Friday, August 31, 2007

Here is an interesting article from SPIEGEL ONLINE (unfortunately in German only). It describes how one of their journalists, Franz Walter, ended up in Spock.com listed as being related to the National Socialist Walter Gross. This caused another newspaper to contact Mr. Walter and ask him where he stood politically.

To understand the significance of this event, you should know that for all even half-way decent Germans any association with the former National Socialists is abhorrent. On top of this, the SPIEGEL ONLINE and its journalists are well known for their left-leaning political alignment, making such an association professionally untenable.

The root cause of this event seems to have been a particular image on the web. That image had the file name "walter_gross.jpg", which would translate into English as "walter_big.jpg", referring to a large image of Mr. Walter. The algorithms of Spock were tuned to English keywords, but associated a file called "walter_gross.jpg" with the former head of the National Socialist racial policy office.

This episode is quite telling: when architecting complex identity systems, we must be very careful about the semantic significance of the attributes of a given digital identity. In this example, the linguistic limitations of the algorithm caused a false identification of a living person with a dead criminal.
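
As an added illustration (not code from the article, and not Spock's actual algorithm), here is a Python sketch of the kind of file-name heuristic that produces such a false link, beside a version that treats locale-specific descriptive words as non-name tokens and requires the full name to be corroborated in the page text before linking. The person index, page text and word lists are constructed for the example.

```python
import re

# Constructed sample person index (not a real data set): name -> description.
PERSON_INDEX = {
    "walter gross": "Walter Gross, historical figure already in the index",
    "franz walter": "Franz Walter, journalist",
}

# Descriptive words that commonly appear in image file names and are not
# parts of a person's name. An English-only tuning misses the German list,
# where "gross" simply means "big".
NON_NAME_TOKENS = {
    "en": {"big", "small", "large", "thumb", "thumbnail", "portrait", "photo", "img"},
    "de": {"gross", "groß", "klein", "foto", "bild", "portrait"},
}

# Constructed page text: an article by Franz Walter that never mentions Walter Gross.
PAGE_TEXT_DE = "Ein Kommentar von Franz Walter, Redakteur bei SPIEGEL ONLINE."


def tokens(text):
    """Lower-case and split on anything that is not a letter (incl. German umlauts)."""
    return [t for t in re.split(r"[^a-zäöüß]+", text.lower()) if t]


def naive_links(filename):
    """The failure mode: link every indexed person whose name parts all occur
    in the file name. 'walter_gross.jpg' therefore links to 'walter gross'."""
    toks = set(tokens(filename))
    return sorted(name for name in PERSON_INDEX if set(name.split()) <= toks)


def careful_links(filename, page_lang, page_text):
    """Hardened matcher:
    1. drop descriptive tokens for the page's language (plus English as a fallback),
    2. a file name alone is never sufficient evidence: the full name must appear
       as a phrase in the surrounding page text."""
    stop = NON_NAME_TOKENS.get(page_lang, set()) | NON_NAME_TOKENS["en"]
    name_toks = set(tokens(filename)) - stop
    text = " " + " ".join(tokens(page_text)) + " "
    out = []
    for name in PERSON_INDEX:
        parts = name.split()
        if not name_toks.intersection(parts):
            continue                      # file name gives no name evidence at all
        if f" {name} " in text:           # corroborated by the page itself
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    print("naive:  ", naive_links("walter_gross.jpg"))
    print("careful:", careful_links("walter_gross.jpg", "de", PAGE_TEXT_DE))
```

The naive matcher reproduces the article's false link, while the careful one links the page to Franz Walter only.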

This time it did not cause any harm, mostly because the association was so extreme and was found very early. But what if a similar incident happens to a fresh college graduate looking for a job? These days it is not too uncommon for managers and HR departments to take a quick look at what Google, LinkedIn, or other search engines and social networks turn up on a given name. It is bad enough when people ruin their own reputation by publishing inappropriate photos of themselves. It is worse if someone impersonates an adversary and tries to ruin his or her online reputation. But having an "identity system" or social network do this automatically makes me very afraid.


Friday, August 31, 2007 4:05:58 PM (Eastern Standard Time, UTC-05:00)
Wednesday, August 29, 2007

There has been quite a bit of discussion about SXIP's recent OpenID Infocard token profile: Johnny Bufu, Peter Williams, and I had some email exchanges, Eve commented on Eric's blog, and Dick made some comments about his view on the IPR status.

All this is great, exciting, or anything else you might want to use for describing conditions of euphoria. And I do acknowledge the work that Dick, Johnny, and Mike put into this effort. However, the big questions that are still unanswered (at least for me) are: who cares? And: are we hurting ourselves?

The Bigger Picture

If I take a look at the deployment rate of new-identity-protocol relying parties, i.e. mostly OpenID and Infocard, the picture is rather sobering: there is little activity[1] and currently also few signs that this might change. One of the interesting results of the recent OpenID project at Sun was that successful web property owners have little or no interest in outsourcing their identity system, or even only the authentication part of it (which is the only established role of OpenID or Infocards at this time).

The same kind of behavior can also be seen on a larger scale where the big application and service providers like Google, Facebook, or Yahoo! have little or no real interest in a truly federated/distributed internet-wide identity system, since it is not compatible with their respective business models[2].

So overall, it seems safe to assume that any effort directed at convincing web property owners to adopt a particular identity system is an uphill battle, especially if they have to invest time and money into equipping their web servers with a compatible relying party.

OpenID Tokens, Anyone?

Now, what would be required to use the OpenID Infocard token profile? In addition to the entire OpenID infrastructure (OpenID Auth 2.0 et al.), you would also need a - more or less - complete Infocard infrastructure. In addition, you would need to make sure that the respective parts are tightly synchronized [3].

In addition, none of the OpenID specifications has passed extensive peer review in an open standards process, they have IPR issues plastered all over them, and they are - pretty much - all in beta (or pre-alpha) at this time. While these issues have been discussed in the past, it still seems reasonable to point them out in this context.

Rolling out a complete and fully supported Infocard infrastructure is somewhat easier, since Microsoft is providing de facto reference implementations for the card selector and the relying party. Also, the IPR situation is less confusing, since the OSP covers - as far as I can see at this time - a pretty large chunk of the complete Infocard identity system.

Who cares now?

For a potential deployer, the question is now: "If I have an (almost) shrink-wrapped identity system called Windows CardSpace, why should I start to dabble with the deployment and replace the built-in SAML tokens with OpenID tokens?" Besides the technical difficulties, there is also the issue that an OpenID-token-based Infocard deployment only allows what is called "auditing mode". Add to that that most clients will probably not have Infocards with OpenID tokens installed, and my initial questions come up again: who cares? And: are we hurting ourselves?

Most end-users do not care at all. In an Infocard-world, they just want to use the Windows CardSpace selector to login. If a given site does not support self-signed cards or a managed card they already have, chances are that they will simply go away.

The relying parties do not care either: most of them want to attract users to their sites. If there is a simple SSO/identity system they can deploy and buy support for, they probably will as long as it fits their business model. Many successful Liberty deployments attest to that. If it involves unreleased or unsupportable technology, potential patent disputes, or simply a lot of additional work, they will likely shy away from such a solution.

There are also no benefits for the IdPs: having to run a combined OpenID/Infocard infrastructure might add only a little administrative overhead, but it does not really add a lot of additional benefits either.

Are We Hurting Ourselves?

My answer to this would be a decisive: "yes". While the OpenID Infocard token replaces the HTTP redirect with the much more phishing resistant Infocard scheme, it will lead to some significant confusion in the marketplace. Educating customers and end-users might help to some extent, but explaining the differences between auditing and non-auditing mode is going to be very difficult. This is why Kim is rather careful about not advocating it: it breaks his own 7 laws.

At the end of the day, relying parties will have to decide what they want to do - and it seems to me that the decision for or against a particular identity system (such as Liberty, Infocard, or OpenID) will not be based on tokens, but rather on the entire package, including vendor support, reachable customers, and overall acceptance.


[1] Especially when comparing this with the rate of IdP rollouts for these protocols.

[2] In fact, I would argue that the interoperability debates of the 90s - WindowsNT/Active Directory, eDirectory, LDAP, etc. - were focused on the same issue of identity. At that time, it was the software suppliers fighting over identity WITHIN the enterprise, since control over the user database was the key to influence a lot of strategic decisions.

[3] To be fair, this is true for all complex interoperability scenarios.

Wednesday, August 29, 2007 10:46:38 AM (Eastern Standard Time, UTC-05:00)
Friday, August 24, 2007
Just some Friday humor:


Friday, August 24, 2007 4:37:19 PM (Eastern Standard Time, UTC-05:00)
Just a quick update: OpenSSO is now using the WSIT/Metro STS for WS-Trust protocol transactions. Congratulations to the team (and especially Mrudul) for getting this done!


Friday, August 24, 2007 11:12:53 AM (Eastern Standard Time, UTC-05:00)
Wednesday, August 22, 2007

During last week's Project Concordia call, we had an interesting discussion about cross-protocol identity use cases and scenarios. Ashish made a very good observation during this call: many times when we are discussing identity protocol transitions or cross-protocol use cases, we are not so much dealing with protocol interoperability, but rather with a protocol mashup.

Proper interoperability - in this definition - requires the ability to interpret foreign protocols and have full access to their semantic content. I have sometimes referred to this level of interoperability as interchangeability. An example of such a high level of interoperability would be the ability to extract authorization data from a Microsoft Kerberos ticket and use the NT-PAC data to create a SAML attribute statement.

A protocol mashup on the other hand would only require very limited knowledge about the semantics of another protocol, but instead it simply profiles the use of one protocol (or in this case: identity system) with another. A simple example would be the use of self-signed InfoCards to authenticate to an OpenID Provider.


Wednesday, August 22, 2007 3:41:51 PM (Eastern Standard Time, UTC-05:00)
Tatsuo Kudo wrote an article in Japanese on how to configure the OpenID Extension for OpenSSO. As far as I could see (http://tinyurl.com/35gfuh), this is a great article.


Wednesday, August 22, 2007 8:40:49 AM (Eastern Standard Time, UTC-05:00)
Thursday, August 16, 2007

Dare Obasanjo points out a couple of reasons why globally federated identity systems have - at least today - a very hard time breaking into the walled silos of service providers: Facebook immediately comes to mind, but so do others like Google, Yahoo!, etc. The most important reason for *not* accepting foreign credentials is the potential risk to the business model involved.

To some degree we have seen exactly the same behavior when we were trying to convince stakeholders at sun.com to sign up for accepting OpenIDs: their most commonly voiced concern was that they would potentially lose the ability to properly evaluate account attributes (for role assignment, general user management, etc.). Add to this the need of many advertisement-driven service providers to also use their account databases for targeted marketing, and you can immediately see the significant risk to their business model.

These issues and concerns are central to the (current) failure of general adoption of an OpenID 2.0 based attribute exchange[1]: nobody relying on advertising income will agree to outsource their attribute collection. They might be willing to accept foreign authentication mechanisms (such as e.g. OpenID 1.x or InfoCard), but this is only viable when combined with an in-house account database that links these different accounts.

Am I talking about account linking? Hmm, seems that I heard that at some place over and over again... The significant benefit that the Liberty framework offers is that it does not only focus on the technical aspects of federation, single sign-on, and attribute sharing. Instead, it also deals at least as much with the business and policy issues surrounding such deployments. And - by the way - most of these non-technical issues are already solved.


[1] Assuming that the IPR issues and patent threats around OpenID AX are ever resolved. Obviously another - already proven - way to implement attribute exchanges for identity protocols is SAML.

Thursday, August 16, 2007 2:20:50 PM (Eastern Standard Time, UTC-05:00)

I usually try not to act as a sound board for marketing, but this seems quite interesting:

"IBM and Sun announced that IBM will distribute the Solaris operating system (OS) and Solaris Subscriptions for select x86-based IBM System x servers and Blade Center servers."

Cool... the power of Open.


Thursday, August 16, 2007 1:49:04 PM (Eastern Standard Time, UTC-05:00)
Wednesday, August 15, 2007

... don't try this at home:

And here is what should happen to all mediocre audio equipment:


Wednesday, August 15, 2007 7:38:09 PM (Eastern Standard Time, UTC-05:00)
Monday, August 13, 2007
Constantin wrote a nice article on high-resolution audio, that I would really recommend to audio fans. I especially like the section on the shortcomings of CDs and some of the psychoacoustics behind it.

Just adding a few things:
  • DVD-Audio discs are also found on the DVD layer of DualDiscs. These beasts are two-sided media that have a Red Book CD side and a DVD side. If you own e.g. some of the re-releases of the Talking Heads (the Brick), you have DualDiscs with high-resolution (96 kHz/24 bit - 5.1 and Stereo) audio. There are two major caveats with DualDiscs: some do not feature DVD-A content, but rather a DVD-Video version, some interviews, or live concert video coverage. The other problem is that a few CD players have reported issues when playing back the CD side, since it is not 100% conformant to the physical characteristics of Red Book discs. I have yet to see a player where this would be the case.
    One of my favorite DualDiscs (beside the Talking Heads) is the 20th anniversary release of "Brothers in Arms" from the Dire Straits in DVD-A.
  • To make all things codec even more complicated, starting with the new HD video media there are now also new HD audio codecs:
    • Dolby TrueHD: Finally a codec from Dolby that does not take away half the audio information, TrueHD is a 14 discrete channel container using MLP compression.
    • DTS HD Master Audio: Another lossless HD contender, this time from DTS, with no logical limit on the number of discrete channels.
  • It was quite obvious that the content mafia industry would insist on delivering broken products for high-definition reproduction: thus was born the completely useless HDCP scheme, that damages the HDMI (and DVI) transport beyond repair. Unless your system is blessed with the right keys for decrypting HDCP-scrambled packages, you will not see any HD content on your system. Microsoft is deeply in cahoots with these dubious characters businessmen and intentionally damaged Vista to not properly display movies or High Resolution audio, as Peter Gutmann recently explained.
  • There is at least one more source for high-resolution audio - and it is even free: check out the Internet Archive, music section. A lot of bands allow fans to publish bootlegged versions of their concerts in any format, resulting in (sometimes) really nice quality recordings at high bitrates.

Monday, August 13, 2007 9:42:54 AM (Eastern Standard Time, UTC-05:00)
Friday, August 10, 2007

Today's announcement that Universal has finally decided to come to its senses is quite encouraging. In this, they join the ranks of EMI, which reported very positive revenue figures for their DRM-free music. These are certainly encouraging signs that the music industry is finally recognizing that times have changed and that the People are not their enemy, but instead potential customers.

I would like to take this occasion to point to a record company that should be recognized for their groundbreaking approach to music distribution: Linn Records, a subsidiary of the well-regarded Linn audio products company. Not only have they been selling DRM-free MP3s for quite some time now, but much more importantly, they are offering CD quality and - even better - studio master quality downloads for a large part of their selection. Note that these are not merely high bitrate MP3s: in the case of the CD quality downloads they ship 44.1 kHz/16 bit resolution, and for High Resolution it is mostly 88.2 kHz or 96 kHz with 24 bit quantization. To make this even better, the file formats are either WAV (uncompressed) or the free lossless compression format FLAC. Burning the bits to CD or DVD-A is actually encouraged.

Currently these downloads are all in stereo only. But upon request, a spokesperson told me that they are actively looking into the possibility of releasing some of their 5.1 music in high resolution.

If that got you interested, you might also want to take a look at their physical products: many of their releases are available in SACD and/or HDCD, and the artistic quality is - from what I heard so far - pretty good.


Friday, August 10, 2007 9:49:24 AM (Eastern Standard Time, UTC-05:00)
Thursday, August 09, 2007

This is the taping of the full lecture - highly recommended:


Thursday, August 09, 2007 1:39:20 PM (Eastern Standard Time, UTC-05:00)
Tuesday, August 07, 2007

With this article I will try to clean up a little bit of the confusion that I helped to create over the past few days. You might want to ask "WHY?" The answer to this is quite obvious: the medium is the message; the content of a message and how it is received depend strongly on the form it is presented in.

This will be my last post on the subject of "meta"-ness. At least for the time being.

It seems to me that there is a fundamental disconnect about what differentiates a system from a meta-system. For myself[1] (and it seems also for Paul and Robin), a system is a set of rules, protocols, profiles, etc. that are to be implemented. For example, there is a system in place that governs the quality of gasoline and automobile motors, and its standard ways of distribution. This system consists of rules, regulations, engineering practices etc.

From what I gathered in the recent discussion with Bob and Pamela, it seems that they would call these rule-sets a meta-system (please correct me if I am wrong). If I understand them correctly, the individual gas stations, car manufacturers, refineries, etc. would be called systems.

So far this comparative example held up well, therefore I will be trying to overstretch it now: To me, a meta-system would govern how e.g. different car fuel systems (such as hydrogen, electricity, natural gas) could be made to work together. Examples of this would be creating user devices (cars) or identity/service providers (gas stations) that can consume or dispense different types of fuels.

I am not quite sure what the right term for this would be, but the dreaded meta-meta-system certainly comes to mind. That is why I suggested (only half-jokingly) the term aleph 0 system[2], since it would equalize the different 'starting points'.

---

Now, applying these thoughts to the identity world, I come to the following conclusions:

  • Of the three contenders (Liberty, CardSpace, OpenID) for identity systems Liberty was the first identity meta-system.
  • Concordia will hopefully serve us to arrive at an identity meta-system (better: an aleph 0 identity system).
  • OSIS has so far tested implementations of identity systems (i.e. identity meta-systems), and will hopefully expand to use cases for identity meta-systems.



[1] In this article I will mark the terms system and meta-system either in blue or in orange, depending on whether I use them in my way or with the meaning that Bob and Pam have in mind.

[2] Ok, anybody with a better term?

Tuesday, August 07, 2007 8:34:31 AM (Eastern Standard Time, UTC-05:00)
Monday, August 06, 2007

There seems to be a little confusion over the differences between identity systems and meta identity systems. Some identirati are of the opinion that in order to qualify for the "meta" tag it suffices to support a single family of protocols and multiple token formats, while others are convinced that a "meta" system should also support multiple protocols.

Since this seems confusing to me, I implicitly suggested calling the latter an "identity meta-meta-system". Opening this can of worms, you can easily arrive at an "identity meta-meta-meta-system" etc. to include other staggering advances in interoperability such as semantics.

To prevent this kind of meta proliferation, I am now convinced that we should define the goal of "getting-these-pesky-identity-thingies-to-work-with-each-other": Aleph0 Identity System (AIS) [1]. The AIS can - by definition - not be implemented, but describes the elysian state, where all identity systems that would like to be interoperable or interchangeable, are interoperable or interchangeable with all others participating in the Aleph0 Identity System.


[1] This is motivated by the notion that the cardinality of a countable set (in this case the metas) is commonly denoted by Aleph 0:


Monday, August 06, 2007 10:13:27 AM (Eastern Standard Time, UTC-05:00)
Friday, August 03, 2007
Both Paul and Robin beat me to this ...

The recently published report by Burton's Bob Blakley summarizes the result of an interoperability testing fest at the Burton Catalyst conference earlier this year. This venue was a great success for the Windows CardSpace identity system, since it was the second OSIS event where a variety of open source projects and closed source commercial products demonstrated a significant level of interoperability. Given the early and evolving state of the InfoCard system, this is a great success for all parties involved.

However, Bob is somewhat mistaken in parts of his article:
"The interop participants accomplished in two months of concentrated effort what it would probably have taken them a year to do working independently without the looming deadline provided by the Catalyst demo."
This is not quite correct - the Catalyst interop fest was the second such event organized by OSIS. The first one was held earlier at the Internet Identity Workshop 2007. Results and blog reports on this can be found all over. Having been a member of OSIS for some time now, I find it a little unfair that this interesting (un)organization - that certainly had its ups and downs - is not given the credit it deserves.
"While it is still fair to say that user-centric identity technology is in its infancy, if progress continues at this rate the technology should be ready for enterprise adoption within a year."
I am surprised to see such a bold statement, especially since even some of the core developers and architects are not quite happy with the term "user-centric identity". Let's just step back and start to count how many glossaries, lexicons, and lists-of-used-terms define digital identity, identity system, user, and user-centric in different ways with sometimes completely different semantics. Predicting enterprise adoption within a year seems a little overly optimistic to me, especially if we consider that there are still a number of significant issues even within the reference implementation of the InfoCard identity system.

As Mark Wahl has pointed out earlier, most of the issues encountered during the second OSIS interoperability fest are related to the lack of proper schema management for attributes and their semantics [1]. The only project in the Infocard system currently working on these issues is Higgins, with their use of OWL (although some people might argue that this is technological overkill).

Outside of the InfoCard system, there have been other efforts to get to at least some standardization of attribute interpretation (SAML attribute profiles, which work nicely with LDAP/X.500 and XACML and other likely sources) and work is being taken up by Liberty to standardize identity attribute sharing rules (e.g. the IGF/IDG work, based on CARML/AAPML).

At the end of the day (closing the loop and coming back to Paul's and Robin's point): Even though there have been a number of different products and projects that successfully worked together, this technology is a far cry from being an identity meta-system. Multiple-protocol interop on the wire would be a true metasystem, and is a goal that various systems -- Liberty, OpenID, and Windows CardSpace included -- would need to work on together. Concordia is (probably more than) a first step towards this goal.

[1] Obviously a lesson well learned through the LDAP and - even worse - LDUP discussions.

Friday, August 03, 2007 5:22:16 PM (Eastern Standard Time, UTC-05:00)

Copyright by Gerald Beuchelt.