user centric digital identity, talk for computer science and telecommunications board, national...


Post on 18-Oct-2014


DESCRIPTION

I presented this talk on September 23 to the Computer Science and Telecommunications Board of the National Academies in Washington DC. It has three parts: 1) What is User Centric Digital Identity 2) What are the technologies that have been developed to date 3) Emerging work on developing a Personal Data Ecosystem.

TRANSCRIPT

Page 1: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

@identitywoman
http://www.identitywoman.net

[email protected]

National Academies

User-Centric Digital Identity

by Kaliya Hamlin

September 23

presentation to Computer Science and Telecommunications Board

Internet Identity Workshop http://www.internetidentityworkshop.com

Friday, September 24, 2010


Building Identity and Trust into the Next Generation Internet

asn.planetwork.net

Where does my personal inspiration about user-centric digital identity come from?


Who am I?

IDENTITY GANG! formed in 2004

Internet Identity Workshop
iiw.idcommons.net

www.internetidentityworkshop.com


Broad Base of Participation

BIG COMPANY SPONSORS: MSFT; PingID; SUN; Facebook; Google; Yahoo; Cisco; Plaxo; Commerce Net; Adobe; BT; Novell; Facebook; AOL; Ping Identity; Paypal / eBay

NONPROFIT SPONSORS: ISOC; Kantara/Liberty Alliance; Info Card Foundation; OASIS IDTrust; Mozilla; Higgins Project; Bandit Project; Planetwork; Internet Society

CORPORATE PARTICIPANTS: Paypal; Booz Allen Hamilton; Apple; Burton Group; Hewlett Packard; International Business Machines; Intuit; LexisNexis; Nippon Telegraph and Telephone Corporation; Nokia Siemens Networks; NRI; Oracle; Orange; Rackspace; Radiant Logic; Sony Ericsson; The MITRE Corporation; Tucows Inc; VeriSign, Inc.; Vodafone Group R&D; Alcatel-Lucent; Acxiom Identity Solutions; Acxiom Research; Equifax; LinkedIn; Amazon

SMALL COMPANY SPONSORS: FuGen Solutions; OUNO; Rel-ID; Poken; Vidoop; Chimp; Authentrus; Sxip; ClaimID

IETF; W3C; OASIS

SMALL COMPANY PARTICIPANTS: Ångströ; Digg, Inc.; Privo; Expensify; FamilySearch.org; FreshBooks; Gigya; Gluu; Janrain; Kynetx; NetMesh Inc.; Protiviti; Socialtext; TriCipher, Inc.; Trusted-ID; Wave Systems; Six Apart

NONPROFIT PARTICIPANTS: Center for Democracy and Technology; DataPortability Project; IdM Network Netherlands; OCLC; Open Forum Foundation; World Economic Forum

UNIVERSITY PARTICIPANTS: Goldsmiths, University of London; Newcastle University; Stanford University

GOVERNMENT PARTICIPANTS: Office of the Chief Information Office, Province of British Columbia

and more...


Unconference Format


What is User-Centric Digital Identity (including how it arose in contrast to non-user-centric identity)

Technologies have been developed to date: OpenID, Information Cards, XRD, OAuth, UMA, SAML

Emerging: The Personal Data Ecology

Talk Outline


What is Digital Identity?

http://www.flickr.com/photos/wertarbeit/3825274153/in/photostream/

http://www.digital-identities.com/

The »Gestalt« of digital identity


Identifiers: Single String

Claims: Pairs

Identifiers link things together and enable correlation.

They can be endpoints on the internet.

A claim is by one party about another or itself.

It does not have to be linked to an identifier.

Proving you are over 18 for example and not giving your real name.


What is User Centric Digital Identity?

Big Co.

Web 1.0 Web 2.0


What is User Centric Digital Identity?


The Identity Dog Represents 2 things:

* Freedom to be who you want to be

* Freedom to share more specific info about yourself that is validated


What is User Centric Digital Identity?


Freedom to Aggregate


Freedom to Disaggregate


XFreedom to Disaggregate


http://www.fullenglishfood.com/?p=799

XWhy does User Centric Digital Identity Matter?


Buddhist in Tennessee

http://wwp.greenwichmeantime.com/time-zone/usa/tennessee/map.htm
http://religions.iloveindia.com/buddhism.html


Women having the freedom not to present as women.

http://www.copyblogger.com/james-chartrand-underpants/

Why James Chartrand Wears Women’s Underpants


1) Live Journal Friends 2) Professional ID 3) Feminist Identity

1) Totally Professional on Domain, GMail, LinkedIn 2) Social but me on Facebook 3) Spiritual under pseudonym on Live Journal

1) Me linked to real name 2) Spiritual 3) Gaming

Real world examples of women managing different personae from She’s Geeky conference.


Goofy Habits or Hobbies


personal and political

Freedom of Expression


Teachers being able to drink socially when in own time.

BLIZZARD WoW in game ID vs “RealID” change

Young people free to explore themselves

Freedom of Action

this comes from not having all contexts linked together

How do people “get” User Centric Digital Identity today?

Hack it together with handles from web mail providers or on a service like Twitter


Challenge with e-mail addresses as identities: the communications token is the “ID”


Google profiles, Yahoo! profiles


Facebook, LinkedIn


What are our rights in these commercial spaces governed by Terms of Service?

How are we “citizens” in private space?

In physical life we have protection of our physical self - people will be prosecuted for harming us. What is the equivalent in online spaces?

Freedom to not be “erased” under TOS


Identifier side:

Own their own domain name.

Have a blog? Run an OpenID server?

Claims based side:

Almost impossible.

Little relying party adoption (places where 3rd party or self generated claims will be accepted)

Little client side app adoption

How do people “get” User Centric Digital Identity today?


Why have we yet to succeed? It is a REALLY hard problem set to solve for, User Centric Digital Identity that is:

1. open standards based

2. the scale of the internet + other digital systems

3. that people find usable

4. that they understand

5. that is secure

6. it requires emergence of new social behavior

7. and changes business models & norms


Isn’t just a technical problem

TECHNOLOGY

LEGAL

SOCIAL BUSINESS?


We are still the make the vision real

Are we succeeding! with particular protocols with various levels of adoption.


What were User Centric Digital Identities ideas arising in response to?


Corporate mediated ID (Facebook LinkedIn).

Desire to have online world map to how ID works in physical world - selective disclosure.

A Bazillion different accounts.

Identity is socially constructed not institutionally issued.

These reasons were covered in the above


Corporate Issued IDs from employers

http://www.smartdraw.com/blog/archive/2008/09/04/four-ways-to-make-your-org-charts-more-useful.aspx


frequent flier customer number

health insurance number
http://usresident.com/

Corporate Issued IDs for customers


The claim there is no separation between online and offline life


Participants in the Federated Social Web Summit. Pre-Open Source Convention

July 18th, 2010, Portland, Oregon, USA


Protocols are Political

http://www.treehugger.com/files/2010/07/thousands-of-undiscovered-plants-face-extinction.php http://www.moviecritic.com.au/your-favourite-cinematic-dystopian-future/

It gets to the heart of what it means to have a civil society, how we organize together. The choices made in creating these architectures now will shape the future.


OR


What is the context for people gathering?

“We’re trying to build a social layer for everything.”

- Mark Zuckerberg

Freedom to group and cluster outside commercial silos & business contexts.

Freedom of Movement and Assembly


Freedom to Peer-to-Peer Link

Freedom to determine how the link is seen by others


How can people and groups be first class objects on the web

(and other electronic networks)?


User Centric Digital Identity is the:

• Freedom to Aggregate

• Freedom to Disaggregate

• Freedom to not be “erased” under TOS

• Freedom of Movement and Assembly

• Freedom to Peer-to-Peer link & the Freedom to determine if the link is seen by others


Transition to Technology Section



+?

Can you have both?


OpenID 101 (identifier)


OpenID has a Ton of Issues

• security
• no payload - identifiers are not enough
• people donʼt understand format URL
• people donʼt have their own domains
• often 3rd level domain
• Nascar Problem
• ADOPTION

• Namespace issue - “solved Facebook”


Users take actions on your site
Users come to your site to consume your unique content. They take actions like commenting, reviewing, making purchases, rating, and more.

Users share with friends, who discover your site
With Facebook Connect, users can easily share your content and their actions with their friends on Facebook. As these friends discover your content, they click back to your site, engaging with your content and completing the viral loop.

Social features increase engagement
Creating deeper, more social integrations keeps users engaged with your site longer, and more likely to take actions they share with their friends. (For example — don't just show users what's most popular on your site, but what's most popular with their friends on your site.)

Connect


The response is a JSON object which contains some (or all) of the following reserved keys:

• user_id - e.g. "https://graph.facebook.com/24400320"
• asserted_user - true if the access token presented was issued by this user, false if it is for a different user
• profile_urls - an array of URLs that belong to the user
• display_name - e.g. "David Recordon"
• given_name - e.g. "David"
• family_name - e.g. "Recordon"
• email - e.g. "[email protected]"
• picture - e.g. "http://graph.facebook.com/davidrecordon/picture"

The server is free to add additional data to this response (such as Portable Contacts) so long as they do not change the reserved OpenID Connect keys.

Proposal for OpenID Connect
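
A relying party consuming the response described above could type-check the reserved keys, keep server-added data apart from them, and sign a user in only when asserted_user is true. This is an added example, not code from the talk or from the OpenID Connect proposal; the function names, the type and URL rules, the https requirement on user_id, and the sample values are assumptions of the example.

```python
import json
from urllib.parse import urlsplit

# Reserved keys listed on the slide, mapped to the JSON type each example implies.
# The type rules are an assumption of this example; the slide gives examples only.
RESERVED = {
    "user_id": str,
    "asserted_user": bool,
    "profile_urls": list,
    "display_name": str,
    "given_name": str,
    "family_name": str,
    "email": str,
    "picture": str,
}
URL_KEYS = ("user_id", "picture")


class UserInfoError(ValueError):
    """Raised when a response must not be used to sign a user in."""


def _is_http_url(value):
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def parse_userinfo(raw):
    """Return (reserved, extensions) after type-checking the reserved keys."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise UserInfoError("response is not JSON") from exc
    if not isinstance(doc, dict):
        raise UserInfoError("response is not a JSON object")

    reserved, extensions = {}, {}
    for key, value in doc.items():
        expected = RESERVED.get(key)
        if expected is None:
            # Server-added data (the slide mentions Portable Contacts) is kept
            # apart so it can never stand in for a reserved key.
            extensions[key] = value
        elif type(value) is not expected:
            raise UserInfoError(f"reserved key {key!r} has the wrong type")
        else:
            reserved[key] = value

    for key in URL_KEYS:
        if key in reserved and not _is_http_url(reserved[key]):
            raise UserInfoError(f"{key} is not an http(s) URL")
    for url in reserved.get("profile_urls", []):
        if not isinstance(url, str) or not _is_http_url(url):
            raise UserInfoError("profile_urls contains a non-URL entry")
    return reserved, extensions


def login_identifier(raw):
    """Return the user_id to key the local account on, or raise UserInfoError."""
    reserved, _ = parse_userinfo(raw)
    # asserted_user is false when the token belongs to a different user, so
    # anything other than a literal true is refused (policy of this example).
    if reserved.get("asserted_user") is not True:
        raise UserInfoError("access token was not issued by this user")
    user_id = reserved.get("user_id")
    if user_id is None:
        raise UserInfoError("response carries no user_id")
    if urlsplit(user_id).scheme != "https":
        raise UserInfoError("user_id must be an https URL")  # assumption
    return user_id


# Constructed sample responses: user_id, names and picture reuse the slide's
# example values; the email and the extension key are made up for the example.
_BASE = {
    "user_id": "https://graph.facebook.com/24400320",
    "asserted_user": True,
    "profile_urls": ["https://example.org/profile"],
    "display_name": "David Recordon",
    "given_name": "David",
    "family_name": "Recordon",
    "email": "user@example.com",
    "picture": "http://graph.facebook.com/davidrecordon/picture",
    "portable_contacts": {"entry": []},
}


def _sample(**overrides):
    return json.dumps({**_BASE, **overrides})


SAMPLE_OK = _sample()
SAMPLE_OTHER_USER = _sample(asserted_user=False)
SAMPLE_BAD_TYPE = _sample(asserted_user="true")

if __name__ == "__main__":
    print(login_identifier(SAMPLE_OK))
    for label, raw in (("other user", SAMPLE_OTHER_USER), ("bad type", SAMPLE_BAD_TYPE)):
        try:
            login_identifier(raw)
        except UserInfoError as err:
            print(f"{label}: rejected ({err})")
```
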


Information Cards (claims)

informationcard.net


Managed Cards Come in two Flavors

“Phones Home”: Employee issued ID (the employer sees where used)

Doesn’t “Phone Home”: Government Issued age verification (just like a drivers license in the real world)


Verified Anonymity (U-Prove)


Information Cards have a ton of issues:

• Relying Party Adoption
• why shift to claims from identifiers
• Where are the libraries and tools for Relying parties

• Client Download Required
• New User Experience
• What are Active Clients and How do they work

• Risk & Liability Models are Unclear
• If a claim is validated and it is untrue who is liable


More Technologies


XRD (the most successful standard arising from user centric ID community that you have never heard of)


Discovery = Patterns + Interfaces + Descriptors


XRDS --> XRD-Simple --> XRD (within XRI spec)

Evolution of Discovery


Application of XRI/XDI


OStatus isn't a new protocol; it applies some great protocols in a natural and reasonable way to make distributed social networking possible.

• Activity Streams encode social events in standard Atom or RSS feeds.

• PubSubHubbub pushes those feeds in realtime to subscribers across the Web.

• Salmon notifies people of responses to their status updates.

• Webfinger makes it easy to find people across social sites.


OAuth


User Managed Access


SAML

SAML has two parts
1. Authentication
2. Profiles

used in higher education


Big Challenge Protocol Interop


Big Challenges

RP adoption at scale.

Integration/adoption of active identity clients ("identity-in-the-browser") and/or cloud identity services.

Addressing the gap between what these protocols do (federated authentication, authorization, and simple third-party claims transfer) and what the market really needs (compelling solutions built on top of these tools that integrate other key components like personal data stores).

Harmonizing all of this with government policy and initiatives like US ICAM and NSTIC and UK Direct Gov open identity requirements.


ICAM and NSTIC

Portable trusted Identities for government.

With the ability to use commercially vetted identities to interact with government.

Reading NSTIC there is the potential to have verified anonymity be part of the ecology.


Trust Frameworks / Policy Repositories

[Diagram. Labels: Open Identity Exchange; Policy Repository for Trust Frameworks; Identity Providers; Relying Parties; Auditors; Other Auditor; Levels of Assurance; Levels of Protection; ICAM; John Steensen; Google; PayPal; Equifax; Yahoo!; OCLC; XAuth; PBS Kids]


The next frontier PERSONAL DATA


Generating More Data than Ever

I put on The Big Data Workshop April 23, 2010
http://www.bigdataworkshop.com


Less Control Than Ever


Can people control the flow of data about them from:

1. Self to others?
2. Self to institutions?


Do you have a copy of what you put out on the web?

Implicit and Explicit Data

More and more digital devices collecting more data


We should have our own picture of our “digital selves” or digital projection.

Questions:
• How do we get it (the picture - the data)?
• Who do we trust to manage it?
• How do we get insight into it?
• What is the legal protection it is afforded?


Who you are and what you care about should not be the possession of someone else.


Time/space stamping

You can reconstruct who it is without PII attached to it

It makes the technical architectures matter more and the legal frameworks critical.


Personal Data Store Ecology

Open Standards based Personal Data Stores with people, groups and businesses as first class objects. It will include full data portability and a range of services.


Personal Data Ecology

Friday, September 24, 2010

Page 122: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

Personal Data Ecology

Friday, September 24, 2010

Page 123: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

Personal Data Ecology

Friday, September 24, 2010

Page 124: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

Personal Data Ecology


Page 125: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

Personal Data Ecology


Page 126: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

Project VRM - 4th Parties

http://bit.ly/VRM4thParty


Page 127: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

Stack for Personal Data Banks & Personal Data Exchanges

by Marc Davis (from IIW10)

APPLICATIONS

EXCHANGE

REFINEMENT

STORAGE

ID + ENCRYPTION

DATA + META DATA

SOURCES

$

DATA


Page 128: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

Higgins Project:
• Persona Data Model 2.0
• Uses card metaphor
• RDF based
• Standardized at W3C
• APIs: XDI, OAuth, (soon) Activity Streams, PubSubHubbub, SPARQL
• 5+ year old project

XDI Stack:
• XDI based
• Supports Link Contracts
• Linkable dictionary of terms
• No user interface developed
• Standardized at OASIS
• Young project; code is just starting to be published on the web.

Are there others?


Page 129: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

Vision and Principles for the Personal Data Ecosystem

by Kaliya Hamlin

http://www.identitywoman.net/vision-principles-for-the-personal-data-ecosystem

• Dignity of the Individual is Core
• Systems Must Respect Relationships
• Remember the Greatness of Groups
• Protocols that Enable Broad Possibilities are Essential
• Open Standards for Data and Metadata are Essential
• Defaults Must Work for Most People Most of the Time
• Norms and Practices in the Personal Data Ecosystem Must be Backed up by Law
• Business Opportunities Abound in this New Personal Data Ecosystem
• Diversity is Key to the Success of the Personal Data Ecosystem


Page 130: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

PDX Principles by Phil Windley

• user-controlled
• federated
• interoperable
• semantic
• portability
• metadata management
• broker services
• discoverable
• automatable and scriptable

http://www.windley.com/archives/2010/09/pdx_principles.shtml

Page 131: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

As a community we are working on making the Personal Data Store Ecology.


Page 132: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

Questions
• What will be the open standards for data and metadata?
• What will be the legal frameworks for individual protection (do you have to get warrant to search)?
• What will be the legal framework for individual protection and freedom to remove data from services?
• What business structures can hold ?
• How is any of this going to be usable?
• How will data be protected, encrypted, etc.?
• How will people be able to store keys?
• What will be compelling reasons for adoption?
• Can industry make money and give user more control?
• How will the network work based on identifiers AND not have everything linkable?.... (ISOC is thinking a lot about this)


Page 133: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

Questions
• What is the right architecture for distributed groups?
• How are e-mails not the basis of all “social” transactions?
• How do mobile carriers participate in the personal data ecosystem?
• How do target populations have their needs met in the design of these systems?
    • Women
    • Sexual Minorities
    • People of Color
• How are mechanisms for the peer production of governance at the core of these systems?
• What to do about the namespace issue?


Page 134: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

Questions
• Can we make active clients usable?
• What are the defaults in these systems?
• How do we get away from cookies to give personalized services?
• What do user-agents do?
• How do user agents make contracts for the user?
• How are the data streams made available for agent based services model?


Page 135: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

I invite you to the next IIW
November 2-4, Mountain View, CA

Meet the community, learn a lot, and ask them what would be helpful research questions to consider.

http://www.internetidentityworkshop.com

Page 136: User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

@identitywoman
http://www.identitywoman.net

[email protected]

Kaliya Hamlin

Thank You!
