Wednesday
Oct 15 2003

Digital ID World, Grassroots Identity, Does It Have A Chance?

AKMA, Simon Grice, Doc Searls, Marc Canter, Simon Phipps

Simon Grice, CEO, Midentity: examples of grassroots nondigital identities include t-shirts, haircuts, tattoos ("Be Yourself" barcode), vanity plates. Examples of grassroots digital identities include personal email domains, mobile phone ring tones (staggering amounts spent on this). Examples of issued identities: passwords, drivers licenses, credit cards. Grassroots identity is created by the person whose identity it is. Why should enterprise be interested in grassroots identity?

Simon Phipps: privacy is a negative thing from a business standpoint, describes what you can't do. "No digital ID is an island; do not ask for whom the legislation tolls, it tolls for you." More and more, people are considering their identities a personal issue.

Marc Canter: there's a personalization feature that only 3% of AOL users use, because it sucks. Enterprise tech is now making its way to the home. Employees of an enterprise go home, have a life at home, and bring their WiFi, etc. with them.

Doc: I get the feeling sometimes at this conference that we're talking about farming at a convention for paving contractors. Do the pavers recognize the need for farming?

Audience member comments that it's a question of markets. Thinks there's room for farming if the farming is profitable. eBay.

Simon Phipps: eBay is a silo. Ringtones are another example, and they're about to do some nasty things to us. They're not designed to protect the user, but to suck the user in for other purposes.

Esther Dyson: I think we shouldn't confuse an identity with a social network. There's a great power to social networks if your goal is sales. But trust may be inversely proportional to linkage. You may be a great eBay seller, but a lousy babysitter. You may be a great date, but ... [laughs]. It would be a useful social indicator to compare, on a Friendster or other social network, the people who say they're your friends rather than the people YOU think are your friends.

Simon Phipps: Agrees, you can federate identity but you can't federate trust.

Cory Doctorow: Cory is skeptical that individuals can ever have the market power to get entities to accept their data in a DRM wrapper that they control. It's much more likely to work the other way.

Doc switches metaphors: we have a lot of dormant seeds out there. People won't care about having a grassroots digital identity until they find they can do something really cool with it.

Simon Grice, Marc Canter, Doc: Notion of selling your personal attributes to the highest bidder, we learned this didn't work. Instead, the models where you don't compromise the data that's yours will succeed. Doc thinks we have to sell relationships, or, as Esther puts it, attention. Right now, because relationships are isolated and structured, they don't work together. Coming up with one or two systems that allow that to happen will be the beginning of grassroots digital identity.

One of the things we're missing is a way to extend our identity in a contextual way into the digital environment. Marc Canter: yes, the essence of ID is context.

Doc, proxying for Andre Durand: there is something inherently sovereign about our own identities. What we're talking about is having more power to enter into market relationships and bring our own value to them.

Simon Phipps: online, we have secrets and public information. There's nothing in between. We're lacking a way to specify what you can do with semi-public information. We need a way to specify contexts and permissions for all information that is public or potentially public.

Doc, now proxying for David Sifry: email is a start to this. There are a series of social conventions around email.

Marc Canter can be bought. Objected in principle to supermarket reward cards, but a couple of $1 Thanksgiving turkeys put a quick end to that. He now guesses he's saved a couple of thousand dollars, and if they think they're getting value from his shopping habits, God bless them.

Doc: the whole concept of grassroots is relationships that begin somewhere and go somewhere. You lose this when all kinds of technical rules are imposed from the top.

Simon Phipps: the speed camera gives you a ticket when you're speeding your wife to the delivery room; the motorcycle cop gives you an escort.

Marc Canter: the things that a human values very often have nothing to do with lining anyone's pockets. I want to keep track of my music, manage my RSS feeds, interact with my friends, etc. I'm building my meme. If along the way someone can make a buck, I don't mind.

Simon Phipps: Unfortunately that view is unpopular with my CEO. [Laughs] Disclosure of the action, respecting and involving the person in the transaction, not engaging in subterfuge about what you're doing with your database, is key.

Simon Grice: whatever these applications are, they need to be incredibly simple. If I start having to use a number of different systems, I won't.

AKMA: if you think of digital ID as just a wallet, you're going to hit resistance. Must put the people first.

Doc: the consumers-as-plankton mindset, who just absorb whatever is cast to them, is done. Networked customers are much smarter than the typically envisioned "consumer." In a transaction based economy, the customer gets screwed. In a relationship based economy, this doesn't happen.

Marc Canter: some proof of this is how SMS routes around the Hollywood marketing machine for movies that stink. The message gets out from the opening screenings in a very rapid way.

Wednesday
Oct 15 2003

Digital ID World, Trusted Computing, Foundation of Identity

Eric Norlin, Peter Biddle, Steven Sprague (and guest appearance by Cory Doctorow)


Peter Biddle: Perimeter security no longer works. Enterprises are porous. Laptops disappear. CEOs use phones to do transactions with no proxy security, no WEP. Full access to email, databases, decision-making processes can be picked up on the table at Starbucks. Microsoft's response (Trusted Computing, NGSCB) is contextual: a user with specific needs when using a specific device.

Steven Sprague, Wave: Works on how to manage and deploy strong authentication in a simple manner. This is very powerful, inexpensive technology for anyone involved in enterprise security (and there are some widespread misperceptions about it). Right person walks up to the door, door opens, preferably automatically. Wrong person, preferably he's electrocuted.

Cory took the mike to describe the EFF's mixed feelings about Trusted Computing. You'll never find a better friend of crypto than the EFF. The EFF's problem with Trusted Computing is that it secures the computer against its owner. When you take away the ability to control your own computer, you open the door to anticompetitive activity that harms not only individuals but enterprises. We see things like forced downgrades (iTunes, reduction of features), IP litigation issues (NGSCB under fire for patent violation). EFF's solution is Owner Override (telling beneficial lies, in the tradition of Samba), but it loses us certain things like DRM.

Question to Peter: is the charge correct? In the gains v. losses calculus, the gains of Trusted Computing from an overall policy basis win out. The EFF's paper is fair, but it's wrong. On a system that has owner override, you have the ability to lie in a way that makes it impossible to detect the difference between lies and truth. So why would you trust an attestation if you know there's no guarantee of reliability?

Steven: Preexisting trusted relationships (your mom) vs. anonymity. If you wanted to reinforce the strength of software attestations, you could. Today, the ability to ensure purely virtual relationships that are not 100% fraudulent does not exist. There is a strong societal demand for better and context specific control over what and who goes where.

Peter: points out that we engage in cultural imperialism when we think we can build technology that takes into account globally applicable copynorms.

Cory: but you also shouldn't build software that takes away the public's copyrights, fair use rights, first sale rights, by default.

Steven: the consumer has done an excellent job of voting with his or her feet on this sort of thing.

[...]
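The Biddle/Doctorow exchange above turns on what a remote verifier can and cannot learn from an attestation. The following Python is an added illustration for this page, not code from the panel, from NGSCB or from the EFF's Owner Override proposal. It models a quote as a keyed MAC over a fresh nonce plus a digest of the platform measurements (a stand-in for the asymmetric signature a TPM would produce over PCR values; the verifier is assumed to hold the matching verification key), uses constructed "known good" measurement values, and runs four scenarios: an honest clean device, an honest tampered device, a replayed old quote, and an owner-override device that has the hardware quote the known-good values while running tampered software.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-ins for "known good" platform measurements (think PCR values).
KNOWN_GOOD = {
    "bootloader": hashlib.sha256(b"bootloader-1.0").hexdigest(),
    "kernel": hashlib.sha256(b"kernel-2.6").hexdigest(),
}


def measurement_digest(measurements):
    """Canonical digest of a measurement set so one quote covers every value."""
    canonical = json.dumps(measurements, sort_keys=True).encode()
    return hashlib.sha256(canonical).digest()


class AttestationKey:
    """Key held inside the device's trusted hardware. Software on the device
    can ask for a quote but cannot read the secret. HMAC stands in for the
    asymmetric quote signature a real TPM produces (assumption for this toy)."""

    def __init__(self):
        self._secret = os.urandom(32)

    def quote(self, nonce, measurements):
        # Binding the nonce into the MAC is what defeats replay of old quotes.
        msg = nonce + measurement_digest(measurements)
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def verify(self, nonce, measurements, signature):
        expected = self.quote(nonce, measurements)
        return hmac.compare_digest(expected, signature)


class HonestDevice:
    """Hardware quotes whatever was actually measured at boot."""

    def __init__(self, key, actual):
        self.key = key
        self.actual = dict(actual)

    def attest(self, nonce):
        return self.actual, self.key.quote(nonce, self.actual)


class OwnerOverrideDevice:
    """Owner may substitute the values that get quoted (the 'beneficial lie')."""

    def __init__(self, key, actual, claimed):
        self.key = key
        self.actual = dict(actual)
        self.claimed = dict(claimed)

    def attest(self, nonce):
        return self.claimed, self.key.quote(nonce, self.claimed)


def verifier_accepts(key, nonce, report):
    """Remote verifier: the quote must be valid for this nonce and the
    reported measurements must match the verifier's policy."""
    measurements, signature = report
    if not key.verify(nonce, measurements, signature):
        return False
    return measurements == KNOWN_GOOD


def run_scenarios():
    key = AttestationKey()
    tampered = dict(KNOWN_GOOD, kernel=hashlib.sha256(b"kernel-with-rootkit").hexdigest())
    results = {}

    nonce = os.urandom(16)
    results["honest_known_good"] = verifier_accepts(
        key, nonce, HonestDevice(key, KNOWN_GOOD).attest(nonce))

    nonce = os.urandom(16)
    results["honest_tampered"] = verifier_accepts(
        key, nonce, HonestDevice(key, tampered).attest(nonce))

    # Replay: a quote captured while the device was clean, presented later
    # against a fresh nonce from the verifier.
    old_report = HonestDevice(key, KNOWN_GOOD).attest(os.urandom(16))
    results["replayed_old_quote"] = verifier_accepts(key, os.urandom(16), old_report)

    # Owner override: the platform runs tampered software, but the owner has
    # the hardware quote the known-good values instead.
    nonce = os.urandom(16)
    results["owner_override_tampered"] = verifier_accepts(
        key, nonce, OwnerOverrideDevice(key, tampered, KNOWN_GOOD).attest(nonce))
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The verifier correctly rejects the tampered honest device and the replayed quote, but the owner-override report is byte-for-byte indistinguishable from an honest clean one: the quote is genuine, the nonce is fresh, and the values match policy. Nothing in the protocol lets the verifier tell the two apart, which is the point Biddle makes; whether that trade is worth making is the policy question the panel argued about.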

Wednesday
Oct 15 2003

Digital ID World, Digital Identity Primer

Phil Windley


Phil's useful talk focused on explaining the emerging standards for identity infrastructure, using examples like booking a flight and concurrently renting a car online, or setting up an ecommerce site online that also has a credit card processing facility. The identity standards that will enable these kinds of arms length transactions involving customers and one or more companies are XML signatures, XML encryption, SAML and SPML.

The final standard Phil discussed is XACML, which is more suited for internal use, and really more of a programming language. Phil discussed how organizational policies are communicated from top down, usually beginning with a Word document that can either get discarded or not translated to code and operations that are uniformly deployed to a company's servers. "Policies are a nice exercise that keep CIOs fully employed." XACML strives to solve this problem. The translation need only be done once, and enables uniform updates in a streamlined manner.
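As an added example for the XACML paragraph above (this is not from Phil's talk and is not XACML itself, whose policies are XML), here is a toy policy decision point in Python that has XACML's shape: a request carries attributes in subject, resource, action and environment categories; each rule has a target, an effect and an optional condition; and a deny-overrides combining algorithm turns the rule results into one decision. The payroll policy and its attribute names are constructed for the illustration. The point of the structure is the one Phil made: the prose policy is translated into data once, and every enforcement point evaluates the same object.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CATEGORIES = ("subject", "resource", "action", "environment")


@dataclass
class Request:
    """Attributes grouped the way XACML groups them."""
    subject: Dict[str, object]
    resource: Dict[str, object]
    action: Dict[str, object]
    environment: Dict[str, object] = field(default_factory=dict)


@dataclass
class Rule:
    rule_id: str
    effect: str                                  # "Permit" or "Deny"
    target: Dict[str, Dict[str, object]]         # per-category attribute equalities
    condition: Optional[Callable[[Request], bool]] = None


def target_matches(target, request):
    """A target applies when every attribute it lists equals the request's value."""
    for category in CATEGORIES:
        actual = getattr(request, category)
        for attr, value in target.get(category, {}).items():
            if actual.get(attr) != value:
                return False
    return True


def evaluate_rule(rule, request):
    """A rule yields its effect only if the target matches and the condition holds."""
    if not target_matches(rule.target, request):
        return "NotApplicable"
    if rule.condition is not None and not rule.condition(request):
        return "NotApplicable"
    return rule.effect


def deny_overrides(decisions):
    """Combining algorithm: any Deny wins, then Permit, else NotApplicable."""
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]
    combine: Callable[[List[str]], str] = deny_overrides

    def decide(self, request):
        return self.combine([evaluate_rule(r, request) for r in self.rules])


# Constructed policy: "Finance staff may read payroll records during business
# hours; contractors may never touch payroll." One data object, deployed everywhere.
PAYROLL_POLICY = Policy("payroll-access", [
    Rule("finance-reads-in-hours", "Permit",
         {"subject": {"department": "finance"},
          "resource": {"type": "payroll"},
          "action": {"id": "read"}},
         condition=lambda r: 9 <= r.environment.get("hour", -1) < 18),
    Rule("contractors-never", "Deny",
         {"subject": {"employment": "contractor"},
          "resource": {"type": "payroll"}}),
])


def decide(subject, resource, action, environment=None):
    return PAYROLL_POLICY.decide(Request(subject, resource, action, environment or {}))


def pep_allows(decision):
    """Enforcement point: only an explicit Permit opens the door. NotApplicable
    is treated as a denial so a gap in the policy fails closed."""
    return decision == "Permit"


if __name__ == "__main__":
    staff = {"department": "finance", "employment": "employee"}
    contractor = {"department": "finance", "employment": "contractor"}
    for who, hour in ((staff, 10), (staff, 20), (contractor, 10)):
        d = decide(who, {"type": "payroll"}, {"id": "read"}, {"hour": hour})
        print(who["employment"], hour, d, "allowed" if pep_allows(d) else "blocked")
```

Note the contractor case: the Permit rule matches (finance, payroll, read, business hours) and so does the Deny rule, and deny-overrides resolves the conflict. A staff member outside business hours gets NotApplicable rather than Deny, which is why the enforcement point must fail closed instead of looking only for an explicit Deny.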

"Federation" involves single sign-on between/across organizations (e.g., book a flight, rent a car), and encompasses issues beyond just the technological standards: policies, legal issues, etc. Sun was right: "The network is the computer." Some examples of the different kinds of efforts in this area include Liberty Alliance and Microsoft Passport (now built into .NET, and, in Phil's estimation, Microsoft's effort to dominate this area the way it has dominated the OS and business apps).

At this point, Cory Doctorow raised what may be the question of the conference: are these emerging standards all latent SCOs? Nobody is making representations about not suing over incorporation and re-use of the intellectual property involved in these standards. It makes sense to deal with these issues on the front end, rather than building infrastructure out of ideas that might be proprietary, or in any event claimed as proprietary further down the road. Cory: "We didn't build infrastructure out of GIFs [referring to the Unisys flap]; we're talking about building infrastructures out of XACML."

[...]

Phil's concluding thought: Security is something that happens when you have a good digital identity management strategy, but is not the focus.

Wednesday
Oct 15 2003

The Hottest Spot North Of Havana

Adam at the SCOTUSBlog runs down today's grants of certiorari by the Supreme Court, and advises the Court will take on COPA:



Ashcroft v. ACLU, No. 03-218, reviews the constitutionality of the Child Online Protection Act ("COPA"). COPA proscribes the commercial use on the Internet of "any material that is harmful to minors." The case was remanded by the Supreme Court in 2002 with instructions to consider the District Court's findings on issues other than the use of community standards to identify potentially harmful content. Upon rehearing, the Third Circuit reaffirmed its ruling that the Act is overbroad in violation of the First Amendment.



Links to the opinion under review and Washington Post coverage are there as well.

Wednesday
Oct 15 2003

Greetings From Digital ID World

Great turnout, there are several hundred people here, in addition to this conference's hallmark ubiquitous WiFi and aggregator of real time coverage.

Phil Becker: greetings, housekeeping, conference overview

Some discussion by George Eberstadt, nTag: the conference is using these tags to help bring attendees together. By making the badge dynamic, you can start the conversation at a point more relevant than "How's the weather?" The tags will swap business card information; attendees who customized their tag information will get a personalized Web page with all the contact information they've been sent, in several downloadable formats.

The tags use a form of collaborative filtering/referral methodology as well. If you're talking to someone who has already talked to someone whose interests you share, your tag lets you know.

Phil Becker [FYI, I've decided Phil's linkable identity is a search that lists his Digital ID World articles]: Digital ID World is the Identity Conversation. The goal of the conference is to provide context, perspective, and background, bring together those from different backgrounds who don't normally share ideas.

Phil thinks identity is the next organizing paradigm for computing of all kinds, that digital identity is extremely central to the story of what's happening right now. [Rolls clip from Sandra Bullock identity theft movie, The Net.] That movie was a decade ago now; people began to realize that the network becomes inherently hostile when you begin to connect everything. The network was built with a naively presumed trust that is not its natural state. The language that has developed speaks of quarantine: firewalls. Creating an island, safe from the hostile nature of the network. The last several years of doing this is what has focused the need for digital identity, so you don't lose the benefits of the network by walling everything off.

Identity management = organizing data about identity so that it is where it should be, and is not where it shouldn't. Today, identity management is concerned with infrastructure and administration, but ultimately, it's about the data. Management by identity = using identity to organize, manage, and secure computing processes. Will allow for networking of business and other human-related processes. Technology has now reached the point where networking across boundaries is possible, and soon that will become a requirement. Will promote and release productivity, because humans are networking animals, and build and use computers to solve the problems in front of them. People control things bigger than themselves through human networks: family, tribal, school—any long-term human relationship. Management by identity is coming into being because people want their tools to work the way they work. It doesn't, because it lacks the dynamic organization that humans do naturally.

Networks require trust to fully release their power; this is why networks result from long-term human relationships. Trust is not instantaneous, cannot be bought or created, can only be granted. Transparency is one of the surest paths to trust. Secrecy at any point makes trust more difficult to achieve. This is part of what makes computing in general intimidating. The current way we've built computing infrastructure is a limitation on where we need to go to make the tools work like we do in managing identity and trust. Reorganizing computing around identity is the solution. Security is one obvious benefit, but is just the beginning. The real key is the collaboration this also will enable. The Web browser taught people about the discovery and networking of documents in real time. This was the revelation that drove the first Internet boom (there will be many more). Web services are being designed to deliver the same kind of dynamic discovery and networking at the application and data levels. There's no way to do this except to manage by identity.

Federated identity is the first step. Integrates "silos" of identity into "networks" of identity. Seeks to allow integration of identity usage without requiring the integration of identity management, administration, or the identities themselves. This is a big part of what people at this conference are trying to accomplish. Focused on the user, who just wants everything to work and be organized in the unique way they want. It's impossible to pre-define all the ways users will want data and applications to be integrated. Businesses need the ability to integrate on demand, once applications become building blocks. Identity-centric techniques are the only ones that can possibly accomplish this.

In the enterprise, the portal actually has no natural boundaries. Ideally, it presents information dynamically. The user's identity and needs, coupled with the policies of the owner of the applications and data are the only organizing factors. Portability and rights management go hand in hand.

The maze of regulatory compliance. New laws are focusing on creating accountability or assurance about who did what with which data when? Privacy obviously is key. Privacy is a negative attribute, it's about what you agree not to do with data you have gathered. Today, privacy largely is enforced by policy. It needs to be created structurally and architecturally to be trustworthy. Authentication = an enabling portion of the identity infrastructure, making it easy for the right person to get through the door, and impossible for the wrong person to do so.

Identity thus is the central thread that will enable security, control, manageability, and accountability in a fully distributed network. Who is sitting at the computer makes all the difference. It will be a long time before it's natural, flows, is easy. But the way to get there is through identity. This conference is about that conversation.