user centric digital identity, talk for computer science and telecommunications board, national...
Post on 18-Oct-2014
DESCRIPTION
I presented this talk on September 23 to the Computer Science and Telecommunications Board of the National Academies in Washington DC. It has three parts: 1) What is User Centric Digital Identity; 2) What are the technologies that have been developed to date; 3) Emerging work on developing a Personal Data Ecosystem.
TRANSCRIPT
@identitywoman http://www.identitywoman.net
National Academies
User-Centric Digital Identity
by Kaliya Hamlin
September 23
presentation to Computer Science and Telecommunications Board
Internet Identity Workshop http://www.internetidentityworkshop.com
Friday, September 24, 2010
Building Identity and Trust into the Next Generation Internet
asn.planetwork.net
Where does my personal inspiration about user-centric digital identity come from?
Friday, September 24, 2010
Who am I?
IDENTITY GANG! formed in 2004
Internet Identity Workshop iiw.idcommons.net
www.internetidentityworkshop.com
Friday, September 24, 2010
Broad Base of Participation
BIG COMPANY SPONSORS: MSFT, PingID, SUN, Facebook, Google, Yahoo, Cisco, Plaxo, Commerce Net, Adobe, BT, Novell, Facebook, AOL, Ping Identity, Paypal / eBay
NONPROFIT SPONSORS: ISOC, Kantara/Liberty Alliance, Info Card Foundation, OASIS IDTrust, Mozilla, Higgins Project, Bandit Project, Planetwork, Internet Society
CORPORATE PARTICIPANTS: Paypal, Booz Allen Hamilton, Apple, Burton Group, Hewlett Packard, International Business Machines, Intuit, LexisNexis, Nippon Telegraph and Telephone Corporation, Nokia Siemens Networks, NRI, Oracle, Orange, Rackspace, Radiant Logic, Sony Ericsson, The MITRE Corporation, Tucows Inc, VeriSign, Inc., Vodafone Group R&D, Alcatel-Lucent, Acxiom Identity Solutions, Acxiom Research, Equifax, LinkedIn, Amazon
SMALL COMPANY SPONSORS: FuGen Solutions, OUNO, Rel-ID, Poken, Vidoop, Chimp, Authentrus, Sxip, ClaimID
IETF, W3C, OASIS
SMALL COMPANY PARTICIPANTS: Ångströ, Digg, Inc., Privo, Expensify, FamilySearch.org, FreshBooks, Gigya, Gluu, Janrain, Kynetx, NetMesh Inc., Protiviti, Socialtext, TriCipher, Inc., Trusted-ID, Wave Systems, Six Apart
NONPROFIT PARTICIPANTS: Center for Democracy and Technology, DataPortability Project, IdM Network Netherlands, OCLC, Open Forum Foundation, World Economic Forum
UNIVERSITY PARTICIPANTS: Goldsmiths, University of London; Newcastle University; Stanford University
GOVERNMENT PARTICIPANTS: Office of the Chief Information Office, Province of British Columbia
and more...
Unconference Format
What is User-Centric Digital Identity (including how it arose in contrast to non-user-centric identity)
Technologies that have been developed to date: OpenID, Information Cards, XRD, OAuth, UMA, SAML
Emerging: The Personal Data Ecology
Talk Outline
What is Digital Identity?
http://www.flickr.com/photos/wertarbeit/3825274153/in/photostream/
http://www.digital-identities.com/
The »Gestalt« of digital identity
Identifiers (single string) vs. Claims (pairs)
Identifiers link things together and enable correlation.
They can be endpoints on the internet.
A claim is by one party about another or itself.
It does not have to be linked to an identifier.
Proving you are over 18, for example, without giving your real name.
What is User Centric Digital Identity?
Big Co.
Web 1.0 Web 2.0
What is User Centric Digital Identity?
The Identity Dog represents 2 things:
* Freedom to be who you want to be
* Freedom to share more specific info about yourself that is validated
What is User Centric Digital Identity?
Freedom to Aggregate
Freedom to Disaggregate
X Freedom to Disaggregate
http://www.fullenglishfood.com/?p=799
X Why does User Centric Digital Identity Matter?
Buddhist in Tennessee
http://wwp.greenwichmeantime.com/time-zone/usa/tennessee/map.htm http://religions.iloveindia.com/buddhism.html
Women having the freedom not to present as women.
http://www.copyblogger.com/james-chartrand-underpants/
Why James Chartrand Wears Women’s Underpants
1) Live Journal Friends; 2) Professional ID; 3) Feminist Identity
1) Totally Professional on Domain, GMail, LinkedIn; 2) Social but me on Facebook; 3) Spiritual under pseudonym on Live Journal
1) Me linked to real name; 2) Spiritual; 3) Gaming
Real world examples of women managing different personae from She’s Geeky conference.
Goofy Habits or Hobbies
personal and political
Freedom of Expression
Teachers being able to drink socially when in own time.
Blizzard WoW in-game ID vs “RealID” change
Young people free to explore themselves
Freedom of Action
this comes from not having all contexts linked together
How do people “get” User Centric Digital Identity today?
Google profiles, Yahoo! profiles
Facebook, LinkedIn
Hack it together with handles from web mail providers or on a service like Twitter
Challenge with e-mail addresses as identities: the communications token is the “ID”
What are our rights in these commercial spaces governed by Terms of Service?
How are we “citizens” in private space?
In physical life we have protection of our physical self - people will be prosecuted for harming us. What is the equivalent in online spaces?
Freedom to not be “erased” under TOS
Identifier side:
Own their own domain name.
Have a blog? Run an OpenID server?
Claims based side:
Almost impossible.
Little relying party adoption (places where 3rd party or self-generated claims will be accepted)
Little client side app adoption
How do people “get” User Centric Digital Identity today?
Why have we yet to succeed? It is a REALLY hard problem set to solve for. User Centric Digital Identity that is:
1. open standards based
2. the scale of the internet + other digital systems
3. that people find usable
4. that they understand
5. that is secure
6. it requires emergence of new social behavior
7. and changes business models & norms
Isn’t just a technical problem
TECHNOLOGY
LEGAL
SOCIAL BUSINESS?
Are we succeeding? We are still working to make the vision real, with particular protocols at various levels of adoption.
What were User Centric Digital Identity ideas arising in response to?
Corporate mediated ID (Facebook LinkedIn).
Desire to have online world map to how ID works in physical world - selective disclosure.
A Bazillion different accounts.
Identity is socially constructed not institutionally issued.
These reasons were covered above.
Corporate Issued IDs from employers
http://www.smartdraw.com/blog/archive/2008/09/04/four-ways-to-make-your-org-charts-more-useful.aspx
frequent flier customer number
health insurance number http://usresident.com/
Corporate Issued IDs for customers
The claim that there is no separation between online and offline life
Participants in the Federated Social Web Summit. Pre-Open Source Convention
July 18th, 2010, Portland, Oregon, USA
Protocols are Political
http://www.treehugger.com/files/2010/07/thousands-of-undiscovered-plants-face-extinction.php http://www.moviecritic.com.au/your-favourite-cinematic-dystopian-future/
It gets to the heart of what it means to have a civil society, how we organize together. The choices made in creating these architectures now will shape the future.
OR
What is the context for people gathering?
“We’re trying to build a social layer for everything.”
- Mark Zuckerberg
Freedom to group and cluster outside commercial silos& business contexts.
Freedom of Movement and Assembly
Freedom to Peer-to-Peer Link
Freedom to determine how the link is seen by others
How can people and groups be first class objects on the web (and other electronic networks)?
User Centric Digital Identity is the:
• Freedom to Aggregate
• Freedom to Disaggregate
• Freedom to not be “erased” under TOS
• Freedom of Movement and Assembly
• Freedom to Peer-to-Peer link & the Freedom to determine if the link is seen by others
Transition to Technology Section
+?
Can you have both?
OpenID 101 (identifier)
OpenID has a Ton of Issues
• security
• no payload - identifiers are not enough
• people don’t understand the URL format
• people don’t have their own domains
• often 3rd level domain
• Nascar Problem
• ADOPTION
• Namespace issue - “solved Facebook”
Users take actions on your site: Users come to your site to consume your unique content. They take actions like commenting, reviewing, making purchases, rating, and more.
Users share with friends, who discover your site: With Facebook Connect, users can easily share your content and their actions with their friends on Facebook. As these friends discover your content, they click back to your site, engaging with your content and completing the viral loop.
Social features increase engagement: Creating deeper, more social integrations keeps users engaged with your site longer, and more likely to take actions they share with their friends. (For example — don't just show users what's most popular on your site, but what's most popular with their friends on your site.)
Connect
The response is a JSON object which contains some (or all) of the following reserved keys:
• user_id - e.g. "https://graph.facebook.com/24400320"
• asserted_user - true if the access token presented was issued by this user, false if it is for a different user
• profile_urls - an array of URLs that belong to the user
• display_name - e.g. "David Recordon"
• given_name - e.g. "David"
• family_name - e.g. "Recordon"
• email - e.g. "[email protected]"
• picture - e.g. "http://graph.facebook.com/davidrecordon/picture"
The server is free to add additional data to this response (such as Portable Contacts) so long as they do not change the reserved OpenID Connect keys.
Proposal for OpenID Connect
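As an added example (not code from the talk or from the OpenID Connect proposal), this is a relying-party-side check of a response object in the shape described above: reserved keys are type-checked, server-added extra data is kept apart so it can never shadow a reserved key, and asserted_user gates whether user_id may be treated as the logged-in user. The sample response, its hostnames and the rule that user_id must be an absolute http(s) URL are this example's own assumptions.

```python
import json
from urllib.parse import urlparse

# Reserved keys named in the 2010 OpenID Connect proposal, with the JSON type
# each must carry. Any other key is server-added extra data (e.g. Portable Contacts).
RESERVED_KEYS = {
    "user_id": str,         # e.g. "https://graph.facebook.com/24400320"
    "asserted_user": bool,  # true only if the token was issued by this user
    "profile_urls": list,   # URLs that belong to the user
    "display_name": str,
    "given_name": str,
    "family_name": str,
    "email": str,
    "picture": str,
}

SAMPLE_RESPONSE = json.dumps({  # constructed sample; not from the talk or a real server
    "user_id": "https://op.example.net/users/24400320",
    "asserted_user": True,
    "profile_urls": ["https://example.org/alice"],
    "display_name": "Alice Example",
    "given_name": "Alice",
    "family_name": "Example",
    "email": "alice@example.org",
    "picture": "https://op.example.net/users/24400320/picture",
    "contacts": [{"displayName": "Bob"}],  # extra data the server chose to add
})

class InvalidResponse(ValueError):
    """Raised when a response breaks the reserved-key rules."""

def parse_userinfo(raw):
    """Split a response into (reserved, extra) dicts. Reserved keys of the wrong
    type are rejected; extra keys are kept apart so they never shadow a reserved one."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise InvalidResponse(f"not JSON: {exc}") from None
    if not isinstance(data, dict):
        raise InvalidResponse("response must be a JSON object")
    reserved, extra = {}, {}
    for key, value in data.items():
        expected = RESERVED_KEYS.get(key)
        if expected is None:
            extra[key] = value
        elif isinstance(value, expected):
            reserved[key] = value
        else:
            raise InvalidResponse(f"{key} must be a JSON {expected.__name__}")
    # user_id is what the RP keys its account on; requiring an absolute http(s)
    # URL is this example's assumption, not wording from the proposal.
    parts = urlparse(reserved.get("user_id", ""))
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise InvalidResponse("user_id must be an absolute http(s) URL")
    if any(not isinstance(u, str) for u in reserved.get("profile_urls", [])):
        raise InvalidResponse("profile_urls must contain only strings")
    return reserved, extra

def may_log_in(reserved):
    """Only treat user_id as the logged-in user when asserted_user is true;
    false means the access token belongs to a different user."""
    return reserved.get("asserted_user") is True
```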
Information Cards (claims)
informationcard.net
Managed Cards Come in two Flavors
• “Phones Home”: Employee issued ID; the employer sees where it is used
• Doesn’t “Phone Home”: Government issued age verification, just like a driver’s license in the real world
Verified Anonymity (U-Prove)
Information Cards have a ton of issues:
• Relying Party Adoption
• why shift to claims from identifiers
• Where are the libraries and tools for Relying parties
• Client Download Required
• New User Experience
• What are Active Clients and How do they work
• Risk & Liability Models are Unclear
• If a claim is validated and it is untrue, who is liable
More Technologies
XRD (the most successful standard arising from user centric ID community that you have never heard of)
Discovery = Patterns + Interfaces + Descriptors
XRDS --> XRD-Simple --> XRD (within XRI spec)
Evolution of Discovery
Application of XRI/XDI
OStatus isn't a new protocol; it applies some great protocols in a natural and reasonable way to make distributed social networking possible.
• Activity Streams encode social events in standard Atom or RSS feeds.
• PubSubHubbub pushes those feeds in realtime to subscribers across the Web.
• Salmon notifies people of responses to their status updates.
• Webfinger makes it easy to find people across social sites.
OAuth
User Managed Access
SAML
SAML has two parts: 1. Authentication 2. Profiles
used in higher education
Big Challenge Protocol Interop
Big Challenges
RP adoption at scale.
Integration/adoption of active identity clients ("identity-in-the-browser") and/or cloud identity services.
Addressing the gap between what these protocols do (federated authentication, authorization, and simple third-party claims transfer) and what the market really needs (compelling solutions built on top of these tools that integrate other key components like personal data stores).
Harmonizing all of this with government policy and initiatives like US ICAM and NSTIC and UK Direct Gov open identity requirements.
ICAM and NSTIC
Portable trusted Identities for government.
With the ability to use commercially vetted identities to interact with government.
Reading NSTIC there is the potential to have verified anonymity be part of the ecology.
Trust Frameworks / Policy Repositories (diagram): Identity Providers (PayPal, Equifax, Yahoo!) with Levels of Assurance; Relying Parties (ICAM - John Steensen, OCLC, XAuth, PBS Kids) with Levels of Protection; Auditors (Open Identity Exchange and other auditors); a Policy Repository for Trust Frameworks connecting them.
The next frontier PERSONAL DATA
Generating More Data than Ever
I put on The Big Data Workshop April 23, 2010 http://www.bigdataworkshop.com
Less Control Than Ever
Can people control the flow of data about them from:
1. Self to others? 2. Self to institutions?
Do you have a copy of what you put out on the web?
Implicit and Explicit Data
More and more digital devices collecting more data
We should have our own picture of our “digital selves” or digital projection.
Questions:
• How do we get it (the picture - the data)?
• Who do we trust to manage it?
• How do we get insight into it?
• What is the legal protection it is afforded?
Who you are and what you care about should not be the possession of someone else.
Time/space stamping
You can reconstruct who it is without PII attached to it
It makes the technical architectures matter more and the legal frameworks critical.
Personal Data Store Ecology
Open Standards based Personal Data Stores with people, groups and businesses as first class objects. It will include full data portability and a range of services.
Personal Data Ecology
Project VRM - 4th Parties
http://bit.ly/VRM4thParty
Stack for Personal Data Banks & Personal Data Exchanges
by Marc Davis (from IIW10)
Layers (top to bottom): APPLICATIONS, EXCHANGE, REFINEMENT, STORAGE, ID + ENCRYPTION, DATA + META DATA, SOURCES; $ and DATA flow between the layers.
Higgins Project / XDI Stack (are there others?)
Higgins Project:
• Persona Data Model 2.0, uses card metaphor
• RDF based, standardized at W3C
• APIs: XDI, OAuth, (soon) Activity Streams, PubSubHubbub, SPARQL
• 5+ year old project
XDI Stack:
• XDI based, supports Link Contracts, linkable dictionary of terms
• No user interface developed, standardized at OASIS
• Young project; code is just starting to be published on the web.
Vision and Principles for the Personal Data Ecosystem
by Kaliya Hamlin
http://www.identitywoman.net/vision-principles-for-the-personal-data-ecosystem
• Dignity of the Individual is Core
• Systems Must Respect Relationships
• Remember the Greatness of Groups
• Protocols that Enable Broad Possibilities are Essential
• Open Standards for Data and Metadata are Essential
• Defaults Must Work for Most People Most of the Time
• Norms and Practices in the Personal Data Ecosystem Must be Backed up by Law
• Business Opportunities Abound in this New Personal Data Ecosystem
• Diversity is Key to the Success of the Personal Data Ecosystem
PDX Principles by Phil Windley
user-controlled, federated
interoperable, semantic
portability, metadata management
broker services, discoverable
automatable and scriptable
http://www.windley.com/archives/2010/09/pdx_principles.shtml
As a community we are working on making the Personal Data Store Ecology.
Questions
• What will be the open standards for data and metadata?
• What will be the legal frameworks for individual protection (do you have to get a warrant to search)?
• What will be the legal framework for individual protection and freedom to remove data from services?
• What business structures can hold ?
• How is any of this going to be usable?
• How will data be protected, encrypted, etc.?
• How will people be able to store keys?
• What will be compelling reasons for adoption?
• Can industry make money and give users more control?
• How will the network work based on identifiers AND not have everything linkable?.... (ISOC is thinking a lot about this)
Questions
• What is the right architecture for distributed groups?
• How are e-mails not the basis of all “social” transactions?
• How do mobile carriers participate in the personal data ecosystem?
• How do target populations have their needs met in the design of these systems? Women; Sexual Minorities; People of Color
• How are mechanisms for the peer production of governance at the core of these systems?
• What to do about the namespace issue?
Questions
• Can we make active clients usable?
• What are the defaults in these systems?
• How do we get away from cookies to give personalized services?
• What do user-agents do?
• How do user agents make contracts for the user?
• How are the data streams made available for an agent based services model?
I invite you to the next IIW, November 2-4, Mountain View, CA
Meet the community, learn a lot, and ask them what would be helpful research questions to consider.
http://www.internetidentityworkshop.com
@identitywoman http://www.identitywoman.net
Kaliya Hamlin
Thank You!