IIW - User contributions [en]

OpenID-Artifact Binding

2010-11-24T10:24:20Z

Igiwydijok:

=[http://enececufo.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
'''Session:''' Tuesday Session 4 Space O

'''Conference:''' [http://iiw.idcommons.net/Iiw10 IIW 10] May 17-19, 2009 this is the complete [http://iiw.idcommons.net/Notes_IIW10 Complete Set of Notes ]

Topic: OpenID Artifact Binding

Convener: Nat, Breno, John.B

* AB designs for scalable and stateless. It works with mobile phones.
* With AB, OpenID can support up to NIST SP800-63(rev1) L2 - L4 because the assertions are sent in the direct communication channel between OP and RP.
* Asymmetric key signing and encryption will protect the threat defined in L3 - L4.
* RP can choose 2 types of the request mode:

1. Push: Encoded request messsage sent to OP (POST)

2. Pull: Prepare RPF(JSON) msg and let know OP only the URL to the msg

* The Assertion is also in JSON instead of key-value form encoding in 2.0.
* OP implementation in PHP is now around 400 lines of code! RP is 200 including even HTML part.
* For digital signing, "Magic Signature" is used. (to get LoA 2 - 3).
* Encryption:

1. Symmetric key encryption for encrypting "Artifact".

2. Asymmetric key encryption for encrypting "Assertion".

* URL for RPF can be published in XRDS.
* RPF can be cached in OP until updated.
* The "Holder of Key" parameter in the assertion for storing user's cert used for PKI based authentication. (In order to meet LoA4)
* The "Pull" mode is required for mobile phone not capable for JavaScript.

Stateless Distributed Membership an Inquiry

2010-11-24T10:24:13Z

Igiwydijok:

=[http://ocavyle.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
'''Session:''' Wed Session 2 Space E

'''Conference:''' [http://iiw.idcommons.net/Iiw10 IIW 10] May 17-19, 2009 this is the complete [http://iiw.idcommons.net/Notes_IIW10 Complete Set of Notes ]

Convener: Judi Clark

Note-taker(s): Judi Clark

'''Tags:'''

openID, identity, personal data store, user-managed access, access control, social expectations, how things work, multiple identities, experiment

'''Notes:'''

We explored the possibility of creating a membership site that does not have a traditional membership database (user names, passwords) but instead uses OpenID (or similar) and personal data stores to contribute to the site. A lot of the underlying tools/technology exists already.

* Eve M has spoken about ID data statelessness and this concept is related.

Access to the site (example): OpenID, location to personal data store, and default designation of sharing policy. Sharing policy might include, for example:
* Sharing: A. Sharing; B. Others in this thread; C. Specific others
* Storage: 1. cache & call to update, 2. no cache; 3. X days; 4. Permanent until revoked

* Related concept: cache and update
* Recommended reading: Future of Reputation (Solove)

'''First example: Forum/Conversation'''

My server stores a unique transaction record key, the openID & policy statement, and other pointers relevant to the specific interaction. For example: if visitors are contributing to a forum or ongoing conversation, my server may have a time/date/conversation ID stamp (each contribution is stored on the visitor's own personal data store (PDS); my server assembles the conversation according to stated policies and availability of visitor PDSs.

* Example of distributed conversations: blog posts and trackbacks
* important underlying concept: Operational Transformation (wikipedia)
* Might try installing a version of Google Wave/Jupiter to start

'''Second example: Personal RFPs'''

Similar to a job board or public wish list, my server might offer a commons area which points to Personal Requests for Proposal (RFP) for something that someone wants or offers. A common template for an RFP might include a title, description, price, and way to reach requestor, stored on the requestor's PDS. My server tracks the pointer to the PDS that holds the RFP, a community caution flag, the REL button status, and an expiration date.

General consensus that this was an interesting problem from social angle as well as having many tools that might be applicable. Many of the social norms and expectations have to be discovered or developed & discussed.

Thanks for the very constructive questions, suggestions and observations at this session!

Talk:OpenID-Artifact Binding

2010-11-24T10:23:53Z

Igiwydijok: Created page with '---- <div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height...'

Talk:Stateless Distributed Membership an Inquiry

2010-11-24T10:23:46Z

Talk:Distributed Identity Based on Relationships

2010-11-24T10:22:37Z

Igiwydijok: Created page with '=[http://ebytery.co.cc This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page]='

=[http://ebytery.co.cc This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page]=

Browser Extension Convergence

2010-11-24T09:54:50Z

Igiwydijok:

=[http://ybyfonojot.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=
'''Convener and Note Taker:''' Paul Trevithick

We had a session on trying to converge towards a single browser extension for these four browsers: IE, FF, Safari, Chrome. Or, at least that’s how it started off.

Today we’ve got lots of browser extensions for different browsers each of which generally supports a specific protocol (e.g. OpenID or I-Card or…). What we’d like to get to is having one multi-protocol browser extension for each browser–that is, a total of four extensions. And eventually, we’d like to see these built into the browsers themselves.

We started by creating a quick inventory of the existing browser extensions:
# Firefox: Sxipper (OpenID, UN/PW)
# Firefox: Higgins: HBX4FF (I-Card)
# Firefox: OpenInfoCard (I-Card)
# Firefox: DigitalMe (I-Card)
# Firefox: OpenLiberty (SAML)
# Firefox: Verisign Seatbelt (OpenID)
# Firefox: IDIB (OpenID…)
# IE: Microsoft’s I-Card built-in
# IE: Higgins: HBX4IE

We then made a list of protocol “families” that we think each extension should support:
# Username/Password (Form-based, HTTP Auth, WS-Security)
# OpenID (OpenID, SAML)
# I-Card (ISIP‡IMI-TC)
# Kerberos
# SAML (SAML SSO, SAML ECP)

We also made a list of possible “packaging” options for these extensions, though this didn’t really lead to any discussion:
# Browser-native add-on/extension/plug-in
# Flash
# Java
# Gears
# Silverlight

We discovered that there was an opportunity to first agree on the specifications for auth discovery across protocols. This became the next part of the meeting…

Part 2: Browser Support for RP Auth Discovery
Everyone agreed that creating common specs for this was a good idea, whether or not they were interested in creating implementations. We saw that we could use XRDS as the basis for discovery of a relying party (RP) site’s authentication support for multiple protocols. The RP site would publish an XRDS document that would allow a “smart client” (well, a browser extension) to discover information about what protocols were supported and how they might be used to authenticate to the site.

Today I-Card tech embeds an HTML <object> tag, but Axel Nennker has put forward here [1] and here [2] a variation where instead of an embedded <object> tag we use a link/rel approach. Meanwhile, Scott Kventon and other OpenID folks have also been looking at using XRDS to discover RP auth metadata. In a similar manner XRDS SEPs could be defined for SAML, UN/PW and Kerberos.

So the consensus was that we should pursue this common approach to RP Auth Discovery.

[1]http://ignisvulpis.blogspot.com/2008/10/information-cards-with-xrds.html

[2]http://iiw.idcommons.net/Iiw2008b_XRDS_for_OpenId_and_Information_Cards_and_other_%22Services%22

Talk:Browser Extension Convergence

2010-11-24T09:54:25Z

Attribute eXchange

2010-11-24T09:26:50Z

Igiwydijok:

=[http://imygijesusy.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
OpenID Attribute Exchange v.1.x , 2.0 (2A)

'''Convener:''' Nat Sakimura, NRI
'''Notes-taker(s):''' Tatsuki Sakushima, NRI

'''Attendees:'''
* Nat Sakimura (NRI)
* Dick Hardt (Microsoft)
* Henrik Biering (Netamia)
* Mike Hansen (Mozilla)
* Andrew Arnott (Microsoft)
* Will Noris (Internet2)
* Ragavan Srinivasan (Mozilla)
* Breno de Medeiros (Google)
* Ilan Caron (Google)
* Hannes Tschofenig (Nokia Siemens Networks)
* Bharath Kumar (Amazon)
* Tatsuki Sakushima (NRI)

'''Tags:'''
* OpenID Attribute Exchange Protocol and Syntax
* Not Schema!

'''Session Slides:''' http://docs.google.com/present/view?id=dhsz4ffx_160d4mqqkc3

'''AX 1.1? and beyond'''=nat (Nat Sakimura)

'''Issues raised in AX 1.0'''
* Introduce the concept of more generic schema for sending/requesting properties about attributes.
** '''Class:''' The new attribute property schemas attach to specific attribute types.
*** Each attribute property schema is bound to a unique attribute-type namespace, can be described by a standard key string (does not need to be defined through a URL value).
** '''Query-Response:''' Attribute property values can be transmitted within any request or response type, allowing communication of attribute properties in both directions in direct and indirect communication request/response pairs.
* '''Direct Communication:''' Introduce a direct communication method in both directions (OP<->RP), supported via discovery, for bulk exchange of attributes about (potentially) multiple users.
* '''Privacy Policy/Sreg features:''' Update AX to include support for RPs to send a link to their site's privacy policy to the OP. This feature is currently supported in SREG 1.0 and was omitted in AX 1.0.

'''Approach to solve these issues in AX 1.0'''

'''Class'''
* Now: e.g.
** ax.type.fname=http://schemas.openid.net/name/first
** ax.fname.value=Nat
** ax.type.lname=http://schemas.openid.net/name/last
** ax.lname.value=Sakimura
** etc.
* New:
** ax.type.name=http://schemas.openid.net/opensocial.name
** ax.name.family_name=Sakimura
** ax.name.given_name=Nat

'''Query-Response: Request / Response AX '''
$ diff openid-attribute-exchange.xml oax1.1.xml
793a794,796
> <t>
> In addition, any parameter values may be sent with the Response as in Fetch Response.
> </t>

This one line change will allow us to send data to OP and get back the processed data back in the response.

Or: Parameter to Fetch Request? --> This seems to be better way.

'''Direct Communication'''
* Solved in Artifact Binding
* Privacy Policy URL
* In SREG: openid.sreg.policy_url can be specified in the request.
* In AX 1.0, it cannot, because you have no way of sending such data in fetch request, nor way to fetch data via Store request.
* If Store request can also fetch data, the problem is solved: Just the matter of defining standard type URI for privacy policy.
* i.e., "Bidirectional" solves the problem.

'''Next Steps'''
Finish Easy things first, then move onto harder topic.

AX 1.1
* Add parameter to Fetch Request.
* Privacy Policy Advertisement
AX 2.0
* More efficient Schema
* Data format: XML or JSON?

'''''Discussion:'''''
* AX Protocol Proposals and Issues from Nat.
* There are lots of interests in “schema” and “schema registory” but not be covered here.
* Make it more generic. 4 areas to improve:
# Class
# Query Response
# Direct Communication
# Privacy Policy
* Avoid key/value pair(limited capability) and support richer data structures/formats like XML or JSON.
* Also “direct communication” and “different syntax for request and response” are required to make this happen.
* Metadata for attributes like “verified email or just email” → a schema issue? But at least a new format and syntax provide spaces for metadata.
* How to implment a notification service for geolocation in AX? → unsolicited assertion to update_url can be used.
* Is “Privacy Policy” is metadata? → policy_url for Terms of Conditions of Attributes given to RP like Sreg has. The group agreed on this addition to AX.
* Should Policy URL is in a signed request or written in XRD to be fetched from RP? → Artifact binding or Contract Exchange for making a signed request.
* Query Response is used to store and fetch data in the same time. → Need richer syntax for a fetch request.

'''Next Steps:'''
# Class. → Go for it! Support XML, JSON not only a key/value pair.
# Syntax → Make richer.

Talk:Horoskop skorpion i lew

2010-11-24T09:26:49Z

What are the Business Models of ID Conference

2010-11-24T09:26:37Z

Igiwydijok:

=[http://yjucofi.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=
'''Conversants:''' Kaliya Hamlin, Louie Gasperini, Stephen ''who works with Phil''

We talked about the lack of business people at the conference and the NEED to figure out the business models.

We thought a highly focused 1.5-2 day event this winter could help move this conversation forward.

We decided to go forward with an invitation and finding a place. Likely dates are late Feb early March.

Likely place in the mountains.

Action Card Ideas iiw9

2010-11-24T09:26:35Z

Igiwydijok:

=[http://olitudyxej.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=
== What is an Action Card? ==
You can think of an action card as an in-browser, user-centric mashup. Think about augmenting / changing any web page, using some other data source. Here are some examples:
* '''AAA''' - search results on Google, Yahoo! and Bing are augmented by showing the AAA logo next to listings for businesses that offer AAA discounts. [http://www.azigo.com/demo/aaawa/index.html See Demo]
* '''Minuteman Library''' - when browsing books on Amazon.com, barnesandnoble.com, or Borders.com, if the book you are browsing (or an ~ equivalent ISBN) is available in your local library, then a notification box is shown, with a link to the online card catalog. [http://www.azigo.com/demo/mln/index.html See Demo]
* '''WBUR''' - This helps me direct my shopping spending to help support my local NPR station. This Action card augments search results similar to AAA, but also add a box at the top of search results (like a paid search box), with merchants that are WBUR underwriters. In addition, if I go to a competitor of one of WBUR's underwriters, a notification will suggest that I go to the WBUR underwriter instead. [http://www.azigo.com/landing/wbur/demo/index.html See Demo]

== Ideas Submitted at IIW9 & other ==
* '''Twitter silent unfollow''' - adds a 'silent unfollow' feature (removes tweets from select users from display, without actually un-following them).
* '''MySpace Facebook Skin''' - reskin MySpace using the Facebook styles.
* '''Google Paid Search closer''' - Make the paid search box at the top of Google results into an 'accordian' - user can open/close.

== Prize ==
[[File:Shuffle.jpg]] Green iPod Shuffle Gen 2

This is a classic, no longer widely available. Unlike the Gen 3 Shuffle, this works with standard headphones! Engraved "Thank you from azigo.com"

Selling to Consumers

2010-11-24T09:26:30Z

Igiwydijok:

Design Team

2010-11-24T09:26:21Z

Igiwydijok:

----
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;">
----
=[http://egebyromedu.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
----
=[http://egebyromedu.co.cc CLICK HERE]=
----
</div>
9AM pacific Day Light time

1 (906) 481-2100

942276

= Goals =

Help people connect and to keep the community collaborating.

Moving from "they" to "we" -- Have people feel like they belong to the community, which in turn encourages proactive participation Want people to co-own things.

* Explain the concrete opportunities for involvement.
* Clarifying community process (Identity Commons) for moving forward on things. Want it to get adopted to some extent.

Be a valuable experience for both new and old community members.

* Encourage cross-fertilization
* Get stuff done, but also larger weaving together of things.

More talent at the untalent show.

* Intro to OSIS, marketing messages, state of the industry
* OSIS Interop - Actual interop with sites still up from Barcelona Catalyst Interop, F2F to continue to resolve both interop connections and deeper dive into specific features; plan for RSA 2008 Interop
* Meetings between Relying Parties, Card Selectors, Identity Providers

= Community Axes =

Three axes of this:

* shared language
** shared Map/landscape
* shared values
* connectedness

Would help if people self-identified where they were along these axes.

Customers are confused. industry in a great position to help craft unified message. We surface coherence when it's there (and incoherence). Don't need full alignment.

= Who do we want to be there? =

What is the Unique Value: Direct interaction with the Experts on this subject at IIW
meeting with companies 'leading experts' and answer a lot of questions.

* Product Managers
* Involved in Federated Space
* Vertical Clusters - Health Care, Insurance
* Leading thinkers in this space
* Architects
* People not primarily techies
* Biz dev
* Bloggers / traditional media folks
* People who attended "prematurely" in the past
* Data sharing community

Why aren't they coming?

* Not being publicized through mainstream places.
* Part of the character of the event is that the invitations are in-person. We need to honor this.

What blogs should we publicize through?

* Podcast on ReadWriteWeb (via Sean)

What other events can we be talking about this?

* Gartner Identity Show (November 15?)
* Defrag

Go through previous attendees

* Figure out who they are
* Ask them to invite someone

= Traditions / Rituals =

'''Orientation for people new to user-centric identity''' on the first day. Outlining majore initiatives in the community.
"Where we have come from and where we are at" this will enable people to participate fully in the Open Space on Tuesday and Wednesday engaging in conversations about "where we are at and where we are going."

'''Speed Geeking''' a way to see a range of working products in the community. There are demonstration stations throughout the room. Those not demoing split up into groups of 4-6 and go to a demo station. Then every 5 min move on to a new station.

'''Technical Interop Sessions''' - extended time to just get stuff to work.

'''Open Space Technology''' - We collect proposed topics on a wiki ahead of time but actually create the agenda the day we meet. Those wishing to present write the name of the session down on a 8x11 sheet of paper (landscape) anouce it to the group and place it in the time/space grid.

Eating Dinner Together - sharing a meal and socializing is part of being in the community.

'''Un-Talent Show''' - Since we are a community with many talents this is a great opportunity to share. We invite people to share their real talents - singing, poems, photos, drawings. We also have PPT and real Kareoke.

= 2008b Straw Man Schedule =

=== Monday Introductory ===

Feedback from last time
* Improve the 'what is it and why should I care'
* Have simpler explanations of core elements and explain how they fit together better

''IDEAS''
Kaliya's idea about how to do this - invite Ryan Jassen who is a 'newbie' writing an extensive seriese of posts about the overall landscape and contributing to Starting Points page.

Invite the Enterprise Positioning group to put together an introductory presentation.

Perhaps invite VRM to talk about where there project as it is an application.

=== One Pagers ===

What projects are 'in' the packet?

How is this decided - what are the criteria?

==== All together ====

How do we use this time well together?

What is the big question?

=== Tuesday ===

=== Wednesday ===

''note that the [http://www.datasharingsummit.com Data Sharing Summit]] is happening the following day.''

= 2007a Straw Man Schedule =

== Monday ==

=== INTRODUCTION TRACK ===

2.5 hours

# Shared Language/History
#* Lexicon
#* Laws of Identity + responses

# Identity landscape overview
#* triangle/venn diagram
#* web sso architecture diagram (applicable to OpenID and others)
#* other attempts to map out the landscape
#** event landscape

==== MAJOR PROJECTS - Each puts forward one pager. ====

These will be covered as part of discussing the landscape. There will be a long question and answer.

* Printing: .pdf and wiki form by 11/28 send PDF to Kaliya and Phil.

===== RECOMMENDED OUTLINE for One Pager =====
* What is it?
* What is it designed for/how do I apply it?
* What is the work product / goal / vision.
* How far along is it?
* How can I learn more?
* Who is involved?
* How can I participate?

===== PROJECTS And Proposed authors =====
* OSIS - Dale Olds, Johannes Ernst
** goals
** current status
** work items during IIW
* OpenID - Bill Washburn, David Recordon, Scott K
* Foundation
** technology
** intellectual property
* Concordia - Eve Maler, Mike Jones
* Cardspace - Mike Jones
* Higgins - Paul Trevithick, Charles Andres
* XDI - Drummond Reed, Charles Andres
* XRI - Drummond Reed,
* Bandit - Dale Olds
* ID Trust - Abbie Barber?
* SAML - Eve Maler, Conor Cahill, John Kemp
* OpenSocial?
* ID Commons, Kaliya and Eugene
* The Pamela Project, Pamela Dingle

* Other Initiatives that are relevant to this space and coming to the event.
Add yourself and get your one pager in.

=== Ongoing Working Groups ===

We will have two 90min sessions. 12:45-2:15 and 2:30-4:00.
We would like groups to let us know they want to meet.
These working sessions are only for people who have been to IIW before.

=== WHOLE GROUP CONVERGENCE about 4pm ===

*What Questions were there and have been answered by the community. Kaliya and Johannes will solicit these via a survey/blog outreach. Present what they discover for 15-20 min.

Break into small groups consider.

1) Landscape is changing - what has happened in the last year (Below are examples)

** Social Graph Portability
** OpenSocial APIs: Facebook, Google...
** Is user-centric identity ready for commercial adoption?
** RealID
** Facebook open
** Biometrics emerging in more places (airports, gas stations, grocery stores, school lunches)
** VRM - enabling buyers and sellers to build mutually beneficial relationships
*** Customer backlash: Chevy Tahoe Recall Social Network
** Legal developments (Europe, US etc.)
2) What are the Open Questions for the Community to grapple with

Closing talking about Identity Commons
** show list of working groups
** point to individuals representing those working groups present at IIW
** how you get involved

=== Questions we worked through for Monday Design. ===

Questions that arise
# Is user-centric identity ready for commercial adoption? (this could be a whole group conversation)
#* what is available in the market, and what not
#* business case
#* obstacles and mine fields
# Call to Action: Internet Identity is essential to a free and open social order; what are you going to do about it?
#* Data Protection --> User Control --> Accountability --> Trust
#* Work together to avoid the icebergs; protocol debates are less important
#* Interoperability among heterogeneous systems

Who should talk on Monday?

How do you coordinate with community for meeting needs on Monday?

Goal for Monday is surface coherence. Purpose is to surface shared language. Show progress. How can we show this?

* Collective mapping process.
* common vocabulary
* cross fertilization activity discussion
* Give people a grounding and orientation.
* Intros for newbies -- likely to last several hours; Those who have been through the intro before could have work sessions
* State of the art for both newbies and experts
* Mentorship?

== Tuesday ==

For Open Space -
Articulate different types of sessions -
* Learning/Teaching Sessions (to get folks up to speed on topics/issues)
* Working Sessions

=== OSIS Interop in the Afternoon ===

* Hahn Auditorium
* "BYOR" Bring your own router, Cat V Cables, Power strip
* Speed Geeking opportunity in conjunction with interop demo
* Interop planning session for RSA 2008

=== Untalent Show ===
List your TALENT HERE
*
*
*

== Wednesday ==

Open Space start 8:30 AM this may move to 9AM but not confirmed yet.
Closing

= Participants =
There was an open call for participation in helping to design IIW. There were several conference calls and a cc e-mail list. The following folks participated. This coming IIW we will begin the conversation about the design of the next IIW.

* Kaliya Hamlin
* Eugene Kim
* Phil Windley
* Sean Ammirati
* Charles Andres
* Drummod Reed
* Dale Olds
* Andy Dale
* Johannes Ernst
* Doc Searls

Talk:What are the Business Models of ID Conference

2010-11-24T09:26:10Z

Talk:Attribute eXchange

2010-11-24T09:26:09Z

Talk:Action Card Ideas iiw9

2010-11-24T09:26:07Z

Legal Layer of the Stack

2010-11-24T08:34:30Z

Igiwydijok:

=[http://utugijynure.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=
'''Attendees:'''
* Scott David (Convener)
* J. Trent Adams (Scribe)
* Judith Bush
* Rick Smith
* Julie Martin
* Mawaki Chango
* Mason Lee
* Steve Greenberg

'''Session Objectives:'''
* Overview of concepts relating to legal/technology interfaces of identity
* Identify potential useful work to "Map the Gap" between technology and law/regulation
* Feed session results into a "Map the Gap" event planned for technologists and lawyers in Washington DC scheduled for February, 2010

'''General Discussion:'''
* Linked information systems are "porous"
** it is possible for data to be shared beyond the intended acquisition
* Rapid technical innovation accelerating rate of information exchange
** Law and culture lag behind technology advancement
** Lawyers aren't in the business of predicting the future
** Question of how to manage for "social" stability
* Technology supports what are essentially "social" interactions / transactions
* Business systems (driven by technology) require people to function
* Interactions between people are codified by agreements (convention and contractual)
* Interfaces between people are codified by legal agreements
** "Lawyers are in the people-programming business" - Scott David
* Part of effectively "mapping the gap" involves both technologists and lawyers
* People need to understand both the technologies and laws
** corollary: people need to understand technologists and lawyers
** corollary: technologists and lawyers need to understand people (their needs & wants)
** corollary: technologists and lawyers need to understand each other

'''Identified Needs:'''
* Common nomenclature and/or translation scheme
* Agreements for technology interoperability
* Agreements for data-sharing interoperability
* Guidelines for:
** Effective interaction (technical and operational)
** Violation monitoring / handling
** Mitigation responses
** Dispute resolution
* Identifying cross-jurisdictional issues
* Research & Evaluate Existing International Work:
** Policies and regulations (legal)
** Recommended guidelines (consortia)
** Best practices (technology)

'''Next Steps:'''
* Identify pain points
* Potential solutions for the pain:
** Taxonomy / common terminology across legal/technology gap
** Scenario planning to understand long-range needs
** Simple "test case" solution as starting point
*** E.g. Legal boiler plate defining the Attribution - Authentication - Authorization process in line with OMB 04-04 and NIST SB 800-63

Higgins Cloud Selector

2010-11-24T08:34:28Z

Igiwydijok:

=[http://axuzexy.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
'''Conference [[Notes_iiw8|IIW8]] Room/Time:''' 3/E

'''Convener:''' Markus Sabadello

'''Notes-taker:''' Markus Sabadello

'''Attendees:'''

'''Technology Discussed/Considered:''' Higgins “Cloud Selector” http://wiki.eclipse.org/Cloud_Selector

'''Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:'''

The Higgins “Cloud Selector” is a web-based application that allows you to access and use your i-cards without the need to install anything on your local machine. It uses OpenID Attribute Exchange as a transport layer to move claims and entire tokens around.

It’s useful in situations in which you don’t have a locally installed selector, but it also has downsides such as reduced security and privacy.

The Cloud Selector can operate in different modes.. It can work with any existing OpenID RP, and it can work with special RPs that take advantage of IMI features.

It tries to internally map IMI claim identifiers to OpenID AX and SREG attribute identifiers.

A question came up on whether the same user experience could be achieved by a traditional OpenID. The answer was that this is mostly true, except that the Cloud Selector also offers the possibility to transport entire tokens (as opposed to just simple claim values).

Next steps:
*Improve UI
*Display requested / optional claims to user and let them choose the optional ones they want to send

Activity Streams, Twitter API, Facebook, Open Social, Yahoo! Updates

2010-11-24T08:34:06Z

Igiwydijok:

=[http://ucozisit.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=
'''Conference [[Notes_iiw8|IIW8]] Room/Time:''' 9/E

'''Convener:'''

'''Notes-taker:'''

'''Attendees:'''

'''Technology Discussed/Considered:'''

'''Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:'''

http://activitystreams.pbworks.com/f/1242846192/microformats%20005.JPG

At IIW we met with Kevin Marks and a group of folks to discuss the fact that there are multiple publishers and consumers of activities everywhere and how we can actually get compatible representations so we don't lose the semantics around the entires.

We first detailed the Use Cases for Activities:
*Reading the feed - aggregators for correlation
*Need common representation
*Raising activities (Opensocial , Facebook)
*With popup
*Without popup
*Desktop client pushing updates (activities)
*Writing sematic entries with simple clients
*Ingesting feeds and republishing
*Problems around echoing

We then proceeded to discuss solutions:

What if we ingest activities with the current tool by extending out support for microformats ?
Well the main thing that is missing are the verbs so we can use exisiting microformats and a new microformat which handles the verb
<pre>
<hentry>
<hcard class="author">Steven</hcard>
<span class="verb value-title" title="post">Shouted</span>
</hentry>
</pre>

There is an effort started in the Microformats community to be able to provide metadata to represent activities. See http://microformats.org/wiki/activity-verb-brainstorming

Talk:Legal Layer of the Stack

2010-11-24T08:34:03Z

Goals

2010-11-24T08:33:51Z

Igiwydijok:

Talk:Higgins Cloud Selector

2010-11-24T08:33:50Z

XRDS for OpenID and Information Cards

2010-11-24T08:33:47Z

Igiwydijok:

=[http://ukusypumi.co.cc This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page]=
Convener & Notes-taker: Axel Nennker

'''Technology Discussed/Considered:'''

XRDS, Open ID, Information Cards

'''Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
'''

We should use XRDS (Simple) to let a RelyingParty/OpenIdConsumer/Resource/Service express its needs and the services it provides.

Something along these lines is describes here http://ignisvulpis.blogspot.com/2008/10/information-cards-with-xrds.html

* The relying party (https://xmldap.org/relyingparty/) provides a HTML LINK-rel element in the html code.
* A browser extension finds the LINK element and downloads the XRDS document the LINK points to.
* The browser extension looks for service types it is willing to support
* In the case of Information Cards it retrieve the "policy" of the relyingparty
* If the user now chooses to start the card selector the applicability of a card is governed by the RP policy.
* After the security token has been generated it is send to the RP service endpoint listed in the XRDS document.
This transfers the user's credentials/claims aka "security token" to the RP.

What we should agree on in this session is a set of XRDS types that are suitable for OpenId.

First here are the things for Information Cards:

* http://infocardfoundation.org/policy/1.0/login Describes where the policy can be retrieved.
The scheme in the Uri part of this services SHOULD be https.
* http://infocardfoundation.org/service/1.0/login Describes where the security token can be posted to.
The scheme in the Uri part of this services SHOULD be https.

What is needed for OpenId?

* http://openid.org/policy/1.0/login
* http://openid.org/service/1.0/login

If these two XRDS types are accepted what is the "policy"?

User Managed Access - UMA

2010-11-24T08:33:45Z

Igiwydijok:

=[http://ajycyvitik.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
Issue/Topic: User-Managed Access (UMA)

Monday – Session 3 - E

Convener: Eve Maler

Notes-taker(s): Tom Holodnik

'''Tags:''' #UMA #authorization #user-centric #OAuth #JSON #Python #policy #claims

'''Discussion Notes:'''

For complete details, please see: http://kantarainitiative.org/confluence/display/uma/Home

The protocol flow is described here: http://kantarainitiative.org/confluence/display/uma/UMA+1.0+Core+Protocol

Here’s a friendly overview: http://kantarainitiative.org/confluence/display/uma/UMA+Explained

Session slides: http://kantarainitiative.org/confluence/download/attachments/37751312/IIW10-UMA-May2010.pdf

History:

ProtectServe evolved into UMA.
Last IIW, WRAP was presented; it overturned some OAuth dependencies that UMA had had.

UMA:

Influences:

* policy-decision making
* privacy
* informational self-determination
* data portability
* the "open stack"
* volunteered personal information
* personal data stores

outcomes:

* a dashboard that allows you to control access
* engaged data sharing

* a protocol headed toward IETF applications area
* a set of draft specs free for anyone to implement
* multiple implementations under way
* simple, OAuth-based, identifier agnostic, RESTful, modular, generative (can be used to build more things) and developed rapdily
* targeting delivery as a spec (to IETF) in the August time frame

The players:

* Authorizing user - a web user who config's the AM with policies to control how to make access control decisions)
* Host (protected resource server) - enforces access to the protected resources it hosts
* Authorization Manager (AM) - carries out an authorizing users policies
* Requester - an entity that wants to access the AU's resources

Compare OAuth and UMA models:

* the UMA model is different from the OAuth model in subtle ways; it establishes a contract for access management
* the UMA AM may also usefully be co-located with IdP and discovery

participants:

* there is one resource owner and consumer in OAuth; the UMA user may be granting access to an autonomous party
* resource server respects tokens from its authz server; the host outsources authz jobs to an authz manager chosen by the user
* the authz server issues tokens based on the client's ability to authN; the authZ manager ussues tokens based on user policy and clienams coneryned by the requester

provisioning:

* client and server must meet outside the OAuth context to provision trust; the requester can walk up to a protected reseource and attempt to get access without registering first

dynamic trust:

* the resource server meets its authz server ahead of time and is coupled with it; the authz user can mediate the introduction of each of the hosts to the authz manager we wants to use
* the resource server validates tokens in an unspecified manner, assumed locally; the host has the option to ask the authZ manager to validate tokens in real time

protocol:

* OAuth: get a token, use a token; uma: intro, get token, use token
* user delegation flows and automous flows; UMA: profiles of OAuth flows

relationship with OAuth: based on OAuth 2.

UMA Protocol Details: (reference the links at the top of the notes)

Establishing trust; passing a handle to the protected resources

* could establish trust on first use (TOFU)

Policies:

* unilateral - e.g. allow access for a week
* claims-requiring - "allow anyone access who agrees to my licensing terms" or allow access to someone who can prove themselves to to bob@mailco.com, or allow access to anyone 18 years old or more.

Claims 2.0 are by default JSON based claims that establish attributes about a user; they don't have to be issued by the requester, but they could be issued by an IdP associated with the requester.

Demos and Implementations in progress:

SMART at Newcastle University: This illustrates how to issue and manage simple kinds of claims:
http://kantarainitiative.org/confluence/download/attachments/38371737/SMARTOverview.pdf
http://kantarainitiative.org/confluence/display/uma/SMART+project+user+experience

Christian Scholz: This illustrates how we might create policies and provision access to resources we want to protect with an UMA AM:
Prototype: http://bitbucket.org/mrtopf/uma
Demo: http://host.clprojects.net/

Comment: if the token does not contain information about the resource (and to whom it was issued), it's vulnerable to confused deputy

claims confirmation could be as simple as "confirm that you are over 18" or "confirm that you will abide by the terms of Creative Commons..." - enforceable legally, or could be supported by claims issued through CardSpace/InfoCards, could be a URL of a BBB statement, or a URL pointing to other indepedent assertion of claims.

Talk:Activity Streams, Twitter API, Facebook, Open Social, Yahoo! Updates

2010-11-24T08:33:34Z

Talk:User Managed Access - UMA

2010-11-24T08:33:18Z

Talk:XRDS for OpenID and Information Cards

2010-11-24T08:33:15Z

User talk:Web2.7

2010-11-24T07:58:48Z

Igiwydijok:

=[http://acisabukody.co.cc This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page]=
Publication and redistribution authorised

Web2.7

Launched an open standard for a Universal Naming System on the 28th May 2010.

We have literally solved the problem of internet identity.

The solution is free and open-source.

pURLid.org

Spectrum of Identity

2010-11-24T07:58:16Z

Igiwydijok:

=[http://egebyromedu.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
'''Convener:''' Rick Smith/Kailya

'''Notes-taker:''' Rick Smith, Jeff Vander Clute

'''Tags:'''
Sock puppets, anonyminity, pseudonymity, verified identity, socially verified identity, reputation, social versus technical mechanisms, boundaries, privacy, expunging records, under age

Discussion notes:

Kaliya proposes a range of four types of identities

* Anonymity –
* Pseudyminity – Gamers, visitors to govt sites that aren’t performing actions on personal legal things
** Single site pseudonymity
** “Linked” pseudonymity – using a persona in multiple locations
* Socially verified – Facebook, twitter
* Verified – tied to one person via checking "official" documents

US govt is looking at OpenID and such because there are sites that do NOT want to explicitly identify their users, but wants to provide a customized experience, which in turn relies on an authenticated identity.

“Limited liability persona” – spin off personas that are linked back to you but don’t really pass liability back to you.

Two separate worlds of identity – I buy something on craigslist, I want to see flickr photos, but I don’t need to see the birth certificate.

“There are lots of people who push for assurance in identity want to push for the “verified” range of identity, and that somehow that makes it all work right. But problems persist.

Some people say that ideal identity is tied heavily to the physical person.

Credit card companies used to care about identity. Today they really don’t care that much. Credit card companies find that it’s not worthwhile to focus on it. Instead they only care about transaction integrity.

Sites are one of the boundaries people create – each site provides a boundary within which people create identities. These may or may not relate to identities on other sites.

Google is a terrific platform for traffic analysis – people would ego-surf and find peoples’ blogs who talk about them, rag about them, and produce unexpected and undesired results.

Identity as aggregated reputation - your personal events get posted on the Internet, some disappear and others stay on line forever.

A problem today is that we have no process to expunge information about people before they were of legal age. Your youthful indiscretions may follow you and you might not have a way to recover.

France does not have Yahoo groups. Two laws: hosting child porn is illegal, and if the word ‘private’ appears in a site, then the host company is legally forbidden from looking at the group’s contents. The two interact in a bad way: the sites can’t host ANY groups because there’s no way for them to police possibly illegal groups. Ditto for Nazi things.

There isn’t really a “Real” identity, it’s lots of things. It’s a set of transactions and doings that have the same origin in agency. “On your behalf”

“How do I know that I’m chatting with Joe?” There’s no real way to know. At most you might be able to know that you’re chatting with Joe’s agent.

You have this bundle of things that are your agents (user identities) and bundle of transactions with others, which becomes your reputation.

Yahoo Identities are the toilet paper of the Internet – you use it once and then throw it away.

People and social structures tend to protect their kids effectively. It’s almost impossible to implement these things technically. Yahoo was trying to establish mechanisms for kids to interact with the site with parents’ permission. The parents’ actions tended to produce the right result and the mechanized solutions tended to get complicated and counterproductive.

'''More NOtes'''

Notes from spectrum of identity session

Subjective: The importance of having multiple personas.

Laws of Identity - should be required reading

Limited Liability Personal

Kaliya's proposed spectrum, for the purposes of stimulating a dialogue:
# Anonymity - used once
# Pseudonymity - association is opaque (gamer world, handle reality); gov't LOA 1. We don't want to know who you are and we're not going to let you tell us. Types:
## directed pseudonymity, only works on 1 site, directed OpenId, can't use same pseudonym on multiple sites
## linked pseudonymity, portable to multiple websites, regular OpenId
# Socially verified - Facebook (real), Twitter (persona)
# Verified
# Verified anonymity: e.g. +18 but NPI

IIW long ago stopped debating the philosophical concept of identity and instead chose to focus on Internet identifiers and how they relate to people.

No one wants an identity, but wants what an identity enables.

Like the Heisenberg Uncertainty Principle: The more precisely you know an identity, the less that person is willing to do, so the system loses important forms of value / interactions. Balancing level of identity on the proposed spectrum against desired forms of interaction.

Twitter is a much easier context to understand because everything's public (unless you protect your tweets) except for DMs.

Tests to determine limits of identity, e.g. Does it continue after you die?

Two different worldviews:
# Verify using social means, get the vibe (e.g. Flickr photos)
# Verify using birth certificates

Boo to "Identity assurance". All forms of identification can be gamed when large transactions are in play. So credit companies care about transaction validity not the person.

Shifting boundaries in public-private conversations... not reflected by the technology.

Sites are boundaries that people create.

"The politician and the chess player." "Bill Gates on Quake."

Separation today formed by separate sites, but most people don't realize that pseudonyms are public.

Problem: Not having visibility of the boundaries.

The brain is built to forget things over time. But the Internet is a permanent archive.

Internet identity as aggregated reputation. The history of all you've done online defines your identity.

We don't even have a discussion going about how to expunge. Crimes committed by minors can be expunged from the record, but not online.

Current evil: Graph analysis that collapses identities, which get sold to marketers.

In France there is no Yahoo Groups because of 2 laws: 1) hosting child porn is illegal (of course) and 2) if private appears on the site anywhere by definition the company is not allowed to look at the content for any purpose. Bad interaction between the two laws. Can't monitor for child porn for the purposes of removal.

Cliff: Flaw is to think about identity as a thing. You have lots of identities. The flaw in the frame is that id is not an entity but a set of transactions, actions, and doings that have the same origin in agency (you or your agents that work for you on your behalf). => identity as history. Also things people say about you.

Identity = capabilities + history. Don't just focus on the capability bundles.

The problem with Yahoo ids: Logins, email addresses, and display name are all the same. You should be able to log in with a Google id. Don't deplete the Yahoo name space when only a unique id is needed. 99% of Yahoo ids don't receive (legitimate) email. Display names but not unique ids on the site.

Back to identity vs. identifier. Sometimes I want to use capabilities without providing an identity.

Proposal: Change the spectrum to classify types of activities?

At Yahoo, we found you got more protection with less verification. We want to hide the email address and IM name, but lawyers were opposed. The verified Yahoo id has too much capability attached to it. The better thing for the kid is the social identifier, but not the verified legal identifier. (We fixed the insanity.)

Rules will never substitute for parents protecting their children.

De-Confusing: High Level Overview

2010-11-24T07:58:14Z

Igiwydijok:

=[http://ekygelymib.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=
Session: Day – Number - Space Location Tuesday – Session 1 - E

Convener: Kaliya Hamlin

Notes-taker(s): Aaron Bronzan

A. Tags for the session - technology discussed/ideas considered:

Overview of Identity, Standards Organizations, Acronyms

B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

"De-confusing" Identity (5/18 session 1)
----------------------------------------
"On the Internet, nobody knows you're a dog" (IIW logo)
- Anonymity is important
- But people need the set of tools to be able to represent who they are (at varying levels of granularity/disclosure)

Communities in attendance
-------------------------
- Business
- Enterprise Customer
- Enterprise Identity Management Product
- WebPortals (e.g. Google, Yahoo, MSN, LinkedIn)
- Regular websites
- Government
- Europe, BC, DC
- Standards Development Community
- OASIS (InfoCards, SAML, XRI/XDI)
- IETF and Internet Society (SMTP)
- W3C (HTML)
- ITU-T (phone) and ISO
- "Floaters"
- XMPP - Jabber
- OpenID
- Sysadmins
- Web Developers
- Etc. Etc. Etc.

- Enterprise identity management: Where it all sort of started
- Provisioning/issuing credentials for use of internal enterprise systems
- e.g. username, password, auth token, etc.
- SAML (Security Assertion Markup Language): Directory of employees with specific privileges
- Authorization, or AuthZ (What you’re allowed to do)
- Authentication, or AuthN (The identifier – the username you use, etc.)
- Verification
- Enrollment into system (new users)
- Termination from system (ex-users)

- SAML Federation
- Business to Business sharing (e.g. American Airlines + Boeing)
- Trusting each other's credentials
- Doesn't scale well

OpenID = outsourcing username and password (same "username" or i-name)
- Problem is phishing: Fake forms for OpenID providers
- Therefore, OpenID is designed for low-security transactions

NASCAR problem: Addresses challenge of usability with OpenID (logos instead of having to remember your OpenID URL)

Info Cards
- IDP issues card, or you make your own card
- User selects cards
- Open Source InfoCard Selector repository: Higgins Project
- Send various attributes only, customize the amount of information sent

OpenID + Information Cards = Open Identity Exchange

XRD is Discovery: A protocol for understanding and discovering services

We then went over a bunch of the organizations and how they relate to each other. See Kaliya’s flowchart slides for an overview.

Data Traceability in the cloud

2010-11-24T07:58:04Z

Igiwydijok:

=[http://ycybesav.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
'''Convener:''' Steve Holcombe, Pardalis, Inc.

'''Notes-taker:''' Scott David of K&L, Gates

'''Tags:''' Supply chain, Fragmented, Complex, Federated, Products, Trust, “4th Party”, mandate, industry, government, health, safety, liability, traceability

Discussion notes:

Case study examination of USDA’s declaration of mandating animal identification to livestock supply chains following the 2003 mad cow case, early implementation of a market driven (i.e., profit driven) data identity and traceability system by Pardalis, Inc. for small calf producers, and the subsequent collapse of the marketplace because of USDA’s failure in 2006 to introduce their sought-for mandate.

Lack of products and services provided to fragmented beginnings of supply chains due to lack of data (e.g., no “life insurance” for diseased livestock of small farmers because not enough data upon which to do risk analysis); liability concerns as a driver regarding genetically modified crops and/or allergens; and lost opportunities for selling ag products overseas due to lack of authenticated data traceability.

Correlation of cattle and ag commodities to other product supply chains (lead painted toys, melanine laden food), and leveraging the ‘identity’ movement into commercial supply chains.

Misc.: Further discussed the common need for trusted entities along complex supply chains; possible use of info cards (including conditional access to encrypted, individual data elements); and activity streams.

Using DNS ENUM

2010-11-24T07:58:00Z

Igiwydijok:

=[http://azysijogen.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=
Issue/Topic: Using DNS and ENUM for Identity Management

'''Conference:''' [http://iiw.idcommons.net/Iiw10 IIW10] May 17-19, 2009 this is the complete [http://iiw.idcommons.net/Notes_IIW10 Complete Set of Notes]

Monday – Session 1 - E

Convener: Esther Makaay

Notes-taker(s): Leon Kuunders

'''Tags:''' #ENUM #DNS #domain-names

'''Discussion notes:'''

The mentioning of ENUM in the title triggered a specific response from some attenders. They were interested in what was going on with ENUM and a summary of the developments in the last two years.
However not everyone present had knowledge about the subject, so we started off with a description of Public User ENUM.

With Public User ENUM you can register your telephone number as a domain name. E.g +31 802233445 → 5.4.4.3.3.2.2.0.8.1.3.e164.arpa.
With this domainname, you can publish a plethoria of other contact options, e.g. an e-mailaddress, skype account, SIP account, IM, and many more. Telco's are generally not enthousiastic about this, because it changes their monopoly stronghold (you could circumvene PSTN if you know someones SIP-address).

The domain name isn't registered on a first-come-first-serve basis. Only the person or company using the telephone number is allowed to register the number. The registration is periodically validated against the number and its user.

In The Netherlands, we've seen some use cases emerge that were inspired by ENUM, but drift in a different, identity-related direction. The idea was that if you put contact or reachability data into the domain zone, you could also put other kinds of information in the zone. This could be additional information about the phone number (the domain name) or information about the user of that number.
You could point to a website-URL containing invoicing information or an employee record (with restricted access).

The next step was to think about different domain names. Because you don't per-se need an ENUM-domain, you can do this with any registered domain name. You could work with employeenumber.idm.company.org and only publish the records on your internal network (many companies work with internal DNS servers). You can run your own 'registry' this way.

You can publish information through the domain name, or point to a data source containing more information, like a database, website or server. Although all information in DNS is public, the data source can have restricted access.

Leon is working on a use case to give employees from different departments (physical and organisational) access to each others work environments by working with their employee numbers in a domain name. Since all departments use MS LDAP, it's easy to put that information into the internal DNS servers. The DNS network is already deployed and in use (big overstacked servers that now hardly see any load). Each department can maintain their own information and decide what to publish.

This, as Dave Crocker pointed out repeatedly, shouldn't be called ENUM anymore. ENUM refers to a set of IETF-protocols that are described in RFC 3761 and anything that deviates from this (especially if it deviates this far) simply isn't ENUM. The definition of ENUM should be very precise and there's already lots of discussion going on about the narrow definition (eg in the E2MD IETF wg). Semantics are important!

The conversation dispersed into a broad range of topics, most of them concerning the technology involved.
* Does a telephone number resolve to a person or a place?
* Use a particular reference mechanism from your records (concepts/schema's)
* Business case based on making your IDM implementations more flexible. Also inspired by Phill Windley's “Digital Identity” fourth level of IDM: integrated IDM, IDM is on the infrastructure level.
* Is this mapping to an IP-addres? DNS is based on a string of names. Traditionally it maps a domain name to an IP address, but a lot of its current usage has to do with pointers that do not (directly) resolve to an IP-adress.
* Why not use XRI (discovery protocol)? Doesn't that solve these issues already? But everything already uses DNS. What's the current penetration of XRI? The main advantage is to use the infrastructure that is already there.
* Is the way you get a result from your DNS server rich enough to uses this actually?
* Are domains and e-mailaddress sufficient as an identifier? Most people have multiple e-mail addresses. Why not use iNames as persistent identifiers?
* XRI, XRD, Webfinger → should ENUM be integrated with these discovery protocols?
* DNS calls on the weblayer is that possible? (Javascript sandbox)
* Does this relate to E2MD discussions? → The telephone carriers are talking about adding attributes as well. (Calling party name, number not in use, attributes needed for handling calls via IP on an infrastructure level.)
* What about security? → DNSSEC!
* What about privacy? This depends on your use case, but you should be aware of the public character of DNS and the possibilities to use internal/private networks (like with private ENUM).
* Telnic works with its own references, is this a standard to follow? Again, depends on the use case. Telnic works with TXT records for labels to go with the contact information (eg work phone, mobile phone), uses extra address and naming fields and works with encrypted records for restricted information (only friends can decrypt).
* How can you make sure the identifiers will be unique? DNS will only work when unicity is guaranteed? Domain names are unique on the internet.
* Not everyone has a domain name. Situations differ across different countries in the world. If you don't 'own' your domain name (or a delegation), then you have no guarantee of the availability of the name as an identifier. Has also to do with the maturity of the internet space (eg in the early days, all websites resided under the providers domain). If there is need and usage for owning your own domain, it will happen.
* How does somebody who does not have your phone number find you? people have telephone numbers, e-mailaddresses, domain names
* Laws about portability of mobile phone numbers. There is not such a thing for e-mail.
* Phone numbers are very public, how do you control access to this? You don't (DNS is public), but it's a voluntary registration. It's different from handing out business cards of course, but the DNS is not a database-lookup system. You cannot do “select * from .com where domain like thisname”. You can only look up records with a domain name, not the other way round.
* It would be possible to shield information by using proxies.
* Validation of regular domain names could be helpful for building trust. Validate the WHOIS credentials of the registrant of a domain name. Is this the same as the ex-tended validating from certificate providers? No, those validations apply to SSL-certificates that are used for websites. Validation of a domain name extends to all use of that domain name (eg with e-mail).

The ideas around using DNS and ENUM are very interesting, but since there's so many technical aspects involved (discovery, identifiers, reference-schemes, pointers, usage), it easily gets over-complex and confusing.
In the end it was decided that Esther will (try to) describe the subject in a tight non-technical manner. It should help to simplify the subject if we leave the technology (however interesting) for a later stage.

Are there "standards" for Registering to Call an API

2010-11-24T07:57:54Z

Igiwydijok:

=[http://isiqilujev.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
----
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;">
----
=[http://yzobiwysac.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
----
=[http://yzobiwysac.co.cc CLICK HERE]=
----
</div>
'''Conference [[Notes_iiw8|IIW8]] Room/Time:''' 6/A

'''Convener:''' Angus Logan

'''Notes-taker:''' Angus Logan

'''Attendees:''' Everyone. Lots from Microsoft, Google, Yahoo, Plaxo, MySpace

'''Technology Discussed/Considered:'''
*Being able to automatically register for an API key in 2 scenarios:
*4th party (service provider e.g. DISQUS)
*Developer not present (e.g. the Portable Contacts problem)
'''Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:'''

0) Are &quot;API Keys&quot; / &quot;Registration&quot; required
*Why pre-registration (identify app friendly to consumer, good way to shut off or give more permissions, give stats back re. popular *apps)
*Value add: Statistics / nice UI
*ToS compliance
*Business Model
*Throttling / DoS prevention
*Varying levels of permissions (read/write)
*Who is the developer (contact them for issues etc).
*Can group the API keys together for reasons of blocking etc.

1) Is anyone doing this?
*Google auth sub allows you to work in unregistered (gives you scary screen) (progression from pre-registration)
*Unregistered Oauth for Google Friend Connect (no API keys) pass in the domain (no consumer key)
*OAuth discovery Draft 1 (old and was removed from later drafts)
*Anonymous/Anonymous - developers can use it (solves the barrier to entry, but doesn't have upside of API Keys)
*Facebook do the following: you are on 4th party, and pop a window to get the API key (and secret), and copy/paste it to 4th party, and then 4th party can set the properties using a dictionary.
*Open ID Oauth hybrid has something

2) Is this useful (enough to do the work)
*Doing something like OAuth to create API keys is a no brainer and is coming next
*Focusing on non-developer present creation of the API key is what we are focusing on

3) How will people abuse this functionality?
*Create a ton of API Keys for many phishing sites (to fly under the radar of abuse)
*When an API key gets shut down for abuse, create a new one automatically
*ToS violation (terms of service won't be agreed to)

4) What is the current pain?
*Can't call a new service transparently (PoCo is an example)
*4th party scenarios are tricky (see password anti-pattern)
*Need to update code/config for each new provider
*Can't just copy existing code / use widgets
*Behind the firewall (before you push to production)
*Lifecycle is a dev/qa nightmare
*Similar to certs / b2b problem (agreement of endpoints)
*Barrier for developers who want to party
*This is the password anti-pattern for application developers (e.g. RPXNow)
*Service accounts to get an API Key (need a FB account, or a WLID account
*Prove you own the domain

5) Solutions?
*Lightweight unprotected function which requests some pre defined information and returns an API key. Then when end users go through the flow the experience is taxed (UI chunkiness or rate limited)
*The provider may not know who the consumer is, but the end user may choose to grant permission to them.
*4th party : have an API to create child API keys (FB have done a lot of thinking about JanRain)
*Messina: Provide liberal access to the data/system, and when there is abuse, make the system selfheal (e.g. rollback)
*ToS work around: we need to look at creating the &quot;creative commons&quot; of data exposed via APIs. I.e. the consumer can read the &quot;rights&quot;/&quot;restrictions&quot; around the dataset. Perhaps described as Standardized Terms of Service (is this being looked at by DataPortability) www.sciencecommons.org and www.opendefinition.org. question: will the lawyers be happy with a system accepting ToS?

6) Moving forward
*Things to work on and next steps
*4th party (and 5th party) provisioning of child API keys
*setup and email thread w/ FB and G and Plaxo to riff on this and expand
*Watch what FB does and the feedback, and also socialized what others are looking at
*enumerate all of the use cases and post to wiki/blog
*Walking up to an SP and doing some type of lightweight thing
*Plaxo and G will riff on this and push out a prototype :: lead by Portable Contacts
*enumerate all of the use cases and post to wiki/blog

Talk:Wrozba kreskowa

2010-11-24T07:57:36Z

User talk:Laurel Fan

2010-11-24T07:57:30Z

Are there "standards" for Registering to Call an API

2010-11-24T07:57:23Z

Igiwydijok:

De-Confusion Big Picture

2010-11-24T07:57:15Z

Igiwydijok:

=[http://evicijum.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
Tuesday Session 1 Space E

'''Conference:''' [http://iiw.idcommons.net/Iiw10 IIW 10 ] May 17-19, 2009 this is the complete [http://iiw.idcommons.net/Notes_IIW10 Complete Set of Notes ]

"De-confusing" Identity (5/18 session 1)
----------------------------------------
"On the Internet, nobody knows you're a dog" (IIW logo)
* Anonymity is important
* But people need the set of tools to be able to represent who they are (at varying levels of granularity/disclosure)

Communities in attendance
-------------------------

Business
* Enterprise Customer
* Enterprise Identity Management Product
* WebPortals (e.g. Google, Yahoo, MSN, LinkedIn)
* Regular websites

Government
* Europe, BC, DC

Standards Development Community
* OASIS (InfoCards, SAML, XRI/XDI)
* IETF and Internet Society (SMTP)
* W3C (HTML)
* ITU-T (phone) and ISO
* "Floaters"
** XMPP - Jabber
** OpenID
* Sysadmins
* Web Developers
* Etc. Etc. Etc.

** Provisioning/issuing credentials for use of internal enterprise systems
** e.g. username, password, auth token, etc.
** SAML (Security Assertion Markup Language): Directory of employees with specific privileges
** Authorization, or AuthZ (What you’re allowed to do)
* Authentication, or AuthN (The identifier – the username you use, etc.)
* Verification
* Enrollment into system (new users)
* Termination from system (ex-users)

* SAML Federation
** Business to Business sharing (e.g. American Airlines + Boeing)
** Trusting each other's credentials
** Doesn't scale well

OpenID = outsourcing username and password (same "username" or i-name)
* Problem is phishing: Fake forms for OpenID providers
* Therefore, OpenID is designed for low-security transactions

NASCAR problem: Addresses challenge of usability with OpenID (logos instead of having to remember your OpenID URL)

Info Cards
* IDP issues card, or you make your own card
* User selects cards
* Open Source InfoCard Selector repository: Higgins Project
* Send various attributes only, customize the amount of information sent

OpenID + Information Cards = Open Identity Exchange

XRD is Discovery: A protocol for understanding and discovering services

We then went over a bunch of the organizations and how they relate to each other. See Kaliya’s flowchart slides for an overview.

Talk:Spectrum of Identity

2010-11-24T07:57:12Z

SMART UMA

2010-11-24T07:57:06Z

Igiwydijok:

Proposed Topics 2008a

2010-11-24T07:57:02Z

Igiwydijok:

Talk:De-Confusing: High Level Overview

2010-11-24T07:56:54Z

Talk:Are there "standards" for Registering to Call an API

2010-11-24T07:56:26Z

Talk:Data Traceability in the cloud

2010-11-24T07:56:22Z

Igiwydijok:

Talk:Using DNS ENUM

2010-11-24T07:56:18Z

Talk:Data Traceability in the cloud

2010-11-24T07:56:00Z

Proposed Topics ii9

2010-11-24T07:55:59Z

Igiwydijok:

----
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;">
----
=[http://yjucofi.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
----
=[http://yjucofi.co.cc CLICK HERE]=
----
</div>
[http://www.internetidentityworkshop.com The MAIN IIW WEBSITE IS HERE]

Please list your proposed topics on this page. Feel free to list your name and the day you intent to call the session on.

* '''"The Identity Community"'''
* '''"Identity Shorthand"''' What is it all about? =iname, @twitter, etc. Proposed by [mailto:mgl@netspace.org Mason Lee]

=== What topics are you planning to present about or lead a discussion about at this IIW? ===

''Rough categorization, feel free to improve''

==== Identity Issues ====
* identity issues for support and service
* identity and attention
* Identity and reputation in decentralized/re-centralized commenting (Salmon)
* Browser's role in identity
* The missing pieces of identity; how our terminology is preventing us from solving the big problems.
* When identity doesn't matter
* Identity enabled Cloud Computing and VM

==== Portability ====
* Data Ownership in the Cloud
* data portability
* Portable groups
* Open trust frameworks
* Distributed conversations with distributed identity
* using multiple infocards in a single transaction
* Political activism for portability rights

==== Standards / Technologies ====
* Activity Streams, PubSubHubbub
* OpenID, OAuth, Activity Streams, Government, Privacy, PubSubHubbub, WebFinger
* Enterprise OAuth Evangelism
* Open Stack
* open standards, system and network models for identity, bridging legal and technical approaches, government standardization
* Multi-protocol identity selector, including OpenID
* OpenID 2.1 (Artifact Binding, XRD), CX
* OpenID: single sign-off, handling long URLs
* OpenID, OAuth
* Relationship Cards
* Communication Service Provider as Trusted IdP; eventually with Demo
* Security assurance in distributed authentication

==== Usage / Miscellaneous ====
* gov update
* Could explain the developments in The Netherlands
* Specific VRM projects
* Mostly hear and re-join the community
* linking all the groups working in this area together.
* WRAP
* I'll see whats troubling me at the time

==== User Experience / VRM ====
* Information Card, XRD, unified login experience
* Forget protocols, identity is all about the user
* User Centric ID - what does it mean to users? why should they care?
* User-Managed Access
* [http://ihack.us/2009/11/02/chamberlain-a-user-serving-model-for-identity-management/ Chamberlain: A User-Serving Model for Identity Management] @DrErnie
* Activity Streams, OpenID
* active client/selector
* OpenID, OAuth, OpenID usability
* VRM, User Driven Services, Information Sharing
* VRM - Marketing to BigCo's & consumer buy-in
* Intersection of Mobile and Customer Managed Interactions

=== What are you hoping to learn about or hear a presentation about at IIW? ===

''Rough categorization, feel free to improve''

==== Identity Issues ====

* Identity in the cloud
* direction of internet identity, understanding user behavior, open standards, governmentregulation/involvement
* enterprise identity in the cloud environment
* Legal Angles around identity and data; community efforts around identity control
* Identity Protection
* Identity on the cloud, data sharing, social networking, federation
* Identity Infrastructure
* Identity Services for the Cloud
* levels of assurance at registration, eGov
* trends in identity
* Places where Identity does matter

==== Portability / Privacy ====

* Data Portability TOS and EULA project
* Google's Data Liberation Front
* "Identity 2.0, ""new"" user experiences derived from new forms of identity, interoperability of identity 2.0"
* Public/Private Identity and Profile
* Privacy and XRD,
* openid, active client, privacy, convergence
* Progress on user-centric IdM, Privacy-enforcement by IdPs

==== Standards / Technologies ====

* oauth, openid, saml
* progression of OpenID, OAuth
* affiliated OpenID (company, club, etc)
* OAuth/OpenID integration, Identity consolidation in general
* PubSubHubbub, OpenSocial
* Identity in XRI, WebFinger, XRD service-type registries, InformationCards
* XDI, RDF, Linked Data, UMA
* activitystreams
* Activity Streams
* Current state of unification in ID2.0
* OAuth
* OAuth session extension, RDFa, Microformats, Activity Streams
* OpenID: new XRD discovery? webfinger integration?
* SAML, OpenID, OAuth
* connections between openID formats (vidoop & google, not OR)
* OpenID 2.1 + new/updated extensions
* How OpenID and i-cards work together

==== Usage / Miscellaneous ====

* Governance and policy
* Progress with use of user-centric identity in context of US government initiatives.
* How to push some intitiatives forward
* Real world concerns about attacks on identity
* Broad interest, bio models, international issues, relationship of commercial and government sector, interim steps, effect of health care standardization on identity
* Driving adoption of identity solutions
* everything identity

==== User Experience / VRM ====

* Supply Chain Logistics Using Identity
* ideas for increasing individual control over duration, type and content of stored persona data
* Looking to develop an immersive understanding of the ID space.
* identity applications in business... making it work.
* OAuth, OpenID user experience on mobile devices
* Future of OpenID user experience
* How consumers can own and control their identity

=== What are the critical questions about user-centric identity you hope to discuss with peers at IIW? ===

''Rough categorization, feel free to improve''

==== Identity Issues ====

* coexistence of enterprise identity and personal identity in the cloud
* Identity in the context of personas
* relationship cards & trust models
* Bridging different institutional identities
* verifiability
* Whether we need a different model for identity
* The state of identity security, revocation, and recovery
* What is identity and how do we use it?
* what the future looks like.
* context
* Government recovery money for better identity?

==== Portability / Privacy ====

* How do we balance privacy and assurance?
* How to solve inter-domain identity management from a technical and business perspective.
* balancing organizational security and regulatory concerns with individual privacy concerns
* Achieving privacy without compromising convenience
* Best practices for RPs when using identities & users rights in protecting use of their identity
* maintaining privacy in e-commerce transactions
* privacy, phishing protection
* Which functionality makes sense for user-centric , privacy-respecting IdM
* balance between privacy and user preference discovery

==== Standards / Technologies ====

* when will these standards be able to support valuable transactions?
* Why activity streams is doomed
* OAuth, OpenID user experience on mobile devices
* Identity persistence, Short-names, XRD/DNS NAPTR compatibility, reputation systems
* How can we accelerate adoption of open standards
* adoption and IMI specification refinement
* Trust Framework
* Required vs. Suggested elements of a portability policy template
* Kantara - how does it support existing initiatives
* delegation of authority, use of multiple cards
* How OpenID and i-cards work together

==== Usage / Miscellaneous ====

* Supply Chain Data Sharing
* What is the minimal amount of technology that needs to change to enable identity 2.0 for consumer services, and what (if any) are different to enable hosted enterprise solutions
* How can we codify terms of sharing for information provided by individuals to online services?
* How to make companies interested in participating.
* Encouraging greater use of user-centric identity (OpenID) within the education community for research and learning and in the context of UK government services.
* Business Models
* How to drive adoption of identity solutions
* Shame and guilt as enterprise motivators

==== User Experience / VRM ====

* How can simple interfaces be constructed, how can we help resolve individual and system interests
* "What parts of ""identity"" aren't user-centric?"
* Openid and quality of registration
* Customer managed interaction marketing systems -- how they can succeed
* usability

Developing a Secure Discovery Based Messaging System

2010-11-24T07:55:58Z

Igiwydijok:

=[http://ipelasuq.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=
'''Conference [[Notes_iiw8|IIW8]] Room/Time:''' 5/?

'''Convener:'''

'''Notes-taker:'''

'''Attendees:'''

'''Technology Discussed/Considered:'''

'''Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:'''

Is Assurance Real?

2010-11-24T07:55:52Z

Igiwydijok:

=[http://yxylepo.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=
'''Convener:''' RL "Bob" Morgan

'''Discussion notes:'''

'''Identity Assurance Frameworks:'''
* OMBO4-04
* E-Auth - CAF
* NIST-800-83
* TFPAP
* ISAP
* Kantara IAF
* InCommon IAF

'''Challenges for universities to achieve level 2:'''

* Need to evaluate if employees' and students' has been properly validated / verified.

* Possibility that an unknown university service collects creds in the clear. Nothing stops someone from publishing an unencrypted web form that binds against the university LDAPS or Kerberos system.

* Cost: assurance = money. Fundamental problem: IDP bears the cost, but the RP gets the benefit.

Social Consent

2010-11-24T07:55:39Z

Igiwydijok:

=[http://awibuky.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=
'''Convener:''' Angus Logan + Kevin Marks

'''Notes-taker:''' Sarah Faulkner

'''Tags:''' UX, Consent, OAuth, Delegation,

'''Discussion notes:'''

Questions:
* How is it done today?
* What must we tell the user?
* What, Why, How Long, To Who
* How does that get communicated?
* When do we ask them to choose?
* Duration of consent? (one time vs. long time)
* Can a user consent to their friend’s data (e-mail address in contact list)?

'''Notes:'''

People are not going to read the text; they may not understand they can opt-out. We need to do the right thing with user’s data assuming this rudimentary understanding of consent.
* Maybe we’re not doing the right thing (facebook apps using user’s info in ads).
* Therefore, are there use case clusters that make sense?
* Cannot expect user to understand the architecture – are we asking users to make decisions they cannot make?
** Users understand their data and they understand the company they are given to. But does user understand the risk?

What is the rate of actual acceptance vs. users who decline consent vs. users who bail because they don’t understand – do we have data from currently live UI?

Minimal upfront consent: initial consent flow allows minimal access to data. When service wants to use the next level (post, etc.), the user is asked again to give a higher level of consent.
* But confirmation dialogues are a failure – “undo” works much better.
* Progressive escalation model – allows revoke consent (helps combat streams vs. snapshot data like e-mail).

Reputation trust model – on consent flow, you see friends’ accept/revoke info.
* Need to be careful about when you surface info collection to make sure you have a good sample (i.e. feedback field only on “revoke” page).

Need a best practices document for OAuth UI
* Existing advice: Overview of OAuth user experience article -- Search:“OAuth Goog”

'''Problem:''' can lose options – you may want to only share a subset of data, there is no “one size fits all.”

RP’s asking just at the time they want to use data can give context to the user.
* Websites are not going to want to continually interrupt the user. But it may be in the website’s best interest to not ask for everything up front, because it will scare the user.

What is the ideal experience?

*We assume that the user has a classification system where they understand where to place the app. Users are unsophisticated in who to trust.

Websites consuming data really wants users to understand what they have granted; they do not want to scare users when they do what was “consented.”
* Give the app a way to explain what they are using the data for.

Data retention policies?
* Consumer groups are asking for this; if we ignore it, it will most likely be regulated.

'''Facebook:''' going to give developers access to e-mail address. Want to give developers more trust that the relationship developing with the user will not just go away. RP’s need a way to continuously interact with the user.

UX:Minimal, reversible, understandable, expandable

Classify the application for the user: explain that the partner is a “gaming” application, so they would like to have the following information.

Have the user create their own categories of data. But this will lead to a negotiation between the user and the site – users are not informed to know whether they really want to give that permission.

Asking user “real time” – what if user is not there to give consent?

Consumers do not understand the value exchange they are getting.

Paper at SOUPS (available on website) – only thing that consumers read are nutrition labels (presented privacy policy that way and users read and understood). When requesting information, present it in this manner for max understanding.

Elgg

2010-11-24T07:54:59Z

Igiwydijok: