Wednesday, December 20, 2006
WS-Federation 1.1 is out... and skipping through the TOC, I have this strange feeling of deja vu.


Wednesday, December 20, 2006 5:14:46 PM (Eastern Standard Time, UTC-05:00)

Thanks to Pat, I caught the five-things-bug as well...

So here are the five things that most folks probably do not know about me:

  1. I attended a Jesuit boarding school in Bonn from grade 9 through 11. The only reason for getting away from there was that I was kicked out after partying too much ...

  2. In order to make some money during my university years, a friend and I started a boot camp for high school students, to prepare them for their final exams (Abitur). After the first few years this became a big event, and Uwe is now making a living off it. He is my son's godfather.

  3. There is a story behind my given name "Gerald": My parents had differing opinions about how I should be called, so "Gerald" (my father's name) was the compromise. He got that name, because my grandmother really liked the movie "Gone with the Wind" and named her son after Gerald O'Hara.

  4. I am really a Linux guy by heart. I converted my PC (a 486) to SLS at kernel revision 0.99.15 in 1992. Seems like a few lifetimes back ...

  5. My favorite beer is Mühlen Kölsch.

And now the pleasant part: Robin, Dale, Hubert, Clemens, Marc - you're it!

Wednesday, December 20, 2006 2:12:18 PM (Eastern Standard Time, UTC-05:00)
Tuesday, December 19, 2006

After talking to Robin and some other folks, I think it might be an interesting exercise to define a few terms and describe how I have been using them in my blog posts. This is not necessarily an attempt to create a dictionary or lexicon, but an explanation of how I understand things ...

  • InfoCard (System): This is an authentication system, originally devised by Kim Cameron and other folks at Microsoft. It utilizes the WS-* network protocols for transport, and uses a "Wallet" metaphor for visualizing identity information on client machines through credit card-like graphics.

  • Windows CardSpace: By this I mean Microsoft's implementation of the InfoCard system on Windows. This includes Vista and the WCS port for Windows XP and 2003.

  • IdentityCard: A single instance of an identity holding card in an InfoCard System. IdentityCards can be e.g. Higgins I-Cards holding OpenID information or Windows CardSpace cards.

  • InfoCard (Card): The Windows CardSpace implementation of an IdentityCard.

One thing that I am really interested in finding out is how (and if!) consumers will pick up on the visual IdentityCard metaphor.

Tuesday, December 19, 2006 4:25:46 PM (Eastern Standard Time, UTC-05:00)
Tuesday, December 12, 2006

I am starting this series of truly random thoughts on various identity-related topics with an area that I have - so far - not spent a lot of time thinking about: Identity for Voice. What do I mean by that?

I have my bank accounts, health care insurances (or not), credit cards, etc. Whenever I interact with these companies and organizations through a phone, they typically try to identify me by asking me questions about the identity information they have about me: PIN, social security number, birthday, zip code, maiden name of my mother, last name of my first teacher in middle school and similarly absurd questions. Based on the capability to give the correct attribute value, they consider me authenticated as "me". A local maximum of absurdity was recently reached in my digital life, when my bank switched to a system where I have to answer at least 2 questions from a list of 10, some of them as ridiculous as "Where does your next relative live?".

There are times where things get a little more fancy. One example is using caller ID as a means to identify the phone I am calling from. Not only is it quite dubious in my mind that this is a good way to authenticate. Even worse is the fact that there are plenty of ways to fake the caller ID system.
Beyond that, we also have voice recognition (which might get quite good), but there is always the option of a tape recorder and voice synthesis technology. Also, there are call-back mechanisms.

Another problem is the potential for phishing through voice based systems. To address this, there would need to be a way to authenticate the provider (i.e. the bank, insurance company, etc.) to the caller, which is - to my knowledge - not easily possible at all at this time.

Quite obviously, I am not really happy with identity in voice UI land. While this might be ignorance on my part (there have to be quite a few folks out there thinking about solutions to this problem), I think that the distributed-services-and-federated-identity crowd that I am mostly working with is equally disconnected from these problems.

So what can we do about this? First of all, get smart about the voice ID problems. I have started to talk to a friend of mine working in this area, and he gave me a lot of interesting entry points into the world of voice UI. Beyond that, I suppose we might have quite a few ways to extend security:

  • Integrated multi-factor authentication: Voice print, caller ID, call back and attribute knowledge are - by themselves - insufficient. A combination of these might be sufficient for low risk transactions.
  • Increased integration of electronic and voice technologies: Authentication could be done through a web site (based on strong crypto). The web site would then issue a single-use, time-limited password that would serve as an additional authentication factor. There are quite a few technologies available today that I would put into this category, including SMS based authentication schemes for cell phones.
  • Better Meta Data with each call: If we could transmit metadata with each call (e.g. proof of possession of a private key), we would immediately increase the level of trust I could have in a voice communication. While traditional telephones do not offer any reasonable extension points, cell phone or - even more so - VoIP systems can send additional data through a data channel.

An additional meta data channel with each call would be - as far as I am concerned - the best solution. This would allow us to tie the authentication for the voice UI into cryptographically strong identity techniques.

Tuesday, December 12, 2006 4:48:45 PM (Eastern Standard Time, UTC-05:00)

James McGovern asks whether federated identity might require (at least sometimes) federated authorization. I think this is a pretty good question and one that is not easy to answer. My initial take on this would be that federated identity should not require federated authorization, assuming that I understand correctly what federated authorization really is.

For simplicity's sake, let identity be just a bag full of attributes (e.g. e-mail address, names, phone number, etc.). An identity provider is then nothing more than a service that asserts that certain attributes have a particular value for a given digital identity. A relying party (i.e. a service provider like e.g. AmazingBookStore) can choose to trust such an assertion - either in full, or just certain parts of it. At the end of the day, the relying party will have to determine the level of access based on the type of assertion and the content of the "attribute bag". As such, in this case authorization is local.

If authorization is to be delegated to another point (as in e.g. the XACML model), the relying party forwards it to a policy decision point, where the contained attribute information and additional attributes the PDP might obtain are evaluated according to a set of policies.

Now what is federated authorization? If I understand it correctly, it would be a scenario where you trust access level decisions to your resources to a third party (e.g. you would let YahaPortals.COM decide whether or not a user can get access to data you own). I am tempted to say that the risk that YahaPortals has about a false negative or false positive decision is quite substantial, particularly in our age of increased liability.

While there might be some use cases that do (or will) require such a model, I would argue that XACML provides a pretty substantial technology base for a federated authorization system, should the need arise. Some additional elements for such a system (e.g. trust establishment, crypto, etc.) could be either profiled or application specific.
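The local-versus-delegated split described above, as an added example that is not part of the original post: a relying party keeps only the attributes it trusts each issuer for, then either decides access itself from that bag or hands it to a PDP that may obtain additional attributes before evaluating policy. Issuer names, resources and the directory lookup are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assertion:
    issuer: str        # the identity provider that issued the attribute bag
    attributes: dict   # the "bag full of attributes"

# Relying-party trust configuration (constructed): which issuer this RP
# trusts for which attributes. Everything else in a bag is ignored.
TRUSTED_ATTRIBUTES = {
    "idp.example.net": {"email", "name"},
    "hr.example.net": {"employee_id", "department"},
}

def accept(assertion: Assertion) -> dict:
    """Keep only the attributes the RP trusts this issuer to assert."""
    allowed = TRUSTED_ATTRIBUTES.get(assertion.issuer, set())
    return {k: v for k, v in assertion.attributes.items() if k in allowed}

def merge(assertions) -> dict:
    """Combine the trusted parts of several assertions into one bag."""
    bag = {}
    for assertion in assertions:
        bag.update(accept(assertion))
    return bag

def local_decision(bag: dict, resource: str) -> str:
    """Authorization is local: the RP decides from the trusted bag alone."""
    if resource == "catalog":
        return "read" if "email" in bag else "deny"
    if resource == "finance-reports":
        return "read" if bag.get("department") == "finance" else "deny"
    return "deny"

# Constructed attribute source a PDP can consult on its own (e.g. a directory).
DIRECTORY = {"E-1001": {"clearance": "high"}}

def pdp_decision(bag: dict, resource: str) -> str:
    """Delegated decision (XACML-style): the PDP enriches the bag with
    attributes it obtains itself, then evaluates its own policy."""
    context = dict(bag)
    context.update(DIRECTORY.get(bag.get("employee_id", ""), {}))
    if resource == "finance-reports":
        ok = (context.get("department") == "finance"
              and context.get("clearance") == "high")
        return "read" if ok else "deny"
    return local_decision(context, resource)
```

Note that the same bag can yield different answers depending on where the decision is made: the local policy only sees what the RP chose to trust, while the PDP's policy also depends on attributes the RP never received.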

UPDATE: As usual (at least in the last couple of weeks), I am quite behind things. James apparently commented on quite a few blogs (hmm, was that related to IIW tagging ... noooo, can't be) and got some pretty substantial answers from Pat, Conor, and Paul.

Tuesday, December 12, 2006 2:37:31 PM (Eastern Standard Time, UTC-05:00)
Wednesday, December 06, 2006

After suggesting the general OSIS session at IIW, I obviously was obliged to run the session as well. Overall, I think that the session was successful - although I believe that only those that have been working in the context of OSIS for a while have been really satisfied.

One of the things that was requested during the session was a somewhat comprehensive, yet high-level overview of the OSIS "sector" of the identity landscape. I tend to agree. While those that have been involved in OSIS and some of the projects associated with OSIS are starting(!) to get some shared understanding of what OSIS is about and how things relate to it, many people in the industry just don't. [1]

Unfortunately, we did not have the time to "bash" Johannes' overview talk on OSIS, which I found to be a reasonable first introduction.

So allow me to make an attempt to clarify the "elevator pitch":

OSIS is an - intentionally - fairly informal working group under the newly formed identitycommons. Its short term goal is to facilitate the creation of an InfoCard compatible client that is fully interoperable with Microsoft's Windows CardSpace implementation. Down the road - as soon as we can present some tangible results on our first goal - we intend to broaden the scope and will include OpenID, Liberty and other open source identity technologies to create an open and interoperable general purpose identity SYSTEM.

The way to achieve these goals (i.e. the facilitation) is by providing a place to discuss the needs, status and goals for all OSIS projects. In particular, OSIS will not:

  • create profiles or standards
  • attempt to force its constituents to develop into a certain direction
  • provide a comprehensive administrative and legal framework
The biggest value-add of OSIS to me is its informal participation structure: this allows a fairly free flow of ideas between technologists that are trying to get things to work with each other. Politics and religion stay (largely) out of this by design.

[1] Yes, OSIS does have a charter under IDcommons. However this charter is not really a good high-level overview in my opinion. In fact, the charter really underlines the informal character of the group by being *really* open-ended.

Wednesday, December 06, 2006 3:52:17 AM (Eastern Standard Time, UTC-05:00)
Monday, November 27, 2006

Interesting news from the Compact Framework group: They are planning on releasing a subset of WCF on the Compact Framework (i.e. their mobile edition). This is quite interesting, not the least because a lot of their mobile devices are frequently used in a disconnected mode and only updated at scheduled times. One solution to the problems that arise with this mode of operation is the use of SMTP as a transport protocol for SOAP.

Monday, November 27, 2006 12:53:04 PM (Eastern Standard Time, UTC-05:00)
Tuesday, November 21, 2006

In a recent school shooting in Germany, a troubled and bullied kid went on a killing spree, wounding 37 and killing at least himself. He was apparently disillusioned by an economic situation that would have sent him straight from the school into unemployment. This is very sad and a horrible waste of talent that no modern society can really afford in an age of global competition.

Now, after the disaster, politicians across the board are trying to "understand" what happened, i.e. come up with lame excuses for their incompetence and offer rash, unreflected but popular strategies to address the issues. Germans - with their tradition of state control and a somewhat troubled history of civic freedoms - have a universal approach to this: Verboten! As such, it is not surprising that first-person shooters (such as e.g. Half-Life or Quake) are targeted for censorship.

I do not want to argue about the pedagogical value of such games. However, in a society where freedom is considered one of the fundamental values [1], censorship is not an option. I do think that access to violent computer games should be limited to adults and that children should be educated about proper use of modern media in school. But teletubbyfying entertainment is simply ludicrous.

The gravest failure lies with the parents, and to a lesser degree with teachers and local society as a whole - they are co-responsible for the failure to educate this young man and offer him a future. At the end of the day however, he pulled the trigger - so the primary responsibility lies with him - and certainly not with the game industry or with the Internet in general.

The proper questions to ask would be: Why did the parents allow him to play FPS for such a long time? Why did they not recognize that he had social and academic problems at school and react accordingly? Why did the teachers not discourage bullying at an early stage? And finally: how long will Germany continue on its current trajectory, where qualified labor is desperately needed, but the structures in education and the labor market are so inflexible that talented young people do not get the chance to excel and pursue happiness?

[1] Germany's national anthem begins with "Einigkeit und Recht und Freiheit ...", i.e. "Unity and Justice and Freedom ...".

Tuesday, November 21, 2006 12:11:15 PM (Eastern Standard Time, UTC-05:00)
Friday, November 17, 2006
What a week! After the ground breaking Java OSS announcements this week, there was another one this Tuesday: Sun's OpenSSO project releases the WS-Federation code that allows users to federate OpenSSO seamlessly with ADFS and WCF. Congratulations to the team!

Friday, November 17, 2006 6:17:58 PM (Eastern Standard Time, UTC-05:00)
Wednesday, November 15, 2006
After some extended time without any new entries, I am back. Besides being insanely busy with all kinds of work for the last couple of weeks, I am going through a somewhat stressful personal time: a close family member is going through liver cancer and it is not yet clear what is going to happen. In such times it is really reassuring to have colleagues that are quite understanding, so thanks to all of you.

On the more technical side, I have been playing a lot with the (now released) Windows Communication Foundation... congratulations to the entire Indigo team for delivering the product. Also, Windows CardSpace is occupying a lot of my time and last, but not least, there is the ASP.NET AJAX Beta 1 which came out recently, along with the production release of NetBeans 5.5, the official start of the Interop Vendor Alliance, open sourcing Java ... and so on.

I hope to be able to put down a few interesting things in the next couple of days - however, tomorrow and on Friday I will attend the Higgins face to face meeting in Cambridge, MA.

Wednesday, November 15, 2006 5:01:28 PM (Eastern Standard Time, UTC-05:00)

Copyright by Gerald Beuchelt.