Archive

Posts Tagged ‘openID’

iiw12: Trust Frameworks

May 4th, 2011

The IIW conference is again underway in Mountain View, CA. This is the 12th conference. I’m capturing some of the sessions in video and/or picture-enhanced audio streams. The latter option is important because the Computer History Museum offers free wi-fi, but for over 200 attendees it’s spread pretty thin.

Lately I’ve been beta testing out a low-bandwidth record/broadcast app for my phone called Chachanga. It captures the audio and pairs it with a picture, captured periodically from my phone’s camera. I started the recording a bit late in our first session–here’s most of the Trust Frameworks session with Drummond Reed of Connect.me.

Trust Framework diagram

What’s a Trust Framework? From the Open Identity Exchange (OIX):

In digital identity systems, a trust framework is a certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security, and privacy policies of the party who issues the credential (called the identity service provider) and vice versa.

Basically, it’s a system that helps establish trust between parties: including people (“users” in this picture), sites or services that can verify who you are, and sites or services that need to know who you are. The OIX offers several PDF whitepapers explaining more about Trust Frameworks.

Coaching moment: I care about trust frameworks because I want certain services to be available in a way that protects and assures me that what I want is accurately represented. For example, if I need to digitally prove I’m over 18, I might rely on the DMV to back up my claim. If I need to show that my eyes have 20:20 vision, my eye doctor or health care provider will vouch for me.

One interesting thing about this is that the parties in these scenarios don’t need to know or provide more information about me than necessary: Yes, over 18 years old, or Yes, 20:20 vision. There’s no extra or out of bounds sharing, like “18 years old and… (cue Facebook pictures).” This is about “just the facts” from parties who can be trusted (in a legal sense).


11 Identity Trends

January 31st, 2011

Salvatore D’Agostino at DigitalIDNews posted an article earlier in January, 11 identity trends to watch in 2011, in which he pointed out that despite the proposed National Strategy for Trusted Identities in Cyberspace and the Federal Identity, Credentialing and Access Management Guidance (Draft, PDF), “national ID programs, social networking, mobile and e-commerce are all moving out on their own.” The author’s list (with my emphasis) includes:

1. Mobile identity always has been and will continue to be the biggest game in town. Each year nearly 5 billion smart card technology subscriber identity modules are sold. And as smart phones grow in sophistication and as a result occupy an increasing percentage of user screen time they will become the most important area in the identity marketplace.

2. None of the Facebook, Google, OpenID triad will actually manage to issue trusted identities in 2011 and consumers will continue to fail to realize they are the product and not the customer for these and many other identity providers.

7. The User Managed Access work of the Kantara Initiative will gain support as it addresses the overarching requirement of the need for user control of personal information in the era of shared infrastructure.

9. Consumers will demand the adoption and benefits of commercial off-the-shelf application software to provide privacy and identity protection of data at rest and in motion via encryption and secure channels in their day to day communications with banks, health care organizations, and other organizations even in those states where it is not mandated.

11. Identity theft and fraud will continue to grow and be subsidized by consumers via premiums, user fees and interest rates without the mandate for strong interoperable identities. And while the National Strategy for Trusted Identities will talk the talk it remains to be seen if it can walk the walk.

Coaching moment: As passive customers of digital services, we are prone to greater influence and manipulation by the system, for the benefits of the system and not for ourselves. If we wish to empower ourselves–and the commercial marketplace generally–with better and more trustworthy practices, we will need to be active and even vocal supporters of the alternatives that lead us in that preferred direction. This isn’t as scary as it might seem. It just means making certain choices more mindfully, more aware of the cost of “free.”


Stateless Distributed Membership

May 26th, 2010

At this past IIW, I convened a session to ask if and how it might be possible to do a stateless distributed membership for a website. There are two main ideas behind this proposal. First, I don’t really NEED to have a membership database of my own. That is, I don’t need to have another place for you to create an account, user ID and password. We can use OpenID, Information Cards, or other technologies for authenticating and authorizing you. Second, if I want to move toward a world where you control your own data, I don’t need to maintain the database of your comments. I only need to know where your comments are stored so I can properly assemble things as needed. It’s convenient but not technically necessary to own and control all the bits myself.

My proposal for a Stateless Distributed Membership is a mouthful, so I’ll unpack it a bit. There are three parts: a membership, being stateless, and being distributed.

Membership

Let me start with the easy part. You probably understand the idea of membership as a group or association of people contributing to something like a conversation or project. They’re members of a group, or in my case, members of a conversation or project on my site. Nothing unusual about this idea.

Being Stateless

Next is the idea of being stateless. In computer science, the HTTP protocol that you use to call a web page and its associated resources is stateless: you request a page from the URL or a link in your browser, the server responds by sending the page, graphics, or whatever, and then you see it. Each request is separate; there’s no need to stay connected to the server. In my case, being “stateless” means that each transaction is independent. Eve Maler talks about a stateless identity in her post Both a data borrower and a data lender be:

This is a kind of data statelessness, in that when you tell various sites they can set, read, and republish your [information from your Personal Data Store], they’re letting go of any pretense of exclusive hosting control so that they can offer you a different kind of value.

Now, in the IdM and VRM worlds, some of us have been talking about identity statelessness for a while, which is similar but looks more like straight data-sharing (reading) rather than arbitrary service access (setting).

For some reason this is a tougher sell — even though CRM systems and user accounts are shot through with pale copies of stale data (and, in the enterprise case, even though syncing directories and replicating databases is brittle and no fun).

Even when one party — say, you yourself — is authoritative for some piece of personal data (like your home address), all the sites insist on making you provision a copy of this data into their profile pages by hand and by value, and insist on thinking they own something truly valuable even after you move and forget to tell them.

The bottom line: if I don’t insist on “owning” your data, we both will realize more value from our trust and flexibility. It’s daring, and in the larger scheme of things, I believe it’s a Good Thing.

Distributed

Finally, the term distributed refers to the fact that all parts of the conversation or projects are stored elsewhere on the net. If you wish to add a comment to a conversation on my server, your comment is added to your personal datastore (wherever it is, and whatever form it might take). When you wish to read the conversation, my server compiles the contributions as needed.

In this model, I do need to maintain a database of where to find your comments and a way to authorize you as the person who granted permission for me to include them in the conversation on my website. But think of it: if you want to revoke permission for me to use your comments, you can. How revolutionary (and potentially messy) is that?

Furthermore, you may choose to log in using an identity that’s different from the last one you used. That works on my server. For example, you might wish to be a regular person contributing to most conversations, but if you’re a professional fundraiser and one of the threads is about raising funds for a non-profit, you may wish to disclose your work and position in that context. Your two identities describe different parts of your life, and you may have good reasons to keep those parts separate.
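To make the pointer-and-grant model concrete, here is an added example in Python (mine, not code from this post or from any project it names): the site stores only where each comment lives and which identity granted its use, compiles the thread at read time from the members’ own stores, and revocation simply drops the pointer. The datastores and identity URLs are constructed in-memory stand-ins.

```python
from dataclasses import dataclass, field

# Constructed stand-in for members' personal datastores, keyed by store URL.
# The site holds no copy of these bodies; it only holds pointers into them.
DATASTORES = {
    "https://alice.example/data": {"c1": "Great session!", "c2": "One follow-up question."},
    "https://fundraising.example/alice": {"c3": "Speaking as a professional fundraiser..."},
    "https://store.example/bob": {"c4": "I see c1 differently."},
}

@dataclass
class Grant:
    identity: str    # identifier the member authenticated with (e.g. an OpenID URL)
    store: str       # where the comment lives; a pointer, never a copy
    comment_id: str
    revoked: bool = False

@dataclass
class Conversation:
    grants: list = field(default_factory=list)

    def add(self, identity, store, comment_id):
        self.grants.append(Grant(identity, store, comment_id))

    def revoke(self, identity, comment_id=None):
        """The member withdraws permission: drop the pointer(s); there is no copy to purge."""
        for g in self.grants:
            if g.identity == identity and comment_id in (None, g.comment_id):
                g.revoked = True

    def assemble(self, fetch=lambda store, cid: DATASTORES.get(store, {}).get(cid)):
        """Compile the thread at read time from each member's own store."""
        thread = []
        for g in self.grants:
            if g.revoked:
                continue
            body = fetch(g.store, g.comment_id)
            if body is not None:          # owner deleted it at the source: it is simply gone
                thread.append((g.identity, body))
        return thread

def build_thread():
    """Four contributions from two people; Alice uses a separate identity for work."""
    conv = Conversation()
    conv.add("https://alice.example/id", "https://alice.example/data", "c1")
    conv.add("https://alice.example/id", "https://alice.example/data", "c2")
    conv.add("https://alice.fundraising.example/id", "https://fundraising.example/alice", "c3")
    conv.add("https://bob.example/id", "https://store.example/bob", "c4")
    return conv
```

Because the thread is rebuilt on every read, a revocation or a deletion at the source takes effect immediately, with nothing left behind on the site to clean up.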

The IIW Session

In my session, I described this concept and asked what people thought about it. I offered three scenarios where people might interact. One of them: a conversation or forum where blog posts and trackbacks can help create a threaded conversation. The session is an hour-long exploration and discovery of the possibilities. If you have questions or can add a piece to this puzzle, I’d love to hear from you.

My heartfelt thanks go to the people with whom I’ve spoken about this, including =JeffH, Eve, the guy at the end of the video talking with me about trackbacks (I’m sorry I can’t find your name), several others who made great suggestions and shared ideas at my session, and Joe, who spent considerable time exploring underlying frameworks with me.

Coaching moment: You probably have more than one account online, and have likely cursed the problem of forgetting user names and passwords. You may have wished that the picture of you holding a beer wasn’t online for your boss to see. Maybe you’ve been spooked by an advertisement for something that you really didn’t want. If you could do things differently, what would you do? How do you handle your accounts now? Do you feel secure about your online practices? Do you even want to be in control? Not everyone does.


The State of Digital Identity

July 6th, 2009

This video is the first of eight parts of a panel discussion from RSA 2009: Panel of Identity Organizations. This panel discussion is a bit technical, with speakers talking about standards and how things work (or not). RSA, the company hosting this conference, is involved in security, cryptography, and related technologies.

The entire series in this panel discussion is about an hour long. Sometimes I don’t mind listening to discussions that are over my head in terminology or technical detail if I can take away a general idea of where things are. From this hour, I came to understand the following things:

  • open source, and more importantly open standards, are key to developing interoperable tools
  • making all of these ideas work together is “in progress” as there are lots of pieces in each idea
  • it’s tough to find a balance between putting us in control and giving us too much to control
  • there are many bright and determined minds working on this

Coaching moment: I’m optimistic that a day will come in which you can choose to represent yourself with greater detail. For example, you may not wish to “friend” everyone who asks you on Facebook or MySpace, and you might not follow everyone back on Twitter. If you did, you might want to choose to see (or not see) certain people in your friend or Twitter streams every day. It will be easy to, say, turn off “loudmouthguy” for a few days, or “use this account to log into those other accounts.”

Mind boggling, eh? Here’s the secret: it all gets down to trust and attention. Both are your most valuable assets.

Who in your life do you trust most? Who would you like to pay greatest attention to? Now imagine some form of customized slider bars that you could adjust for everyone you know: from 0 (not much trust or attention) to 10 (alert me if this person says anything). Once you set this up, what would your world be like?


IIW8: What was it all about?

June 17th, 2009

The Internet Identity Workshop (IIW8) was held in May 2009 at the Computer History Museum in Mountain View, CA. Here’s my brief conference report.

Coaching moment: Like most developments, first comes an idea then a discussion, followed by an implementation and testing. Thankfully most people aren’t involved in these early stages when things may not work well, or may take more patience or tech skills than you have. That said, it’s good to know what’s on the horizon. It helps you be aware of tools that will help you when they become available, and knowing about these tools helps counter some of the spin from companies that want to “help you” protect yourself.

