Thursday, August 09, 2007

This is the taping of the full lecture - highly recommended:


Thursday, August 09, 2007 1:39:20 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Tuesday, August 07, 2007

With this article I will try to clean up a little of the confusion that I helped to create over the past few days. You might ask "why?" The answer is quite obvious: the medium is the message; the content of a message and how it is received depend strongly on the form in which it is presented.

This will be my last post on the subject of "meta"-ness. At least for the time being.

It seems to me that there is a fundamental disconnect about what differentiates a system from a meta-system. For myself [1] (and it seems also for Paul and Robin), a system is a set of rules, protocols, profiles, etc. that are to be implemented. For example, there is a system in place that governs the quality of gasoline and automobile engines and the standard ways of distributing fuel. This system consists of rules, regulations, engineering practices, etc.

From what I gathered in the recent discussion with Bob and Pamela, it seems that they would call these rule-sets a meta-system (please correct me if I am wrong). If I understand them correctly, the individual gas stations, car manufacturers, refineries, etc. would be called systems.

So far this analogy has held up well, so I will now try to overstretch it: to me, a meta-system would govern how, for example, different car fuel systems (such as hydrogen, electricity, natural gas) could be made to work together. Examples of this would be creating user devices (cars) or identity/service providers (gas stations) that can consume or dispense different types of fuel.

I am not quite sure what the right term for this would be, but the dreaded meta-meta-system certainly comes to mind. That is why I suggested (only half-jokingly) the term aleph 0 system [2], since it would equalize the different 'starting points'.

---

Now, applying these thoughts to the identity world, I come to the following conclusions:

  • Of the three contenders (Liberty, CardSpace, OpenID) for identity systems, Liberty was the first identity meta-system.
  • Concordia will hopefully help us arrive at an identity meta-system (better: an aleph 0 identity system).
  • OSIS has so far tested implementations of identity systems (i.e. identity meta-systems), and will hopefully expand to use cases for identity meta-systems.



[1] In this article I mark the terms system and meta-system either in blue or in orange, depending on whether I use them in my sense or with the meaning that Bob and Pam have in mind. (The colour coding is not preserved in this text copy, so the two senses have to be told apart from context.)

[2] Ok, anybody with a better term?

Tuesday, August 07, 2007 8:34:31 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Monday, August 06, 2007

There seems to be a little confusion over the difference between identity systems and identity meta-systems. Some identirati are of the opinion that, to qualify for the "meta" tag, it suffices to support a single family of protocols and multiple token formats, while others are convinced that a "meta" system should also support multiple protocols.

Since this seems confusing to me, I implicitly suggested calling the latter an "identity meta-meta-system". Having opened this can of worms, you can easily arrive at an "identity meta-meta-meta-system", etc., to include other staggering advances in interoperability such as semantics.

To prevent this kind of meta proliferation, I am now convinced that we should name the goal of "getting these pesky identity thingies to work with each other": the Aleph0 Identity System (AIS) [1]. The AIS can, by definition, not be implemented, but it describes the elysian state where all identity systems that would like to be interoperable or interchangeable are interoperable or interchangeable with all others participating in the Aleph0 Identity System.


[1] This is motivated by the notion that the cardinality of a countably infinite set (in this case, the set of metas) is commonly denoted by aleph 0, written ℵ₀.


Monday, August 06, 2007 10:13:27 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Friday, August 03, 2007
Both Paul and Robin beat me to this ...

The recently published report by Burton's Bob Blakley summarizes the results of an interoperability testing fest at the Burton Catalyst conference earlier this year. This venue was a great success for the Windows CardSpace identity system, since it was the second OSIS event at which a variety of open source projects and closed source commercial products demonstrated a significant level of interoperability. Given the early and evolving state of the InfoCard system, this is a great success for all parties involved.

However, Bob is somewhat mistaken in parts of his article:
"The interop participants accomplished in two months of concentrated effort what it would probably have taken them a year to do working independently without the looming deadline provided by the Catalyst demo."
This is not quite correct: the Catalyst interop fest was the second such event organized by OSIS; the first one was held earlier at the Internet Identity Workshop 2007. Results and blog reports on this can be found all over the web. Having been a member of OSIS for some time now, I find it a little unfair that this interesting (un)organization, which has certainly had its ups and downs, is not given the credit it deserves.
"While it is still fair to say that user-centric identity technology is in its infancy, if progress continues at this rate the technology should be ready for enterprise adoption within a year."
I am surprised to see such a bold statement, especially since even some of the core developers and architects are not quite happy with the term "user-centric identity". Let's just step back and count how many glossaries, lexicons, and lists of terms define digital identity, identity system, user, and user-centric in different ways, sometimes with completely different semantics. Predicting enterprise adoption within a year seems overly optimistic to me, especially considering that there are still a number of significant issues even within the reference implementation of the InfoCard identity system.

As Mark Wahl pointed out earlier, most of the issues encountered during the second OSIS interoperability fest are related to the lack of proper schema management for attributes and their semantics [1]. The only project in the InfoCard system currently working on these issues is Higgins, with its use of OWL (although some people might argue that this is technological overkill).

Outside of the InfoCard system there have been other efforts to get to at least some standardization of attribute interpretation (the SAML attribute profiles, which work nicely with LDAP/X.500, XACML and other likely sources), and work is being taken up by Liberty to standardize identity attribute sharing rules (e.g. the IGF/IDG work, based on CARML/AAPML).
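To make the schema-management point concrete, here is an added example (not code from this post, and not Higgins, Liberty or OSIS code) of what a relying party has to do when two identity providers describe the same LDAP attributes differently. The NameFormat URIs and the urn:oid names follow the SAML 2.0 core specification and its X.500/LDAP attribute profile; the local schema, the two assertion fragments and the third, rejected one are constructed for this illustration. Signature and Conditions validation is assumed to have happened before the assertion reaches this code.

```python
"""Normalising SAML 2.0 attribute names from two IdPs onto one local schema.

Added example, not from the original post, Higgins, Liberty or OSIS.
NameFormat URIs and urn:oid names follow SAML 2.0 core and the X.500/LDAP
attribute profile; SCHEMA and the sample assertions are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# The relying party's schema: the (NameFormat, Name) pairs it accepts and the
# local attribute each one means.  Keying on the pair rather than the bare
# string is the point: "mail" under the basic format and
# urn:oid:0.9.2342.19200300.100.1.3 under the URI format are the same LDAP
# attribute, while "mail" with no declared format is not something to guess at.
SCHEMA = {
    (URI_FMT, "urn:oid:0.9.2342.19200300.100.1.3"): "mail",
    (URI_FMT, "urn:oid:2.5.4.42"): "givenName",
    (URI_FMT, "urn:oid:2.5.4.4"): "sn",
    (BASIC_FMT, "mail"): "mail",
    (BASIC_FMT, "givenName"): "givenName",
    (BASIC_FMT, "surname"): "sn",
}


class SchemaError(ValueError):
    """Raised when an assertion carries an attribute the schema does not define."""


def normalize_attributes(assertion_xml):
    """Map every Attribute in the AttributeStatement onto the local schema.

    Fails closed: an attribute whose (NameFormat, Name) pair is not in SCHEMA
    raises instead of being passed through under whatever name the IdP chose.
    FriendlyName is deliberately ignored; it is informational in the spec and
    an IdP can set it to anything.
    """
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        # SAML 2.0 core: a missing NameFormat means "unspecified".
        fmt = attr.get("NameFormat", UNSPEC_FMT)
        local = SCHEMA.get((fmt, name))
        if local is None:
            raise SchemaError("unmapped attribute %r with NameFormat %r" % (name, fmt))
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        if local in result and result[local] != values:
            raise SchemaError("conflicting values for %r" % local)
        result[local] = values
    return result


# Constructed sample 1: an IdP following the X.500/LDAP attribute profile.
ASSERTION_LDAP_PROFILE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    Name="urn:oid:2.5.4.4" FriendlyName="sn">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample 2: an IdP using plain names under the basic format.
ASSERTION_BASIC_PROFILE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="givenName">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample 3: no NameFormat at all, and a FriendlyName dressed up
# to look like the LDAP attribute.  The schema does not define this pair.
ASSERTION_UNDECLARED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c3" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="email" FriendlyName="mail">
      <saml:AttributeValue>mallory@example.net</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(normalize_attributes(ASSERTION_LDAP_PROFILE))
    print(normalize_attributes(ASSERTION_BASIC_PROFILE))
    try:
        normalize_attributes(ASSERTION_UNDECLARED)
    except SchemaError as e:
        print("rejected:", e)
```

Both well-formed assertions normalise to the same three local attributes; the third is rejected rather than silently accepted as "mail" on the strength of its FriendlyName. That explicit table of accepted (NameFormat, Name) pairs is the minimum the interop problems above call for; an ontology such as Higgins' OWL work is what you reach for when the table has to be shared and reasoned over rather than hand-maintained per relying party.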

At the end of the day (closing the loop and coming back to Paul's and Robin's point): even though a number of different products and projects have successfully worked together, this technology is a far cry from being an identity meta-system. Multi-protocol interoperability on the wire would be a true meta-system, and it is a goal that the various systems, Liberty, OpenID and Windows CardSpace included, would need to work on together. Concordia is (probably more than) a first step towards this goal.

[1] Obviously a lesson well learned from the LDAP and, even worse, the LDUP discussions.

Friday, August 03, 2007 5:22:16 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Monday, July 30, 2007

Here is a thought on privacy in Germany: it often appears that privacy protection is taken very seriously in Germany and that citizens have decent control over who gets access to their personally identifiable information. I was under that impression myself for a long time, until a discussion with a friend prompted me to take a closer look at the situation.

I was extremely surprised to see how little privacy protection actually exists in Germany with respect to the government. It is true that the Federal Data Protection Act ("Bundesdatenschutzgesetz") puts a lid on obtaining, storing, evaluating, and disseminating personal data, especially in the private sector. In general the opt-in principle is followed: the data subject must give express permission to collect or store PII, and has the right to revoke that permission at any time. However, the same federal law also makes it clear that some or all of these provisions can be overridden by more specific laws.

One set of laws limiting the Federal Data Protection Act are the registration laws ("Meldegesetze") that require every person living in Germany to register with city hall when taking up residence. These laws actually predate the data protection laws and allow the registration agency ("Einwohnermeldeamt") to collect and store the following attributes:

  1. all names (including former names, pseudonyms, etc.) and academic titles

  2. DOB, place of birth, sex

  3. addresses (all current and former), including the dates when they changed

  4. legal guardian(s), including addresses, DOB, date of death, titles, etc.

  5. all citizenships

  6. religious affiliation

  7. marital status, including dates and reasons for changes

  8. spouse (including names, titles, DOB, date of death, all current and former addresses)

  9. underage children (again, names, titles, DOB, ... you get the idea)

  10. date and place of death

  11. restrictions for releasing this data

  12. eligibility to vote in national or European elections

  13. tax relevant data (including religious affiliation of spouse)

  14. unique tax ID (as soon as it is issued)

  15. weapon permits, demolition permits

All this data is, more or less, freely accessible to any government agency, including the German internal revenue department and federal tax agencies, welfare offices, motor vehicle registries and licensed religious institutions.

In addition, the registration agencies will release your core data (names, titles, addresses) to any third party that asks, without notifying you. If said third party claims a legitimate interest (e.g. that you owe them money), the authorities will release pretty much all of the information about you, with the exception of items 6, 9 and 11-15.

Other government agencies (besides the registration authorities) may collect, store, and use more data about you. An interesting example is the tax agencies, which can automatically obtain your records at any financial institution without a warrant (they police themselves) and without telling you or the bank.

At the end of the day you have almost as little privacy and freedom from government (and private sector) intrusion in the "holy land" of data protection rights as you have here in database country. To some extent you might even have more freedom in the U.S., which not only has a very vocal privacy advocacy community but has also already gone through the disaster of rampant ID theft.


Monday, July 30, 2007 1:22:34 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Thursday, July 19, 2007
Totally unrelated to the usual topics, but still interesting (IMO): I have been really into multi-channel high-definition music for some time now and really enjoy SACDs and DVD-Audio discs. Chances are that you haven't even heard about these formats yet, since the content mafia music industry decided to introduce these very exciting formats with no marketing at all. Both have been around in force since about 2001 and they deliver (sometimes) excellent 5.1 surround music in extremely high definition:
  • DVD-Audio (PCM)
    • Stereo: up to 192 kHz/24 bit, about 4.3 times the sampling rate of the audio CD, and 144 dB theoretical signal-to-noise ratio vs. 96 dB for the Red Book CD (the 48 dB difference is a factor of 256 in amplitude).
    • Surround (5.1 discrete channels): up to 96 kHz/24 bit, still more than double the sampling rate of Red Book audio CDs, with a Nyquist limit (48 kHz) 28,000 Hz above the best human perception.
    • These high-resolution formats are contained in the DVD-Audio section of the disc that CANNOT be read by a "normal" DVD-Player. You will need a special DVD-Audio or Universal player for this.
    • DVD-Audio discs most often also have a DVD-Video section that typically contains the stereo track in standard 48 kHz/16 bit PCM stereo and sometime a DTS or Dolby Digital version of the surround mix. This section is playable in any standard DVD player.
    • DualDiscs have two sides: one is a DVD-Audio side, the other a CD audio side.
  • SACD (DSD)
    • Instead of the usual PCM encoding, SACD uses DSD encoding, which differs significantly from PCM in using single-bit quantization at a relatively high sampling rate (2.8 MHz, yes, megahertz). The claim of the DSD fans is that the demodulated signal is closer to the analog signal than with PCM encoding. Opponents complain about the more limited S/N ratio at high frequencies, artifacts of the (necessary) noise shaping and, in general, about a too-low sampling rate in the SACD specification.
    • SACDs must have a stereo DSD track and most often also have a 5.1 surround DSD track. These tracks can only be read by SACD players (or universal players). Usually the signal is only available as an analog signal, although some players (Denon 3910, Oppo, PS3) convert the DSD signal into high-resolution PCM and send it over HDMI to the DAC or receiver.
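The DSD item above describes single-bit quantization and noise shaping in words. What follows is an added example, not from the original post and not the encoder used on real SACDs (those use higher-order modulators): a textbook first-order sigma-delta loop run at the SACD rate of 2.8224 MHz, followed by a boxcar low-pass and decimation back to 44.1 kHz. The 1 kHz test tone, the amplitude and the block size are assumptions made for the illustration.

```python
"""First-order sigma-delta (1-bit) modulation, the principle behind DSD.

Added example, not from the original post and not a real SACD encoder.
It shows three things the post argues about: the raw bit stream is a poor
sample-by-sample approximation, the error is pushed out of the audio band
(noise shaping), and a simple low-pass recovers the audio.  The 1 kHz test
tone is constructed here.
"""
import math

CD_RATE = 44_100
OSR = 64                      # oversampling ratio used by DSD64
DSD_RATE = CD_RATE * OSR      # 2,822,400 Hz


def sigma_delta_modulate(samples):
    """Return a list of +1.0/-1.0 bits for input samples in (-1, 1).

    v[n] = v[n-1] + x[n] - y[n-1];  y[n] = sign(v[n]).
    The integrator v holds the accumulated error, so the running sum of the
    bits tracks the running sum of the input with a bounded residue
    (|v| <= 1 + max|x|): each bit is far off, but the error averages out.
    """
    integrator = 0.0
    prev_bit = 0.0
    bits = []
    for x in samples:
        integrator += x - prev_bit
        prev_bit = 1.0 if integrator >= 0.0 else -1.0
        bits.append(prev_bit)
    return bits


def decimate(samples, factor=OSR):
    """Boxcar low-pass and decimate: average each block of `factor` samples."""
    n_blocks = len(samples) // factor
    return [sum(samples[i * factor:(i + 1) * factor]) / factor
            for i in range(n_blocks)]


def sine(freq_hz, seconds, rate, amplitude):
    return [amplitude * math.sin(2.0 * math.pi * freq_hz * i / rate)
            for i in range(int(seconds * rate))]


def rms(values):
    return math.sqrt(sum(v * v for v in values) / len(values))


def dsd_roundtrip(freq_hz=1000.0, seconds=0.004, amplitude=0.5):
    """Modulate a test tone and measure the error before and after the low-pass.

    Returns (rms error of the raw 1-bit stream against the input,
             max abs error of the decimated stream against the block-averaged
             input, number of 44.1 kHz output samples).
    With amplitude 0.5 the integrator stays within +/-1.5, so a 64-sample
    block average can be off by at most 3/64, about 0.047.
    """
    x = sine(freq_hz, seconds, DSD_RATE, amplitude)
    bits = sigma_delta_modulate(x)
    raw_error = rms([b - s for b, s in zip(bits, x)])
    recovered = decimate(bits)
    reference = decimate(x)
    block_error = max(abs(r - s) for r, s in zip(recovered, reference))
    return raw_error, block_error, len(recovered)


if __name__ == "__main__":
    raw, block, n = dsd_roundtrip()
    print("raw 1-bit rms error: %.3f" % raw)
    print("max error after 64x boxcar decimation: %.4f over %d samples" % (block, n))
```

Per sample, every bit is at least 0.5 away from the signal (the bits are ±1 and the tone never exceeds ±0.5), yet after averaging 64 bits the waveform is back to within a few percent. That gap between the two error figures is the noise shaping the opponents in the item above are complaining about: the quantization error has not gone away, it has been moved to frequencies the boxcar removes, which is also why a first-order loop like this one would be far too noisy for a real product.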
While DVD-Audio is most common for popular music (e.g. the Talking Heads re-releases on DualDisc), SACD is most common for classical titles. Since they had such a slow start from 2001 through 2006, many early-adopting labels have either stopped DVD-A and SACD production completely or are only releasing obscure titles or a very limited selection. Notable exceptions (in the classical world) are Tacet and MDG (DVD-Audio); Pentatone, Channel Classics, BIS and Alia Vox (SACD). Please check my del.icio.us links for online retailers.

Going forward, I expect that SACD will get a lot of attention, especially from the labels (see e.g. the Genesis re-releases on SACD). The reason for this is quite simple, IMO: SACD is the *only* format that has not been hacked so far; all others (including Blu-ray and HD DVD) are copyable. And I think that this will stay that way for quite a while, for the following reasons:

  • There is no SACD drive for computers, which makes hacking infinitely more difficult.
  • The copy protection mechanisms are not very well understood.
  • There is no known way to create an SACD at home that plays on a stock SACD player.
  • Even if SACD were hacked, there is virtually no mainstream hardware and almost no software support for DSD, making the digital data very mainstream-unfriendly.

You might argue that you could sample the analog output at 96 kHz or better, or capture the converted PCM from some hacked HDMI player. All of this would require a lot of expertise and probably some fairly expensive hardware, again making this approach unattractive to the mainstream user. Note that none of the hurdles above is a cryptographic guarantee; they raise the attacker's cost rather than rule an attack out.

Now, even if you overcame all these hurdles, you'd need to play the 5.1 96 kHz track somewhere. The only easy-to-use solution today is the creation of a DVD-Audio disc (which is neither trivial nor cheap). Alternatively, you would need a decent PC with six analog outputs and the knowledge to configure the sound card(s) properly ... not for the mainstream user, again.

Instead, mainstream users would simply copy the Red Book CD layer of hybrid discs and be happy. Therefore I think that the SACD, at least, will survive the HD wars.


Thursday, July 19, 2007 12:19:34 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 

Copyright by Gerald Beuchelt.