Conceptual Models and Reassuring Confirmations
This material is from April 2006, while I was preparing for IIW 2006a, my first visit. I notice that there has been progress, but I am not sure that progress has been so much on this topic. I'm still pretty much a beginner (except now I have a couple of Information Cards) and it is still a pain in the butt to have e-mail exchanges with Johannes. Hmm ...
-- Orcmid 17:06, 27 November 2007 (PST)
What conceptual models are encouraged? How am I to understand what is happening? What conceptual pitfalls and misattributions are to be avoided?
How can they be used to inspire confidence? How do they afford demonstrated security of information and operation?
What are the trust requirements? Who am I trusting? What has them be trustworthy for me?
What are the threats? How are they mitigated? Who/what can I rely on in the event of an exploit or incident?
Some Beginners-Mind Experiences
It will be obvious that I really am a beginner, and I am out to capture everything that happens and where I go wrong before I start to absorb too much of the craft of this and no longer see any roadblocks.
Some links presumably to this Wiki raised a SocialText signon screen. There is no explanation of why and how one could have or obtain a SocialText signon.
A Welcome to IIW e-mail invited participation on this Wiki (for sure), and said that the site is OpenID-enabled. There was no suggestion that there was any alternative means of registration.
I went through the OpenID registration process and I succeeded. I thought (probably reading too much about URL-based identity tokens) that my OpenID became http://orcmid.myopenid.com but I was mistaken. I should have realized that "orcmid" is the OpenID, I just read too much into the URL business. I figured the whole URL was required to establish some sort of context or authority regime for the ID.
Next, on attempting to register myself here, I had some miserable failures using the myOpenID URL. The behavior was inscrutable. There was no explanatory message and I ended up at a mostly-blank screen with no idea what I had or had not accomplished. I was pretty sure that I wasn't registered with the site, because the little "Login" link was still in the upper right corner of the page. I even used my myOpenID password along with the URL and that didn't make any difference at all. (I knew that was dangerous, but I wasn't that concerned about the sanctity of my OpenID. I was simply out to find any use case that works at all.)
I finally attempted "orcmid," with no password, and it worked just fine. In fact, it worked scarily well. "Orcmid" was simply accepted and I wasn't asked to authenticate myself in any way. This is when things got eerie, because I have no idea what had that all be so agreeable. One can certainly see that "orcmid" is a myOpenID (and I guess that means it is an OpenID by however that is coordinated), but I somehow missed the step by which it was determined that the person/computer from which the ID is being used is somehow associated with the person/computer to whom the ID has been "issued."
Even stranger, if I remember correctly (it is all a blur now), I was asked to provide descriptive information for myself. So basically, I had to do everything I would have gone through for a site-specific registration, except it took me longer to figure out how to get in and I never presented a password or created one at any time. (I am moderately confident that there are cookies lying about that have something to do with this. I'm not going to clear my cookie cache just to see what that does, just yet. That will be a new experience.)
Today, Johannes points out that this Wiki is YADIS-enabled. Well, that's cool. Does that mean I could have used the myLID that I already have? How could I do that? Can I still do that or will that mess up my "identity" here? So I probably won't try it, because I see no way to manage it. (I don't use myLID because I find the e-mail authenticating service a bit weird and I already have and use PKI-based digital signatures and encryption on e-mail, but those are other experiences.)
At the end, I have no idea what the OpenID protocol is and what the basis is for regarding it as a secure identification scheme. I think it is proposed to be a single-signon system, but the failure to have me authenticate in a visit to a new site has me think that the authentication is really, really weak. And how that ties into YADIS is a complete mystery at another level.
I'll keep playing.
-- Orcmid 12:20, 14 April 2006 (MDT) (hmm, not my time zone there)
Oh, another interesting aspect of registration. I also received an e-mail confirmation message that wanted to let the user of my e-mail account know that someone had registered under the name orcmid on this wiki. I had to do the usual click-through to accept the registration as valid (with respect to whatever it is the recipient at my e-mail account might mean by all that). Now, I may have done enough different things to provoke this, but I think it came from providing my profile, after I got my OpenID to let me in.
I figure this is all a work in progress. I would like to see an account for how it is being developed, what the speed bumps are, and also what the target is. I think that would be very useful in terms of experiences and ways of confirming what is going on for newcomers and beginners.
-- Orcmid 13:19, 17 April 2006 (MDT)
A Little More Experience: Getting Started
Checking on the source of changes to the suggested topics, I saw that Johannes managed to use his myLID as a user identification here. That's clever. I wonder how that got through the registration page. I'm guessing that it was done as a non-OpenID manual registration, but don't know for sure.
I'm definitely interested in the Getting Started topic. I think that would be a good way for newbies such as myself to contribute to this conversation. It would be great to make cyber-identity understandable and the mechanisms transparent for anyone.
-- Orcmid 17:16, 16 April 2006 (MDT)
The Federation in the Sky
I was recently moved to do two things:
- Comment on Johannes Ernst's blog about some things.
- Add the LID icon and my myLID identity thingy, uh, token, alongside my name on the "Who's Coming" page.
Commenting on Johannes's blog is really painful, because there is no comment mechanism, although there is something like a LIDwriteback, but following those links says that LID-authenticated Trackback is not yet implemented (and will be bloody awful for those of us whose blogging software doesn't do trackbacks and completely useless for those who have no blogging software and want to comment). The offered alternative is that a comment must be left. The next line apologizes for the fact that comments are not enabled at this time.
So the other way is to send Johannes a message. This means I must use the very strange LID mechanism for sending messages from one LID-authenticated user to another. It is also done on the web, I get no copy of my own message, and it is through an inscrutable intermediary.
Johannes likes this sort of thing, so he notices my LID identity and sends a LID-authenticated message to me. These messages are actually kind of sucky. I don't think I can reply to them, they are pretty opaque, and they leave me feeling queasy, like I am in a group of people who can't shake hands without putting on surgical gloves and face masks first. This whole deal is socially off-putting and *it* *makes* *me* *work* *too* *damned* *hard* for no compensating benefit to me.
Here's the message as the myLID system managed to deliver it to me:
-----Original Message-----
From: firstname.lastname@example.org
Sent: Thursday, April 27, 2006 11:16
To: email@example.com
Subject: LID Message for me

The user with LID http://mylid.net/jernst sent the following message through your LID URL http://mylid.net/orcmid. As you expect from LID, your e-mail address was not revealed.

----- START LID MESSAGE -----
Hi there, saw your LID icon on the IIW attendee list. Are you aware that your MyLID.net URL is now also an OpenID? And Yadis-enabled? Looking forward to meeting you next week. Johannes.
----- END LID MESSAGE -----
I am very much looking forward to meeting Johannes too. His being there was the tip-over factor in my registering and making some complicated arrangements to be able to attend. Now that Eugene Eric Kim and Kim Cameron and others are on the list too, I am becoming excited about this event. I'm also feeling stupid and will have to find a way to at least take the Yadis, OPML, LID, Sxip, and other documents along with me so I can refer to them while there.
Now, I have no interest in the fact that having a LID identifier (I think it is http://mylid.net/orcmid) allows me to stay anonymous to people who want to send me e-mail. This is apparently a cool thing for Johannes, but (1) I have no interest in having it be that hard for other people to reach me, (2) I publicize my e-mail address all over the place, and I willingly struggle through my spam folder to make sure that people unknown to me can reach me. I do this even though one of my very old e-mail addresses is apparently a popular disguise for nasty-grams for which I receive the postmaster notices about needing to validate, being undeliverable, etc. I never send mail with that origin, so I know it's not me. I may close that account completely, now, since my "orcmid" identity is pretty well established (ask Google). And I established it the hard way.
The other problem is that the LID-mediated messages arrive in terribly sterile condition. The sender is not something it is useful to file under. The subject line is even worse. What happens if I receive several of these? These are impossible. So this is decidedly unfriendly with respect to all of my tools, all of my work practices around e-mail, and so on.
The other problem with sending Johannes a message via the form on his blog is that, when I was kicked over to myLID to authenticate myself, it left me there. So I had no idea whether the message was actually sent, etc. So I went back (by using the Back button in my browser) and sent the message again. The second time I found there was a way to see a log of my actions with my myLID identity (token or whatever I should call it), and I could see that myLID thought I had passed muster and sent Johannes a message. I have no idea. He hasn't replied to it so I don't know if that process worked or not, and now I can't even remember what I said.
I commented somewhere that I found this experience sending a message to Johannes to be lame, where a calibration on "lame" was that Passport is friendlier and easier to use (and preferable). In fact, using PKI and my (and others') digital signatures (from VeriSign in this case) for sending e-mail via SMTP/POP3 is also way more effortless. I am accustomed to this. It takes two extra clicks and no entries to sign a message. It takes almost no effort to receive a signed message. And this is something that people think is too hard! Imagine how getting anything done with LID and OpenID fits on that scale.
OK, one more thing. Johannes is happy to let me know that LID is an OpenID and at least LID is Yadis-enabled. No, I didn't know that. I also have no idea what that means I can do. I got an OpenID because Phil Windley said I needed one in his IIW welcome e-mail. I already had a LID. I would have had no reason to try it on the log-in/registration for this wiki. I had enough trouble figuring out what my actual OpenID was. (I am happy that it is just "orcmid", I just didn't expect it to be that simple, and I still don't see how I was ever authenticated to this wiki, which ended up doing an ordinary e-mail confirmation link-back check anyhow). And so far, I have no idea what it means to me that LID and perhaps OpenID are Yadis-enabled.
The bottom line. There's far more work needed to get the use cases and interactions with these systems to be easy for end-users and to have them stay out of the users' way as much as possible. I'm sure that will be done (for the survivors). It just seems useful to point out the gap between the current (experimental?) provisions and the idealized end-state.
-- Orcmid 17:19, 27 April 2006 (MDT)