See also: IRC log
<trackbot> Date: 09 June 2010
<MacTed> paul, is that 416 number you?
<paul> I'm on a 781 number
<tlr> 781.416...?
<rreck> are we meeting?
<rreck> me too
i'm having trouble getting in too
<tlr> the UK and FR lines seem to have issues, yes
<rreck> afk
<hhalpin> Mischa - can you scribe?
<hhalpin> scribe: danbri
is the log loggering?
<hhalpin> PROPOSED: to approve minutes from June 2nd meeting.
<hhalpin> http://www.w3.org/2010/06/02-swxg-minutes.html
<hhalpin> +1
+1
<hhalpin> RESOLVED: approved minutes from June 2nd meeting
danbri regrets for next week (Notube f2f project meeting)
<hhalpin> Next Meeting: Distributed access control languages for privacy providers, MIT on AIR and PrimeLife on XACML
hhalpin: run-thru of final report
actions
... we had several regrets
... mischa started an etherpad draft
<hhalpin> melvster: share etherpad with the rest of the group?
<melvster> one sec
<melvster> just dialing in
<melvster> sure!
<melvster> *work in progress* http://openetherpad.org/Ea4YsoZGeU
hhalpin: i didn't make much progress on gap analysis
any prog on use cases?
<hhalpin> http://openetherpad.org/Ea4YsoZGeU
(i dropped some messy notes into etherpad but not done much yet)
(welcome Paul...)
<hhalpin> http://www.slideshare.net/ptrevithick/swxg-201069
ok i won't scribe things that are in the slides
<hhalpin> http://www.slideshare.net/ptrevithick/active-clients-and-pd-ses-4452852
who joined?
<hhalpin> Paul, do you wish to begin?
Paul: Harry asked for a few thoughts on state of Identity industry. Hard challenge!
<hhalpin> So we are on first slide-deck, i.e. http://www.slideshare.net/ptrevithick/swxg-201069
Paul: identity hard problem as perceived differently in different communities
... language varies by community; it 'obviously' means x to some, something quite different / richer to others
<bblfish> hi
Paul: some call that more advanced form 'claims based' identity
... you don't necessarily need to identify a person to have an interaction
... some see authorisation as primal, identification as secondary
<melvster> bblfish: http://www.slideshare.net/ptrevithick/swxg-201069
Paul: most of us tend to drop the word entirely due to these kinds of confusion
... i was looking yesterday at privacy aware Web definitions, use of 'publisher', ... have to get over these kinds of terminological problems
... - requirements vary by community
... idea that different people are trying to solve slightly different problems
... why do we look at this so differently?
... idea of levels of assurance, eg. NIST's 4 levels
... how much can relying party depend on strength of some assertions
... some need levels of assurance > 1
(hmm this? http://en.wikipedia.org/wiki/Identity_Assurance_Framework#Assurance_Level_Criteria )
<hhalpin> NIST levels are interesting...
scribe: challenge here, some feel that anything > 1 is irrelevant, uninteresting
... that perspective driven by high volume, low value social web transactions
... those on higher level (payment, govt) sometimes feel like 'long tail' cornercases
<hhalpin> but the high-volume transactions can eventually get need higher NIST level, i.e. binding payment to your social networking account ala Payswarm
scribe: also eg yesterday talked w/ national cancer institute re sharing medical records
... also Verified vs self-asserted attributes
... much socialweb stuff is just asserted by end users
... other scenarios (reputation systems, payment systems), ... some people / communities will look at these requirements and say 'no thanks'
... eg. equifax can issue 'bearer of assertion is > 21 years old' (but we'll reveal nothing else about them)
... a lot of probs around protecting children are around lack of verified 3rd party assertions of attributes
... also req: need to aggregate from multiple different providers
... for high volume / simple sites, this isn't a problem
... other use cases, you distinguish even from an ID provider and an attribute provider
<hhalpin> attribute provider/identity provider an interesting distinction.
scribe: you can not have to keep authenticating but can aggregate attribs [missed]
[slide 5 now on slideshare]
scribe: linkability
... this makes perfect sense to some, but too much for others
[see kim camerons laws of id ... re deployable systems]
... you can agree / disagree, but this is the landscape of [lack of] consensus
"Some uses cases require high assurance and unlinkability (and sometimes even offline presentation of security tokens)."
submarine example; disconnected from 'net but need to auth things internally
scribe: a lot of discussion lately re levels of protection
... converse of levels of assurance
... could we get to a world where user is a party to digitally signed contract
... it's released to relying party, but the rp is bound not to resell
... for that to be non-repudiable, need ... [missed detail, sorry]
... concern that lately too much emphasis on crypto
... some control, but also more on accountability, in everyday life
<bblfish> zakim aaee is bblfish
scribe: so there are only prototypes of tech currently that can handle this
... again these are just examples of why this [consensus] is hard
... hard to build something universal, addressing all requirements
... ie. this talk might be considered something of an apology for lack of progress given the energy/effort
<hhalpin> no apologies needed paul, there is clearly progress being made and the problem is hard!
scribe: several communities
Identity Commons (2005) http://idcommons.net
scribe: distinguishing open / user centric id folk from enterprise / proprietary world (of which i know little)
IIW is the (intense, 3 day) hub of this world
scribe: OpenID Foundation (2007) http://openid.net
[ is http://community.livejournal.com/lj_dev/683939.html the 1st openid spec btw?]
scribe: internal competition within openid now
... different groups, perceive problem sets differently
... Qs: what is the openid foundation? a broad church or an advocacy org for one particular protocol?
dataportability? DataPortability.org (2007)
scribe: struck a nerve re user control
Information Card Foundation (2008) http://informationcard.net
scribe: began around ms cardspace and oasis IMI, ...
... "Next generation: Integrated with the browser. Consistent UX across protocols including: un/pw, OpenID (to reduce phishing), IMI (legacy), and OpenID V.Next, client side certs (perhaps)?"
... that foundation also at a crossroads
... is more emphasising active clients
... found some issues w/ active clients
esp requiring a download, and insisting on a single unifying protocol
scribe: soul-searching and next gen work
... moving beyond single protocol
making it 'better with'
Kantara (2009) - http://kantarainitiative.org
scribe: kinda interesting
... analysis couple years ago, interviewed rigorously many from ID scene
... under NDA
... to make a new org
... they [we] concluded that we have moved into a cross-protocol era
... needed a pulling together of a number of these disparate communities
... was then the old liberty alliance, saml work
... which was a response to hailstorm/passport
... also openid appeared
... 3 tech groups appeared
... to some extent it's an unrealised objective
... strategically it's right
... Kantara replaced liberty alliance
... and working on some crosscutting stuff
( also new ones this year )
a joint board, infocard and openid(?)
scribe: discussion of what's missing, usability vs specs
... role of biz agreements that allocate liability
... joint sales efforts
... obama team wanted to open govt up and use commercial ids from industry
... catalytic effect
... govt said we like openid, but want also stronger assurances, info card stuff, ... but hey we're just a customer,...
... big enough that got attention of those 2 foundations, who self-organized and stopped quibbling
... in some way stopped competing a bit
... united front to the federal govt, and said 'whichever, we see the fed govt won't enter into commercial relationships w/ for example paypal, yahoo, google, whoever... unless there are certifiable properties, privacy characteristics, audits, ...
... understand liability, ...
... caused spontaneous creation of the Open Identity Exchange (OIX?)
scribe: so they joined forces to form that
<Zakim> danbri, you wanted to ask how messy patent situation is (what is feasible royalty-free?)
(patent talk later)
kantara and others ... corporate sponsors, + leadership council
(i missed some detail)
<hhalpin> likes the community members and corporate sponsor model, maybe that could work for the w3c
oidf and icf ,... same governance model, blender board, 1 member one vote, community members outweigh
scribe: re participation, indivs and companies can join, but $100 for an indiv, in some cases $25
... in terms of how openly they operate, that could be debated
... theoretically, all open to all
... but strong interpersonal relationships and personalities are in many cases more the driver of what happens than the formal structures
... has to be seen to be believed
... this is not something like w3c or oasis
... kantara is most formal/structure, icf more, openid foundation
they all have public archived mailing lists
all 3 have private board lists
vast majority of everything is public
last one, Xauth, is interesting ---
--- it's a way to personalise the login situation
scribe: if you only have an unmodified browser, you show up with a fresh browser it can't be customised
(forgetting the CSS History hack :)
scribe: school of thought that says 'browsers don't know who you are ...
... nor who your preferred attribute/identity providers are
... hence the 'nascar problem', long list of logos
... so a tyranny of the mega-brands
... so relying parties put facebook/google/yahoo at the top
... which has a somewhat perverse effect
... xauth says with html5 and some tricks, we can hack a way for the relying party to learn what someone's prefs are
... shorter list
... these are ways to work around an architectural problem
... which is that browsers don't know who you are
... slide 7 http://www.slideshare.net/ptrevithick/swxg-201069
... openid 2.0 (legacy openid)
50k sites and growing, relying parties
scribe: q is where we go from here
openid has a number of problems
3 key
1 - OpenID-AB [Attribute Binding] - http://bitbucket.org/openid/ab/wiki/Home
Proposed by Nat Sakimura and others in early 2009
scribe: has not had much attention yet
2 - OpenID V.Next
(discussed last fall and this spring at IIW)
v.Next codename for whatever happens
in May, OpenID Connect proposal from David Recordon (and social Web friends)
all these 3 are breaking changes
not backwards compatible
scribe: I don't yet see how this is going to get resolved
... openid connect is 'get a spec out there ... let's just do it!'
... caught some ppl by surprise
... openid community is trying to figure out a way fwd thru all this
... I hope the earlier slides set some context for this
... and difficulty in agreeing even common requirements
Slide 9 -
personal opinion -
scribe: we can't stop creation of new protocols
... open, etc
... what happens a lot is much reinvention
... come up with stuff, don't see what came before
... do something quick/dirty that solves some problems now
... then start making it more robust
... realise it isn't 80% solution, but 45%, ...
... then someone new jumps in
... natural cycle of reinvention
... yesterday/last-night investigating webid [ie. foaf+ssl]
<bblfish> I'd say WebId being based on the semweb, in one protocol that can then bind all of them together.... One can bind in OpenId for example. (not sure about the others)
scribe: looks like it would solve some fraction of use cases, has nice characteristics
... but partial solution
... not clear how much things will converge
... or how much analogy with email, where Internet email eventually dominated
... i note that whenever we build something new that gets used,
... it is out there and not going away
... and that username + password could easily stay dominant for 10+ more years
... we have learned things
... users don't care
... they want something that makes sense to them
... ux is the key to them
... if you go to an RP and say 'this is great tech, saml no infocard no openid no ...' the RP will say 'well, we have to support at least username/ password .. and i'll have to link the accounts ...'
<bblfish> (note on above there is work integrating WebID with SAML in Manchester, with SOAP in University of Southampton...)
scribe: so the RPs live in a necessarily multi-protocol world
but our communities don't organize in those terms
scribe: eg create a common apache module
... this is a structural problem
[ very interesting! --danbri ]
scribe: communities eventually say 'oh we have overlap, need to blend things ... '
... attempts to say 'here is an active client, eg. ms cardspace'. ... it just didn't work
... to use the solution, you needed 'this thing', the right version with your OS, download it if needed, need to be on windows, etc etc
... so the idea that active clients needed for system to work
... a nonstarter
... always this locked down enterprise computer, library kiosk,
... person can't install plugin, upgrade a pc, etc ...
... so lately active client ppl have a 'better with' approach
... ie. it works normally but is 'better with' the addon (whether an ng-browser, or addon)
... ppl look at 'open identity community' and they see a swirling churning mess of people putting down each other's stuff, partial penetration, etc
... and they say 'ok, let's wait for this catfight to calm down'
... status quo, is do nothing, use a proprietary thing, if username/password don't do it
... with 1 exception: facebook connect, picking up a lot of use across Web
... they have an id tech plus attributes
... last pt: the identity community, with all these nonprofits, is not structurally in a good place to solve needs of the marketplace
... couple of specific points re socialweb
... identifiers and user experience
... my perception
... in beginning, was 'type in your openid URI'
... rough consensus: not working
... they understand it only as for pages/info
... doesn't work on ppl
... they understand email addresses
... so openid said 'click on a button'
... but measured results were higher conversion rates
<dsearls2> Hey Dan, all. It's Doc.
scribe: with benefit to those at top of list
see link for logs, doc
<dsearls2> ok
paul: 'people get that', re use of email
... end-user re-education is a huge issue
... and now with xauth we can personalise the nascar icon list to something more manageable
... best we can do short of active client
... slide 12:
<oshani> dsearls2, here's the slides: http://www.slideshare.net/ptrevithick/swxg-201069
attribute schemes
scribe: there are so many of these things, so much overlap, ...
... if you start taking view from biz point of view, that relying party is key, ... you want that to be easy as possible
too many schemas makes RP's life hard
<Zakim> danbri, you wanted to ask how messy patent situation is (what is feasible royalty-free?) and to
[other deck]
can you scribe harry?
<rreck> thanks for your presentation, it was very informative
<hhalpin> scribenick: hhalpin
danbri: any patents in identity scene?
... any idea how messy situation is?
paul: it doesn't get talked about that much
... varies by organization depending on structure
... we try in ICF and Kantara to have IPR rules
<danbri> (w3c history - eg see http://www.w3.org/TR/P3P-analysis )
paul: we can tell that things happen just willy nilly
... not developed in a structure and not necessarily ideal
... pretty confusing to me
... hard to know what's lurking out there, esp. with OpenID
danbri: if we wanted to get something in all the browsers
... could we get those vendors to commit to RF-status?
paul: I work in this Eclipse Higgins project
... so our patent reviews are pretty good
... an explicit license is being given to contribution
danbri: relevant specification, go back to paper trail to see how the W3C developed its patent policy
paul: not sure re specs
<scribe> scribenick: danbri
<melvster> paul: awesome job
<bblfish_> ?q
<bblfish_> heh
<Zakim> tlr, you wanted to ask whether Paul sees any chance for the identity work to move into less willy-nilly space, eventually
tlr: thx for the talk, paul
... in your answer to danbri's impossible q, you sounded mildly frustrated
... re work happening in a 'willy nilly' way
... see any chance for that to fix itself over time?
paul: for full disclosure, ... there is a project 'bingo' towards consolidating a number of these efforts, back into a more structured but broad church
... where the church is about consistent messaging/marketing/ipr, not tech
... my personal bias is that we would do better to come up with a broad base consolidating a number of these
<dsearls2> Think big tent instead of church.
paul: but saying that i can hear friends of mine like dave recordon, chris messina, saying 'we can just hack it...'
... but when the recession came, they took jobs at big companies
... so now when they say it you have to consider the source, they work for google, yahoo, facebook etc
<bblfish_> Hey, I am unemployed now!
<dsearls2> Dave works for a different big co every year.
<bblfish_> so you can trust me :-)
paul: you always have to figure out what's personal view, and what [not wanting to say something unfair here] ... looking at openid connect, ...
... could be perceived as a retrospective stdisation of fb connect
<hhalpin> theres also Google FriendConnect
<hhalpin> i.e. FriendSense :)
paul: some aren't so concerned for the crypto
... and oauth hardcodes rather a lot
... so i'm somewhat at a loss to predict what'll happen
<Zakim> hhalpin, you wanted to ask about browser integration and w3c
harry: a lot of discussion talking more now about browser-based integration
... w3c has some work there w/ html5, ... and w/ big browser makers
... discussion before re w3c involvement has focussed on its membership model which can be seen as exclusive
... do you think w3c could have a role w/ one or more foundations, to see if some mature tech here could go into new browsers?
... possibility of stdisation (at format level? more w3c's thing than protocols which go better at ietf)
... if so, what to do about the number of these foundations?
<rreck> got to go, thanks again
harry: trying to appreciate things on a tech level, and figure out what kind of a role might make sense for us
... eg. browser aspect, html5 etc happening
paul: I think now is a great time
... things are at a crossroads in most of the foundations
... kantara, oidf, ... [missed last acronym]
... dan based on your comments last week, i've mentioned to others there might be a new actor [=w3c] to consider
<dsearls2> ICF... Information Card Foundation
paul: there is sort of this feeling that, from the californian web kids' perspective, ... that w3c isn't relevant but browser folk are, ... if you get mozilla to build this stuff in, that's the way to go
... and html5 is a part of the equation
... more discussion about getting this into browsers [ie, firefox, chrome] than html5
... but that's not to say there's nothing discussed there
<hhalpin> also notes two years ago I was talking about OpenID with Hixie at TPAC :)
paul: 2 years ago, w/ david recordon, relying party metadata stuff should be in html5
(thx dsearls2)
scribe: my personal belief, that w3c thru html5 angle, a great place to advance this idea of active clients, ID in the browser, ...
... has in past been a lot of outreach from w3c on these things
... in past, ID folks also tended to talk amongst themselves, but not have strong links to browser world
... speaking for info card foundation, definitely interested
<tlr> paul, I'd be happy to help with that sort of discussion from the W3C side
scribe: and kantara, new chair...
(tlr, can you put that in audio, don't know if paul reading irc)
<tlr> happy to
paul: some will be wary of even more institutionalisation
... there are threads, eg. 'if the openid foundation doesn't do it, we'll just do it'
tlr, these days we are shying away from joint work with the ietf ...
scribe: in the sense of a group simultaneously belonging to both
... however we are doing much more heavily coordinated work with them, and it is going pretty well
<hhalpin> The IETF does make sense for OpenID connect, unless OpenID Connect feels like its need browser integration or the W3C RF Patent Policy
scribe: re paul / infocard, ... i'd be happy to help from w3c side
... can take it to email and see where it goes
bblfish: thx for mentioning webid
...
... there has been work on linking that with SAML (from manchester), with [missed, SOAP??] from S/hampton
... because semweb is an abstraction of all syntaxes that it is a perfect foundation for integrating all these different pieces; you can map anything into the sw
[any format at least? -- dan]
scribe: so you can see semweb as a glue for all these pieces.
tlr, url for diagrams?
paul: I understand, and happen to think semweb and linked data have a bigger role to play in future in identity ...
<Zakim> hhalpin, you wanted to ask about ostatus
<tlr> q0
hhalpin [asks about ostatus]
paul: it absolutely is related
<hhalpin> ostatus framework hooking up to OpenID/WebID/etc.?
paul: these 2 worlds have to come together in a coherent way
... ostatus stuff has to come together in a coherent way
... with the identity world
... some admirable things happening via 'small pieces loosely joined'
... ostatus is a great example of that
... but if we step back and say 'lets look at it from ux perspective' [as we're doing in new kantara group]
... moving beyond simple login, ... it is about sharing, things like ostatus, ... how do you make this understandable, coherent, simple?
... what i've found, the need to knit things together becomes self-evident, and the gaps in the available technologies become clearer
lately am trying to be ux first, tech 2nd
<hhalpin> linked data has a fairly hostile user experience :)
scribe: so there i think we need to think about ostatus, and about updates to linked data too
paul: good to be here forming some bridges
... diplomacy and tact may be undervalued in some community, but it's the only way we'll make progress in the bigger picture
<tlr> Thanks, again, Paul for joining!
+1, thanks Paul :)
<paul> My pleasure
<melvster> thanks paul, awesome call
<bblfish_> thanks, very much
<bblfish_> great talk
<hhalpin> trackbot, end meeting
<paul> Thank you all. I look forward to continuing
Present: MacTed, Thomas, +1.781.416.aaaa, +1.218.296.aabb, paul, rreck, hhalpin, danbri, oshani, +1.510.931.aadd, melvster, +1.510.931.aaee
Agenda: http://lists.w3.org/Archives/Public/public-xg-socialweb/2010Jun/0010.html