Archive for the ‘Identity’ Category

Four More “Laws of Identity”

Sunday, May 1st, 2005

I (along with most if not all of the digital identity crowd) have been following the development (as well as, it appears, the general acceptance) of Kim Cameron’s seven Laws of Identity with great interest. Kim seems to “get it,” despite the fact that he works for Microsoft, the company that wanted to take total control over your identity to ease your online life - and to have full visibility into all of your online transactions - with Passport. (Needless to say, that didn’t go over very well.)

While reviewing Kim’s Laws, it occurred to me that there are some missing points and/or areas that could use some additional clarification, perhaps even to the extent that several new laws need to be drafted. I take the latter approach here. Though some of the “laws” presented below may be alluded to in Kim’s original seven, or given their obvious nature it could be considered overkill (or redundant) to explicitly state them as “laws,” I believe that the area we are exploring is so vital to the future of the Internet that no such assumptions should be made.

Kim is interested in creating an open platform (or “backplane”) that will interoperate with all (or at least most) of the various identity systems under development (Liberty/PingID, SAML/Shibboleth, LID, Sxip, FOAF and my favorite, XRI/i-names). Further, he has mentioned that he might use the excellent (though still nascent) WS-Trust specification to provide trust credentials across domains. I’ve looked at WS-Trust as a mechanism to support inter-community and inter-federation trust credential negotiation within the Identity Commons, but I’ve also had some concerns…

Intellectual Property

I’m no expert on IP issues, but my understanding is that the WS-* suite has IP restrictions, since the license is Royalty Free (RF) - which according to Microsoft’s Glossary “says nothing about other terms and restrictions within a particular license, or whether a license may be refused to certain licensees” - but not RAND (Reasonable And Non-discriminatory), the combination of which makes for a “GPL-compatible” (but still capable of proprietary use and extensions) license that paves the way for widespread adoption.

I’m particularly interested in using the WS-Trust specification, as it could become a key component of the structure of XDI federations, but I’m concerned that it may impose restrictions that prevent its free and open use in the wider (dare I say, non-corporate) community. This brings me to my first law, which I will audaciously number “8” as an addendum to Kim’s seven:

8. Freedom

The entity (often a person) using an online digital identity system must be in total control of their information. This implies that not only the data but also the access protocols and authorization mechanisms must not be encumbered by someone else’s (IP) rights, unless such restrictions were previously - and explicitly - agreed to.

Particular implementations or jurisdictions may impose restrictions, but the underlying identity management architecture and reference implementations must themselves impose none. Further, many may wish to cede certain control over their information to third parties for reasons ranging from security to convenience but again, this should be by choice, not by design. As we in the “digital identity community” are breaking ground by creating an interoperable set of identity standards, let us require that all reference implementations be 100% free and open source. Anything less leads us down the slippery slope of customer lock-in that should be avoided, having learned our lessons from earlier proprietary, closed and centralized solutions.

As Microsoft is a primary author of the WS-* specifications, I believe that if they put their weight behind the freeing of these currently encumbered specifications, they would not only gain positive press but would also see these specifications embraced by the open source community, thus moving the whole process a step closer to global acceptance.

That brings us to another proposed “Law” that has been much discussed but has not been explicitly stated, and which I believe merits being put forward:

9. Decentralization

An identity system should be decentralized.

I would like to say “must” rather than “should” but this is a very hard problem to tackle (see, e.g., Zooko’s Triangle). We need to aim for as close as we can get, as centralized identity systems are too easily co-opted by the dreaded spectre of Big Brother. Note that for the hard core among us (particularly the capability security gang), even systems based on DNS are centralized in that the DNS space itself is centralized at the so-called dot authority (the implied “.” at the end of every domain name).

For example, while the only currently implemented XRI/i-name namespace is rooted at a centralized authority, that is not a requirement of the technology and one can even run their own root(s) or distribute the roots across the internet, perhaps using a technology such as distributed hash tables. In the meantime, there is a suggested worse-is-better approach to solving Zooko’s Triangle (PDF) that i-name technology, for one, supports.

The reference to i-names, one of many identity architectures in a sea of evolving identity systems and standards, brings to the fore the requirement for the next law:

10. Portability

Bridges must exist - or be straightforward to create - between identity systems so that users are not locked into a single provider.

This relates to the “Freedom” and “Decentralization” laws above, adding an explicit call for some sort of ontological translation or taxonomy-sharing mechanism that allows concepts in one data space (as defined by a particular instance/combination of user and identity system) to be translated into another. This may not always be possible (as the Sapir-Whorf hypothesis suggests) but it is a goal of the Semantic Web activity and as such must also be a goal of an Identity Infrastructure (or Dataweb).

“Portability” (of both data and identity) is another way of saying that the technology itself must be free from customer lock-in. In essence, a customer using services provided by one set of vendors should be able to move to a completely different set of vendors and retain (at minimum) the great majority of their services. Some vendors, of course, will continue to build in lock-in, but providers that offer open systems will (in my crystal ball) gain greater customer loyalty.

Note that there is a tremendous opportunity here for Microsoft to build and embrace a truly open system. With their talented developer pool, they can provide the best user interfaces, system integration and overall user experience on an open system. If the system is truly open, this alone will be a huge selling point and provide maximal customer loyalty, something I believe Microsoft would like to maintain. However, if the system is closed and locks users into a Microsoft-only system… well, we’re already beginning to see backlash in that sphere, what with Firefox and various open document standards.

Finally, we come to a law directly related to the user experience. Users report a positive experience with a system when it clearly serves a perceived need, puts them in command of the user interface, makes it safe to explore its features, and empowers them with its capabilities. It is the word “safe” that I would like to call attention to here with the next Law:

11. Transparency

There should be a clear and (if desired) visible cause and effect relationship in all identity related transactions.

(I have a slightly different take on the term “transparency” than, say, Wikipedia, likely as a result of my previous work on OpenPrivacy.)

While in a typical deployed system there may be a lot going on “under the covers,” the relevant details of interactions must be available to the specific parties involved. If an old high school buddy finds me through the system, I’d like to be able to query the system to find out how this happened (in reality, this form of backtracking may not be initially feasible but it is a worthy goal). If my (personal) data is shared, I should be able to determine exactly under what conditions this occurs, and further, exactly how the data will be used by the obtaining entity.

Ultimately, I would like to see legislation that requires companies to make the data they maintain on their customers available to those customers (not dissimilar to current EU privacy regulations). Not only will this contribute to the enforcement of transparency, but it will also allow users to manage their own SuperProfile, yet another “holy grail” of the digital identity world.

Patterns of Community Development

Saturday, April 9th, 2005

I’ve recently returned to the study of design patterns, originally stemming from Christopher Alexander’s book, A Pattern Language. While the book concerns itself with patterns in physical architecture, software architects embraced the concept as they saw patterns in the design of software systems. The state of the art in Computer Science has, in only a few short years, embraced the concept of patterns, with many tools, languages and conferences devoted to software design patterns and languages. But I digress…

In my research, I discovered a set of patterns designed for developing a community (in this particular case, the Jini community) and I found many of the patterns to be remarkable and particularly apropos to what Identity Commons is striving to create. When I noticed that one of the authors was Richard Gabriel, I got even more excited, as Dick is sort of a hero of mine, as he was a primary architect of the Common Lisp Object System (CLOS) in the 80’s (did I mention that Lisp is my favorite language?). He’s also the author of Worse Is Better, which I received on an MIT mailing list in 1991. (I’m still digressing!)

So I’ll get to the point: here’s a link to the Jini Community Pattern Language (which could easily be renamed the Identity Commons Community Pattern Language!). But first, a note on the terminology of pattern definitions: These patterns have four parts:

  1. Context sets the stage
  2. Problem defines the problem
  3. Force (this one can be confusing) is a noun: a “force” that exerts pressure on the Problem within the Context
  4. Therefore is the conclusion (or strategy to find one)

There’s a lot there, so let me whet your appetite with a few teasers:

I leave the rest to you, dear reader. May we all thrive!

Authenticity

Sunday, March 27th, 2005

I haven’t blogged for over a month, so here’s a random rant to try to kick start this for me again…

Since the Xerox machine, people have been able to make easy copies of “the news,” but forgery was tough as (say) the New York Times had a distinctive type face and “feel” to it.

Now with the Internet, it’s trivial to make forgeries. (Phishing attacks work by creating convincing forgeries of trusted web sites.) It’s deep within my philosophy that anything that can be reduced to bits (what I generically call “software”) should be free. (Why should we pay lawyers to try to make a plentiful resource scarce?) IMO, the real value comes with software’s timely production, searching, indexing, matching, storage, maintenance, support, additional commentary, etc. In this vision (of utopia?) authentication is supreme. Anything that wasn’t authenticated would be generally ignored.

XDI helps raise authentication to a new level, as access to arbitrary data can be mediated by arbitrary contracts and policies. It’s turtles all the way down. And the danger of “tunnel vision” — seeing only what you pre-define that you want to see — is only real if that’s what you want. Through authenticated, constantly evolving relationships and communities, and perhaps even subscription to special (open source or for-profit) “serendipity” editors, a sound and well-rounded view (you pick the subject(s)) is readily available.

Problem is, it puts responsibility back on the person. But then, by joining a community that will assume certain responsibilities for you, you can offload that, too.

Sort of like the “real” world.

Less Databases

Monday, January 10th, 2005

Just came across Chris Ceppi’s blog posts on more Less Databases. He suggests that:

…some aggregation of identity information into centralized systems would be a big step in the right direction. Each aggregation point will be held to higher benchmarks for trust, security, privacy, and open standards than any completely decentralized system can ever attain.

I disagree on (at least) two accounts: first, he’s still talking about multiple aggregation points, so by definition (and being admittedly nitpicky) we’re still talking decentralized. But the major issue is: who controls the identity information?

Chris seems to think that we can and should trust a very few, highly secure, semi-centralized databases. Perhaps we should trust the government to hold all our personal information? Or maybe Microsoft? (As I used to say, ‘the only good thing about Passport is at least Microsoft won’t buy their database.’) Personally, I would rather trust who I want to trust, whether it’s my bank or a personal identity broker (like 2idi) or my own home server running a hardened personal copy of the open source i-broker software on an encrypted file system.

Such an i-broker can provide other sites with the ability to access and potentially even cache portions of my personal information, assuming they sign and abide by the specifics of the appropriate data sharing contracts. Adherence to these social contracts is governed by a mixture of technology and community reputation metrics that each community can define and manage as they see fit. Such social mechanisms simplify usability and put the privacy burden on policies and trust federations (which I believe can become a very powerful force indeed).

In this way, the number of databases truly drops to one, and as there is just one me - and I am the best authority for any information related to me - it seems natural and normal that I would be in control over my personal information.

Global Voices

Saturday, December 25th, 2004

Joi Ito wrote today about Global Voices (blog, wiki) which is “a name, an identity, a watchword to ward away the chills of restricted expression. A place for coordinating ideas; a source for inspiration; an optimistic, collaborative manifesto”. This is a very cool project and about the best thing I can think of to blog about on a holiday honoring the birth of a person who loved and respected all human beings.

And at the same time, I see many challenges. One of which is creating technologies that will enable people to read what they want and to publish their ideas - and maintain control over them - without fear of retribution. (This is also a primary goal of 2idi and the Identity Commons.) There is a project just underway aimed at giving all the people of Costa Rica a virtual identity (perhaps using i-names) with emphasis on the poor so as to help the distribution of aid and supplies where needed the most.

Let’s all get together and make the better world we envision real.

Free, just the way you want it

Monday, December 20th, 2004

Stephen Downes makes some observations that are indicative of some of the misunderstandings that surround i-name technology. I will briefly address two issues in particular:

I-names can be free

While so-called “global” i-names cost money, there are at least two types of free i-names, and I expect the large majority of i-names issued will be free. First, “community” i-names, which are delegated from a globally rooted organizational i-name, will, in most cases, be free. (Of course, it’s up to the delegating community to charge for them if they wish to.) Then there’s the wide open frontier of i-names that use a cross reference as a root, which enables a fully distributed P2P and/or DNS-based community root system. (This may also give you an idea of how completely open-ended the protocols are.) All that said, the current (limited time fund raiser) offering of 50 year global i-names for $25 is, IMO, a very good deal.

No governance required

But most civil society finds a certain amount of governance to be useful. It’s a good thing that people in this country drive on the right side of the road and that murder is illegal. In the online world, mailing lists like to limit posts from trolls or advertisers and K-12 forums like to limit (e.g.) sexual language. The Identity Commons is proposing an identity-based governance framework that enables member communities to decide for themselves what rules they will allow for inter-member and inter-community communications. For example, while a community may limit unrequested outside advertising (spam), it may allow - and even encourage - intra-community advertising. XDI-based negotiation mechanisms will enable communities to define their rules (XDI contracts) and their i-broker (such as 2idi) will enforce these contracts.

Our open APIs and open source vision are aimed at giving people 100% control over their personal identity information. It distresses me that there’s so much misunderstanding out there. At the same time, it’s understandable, given the identity systems proposed so far (e.g., Passport). The bottom line (IMO) is that we’re really on track to creating the identity services framework that will enable anyone to use it however they want to use it. That’s simply the way it should be.

Open APIs Crucial

Wednesday, December 8th, 2004

Olivier Travers writes of the need for open APIs. We at Identity Commons consider open APIs to be crucial (as well as open governance, open privacy and security mechanisms, etc.). Not only are the technologies used by 2idi to implement the IC platform based upon open standards and code (LAMP, XRI, XDI and SAML/Lasso), but all 2idi core software will be dual (BSD/GPL) licensed. In addition, we will be explicitly working with service providers of all types to create more and better open APIs so that they can more easily use the open authentication model. It may sound counterintuitive, but not only do we want to have as many people and applications connecting to us as possible, but we also want to encourage a multitude of providers offering services compatible with ours - all part of our open source plan for success.

As there will be other identity models in existence for a while (after all, we’re coming in rather late to the game) we will work to create interoperability where possible. Of course, since 2idi/Identity Commons is the only initiative that I know of that is aimed at a fully open system giving its users total control over their identity - including where their information is stored - some of the other identity providers that we interface with may have less than the desired level of compatibility.

Jon Udell on digital identity and Internet governance

Tuesday, December 7th, 2004

One of my favorite technology bloggers, Jon Udell, mentioned Identity Commons in his blog today. But even he got a part of the picture wrong. I don’t know how we’re going to do it, but we’ve got to get our message clearer.

Jon quotes Owen Davis as saying that [global] i-names will be priced similarly to DNS names. My goal (and I believe Owen shares it) as founder of 2idi.com (the first i-broker) is to provide [community] i-names for free as soon as possible. While global i-names will continue to cost money, local or community i-names can and will (in most cases) be free. Basic hosting will be free, too, and the cost of services will tend towards zero. Furthermore, as the interesting things happen on the edges of the ‘net, delegated community and sub-community i-names will be where all the action is.

So where is the business model when everything is free? To conjure an old joke: volume! We plan to provide a trustworthy and valuable service that, because of our open source business model, people are not locked into - rather, they choose to host their i-names with us. Once we are securely giving one, maybe two million people total control over their personal information, communities will form that have certain needs that we will be in an excellent position to service. And with that buying power, there will be marketers tripping over themselves to get access. Since our customers - and the communities that they make up - are in control, true permission-based marketing becomes possible. As we connect willing, qualified buyers with the products they are seeking, it should be easy for 2idi to skim (say) 1% off of the discounted purchase price, and everyone wins! (For more, see these musings.)

To Jon’s final point, after working on privacy protected personal profile systems for 25 years now, what excites me about Identity Commons is the planned chaordic governance model that is of, by and for the members. Building secure, reputation-based identity and transaction systems requires either a larger-than-usual degree of personal knowledge and responsibility, or a flexible, federated, community governance system to fill in the holes. I’m betting on the latter.

Slashdotted (We’re not centralized!)

Monday, December 6th, 2004

Wow - we just got Slashdotted! (And our servers seem to have withstood a sustained load over six times what their previous peak had been - whew!) Anyway, it seems clear that our messaging around how we work has got some holes in it…

First, it appears many people think that this is a centralized system. Actually, i-brokers, which are based on the open OASIS XRI, XDI and SAML standards, are not centralized. Well, they are now only because there is just one of them, but we have a project underway to package our code for release - under the dual GPL/BSD license - by the end of the year. At that point in time anyone can be an i-broker. As our business model is based on us being trustable (as people can easily move to any other i-broker if ours loses favor) it’ll simply have to be so - and provide an excellent set of services that cause people to stay with us.

Also, the fact that there is only one global i-broker may lead to some misunderstandings. While it is true that there are only two (primary) global namespaces - rooted in the ‘=’ (personal) and ‘@’ (organizational) global context symbols - there are two other types of namespaces that throw the system wide open. Community i-names, usually rooted with an organizational ‘@-name’, allow each community to create its own local namespace. For example, I’m “broadcatch” in the Slashdot namespace. Every community can create as many local namespaces as it wants to - for free!

The other primary global namespace, which opens things even wider, is the concept of rooting a namespace on an XRI cross reference. This will allow roots based on cryptographic public keys, among other things, and will be ideal in peer-to-peer systems as a vehicle for creating truly decentralized i-names.

Finally, besides the fact that i-name users have i-name portability that enables easy movement between i-brokers, the data that the i-broker manages for them can reside anywhere - including on their personal systems. There is no requirement that the data be stored at the i-broker - in fact, a basic i-broker has no mechanism for such data storage!

More later…

2idi’s Open Source Vision

Thursday, October 28th, 2004

With Identity Commons going live this past Monday, I finally had a moment to breathe and write a bit about our business model, which depends upon our software being open source and available.

At 2idi (disclaimer: I am a co-founder) we are building open source software to give people complete control over their personal information.

We are basing our technology on a new, open (OASIS) standard called XRI that provides, among other things, data portability. This means you can move the “home” of your identity to any XRI-compliant identity broker (i-broker) and the data itself can be stored at the service provider of your choice.

Simply put, in order for people to have control, they must have a choice regarding not only who can see their data, for what purpose and how that data is used, but also where it is stored and by whom it will be managed. So our software MUST be open source in order to ensure that our customers have that choice. If we did anything to “lock in” our customers, it would be against this very purpose.

It is through this transparency that we plan to prosper - by creating a brand that is stable, secure, open and thus deserving of trust. We understand that anyone making disclosures of personal or otherwise sensitive information must feel safe from harm, real or imagined. Once people have a place they can trust, they can choose to “open up” in order to receive desired services, make better connections and work together more effectively.

Our goal is to make this technology so safe that even we - the owners of this system - could not pry into people’s lives - or retrieve their Real Names - without their consent.

Such trust and safety offers unparalleled opportunities for matching, social networking, cooperation and true, permission-driven (I’m going to use the M-word) marketing in ways as yet unavailable without total loss of control over one’s personal information.

We believe that this initiative is not only good for the earth and its inhabitants, but also has a very real potential to be financially rewarding for everyone involved.