Planet OpenID

November 20, 2008

Kaliya Hamlin

Web Mobs and Proposition 8

I am Canadian so you can probably guess how I would have voted if I could have on Proposition 8 (the California constitutional amendment to define marriage as only between a man and a woman).
My views are not the point of this post. I am very concerned about what is playing out - online and in real life - between the two sides of this issue following the passage of the amendment.

First of all, we live in a democracy - the people of California voted for it - albeit by a small percentage, but that was the will of the people.

When I look at this, I think the way the NO side wins is by doing all the work the YES side did last time - only better. They go and put an amendment to the constitution on the ballot and then build support for it.

The NO campaign assumed it couldn’t lose, was badly organized, and didn’t have a comprehensive strategy for building support for its side across diverse communities throughout California. (The YES campaign was on the ground engaging with the black church community, for example - they never saw anyone from the NO side come to their communities to engage them on the issue.)

As the vote approached, the NO side, in a final and very flawed move, started attacking in television ads those who funded the YES side of the proposition, and in particular the Mormon Church.

It was this turn of events that led to the quite disturbing actions and behaviors by the NO campaign after the election.

The blacklisting and subsequent public harassment and targeting of specific people and specific religious groups for their beliefs and support of YES on prop 8 is wrong.

I take this personally: I have worked and do work with people who are Mormon (when I played water polo in university, and in the identity field). I respect the LDS church and the people in it - they have good values. Their religion is a very American one too (like Christian Science, its origins are on this continent). Watch the Frontline/American Experience 4 hour documentary on the history of the church and their experience as a people/religious group.

A close personal family member I know also voted YES and for all I know could have donated.

When mobs start appearing at the places of residence of YES contributors and at their businesses, it makes me worried.

I thought about this issue earlier in the campaign when I wrote this post: There are a lot of donkey’s in my neighborhood (and I know who they are)

From The Hive:

because she did about 60 gay ‘activists’ went to her restaurant and strong-armed her in a scene reminiscent of Nazi Germany. They went down a list of people who gave as little as 100 dollars to boycott, harass and attack them. They went there to ‘confront’ her for giving a measly hundred bucks based on her personal faith that she has had since childhood. They argued with her, and it was reported by local news reporters to have been a “heated” confrontation.

So is this the America we want? Where, if a private citizen wants to participate in the governmental process, they are harassed and accosted, their freedom of speech chilled by thugs?

From the NY Times:

The artistic director, Scott Eckern, came under fire recently after it became known that he contributed $1,000 to support Proposition 8…
In a statement issued on Wednesday morning, Mr. Eckern said that his donation stemmed from his religious beliefs — he is a Mormon — and that he was “deeply saddened that my personal beliefs and convictions have offended others.”

From the SF Chronicle:

Phillip Fletcher, a Palo Alto dentist who donated $1,000 to the campaign, is featured prominently on a Web site listing donors targeted for boycott. He said two of his patients already have left over the donation.

This is the site of the Anti Gay Blacklist. Then there is a blog called Stop the Mormons.

The night Obama won there was a party in the main street 6 blocks from my house, and I had a moment of insight into the future. This was a happy, celebratory mob - it was basically safe. People were texting their friends, telling them where it was and inviting them to join. I tweeted about it, so 900 people knew about it and where it was. I also knew that this new technology of texting and presence-based real-time information creates an increased capacity for mob formation. It made me wonder about the cultural skills and capacities we need to develop to interrupt mob behavior when it turns bad.

I think what is going on with the blacklists - which directly target people in their private lives - is wrong. I think targeting specific religious institutions for protest is wrong.

These people and these religious institutions are not propagating HATE; they are just not agreeing that marriage can be between a man and a man or a woman and a woman. This is a cultural difference of opinion.

I “get” where many of the gay activists are coming from - but it is not a place that will get them what they want. Many “fled” to the Bay Area to find a community and a place where they could be who they were (gay, lesbian, queer, transgender etc). They were raised in conservative churches in other parts of the country that may have been explicitly anti-gay. They likely have strong feelings against these institutions and similar ones. It does not make it OK to hate these people and act out against them. (If they want to proactively work on cultural change within these communities - Soul Force is doing a good job using nonviolence to work on change.)

We in the identity community need to understand what has unfolded here. The No on Prop 8 groups are using publicly available information. However, this used to be information you could only get by going and asking for the paper versions at the courthouse. So it was public, but with high friction to get at it. The web lowers the cost of getting this information to (close to) zero - Daniel Solove writes about this change in publicly available information in The Digital Person.

I wonder how we can balance the need to know who has contributed to political campaigns and propositions while at the same time preventing harassment and the emergence of negative physical and cyber mobs.

by iwoman at November 20, 2008 09:10 PM

Johannes Ernst

Marc: OpenID should be the brand for the "Open Stack"

Marc Canter raises what many in the community have been saying for a long time, but what the OpenID Foundation seems to have a hard time wrapping its collective minds around:

... OpenID can actually solve ... [many] issues - by embracing other complementary technologies (like oAuth, OpenSocial, Portable Contacts, microformats, FOAF and RSS/Atom) to create a wrapper solution oriented approach - focused on simplifying the whole ID conundrum for end-users. Barriers of entry, usability issues and confusing messages can all be solved by OpenID positioning itself as a single point-of-contact solution.

He follows up the next day saying:

Open Stack is a little too general. I use the term open mesh - on purpose - cause I don't WANT it to be specific. Open Mesh has to represent the combination of a bunch of different stacks; some open, some semi-open, whatever.

But OpenID sure is a great term - and it could certainly be morphed into THE brand.

This is what we need right now - a single entry point into solving the ID conundrum. ID is hard and asking end-users to keep track of the difference between Single Sign-On, authentication, reliable parties, claims, trust, security, privacy, data portability and persona - is just not gonna happen.

...

Without that - and we'll be stuck catering to geeks and nerds like us - forever.

That last sentence is one that I've been reiterating to anybody who'd listen in OpenID land for too many months now, or so it feels. Branding is at the very top of that list, and I completely agree that the brand has to be bigger than a little protocol (and thus not confuse the user with so many more little brands of other little protocols).

The question is: do the movers and shakers in this community have the courage to put the petty turf wars over being the biggest fish in a tiny pond aside, merge the ponds and actually create something, together, that is big enough to truly matter?

Says Marc:

Or as Rodney King said so eloquently "why can't we all work together?"

And I might add: and perhaps accomplish something that actually matters in the real world?

November 20, 2008 04:29 AM

November 19, 2008

David Recordon

Talk from FOWA London

I had an absolutely great time last month in London speaking at the Future of Web Apps! Chris Messina and I gave a 3-hour tutorial on the "Open Stack" and then I spoke about Blowing Up Social Networks with Open Tech later in the week. Video and slides below along with a quick interview with Simon Mackie from Carsonified.

November 19, 2008 04:27 AM

November 18, 2008

Brad Fitzpatrick

IPv6 (or, hello from 2001:470:1f04:900::2 !)

I figured it was time to learn IPv6 so I setup IPv6 at home using Hurricane Electric's free tunnel broker, one termination point of which is across the Bay in Fremont, so latency overhead is negligible, and he.net's IPv6 deployment is good (or so Lorenzo tells me).
sammy:~# ping6 ipv6.google.com
PING ipv6.google.com(2001:4860:0:2001::68) 56 data bytes
64 bytes from 2001:4860:0:2001::68: icmp_seq=1 ttl=58 time=97.7 ms
64 bytes from 2001:4860:0:2001::68: icmp_seq=2 ttl=58 time=96.9 ms
64 bytes from 2001:4860:0:2001::68: icmp_seq=3 ttl=58 time=97.2 ms
64 bytes from 2001:4860:0:2001::68: icmp_seq=4 ttl=58 time=98.0 ms

sammy:~# ping google.com
PING google.com (64.233.187.99) 56(84) bytes of data.
64 bytes from jc-in-f99.google.com (64.233.187.99): icmp_seq=1 ttl=246 time=94.5 ms
64 bytes from jc-in-f99.google.com (64.233.187.99): icmp_seq=2 ttl=246 time=97.7 ms
64 bytes from jc-in-f99.google.com (64.233.187.99): icmp_seq=3 ttl=246 time=93.7 ms
64 bytes from jc-in-f99.google.com (64.233.187.99): icmp_seq=4 ttl=246 time=92.5 ms
(Not that much worse.)

And I can now see all the dancing logos on various websites. (it's IPv6 tradition to serve animated GIFs of your company/site logo for people accessing it over IPv6.... silly, but cute.)

Still have some work to do... I need to get the rest of my machines routing through my Linux server (the one with the tunnel), including wifi. What's the typical configuration here? DHCPv6 and broadcast the route? Or does the IPv6 stateless auto-configuration for assigning the locally-scoped/link-local/etc addresses also include smarts of hosts w/ gateways advertising that?

In any case, still clueless, but at least with the tools to get slightly less clueless now.

It's weird having my own /64. (that's 2^64 addresses for my house)

November 18, 2008 08:00 AM

Martin Atkins

Warning: URLs can contain at signs!

This should not be surprising to anyone, but it has apparently caught out both me and Ma.gnolia: URLs can contain at signs!

Ma.gnolia has support for one of the fledgling attempts at a protocol for email addresses as OpenID identifiers. A few weeks ago I posted about my own experimental implementation of a different approach to the same problem. Both of us made the mistake of identifying an email address by simply looking for an at sign anywhere in the entered URL.

This is, of course, not good enough. Flickr's OpenID identifiers that are already in the wild have at signs in them. There's nothing constraining anyone else from using an at sign, either. So what is a boy to do? Time for a more restrictive regex, I guess. /^[^:/]+@[^:/]+/ ought to do the trick, I think. There is of course the big elephant in the room that all of these are breaking backward-compatibility with existing implementations that turn mart@example.com into http://mart@example.com/.

I've had on my to-do list for a while now some research to see what existing implementations do when presented with URLs like that. I'm sure it's suboptimal whatever it is, but we need to consider how existing implementations will behave if we change the rules now. In an ideal world, we'd find that current implementations all behave basically the same and we can document that as opt-in fallback behavior when "proper" email address support is not available at a particular RP.

by Martin Atkins at November 18, 2008 05:41 AM
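The two checks the post contrasts, written here as an added example (not code from the post or from Ma.gnolia): the naive "any at sign" test beside the restrictive regex, plus the legacy normalisation that turns mart@example.com into http://mart@example.com/. The sample identifiers are constructed; the Flickr-style one only follows the shape of a profile URL containing an at sign.

```python
import re

# Naive test the post says both Ma.gnolia and the author's code used:
# an at sign anywhere in the entered identifier means "email address".
def naive_is_email(identifier: str) -> bool:
    return "@" in identifier

# Restrictive pattern proposed in the post: the at sign must come before the
# first ':' or '/', i.e. before anything that could be a URL scheme or path.
EMAIL_RE = re.compile(r"^[^:/]+@[^:/]+")

def is_email_identifier(identifier: str) -> bool:
    return EMAIL_RE.match(identifier) is not None

def legacy_normalize(identifier: str) -> str:
    """The backward-compatibility problem the post raises: existing relying
    parties treat the input as a URL, prepend http:// when no scheme is given
    and add the empty path, so mart@example.com becomes http://mart@example.com/
    (the at sign then marks URL userinfo, not an email address)."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    if identifier.count("/") == 2:   # scheme://host with no path yet
        identifier += "/"
    return identifier

def classify(identifier: str) -> dict:
    """Compare what the naive and the restrictive check say for one input."""
    return {
        "input": identifier,
        "naive_says_email": naive_is_email(identifier),
        "regex_says_email": is_email_identifier(identifier),
    }

# Constructed sample identifiers (none of these are real accounts).
SAMPLES = [
    "mart@example.com",                            # genuine email-style identifier
    "http://mart@example.com/",                    # legacy normalisation of the above
    "http://www.flickr.com/photos/12345678@N00/",  # URL that merely contains '@'
    "https://example.com/~mart",                   # ordinary URL identifier
]

def report() -> list:
    """Classification of every sample under both checks."""
    return [classify(s) for s in SAMPLES]

if __name__ == "__main__":
    for row in report():
        print(row)
```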

November 16, 2008

Brad Fitzpatrick

Android Garage Door Opener, part 2

This is a follow-up to my previous post to say:

SO. FUCKING. AWESOME.

I got it all working. I now have an Android Activity (GarageDoorActivity) which interacts with an Android Service I wrote (InRangeService), letting me start and stop the service's wifi scanning task. The service gets the system WifiManager, holds a WifiLock to keep the radio active, and then does a Wifi scan every couple seconds, looking for my house.

When my house is in range, it does the magic HTTP request to my garage door opener's webserver (HMAC-signed timestamped URL, for non-replayability/forgeability if sniffed) and my garage door opens. Complete with a bunch of fun Toast notifications (like Growl) and Android Notifications (both persistent ongoing notifications for background scanning, and one-time notifications for things like the garage door actually opening).

I just threw on some shoes and hopped on my motorcycle to do a test lap around the neighborhood. When I got to the corner, I pulled up the activity and pressed "Start" (aka "Going home now"). A lady on the corner saw me playing with my phone on my motorcycle and said, "The reception's not so good up here." I thanked her, not wanting to explain what I was actually doing.

I then finished the lap around the block and the garage door started opening a few houses away. By the time I pulled up, I could already back the bike into the garage. HELL YES.

Update 2008-11-16: The source code is now available.

November 16, 2008 07:44 PM
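One way to implement the HMAC-signed timestamped URL the post describes, as an added example in Python rather than the project's own Java/Android code. The secret, the base URL garage.local, the query parameter names and the 30-second freshness window are assumptions; the server side also refuses any timestamp at or below the last accepted one, which is what keeps a sniffed URL from being replayed even inside the window.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed shared secret; a real one lives only on the phone and the opener.
SECRET = b"constructed-demo-secret-not-the-real-key"
WINDOW_SECONDS = 30      # how far apart the phone and opener clocks may drift

def sign(ts: int, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 over action and timestamp. Covering the action too (an
    addition to what the post states) means a signature captured for one
    request type cannot be reused for another."""
    msg = f"open:{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def build_open_url(now: int, base: str = "http://garage.local/door") -> str:
    """Phone side: the URL requested once the house wifi is in range."""
    ts = int(now)
    return f"{base}?{urlencode({'ts': ts, 'sig': sign(ts)})}"

class OpenerServer:
    """Door side. A request is honoured only if the signature verifies, the
    timestamp is fresh, and it is newer than the last accepted timestamp."""

    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.last_ts = 0          # highest timestamp accepted so far

    def handle(self, url: str, now: int) -> str:
        q = parse_qs(urlparse(url).query)
        try:
            ts = int(q["ts"][0])
            sig = q["sig"][0]
        except (KeyError, ValueError):
            return "reject: malformed"
        # Verify first, and in constant time, so an attacker learns nothing
        # about the expected signature from how long the comparison takes.
        if not hmac.compare_digest(sig, sign(ts, self.secret)):
            return "reject: bad signature"
        if abs(now - ts) > WINDOW_SECONDS:
            return "reject: stale timestamp"
        if ts <= self.last_ts:
            return "reject: replay"   # same or older URL seen again
        self.last_ts = ts
        return "opened"

if __name__ == "__main__":
    srv = OpenerServer()
    url = build_open_url(1_226_880_000)          # constructed clock value
    print(srv.handle(url, 1_226_880_005))        # opened
    print(srv.handle(url, 1_226_880_010))        # reject: replay
```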

Brad Fitzpatrick

Android Garage Door Opener

I've finally put the source code to my Android garage door opener online:

To get it, just run:

$ git clone git://github.com/bradfitz/android-garage-opener.git

Or browse the code online. Just keep in mind the code might suck because I barely know Java or Android, so educate me if you see bugs. But it works. *shrug*

Enjoy.

November 16, 2008 07:40 PM

Martin Atkins

The representative hCard for a Page

In my previous entry I mentioned that I couldn't find a way to go from an XFN-discovered URL to an hCard describing the corresponding person. It turns out that David's response was correct: there is a way to do this already. The catch is that rather than linking from the page to the hCard, it instead links from the hCard to the page. The fact that I already had half a solution in my mind when I was searching for existing practice prevented me from finding this one. Mea Culpa, I guess.

This is, however, a good example of what I consider a failure in the design of some Microformats. For me, the big advantage of Microformats over other data publishing mechanisms is that I just need to add a few adornments to data I'm already publishing, so I can add Microformats support quickly with no visual or structural impact on my page. This approach for marking "representative hCards" fails to deliver on this promise: my page doesn't have a link to itself. Why would it? You're already there!

This does draw my attention to something I hadn't noticed before: the hCard on my site doesn't contain my URL, so if you export it using existing tools you won't get the URL field populated. I'm loath to put a self-referential link on my page, since that'd be confusing. It feels like hCard parsers should be able to infer that my URL is the current page URL having determined that this is the representative hCard... but of course, as currently specified, a parser can't determine whether it's the representative hCard unless I publish that self-referential link.

I've posted the proposal from my previous entry on the Microformats mailing list to see what the Microformats community thinks of it. I think it complements nicely the approach they're already recommending, allowing some additional possibilities that it can't support alone. It also doesn't invent anything new: the link element and rel="me" are being used to mean what their respective specifications say they should mean, and the hCard documentation already says that if a fragment is present in the URL the parser must look only within the identified element.

by Martin Atkins at November 16, 2008 07:52 AM

November 15, 2008

Martin Atkins

When hCard meets XFN

hCard is a microformat for encoding the contact information for a person, company, organisation or place. XFN is a microformat that uses URLs to represent people and links between those URLs to represent relationships.

If you've got a URL representing a person, how do you publish the contact information for that person? An obvious answer is to include an hCard in the page returned at that URL. However, as far as I can tell there's no way presently to mark up the fact that a particular hCard on a page at a particular URL is the hCard of the person the URL represents, which I find to be an irritating disconnect.

Since I was unable to find any prior art for this, I'll make a straw-man proposal. On my main website I've had for some time my basic contact information marked up with hCard. To support discovery of my hCard, I added id="contactinfo" to the element that holds the vcard class and then added the following to <head>:

<link rel="me" href="#contactinfo">

My intent here is to say that the element with the id "contactinfo", which in this case is an hCard, represents the same person as the page as a whole. This technique could be used for any other person-related microformat too, such as perhaps an hAtom feed of a person's activity stream. (though rel="alternate" might make more sense in this case.)

This seems like a nice, straightforward way of filling this missing link. If there's an existing practice I missed then please let me know, or else I'd love to hear feedback on this approach.

by Martin Atkins at November 15, 2008 09:25 PM
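Discovery logic for both routes to a representative hCard: the <link rel="me" href="#fragment"> proposal in this entry (page to hCard) and the existing practice the "representative hCard" entry above describes (the hCard's own url property is a rel="me" link back to the page). This is an added example, not code from either entry or from any Microformats library; the sample pages and the example.com URL are constructed, and the scanner assumes well-formed nesting and does not implement full hCard parsing.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Elements that never get a closing tag, so they must not go on the stack.
VOID_TAGS = {"link", "meta", "img", "br", "hr", "input", "area", "base"}

class HCardScanner(HTMLParser):
    """Collects both signals: <link rel="me" href="#frag"> entries, and for
    every element with class="vcard" its id plus the <a class="url"> links
    found inside it (with their rel values)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.me_fragments = []   # fragments named by <link rel="me" href="#...">
        self.vcards = []         # [{"id": ..., "urls": [(absolute_href, rels)]}]
        self._stack = []         # per open element: its vcard index, or None
        self._open = []          # indices of vcards whose element is still open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = (a.get("class") or "").split()
        rels = (a.get("rel") or "").lower().split()
        href = a.get("href")
        if tag == "link" and "me" in rels and href and href.startswith("#"):
            self.me_fragments.append(href[1:])
        if tag == "a" and "url" in classes and href and self._open:
            # a url property belongs to the innermost hCard still open
            absolute = urljoin(self.page_url, href)
            self.vcards[self._open[-1]]["urls"].append((absolute, rels))
        opened = None
        if "vcard" in classes:
            self.vcards.append({"id": a.get("id"), "urls": []})
            opened = len(self.vcards) - 1
            self._open.append(opened)
        if tag not in VOID_TAGS:
            self._stack.append(opened)

    def handle_startendtag(self, tag, attrs):
        # <tag .../> opens and closes in one go, so it leaves nothing open
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        closed = self._stack.pop()
        if closed is not None:
            self._open.remove(closed)

def find_representative_hcard(html, page_url):
    """Return (vcard, rule) for the hCard representing page_url, else (None, None)."""
    scanner = HCardScanner(page_url)
    scanner.feed(html)
    scanner.close()
    # Rule 1, the proposal: a rel="me" link names the hCard element by fragment.
    by_id = {v["id"]: v for v in scanner.vcards if v["id"]}
    for frag in scanner.me_fragments:
        if frag in by_id:
            return by_id[frag], "head link rel=me -> #" + frag
    # Rule 2, existing practice: the hCard's url property is a rel="me" link
    # pointing back at this very page (the self-referential link).
    for v in scanner.vcards:
        for href, rels in v["urls"]:
            if "me" in rels and href.rstrip("/") == page_url.rstrip("/"):
                return v, "hCard url rel=me self-link"
    return None, None

PAGE_URL = "http://example.com/"   # constructed; not a real site

# Constructed page using the proposal: <head> links to the hCard by fragment.
PROPOSED = """<html><head><title>Me</title>
<link rel="me" href="#contactinfo">
</head><body>
<div class="vcard" id="contactinfo"><span class="fn">Example Person</span></div>
<div class="vcard"><a class="url" href="http://friend.example.net/">A Friend</a></div>
</body></html>"""

# Constructed page using the existing practice: the hCard links to the page.
EXISTING = """<html><head><title>Me</title></head><body>
<div class="vcard"><a class="url" rel="me" href="/">Example Person</a></div>
</body></html>"""

# Constructed page with an hCard but neither signal: nothing is representative.
NEITHER = """<html><body><div class="vcard"><span class="fn">Somebody</span></div></body></html>"""

if __name__ == "__main__":
    for page in (PROPOSED, EXISTING, NEITHER):
        print(find_representative_hcard(page, PAGE_URL))
```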

Johannes Ernst

How Not To Make Friends With Important Analyst Firms

Many technology vendors would go very far to be allowed to speak at one of the major analyst conferences for CIOs and other enterprise technology buyers.

So, in our case, an unsolicited invitation to speak at such a conference showed up in my e-mail inbox a couple of months ago. Then, a reminder, a few weeks later. And another repeat invitation. The jackpot, many vendors would say.

Except, that thanks to the spam-fighting wisdom of my e-mail program, I never got to see any of those e-mail invitations. Clearly, the spam filter must have thought, these guys are just trying to sell me something.

So here I am, having repeatedly slighted this invitation from a major analyst firm, without even realizing it. I only found out yesterday, by accident.

Can one apologize on behalf of one's spam filter? Would anybody in their right mind accept such an apology?

Life used to be simpler ...

November 15, 2008 12:20 AM

November 13, 2008

Martin Atkins

OpenDD: Reinventing RDF?

Today I've stumbled across OpenDD, which claims to be a format for describing social network data.

Having taken a look at their (fortunately quite short) specification, I can't help but think that this looks a lot like RDF. It identifies entities by URLs and describes properties and relationships of those entities. The only place where it deviates slightly from RDF is that the names of properties and relationships are just keywords, not URIs as they are in RDF. You could imagine just prefixing them all with something like http://opendd.net/schema/ and modelling them as RDF, though.

I've got mixed feelings about this specification. While the schema it creates looks like it could be useful for describing social network relationships, I'm not sure why that requires a whole new serialization. What's wrong with application/rdf+xml or application/turtle, for which processing libraries already exist?

The other interesting thing here is that much like RDF a given document isn't about a single subject but rather describes properties and relationships for various arbitrary entities. In order to make use of decentralized metadata like this, we need to be able to verify that the statements made by the metadata resource are authoritative.

With XFN, we know that the relationships are authoritative because they're published in the resource that is the subject of the relationships. With Atom, the <link rel="alternate"> in the resource implies that the Atom feed contains authoritative data about the resource. This could be achieved in a format like OpenDD's by removing all of the "subject" UUID attributes and having the document that links to the OpenDD data be the implied subject for all relationships. Is there an existing RDF serialization with the subject implied in this way? If so, this would seem like a good candidate for publishing social relationship data for those who dislike microformats.

by Martin Atkins at November 13, 2008 07:58 PM

November 10, 2008

David Recordon

Boxee on the Apple TV

I've been playing with this for a few weeks, it's really cool to watch Hulu on a giant projector and pull TV shows from my laptop. Gizmodo has a great writeup of how to use Boxee with your Apple TV!

November 10, 2008 11:56 PM

Johannes Ernst

Making OpenID More Usable: A Better State Diagram of Web Authentication

Traditionally, a state diagram (aka state-event model) of authentication on the web is very simple. It has only two states: Anonymous and Authenticated.

[traditional state model]

A user's session moves from Anonymous to Authenticated upon successful presentation of valid credentials (such as a password). It moves back to Anonymous if the user logs out, or after the user's session expired.

This model is very simple to implement, which is why it is so widespread, but unfortunately it is not very user friendly. If applied to OpenID, we get the rather bad user experience of, say, the wiki at openid.net, where logging in with OpenID actually takes more steps than it would take to log in with a traditional username and password.

In time for IIW that starts tomorrow, I'd like to propose a more complex but much more user-friendly model that's shown here:

[improved state model]

Here, we distinguish between the Anonymous state as before, but then three other states in which the user session may be. In each of these three states, the user is known, but with different levels of confidence.

  • In the first state, "This request authenticated", the HTTP request carries the valid credentials, and thus we have the highest confidence that the user is indeed the correct one.
  • From that state, the session immediately moves to "Session authenticated", typically implemented with a session cookie. While we are still fairly confident that the user is who was authenticated, we are less so than in the state "This request authenticated": for example, the user's cookie might have been stolen, or somebody else might be operating their browser because they stepped out of the office to get a cup of coffee.
  • Finally, when the session has expired, we still know who the user likely is, but with far less confidence. After all, they haven't provided a valid credential in some time.

The reason this is a better model is the state "Session expired", shown with a fill color. If a web application receives an incoming request while the session is in that state, with OpenID it often can transparently reauthenticate the user. In the extreme case, the user never has to provide any credentials to that application again (after the initial login), because every time the session times out, the application can transparently re-authenticate the user by going back to their OpenID provider. Note that unless the user explicitly logs out, the user's session never moves back into the Anonymous state; ergo, no fresh login is required. And there is just as much security as before.

In the case of the OpenID wiki, that would mean that it would simply "recognize me" the next time I want to edit, and I wouldn't have to go through the unnatural act of having to authenticate again. Unfortunately, MediaWiki does not implement that more complex state model, and so it's hard to make it behave that way. But it sure would be nice if it did.

Interestingly enough, some web properties implement this more complex model. In the case of Amazon, for example, you can recognize the state "Session expired" while the user is still known on their front page, where it says "Recommendations for Johannes. Not Johannes?". It only requires valid credentials later in the transaction. Now imagine that it didn't even need those if they implemented OpenID ...

November 10, 2008 03:41 AM
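The four-state model as an added example (not code from the post or from MediaWiki): a session object with the transitions the diagram describes, and a request handler that tries a silent round trip to the user's OpenID provider when the session has expired instead of showing a login form. The 15-minute TTL, the provider_confirms callback and the returned strings are assumptions; OpenID's checkid_immediate mode is named only in a comment as the mechanism that fits.

```python
from enum import Enum

class State(Enum):
    ANONYMOUS = "Anonymous"
    REQUEST_AUTHENTICATED = "This request authenticated"
    SESSION_AUTHENTICATED = "Session authenticated"
    SESSION_EXPIRED = "Session expired"

SESSION_TTL = 15 * 60   # seconds a session cookie stays trusted (assumed value)

class Session:
    """One user's session, tracking the four states of the improved model."""

    def __init__(self):
        self.state = State.ANONYMOUS
        self.identity = None       # the OpenID identifier, once known
        self.last_auth = None      # time valid credentials were last seen
        self.history = [State.ANONYMOUS]

    def _move(self, state):
        self.state = state
        self.history.append(state)

    def current_state(self, now: float) -> State:
        """Expiry is passive: the transition is noticed when a request arrives.
        Note the expired session keeps its identity; it never drops to Anonymous."""
        if self.state == State.SESSION_AUTHENTICATED and now - self.last_auth > SESSION_TTL:
            self._move(State.SESSION_EXPIRED)
        return self.state

    def credentials_presented(self, identity: str, now: float) -> State:
        """A request carrying a fresh, verified assertion from the provider.
        The credential is consumed by this one request, so the session moves
        straight on to being trusted via the session cookie only."""
        self._move(State.REQUEST_AUTHENTICATED)
        self.identity, self.last_auth = identity, now
        self._move(State.SESSION_AUTHENTICATED)
        return self.state

    def logout(self) -> State:
        """The only transition back to Anonymous."""
        self.identity, self.last_auth = None, None
        self._move(State.ANONYMOUS)
        return self.state

def handle_request(session: Session, now: float, provider_confirms) -> str:
    """Decide what to do with an incoming request.

    provider_confirms(identity) stands in for a round trip to the user's OpenID
    provider asking, without user interaction, whether it still vouches for the
    identity (OpenID's checkid_immediate mode fits here; the post does not name
    it). It returns True when the provider answers positively, else False."""
    state = session.current_state(now)
    if state == State.ANONYMOUS:
        return "show login form"
    if state == State.SESSION_AUTHENTICATED:
        return f"serve page for {session.identity}"
    # SESSION_EXPIRED: the user is still known but with low confidence, so try
    # the silent path before bothering them with a login form.
    if provider_confirms(session.identity):
        session.credentials_presented(session.identity, now)
        return f"transparently re-authenticated {session.identity}; serve page"
    # The provider needs the user to interact (it logged them out, for instance).
    return f"ask {session.identity} to log in again"

if __name__ == "__main__":
    s = Session()
    s.credentials_presented("http://alice.example/", 0)       # constructed OpenID
    print(handle_request(s, SESSION_TTL + 1, lambda who: True))
```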

November 08, 2008

Simon Willison

Clearing up inaccuracies about the Google OpenID IDP launch

Clearing up inaccuracies about the Google OpenID IDP launch. Google took some undeserved flak when they launched their OpenID provider. For the record, whitelisting providers fits my definition of the “Open” in OpenID perfectly (providers and consumers are free to impose whatever policies they like).

November 08, 2008 11:11 PM

Kaliya Hamlin

Among Fast Company Influencers

I am writing this post for all of you coming here after reading the Fast Company article listing the (13) Most Influential Women in Web 2.0. Here is my slide in the deck where you can see the picture Bob took in full glory.

Just to be clear, I am part of more than the OpenID community :)
I facilitate The Internet Identity Workshop that I co-founded and co-produce with Phil Windley and Doc Searls. It has an amazing range of technologies participating - see below for the list.

I am involved with the whole community working on the identity layer of the web that works for people. OpenID is simply the most visible part in relation to “web 2.0” right now. I am very optimistic about the future of information card technology and the potential for claims based identity to really transform the web.

I am actively involved in Identity Commons (where I got started in Identity in 2004) and it is where you can find a bunch of groups working on a range of social legal and technical issues in this field. Let me know if you want to get involved.

The Internet Identity Workshop is actually happening NEXT WEEK in Mountain View and there is still room - so feel free to sign up if you want to dive in.
Things covered at the Internet Identity Workshop:

Open Standards
* OpenID
* SAML
* Liberty Alliance ID-WSF
* WS-Trust
* OAuth
* OASIS XRI
* OASIS XDI
* XRDS-Simple
* Open Social
* Portable Contacts

Standards Interop
* OSIS
* Concordia

Major Information Card Projects
* CardSpace
* Higgins Project
* Bandit
* The Pamela Project Relying Party Code
* The first Java Information Card library Relying Party Code and Security Token Server code

Browser Based Card Selectors
* Higgins Project (offers both browser-based and native card selectors)
* openinfocard

Multi-Protocol Open Source Projects
* Higgins Project (supports Information Cards, OpenID, SAML, XRI, XDI)
* Shibboleth
* CAS (supports OpenID, SAML, prototype Information Card support)
* Bandit
* OpenSSO (supports SAML, Liberty ID-FF/ID-WSF, WS-Federation, Information Cards, OpenID)

Industry Consortia
* Identity Commons
* Liberty Alliance
* OASIS ID Trust
* ITU-T Focus Group on IdM and subsequent activity.

Groups Addressing Legal/Social/Business Issues
* PPEG Privacy Summits Liberty
* Project VRM
* Liberty Alliance Identity Assurance Framework
* Liberty Alliance Identity Governance Framework

by iwoman at November 08, 2008 02:26 AM

November 07, 2008

Brad Fitzpatrick

Ass Robots

I think the world needs more robots that climb up your ass:

November 07, 2008 04:39 PM

Martin Atkins

We've Opened People Data. Now for everything else...

One thing that's been bothering me of late is that while we now have a bunch of open specifications for dealing with person and relationship data in a portable way -- the most notable being XFN for public data and OpenSocial REST APIs for non-public data -- we're still lacking a good way to handle other social objects generically. "Action stream" implementations are currently hardcoding lists of specific services so that they can present the stream data in a way suitable for each service: they need to hard-code that Twitter feeds contain status updates, that Flickr feeds contain photos, and so on. Even worse is that each service encodes this information in its feeds in a slightly different way.

I'd like to see a world where, given a "user page" URL on some arbitrary social service, action streaming systems and other kinds of social aggregator will automatically be able to "do the right thing". This allows new services to enter the market without every one of the growing list of streaming products needing to be altered. It also allows those who are publishing their own stuff on self-hosted personal websites to take part in the social web in a much more useful way. While it'll take a while to adapt to completely new concepts, there are plenty of sites out there for publishing photos, videos, events, musical tastes and so forth that are all needlessly publishing this information in non-interoperable ways.

As I've posted previously, I'm quite fond of the approach of using URLs to represent social objects just as we are now using URLs to represent people. URLs make quite good globally-significant identifiers, and when combined with a mechanism like rel="me" multiple URLs can be declared to "represent" the same object. The missing piece is the ability to go from a URL to useful data. We already have standard ways to go from a blog URL to recent entry data. It'd be great if we could standardize on a way to:

  • Take a URL of an HTML page that represents a photograph and discover from that page the URL of the full image, thumbnails of various sizes and so on.
  • Take the URL of an HTML page that represents an event and retrieve crucial information like the name, the date and time and the venue of the event.
  • Publish relationships between social objects and people, such as "Jim is in this Picture", or "Jenny plans to attend this event".
  • Represent the above also in Atom feeds in a standard way so that they can be incorporated into action streams.
  • Do the above both for public data and for data that requires authentication, ideally using the same or a similar mechanism so we don't need two separate implementations.
  • Figure out what other social objects are common between sites and figure something out for these as well.

I previously posted an XFN-like proposal for inter-object relationships (including a more general review of popular social objects) and later a re-casting of it in Atom for action streams. I'm not wedded to these particular approaches. I feel like we have most of the pieces already, we just need to figure out how to fit them together in a way that allows reliable discovery and processing and that can be implemented -- as easily as possible -- by sites that are already out there.

I'm hoping to talk to folks about this at IIW. If you're interested in this too then please let me know.

by Martin Atkins at November 07, 2008 07:32 AM

November 06, 2008

Johannes Ernst

Let's Draw the "Open Stack" as a Proper Stack

A somewhat problematic picture has been floating around recently depicting the so-called "Open Stack":

[open stack]

There is just one problem with it: the dependencies are all wrong. For example, OpenID does not depend on OAuth; both depend on XRDS-Simple, however. That means the stack isn't actually a stack, and is perhaps a lot more confusing than it needs to be...

What about this instead:

[open stack improved]

Can we change this *before* too many people pick up this picture as their battle cry? Proposed improvements are very much welcome; this is difficult to visualize. Please let me know. And if you can think of a better name for it, that'd be good too. (Just check Google to see what others think the term means.)

November 06, 2008 12:39 AM

November 05, 2008

Kaliya Hamlin

Wow - what a night - GObama!

I really wasn’t expecting the flood of emotions that came over me tonight after watching the Obama speech but also after letting it all sink in.

I was filled with these intense flashbacks to my old “apartment” (it was a doctor's office that was formerly a house that had once again become a “live/work” space) - the day that 9/11 happened. I was JUST out of college - I had spent the summer at UC Berkeley taking the Haas School of Business intensive 9 unit summer program for undergraduates called BASE - Business for Arts Science and Engineering Majors. I had just driven to Canada with my boyfriend of 2 years to pick up my stuff and “move in”. I had been to one day on my first job - September 10th (I was working at the Metta Center for Nonviolence Education - a nonprofit founded by my Gandhian Professor - Michael Nagler). [[Yes, I do believe in both business and making the world better. They are not mutually exclusive.]]

I remember getting the e-mail from one of the foreign students from the BASE program - a German - he wrote this e-mail saying he hoped none of us or our families were affected by the event. I was like “what event” and went to find out. I was stunned - here I was on my second day of my first job and this happened and the organization was focused on teaching people about nonviolence. Part of the trigger is the feeling that the cloud that descended with 9/11, which I have felt we have been under ever since, was lifting with Obama’s election.

At that time I was just beginning to live with my boyfriend and we were planning to get married some time. I had a lot of memories flood me of that house and our time there.

It was before my cancer - I was diagnosed and treated for Hodgkin's Lymphoma in 2002 (average age 25 - I was 25 - it is very treatable - 95% cure rate - I am past the 5-year mark now, so I should be OK for sure).

I was walking down the hill tonight - to the party in the street thinking about this, about how just this last month I actually thought about not paying my health insurance - it is higher than my rent - it costs $640 a month - because of the cancer I am “uninsurable” - so I can’t give it up or I will never be able to get it again. The reason I thought about not paying it - the economic crisis and well, being able to survive for longer if I don’t have work. I thought about my mother and her care and death. She died when I was 18 from an aggressive breast cancer and I know she got good care (in Canada) - I know if I was in Canada when I had my cancer I would have gotten good care. We were always raised to value the way health care happened in Canada, to treasure the fact that our family and nobody's family would ever go without care and would not go bankrupt. I thought about the hope that I now have that maybe I will not have to feel so vulnerable here.

This evening got to thinking again about a post I have been thinking about since last week. I was moved by Phil’s post about his weighing of the candidates. I work closely with Phil to put on IIW and it got me thinking about negatives I hadn’t really seen with Obama until he pointed them out.

But that doesn’t disguise the fact that Obama is the most anti-business, pro-government (and those two don’t always go together) Presidential candidate in my memory. He has no business experience to speak of and—more to the point—his other experience is in organizations that are almost vehement in their anti-business rhetoric and activity.

I find the progressive left intolerable in its anti-business energy. It is small businesses that run this country and provide much of what we use to sustain ourselves - they feed us, clothe us etc etc. I have been friends with many in the Social Venture community - I first went to the fall SVN conference in 2003. Many of them were pioneers 20 years ago founding many brands in the natural foods industry and they have been an organization for 20y. I really believe that business can do good and make money. I can only hope that Obama actually gets some people in there who understand business and that this is a pro - small - green - tech - good - all kinds of - business administration.

One of the things that makes me think things will be ok is how he dealt with being the head of the Harvard Law Review - he got there with the support of the conservatives and he appointed many of them to the editorial board.

The party outside the Elephant Pharmacy near downtown Berkeley was GREAT! The energy was super fun. It felt a little like being on the Playa (at Burning Man) but it was out in the streets. People were soooo happy. It reminded me of the need for public celebration and a book I read this year, Dancing in the Streets: A History of Collective Joy by Barbara Ehrenreich (you might know her better-known books published in the last few years, Nickel and Dimed and Bait and Switch). We need to get out and celebrate as people, to be with each other in our neighborhoods and be joyful.

There is much to be done - Barack can’t do this - it isn’t for big government - we must work together. We must use digital tools to organize (and maybe use - all this identity stuff we all have been working on) to self organize - to help us work together in our communities.

At the National Coalition on Dialogue and Deliberation that I attended last month there was a panel of conservatives talking about why they were involved in the Dialogue movement and what the issues were with the dialogue movement’s progressive lean. Language is quite important - community organizing can sound like we are going to “organize” the people and then tell them what they should think - rather than how they can work together in community without “government”. I hope we can find ways to reach across the divides in this country by finding ways to talk with each other that are not alienating and polarizing.

I am applying for citizenship next year and feel full of joy and excitement that Obama will be the President under whom I will become a citizen. I really HOPE things can be better in the world now and better in America with this new presidency.

by iwoman at November 05, 2008 10:57 PM

Kaliya Hamlin

Additional Thoughts on - GObama!

I was tired when I wrote the post last night. I complete all the thoughts that I had last night.

I am an immigrant to America myself - although my family has deep roots here, my grandmother was born in Mineral Point, Wisconsin and that line of the family has roots that go back to the late 1600’s.

I didn’t know a lot about the USA when I came to college. Actually one of the reasons I came here for university was to learn more (to understand what it meant to be a Canadian, culturally defined as unAmerican). I took a full year of American history - two courses, one pre-Civil War and one post-Civil War.

I learned about the mythology and reality of the American understanding of being a city on the hill and a light to the nations of the world. It took me about 10 years of living here to “get” the internal psychology of the place; to fully understand the American story and dream and how it is lived.

Canadians and others get upset about American exceptionalism. From the outside I can see why it doesn’t seem that America should see itself as different than any other country. I am here and have lived here my whole adult life and I think it is. I know I am different for having come to this country and made my way. I am more entrepreneurial than I would have been had I stayed in Canada. I am working in an industry I never would have found in Canada.

I think Obama is an example of what is possible in America. When I learned about his story - it resonated with me and felt great, like it was AMERICAN. I am really glad he is our president.

by iwoman at November 05, 2008 09:51 PM

November 04, 2008

Hans Granqvist

OpenID and email

VeriSign’s Nico Popp discusses Google’s latest OpenID provider. Nico is convinced it’s a good move — God knows I’ve always claimed URLs make bad user identifiers — and be that as it may, but the arguments are flawed.

Nico claims

“The beauty is that Google did not even have to force a button or any branding on relying party web sites,”

which is in itself true, but what he skips is that the relying party has to amend how it processes discovery on given user identifiers. So either way, the RP has to do extra work. Nothing is free.

Nico continues

“The choice of identifier alone will make it easier for consumers to choose Google over FaceBook,”

but that only makes sense right now. The Facebook platform already is a de facto email network. It only takes FB a little bit of work to provide external email identifiers like alice@facebook.com, and whatever work has been done for @gmail addresses now works for FB, too, providing there is some sanity to the discovery phase.

And FB can do this without providing any external email services for their users at all.

It will be interesting to see what happens.

by Hans at November 04, 2008 05:00 PM

November 03, 2008

OpenID.net

OpenID Japan Launches with 32 Member Companies

The OpenID Foundation is pleased to share that OpenID Japan has launched with 32 members including merchants, portals, educational institutions, insurance companies, manufacturing companies, airlines, and banks.

This announcement is significant for several reasons:

  1. The number and breadth of industries represented by the new members
  2. The use of OpenID by member companies for commercial transactions
  3. Collaboration between OpenID Japan and Liberty Alliance Japan
  4. An earlier survey by internet.com and Marsh Research of Japanese internet users found that 28% knew about OpenID and 15% were using OpenID

Congratulations to OpenID Japan on these significant milestones.

by Brian Kissel at November 03, 2008 08:59 PM

October 31, 2008

David Recordon

TheSocialWeb.tv Visits Google

This week John, Joseph and I shot an episode of TheSocialWeb.tv (Episode 16: "OpenID's Historic Week: Microsoft and Google Go Live") with Eric Sachs from Google's Security Team. Eric's team implemented Google's OpenID Provider and we ended up with a very interesting episode where he talks about some of the background going into why they chose OpenID and challenges they see needing to be solved in the future.

October 31, 2008 07:22 PM

October 30, 2008

OpenID.net

Microsoft and Google announce OpenID support

This is a historic week for OpenID. Google and Microsoft announced the release of code to support OpenID 2.0 across their most important properties. On Monday, Microsoft announced OpenID 2.0 support for their 460 million users on the LiveID platform. On Wednesday Google said it will be supporting OpenID 2.0 for any user that has a Google account. Both of these deployments are great news for the OpenID community and the Internet at large. It can be safely said that within the coming months, every single user on the Internet will have an OpenID.

There was some discussion from a few people yesterday claiming that Google’s implementation was a fork of OpenID. Today, Eric Sachs, Google’s lead on this effort, has another post responding to some of this early criticism:

That registration requirement also led to some confusion because users wanted to be able to use existing websites that accept OpenID 2.0 compliant logins by simply entering gmail.com (or in some cases their E-mail address) into the login boxes on those websites. … Once the XRDS file is live, end-users should be able to use the service by typing gmail.com in the OpenID field of any login box that supports OpenID 2.0, similar to how Yahoo users can type yahoo.com or their Yahoo E-mail address (In the meantime, if you feel really geeky, you can type https://www.google.com/accounts/o8/id into an OpenID 2.0 login box).

Although these are both considered “preview releases” by their respective companies, the fact that they have put code out there that developers can start to work with is absolutely fantastic. Both Google and Microsoft have stated that these are testing implementations and as such, there may be certain limitations while they work on localization, scaling and general UI.

Mike Jones talks about some of the details of the Microsoft LiveID testing:

One feature of the OpenID 2.0 implementation that I’d like to call your attention to is that they give users a choice, on a per-relying party basis, whether to use a site-specific OpenID URL at the site for privacy reasons, or whether to use a public identifier for yourself – explicitly enabling correlation of your identity interactions on different sites.

We also have an episode of theSocialWeb.tv where we have Eric Sachs from Google talking about this historic week with David Recordon, Joseph Smarr and John McCrea:

by The Shared Admin at October 30, 2008 07:27 PM

Simon Willison

New OpenID Implementations Abound

New OpenID Implementations Abound. I’ve missed linking to a bunch of OpenID news recently—in particular, Google Accounts are becoming OpenID identifiers and LiveJournal has quietly upgraded its consumer support to OpenID 2.0.

October 30, 2008 05:11 PM

Simon Willison

A quote from Jorgen Thelin

In the final Production release we will be adding the ability to sign in to the Live ID OpenID Provider using any of the credential types that can be used with regular Live ID sign-ins -- including CardSpace, SmartCard, eID, etc.

- Jorgen Thelin

October 30, 2008 05:09 PM

Martin Atkins

Why OpenID discovery for email addresses must use DNS

I'm getting some pushback from my proposal to use DNS as the primary means of OpenID discovery for email addresses. I think this is largely because I've not done a good job of explaining my reasons for it. Aside from some idea of technical purity, what's the practical reason for using DNS for OpenID? Who would use it that way?

My previous employer provided, amongst other things, a hosted content management system product. The usual setup would be that our customer would either have an in-house IT department or they'd outsource their IT stuff to a third-party. These IT folks would generally be responsible for DNS and email in some capacity, even if that capacity was just clicking some buttons on someone else's control panel. When the customer bought a CMS-based website from us, we'd get their IT folks to point the A record for the domain at one of our CMS server clusters and configure a mapping of that domain to the appropriate site in the system.

In this scenario, the customer's pretty limited in what they can do to their website. In the interests of usability, the site is presented as a tree of pages which are edited via a WYSIWYG editor and munged into a complete page using a site-wide HTML template. There is no way that such a customer could set up Yadis discovery on their site; creating arbitrary files and arbitrarily fiddling with the contents of <head> are not things the software provides. Even if it did, it certainly doesn't provide an OpenID provider that recognises email addresses for the domain.

Lest you consider this an isolated case, consider some other examples of such an arrangement. The domain this blog is running on has its A record pointing at LiveJournal.com who host my blog. They don't allow me to override the Yadis document returned at the root of my site, but I do own and control my domain. Users of Six Apart's hosted blogging service TypePad can't add the necessary bits for Yadis discovery without switching to "advanced templates", at which point they lose some of the easy blog design features. Google provides a similar hosted CMS service as part of its "Google Apps for your Domain" package which can't support Yadis, though we could also come at this from the other direction and see that most folks using the Google Apps version of GMail for their domain have their website hosted somewhere else, because -- let's face it -- Google Sites is kinda limited.

It's been my experience, then, that it's far more often the case that DNS and email are controlled by the same team than are email and web. In the case of my previous employer, the IT folks can readily add new records to DNS without involving the CMS provider. In the case of Google Apps For Your Domain, being able to edit your DNS is already a prerequisite to deploy GMail, so if Google were to provide a hosted OpenID-for-email service as part of Apps they could just instruct administrators to add an additional DNS record to enable it.

While I don't disagree that publishing the discovery information over HTTP should be an option, DNS should not only be supported but should override whatever's published over HTTP. By compromising and using DNS TXT records as the transport for this discovery information, rather than a more "correct" record type, we make it possible to deploy these records in domain management tools that exist today.

I hope the above will serve to show that my wish to use DNS for discovery is in fact for pragmatic reasons, not for reasons of theoretical purity. That it comes with a side-order of theoretical purity (for some definition of purity) is just a nice side-effect!

by Martin Atkins at October 30, 2008 04:15 AM

David Recordon

On Google and OpenID 2.0

Following Microsoft on Monday, AOL last year, and Yahoo! earlier this year, Google is now an OpenID Provider. That said, people seem to like controversy...

Google is taking advantage of a feature in OpenID 2.0 known as "Directed Identity". This allows an OpenID 2.0 Relying Party to start the OpenID protocol flow using a known URL (Yahoo!'s is http://openid.yahoo.com/) to allow for "one click" style login dialogues. By performing discovery on this URL, using the XRDS XML format, the OpenID Provider advertises the OpenID Endpoint URL for the Relying Party to make a request against. Google is doing this correctly with the URL to perform discovery against being https://www.google.com/accounts/o8/id.

The piece that Google is currently doing differently is requiring pre-registration of each OpenID Relying Party before users can login to a given site. This does break the common deployment of OpenID on the web today, but Eric Sachs of Google has said on the OpenID mailing list that this is temporary as they work to stabilize their OpenID Provider:
We just need to do the standard scaling, stability, translation quality, etc. evaluation to make sure there are no major problems. If we are lucky, that won't take much time. However it is more than likely that we will need to tweak things in our user interface to make it easier to understand, and unfortunately translating any such tweaks into 40+ languages takes awhile.

As for using email addresses as OpenIDs, this is something the OpenID community is talking about quite a bit right now; Google included.

October 30, 2008 01:02 AM

October 29, 2008

Martin Atkins

New OpenID Implementations Abound

This seems to be the week for announcing OpenID implementations. Here's what we have so far:

  • Microsoft announced that Windows Live ID (formerly Microsoft Passport) will soon be an OpenID Provider. They currently have up an experimental implementation on a different domain. This one's particularly cool because the closed nature of Microsoft Passport was one of the things that inspired OpenID in the first place.
  • Google announced today that Google Accounts will soon have OpenID identifiers, too. Like Microsoft, they've currently deployed only an experimental version. Currently, it's only supported for RP sites that pre-register using a web form, though when this drew fire on the OpenID Mailing List Google folks gave the impression that this would open up after the experimental phase. They're also experimenting with using email addresses as identifiers, though it seems that their provider doesn't have any special support for this right now. They're also, I believe, the first provider to support Attribute Exchange.
  • LiveJournal has quietly upgraded its OpenID consumer to support OpenID 2.0. Since LiveJournal was the first OpenID consumer, it's nice to see it adopt the new version. Now users of Yahoo!, Microsoft and (in theory) Google can use their identifiers to sign in to LiveJournal and leave comments. Since this blog runs on LiveJournal, you can try this on my comment form if you like.

It's good to see the last few existing "big" centralized identity providers rolling out OpenID support. While some continue to be upset that none of these are accepting OpenID as a relying party -- and I agree, that is a shame -- at least Yahoo! ID, Google Accounts and Windows Live ID are brands that users are used to seeing on login forms and this will hopefully provide motivation for other RPs to implement OpenID. I think email addresses as identifiers is the next step, and if these big providers that also provide email can get on board with one of the proposals OpenID will become even more attractive to RPs as it could optimize rather than complicate their user enrollment experience.

by Martin Atkins at October 29, 2008 08:08 PM

October 28, 2008

Martin Atkins

OpenID Providers ignoring openid.identity

Yahoo!'s OP and now it seems Microsoft's OP both ignore the value of openid.identity provided to them, and just return an assertion for whatever user's logged in. While this is technically valid if you think of the result as an "unsolicited positive assertion" as per the spec, it's a bit counter-intuitive. While it works okay for the sign-on case, it's not so hot for the basic "prove I own a URL" case: consumers attempting to do this find that they end up with an assertion for a URL that they don't care about.

I think the ideal behavior, both to avoid breaking this use-case and to make it clear to users what they're logging in as, is to tell the user they're logged in as the wrong identifier and prompt them for the credentials for the identifier they entered. Of course, if openid.identity is the special value http://specs.openid.net/auth/2.0/identifier_select then the current behavior is fine; in this case, the RP is saying "tell me a URL this user owns", not "does this user own this URL?".

I'd be interested to hear what advantages there are to ignoring openid.identity. I've not been able to think of any.

by Martin Atkins at October 28, 2008 06:47 AM
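The RP-side check the post argues for, as an added Python example (not from the post or from any OpenID library): a positive assertion is accepted only if it names the identifier the RP asked about, unless the request used identifier_select, and in both cases fresh discovery on the asserted identifier must confirm the OP endpoint. The `discover` callable, the `sample_*` data and the response fields assumed already signature-verified are constructed for the example.

```python
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def check_assertion(requested_identity, response, discover):
    """Decide whether a positive assertion may be accepted by the RP.

    requested_identity: the openid.identity the RP sent (a URL, or IDENTIFIER_SELECT)
    response: the OP's response fields (openid.claimed_id, openid.identity,
              openid.op_endpoint); assumed to be signature-verified already
    discover: callable(claimed_id) -> (op_endpoint, op_local_id) or None,
              i.e. a fresh discovery run on the asserted identifier

    Returns the claimed identifier to log the user in as, or None to reject.
    """
    claimed = response.get("openid.claimed_id")
    identity = response.get("openid.identity")
    op_endpoint = response.get("openid.op_endpoint")
    if not (claimed and identity and op_endpoint):
        return None
    # OpenID 2.0 lets the OP append a fragment to claimed_id; ignore it when comparing.
    claimed_base = claimed.split("#", 1)[0]
    if requested_identity != IDENTIFIER_SELECT and claimed_base != requested_identity:
        # The RP asked "does this user own this URL?" and the OP answered about a
        # different URL (the behaviour the post describes): that is not proof of
        # the requested identifier, so reject rather than silently log in as someone else.
        return None
    found = discover(claimed_base)
    if found is None:
        return None
    disc_endpoint, disc_local_id = found
    if disc_endpoint != op_endpoint:
        return None  # an OP may only assert identifiers whose discovery points at it
    if (disc_local_id or claimed_base) != identity:
        return None  # the OP-local identifier must be the one discovery delegated to
    return claimed


# Constructed discovery data and responses (not real sites).
SAMPLE_DISCOVERY = {
    "https://alice.example/": ("https://op.example/endpoint", "https://op.example/u/alice"),
    "https://bob.example/": ("https://op.example/endpoint", "https://op.example/u/bob"),
}


def sample_discover(claimed_id):
    return SAMPLE_DISCOVERY.get(claimed_id)


def sample_response(who, op_endpoint="https://op.example/endpoint"):
    """A positive assertion for user `who`, with the fragment an OP may append."""
    return {"openid.claimed_id": f"https://{who}.example/#session",
            "openid.identity": f"https://op.example/u/{who}",
            "openid.op_endpoint": op_endpoint}


if __name__ == "__main__":
    # Asked about alice, OP answers about bob: rejected. With identifier_select: accepted.
    print(check_assertion("https://alice.example/", sample_response("bob"), sample_discover))
    print(check_assertion(IDENTIFIER_SELECT, sample_response("bob"), sample_discover))
```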

October 27, 2008

Simon Willison

Windows Live Adds Support For OpenID

Windows Live Adds Support For OpenID. I hope they include the option to log in to the provider using CardSpace, to address phishing.

October 27, 2008 09:34 PM

Martin Atkins

OpenID with email addresses: an implementation

I've been talking to a bunch of folks about using email addresses as identifiers, and it seems that right now there's little agreement on what the correct approach is. Some would like to make a generic mapping from email address to URL, which has the advantage that you can do anything to such an email address that you can do to the URL it maps to. However, I've also had some folks say they'd rather not have a URL for every email address, and they'd rather do something simpler with less indirection.

Since the EAUT folks are already exploring the former approach, I figured I'd have a go at the latter. A proposal I heard from a few folks is to just do Yadis discovery on the URL formed by taking the email domain and putting http:// in front of it and / after it. Hard-coding URLs always feels wrong to me; in this case, DNS feels like a much more natural place for this information. However, I acknowledge that for many people -- especially in the "vanity domain" camp where most of OpenID's early adopters are to be found -- putting stuff up on your website is easier than adding DNS records. With this in mind, I've devised a compromise. My approach, therefore, is this:

  • Take the email address and turn the at sign into a dot, so frank@example.com becomes frank.example.com. Do a DNS lookup on this for discovery information (see below).
  • If no information is found, take the bare domain and do a DNS lookup on this for discovery information (again, see below).
  • If no information is found, take the bare domain and put http:// in front of it and / behind it, giving http://example.com/. Do Yadis discovery on this URL, looking for the service type http://specs.openid.net/auth/2.0/signon/email. The URL of this service is an OpenID endpoint supporting email addresses.
  • If no information is found, fail.

The other part of the debate is -- assuming for the moment that DNS will be used -- how the information will be represented in DNS. My experience with hosted DNS providers is that they tend to only allow users to create A, CNAME, MX and TXT records, so as controversial as it is I went for simply encoding the information in a TXT record, as SPF did. The format, then, is TXT records containing key-value pairs inspired by the OpenID 2 link element values. My record looks like this:

mart.degeneration.co.uk. IN TXT "openid2.provider=https://www.myopenid.com/server openid2.local_id=https://mart.myopenid.com/"

The parser for this stuff considers only records whose values start with the string "openid2.". I've also extended these arguments with a new setting called openid2.redirect, which is used instead of the previous two to achieve the same thing as issuing an HTTP redirect has on traditional OpenID discovery: it acts as a normalization mechanism. Notice above that I've added OpenID support to my email address using delegation, just as I did with my HTTP-based identifier. I think it's important to preserve the ability to do delegation, since I think this is one of the main reasons that OpenID saw so much uptake among early adopters. RPs aren't going to bother updating to support email addresses if none are OpenID enabled, so we once again need a simple bootstrapping mechanism to get some working identifiers out there to foster adoption.

I've added support for this into an experimental branch of Net::OpenID::Consumer. I don't have a working demo up right now, but I hope to be able to get one up soon so folks can try it out.

by Martin Atkins at October 27, 2008 06:12 AM
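The lookup order and TXT record format from the post above, as an added Python example (not code from Net::OpenID::Consumer): DNS and Yadis lookups are injected as callables so it runs offline against constructed records, and the assumptions that openid2.redirect names another email address and that redirect chains are bounded by MAX_REDIRECTS are mine.

```python
import re

EMAIL_SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon/email"
MAX_REDIRECTS = 5  # assumption: bound the openid2.redirect chain so a loop cannot recurse forever

_EMAIL_RE = re.compile(r"^([^@\s/]+)@([^@\s/]+)$")


def parse_openid_txt(records):
    """Parse TXT record strings into a dict of openid2.* keys.

    Only records whose value starts with "openid2." are considered, as in the post.
    Each such record holds whitespace-separated key=value pairs; the first value
    seen for a key wins. Returns {} when no usable record is present.
    """
    found = {}
    for rec in records:
        if not rec.startswith("openid2."):
            continue  # unrelated TXT data (an SPF record, say) can share the same name
        for pair in rec.split():
            key, sep, value = pair.partition("=")
            if sep and key.startswith("openid2.") and value:
                found.setdefault(key, value)
    return found


def discover_email(email, txt_lookup, yadis_lookup, _depth=0):
    """Resolve an email identifier to an OpenID endpoint in the post's order:
    TXT for user.domain, then TXT for the bare domain, then Yadis on http://domain/.

    txt_lookup(name) -> list of TXT strings for that name (empty if none)
    yadis_lookup(url, service_type) -> endpoint URL of that service, or None
    Returns {"endpoint": ..., "local_id": ...} or None when discovery fails.
    """
    m = _EMAIL_RE.match(email)
    if not m:
        return None  # not an email address (also rejects junk redirect targets)
    user, domain = m.group(1), m.group(2).lower()
    for name in (f"{user}.{domain}", domain):
        info = parse_openid_txt(txt_lookup(name))
        if "openid2.redirect" in info:
            # Normalisation: restart discovery on the redirect target (assumed to be
            # another email address), as an HTTP redirect restarts URL discovery.
            if _depth >= MAX_REDIRECTS:
                return None
            return discover_email(info["openid2.redirect"], txt_lookup, yadis_lookup, _depth + 1)
        if "openid2.provider" in info:
            return {"endpoint": info["openid2.provider"],
                    "local_id": info.get("openid2.local_id")}  # delegation, as in the post
        # nothing usable at this name: "no information found", try the next step
    endpoint = yadis_lookup(f"http://{domain}/", EMAIL_SIGNON_TYPE)
    if endpoint:
        return {"endpoint": endpoint, "local_id": None}
    return None


# Constructed sample records (not real DNS answers); the first mirrors the record
# quoted in the post, the others exercise the fallback, redirect and loop cases.
SAMPLE_TXT = {
    "mart.degeneration.co.uk": [
        "openid2.provider=https://www.myopenid.com/server openid2.local_id=https://mart.myopenid.com/"
    ],
    "example.com": ["v=spf1 -all", "openid2.provider=https://op.example.com/endpoint"],
    "old.example.net": ["openid2.redirect=frank@example.com"],
    "loop.example.org": ["openid2.redirect=loop@example.org"],
}
SAMPLE_YADIS = {"http://yadis-only.example/": "https://yadis-only.example/openid"}


def sample_txt_lookup(name):
    return SAMPLE_TXT.get(name, [])


def sample_yadis_lookup(url, service_type):
    return SAMPLE_YADIS.get(url) if service_type == EMAIL_SIGNON_TYPE else None


if __name__ == "__main__":
    for addr in ("mart@degeneration.co.uk", "frank@example.com", "old@example.net",
                 "loop@example.org", "anyone@yadis-only.example", "nobody@nowhere.test"):
        print(addr, "->", discover_email(addr, sample_txt_lookup, sample_yadis_lookup))
```

Plain DNS answers are unauthenticated, so a deployment of this scheme would want DNSSEC validation, or at least to refuse non-https endpoints, before trusting what the record says.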

October 26, 2008

Brad Fitzpatrick

Fun with Android

I've been having fun writing Android apps.

My main Android app I care about is my garage door opener. I have a webserver hooked up my garage door opener, so I can open my garage over the network. Combined with a background process doing wifi scanning, the idea's that when I'm on my way home, I pull up to my house on my motorcycle and the garage door magically opens and I back into my garage without taking off my helmet/gloves/etc.

Last night I wrote the background wifi scanning service part and walked around my house and neighborhood to get the signal strengths to the three different APs in my house (and the other ones of my neighbors). Looks like it'll work perfectly. Now I just need to wire up my wifi scanning service with my garage door opening code (simple http client that HMAC signs one-time timestamped URLs).

I just mentioned to [info]evan that it looks like I have enough data to real-time triangulate within my house which room I'm in, since I have enough access points and their signal strengths vary enough. I was going to just make some stupid widget on http://bradfitz.com/ show where I'm at (which room at home, at work, in car via Bluetooth detection, on google shuttle via wifi detection, etc...) even without GPS (or with, if available).

But [info]evan went one further:
make it turn on the lights for whatever room you're in.
that'd be cute.
you could call it "magic wand of light"
Hell yes.

Update: See the conclusion in Part 2.

October 26, 2008 10:49 PM

October 24, 2008

Martin Atkins

Using Email Addresses as OpenID Identifiers

After a long time of having mixed feelings about it, I've recently become fond of the idea of allowing email addresses as OpenID identifiers. The EAUT project is writing a specification for mapping email addresses to HTTP URLs, which then allows Yadis and traditional OpenID service discovery to be carried out on the HTTP URL in place of the email address.

Their current approach to using this with OpenID puzzles me, however. It seems that they've put the email-to-URL mapping right at the beginning of the process, conceptually "before" OpenID, meaning that OpenID never sees the email address. It would seem far more sensible to me to put the email-to-URL mapping in the discovery phase, so the user's OpenID identifier is their email address.

This enables a nice signup experience on RPs: In the best case, the user provides an email address whose provider supports OpenID, in which case you can authenticate the user and validate his email address all in one transaction. If the email provider doesn't support OpenID, you do traditional email validation, and at the validation URL ask the user to choose a local password. When the user returns and signs in a second time, their provider might well now support OpenID in which case the "upgrade" experience from local account to OpenID account is far less clumsy, because you already know which local account belongs to the user.

For me, this optimized enrollment/upgrade flow is the main selling point for email addresses as identifiers, and is the only motivation I have to set up EAUT for my vanity domain. I think it'd be a shame to miss out on this by doing email-to-URL mapping too early and taking the OpenID protocol out of the loop. At its core, OpenID supports any URI scheme if you can define a suitable discovery mechanism for it, as we've seen with XRI support.

Let's let OpenID do what it's good at -- verifying ownership of URIs -- and use it to fix the horrible user enrollment user experience that exists today. As a nice side-effect, we'd increase the value proposition for RP implementations, which can't be a bad thing.

by Martin Atkins at October 24, 2008 07:00 AM

October 23, 2008

OpenID.net

PAPE Specification Review Period Commencing

The OpenID Provider Authentication Policy Extension (PAPE) Working Group recommends approval of PAPE Draft 7 as an OpenID Specification.  The draft is available at these locations:

http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-07.html

http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-07.txt

This note starts the 60 day public review period for the specification draft in accordance with the OpenID Foundation IPR policies and procedures.  This review period will end on Sunday, December 21st.  Unless issues are identified during the review that the working group believes must be addressed by revising the draft, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve this draft as an OpenID Specification.

As background, the proposal to create the working group, which the membership approved, is available at http://openid.net/pipermail/specs/2008-May/002323.html.  The specifications council report on the creation of the working group is available at http://openid.net/pipermail/specs/2008-May/002326.html.

by Mike Jones at October 23, 2008 03:46 AM

October 21, 2008

Vidoop

What it’s gonna take for my mom to use OpenID

So there has been a lot of talk lately around OpenID, the user experience, how we make it better, Facebook Connect, Oauth, and the future of Identity on the “social web”.  Yahoo and Google both recently released usability data.  The results didn’t pull any punches and exposed some serious user experience problems with the way OpenID is implemented today.  Current implementations suck! They are much worse than username/password. I have to type in a URL, I get redirected, I get a trust screen, I get to type some squiggly letters.  Just let me in dammit! There is ZERO chance my mom will ever use this.

Let’s step out of the weeds for a minute.  Everyone is currently trying to solve these problems from the standpoint of every individual site’s different implementation, of which no one seems to agree on a standard.  We’ve got buttons, IDselectors, URL as Identifiers, email addresses as Identifiers, Google is proposing to do it one way, Yahoo another, etc…  Each with different trade-offs, but the end results are basically the same.  Mom doesn’t get it!  For everyday users to really understand online Identity, we need to solve the problem from the browser level.  We need to let the browser act on behalf of the Identity Providers.  One quick advantage is that it only requires a handful of project owners to agree on a standardized user experience, rather than every site on the entire Web.  Not only that, but discover-ability and education of OpenID can be standardized in the same handful of places.

The solution is Identity in the Browser (IDIB).

IDIB delivers the 3 main things that must be present for my mom to understand Identity on the Internet.

  • Standardized experience with your Identity provider
  • Standardized experience with your Relying party
  • Standardized discoverability

This is what it’s gonna take for Identity on the Internet to make sense.  Right, mom?

by Luke Sontag at October 21, 2008 04:48 PM

OpenID.net

The First OpenID User Experience Summit

As OpenID continues to gain momentum, over the past few weeks both Google and Yahoo! have released the results of usability studies they’ve done around OpenID and digital identity systems in general. Google released their Usability Research on Federated Login looking at how to create user experiences that mainstream users can understand when using one account to log in to other websites, while Yahoo!’s OpenID Research focused much more on how their own users are able (or not yet able) to understand what OpenID is and how they can use it. While at first glance this might seem troubling, instead it is actually one of the steps in the natural evolution of seeing a technology start to go from intriguing the early adopters to working on crossing the chasm to mainstream usage.

Yesterday at Yahoo!’s campus in California, nearly forty people from the OpenID community came together for a day to discuss the usability and user experience of OpenID and OAuth. Presentations were shared by Facebook about their experience developing Connect, MySpace explained how they’re combining OpenID and OAuth, Yahoo! around how they’re evolving their own OpenID Provider in response to their research, Magnolia shared how they’ve been using OpenID to help reduce spam, Google with their study on federated login user interfaces, and Plaxo wrapping up the day with how they’re looking at OpenID as a piece of a larger “open stack” for the Web. Lots of interesting presentations, analysis, and ways to move forward to help improve the usability of OpenID and OAuth came out of the day.

John McCrea has the play by play if you’re wanting to read more about what happened during the day, but I’m excited to see the sheer number of people and companies from various backgrounds (even those who compete with one another) collectively working to help improve OpenID and build a better Web.

by David Recordon at October 21, 2008 10:20 AM

October 18, 2008

Kaliya Hamlin

Finding Identity Projects in unexpected places

Two weekends ago I was in Austin, Texas for the 4th National Coalition for Dialogue and Deliberation Conference. They hold their conference every 2 years and I have attended the last two. What was surprising this time was I actually found identity projects in the wild. I met Lou and Wayne (Lou is wearing black so he is from NY - Wayne is wearing the uniform from DC, a suit and tie.)


Lou is working on CivicID (a project of Gateway to gov) - they do 3rd party constituent validation. The plan right now is to issue OpenIDs that can be used on different services. Because they get third party validation the idea is that legislators will listen to electronic communication more because they know it is from actual constituents. I asked if they would be issuing claims-based information cards and he said yes, they would get to that.

Wayne is working on the Open Forum Foundation; their first project is to address communication difficulties between:

* Constituents: Are you happy with your ability to communicate with your elected officials and the people who make the decisions about your world?
* Government decision-makers and staff: Are you able to handle the inflow of emails, faxes, and phone calls from constituents and respond in the way that you would like?
* Advocacy Groups: Do you find it easy to express the voice of your members to their elected officials in a way that gets heard and is productive?

Two years ago I was at NCDD talking to the online deliberation guys explaining identity - this time there were several projects that all were aware of it at least.

Practical Evolution - this has gone through several evolutions and is being used in Australia.

Intellitics - Tim Boman’s company is working on Zilino

DeepDebate.org, a project led by Lucas Ciof, is working on a system to help dive into different

Idealogue Inc. by Noam Shore is also doing online tools for civic engagement.

It was quite exciting to see all this activity. Tim Erickson has a post on his blog with videos about three of them.

I had dinner both Friday and Saturday night with the tech guys :) - (Yes, the first night I was the only woman at dinner and the second night one of two.) I am hoping several of these guys come to IIW and share what they are working on.

Today I am headed to the Open Sustainability Network Camp and tomorrow to Bioneers (a conference I have been attending since 1999). I am hoping that I will be pleasantly surprised at both to find people doing interesting identity projects in the field.

I came to this field from a civil society perspective via my work with Planetwork. This does not mean however that I am anti-business or don’t care about the needs of large enterprises in this space. In the last several years I have come to appreciate how fundamentally essential their role is in making any of the original idealistic “user-centric” vision articulated in places like the ASN Paper happen. I also don’t think that business alone can get this layer to happen, and without civil society engagement or uses it will take much longer. It is most definitely a both-and situation rather than an either-or.

I have often chosen to speak to the civil society perspective when I am in the community. There are already so many people who work at large enterprises and are thinking about the business models. Perhaps this was a mistake because it may not be obvious how much I care about the business side of things. I CARE about it AND it is not all that matters. I am hoping in the next while to invite more people working day to day in the nonprofit, social and environmentally responsible business sector, advocacy groups and others to become more involved in the identity community. My finding of the projects at NCDD doing identity shows there is now a wider understanding of the use for identity and people beginning to experiment with applications.

by iwoman at October 18, 2008 06:43 PM

David Recordon

Internet Identity Workshop is Coming Up

I'm currently in Spain for a bit of vacation with my mom before speaking at a conference here in a few days. I was at FOWA last week in London and had a great time (need to post more on that separately) and the Carsonified crew really know how to put on a great show!

In any case, the seventh? Internet Identity Workshop is coming up in a few weeks in Mountain View. To date there have been over 10 events like this - open space with the agenda made live by the people who are making the identity (relationship) layer happen. Some people say that in some ways the intensity of IIW is like 6 months on a mailing list; the whole industry moves forward. So, if you're able to make it to Mountain View November 10th through 12th and are at all interested in online "identity" stuff then you should check it out. http://www.windley.com/events/iiw2008b/register.shtml

October 18, 2008 05:56 PM

October 17, 2008

William Tan

FoXRI Updated for Firefox 3

Prompted by Emanuel in a comment to my post on i-names, I’ve finally tended to the long-overdue item in my TODO queue, i.e. update FoXRI to work with Firefox 3.

The request from Emanuel came almost serendipitously 2 days after =les nonchalantly asked me if I had plans to update it to FF3, to which I answered “one of these days.”

New in this version are 2 patches from Michael Krelin which add detection of URIs for more OpenID versions, and the handling of append attribute values. Changelogs for the patches are available at his git repository.
Thanks, Michael!

Due to what seems like a new security restriction that protocol handlers are not allowed to link to chrome URIs, I can’t seem to get it to load the CSS and icons from the chrome any more. Therefore, those files are now hosted remotely at xrid.net so if you see requests to that host, please don’t be alarmed.

by wil at October 17, 2008 06:05 PM

October 16, 2008

Vidoop

Big Things for Internet Identity Workshop 2008b

Just a reminder, IIW 2008b is coming up fast.  Things have been getting really hot in the space lately and a lot of conversations have been happening around usability, identifiers, security, etc…  A lot of work has been done and I know quite a few folks are planning on showing up with some serious data, thoughts, and prototypes.  Be sure and put it on your calendar.  Nov. 10 - 12th at the Computer History Museum in Mountain View, CA.

by Luke Sontag at October 16, 2008 06:03 PM

October 14, 2008

Simon Willison

Yahoo! Releases OpenID Research

Yahoo! Releases OpenID Research. Extremely valuable research, conducted with a group of typical Yahoo! users. OpenID’s usability remains bad, and if we don’t get it right soon something centralised like Facebook Connect will take over and the Web will stop being open.

October 14, 2008 04:59 PM

Martin Atkins

HTML Social Network

I've been happy to see XFN getting adopted as a lightweight way to add machine-readable interpersonal relationships to existing sites. As useful as that is, there's more to the social web than just people. I took a look at what sorts of social objects are out there on the popular social networking sites and how the sites link them together today. The result of this is a proposal for some rel values in a similar vein to XFN that can be used to annotate these existing links. For the moment, I'm calling this HTML Social Network. To avoid biting off more than I can chew, for the moment I've stuck to just annotating links, leaving others to figure out what the best way is to publish the content at the linked URLs.

I'm interested to hear if others feel that this is a valuable problem to solve. I'd like to hear from other open social web enthusiasts and implementors how this proposal could be improved. I imagine that the end result of the discussion would be a set of smaller specifications, but one big all-encompassing proposal is easier for me to publish as a starting point.

by Martin Atkins at October 14, 2008 01:57 AM

October 13, 2008

Martin Atkins

HTML Social Network in Atom

Some time ago I posted about HTML Social Network, which is essentially just a bunch of link "rel" attribute values to indicate relationships between people and social objects.

One limitation of that approach, though, is that it lacks time information. You can't take the link relationships on an arbitrary HTML page and build an ordered list of (for example) status updates without additional context to give you the date and time of publication.

The obvious existing standard for time-based publishing is Atom, but the problem with Atom is that there's no way to know without out-of-band information that Twitter's Atom feeds are of status updates, and Flickr's Atom feeds are of photos, and (although HSN doesn't have a relationship for this right now) Last.fm's feeds are of tracks a user listened to recently. Action Stream services currently have to hard-code various services in order to present results in the correct context.

With this realisation, the obvious answer is to marry the "rel" attribute of HTML with the time-based publishing of Atom. Rather than publishing merely relationships between URLs, let's instead publish relationships between an Atom feed and its constituent entries, which themselves contain URLs. We can infer (using Atom auto-discovery) that a given Atom feed is a stream of information about a given resource. Here's one possible way to encode this:

<feed xml:lang="en-US"
    xmlns="http://www.w3.org/2005/Atom"
    xmlns:ahsn="http://example.com/xmlns/ahsn">
  <title>Twitter / worstusernameevar</title>
  <id>tag:twitter.com,2007:Status</id>
  <link type="text/html" rel="alternate" href="http://twitter.com/worstusernameevar"/>
  <updated>2008-10-13T19:14:32+00:00</updated>
  <subtitle>Twitter updates from Worst Evar / worstusernameevar.</subtitle>
  <entry ahsn:rel="status-update">
      <title>Reading about HSN in Atom.</title>
      <id>tag:twitter.com,2007:[omitted]</id>
      <published>2008-10-13T15:15:54+00:00</published>
      <updated>2008-10-13T15:15:54+00:00</updated>
      <link type="text/html" rel="alternate"
            href="http://twitter.com/.../statuses/957716495"/>
  </entry>
</feed>

Of course, I'm not wedded to this encoding, just the general principle of putting HTML's rel attribute into Atom. I'm open to suggestions of how to do it better. Though I called it AHSN here, really this can be generalized to all values of rel in HTML.

Obviously for backward compatibility for now Action Stream implementations will have to hard-code some assumptions such as "twitter.com feeds have an implied rel of status-update", but hopefully new services can start to include this extra information so that Action Stream services can start to handle these things intelligently without needing to hard-code every possible publishing service.
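As an added illustration of the consumer side of this idea (not code from the post or from any Action Stream product), here is a small Python reader that takes an Atom feed, uses an entry's ahsn:rel when present, and otherwise falls back to the kind of hard-coded host-to-rel table the post describes. The ahsn namespace URI and the host table are assumed to match the sample above; the feed is constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlparse

ATOM = "{http://www.w3.org/2005/Atom}"
# The post is not wedded to this namespace; assumed here to match its sample.
AHSN_REL = "{http://example.com/xmlns/ahsn}rel"
# The backward-compatibility fallback the post describes: a feed with no
# ahsn:rel gets an implied rel from its publishing host (constructed table).
IMPLIED_REL = {"twitter.com": "status-update", "flickr.com": "photo"}

# Constructed feed: one entry annotated, one not, so the fallback is exercised.
FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:ahsn="http://example.com/xmlns/ahsn">
  <title>Twitter / worstusernameevar</title>
  <link type="text/html" rel="alternate" href="http://twitter.com/worstusernameevar"/>
  <entry ahsn:rel="status-update">
    <title>Reading about HSN in Atom.</title>
    <published>2008-10-13T15:15:54+00:00</published>
    <link rel="alternate" href="http://twitter.com/worstusernameevar/statuses/1"/>
  </entry>
  <entry>
    <title>Older, unannotated entry.</title>
    <published>2008-10-12T09:00:00+00:00</published>
    <link rel="alternate" href="http://twitter.com/worstusernameevar/statuses/0"/>
  </entry>
</feed>"""


def implied_rel(feed):
    """Fallback rel for an unannotated feed, keyed on its alternate link's host."""
    for link in feed.findall(f"{ATOM}link[@rel='alternate']"):
        host = (urlparse(link.get("href", "")).hostname or "").removeprefix("www.")
        return IMPLIED_REL.get(host)
    return None


def action_stream(atom_text):
    """Return (published, rel, href, title) tuples, newest first.

    Feeds are untrusted input; production code should parse with defusedxml.
    """
    feed = ET.fromstring(atom_text)
    fallback = implied_rel(feed)
    items = []
    for entry in feed.findall(f"{ATOM}entry"):
        rel = entry.get(AHSN_REL) or fallback      # explicit annotation wins
        when = entry.findtext(f"{ATOM}published")
        if rel is None or when is None:
            continue   # cannot classify or order this entry, so drop it
        link = entry.find(f"{ATOM}link[@rel='alternate']")
        href = link.get("href") if link is not None else None
        items.append((datetime.fromisoformat(when), rel, href,
                      entry.findtext(f"{ATOM}title")))
    return sorted(items, key=lambda item: item[0], reverse=True)
```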

As usual, I'm open to suggestions about how this idea can be improved.

by Martin Atkins at October 13, 2008 07:23 PM

Johannes Ernst

Why End-to-End Security is Important

The Telegraph reports:

...hundreds of chip and pin machines in stores and supermarkets across Europe have been tampered with to allow details of shoppers' credit card accounts to be relayed to overseas fraudsters.

These details are then used to make cash withdrawals or siphon off money from card holders' accounts in what is one of the largest scams of its kind.

...America's counterintelligence chief said: "Previously only a nation state's intelligence service would have been capable of pulling off this type of operation. It's scary."

An organised crime syndicate is suspected of having tampered with the chip and pin machines, either during the manufacturing process at a factory in China, or shortly after they came off the production line.

This is why using the idea of a claims transformer as the general panacea for identity issues has always been very scary to me: if you have a good claims transformer, you don't really (want to) know that it is there, but your security depends on the security of each and every claims transformer in the chain.

Here, nobody thought that the card reader (a claims transformer) was even a possible security issue. How many more claims transformers are there in the credit card (or any other) value chain, and how many of them are susceptible to similar attacks? I think we'll only know after the next attack has been detected on the next claims transformer in the chain ... one by one ... and that's even more scary.

It's also a very good example of how what works within an enterprise has little or no bearing on whether it works for a whole value chain, or the whole internet: in an enterprise you can enumerate and watch your claims transformers, even if it's hard. If you go beyond the enterprise, it's almost ridiculous to attempt and try ...

October 13, 2008 04:11 PM

Martin Atkins

A Round-trippable Mapping Between JSON and XML

One thing I like about JSON is that it has types that map nicely on to types found in most everyday programming languages: strings, numbers, booleans, arrays, maps and null. XML, on the other hand, has basically two types: "element" and string. Element doesn't map particularly well onto any everyday programming language. Apparently, though, some frameworks make it easier to parse XML than JSON. (Go figure!) Certain protocols are requiring XML to be supported as a lossy transformation of JSON. I got to thinking that it would be useful to have an XML-based data format that can map to and from JSON without losing information.

Here's a stab at it. The main goal here is to structure it so that if you don't care about JSON's types you can just ignore the annotations and do things "the XML way", with XPath or XQuery or whatever's your poison. If you want to map it to a native data structure in your programming language, all of the type information provided by JSON is available, albeit in a much more verbose way. Let me demonstrate with an example. Here's some JSON-encoded data:

{
	"displayName": "Martin Atkins",
	"urls": [
		"http://martin.atkins.me.uk/",
		"http://www.apparently.me.uk/"
	],
	"accounts": [
		{
			"domain": "plaxo.com",
			"username": "apparentlymart"
		},
		{
			"domain": "ma.gnolia.com",
			"username": "Mart"
		}
	],
	"human": true,
	"favoriteNumber": 5,
	"names": {
		"familyName": "Atkins",
		"givenName": "Martin"
	},
	"somethingElse": null
}

Now here's the equivalent XML-encoded-JSON:

<json:root xmlns:json="http://example.com/xmlns/json">
	<displayName>Martin Atkins</displayName>
	<urls>
		<json:li>http://martin.atkins.me.uk/</json:li>
		<json:li>http://www.apparently.me.uk/</json:li>
	</urls>
	<accounts>
		<json:li>
			<domain>plaxo.com</domain>
			<username>apparentlymart</username>
		</json:li>
		<json:li>
			<domain>ma.gnolia.com</domain>
			<username>Mart</username>
		</json:li>
	</accounts>
	<human json:type="boolean">true</human>
	<favoriteNumber json:type="number">5</favoriteNumber>
	<names>
		<familyName>Atkins</familyName>
		<givenName>Martin</givenName>
	</names>
	<somethingElse json:type="null" />
</json:root>

I'm sure you can guess the mapping from the above, but I'll spell it out a bit anyway:

  • The root element is always root in a special namespace.
  • Every JSON value maps onto an XML element where the name is not significant.
  • An object maps to an element with non-namespaced child elements representing the values with the element name set to the key name.
  • An array maps to an element with only namespaced li child elements, each of which represents a value from the array in order.
  • A scalar value maps to an element containing only a text node. If there's no type attribute it's considered to be a string. Otherwise, the type attribute can be boolean, number or null.
  • For scalar values of type boolean, the text content is either true or false.
  • For scalar values of type number the text content is the number written out in base ten with optional decimal digits separated by an ASCII period.
  • For scalar values of type null the text content is the empty string, or the element uses empty element syntax.

If all formats that are requiring both JSON and XML use something like the above for their XML, then the XML output becomes a more verbose serialization of the JSON data model, and the data model doesn't need to be dumbed down to fit inside XML. A single, generic library can be written that can do the mapping in both directions. The only constraint this places on the input JSON is that the key names must only contain characters valid in XML element names. Obviously the namespace doesn't necessarily need to have "json" in its name; it's just an example. I'm sure there must already be something like this out there, but all I can find is things for encoding XML as JSON -- usually lossily -- which seems like the wrong way around to me.
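The "single, generic library" the post calls for, as an added Python sketch that is not the author's code: it encodes any JSON value with the rules above, decodes it back, and enforces the one constraint the post states by rejecting keys that are not valid element names instead of emitting malformed XML. The namespace URI is the example one from the post.

```python
import json
import re
import xml.etree.ElementTree as ET

# The post calls its namespace URI an example; this value is assumed here.
JSON_NS = "http://example.com/xmlns/json"
ROOT, LI, TYPE = (f"{{{JSON_NS}}}{n}" for n in ("root", "li", "type"))
ET.register_namespace("json", JSON_NS)
# The post's one constraint: keys must be valid XML element names. Kept strict:
# ASCII NCName, no ':' (so a key cannot spoof the json: prefix), no "xml..." names.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")

def is_valid_key(key: str) -> bool:
    return bool(_NAME_RE.match(key)) and not key.lower().startswith("xml")

def _fill(elem, value):
    # Encode one JSON value into elem; element names carry no meaning.
    if isinstance(value, dict):
        for key, val in value.items():
            if not is_valid_key(key):
                raise ValueError(f"key {key!r} is not a valid XML element name")
            _fill(ET.SubElement(elem, key), val)
    elif isinstance(value, list):
        for item in value:
            _fill(ET.SubElement(elem, LI), item)
    elif value is None:
        elem.set(TYPE, "null")            # serialises as an empty element
    elif isinstance(value, bool):         # before int: bool subclasses int
        elem.set(TYPE, "boolean")
        elem.text = "true" if value else "false"
    elif isinstance(value, (int, float)):
        elem.set(TYPE, "number")
        elem.text = json.dumps(value)     # base-ten digits, optional '.'
    elif isinstance(value, str):
        elem.text = value                 # no type attribute means string
    else:
        raise TypeError(f"not a JSON type: {type(value).__name__}")

def json_to_xml(value) -> str:
    root = ET.Element(ROOT)
    _fill(root, value)
    return ET.tostring(root, encoding="unicode")

def _decode(elem):
    children = list(elem)
    if children:
        if all(c.tag == LI for c in children):
            return [_decode(c) for c in children]
        if any(c.tag == LI for c in children):
            raise ValueError("element mixes json:li and named children")
        return {c.tag: _decode(c) for c in children}
    # Caveat: the post's rules give {} and [] neither children nor a type
    # attribute, so both decode as "" here; a producer needs an extra marker.
    kind, text = elem.get(TYPE), elem.text or ""
    if kind is None:
        return text
    if kind == "null":
        return None
    if kind == "boolean" and text in ("true", "false"):
        return text == "true"
    if kind == "number":
        num = json.loads(text)
        if type(num) in (int, float):
            return num
    raise ValueError(f"bad scalar: type={kind!r} text={text!r}")

def xml_to_json(xml_text: str):
    root = ET.fromstring(xml_text)
    if root.tag != ROOT:
        raise ValueError("document root is not json:root")
    return _decode(root)
```

Feeding the post's example object through json_to_xml yields the XML document above, and xml_to_json returns the original object unchanged.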

by Martin Atkins at October 13, 2008 04:08 AM

October 12, 2008

Kaliya Hamlin

Identity - poem found in film.

I have often thought about how my work in this field has made me look at the world differently - I almost always have “identity” glasses on. I notice how people use the word. I notice when people talk about authentication and authorization, validation, verification and enrollment (often mixing all those all together or calling one something else).

Today I am watching a random Netflix movie that came (I have not been shepherding my queue very well). It is called Notebook on Cities and Clothes - it is about a Japanese fashion designer. To my surprise it opens with a poem by the film maker Wim Wenders - part way through, well, it turned to identity ….

“Identity”…
of a person,
a thing,
a place.

“Identity”.
The word itself gives me shivers.
It rings of calm, comfort, contentedness.
What is it, identity?
To know where you belong?
To know your self worth?
To know who you are?
How do you recognize identity?
We are creating an image of ourselves,
we are attempting to resemble this image…
Is that what we call identity?
The accord
between the image we have created
of ourselves
and … ourselves?
Just who is that, “ourselves”?

We live in the cities.
The cities live in us…
time passes.
We move from one city to another,
from one country to another.
We change languages,
we change habits,
we change opinions,
we change clothes,
we change everything.