IIW - User contributions [en]

IDCollab Proposed Topics

2010-12-30T03:03:00Z

IdentityWoman:

'''What topics are you planning to present about or lead a discussion about?'''
* NSTIC
* Personal Identity Verification Interoperability (PIV-I)
* Identity Assurance, Trust Frameworks
* Higher LOA certificationTrust FrameworksClient agents

'''What are you hoping to hear and learn about and/or discuss?'''
* harmonization of user and enterprise issues
* Whatever other people think is important
* latest version of OpenID ABC

'''What are the critical questions about user-centric, enterprise, government and other forms of identity you hope to discuss with peers?'''
* Levels of Assurance and the trust models to support them

IDCollab Proposed Topics

2010-12-30T03:02:36Z

IdentityWoman: Created page with ''''What topics are you planning to present about or lead a discussion about?''' * NSTIC * Personal Identity Verification Interoperability (PIV-I) * Identity Assurance, Trust Fram...'

'''What topics are you planning to present about or lead a discussion about?'''
* NSTIC
* Personal Identity Verification Interoperability (PIV-I)
* Identity Assurance, Trust Frameworks
* Higher LOA certificationTrust FrameworksClient agents

'''What are you hoping to hear and learn about and/or discuss?'''
* harmonization of user and enterprise issues
* Whatever other people think is important
* latest version of OpenID ABC

''What are the critical questions about user-centric, enterprise, government and other forms of identity you hope to discuss with peers?'''
* Levels of Assurance and the trust models to support them

Main Page

2010-12-30T02:59:36Z

IdentityWoman: /* Next Internet Identity Workshops */

<Big> Welcome to the Internet Identity Workshop (IIW) Wiki </big>

[http://www.internetidentityworkshop.com WE HAVE A WEBSITE/BLOG TOO!]

* To get updates regarding IIW [http://lists.idcommons.net/lists/info/iiwinfo subscribe here].

[[Subject Specific Note Collections]]

=== Next Internet Identity Workshops ===

IIW #12 will be in May 3-5, 2011. Dates will be announced in December 2010.

We are working on collaborating the Kantara Initiative on a community unconference before RSA on February 14th.
It will be run like IIW with attendees creating the agenda live the day of the event.

[http://idcolab.eventbrite.com REGISTRATION IS OPEN NOW & MORE INFORMATION].

[[IDCollab Proposed Topics]]

We are considering hosting IIW Satellite events on the East Coast of the United States and in Europe in 2011. Feel free to contact us if you are interested in helping/participating. (iiwnotes@gmail.com)

We have an [http://lists.idcommons.net/lists/subscribe/iiwinfo announcement list] that you can subscribe to if you would like to get an e-mail when new IIW & IOS events are announced.

=== Previous Internet Identity Workshops ===

* #11 Fall 2010 [[iiw11]] Nov 2-4, Tuesday-Thursday at the Computer HIstory Museum in Mountain View California
** [[Notes IIW11]]
** [http://www.internetidentityworkshop.com/what-is-iiw/ Responses to IIW is...] [http://www.internetidentityworkshop.com/iiw-values/ Values of IIW]

* [[iiw-europe-1|IIW Europe]] in London Monday October 11 (before RSA Europe) at the University of London
** [[iiw-europe-1-Notes]]
** [[iiw-europe-1-Reflection]] As a Result of Today....

* [[iiw-east-1|IIW East Coast]] in DC September 9-10 Thursday, Friday at the Josephine Butler Parks Center (following the Gov 2.0 Summit) the theme will be ''Open Identity for Open Government''
** [[Notes_IIW-East]]
** [[As a result of day 1 at IIW-East]]

* #10: Spring 2010 [[iiw10]] May 17-19 at the Computer History Museum.
** [[Notes IIW10]]

* #9: Fall 2009 [[iiw9]] TUESDAY November 3 to THURSDAY November 5.
** [[Notes_iiw9]]

* #8: Spring 2009 [[iiw8]] - '''May 18-20, 2009'''
** [[Notes_iiw9]]

* #7: Fall [[iiw2008b]] (2008B)- '''Nov 10-12''' - Computer History Museum, Mountain View, CA
** [[Notes_08b]]

* 6: Spring [[iiw2008a]] (2008A)- '''May 12-14, 2008''' - Computer History Museum, Mountain View, CA
** [[Notes_2008a]]

* [http://iiw.idcommons.net/index.php/Iiw2007b 5: December 3-5, 2007 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop_2007 4: May 2007 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop2006b 3: December 2006 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop2006 2: May 2006 - - Computer History Museum, Mountain View, CA]

* [http://www.socialtext.net/iiw2005/index.cgi?internet_identity_workshop_2005 1: October 2005 - Berkeley, CA]

=== Previous Identity Open Spaces ===

Identity Open Space events are co-produced by the IIW team (Phil, Kaliya, Doc) in collaboration with other organizations and events. To date we have worked with Digital Identity World and the Liberty Alliance. We are open to working with a variety organizations - if you are interested please don't hesitate to contact us.

[http://ios.windley.com/wiki/IOSSF September 2007 at Digital Identity World]

[http://ios.windley.com/wiki/IOSBrussels May 2007 following a Liberty Alliance Meeting in Brussels, Belgium]

[http://ios.windley.com/wiki/IOSSantaClara September 2006 at Digital Identity World]

[http://ios.windley.com/wiki/IOSVan July 2006 following a Liberty Alliance Meeting in Vancouver, Canada]

=== Previous Identity Birds of a Feather Meetings ===

June 2006 [http://www.identitygang.org/ Identity Gang Birds of a Feather Session] at Burton Group Conference, San Francisco

January 2006 [http://www.socialtext.net/iiw2005/index.cgi?identity_speed_geeking_o_reilly_emerging_telephony_conference Identity Speed Geeking Session] at O'Reilly's Emerging Telephony Conference

December 2005 [http://www.socialtext.net/iiw2005/index.cgi?informational_morning_for_developers Pre-Syndicate Informational Morning for Developers]

Main Page

2010-12-30T02:59:17Z

IdentityWoman: /* Next Internet Identity Workshops */

<Big> Welcome to the Internet Identity Workshop (IIW) Wiki </big>

[http://www.internetidentityworkshop.com WE HAVE A WEBSITE/BLOG TOO!]

* To get updates regarding IIW [http://lists.idcommons.net/lists/info/iiwinfo subscribe here].

[[Subject Specific Note Collections]]

=== Next Internet Identity Workshops ===

IIW #12 will be in May 3-5, 2011. Dates will be announced in December 2010.

We are working on collaborating the Kantara Initiative on a community unconference before RSA on February 14th.
It will be run like IIW with attendees creating the agenda live the day of the event.

[http://idcolab.eventbrite.com REGISTRATION IS OPEN NOW & MORE INFORMATION].

[IDCollab Proposed Topics]

We are considering hosting IIW Satellite events on the East Coast of the United States and in Europe in 2011. Feel free to contact us if you are interested in helping/participating. (iiwnotes@gmail.com)

We have an [http://lists.idcommons.net/lists/subscribe/iiwinfo announcement list] that you can subscribe to if you would like to get an e-mail when new IIW & IOS events are announced.

=== Previous Internet Identity Workshops ===

* #11 Fall 2010 [[iiw11]] Nov 2-4, Tuesday-Thursday at the Computer HIstory Museum in Mountain View California
** [[Notes IIW11]]
** [http://www.internetidentityworkshop.com/what-is-iiw/ Responses to IIW is...] [http://www.internetidentityworkshop.com/iiw-values/ Values of IIW]

* [[iiw-europe-1|IIW Europe]] in London Monday October 11 (before RSA Europe) at the University of London
** [[iiw-europe-1-Notes]]
** [[iiw-europe-1-Reflection]] As a Result of Today....

* [[iiw-east-1|IIW East Coast]] in DC September 9-10 Thursday, Friday at the Josephine Butler Parks Center (following the Gov 2.0 Summit) the theme will be ''Open Identity for Open Government''
** [[Notes_IIW-East]]
** [[As a result of day 1 at IIW-East]]

* #10: Spring 2010 [[iiw10]] May 17-19 at the Computer History Museum.
** [[Notes IIW10]]

* #9: Fall 2009 [[iiw9]] TUESDAY November 3 to THURSDAY November 5.
** [[Notes_iiw9]]

* #8: Spring 2009 [[iiw8]] - '''May 18-20, 2009'''
** [[Notes_iiw9]]

* #7: Fall [[iiw2008b]] (2008B)- '''Nov 10-12''' - Computer History Museum, Mountain View, CA
** [[Notes_08b]]

* 6: Spring [[iiw2008a]] (2008A)- '''May 12-14, 2008''' - Computer History Museum, Mountain View, CA
** [[Notes_2008a]]

* [http://iiw.idcommons.net/index.php/Iiw2007b 5: December 3-5, 2007 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop_2007 4: May 2007 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop2006b 3: December 2006 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop2006 2: May 2006 - - Computer History Museum, Mountain View, CA]

* [http://www.socialtext.net/iiw2005/index.cgi?internet_identity_workshop_2005 1: October 2005 - Berkeley, CA]

=== Previous Identity Open Spaces ===

Identity Open Space events are co-produced by the IIW team (Phil, Kaliya, Doc) in collaboration with other organizations and events. To date we have worked with Digital Identity World and the Liberty Alliance. We are open to working with a variety organizations - if you are interested please don't hesitate to contact us.

[http://ios.windley.com/wiki/IOSSF September 2007 at Digital Identity World]

[http://ios.windley.com/wiki/IOSBrussels May 2007 following a Liberty Alliance Meeting in Brussels, Belgium]

[http://ios.windley.com/wiki/IOSSantaClara September 2006 at Digital Identity World]

[http://ios.windley.com/wiki/IOSVan July 2006 following a Liberty Alliance Meeting in Vancouver, Canada]

=== Previous Identity Birds of a Feather Meetings ===

June 2006 [http://www.identitygang.org/ Identity Gang Birds of a Feather Session] at Burton Group Conference, San Francisco

January 2006 [http://www.socialtext.net/iiw2005/index.cgi?identity_speed_geeking_o_reilly_emerging_telephony_conference Identity Speed Geeking Session] at O'Reilly's Emerging Telephony Conference

December 2005 [http://www.socialtext.net/iiw2005/index.cgi?informational_morning_for_developers Pre-Syndicate Informational Morning for Developers]

Main Page

2010-12-30T02:55:30Z

IdentityWoman: /* Next Internet Identity Workshops */

<Big> Welcome to the Internet Identity Workshop (IIW) Wiki </big>

[http://www.internetidentityworkshop.com WE HAVE A WEBSITE/BLOG TOO!]

* To get updates regarding IIW [http://lists.idcommons.net/lists/info/iiwinfo subscribe here].

[[Subject Specific Note Collections]]

=== Next Internet Identity Workshops ===

IIW #12 will be in May 3-5, 2011. Dates will be announced in December 2010.

We are working on collaborating the Kantara Initiative on a community unconference before RSA on February 14th.
It will be run like IIW with attendees creating the agenda live the day of the event.

[http://idcolab.eventbrite.com REGISTRATION IS OPEN NOW & MORE INFORMATION].

We are considering hosting IIW Satellite events on the East Coast of the United States and in Europe in 2011. Feel free to contact us if you are interested in helping/participating. (iiwnotes@gmail.com)

We have an [http://lists.idcommons.net/lists/subscribe/iiwinfo announcement list] that you can subscribe to if you would like to get an e-mail when new IIW & IOS events are announced.

=== Previous Internet Identity Workshops ===

* #11 Fall 2010 [[iiw11]] Nov 2-4, Tuesday-Thursday at the Computer HIstory Museum in Mountain View California
** [[Notes IIW11]]
** [http://www.internetidentityworkshop.com/what-is-iiw/ Responses to IIW is...] [http://www.internetidentityworkshop.com/iiw-values/ Values of IIW]

* [[iiw-europe-1|IIW Europe]] in London Monday October 11 (before RSA Europe) at the University of London
** [[iiw-europe-1-Notes]]
** [[iiw-europe-1-Reflection]] As a Result of Today....

* [[iiw-east-1|IIW East Coast]] in DC September 9-10 Thursday, Friday at the Josephine Butler Parks Center (following the Gov 2.0 Summit) the theme will be ''Open Identity for Open Government''
** [[Notes_IIW-East]]
** [[As a result of day 1 at IIW-East]]

* #10: Spring 2010 [[iiw10]] May 17-19 at the Computer History Museum.
** [[Notes IIW10]]

* #9: Fall 2009 [[iiw9]] TUESDAY November 3 to THURSDAY November 5.
** [[Notes_iiw9]]

* #8: Spring 2009 [[iiw8]] - '''May 18-20, 2009'''
** [[Notes_iiw9]]

* #7: Fall [[iiw2008b]] (2008B)- '''Nov 10-12''' - Computer History Museum, Mountain View, CA
** [[Notes_08b]]

* 6: Spring [[iiw2008a]] (2008A)- '''May 12-14, 2008''' - Computer History Museum, Mountain View, CA
** [[Notes_2008a]]

* [http://iiw.idcommons.net/index.php/Iiw2007b 5: December 3-5, 2007 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop_2007 4: May 2007 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop2006b 3: December 2006 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop2006 2: May 2006 - - Computer History Museum, Mountain View, CA]

* [http://www.socialtext.net/iiw2005/index.cgi?internet_identity_workshop_2005 1: October 2005 - Berkeley, CA]

=== Previous Identity Open Spaces ===

Identity Open Space events are co-produced by the IIW team (Phil, Kaliya, Doc) in collaboration with other organizations and events. To date we have worked with Digital Identity World and the Liberty Alliance. We are open to working with a variety organizations - if you are interested please don't hesitate to contact us.

[http://ios.windley.com/wiki/IOSSF September 2007 at Digital Identity World]

[http://ios.windley.com/wiki/IOSBrussels May 2007 following a Liberty Alliance Meeting in Brussels, Belgium]

[http://ios.windley.com/wiki/IOSSantaClara September 2006 at Digital Identity World]

[http://ios.windley.com/wiki/IOSVan July 2006 following a Liberty Alliance Meeting in Vancouver, Canada]

=== Previous Identity Birds of a Feather Meetings ===

June 2006 [http://www.identitygang.org/ Identity Gang Birds of a Feather Session] at Burton Group Conference, San Francisco

January 2006 [http://www.socialtext.net/iiw2005/index.cgi?identity_speed_geeking_o_reilly_emerging_telephony_conference Identity Speed Geeking Session] at O'Reilly's Emerging Telephony Conference

December 2005 [http://www.socialtext.net/iiw2005/index.cgi?informational_morning_for_developers Pre-Syndicate Informational Morning for Developers]

Main Page

2010-12-30T02:53:34Z

IdentityWoman: /* Next Internet Identity Workshops */

<Big> Welcome to the Internet Identity Workshop (IIW) Wiki </big>

[http://www.internetidentityworkshop.com WE HAVE A WEBSITE/BLOG TOO!]

* To get updates regarding IIW [http://lists.idcommons.net/lists/info/iiwinfo subscribe here].

[[Subject Specific Note Collections]]

=== Next Internet Identity Workshops ===

IIW #12 will be in May 3-5, 2011. Dates will be announced in December 2010.

We are working on collaborating the Kantara Initiative on a community unconference before RSA on February 14th.
It will be run like IIW with attendees creating the agenda live the day of the event.

[http://idcolab.eventbrite.com REGISTRATION IS OPEN NOW & MORE INFORMATION].

We are considering hosting "Identity Open Space" events on the East Coast of the United States and in Europe in 2011. Feel free to contact us if you are interested in helping/participating. (kaliya (at) Mac.com)

We have an [http://lists.idcommons.net/lists/subscribe/iiwinfo announcement list] that you can subscribe to if you would like to get an e-mail when new IIW & IOS events are announced.

=== Previous Internet Identity Workshops ===

* #11 Fall 2010 [[iiw11]] Nov 2-4, Tuesday-Thursday at the Computer HIstory Museum in Mountain View California
** [[Notes IIW11]]
** [http://www.internetidentityworkshop.com/what-is-iiw/ Responses to IIW is...] [http://www.internetidentityworkshop.com/iiw-values/ Values of IIW]

* [[iiw-europe-1|IIW Europe]] in London Monday October 11 (before RSA Europe) at the University of London
** [[iiw-europe-1-Notes]]
** [[iiw-europe-1-Reflection]] As a Result of Today....

* [[iiw-east-1|IIW East Coast]] in DC September 9-10 Thursday, Friday at the Josephine Butler Parks Center (following the Gov 2.0 Summit) the theme will be ''Open Identity for Open Government''
** [[Notes_IIW-East]]
** [[As a result of day 1 at IIW-East]]

* #10: Spring 2010 [[iiw10]] May 17-19 at the Computer History Museum.
** [[Notes IIW10]]

* #9: Fall 2009 [[iiw9]] TUESDAY November 3 to THURSDAY November 5.
** [[Notes_iiw9]]

* #8: Spring 2009 [[iiw8]] - '''May 18-20, 2009'''
** [[Notes_iiw9]]

* #7: Fall [[iiw2008b]] (2008B)- '''Nov 10-12''' - Computer History Museum, Mountain View, CA
** [[Notes_08b]]

* 6: Spring [[iiw2008a]] (2008A)- '''May 12-14, 2008''' - Computer History Museum, Mountain View, CA
** [[Notes_2008a]]

* [http://iiw.idcommons.net/index.php/Iiw2007b 5: December 3-5, 2007 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop_2007 4: May 2007 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop2006b 3: December 2006 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop2006 2: May 2006 - - Computer History Museum, Mountain View, CA]

* [http://www.socialtext.net/iiw2005/index.cgi?internet_identity_workshop_2005 1: October 2005 - Berkeley, CA]

=== Previous Identity Open Spaces ===

Identity Open Space events are co-produced by the IIW team (Phil, Kaliya, Doc) in collaboration with other organizations and events. To date we have worked with Digital Identity World and the Liberty Alliance. We are open to working with a variety organizations - if you are interested please don't hesitate to contact us.

[http://ios.windley.com/wiki/IOSSF September 2007 at Digital Identity World]

[http://ios.windley.com/wiki/IOSBrussels May 2007 following a Liberty Alliance Meeting in Brussels, Belgium]

[http://ios.windley.com/wiki/IOSSantaClara September 2006 at Digital Identity World]

[http://ios.windley.com/wiki/IOSVan July 2006 following a Liberty Alliance Meeting in Vancouver, Canada]

=== Previous Identity Birds of a Feather Meetings ===

June 2006 [http://www.identitygang.org/ Identity Gang Birds of a Feather Session] at Burton Group Conference, San Francisco

January 2006 [http://www.socialtext.net/iiw2005/index.cgi?identity_speed_geeking_o_reilly_emerging_telephony_conference Identity Speed Geeking Session] at O'Reilly's Emerging Telephony Conference

December 2005 [http://www.socialtext.net/iiw2005/index.cgi?informational_morning_for_developers Pre-Syndicate Informational Morning for Developers]

ID Commons -IIW Intro

2010-12-06T23:11:03Z

IdentityWoman:

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

Convener: Kaliya Hamlin

See Slides on SlideShare:http://www.slideshare.net/Kaliya/iiw11introtalk

Notes IIW11

2010-12-06T23:06:14Z

IdentityWoman:

[http://iiw.idcommons.net/File:IIW-11-BOP.pdf Here is the complete Book of Proceedings in PDF Form]

= Tuesday =

== Session 1 ==

A: [[Intro to PDS]] (Personal Data Store)

B: [[Trust Frameworks Analogue to Digital Converters]]

D: [[Decline of User-Centric Identity]] an analysis

E: [[OAuth Listening Tour]]

F: [[Activity Streams 101]]

G: [[Verified Identity Claims 1]]

I: [[UMA 101]] User Managed Access

== Session 2 ==

A: OpenID OAuth - [[Social Networking for online retailers]]

B: [[ID Commons -IIW Intro]]

C: [[Open-Federated Social Networking]]

E: [[Deep Dive OpenID - AB]]

F: [[VRM Development]]

I: [[No Base String]]

== Session 3 ==

A: [[Attenuated Redelegation]]

B: [[Web inSecurity]]

C: [[Verified Identity Claims]] "U Prove Intro"

D: [[Facebook as a Personal Data Store]]

E: [[JSON Tokens]]

F: [[Mobile Social Networking]]

I: [[OpenID Connect Discovery]]

== Session 4 ==

C: [[Pseudonyms for Privacy]]

F: [[Rap Leaf]] Is it a joke?

G: [[Verified Identity Claims 3]]

I: [[Handling Unregistered Clients]] in OAuth and OpenID connect

== Session 5 ==

A: [[Change Notify Proposal]]

B: [[OAuth Multiple Token]]

C: [[NSTIC]]

E: [[OpenID Connect]]

F: [[Personal Data Ecosystem]]

G: [[Health and VRM]]

I: [[Making Security Decisions Disappear]]

= Wednesday =

== Session 1 ==

A: [[Value Network Mapping]] Analysis for personal data ecosystem

D: [[Future Phone Device Authorization]]

E: [[Enterprise OAuth BOF Level Set]]

I: [[OpenID Connect Sessn Mgmt]]

== Session 2 ==
A: [[PDE- Why would anyone adopt?]]

B: [[Fix Session Mgmt Jacking]]

D: [[UMA 201 Q and A]]

E: [[Enterprise OAuth BOF]]

F: [[OAuth2 Exts.]]

G: [[Poor Man Verified ID]]

H: [[Int'l Presence of OpenID]]

I: [[OAuth for Installed Apps]]

== Session 3 ==

A: [[VERIFIED IDENTITY CLAIMS – Selectors (W3A)]]

E: [[OAuth2 for Devices]]

G: [[Building a CAKE Detector]]

H: [[Shifting Global Economy w-Identity]]

I: [[OpenID ABC Artifact Binding]]

== Session 4 ==

A: [[Personal Data Ecosystem Biz Models]]

C: [[Using a Personal Data Store]]

E: [[JSON Token Spec - Encryption]]

H: [[Verified Identity Claims - UX]]

== Session 5 ==

A: [[Deadly Sins Distributed Authentication]]

B: [[Personal Data Ecosystem Model 2]]

C: [[Cloud Directory Standards]]

D: [[Infrastructure Focus - Relationships Among Things]]

E: [[JSON Token Spec - Claim Names]]

F: [[OAuth LEELOO]]

G: [[What do USERS want?]]

I: [[OpenID Attrib - Beyond AX-SREG]]

= Thursday =

== Session 1 ==

A: [[Go To Market - PDE]] Adoption drives for Personal Data Ecosystem

C: [[Google Sample OpenID]] RD and RP Best Practices

E: [[JSON Spec Work continued]]

F: [[User Managed Permission Interface]]

== Session 2 ==

E: [[Terms of Use Privacy Policy]]

G: [[Look Up by Phone Number]]

I: [[Kitties are Fluffy]]

M: [[Go To Market PDE 2]]

== Session 3 ==

A: [[PDE - Go to Market and Community Strategy]]

E: [[R Button Affordamies]]

F: [[Adopting OAuth 2 OpenID Connect]]

G: [[Email is not Dead Yet]]

L: [[Policy Framework]]

== Session 4 ==

E: [[Best Ways to Connect People to Content]]

F: [[Personal Data Ecosystem Org Role]]

G: [[The Transactional Graph]]

== Session 5 ==

C: [[Google Usability]]

F: [[Personal Data Ecosystem Org Role]]

File:IIW-11-BOP.pdf

2010-12-06T23:05:54Z

IdentityWoman:

Trust Frameworks Analogue to Digital Converters

2010-12-06T17:08:54Z

IdentityWoman:

=[http://ezemitekywe.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=
'''Issue/Topic:''' Trust Frameworks as Analog o Digital Converters

'''Session:''' Tuesday 1B

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Scott David

'''Notes-taker(s):''' Jamie Clark

'''Tags:'''

trust_framework, taxonomy, contracts, risk_allocation, UI

'''Discussion notes:'''

[[File:Nov_2_Rethinking_Personal_Data_Workshop.pdf ]]

Facilitating Personal Data Transactions in a Secured Manner on a
Global Scale": part of presentation for WEF (Davos) prep session on
"Rethinking Personal data" workshop, New York, September 2010; should
be posted shortly to OIX website

What's the international law of identity?

There isn't any.

Can we do things with law and/or rules and/or tech to weave together the
disparate systems that interact?

What should identity systems do? Meet "system participant" (user) needs. Such
as:
* data subjects need identity integrity
* replying parties need assurance
* identity providers need risk reduction
These high-level 'needs' share some basic lower-level functional requirements
like, security, reliability, UI, etc.

What can tech and law do about this?
* technology tools guide data movement & protect data at rest
* legal rules create duties to incent behavior

-- By far most of the data breaches I've seen (S. David) were human error, not
tech failure. So the human rules and incentives matter.

A "Trust Framework" is a possible documentation style ("term sheet"?) for the
agreed risk and reliance arrangements between system participants.

There is some "low hanging fruit" of law and practice guiding these duties:
* In the US: NSTIC, Levels of Assurance. In some states, data breach laws.
* Privacy laws like HIPAA, Gramm-Leach, FICA, etc.
* Fair Info Practice Principles (originally US DHEW 1973) - levels of
control

ABA drafting a report on Federated Identity which addresses a taxonomy of
issues and actors; OIX doing a "risks wiki"; some out for public review now;
posted work product expected early 2011(?)

One difficulty is operationalizing assurance which is mostly processed by
end-users as emotional states like "trust", "reliability." Quantification
needed, to clear the semantic fog here.

The idea here is to address some recurring liability issues, but not all.
80/20 approach, not boiling the ocean. May be industry groups and self-
regulatory efforts that give rise to the best evolving solutions.

First step is a candidate common analytical framework, to get to "apples-to-
apples" on some of the risks, practices and concepts

Inspirational vision: UI simplification - risks and control issues displayed
simply like red-light-yellow-light-green-light displays.

Audience: Frameworks generally get developed in a context of siloes -
non-interoperable specialized cases. Is there a "metalanguage" for crosswalks
among the privacy practices of those siloed players? Or 15% of them, anyway,
for scalability's sake.

''there is a PPT deck associated with this session: "nov 2 Rethinking Personal Data Workshop.ppt"''

Social Networking for online retailers

2010-12-06T17:08:15Z

IdentityWoman:

'''Session:''' Tuesday 2A

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Brian Kissel

[[File:OpenID_Foundation_Retail_Advisory_Committee_Overview.pdf]]

OpenID Foundation: Retail Advisory Committee

'''Thoughts to Consider…'''
* Increasingly, consumers want to research and execute purchases on the web, and the trend is accelerating with younger generations
** In order to gain mindshare and market share, you need to know more about customers
** With more consumers and retailers interacting via the web, “identity fatigue” is becoming an issue: “if its too much effort I’ll just buy it from Amazon”
** How do you get more visitors to register on your website, remain engaged, and login early during each return visit? How do you ensure that user profile data is complete and up-to-date?
* Social Commerce is a reality. What friends recommend is becoming more important than banner ads, search results, or even customer ratings and independent reviews (c|net, Consumer Reports)

'''Social Marketing'''
* The trust factor of friends’ suggestions can make a big difference. Loopt’s users are 20X more likely to click on a place their friends had liked or visited than a place that simply ranked higher in search results.
* “Improving search has always been about improving relevance,” Augie Ray of Forrester said. “But the thinking now is that getting information from your immediate social network is what will really make results more relevant.”
* “People are likely to find what your friends are saying about the iPhone 4 or a Chinese restaurant more helpful in a Web search,” said Matt Cutts, a software engineer who oversees search quality at Google.
* http://www.nytimes.com/2010/09/13/technology/13search.html

'''Benefits of 3rd Party ID and Social Networks for Retailers'''
* '''Higher Registrations:''' Increase conversion of visitor to registered user by 25% to 50%*
* '''Better Login:''' Reduce forgotten password costs and frustration by up to 50%*
* '''Increased Referral Traffic, SEO, and Brand Projection:'''
** Allow users to share activities (purchases, product reviews, blogs, surveys, video views) with friends on social networks (Facebook, Twitter, Yahoo, Google, MySpace, LinkedIn, Microsoft, etc.) with links back to your websites
** Customers as advocates, project your brand beyond your website, links back improve SEO
** Websites seeing anywhere from 5 to 25* referral visits for each social publishing link
** Referral visitors are highly qualified and come with active identity accounts for easy registration & login
* '''Collecting Rich Customer Data:''' Build richer customer profiles by using customers’ existing online accounts - name, verified email address, shipping address**, phone**, payment info**, nickname, language, zip code, age, friends lists, address books, personal interests & hobbies, photos, etc.
* '''Improved Mobile Experience:''' Provide a much quicker and simpler user experience via mobile applications
* '''Website Federation:''' Single sign-on (SSO) for your customers across multiple web properties and component solutions (commenting, rating and reviews, customer feedback, community, etc.).

''' OpenID Foundation'''
* Founded in 2007
* Non-profit, open-standard technology organization like Linux Foundation
* Promoting open standards for user-managed identity
* Board members include folks from Google, Yahoo, Facebook, PayPal, Microsoft, IBM, Sears, NY Times, and NPR
* OpenID Foundation members include: Google, PayPal, Facebook, Yahoo!, CA, Microsoft, IBM, LexisNexis, VeriSign, BBC, Booz | Allen | Hamilton, GameShop, PingIdentity, JanRain

'''Identity Providers and Technologies'''
[picture]

'''Integrated into Leading Technology Platforms You may already be using one of these on your websites…'''
''Social Network & Community Platforms''
KickApps, Viewpoints, Talki, Wetpaint

''Customer Feedback Tools''
Get Satisfaction, IdealScale, Uservoice

''CMS Turnkey Plug-ins''
WordPress, Drupal

''Content Communication Platforms''
Disqus, Echo, Pluck

'''Sears Sign-in and Social Publishing Demo Visitor arrives at Sears website and clicks sign in…'''

'''Offered choice of 3rd party ID providers…'''

'''Customer selects Google and grants permission…'''

'''Logged in, personalized experience…'''

'''Offered opportunity to write a product review…'''

'''Customer writes personal product review…'''

'''Review received by Sears, offered chance to share… Can be configured for multiple social networks…'''

'''Customizable Sign-in Interfaces: HP Favicons for initial engagement, contextual messages for each ID provider'''

Trust Frameworks Analogue to Digital Converters

2010-12-06T17:06:29Z

IdentityWoman:

=[http://ezemitekywe.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=
'''Issue/Topic:''' Trust Frameworks as Analog o Digital Converters

'''Session:''' Tuesday 1B

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Scott David

'''Notes-taker(s):''' Jamie Clark

'''Tags:'''

trust_framework, taxonomy, contracts, risk_allocation, UI

'''Discussion notes:'''

[[File:OpenID_Foundation_Retail_Advisory_Committee_Overview.pdf]]

Facilitating Personal Data Transactions in a Secured Manner on a
Global Scale": part of presentation for WEF (Davos) prep session on
"Rethinking Personal data" workshop, New York, September 2010; should
be posted shortly to OIX website

What's the international law of identity?

There isn't any.

Can we do things with law and/or rules and/or tech to weave together the
disparate systems that interact?

What should identity systems do? Meet "system participant" (user) needs. Such
as:
* data subjects need identity integrity
* replying parties need assurance
* identity providers need risk reduction
These high-level 'needs' share some basic lower-level functional requirements
like, security, reliability, UI, etc.

What can tech and law do about this?
* technology tools guide data movement & protect data at rest
* legal rules create duties to incent behavior

-- By far most of the data breaches I've seen (S. David) were human error, not
tech failure. So the human rules and incentives matter.

A "Trust Framework" is a possible documentation style ("term sheet"?) for the
agreed risk and reliance arrangements between system participants.

There is some "low hanging fruit" of law and practice guiding these duties:
* In the US: NSTIC, Levels of Assurance. In some states, data breach laws.
* Privacy laws like HIPAA, Gramm-Leach, FICA, etc.
* Fair Info Practice Principles (originally US DHEW 1973) - levels of
control

ABA drafting a report on Federated Identity which addresses a taxonomy of
issues and actors; OIX doing a "risks wiki"; some out for public review now;
posted work product expected early 2011(?)

One difficulty is operationalizing assurance which is mostly processed by
end-users as emotional states like "trust", "reliability." Quantification
needed, to clear the semantic fog here.

The idea here is to address some recurring liability issues, but not all.
80/20 approach, not boiling the ocean. May be industry groups and self-
regulatory efforts that give rise to the best evolving solutions.

First step is a candidate common analytical framework, to get to "apples-to-
apples" on some of the risks, practices and concepts

Inspirational vision: UI simplification - risks and control issues displayed
simply like red-light-yellow-light-green-light displays.

Audience: Frameworks generally get developed in a context of siloes -
non-interoperable specialized cases. Is there a "metalanguage" for crosswalks
among the privacy practices of those siloed players? Or 15% of them, anyway,
for scalability's sake.

''there is a PPT deck associated with this session: "nov 2 Rethinking Personal Data Workshop.ppt"''

Trust Frameworks Analogue to Digital Converters

2010-12-06T17:06:02Z

IdentityWoman:

=[http://ezemitekywe.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=
'''Issue/Topic:''' Trust Frameworks as Analog o Digital Converters

'''Session:''' Tuesday 1B

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Scott David

'''Notes-taker(s):''' Jamie Clark

'''Tags:'''

trust_framework, taxonomy, contracts, risk_allocation, UI

'''Discussion notes:'''

[[File:OpenID_Foundation_Retail_Advisory_Committee_Overview.pdf]]

[slides]: "Facilitating Personal Data Transactions in a Secured Manner on a
Global Scale": part of presentation for WEF (Davos) prep session on
"Rethinking Personal data" workshop, New York, September 2010; should
be posted shortly to OIX website

What's the international law of identity?

There isn't any.

Can we do things with law and/or rules and/or tech to weave together the
disparate systems that interact?

What should identity systems do? Meet "system participant" (user) needs. Such
as:
* data subjects need identity integrity
* replying parties need assurance
* identity providers need risk reduction
These high-level 'needs' share some basic lower-level functional requirements
like, security, reliability, UI, etc.

What can tech and law do about this?
* technology tools guide data movement & protect data at rest
* legal rules create duties to incent behavior

-- By far most of the data breaches I've seen (S. David) were human error, not
tech failure. So the human rules and incentives matter.

A "Trust Framework" is a possible documentation style ("term sheet"?) for the
agreed risk and reliance arrangements between system participants.

There is some "low hanging fruit" of law and practice guiding these duties:
* In the US: NSTIC, Levels of Assurance. In some states, data breach laws.
* Privacy laws like HIPAA, Gramm-Leach, FICA, etc.
* Fair Info Practice Principles (originally US DHEW 1973) - levels of
control

ABA drafting a report on Federated Identity which addresses a taxonomy of
issues and actors; OIX doing a "risks wiki"; some out for public review now;
posted work product expected early 2011(?)

One difficulty is operationalizing assurance which is mostly processed by
end-users as emotional states like "trust", "reliability." Quantification
needed, to clear the semantic fog here.

The idea here is to address some recurring liability issues, but not all.
80/20 approach, not boiling the ocean. May be industry groups and self-
regulatory efforts that give rise to the best evolving solutions.

First step is a candidate common analytical framework, to get to "apples-to-
apples" on some of the risks, practices and concepts

Inspirational vision: UI simplification - risks and control issues displayed
simply like red-light-yellow-light-green-light displays.

Audience: Frameworks generally get developed in a context of siloes -
non-interoperable specialized cases. Is there a "metalanguage" for crosswalks
among the privacy practices of those siloed players? Or 15% of them, anyway,
for scalability's sake.

''there is a PPT deck associated with this session: "nov 2 Rethinking Personal Data Workshop.ppt"''

OAuth2 for Devices

2010-12-06T17:03:12Z

IdentityWoman:

'''Title:''' OAuth 2 for Devices

'''Session:''' Wednesday, Session 3, Space E

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Marius S.

'''Note Taker:'''Andrew Wansley

'''Discussion Notes:'''

[[File:Device.pdf]]

What is a device

A device as we're concerned with it here has a display and a limited or painful input. We're explicitly not talking about headless devices, devices with no display and or no input like a refrigerator. These devices as far as we know just run a webserver locally and do the webserver profile.

What's the flow

From the user's perspective, the device displays a URL and code. User goes to URL and enters the code. The device magically works.

From the device's perspective, the device presents AuthZ server with a clientID and gets back a URL a user code which it displays to the user and a device code used for polling. The device then starts polling the AuthZ server which tells it "not yet" for a while then eventually returns yes and a token or no.

AuthZ server has preregistered a device and replies to the device's requests as described above.

The session fixation attack

Trick the user into approving it from a link. Somewhat of a weakness but not a huge threat.

Other sorts of connections

I've already paired my Playstation with my Sony acct. It would be nice if when I add a netflix app it could just pair with Sony's frontend and then that connection could live across devices. In this case we could just do a webserver flow.

Another way to authorize devices is to do bluetooth sharing of credentials. Like I can authorize my photoframe by connecting my android.

[[File:Device.pdf‎]]

[[File:UnregisteredClientExtension.pdf]]

OAuth2 for Devices

2010-12-06T17:02:58Z

IdentityWoman:

'''Title:''' OAuth 2 for Devices

'''Session:''' Wednesday, Session 3, Space E

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Marius S.

'''Note Taker:'''Andrew Wansley

'''Discussion Notes:'''

[[File:File:Device.pdf]]

What is a device

A device as we're concerned with it here has a display and a limited or painful input. We're explicitly not talking about headless devices, devices with no display and or no input like a refrigerator. These devices as far as we know just run a webserver locally and do the webserver profile.

What's the flow

From the user's perspective, the device displays a URL and code. User goes to URL and enters the code. The device magically works.

From the device's perspective, the device presents AuthZ server with a clientID and gets back a URL a user code which it displays to the user and a device code used for polling. The device then starts polling the AuthZ server which tells it "not yet" for a while then eventually returns yes and a token or no.

AuthZ server has preregistered a device and replies to the device's requests as described above.

The session fixation attack

Trick the user into approving it from a link. Somewhat of a weakness but not a huge threat.

Other sorts of connections

I've already paired my Playstation with my Sony acct. It would be nice if when I add a netflix app it could just pair with Sony's frontend and then that connection could live across devices. In this case we could just do a webserver flow.

Another way to authorize devices is to do bluetooth sharing of credentials. Like I can authorize my photoframe by connecting my android.

[[File:Device.pdf‎]]

[[File:UnregisteredClientExtension.pdf]]

OAuth2 Exts.

2010-12-06T16:57:19Z

IdentityWoman:

'''Title:''' OAUTH 2 Extensions

'''Session:''' (W2F)

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Justin Richer & Marius Scurtescu

'''Notes-taker(s):''' Marius

'''Discussion:'''

[[File:NativeClientExtension.pdf]]

[[File:UnregisteredClientExtension.pdf]]

Hosts (and only participants): Justin Richer & Marius Scurtescu

We talked about several proposed OAuth 2 extensions that we worked on or we thought are important:
* Instance Information
* XML Encoding
* UX
* Unregistered Clients
* Native Clients
* Token Types

Instance Information and Unregistered Clients are somewhat related and we explored if they can be combined. In the end we decided that they are orthogonal and should stay as separate extensions.

For Unregistered Clients the proposal is to specify well known values to two existing parameters and add a required and two optional
parameters:
* client_id=anonymous
* client_secret=anonymous
* client_name - required
* client_description - optional
* client_icon - optional

We explored alternate ways to signal an unregistered client, specifically to omit the client_id and client_secret parameters from the request. The problem with this approach is that these two parameters are required by the core spec so generic libraries that are not aware of this extensions will have problems handling messages like these. Also, a potential benefit in providing these parameters with special values is that some code paths in the authz server implementation can stay agnostic to the client type (by hard coding a fake registration for anonymous/anonymous for example).

The only issue with special values is that a client id of "anonymous"
my collide with a legitimate registered client.
For Instance Information the two proposed new parameters looks fine:
* instance_name
* instance_description

For symmetry we should consider adding a instance_icon, maybe.

For Native Clients we discussed an extension that allows the client to specify that it does not have a redirect URI, and that the authz server should provide a default one in this case. The extension also specifies the that default page should add the response to the <title> tag in a specific way so it shows up in the window title. This allows clients to implement OS specific window title scraping.
* redirect_uri=oob
* <title>Success code=123&state=abc</title>

We also considered adding an optional parameter called "instructions"
through which the client can provide additional instructions to the end user.

The Token Types extension introduces three new optional request parameters, all are hints from the client for the authz server. These allow the server to issue only the tokens that the client really
needs:
- tokens=[access|refresh]
- expires_in - optional
- token_usage=single

tokens tells the authz server what tokens it needs. A web based client may not need a refresh token, during refresh a client may want a new refresh token, when swapping an authorization code a client may need only a refresh token.

expires_in allows the authz server to issue access tokens that expire sooner than the default, this allows lowering the load on the server if some clients are asking for a large number of tokens in short periods of time.

token_usage allows clients to ask for access tokens that are single use. This allows reducing load, as before, or reduce the risk if tokens are sent over insecure channels (think One Time Password). We also considered this parameter to take a number as value, instead of "single", and this number to represent the number of uses allowed for the access token, in this case 1 == single.

We noted that expires_in and token_usage can be approximated by using token revocation endpoint.

XML Encoding should rely on an automatic mapping between the JSON format and the XML format. We considered generalizing this extension and also allow for form encoded responses. One possible issue with form encoded is that it allows only name/value pairs, whereas JSON and XML allow for tree structures. For now all responses are name/value pairs, and maybe it should stay like that, to be similar to requests and in browser responses.

[[File:Device.pdf‎]]

[[File:UnregisteredClientExtension.pdf]]

[[File:NativeClientExtension.pdf]]

Verified Identity Claims

2010-12-06T16:52:26Z

IdentityWoman:

=[http://ojiqovam.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=
'''Issue/Topic:''' VERIFIED IDENTITY CLAIMS – An introduction to U-Prove privacy-enhancing technology

'''Session:''' Tuesday 3C

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Craig Wittenberg (Microsoft)

'''Notes-taker(s):''' Ariel Gordon (Microsoft)

'''Tags:'''
Verified Claims; Identity Attributes; Privacy; Privacy Enhancing Technology; Cryptography; user-centric technology: user control.

'''Participants:'''

*Craig Wittenberg Microsoft
*Ariel Gordon Microsoft
*Jan Unger
*Tim Cole KuppingerCole
*Bret Tobey Assa Abloy
*John Fontana Ping Identity
*Jon Webb Sony PlayStation network
*Nishant Kaushix Oracle
*Takeshi Kitagawa NTT Communications
*Mark Horstmeier Kynetx
*Matt Tebo Proviti
*Greg Turner Sierra Systems
*Mike Min Booz
*Guibin Kony Google
*Aravmdan Ranga PayPal
*Tom Leon AOL
*Jim Fenton Cisco
*Dale Olds Novell
*Ben Goodman Novell
*Fady Semaan AOL
*Henrik Biering Peer Craft
*Stuart Proffitt Novell
*Jeff Stollman Secure Identity
*Ambarsh Malpar CA
*Alex Ran Intuit
*Thomas Hardjono MIT Kerberos
*Peter Capek Self
*Lloyd Burch Novell
*Kimberly Little LexisNexis
*Frank Travestino eBay
*Heather Ford UC Berkeley

'''Discussion notes:'''

[[File:U-Prove_technology_overview-Nov2010.pdf]]

Verified Identity Claims -- Technical introduction
Craig Wittenberg presented the U-Prove technology
U-Prove well respected in academia. Originally created by Credentica; purchased by Microsoft two years ago; incubated as part of the Verified Claims Team .

Similar characteristics as X.509 certificate but with much better privacy characteristics.

Craig presented a few scenarios, starting with Alice purchasing wine online and proving that she's over 21 and that she's a resident of WA state. Other scenarios included leveraging a German eID to access citizen and private services.

Many clarification Q&A followed on the technology and its benefits, including:

Q: Why not do back-end attribute exchange? Why go through all this trouble for exchanging attributes?

A: There are scenarios with privacy requirements such as un-traceability. If you take the case where Governments issue identity claims, there are requirements for the government not to be able to trace where the user is using his proof of age (for example). Depending on the geography, the privacy requirements may come from the government itself or from Privacy Groups.

Q: If there is a Cloud Service that stores and releases information, does it effectively create a secondary IdP?

A: If there are no client side bits, there is effectively a “broker” in the cloud that manages the user’s private keys. Microsoft and its partners are investigating different ways to build the u-prove verified claims agent that mitigates those issues.

''there is a powerpoint deck associated with this session: U-Prove technology overview-Nov2010.pptx''

File:U-Prove technology overview-Nov2010.pdf

2010-12-06T16:41:29Z

IdentityWoman:

File:OpenID Foundation Retail Advisory Committee Overview.pdf

2010-12-06T16:39:54Z

IdentityWoman:

File:Nov 2 Rethinking Personal Data Workshop.pdf

2010-12-06T16:38:19Z

IdentityWoman:

File:NativeClientExtension.pdf

2010-12-06T16:27:20Z

IdentityWoman: uploaded a new version of "File:NativeClientExtension.pdf"

Notes IIW-East

2010-12-06T14:52:56Z

IdentityWoman:

[http://iiw.idcommons.net/File:IIW-East-BOP.pdf Complete Book of Proceedings for IIW-East in PDF form]

== THURSDAY ==

=== Session 1 ===

T1A: [[Role of Government as Identity Oracle (Attribute Provider)]]

T1B: [[B2B and B2C: How to Balance the Difference and Challenges of Each Environment]]

T1C: [[Proofing the Masses]]

F1D: [[NSTIC 101 (wtf?)]]

T1E: [[More Government Employees at IIW Next Time]]

T1F: [[PDX Ecosystem]]

T1G: [[High Assurance Consumer Identity]]

=== Session 2 ===

T2A: [[Certifying Use Location for Politics Governance]]

T2B: [[Useability: Addressing the click - click - click problem]]

T2D: [[Leveraging Identity to Enable and Foster Scientific Collaboration]]

T2C: [[Identity and Cross Domain Systems (multilayer security)]]

T2E: [[Should We Create "Ownership Rights" in Law for Personal Data?]]

T2F: [[Personal Data Vision of Future: Video]]

T2G: [[Attributes Claims - Identify Attributes LOA]]

=== Session 3 ===

T3A: [[Are Mediation Tools Useful in Authentication?]]

T3B: [[Open Identity for Closed Government: NSTIC the Cybersecurity Answer?]]

T3C: [[Wholesale Privacy]]

T3D: [[Building Standards for "Trustable" ID Providers]]

T3E: [[Liability and Financial models for Identity Providers, Attribute Providers and Identity Proofers]]

T3F: [[Personal Data Stores and Context Automation]]

T3D: [[Patient Centric Medical Record Federation - Securing HData]]

T3H: [[How to Make HTTP Authentication Useful Again?]]

=== Session 4 ===

T4A: [[PRIVACY - Did We Solve Privacy for Web Identity Systems (technically already?)]]

T4C: [[Personal Data Store/Archive]]

T4D: [[Service Chaining and Trust]]

T4E: [[Extending OpenID Assertions with SAML+]]

T4F: [[NSTIC - "Identity Ecosystem"]]

T4G: [[Cross Federation Trust w/Meta Data]]

== FRIDAY ==

=== Session 1 ===

F1A: [[OAUTH - What Topics Should We Focus On Next?]]

F1D: [[Liability for ldps, APs, RPs... Continued]]

F1E: [[Getting More .gov @IIW]]

F1F: [[Identity Commons "3.0" Big Tent Creation]]

=== Session 2 ===

F2A: [[Government Relationship Management]]

F2E: [[Enterprise Open ID]]

F2C: [[Identity in the Browser (F2C)]]

=== Session 3 ===

F3B: [["Today Geekdom, Tomorrow the World"]]

F3D: [[Personal Data Locker? What is it and Why?]]

F3E: [[Ownership Rights in Data Pt2]]

F3F: [[Information Security Standards and "Levels of Protection"]]

F3G: [[Certification Coordination - OIX, Kantara, ID Commons]]

=== Session 4 ===

[[OAUTH Signing #2]]

F4D: [[Making NST IC Open/Making NST IC Happen]]

F4E: [[Hybrid Online/Offline Debate BYO Issue]]

F4F: [[Roadmap for Personal Data Store Ecology: Let's Make One]]

F4G: [[Demo]]

File:IIW-East-BOP.pdf

2010-12-06T14:52:10Z

IdentityWoman:

Iiw-europe-1-Notes

2010-12-06T14:45:27Z

IdentityWoman:

[http://iiw.idcommons.net/File:IIW-Europe-BOP.pdf Complete Book of Proceedings from IIW-Europe in PDF]

=== Session 1 ===

1A: [[What is the MYDEX Prototype?]]

1B: [[Federated Network Access]]

1C: [[Partial Identities Privacy and Credentials]]

1D: [[Privacy and Federated Social Networking w/o Correlation]]

1E: [[OpenID Tiered Providers]]

1F: [[Federated Identity as a Business Model]]

=== Session 2 ===

2A: [[Scoping the Single European Digital Identity Community]]

2C: [[WebID and DNSSEC - combined session]]

2D: [[U-Prove - How Do We Use Privacy Enhancing Crypto?]]

=== Session 3 ===

3A: [[What Do We Actually Mean When We Talk About Identity?]]

3B: [[The Quality of Customer Intelligence (Authenticity/Relevance Correlation)]]

3C: [[Personal Data Store Harmonizing = Project Nori DEMO]]

3D: [[Claims]]

3E: [[Authent-New Tools - Opportunities - Business]]

3F: [[Remonetizing the Web:]] from 'Give privacy, get service' to: A win-win social web ecosystem for customers, Telcos, Banks, Websites

3G: [[Identity Assurance (merges with) Automated Policy Negotiation]]

=== Session 4 ===

4A: [[CardSpace in the Clouds]]

4B: [[Introduction to Digital Death - What Happens to Internet Identity After Death?]]

4C: [[One Social Web . org]]

4D: [[Why do Politicians Understand So Little? Our Fault or Theirs?]]

4E: [[How Do You (we) Manage Heterogeneous Groups?]]

4F: [[Issues About Profiling and Cross-Border Data Stores]]

4G: [[OpenID the Nascar Problem Revisited]]

=== Session 5 ===

5A: [[UK Gov. - They Want To Talk Identity. How Do We Help?]]

5B: [[Embedding Privacy Controls in OnLine Identity Mechanism: How and Why?]]

5C: [[Privacy Dashboard Demo]]

5D: [[Financial Services - distance selling, money laundering, "Know Your Customer"]]

5E: [[Personal Data Ecosystem.org]]

Iiw-europe-1-Notes

2010-12-06T14:41:29Z

IdentityWoman:

Complete Book of Proceedings from IIW-Europe in PDF form can be downloaded by clicking on this link
[Media:IIW-Europe-BOP.pdf‎]

=== Session 1 ===

1A: [[What is the MYDEX Prototype?]]

1B: [[Federated Network Access]]

1C: [[Partial Identities Privacy and Credentials]]

1D: [[Privacy and Federated Social Networking w/o Correlation]]

1E: [[OpenID Tiered Providers]]

1F: [[Federated Identity as a Business Model]]

=== Session 2 ===

2A: [[Scoping the Single European Digital Identity Community]]

2C: [[WebID and DNSSEC - combined session]]

2D: [[U-Prove - How Do We Use Privacy Enhancing Crypto?]]

=== Session 3 ===

3A: [[What Do We Actually Mean When We Talk About Identity?]]

3B: [[The Quality of Customer Intelligence (Authenticity/Relevance Correlation)]]

3C: [[Personal Data Store Harmonizing = Project Nori DEMO]]

3D: [[Claims]]

3E: [[Authent-New Tools - Opportunities - Business]]

3F: [[Remonetizing the Web:]] from 'Give privacy, get service' to: A win-win social web ecosystem for customers, Telcos, Banks, Websites

3G: [[Identity Assurance (merges with) Automated Policy Negotiation]]

=== Session 4 ===

4A: [[CardSpace in the Clouds]]

4B: [[Introduction to Digital Death - What Happens to Internet Identity After Death?]]

4C: [[One Social Web . org]]

4D: [[Why do Politicians Understand So Little? Our Fault or Theirs?]]

4E: [[How Do You (we) Manage Heterogeneous Groups?]]

4F: [[Issues About Profiling and Cross-Border Data Stores]]

4G: [[OpenID the Nascar Problem Revisited]]

=== Session 5 ===

5A: [[UK Gov. - They Want To Talk Identity. How Do We Help?]]

5B: [[Embedding Privacy Controls in OnLine Identity Mechanism: How and Why?]]

5C: [[Privacy Dashboard Demo]]

5D: [[Financial Services - distance selling, money laundering, "Know Your Customer"]]

5E: [[Personal Data Ecosystem.org]]

Iiw-europe-1-Notes

2010-12-06T14:40:12Z

IdentityWoman:

Complete Book of Proceedings from IIW-Europe in PDF form can be downloaded by clicking on this link
[[File:IIW-Europe-BOP.pdf‎]]

=== Session 1 ===

1A: [[What is the MYDEX Prototype?]]

1B: [[Federated Network Access]]

1C: [[Partial Identities Privacy and Credentials]]

1D: [[Privacy and Federated Social Networking w/o Correlation]]

1E: [[OpenID Tiered Providers]]

1F: [[Federated Identity as a Business Model]]

=== Session 2 ===

2A: [[Scoping the Single European Digital Identity Community]]

2C: [[WebID and DNSSEC - combined session]]

2D: [[U-Prove - How Do We Use Privacy Enhancing Crypto?]]

=== Session 3 ===

3A: [[What Do We Actually Mean When We Talk About Identity?]]

3B: [[The Quality of Customer Intelligence (Authenticity/Relevance Correlation)]]

3C: [[Personal Data Store Harmonizing = Project Nori DEMO]]

3D: [[Claims]]

3E: [[Authent-New Tools - Opportunities - Business]]

3F: [[Remonetizing the Web:]] from 'Give privacy, get service' to: A win-win social web ecosystem for customers, Telcos, Banks, Websites

3G: [[Identity Assurance (merges with) Automated Policy Negotiation]]

=== Session 4 ===

4A: [[CardSpace in the Clouds]]

4B: [[Introduction to Digital Death - What Happens to Internet Identity After Death?]]

4C: [[One Social Web . org]]

4D: [[Why do Politicians Understand So Little? Our Fault or Theirs?]]

4E: [[How Do You (we) Manage Heterogeneous Groups?]]

4F: [[Issues About Profiling and Cross-Border Data Stores]]

4G: [[OpenID the Nascar Problem Revisited]]

=== Session 5 ===

5A: [[UK Gov. - They Want To Talk Identity. How Do We Help?]]

5B: [[Embedding Privacy Controls in OnLine Identity Mechanism: How and Why?]]

5C: [[Privacy Dashboard Demo]]

5D: [[Financial Services - distance selling, money laundering, "Know Your Customer"]]

5E: [[Personal Data Ecosystem.org]]

File:IIW-Europe-BOP.pdf

2010-12-06T14:39:03Z

IdentityWoman: IIW Europe Book of Proceedings. Oct 11, 2010, London.

IIW Europe Book of Proceedings. Oct 11, 2010, London.

Subject Specific Note Collections

2010-11-16T06:48:44Z

IdentityWoman:

[[Personal Data Ecosystem-Notes]]

[[OpenID-Notes]]

[[OIX and Trust Frameworks-Notes]]

[[UMA-Notes]]

[[Information Cards-Notes]]

[[OpenID-Notes]]

[[Security-Notes]]

[[OAuth-Notes]]

[[NSTIC-Notes]]

[[EnterpriseID-Notes]]

[[SAML-Notes]]

[[Email-Notes]]

[[Socaial Web Open Standards-Notes]]

[[ID and Government-Notes]]

[[Claims-Notes]]

[[Identifiers-Notes]]

[[JSON-Notes]]

[[Browser and Clients-Notes]]

[[Assurance-Notes]]

[[Law and Policy-Notes]]

[[XRI/XDI-Notes]]

OAuth2 Exts.

2010-11-16T04:32:26Z

IdentityWoman:

'''Title:''' OAUTH 2 Extensions

'''Session:''' (W2F)

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Justin Richer & Marius Scurtescu

'''Notes-taker(s):''' Marius

'''Discussion:'''

Hosts (and only participants): Justin Richer & Marius Scurtescu

We talked about several proposed OAuth 2 extensions that we worked on or we thought are important:
* Instance Information
* XML Encoding
* UX
* Unregistered Clients
* Native Clients
* Token Types

Instance Information and Unregistered Clients are somewhat related and we explored if they can be combined. In the end we decided that they are orthogonal and should stay as separate extensions.

For Unregistered Clients the proposal is to specify well known values to two existing parameters and add a required and two optional
parameters:
* client_id=anonymous
* client_secret=anonymous
* client_name - required
* client_description - optional
* client_icon - optional

We explored alternate ways to signal an unregistered client, specifically to omit the client_id and client_secret parameters from the request. The problem with this approach is that these two parameters are required by the core spec so generic libraries that are not aware of this extensions will have problems handling messages like these. Also, a potential benefit in providing these parameters with special values is that some code paths in the authz server implementation can stay agnostic to the client type (by hard coding a fake registration for anonymous/anonymous for example).

The only issue with special values is that a client id of "anonymous"
my collide with a legitimate registered client.
For Instance Information the two proposed new parameters looks fine:
* instance_name
* instance_description

For symmetry we should consider adding a instance_icon, maybe.

For Native Clients we discussed an extension that allows the client to specify that it does not have a redirect URI, and that the authz server should provide a default one in this case. The extension also specifies the that default page should add the response to the <title> tag in a specific way so it shows up in the window title. This allows clients to implement OS specific window title scraping.
* redirect_uri=oob
* <title>Success code=123&state=abc</title>

We also considered adding an optional parameter called "instructions"
through which the client can provide additional instructions to the end user.

The Token Types extension introduces three new optional request parameters, all are hints from the client for the authz server. These allow the server to issue only the tokens that the client really
needs:
- tokens=[access|refresh]
- expires_in - optional
- token_usage=single

tokens tells the authz server what tokens it needs. A web based client may not need a refresh token, during refresh a client may want a new refresh token, when swapping an authorization code a client may need only a refresh token.

expires_in allows the authz server to issue access tokens that expire sooner than the default, this allows lowering the load on the server if some clients are asking for a large number of tokens in short periods of time.

token_usage allows clients to ask for access tokens that are single use. This allows reducing load, as before, or reduce the risk if tokens are sent over insecure channels (think One Time Password). We also considered this parameter to take a number as value, instead of "single", and this number to represent the number of uses allowed for the access token, in this case 1 == single.

We noted that expires_in and token_usage can be approximated by using token revocation endpoint.

XML Encoding should rely on an automatic mapping between the JSON format and the XML format. We considered generalizing this extension and also allow for form encoded responses. One possible issue with form encoded is that it allows only name/value pairs, whereas JSON and XML allow for tree structures. For now all responses are name/value pairs, and maybe it should stay like that, to be similar to requests and in browser responses.

[[File:Device.pdf‎]]

[[File:UnregisteredClientExtension.pdf]]

[[File:NativeClientExtension.pdf]]

OAuth2 Exts.

2010-11-16T04:30:45Z

IdentityWoman:

'''Title:''' OAUTH 2 Extensions

'''Session:''' (W2F)

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Justin Richer & Marius Scurtescu

'''Notes-taker(s):''' Marius

'''Discussion:'''

Hosts (and only participants): Justin Richer & Marius Scurtescu

We talked about several proposed OAuth 2 extensions that we worked on or we thought are important:
* Instance Information
* XML Encoding
* UX
* Unregistered Clients
* Native Clients
* Token Types

Instance Information and Unregistered Clients are somewhat related and we explored if they can be combined. In the end we decided that they are orthogonal and should stay as separate extensions.

For Unregistered Clients the proposal is to specify well known values to two existing parameters and add a required and two optional
parameters:
* client_id=anonymous
* client_secret=anonymous
* client_name - required
* client_description - optional
* client_icon - optional

We explored alternate ways to signal an unregistered client, specifically to omit the client_id and client_secret parameters from the request. The problem with this approach is that these two parameters are required by the core spec so generic libraries that are not aware of this extensions will have problems handling messages like these. Also, a potential benefit in providing these parameters with special values is that some code paths in the authz server implementation can stay agnostic to the client type (by hard coding a fake registration for anonymous/anonymous for example).

The only issue with special values is that a client id of "anonymous"
my collide with a legitimate registered client.
For Instance Information the two proposed new parameters looks fine:
* instance_name
* instance_description

For symmetry we should consider adding a instance_icon, maybe.

For Native Clients we discussed an extension that allows the client to specify that it does not have a redirect URI, and that the authz server should provide a default one in this case. The extension also specifies the that default page should add the response to the <title> tag in a specific way so it shows up in the window title. This allows clients to implement OS specific window title scraping.
* redirect_uri=oob
* <title>Success code=123&state=abc</title>

We also considered adding an optional parameter called "instructions"
through which the client can provide additional instructions to the end user.

The Token Types extension introduces three new optional request parameters, all are hints from the client for the authz server. These allow the server to issue only the tokens that the client really
needs:
- tokens=[access|refresh]
- expires_in - optional
- token_usage=single

tokens tells the authz server what tokens it needs. A web based client may not need a refresh token, during refresh a client may want a new refresh token, when swapping an authorization code a client may need only a refresh token.

expires_in allows the authz server to issue access tokens that expire sooner than the default, this allows lowering the load on the server if some clients are asking for a large number of tokens in short periods of time.

token_usage allows clients to ask for access tokens that are single use. This allows reducing load, as before, or reduce the risk if tokens are sent over insecure channels (think One Time Password). We also considered this parameter to take a number as value, instead of "single", and this number to represent the number of uses allowed for the access token, in this case 1 == single.

We noted that expires_in and token_usage can be approximated by using token revocation endpoint.

XML Encoding should rely on an automatic mapping between the JSON format and the XML format. We considered generalizing this extension and also allow for form encoded responses. One possible issue with form encoded is that it allows only name/value pairs, whereas JSON and XML allow for tree structures. For now all responses are name/value pairs, and maybe it should stay like that, to be similar to requests and in browser responses.

[[File:Device.pdf‎]]

[[File:UnregisteredClientExtension.pdf]]

[[Flie:NativeClientExtension.pdf]]

File:NativeClientExtension.pdf

2010-11-16T04:29:53Z

IdentityWoman:

OAuth2 Exts.

2010-11-16T04:28:42Z

IdentityWoman:

'''Title:''' OAUTH 2 Extensions

'''Session:''' (W2F)

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Justin Richer & Marius Scurtescu

'''Notes-taker(s):''' Marius

'''Discussion:'''

Hosts (and only participants): Justin Richer & Marius Scurtescu

We talked about several proposed OAuth 2 extensions that we worked on or we thought are important:
* Instance Information
* XML Encoding
* UX
* Unregistered Clients
* Native Clients
* Token Types

Instance Information and Unregistered Clients are somewhat related and we explored if they can be combined. In the end we decided that they are orthogonal and should stay as separate extensions.

For Unregistered Clients the proposal is to specify well known values to two existing parameters and add a required and two optional
parameters:
* client_id=anonymous
* client_secret=anonymous
* client_name - required
* client_description - optional
* client_icon - optional

We explored alternate ways to signal an unregistered client, specifically to omit the client_id and client_secret parameters from the request. The problem with this approach is that these two parameters are required by the core spec so generic libraries that are not aware of this extensions will have problems handling messages like these. Also, a potential benefit in providing these parameters with special values is that some code paths in the authz server implementation can stay agnostic to the client type (by hard coding a fake registration for anonymous/anonymous for example).

The only issue with special values is that a client id of "anonymous"
my collide with a legitimate registered client.
For Instance Information the two proposed new parameters looks fine:
* instance_name
* instance_description

For symmetry we should consider adding a instance_icon, maybe.

For Native Clients we discussed an extension that allows the client to specify that it does not have a redirect URI, and that the authz server should provide a default one in this case. The extension also specifies the that default page should add the response to the <title> tag in a specific way so it shows up in the window title. This allows clients to implement OS specific window title scraping.
* redirect_uri=oob
* <title>Success code=123&state=abc</title>

We also considered adding an optional parameter called "instructions"
through which the client can provide additional instructions to the end user.

The Token Types extension introduces three new optional request parameters, all are hints from the client for the authz server. These allow the server to issue only the tokens that the client really
needs:
- tokens=[access|refresh]
- expires_in - optional
- token_usage=single

tokens tells the authz server what tokens it needs. A web based client may not need a refresh token, during refresh a client may want a new refresh token, when swapping an authorization code a client may need only a refresh token.

expires_in allows the authz server to issue access tokens that expire sooner than the default, this allows lowering the load on the server if some clients are asking for a large number of tokens in short periods of time.

token_usage allows clients to ask for access tokens that are single use. This allows reducing load, as before, or reduce the risk if tokens are sent over insecure channels (think One Time Password). We also considered this parameter to take a number as value, instead of "single", and this number to represent the number of uses allowed for the access token, in this case 1 == single.

We noted that expires_in and token_usage can be approximated by using token revocation endpoint.

XML Encoding should rely on an automatic mapping between the JSON format and the XML format. We considered generalizing this extension and also allow for form encoded responses. One possible issue with form encoded is that it allows only name/value pairs, whereas JSON and XML allow for tree structures. For now all responses are name/value pairs, and maybe it should stay like that, to be similar to requests and in browser responses.

[[File:Device.pdf‎]]

[[File:UnregisteredClientExtension.pdf]]

OAuth2 for Devices

2010-11-16T04:27:49Z

IdentityWoman:

'''Title:''' OAuth 2 for Devices

'''Session:''' Wednesday, Session 3, Space E

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Marius S.

'''Note Taker:'''Andrew Wansley

'''Discussion Notes:'''

What is a device

A device as we're concerned with it here has a display and a limited or painful input. We're explicitly not talking about headless devices, devices with no display and or no input like a refrigerator. These devices as far as we know just run a webserver locally and do the webserver profile.

What's the flow

From the user's perspective, the device displays a URL and code. User goes to URL and enters the code. The device magically works.

From the device's perspective, the device presents AuthZ server with a clientID and gets back a URL a user code which it displays to the user and a device code used for polling. The device then starts polling the AuthZ server which tells it "not yet" for a while then eventually returns yes and a token or no.

AuthZ server has preregistered a device and replies to the device's requests as described above.

The session fixation attack

Trick the user into approving it from a link. Somewhat of a weakness but not a huge threat.

Other sorts of connections

I've already paired my Playstation with my Sony acct. It would be nice if when I add a netflix app it could just pair with Sony's frontend and then that connection could live across devices. In this case we could just do a webserver flow.

Another way to authorize devices is to do bluetooth sharing of credentials. Like I can authorize my photoframe by connecting my android.

[[File:Device.pdf‎]]

[[File:UnregisteredClientExtension.pdf]]

File:UnregisteredClientExtension.pdf

2010-11-16T04:27:07Z

IdentityWoman:

OAuth2 for Devices

2010-11-16T04:25:51Z

IdentityWoman:

'''Title:''' OAuth 2 for Devices

'''Session:''' Wednesday, Session 3, Space E

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Marius S.

'''Note Taker:'''Andrew Wansley

'''Discussion Notes:'''

What is a device

A device as we're concerned with it here has a display and a limited or painful input. We're explicitly not talking about headless devices, devices with no display and or no input like a refrigerator. These devices as far as we know just run a webserver locally and do the webserver profile.

What's the flow

From the user's perspective, the device displays a URL and code. User goes to URL and enters the code. The device magically works.

From the device's perspective, the device presents AuthZ server with a clientID and gets back a URL a user code which it displays to the user and a device code used for polling. The device then starts polling the AuthZ server which tells it "not yet" for a while then eventually returns yes and a token or no.

AuthZ server has preregistered a device and replies to the device's requests as described above.

The session fixation attack

Trick the user into approving it from a link. Somewhat of a weakness but not a huge threat.

Other sorts of connections

I've already paired my Playstation with my Sony acct. It would be nice if when I add a netflix app it could just pair with Sony's frontend and then that connection could live across devices. In this case we could just do a webserver flow.

Another way to authorize devices is to do bluetooth sharing of credentials. Like I can authorize my photoframe by connecting my android.

[[File:Device.pdf‎]]

File:Device.pdf

2010-11-16T04:25:18Z

IdentityWoman:

OAuth2 for Devices

2010-11-16T04:23:56Z

IdentityWoman:

'''Title:''' OAuth 2 for Devices

'''Session:''' Wednesday, Session 3, Space E

'''Conference:''' [http://iiw.idcommons.net/Iiw11 IIW-11] November 2-4, Mountain View, [http://iiw.idcommons.net/Notes_IIW11 Complete Notes Page]

'''Convener:''' Marius S.

'''Note Taker:'''Andrew Wansley

'''Discussion Notes:'''

What is a device

A device as we're concerned with it here has a display and a limited or painful input. We're explicitly not talking about headless devices, devices with no display and or no input like a refrigerator. These devices as far as we know just run a webserver locally and do the webserver profile.

What's the flow

From the user's perspective, the device displays a URL and code. User goes to URL and enters the code. The device magically works.

From the device's perspective, the device presents AuthZ server with a clientID and gets back a URL a user code which it displays to the user and a device code used for polling. The device then starts polling the AuthZ server which tells it "not yet" for a while then eventually returns yes and a token or no.

AuthZ server has preregistered a device and replies to the device's requests as described above.

The session fixation attack

Trick the user into approving it from a link. Somewhat of a weakness but not a huge threat.

Other sorts of connections

I've already paired my Playstation with my Sony acct. It would be nice if when I add a netflix app it could just pair with Sony's frontend and then that connection could live across devices. In this case we could just do a webserver flow.

Another way to authorize devices is to do bluetooth sharing of credentials. Like I can authorize my photoframe by connecting my android.

Main Page

2010-11-16T04:20:06Z

IdentityWoman: /* Previous Internet Identity Workshops */

<Big> Welcome to the Internet Identity Workshop (IIW) Wiki </big>

[http://www.internetidentityworkshop.com WE HAVE A WEBSITE/BLOG TOO!]

* To get updates regarding IIW [http://lists.idcommons.net/lists/info/iiwinfo subscribe here].

[[Subject Specific Note Collections]]

=== Next Internet Identity Workshops ===

IIW #12 will be in May of 2011. Dates will be announced in December 2010.

We are working on collaborating with our industry organizational peers on a community unconference before RSA on February 14th.

We are considering hosting "Identity Open Space" events on the East Coast of the United States and in Europe in 2011. Feel free to contact us if you are interested in helping/participating. (kaliya (at) Mac.com)

We have an [http://lists.idcommons.net/lists/subscribe/iiwinfo announcement list] that you can subscribe to if you would like to get an e-mail when new IIW & IOS events are announced.

=== Previous Internet Identity Workshops ===

* #11 Fall 2010 [[iiw11]] Nov 2-4, Tuesday-Thursday at the Computer HIstory Museum in Mountain View California
** [[Notes IIW11]]
** [http://www.internetidentityworkshop.com/what-is-iiw/ Responses to IIW is...] [http://www.internetidentityworkshop.com/iiw-values/ Values of IIW]

* [[iiw-europe-1|IIW Europe]] in London Monday October 11 (before RSA Europe) at the University of London
** [[iiw-europe-1-Notes]]
** [[iiw-europe-1-Reflection]] As a Result of Today....

* [[iiw-east-1|IIW East Coast]] in DC September 9-10 Thursday, Friday at the Josephine Butler Parks Center (following the Gov 2.0 Summit) the theme will be ''Open Identity for Open Government''
** [[Notes_IIW-East]]
** [[As a result of day 1 at IIW-East]]

* #10: Spring 2010 [[iiw10]] May 17-19 at the Computer History Museum.
** [[Notes IIW10]]

* #9: Fall 2009 [[iiw9]] TUESDAY November 3 to THURSDAY November 5.
** [[Notes_iiw9]]

* #8: Spring 2009 [[iiw8]] - '''May 18-20, 2009'''
** [[Notes_iiw9]]

* #7: Fall [[iiw2008b]] (2008B)- '''Nov 10-12''' - Computer History Museum, Mountain View, CA
** [[Notes_08b]]

* 6: Spring [[iiw2008a]] (2008A)- '''May 12-14, 2008''' - Computer History Museum, Mountain View, CA
** [[Notes_2008a]]

* [http://iiw.idcommons.net/index.php/Iiw2007b 5: December 3-5, 2007 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop_2007 4: May 2007 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop2006b 3: December 2006 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop2006 2: May 2006 - - Computer History Museum, Mountain View, CA]

* [http://www.socialtext.net/iiw2005/index.cgi?internet_identity_workshop_2005 1: October 2005 - Berkeley, CA]

=== Previous Identity Open Spaces ===

Identity Open Space events are co-produced by the IIW team (Phil, Kaliya, Doc) in collaboration with other organizations and events. To date we have worked with Digital Identity World and the Liberty Alliance. We are open to working with a variety organizations - if you are interested please don't hesitate to contact us.

[http://ios.windley.com/wiki/IOSSF September 2007 at Digital Identity World]

[http://ios.windley.com/wiki/IOSBrussels May 2007 following a Liberty Alliance Meeting in Brussels, Belgium]

[http://ios.windley.com/wiki/IOSSantaClara September 2006 at Digital Identity World]

[http://ios.windley.com/wiki/IOSVan July 2006 following a Liberty Alliance Meeting in Vancouver, Canada]

=== Previous Identity Birds of a Feather Meetings ===

June 2006 [http://www.identitygang.org/ Identity Gang Birds of a Feather Session] at Burton Group Conference, San Francisco

January 2006 [http://www.socialtext.net/iiw2005/index.cgi?identity_speed_geeking_o_reilly_emerging_telephony_conference Identity Speed Geeking Session] at O'Reilly's Emerging Telephony Conference

December 2005 [http://www.socialtext.net/iiw2005/index.cgi?informational_morning_for_developers Pre-Syndicate Informational Morning for Developers]

Subject Specific Note Collections

2010-11-16T04:17:18Z

IdentityWoman:

Subject Specific Note Collections

2010-11-16T04:16:32Z

IdentityWoman:

Telco-Web-Data User Model Scenarios

2010-11-16T04:02:56Z

IdentityWoman:

'''Session:''' Wed Session 5 Space F

'''Conference:''' [http://iiw.idcommons.net/Iiw10 IIW 10] May 17-19, 2009 this is the complete [http://iiw.idcommons.net/Notes_IIW10 Complete Set of Notes ]

'''Convener:''' Nancy Frishberg

'''Notes-taker(s):''' Christie Grabyan

''' technology discussed/ideas considered:'''

We shared ideas about what the scope of the discussion should be:
* User scenarios/use cases specific to the Web/Telco interaction discussed previously
* What scenarios does a personal data store concept enable?
* What use cases are there to drive adoption by users of a personal data store?
* What is the narrative/story between a user and scenario (how many players are there? Is there a specific case to delve into?) An overview where parts can be storyboarded

We chose to focus on the perspective of types of users and their interactions with the web and/or Telco infrastructure. We want to discuss both the macro and micro (global vs. local) interactions.

'''Notes:'''

Terminology check:
User profile = user persona
Use case = user scenario

Example user scenario: Woman who has a single cell phone in a South American village and she makes a living renting out her cell phone to others in the community to make calls. (We have assumed a one-to-one relationship of person-to-phone). This is not a technical challenge; it is that there is not perceived value by the users to uniquely identify themselves.

Example user scenario: A colleague goes to China and tries to figure out how her product’s companies will fit into the Chinese culture and lifestyle. Not everyone (the China user base) had a computer, but pretty much everyone had at least one phone. Many users had many phones. It is perceived at useful for one person to have multiple devices. Often these phones are pay-as-you-go structure. Different phones are used in different contexts.

Example user scenario: We suspect that usage behavior will vary by age group. For example, younger users may not pay for their service (paid for by parents), and they may text much more than they call. Conversely, different phones and plans are marketed towards different groups/peoples.

One application for the personal data concept is that it limits that monopolization of data (by Facebook, etc). But, for people who are not on any social networks, what is their “personal data store”?

Family historians today share family information, but often “offline”. But if this were digitized, there could be more of a need for personal data store for this population. Marketers and advertisers are interested in data like recent browser searches, not always information considered personal, like the family historian artifacts.

Adoption is usually driven by either ease-of-use. People often don’t trust claims of privacy and security.

Not only “what is the killer app to get people on board with personal data store”? But also what is the killer app to get more people to be “social”? The discussion is that everyone is social, but perhaps not digitally social.

A user might not understand the use of a personal data store until they understand what they will gain from it. They need to understand what scenarios will be the reasons they would want to protect and/or share their personal information.

It’s not just about what data to share, but how easy is it for data that already exists about you to be shared back with you. (i.e. the digitization of medical records in the U.S.). There is also the international scenario of people who move countries, and information (residential, health, etc) is essentially lost or no longer usable.

In Singapore, there are national ID cards that are assigned when born and then that number is used on ID cards when you are an adult. There is efficiency in the system, but obviously a lack of user control over your own information or the aggregation of information.

The aggregation of data is the scary part to users, even if it’s the aggregation of data that already exists. It’s the same political issue as the resistance against the government having a national ID card scheme. There will definitely be an education effort for the average consumer to understand what the personal data store means, and why it is necessary, useful, beneficial, etc. The negative incidents that occur are what will give consumers the awareness required to care about these kinds of issues. It’s not that a bank account has to be compromised, but it’s that someone can take and exploit your aggregation of digital data. The emotional impact on the public/consumer base will drive the adoption of change of behavior.

Scenario: what is your last/recent web searches? How does this interact with or integrate with your personal data store.

If you don’t know what is IN the personal data store, you won’t be in a position to decide what and how to share.

Subject Specific Note Collections

2010-11-16T04:02:20Z

IdentityWoman:

Personal Data Ecosystem-Notes

2010-11-16T03:47:12Z

IdentityWoman: /* IIW 11 */

== IIW 11 ==

* [[Intro to PDS]] Mon, Session 1A
* [[Facebook as a Personal Data Store]] Mon Session 3A
* [[Personal Data Ecosystem]]
* [[PDE- Why would anyone adopt?]]
* [[Personal Data Ecosystem Biz Models]]
* [[Using a Personal Data Store]]
* [[Value Network Mapping]]
* [[Personal Data Ecosystem Model 2]]
* [[Go To Market - PDE]]
* [[Go To Market PDE 2]]
* [[PDE - Go to Market and Community Strategy]]
* [[Personal Data Ecosystem Org Role]]

== IIW Europe ==

* [[What is the MYDEX Prototype?]]
* [[Federated Identity as a Business Model]]
* [[ Personal Data Store Harmonizing = Project Nori DEMO]]
* [[Issues About Profiling and Cross-Border Data Stores]]
* [[Personal Data Ecosystem.org]]

== IIW East ==

* [[PDX Ecosystem]]
* [[Personal Data Vision of Future: Video]]
* [[Personal Data Stores and Context Automation]]
* [[Personal Data Store/Archive]]
* [[Personal Data Locker? What is it and Why?]]
* [[Ownership Rights in Data Pt2]]
* [[Roadmap for Personal Data Store Ecology: Let's Make One]]

== IIW 10 ==

* [[Personal Data Stores]]
* [[VRM Parts & Whole]]
* [[Telco-Web-Data User Model Scenarios]]
* [[Personal Data Store Ecosystem Design]]
* [[Telco/Web/Data Meta Story]]

== IIW 9 ==

* [[Information_Sharing]]

Personal Data Ecosystem-Notes

2010-11-16T03:38:00Z

IdentityWoman: /* IIW 9 */

== IIW 11 ==

* [[Intro to PDS]] Mon, Session 1A
* [[Facebook as a Personal Data Store]] Mon Session 3A
* [[Personal Data Ecosystem]]
* [[PDE- Why would anyone adopt?]]
* [[Personal Data Ecosystem Biz Models]]
* [[Using a Personal Data Store]]
* [[Personal Data Ecosystem Model 2]]
* [[Go To Market - PDE]]
* [[Go To Market PDE 2]]
* [[PDE - Go to Market and Community Strategy]]
* [[Personal Data Ecosystem Org Role]]

== IIW Europe ==

* [[What is the MYDEX Prototype?]]
* [[Federated Identity as a Business Model]]
* [[ Personal Data Store Harmonizing = Project Nori DEMO]]
* [[Issues About Profiling and Cross-Border Data Stores]]
* [[Personal Data Ecosystem.org]]

== IIW East ==

* [[PDX Ecosystem]]
* [[Personal Data Vision of Future: Video]]
* [[Personal Data Stores and Context Automation]]
* [[Personal Data Store/Archive]]
* [[Personal Data Locker? What is it and Why?]]
* [[Ownership Rights in Data Pt2]]
* [[Roadmap for Personal Data Store Ecology: Let's Make One]]

== IIW 10 ==

* [[Personal Data Stores]]
* [[VRM Parts & Whole]]
* [[Telco-Web-Data User Model Scenarios]]
* [[Personal Data Store Ecosystem Design]]
* [[Telco/Web/Data Meta Story]]

== IIW 9 ==

* [[Information_Sharing]]

Main Page

2010-11-16T03:35:59Z

IdentityWoman: /* Previous Internet Identity Workshops */

<Big> Welcome to the Internet Identity Workshop (IIW) Wiki </big>

[http://www.internetidentityworkshop.com WE HAVE A WEBSITE/BLOG TOO!]

* To get updates regarding IIW [http://lists.idcommons.net/lists/info/iiwinfo subscribe here].

[[Subject Specific Note Collections]]

=== Next Internet Identity Workshops ===

IIW #12 will be in May of 2011. Dates will be announced in December 2010.

We are working on collaborating with our industry organizational peers on a community unconference before RSA on February 14th.

We are considering hosting "Identity Open Space" events on the East Coast of the United States and in Europe in 2011. Feel free to contact us if you are interested in helping/participating. (kaliya (at) Mac.com)

We have an [http://lists.idcommons.net/lists/subscribe/iiwinfo announcement list] that you can subscribe to if you would like to get an e-mail when new IIW & IOS events are announced.

=== Previous Internet Identity Workshops ===

* #11 Fall 2010 [[iiw11]] Nov 2-4, Tuesday-Thursday at the Computer HIstory Museum in Mountain View California
** [[Notes IIW11]]
** [http://www.internetidentityworkshop.com/what-is-iiw/ Responses to IIW is...] [http://www.internetidentityworkshop.com/iiw-values/ Values of IIW]

* [[iiw-europe-1|IIW Europe]] in London Monday October 11 (before RSA Europe) at the University of London
** [[iiw-europe-1-Notes]]
** [[iiw-europe-1-Reflection]] As a Result of Today....

* [[iiw-east-1|IIW East Coast]] in DC September 9-10 Thursday, Friday at the Josephine Butler Parks Center (following the Gov 2.0 Summit) the theme will be ''Open Identity for Open Government''
** [[Notes_IIW-East]]
** [[As a result of day 1 at IIW-East]]

* #10: Spring 2010 [[iiw10]] May 17-19 at the Computer History Museum.
** [[Notes IIW10]]

* #9: Fall 2009 [[iiw9]] TUESDAY November 3 to THURSDAY November 5.
** [[Notes_iiw9]]

* #8: Spring 2009 [[iiw8]] - '''May 18-20, 2009'''
** [[Notes_iiw9]]

* #7: Fall [[iiw2008b]] (2008B)- '''Nov 10-12''' - Computer History Museum, Mountain View, CA
** [[Notes_08b]]

* 6: Spring [[iiw2008a]] (2008A)- '''May 12-14, 2008''' - Computer History Museum, Mountain View, CA
** [[Notes_2008a]]

* [http://iiw.idcommons.net/index.php/Iiw2007b 5: December 3-5, 2007 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop_2007 4: May 2007 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop2006b 3: December 2006 - Computer History Museum, Mountain View, CA]

* [http://iiw.windley.com/wiki/Workshop2006 2: May 2006 - - Computer History Museum, Mountain View, CA]

* [http://www.socialtext.net/iiw2005/index.cgi?internet_identity_workshop_2005 1: October 2005 - Berkeley, CA]

=== Previous Identity Open Spaces ===

Identity Open Space events are co-produced by the IIW team (Phil, Kaliya, Doc) in collaboration with other organizations and events. To date we have worked with Digital Identity World and the Liberty Alliance. We are open to working with a variety organizations - if you are interested please don't hesitate to contact us.

[http://ios.windley.com/wiki/IOSSF September 2007 at Digital Identity World]

[http://ios.windley.com/wiki/IOSBrussels May 2007 following a Liberty Alliance Meeting in Brussels, Belgium]

[http://ios.windley.com/wiki/IOSSantaClara September 2006 at Digital Identity World]

[http://ios.windley.com/wiki/IOSVan July 2006 following a Liberty Alliance Meeting in Vancouver, Canada]

=== Previous Identity Birds of a Feather Meetings ===

June 2006 [http://www.identitygang.org/ Identity Gang Birds of a Feather Session] at Burton Group Conference, San Francisco

January 2006 [http://www.socialtext.net/iiw2005/index.cgi?identity_speed_geeking_o_reilly_emerging_telephony_conference Identity Speed Geeking Session] at O'Reilly's Emerging Telephony Conference

December 2005 [http://www.socialtext.net/iiw2005/index.cgi?informational_morning_for_developers Pre-Syndicate Informational Morning for Developers]

Personal Data Ecosystem-Notes

2010-11-16T03:35:12Z

IdentityWoman: /* IIW East */

== IIW 11 ==

* [[Intro to PDS]] Mon, Session 1A
* [[Facebook as a Personal Data Store]] Mon Session 3A
* [[Personal Data Ecosystem]]
* [[PDE- Why would anyone adopt?]]
* [[Personal Data Ecosystem Biz Models]]
* [[Using a Personal Data Store]]
* [[Personal Data Ecosystem Model 2]]
* [[Go To Market - PDE]]
* [[Go To Market PDE 2]]
* [[PDE - Go to Market and Community Strategy]]
* [[Personal Data Ecosystem Org Role]]

== IIW Europe ==

* [[What is the MYDEX Prototype?]]
* [[Federated Identity as a Business Model]]
* [[ Personal Data Store Harmonizing = Project Nori DEMO]]
* [[Issues About Profiling and Cross-Border Data Stores]]
* [[Personal Data Ecosystem.org]]

== IIW East ==

* [[PDX Ecosystem]]
* [[Personal Data Vision of Future: Video]]
* [[Personal Data Stores and Context Automation]]
* [[Personal Data Store/Archive]]
* [[Personal Data Locker? What is it and Why?]]
* [[Ownership Rights in Data Pt2]]
* [[Roadmap for Personal Data Store Ecology: Let's Make One]]

== IIW 10 ==

* [[Personal Data Stores]]
* [[VRM Parts & Whole]]
* [[Telco-Web-Data User Model Scenarios]]
* [[Personal Data Store Ecosystem Design]]
* [[Telco/Web/Data Meta Story]]

== IIW 9 ==

Personal Data Ecosystem-Notes

2010-11-16T03:31:52Z

IdentityWoman: /* IIW Europe */

== IIW 11 ==

* [[Intro to PDS]] Mon, Session 1A
* [[Facebook as a Personal Data Store]] Mon Session 3A
* [[Personal Data Ecosystem]]
* [[PDE- Why would anyone adopt?]]
* [[Personal Data Ecosystem Biz Models]]
* [[Using a Personal Data Store]]
* [[Personal Data Ecosystem Model 2]]
* [[Go To Market - PDE]]
* [[Go To Market PDE 2]]
* [[PDE - Go to Market and Community Strategy]]
* [[Personal Data Ecosystem Org Role]]

== IIW Europe ==

* [[What is the MYDEX Prototype?]]
* [[Federated Identity as a Business Model]]
* [[ Personal Data Store Harmonizing = Project Nori DEMO]]
* [[Issues About Profiling and Cross-Border Data Stores]]
* [[Personal Data Ecosystem.org]]

== IIW East ==

== IIW 10 ==

* [[Personal Data Stores]]
* [[VRM Parts & Whole]]
* [[Telco-Web-Data User Model Scenarios]]
* [[Personal Data Store Ecosystem Design]]
* [[Telco/Web/Data Meta Story]]

== IIW 9 ==

Personal Data Ecosystem-Notes

2010-11-16T03:29:28Z

IdentityWoman: /* IIW 11 */

Personal Data Ecosystem-Notes

2010-11-16T03:24:26Z

IdentityWoman: /* IIW 10 */

== IIW 11 ==

== IIW Europe ==

== IIW East ==

== IIW 10 ==

* [[Personal Data Stores]]
* [[VRM Parts & Whole]]
* [[Telco-Web-Data User Model Scenarios]]
* [[Personal Data Store Ecosystem Design]]
* [[Telco/Web/Data Meta Story]]

== IIW 9 ==

Personal Data Store Ecosystem Design

2010-11-16T03:24:04Z

IdentityWoman:

'''Session:''' Wednesday, Session 1 Space A

'''Conference:''' [http://iiw.idcommons.net/Iiw10 IIW 10] May 17-19, 2009 this is the complete [http://iiw.idcommons.net/Notes_IIW10 Complete Set of Notes ]

Convener: Kaliya Hamlin

We saw 8 different potential/existing models presented

(see photos)

We asked people to articulate what they saw in common between these models and what was different.

COMMON
* User control of information “user data vault” or centralized store of personal information
* Not a technical issue
* Business Case is the Question
* Assumption that individual control and privacy is desirable
* Right to User Activity Digital
* User owns his/her data
** user data vault
** privacy bank
** personal data store (PDS)
* Telco as IdP: Nat’s, Christies’ Pauls, Rolf’s Marc’s
* Dashboard usability?
* Need to reset control thermostat between service providers + users

DIFFERENT
* User Centric “Identity”
* Personal Data Store Central or Distributed
* Not Common: Different Business models - who pays whom
* Mechanisms to Manage Change
* To Datastore or not to Datastore?
* Value-Chain from User Perspective (where is Gov?)

QUESTION:
* How is Money $ Made?
* Best Route to Bootstrap?
* Regulation
* Leverage “right” big elephant
* create the right consortium
* right business model
* Personal Data Stored in a “BANK” or under my mattress (& I can still participate)
* How Many Data Vaults, Exchanges (Competitive?)
* Telcos or New Org?
* Which Data?
* User Value Explain to the average user?
* People Not on the Grid Yet? (Kenyan Farmer) (Identity Place Holder)
* Responsibility of user in understanding what is in the PDS and how it will be used. Is that reasonable?
* Data as “money” to be “exchanged” Except data is more nuanced, which needs to be understood
* If not understood by the user, it invites explanation by the company.
* Different Emphasis on AuthN and Attributes (how do telco’s off to others)
* Role of Regulator?
* Privacy as a Toxic Asset. But How do we Launder it. (Private data store? Say its dead? or not collect?

COMMENTS:
* PDS = User Data Vault
* Eat their own dogfood?
* New Rolls - Data Broker, Data Lawyer
* Economic Power ($ Euro Yen) (Telco-Webco- Banks) Marketing

ASSUMPTION:
* The Network is a free cost less ubiquitous resource (not true)

Store - PDS, UDB, “Vault”

Collecting - implicit - behavioral tracking, GPS, Search

Implicit - VPI, Lists

Sharing - PDX/UDE

Rule Set Store

Control and Contract

Interfaces

open standards

regulations

context

granularity

Regulation

Slows things down

Vault does not equal exchange

Personal Data Store

marketing?

on phone?

syncrhonized?

portable? / sharable? templates

Is Data Really Centralized? (not necessarily)