it work. The vast majority of projects represented were able to successfully interoperate with other components of the distributed identity system. A subtle shift happened in our thinking as well. We began to think about the system in more social, relational, and powerful ways. I’ll write more on that later.

Now we’re looking to a more rigorous testing phase and what we can learn from real deployments.

And, of course, we’re looking forward to the next Catalyst.

Expressions of a Milestone at IIW 2007a

There is just no easy way to explain an Internet Identity Workshop. It is an unconference, which is important, but that’s not really sufficient to explain it. It attracts a group of people who care deeply about Internet identity technology, its design and adoption, and its social, political, and economic impact. Many of them are people who have debated, supported, and known each other for a long time, so there is a sense of camaraderie. But it’s definitely not a closed group. It’s outrageously open and inclusive of newbies. Some of the most important decisions and leaps of progress in Internet identity systems have happened at IIW, or as a result of relationships established there. In addition to all of that, there is the untalent show, which is unfortunately self explanatory.

The great usefulness and significance of IIW is hard to explain. You just need to go to the next one.

On the opening day of this IIW I gave an overview presentation of the Open Source Identity System (OSIS) working group of the Identity Commons. After that there was a “speed geeking” event in which fellow Bandit Andy Hodgkinson showed the Higgins Native Identity Agent — an open source application that is roughly functionally equivalent to Microsoft’s Cardspace. Andy is the primary author of the code and finally got a chance to escape from his office for a while and show it off in person.

On Tuesday the OSIS group held a long working session in which we brought together many projects to collaboratively test a set of capabilities and scenarios. By all accounts it was a resounding success. Code from many projects worked together in multiple combinations and end-to-end scenarios. We had far more projects involved than I expected, we checked numerous scenarios, and many bugs and inconsistencies were identified — some fixed on the spot.

Bob and Pam at OSIS Interop Session of IIW
Bob Blakley moderated the session and managed to get everyone moving productively even though things didn’t start off quite as planned. The wireless network had become rather unstable. Most developers had difficulty getting an address via DHCP, and even when they did, the routing configuration was off and we could not connect to external servers. At one point Pamela Dingle became a human DHCP server and manually assigned IP addresses to each participant with correct routing information.

The fun was watching the different participants work through the process. Here are some photos of Andy Hodgkinson, Chuck Mortimore, Tony Nadalin, Ian Brown, and Kim Cameron as they collaborated on information card selector implementations:

Andy at the OSIS interop session
Chuck Mortimore at OSIS interop session of IIW
Tony just happy to be there
Andy, Ian, and Kim work on Card Selectors

There was a team from Oracle that was attempting to get their relying party code to work with the various Identity Provider and Identity Agent projects. Things didn’t work at first, but … the expressions on their faces say it all.

Oracle RP Team 0
RP Team 1
RP Team 2
RP Team 3

Then the Oracle team asked me to take their photo with Kim. Now that’s a friendly interoperability event.

RP Team with Kim
The OSIS session at IIW was intended to be an informal interaction that would help projects prepare for the more formal, and more visible, Catalyst Interop Event. Not only did it succeed in that goal, but I think most participants accelerated their understanding, improved their code, and raised their expectations for what we can show at Catalyst.

Of course there was much more done at IIW than this OSIS working group session. Phil Windley blogged a series of daily overviews.

There were a number of significant trends that seemed to me to take root at this IIW. Clearly there was a stronger interest in political and legal issues surrounding Internet identity systems. I think this is because the implementations and deployments are happening, and as people actually use this stuff they encounter subtle changes in their thinking. We start to actually think in more social terms in our internet use. It is fairly easy to recognize that there must be numerous points of contact between the identity systems and the legal system. I am sure there will be much more emphasis and discussion on these issues in the future. I know my own thoughts in these areas are still fermenting.

IIW event at the Monte Carlo
Another trend of this IIW was the increased emphasis on marketing. One session resulted in a new Identity Marketing working group of the Identity Commons.

The Bandit team was fortunate to be right in sync with this trend. We managed to get our Novell marketing representative (and Bandit-at-heart) Carolyn Ford to attend. Carolyn managed to soak up a huge amount of information and IIW culture in a short time.

After IIW I attended a meeting of the ITU-T Focus Group on Identity Management that took advantage of the IIW attendance to co-locate its meeting to Mountain View. While the meeting was vastly different than IIW and hosted by a vastly different organizational culture, it confirmed that the same issues around identity systems for networked devices are coming up in many areas.

The Bandit Project takes the subway to Munich

I attended Kuppinger Cole and Partner’s 1st European Identity Conference in Munich, May 7 – 10.

Euro ID Conference banner
The trip to the conference was an adventure in itself. It started with ticket confusion and delays for international bag check-in, then long security lines out into the airport parking lot, running to another terminal with shorter lines, sprinting down the concourse only to be told that the paperwork had already been done and I could not board (even though the plane was right there and the door was not shut when I arrived). Sigh. Missed flight. Reschedule. Another missed flight in Atlanta due to lack of an available (airplane) parking place. Reroute through Paris. I’d never been to Paris before. Now I can say that I’ve run through a very nice airport in Paris. About 24 hours after I left home, I got to Munich.

At least I learned a new phrase to use when I don’t want to cooperate with someone: “I’m sorry sir, the paperwork has already been completed and there’s nothing I can do.”

I had been trying to arrive in time to hear Dr. Jeff Jaffe’s keynote. I knew part of his presentation would refer to the Bandit project and I wanted to hear both the presentation and the audience reaction. Oddly enough, even though I arrived many hours later than scheduled, the conference was running a little late and I got to hear most of the presentation.

Jeff covered some great concepts about the history of Identity Management products and the role of Open Source. His presentation went very well, and there are photos of it here and here. Since then he has written about the same concepts.
post panel discussion
The next day I participated in a panel discussion on Trends in Open Source Identity Management. It was a very lively discussion. Tim Cole did a fine job of moderating before it got too lively. What is not obvious in the photos is that we are in front of a large classroom and it’s full of people — standing room only. In the audience were Dick Hardt, Conor Cahill, Bavo De Ridder, and other experts in this area. So the session was also very interactive. At one point, David put a question to the audience, and the panel listened as members of the audience debated. In the end it was very productive. I think numerous valid points were raised, but mostly we found that, while vigorously discussed, there was not as much disagreement as expected. As I remember the main points:

  • Open source development has advantages, but we don’t expect identity infrastructure to be exclusively open or exclusively closed source.
  • Open standards are essential, and open source development can be very complementary with standards development.
  • Numerous protocol families are gaining prominence and have valid uses, but there will not be a single dominant protocol in the near future.
  • Open source identity services must plan for clear evolutionary paths from existing systems.
  • We have moved out of the realm of debates about theory and possibilities and into debates about user experiences, system capabilities, and operational experiences. Deployments are happening.

Afterward the discussion continued over some fine German beverages.

The conference itself was very informative, and very well run. However, my usual programmer attire is a little underdressed for European gatherings. I’ll work on it.
Munich streets
Munich was beautiful. My hotel was fairly far away from the conference location, so I got to know the subway system. The subways were amazingly bright and colorful.
Munich subway orange
Munich subway yellow
Munich subway green

NetPro’s DEC, Hot Chicken, Information Cards, and Bandit

A few months ago the Bandit team showed an open source identity selector at Novell’s Brainshare conference.

I wrote about the demo then, and so did many others, but Gil Kirkpatrick‘s blog post about it really caught my attention. It was significant in many ways. He had not actually seen the demo, just read and heard about it from others, yet his comments were particularly insightful. He really got the important points of what was shown. As his comments about me also show, some of us have been working in the Directory Services and Identity Management space for a LONG time. And times are changing again in the identity services world. There are some new possibilities now. My perspective is that this has a lot to do with a clear movement away from an enterprise and vendor specific focus, towards more of an emphasis on integrating business with the general Internet, and therefore interoperable identity services. Gil’s comment seemed to me to reflect this perspective — he was excited about the possibilities for general use of an open source selector. He even mentioned perhaps giving news from my employer a fresh hearing (I appreciate that)!

So I contacted Gil, and we decided to renew our acquaintance at NetPro’s Directory Experts Conference.

I wanted to attend DEC for many reasons. For years I had heard that it was a great conference. My background is in directory services and I knew this was a serious conference for the same types of troubled souls as me. I also knew that Kim Cameron, Stuart Kwan, and Pamela Dingle would all be there and giving talks about information cards to the Active Directory Faithful — THAT sounded entertaining. And it was in Las Vegas, which is about 6 hours away by car, so it sounded like a great excuse for a road trip.

hot chicken relaxing
All very good reasons, but the reason I was particularly interested in attending DEC was a chance to help with an identity system used at the conference and get almost-real-world deployment experience for Bandit and Higgins components. The conference identity system in question involved information cards, embarrassing photographs, and a large poultry impersonator. After all, it was in Las Vegas.

The DEC hot chicken contest, as well as its usage of Bandit and Higgins components, was put together by the Pamela Project. The system involved getting conference members to either avoid embarrassment or win a Zune by accessing a web site with an information card. I think there was some reference to a carrot and stick, but when there’s a huge chicken walking around I’m not sure whether the reference was literal or figurative. The best writeup of the overall system and its results is from Pamela herself, here.

The Pamela Project Cards site allows anyone to create an account and generate a managed information card so that they can gain access to the Hot Chicken site. I got to help set it up and even wrote some actual code. It was great fun, and very useful; I gathered a lot of very good input about how to improve our identity provider package in the future.

I would like to emphasize that the Pamela Project’s “Cards” Identity Provider was built from completely open source software. It included components from many projects, but the most notable to me are the Higgins STS, Bandit management, authorization and audit code, all on an Ubuntu LAMP system.

The conference itself was well run, with great sessions, great food and a positive environment for conversation and collaboration. A great time was had by all, I’m sure, and certainly pointedly educational for me. Many thanks to Gil and Pam.

Oddly enough, the very next week my friend and co-leader of the Bandit team, Pat Felsted, also took a road trip to attend yet another conference in Las Vegas. His description of the experience is here.

Information card login, finally here and now.

I haven’t updated this blog for a while. It hasn’t been due to lack of interest or lack of activity. Actually, quite the opposite. A huge amount has been happening and I have a number of experiences I’d like to relay to illustrate the progress that has been made by Bandit, Higgins, the Pamela Project, and other aspects of the Open Source Identity System community…

But first….

I needed to move this domain and my blog to a new hosting site, move registrars, get a certificate, rent a static IP address, and on and on. What a pain. I wanted to make the move for various reasons; one of which was to have more control so that I can finally start using the cool new emerging identity systems. And I’m a little stubborn about how I manage my own stuff, so I have been futzing around with it between conferences and customer trips for the past few months. I appreciate the patience of my Internet tech supporters as they put up with my questions and peculiar spurts of interest. Now the site is moved, and seems to be operational. I have tried to keep it as much the same as possible, so you won’t notice many changes yet, but it represents a whole new set of possibilities for me.

For now, please notice that the login page now accepts an information card or an OpenID.

The OpenID plugin seems to be operational. There were a few hiccups in installation, but overall it went well.

The PamelaWare wordpress plugin is a development snapshot, but I am very happy with it. The installation was smooth and configuration was straightforward. The nice validation checks on the options page made the whole process much easier, and enabled me to quickly work out a few glitches in my installation.

I wish the certificate management and domain transfer had been that easy.

The co-existence of the OpenID and the PamelaWare WordPress plugins is experimental. Oddly enough, even though they implement different identity protocols, they seem to get along just fine — philosophically and practically. Please let me know (via a comment or my i-name) if you notice any bugs or if you have any suggestions.

Enabling this blog for Internet identity is just a first step. More to come.

All your infocard are belong to us

This week was Novell’s Brainshare conference. It’s a big deal for Novell folks and it’s a great event. It gives us a place to show off new technologies like the emerging Internet identity systems and some of the recent work that we have done on the Bandit team.

Our most significant demo this year was shown during the technology preview keynote on Friday. The whole series of demos is interesting — I especially liked some of the Linux desktop stuff — but if you want to just skip to the infocard stuff, it starts at about 40 minutes into the video.

For those who may want to know more detailed information about what the demo actually does, let me give some background information here:

There were 3 new open source components written by Bandits and made available this week:

  • A fully open source, cross platform identity selector service was contributed to Higgins. Written in C++, this Higgins ISS runs as a daemon (no UI) and provides core infocard selector service: it accesses multiple card stores, enumerates available cards, matches cards based on requested claims, and interacts with the appropriate STS to get a token. It is almost complete on support for personal cards, with an internal STS, etc. The real deal.
  • A UI process for the Higgins ISS. It is currently written in C#, runs on Mono, and leverages much of the management UI of the CASA component of Bandit.
  • A new OpenID context provider was contributed to Higgins. This context provider plugs into the Higgins IdAS and allows identity data to be accessed from any OpenID Provider. What this means is that, with no change to the Higgins STS code (since the STS uses IdAS), we could set up a demo such that infocards can be generated from any OpenID identity. In other words, using the Higgins STS and the new OpenID context provider, I can access any site that accepts infocards with my OpenID account.

So what Baber showed in the demo:

  1. A fully functional, native infocard selector running on the Mac.
  2. He accessed a shopping site with an infocard generated from an OpenID account. Put some things in the cart and logged out.
  3. Baber switched to a SUSE Linux Desktop machine. Fully functional infocard selector there as well. Accessed the same site with an OpenID infocard and saw the stuff in his cart from the Mac session.
  4. Goes to check out. The site asks for a card with different claims, needs a payment card.
  5. The Higgins Infocard selector supports multiple card stores. In this case Baber selects a credit card from a card store on his mobile phone via bluetooth.
  6. He authorizes a (hypothetical) payment and the online shopping site (the relying party) only gets his shipping address and an authorization code from the credit card.
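The selector steps described above (enumerate cards from several stores, match them against the relying party’s requested claims, issue a token carrying only those claims) as an added Python example. This is not Higgins ISS or Bandit code; the store names, card names, claim URIs and claim values are constructed for illustration, and the token is built locally where a real selector would obtain it from the card’s STS.

```python
"""Claim matching and minimal disclosure for an information-card selector.

Added example (not Higgins ISS or Bandit code).  Card stores, card names,
claim type URIs and claim values are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical claim type identifiers in the style of information-card
# claim types; they are not taken from any real schema.
GIVEN_NAME = "http://example.org/claims/givenname"
EMAIL = "http://example.org/claims/email"
SHIPPING = "http://example.org/claims/shippingaddress"
CARD_AUTH = "http://example.org/claims/paymentauthorization"
PAN = "http://example.org/claims/primaryaccountnumber"


@dataclass
class Card:
    name: str
    store: str              # which card store holds the card (laptop, phone, ...)
    claims: Dict[str, str]  # claim type -> value (sample values only)


@dataclass
class RelyingPartyPolicy:
    required: List[str]
    optional: List[str] = field(default_factory=list)


def enumerate_cards(stores: Dict[str, List[Card]]) -> List[Card]:
    """Step 1: gather cards from every configured store."""
    return [card for cards in stores.values() for card in cards]


def matching_cards(cards: List[Card], policy: RelyingPartyPolicy) -> List[Card]:
    """Step 2: keep only cards that can satisfy every required claim."""
    required = set(policy.required)
    return [card for card in cards if required <= set(card.claims)]


def issue_token(card: Card, policy: RelyingPartyPolicy) -> Dict[str, str]:
    """Step 3: minimal disclosure.  The token carries only the claims the
    relying party asked for (required plus any optional ones the card holds),
    never the rest of the card."""
    wanted = set(policy.required) | set(policy.optional)
    return {ctype: value for ctype, value in card.claims.items() if ctype in wanted}


def select_and_issue(stores, policy):
    """Run the three steps; return (names of matching cards, token from the
    first match) or ([], None) when no card satisfies the policy."""
    candidates = matching_cards(enumerate_cards(stores), policy)
    if not candidates:
        return [], None
    return [card.name for card in candidates], issue_token(candidates[0], policy)


# Constructed sample data: an OpenID-derived card on the laptop and a
# payment card held in a card store on the phone.
SAMPLE_STORES = {
    "laptop": [Card("openid-card", "laptop",
                    {GIVEN_NAME: "Baber", EMAIL: "baber@example.org"})],
    "phone": [Card("credit-card", "phone",
                   {GIVEN_NAME: "Baber", SHIPPING: "1 Example Street",
                    CARD_AUTH: "AUTH-0001", PAN: "4111-xxxx-xxxx-1111"})],
}

LOGIN_POLICY = RelyingPartyPolicy(required=[GIVEN_NAME, EMAIL])
CHECKOUT_POLICY = RelyingPartyPolicy(required=[SHIPPING, CARD_AUTH])

if __name__ == "__main__":
    print(select_and_issue(SAMPLE_STORES, LOGIN_POLICY))
    print(select_and_issue(SAMPLE_STORES, CHECKOUT_POLICY))
```

Running it with CHECKOUT_POLICY shows the point of the last demo step: the token handed to the shop holds the shipping address and the authorization code, and not the account number that also lives on the phone’s card.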

It’s a simple demo, and easy to miss the number of technologies and interactions involved, but this is the kind of progress that we have been working towards for a long time.

The Bandits are happy and tired.

A Field Trip to the Planetarium: Delegation, Authorization Documents, and Auditing

There has recently been an interesting blogosphere conversation around Kim’s series of posts on delegation. It started with Kim’s post about a statement attributed to Eve Maler. He focused on the phrase “user absent scenario” that Eve reportedly maintains Cardspace doesn’t support. Kim then goes on through a number of posts to explain the concept of delegation. It’s actually a concept that Eve mentioned as well. I think Kim reacted mostly against the phrase “user absent”, and the conversation was then picked up by others as being confrontational. I’d hate to have my casual conversations over coffee reported to the Internet and scrutinized over a single phrase. So please do not construe this post as picking a side between current identity system brands. I don’t see these concepts being deployed very much at all right now, certainly not to Internet scale. Even in Kim’s post he mentions that, using Cardspace, someone can build a system that can delegate a user’s authority. Such systems are not here yet.

What I’d like to do is expand on Kim’s exposition on delegation. You might even say, embrace and extend those thoughts to capabilities of authorization and audit.

The concepts he explains are, in my experience, right on. This stuff is exciting to old directory services developers. It even drew Pete out of his code for a while. Much of my career has been working on a directory service from the inside — where identity is represented as a flat list of authorization entities on the other end of a connection. Connection based services. They are fine for many purposes and necessary. But they don’t support delegation well. They don’t allow an entity to take a subset of its authority and delegate it to a service for a specific purpose and time. Nor do they allow much more complicated scenarios, like those that actually happen when I walk into a Starbucks and pay with a credit card.

What we need for many operations is identity data, especially data used for authorization, that is composable — something like a document that allows chunks of data from multiple sources to be combined into a single authorization document. That way the data can pass through multiple entities and be securely transformed and composed, almost like a mini-workflow. Often delegation involves a time-bound subset of the authority of one entity given to another entity. There are probably many ways of doing this, but one way is to call those chunks of data “claims”, and the document an “infocard”. There are even techniques to keep the claims secure and yet properly pseudonymous.

BUT, the authorization data still needs to keep track of all the entities that authorized some portion of each request. It needs to be composable, but separable to individual authorization entities. There are many reasons why we need to keep them separate, but one reason is so that we can audit who did what. In my directory services experience, I’ve seen many other services login to the directory service as a privileged account, say serviceAdmin, and then make requests on behalf of its users. But all the audit logs can record is that serviceAdmin did everything. Imagine a backup service. I want to delegate to the service my authority to back up some of my files for a specific period of time each night. When the backup service reads my financial data at 2am, I want the audit log to indicate that it was the backup service reading my data on my behalf, not that it was me reading the data. Hopefully, I was asleep.

Audit logs can be necessary for a service to prove compliance with various corporate policies, but they can also be of great value to the consumer. When I buy something at a store, I usually use a credit card. I almost always get a document from the store, the relying party, that indicates who I am, what I purchased, how much they agree to charge me, and what they agreed to do for me. It’s an audit record. A document that gives me a record that I delegated a bit of my authority to that store for a specific purpose. It’s called a receipt. Then when I get the financial statement that says how much was debited from my account by that store, I can correspond it with the receipt. These are all documents composed of delegation and audit trails from multiple entities involved in the transaction.

What about the field trip to the planetarium?

These concepts are all illustrated in this rather simple recent event.

A few weeks ago my daughter brought me a permission form. I had to fill it out before she could go with her class on a field trip to the planetarium. It had a check box for whether I would drive her myself, or delegate that to the bus company with which her school had contracted transportation. It had a place for my name and signature, and what dates this authorization was effective. That document was then transported (via a rather unreliable medium) to my daughter’s teacher, to the school administration, where it was processed (I assume), and some derivative document was filed with the bus company. It is very important to me that all points of delegated authorization are clear and auditable. If my daughter wanders off after the show, I want the bus service to wait for her. I do not want it recorded that I drove my daughter to the planetarium. Because it wasn’t me. I delegated some of my authority to another service. I want my online transactions to have these same capabilities — only better.

Authorization and audit matter, and need to be composable from multiple entities. Delegation is a key concept.
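A small model of the delegation, composition and audit ideas in this post, added here as an example; it is not Bandit, Higgins or Cardspace code and not Kim’s design. It assumes one HMAC key shared by whoever issues and whoever checks delegation documents (a stand-in for real issuer signatures), constructed names (dale, backup-service, school, bus-company), made-up scope strings and dates, and it carries the whole delegation chain inside each document so that an audit record can name everyone who delegated, not just the service that acted.

```python
"""Time-bound delegation documents that compose into a chain, with an audit
record that names the acting service and everyone it acts for.

Added example, not Bandit or Higgins code.  ISSUER_KEY, the names, scopes
and dates are constructed; one HMAC key stands in for per-issuer signatures.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

ISSUER_KEY = b"constructed-demo-key"  # constructed; a real deployment uses per-issuer keys
_t = datetime.fromisoformat


def _sign(fields: dict) -> str:
    """HMAC over the canonical JSON of a document without its own signature."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def delegate(principal, to, scope, not_before, not_after, parent=None):
    """Create a delegation document.  Without a parent, `principal` speaks for
    itself.  With a parent, the issuer must be the parent's delegate and may
    only narrow the scope and time window it received, so composing documents
    can never widen authority.  The parent travels inside the child."""
    if parent is not None:
        if principal != parent["delegate"]:
            raise ValueError("only the named delegate may re-delegate")
        if not set(scope) <= set(parent["scope"]):
            raise ValueError("cannot delegate more than was received")
        if not_before < _t(parent["not_before"]) or not_after > _t(parent["not_after"]):
            raise ValueError("window must lie inside the parent's window")
    doc = {
        "principal": principal,
        "delegate": to,
        "scope": sorted(scope),
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "parent": parent,
    }
    doc["sig"] = _sign(doc)
    return doc


def _chain(doc):
    """Documents from the root principal down to `doc`."""
    links = []
    while doc is not None:
        links.append(doc)
        doc = doc["parent"]
    return list(reversed(links))


def authorize(doc, actor, action, now, audit_log):
    """Decide one request presented under `doc` and append exactly one audit
    record.  Every link must verify and must permit `action` at `now`; the
    record lists the actor and the on-behalf-of chain separately."""
    reason = None
    if actor != doc["delegate"]:
        reason = "presenter is not the named delegate"
    for link in _chain(doc):
        if reason is not None:
            break
        unsigned = {k: v for k, v in link.items() if k != "sig"}
        if not hmac.compare_digest(link.get("sig", ""), _sign(unsigned)):
            reason = "bad signature in chain"
        elif not (_t(link["not_before"]) <= now <= _t(link["not_after"])):
            reason = "outside validity window"
        elif action not in link["scope"]:
            reason = "action not in delegated scope"
    audit_log.append({
        "time": now.isoformat(),
        "actor": actor,
        "on_behalf_of": [link["principal"] for link in _chain(doc)],
        "action": action,
        "result": "allowed" if reason is None else "denied: " + reason,
    })
    return reason is None


def demo():
    """Constructed scenario: a backup service acting for the file owner, then a
    parent -> school -> bus company chain like the permission form."""
    audit = []
    day = datetime(2007, 3, 1, tzinfo=timezone.utc)
    backup = delegate("dale", "backup-service", {"read:files"}, day, day + timedelta(days=30))
    authorize(backup, "backup-service", "read:files", day + timedelta(hours=2), audit)   # allowed
    authorize(backup, "backup-service", "write:files", day + timedelta(hours=2), audit)  # out of scope
    authorize(backup, "backup-service", "read:files", day + timedelta(days=45), audit)   # expired
    school = delegate("dale", "school", {"transport:child"}, day, day + timedelta(days=1))
    bus = delegate("school", "bus-company", {"transport:child"}, day, day + timedelta(hours=8), parent=school)
    authorize(bus, "bus-company", "transport:child", day + timedelta(hours=3), audit)   # allowed
    tampered = dict(bus, not_after=(day + timedelta(days=2)).isoformat())  # window widened after signing
    authorize(tampered, "bus-company", "transport:child", day + timedelta(hours=20), audit)  # bad signature
    return audit


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Two points the model makes concrete: a child document can only narrow what its parent granted, and the audit entry records the actor and the on-behalf-of chain as separate fields, so the 2am read is logged as the backup service acting for the owner rather than as the owner reading.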

infocard.

This is actually a precursor to another post. While typing that post I became increasingly tired of typing “Identity Metasystem” and “Information Cards”, and have decided to revert to infocards. This is why…

I’m tired of trying to figure out what to call a system of software agents that support a particular style of interactions and data exchanges. Exchanges which are in the style of WS-Trust, use security tokens and security token services, employ an information card metaphor, and are probably to some degree compatible with Microsoft’s Cardspace implementation of an identity selector. What is that system called?

I have read that some feel this system should be called the Identity Metasystem and on my last rereading of Kim’s paper, I mostly think that’s his intent. Mostly. But I’m not sure. And certainly others tell me that the metasystem can’t be meta if it relies on specific protocol exchanges. Protocol exchanges define an identity system, not a metasystem. Also, how can a protocol encompass future systems? It would have to be incredibly fuzzy and abstract (perhaps as fuzzy as WS-*).

So a metasystem should encompass other systems — but does that mean other distributed systems or other host based systems? Put another way, is a metasystem a conceptual thing only, since actual communications between agents would involve a specific set or system of protocol exchanges? Or is it a metasystem if it is a protocol system that is so incredibly flexible, extensible, and general that connectors can be written to connect all host based identity systems into it?

Reading the paper again just now, I think that Kim’s intent is that the “Identity Metasystem” is a set of protocols and profiles — based on WS-Trust and sometimes called WS-*. But I don’t think it’s commonly understood that way, and I’m not at all sure I’m right.

There’s also the concept of the MetaIdentity System.

And I’m still tired of dancing around what to call it. So, in the posts that follow (until I’m corrected or change my mind) I intend to call it by the name infocard, using the Microsoft code name as a generic term for the overall paradigm. I know most people now call them “Information Cards”. But that’s so LONG and I’m an old coder that doesn’t type well. It’s as long as “Identity Metasystem”. I like short, but specific names. Preferably all lower case. So I intend to refer to the specific visual metaphor as infocard, and the system as infocards, or perhaps, “an infocard system” when necessary.

Bandit, Community, and Corporate Deployments

In my last post, I talk about three ways that the Bandit Project is contributing to the emerging Internet identity space. In this post I want to expand on the third area of that post. This area will be an increased focus of the Bandit project this year. Since the Internet identity systems are happening, we are betting that the Bandit components will be strongly needed, and we expect them to be deployed in real world installations. And we want to accelerate that process.

So we are starting to visit deployment sites and validating these concepts, as well as our component designs and project communication. We’ve been learning a lot. What follows is an excerpt from a letter I sent to some enterprise sites to illustrate our reasoning. It was sent to some Novell customers, hence the Novell focus, but don’t take that too strongly either. Often Novell customers write custom code to integrate web applications, and we want to make the identity integration at those points as easy as possible. But we work with non-Novell customers, partners, and other vendors just as well. Bandit components do not require Novell products (though we do try to make them work well together). Here’s part of the letter:

Bandit is an open source project, sponsored by Novell, that takes an evolutionary approach to reducing the difficulties of developing, deploying and integrating identity services into enterprise environments. We currently focus on simple components that implement runtime authentication, authorization, and auditing services. Novell products, partner products, and custom applications that use these components can consume identity from any source, make flexible and powerful authorization policy decisions, and ensure that access is audited in a consistent manner.

Open source projects such as Bandit give Novell a very effective way to collaborate with their customers. Developers at customer sites can have direct access to the project team and Novell engineers. They have full access to all aspects of the development process. Features and project road map are directly and transparently determined.

Open source development has consistently done well in areas that require interoperability and implementation of standards. This seems like a perfect fit for identity services in most enterprise environments. Multiple identity systems and standards, mismatched products from a variety of vendors, and constantly changing company boundaries all conspire to make identity services difficult to deploy and maintain. Yet identity services are most critical to company information, processes, and compliance verification.

Bandit is completely open source in code and development style. We implement standards and use existing APIs and frameworks when possible. We work with many other open source projects to integrate, reuse, and collaborate.

All this makes sense to me and the Bandit team, but we intend to validate and evolve this project vision with the community, customers and partners. Also, we intend to actively explain how and why we believe this project works. We would like enterprise developers to work with us. The project is still in early stages, but real value is there now. We want to provide open source code to access existing and future systems — yet early involvement also will give greater influence in project direction.

The Internet identity foundation is coming together quickly. Useful Bandit components are already available. Over the next year, the Bandit team will be focusing more on integrating our development with the community, customers and partners to validate and evolve the project vision.

It also sounds like great fun to me! I’m looking forward to it.