User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

User-Centric Digital Identity September 23 presentation to Computer Science and Telecomunications Board National Academies by Kaliya Hamlin @identitywoman http://www.identitywoman.net kaliya@identitywoman.net Internet Identity Workshop http://www.internetidentityworkshop.com Friday, September 24, 2010

Where does my personal inspiration about user- centric digital identity come from? Building Identity and Trust into the Next Generation Internet asn.planetwork.net Friday, September 24, 2010

Who am I? IDENTITY GANG! Internet Identity Workshop formed in 2004 iiw.idcommons.net www.internetidentityworkshop.com Friday, September 24, 2010

Broad Base of Participation SMALL COMPANY BIG COMPANY SPONSORS SPONSORS NONPROFIT SPONSORS MSFT FuGen Solutions ISOC PingID OUNO Kantara/Liberty Alliance CORPORATE PARTICIPANTS SUN Rel-ID Info Card Foundation Paypal Facebook Poken OASIS IDTrust Booz Allen Hamilton SMALL COMPANY Google Vidoop Mozilla Apple PATICIPANTS Yahoo Chimp Higgins Project Cisco Burton Group Authentrus Ångströ Bandit Project Hewlett Packared Digg, Inc. Plaxo Sxip Planetwork International Business Machines Privo Internet Society Commerce Net Intuit ClaimID Expensify Adobe LexisNexis FamilySearch.org NONPROFIT BT Nippon Telegraph and Telephone Corporation FreshBooks PARTICIPANTS Novell Nokia Siemens Networks Gigya Center for Democracy and Facebook NRI Gluu Technology AOL Oracle Janrain DataPortability Project Ping Identity Orange Kynetx IdM Network Netherlands Paypal / eBay Rackspace NetMesh Inc. OCLC Radiant Logic Protiviti Open Forum Foundation World Economic Forum Sony Ericsson The MITRE Corporation IETF Socialtext TriCipher, Inc. UNIVERSITY PARTICIPANTS Tucows Inc VeriSign, Inc. W3C Trusted-ID Wave Systems Goldsmiths, University of London Newcastle University Stanford University Vodafone Group R &D Alcatel-Lucent OASIS Six Apart Acxiom Identity Solutions Acxiom Research GOVERNMENT PARTICIPANTS Equifax Office of the Chief Informaiton Office, Province of British Columbia LinkedIn Amazon and more... Friday, September 24, 2010

Unconference Format Friday, September 24, 2010

Friday, September 24, 2010

Talk Outline What is User-Centric Digital Identity (including how it arose in contrast to non-user-centric identity) Technologies have been developed to date OpenID, Information Cards, XRD, OAuth, UMA, SAML Emerging: The Personal Data Ecology Friday, September 24, 2010

What is Digital Identity? http://www.digital-identities.com/ The »Gestalt« of digital identity http://www.ﬂickr.com/photos/wertarbeit/3825274153/in/photostream/ Friday, September 24, 2010

Identifiers Claims Single String Pairs Identifiers link things together A claim is by one party about and enable correlation. another or itself. It does not have to be linked to They can be endpoints on the an identifier. internet. Proving you are over 18 for example and not giving your real name. Friday, September 24, 2010

What is User Centric Digital Identity? Big Co. Web 1.0 Web 2.0 Friday, September 24, 2010

What is User Centric Digital Identity? Friday, September 24, 2010

The Identity Dog Represents 2 things: * Freedom to be who you want to be * Freedom to share more speciﬁc info about yourself that is validated Friday, September 24, 2010

What is User Centric Digital Identity? Friday, September 24, 2010

Freedom to Aggregate Friday, September 24, 2010

Freedom to Disaggregate Friday, September 24, 2010

Freedom to Disaggregate Friday, September 24, 2010 X

X Why does User Centric Digital Identity Matter? http://www.fullenglishfood.com/?p=799 Friday, September 24, 2010

Buddhist in Tennessee http://religions.iloveindia.com/buddhism.html http://wwp.greenwichmeantime.com/time-zone/usa/tennessee/map.htm Friday, September 24, 2010

Women having the freedom not to present as women. Why James Chartrand Wears Women’s Underpants http://www.copyblogger.com/james-chartrand-underpants/ Friday, September 24, 2010

Real world examples of women managing different personae from She’s Geeky conference. 1) Live Journal Friends 2) Professional ID 3) Feminist Identity 1) Me linked to real name 2) Spiritual 3) Gaming 1) Totally Professional on Domain, GMail, LinkedIN 2) Social but me on Facebook 3) Spiritual under pseudonym on Live Journal Friday, September 24, 2010

Goofy Habits or Hobbies Friday, September 24, 2010

Freedom of Expression personal and political Friday, September 24, 2010

Freedom of Action Teachers being able to drink Young people free to socially when in own time. explore themselves BLIZARD WoW in game ID vs “RealID” change this comes from not having all contexts linked together Friday, September 24, 2010

How do people “get” User Centric Digital Identity today? Hack it together with handles from web mail providers or on a service like Twitter Friday, September 24, 2010

How do people “get” User Centric Digital Identity today? Hack it together with handles from web mail providers or on a service like Twitter Challenge with e-mail addresses as identities the communications token is the “ID” Friday, September 24, 2010

How do people “get” User Centric Digital Identity today? Hack it together with handles from web mail providers or on a service like Twitter Challenge with e-mail addresses as identities the communications token is the “ID” Google proﬁles Yahoo! proﬁles Friday, September 24, 2010

How do people “get” User Centric Digital Identity today? Hack it together with handles from web mail providers or on a service like Twitter Challenge with e-mail addresses as identities the communications token is the “ID” Google proﬁles Facebook Yahoo! proﬁles LinkedIn Friday, September 24, 2010

Freedom to not be “erased” under TOS What are our rights in these commercial spaces governed by Terms of Service? How are we “citizens” in private space? In physical life we have protection of our physical self - people will be prosecuted for harming us. What is the equivalent in online spaces? Friday, September 24, 2010

How do people “get” User Centric Digtial Identity today? Identiﬁer side: Claims based side: Almost impossible. Own their own domain name. Little relying party adoption (Places where 3rd party Have a blog? or self generated claims Run an openID server? will be accepted) Little client side app adoption Friday, September 24, 2010

Why have we have yet to succeed? It is a REALLY hard problem set to solve for, User Centric Digital Identity that is: 1. open standards based 2. the scale of the internet + other digital systems 3. that people ﬁnd usable 4. that they understand 5. that is secure 6. it requires emergence of new social behavior 7. and changes business models & norms Friday, September 24, 2010

Isn’t just a technical problem TECHNOLOGY SOCIAL ? BUSINESS LEGAL Friday, September 24, 2010

We are still the make the vision real Are we succeeding! with particular protocols with various levels of adoption. Friday, September 24, 2010

What were User Centric Digital Identities ideas arising in response to? Friday, September 24, 2010

These reasons were covered in the above Corporate mediated ID (Facebook LinkedIn). Desire to have online world map to how ID works in physical world - selective disclosure. A Bazillion different accounts. Identity is socially constructed not institutionally issued. Friday, September 24, 2010

Corporate Issued IDs from employers http://www.smartdraw.com/blog/archive/2008/09/04/four-ways-to-make-your-org-charts-more-useful.aspx Friday, September 24, 2010

Corporate Issued IDs for customers frequent ﬂier http://usresident.com/ customer number health insurance number Friday, September 24, 2010

The claim there is no separation between online and ofﬂine life Friday, September 24, 2010

Participants in the Federated Social Web Summit. Pre-Open Source Convention July 18th, 2010, Portland, Oregon, USA Friday, September 24, 2010

Protocols are Political It gets to the heart of what it means to have a civil society, how we organize together. The choices made in creating these architectures now will shape the future. http://www.treehugger.com/ﬁles/2010/07/thousands-of-undiscovered-plants-face-extinction.php http://www.moviecritic.com.au/your-favourite-cinematic-dystopian-future/ Friday, September 24, 2010

OR Friday, September 24, 2010

What is the context for people gathering? “We’re trying to build a social layer for everything.” - Mark Zuckerburg Friday, September 24, 2010

Freedom of Movement and Assembly Freedom to group and cluster outside commercial silos & business contexts. Friday, September 24, 2010

Freedom to Peer-to-Peer Link Freedom to determine how the link is seen by others Friday, September 24, 2010

How can people and groups be ﬁrst class objects on the web (and other electronic networks)? Friday, September 24, 2010

User Centric Digital Identity is the: • Freedom to Aggregate • Freedom to Disaggregate • Freedom to not be “erased” under TOS • Freedom of Movement and Assembly • Freedom to Peer-to-Peer link & the Freedom to determine if the link is seen by others Friday, September 24, 2010

Transition to Technology Section Friday, September 24, 2010

Text Text + ? Can you have both? Friday, September 24, 2010

OpenID 101 (identiﬁer) Friday, September 24, 2010

OpenID has a Ton of Issues • security • no payload - identiﬁers are not enough • people donʼt understand format URL • people donʼt have their own domains • often 3rd level domain • Nascar Problem • ADOPTION • Namespace issue - “solved Facebook” Friday, September 24, 2010

Users take actions on your site Users come to your site to consume your unique content. They take Connect actions like commenting, reviewing, making purchases, rating, and more. Users share with friends, who discover your site With Facebook Connect, users can easily share your content and their actions with their friends on Facebook. As these friends discover your content, they click back to your site, engaging with your content and completing the viral loop. Social features increase engagement Creating deeper, more social integrations keeps users engaged with your site longer, and more likely to take actions they share with their friends. (For example — don't just show users what's most popular on your site, but what's most popular with their friends on your site.) Friday, September 24, 2010

Proposal for OpenID Connect The response is a JSON object which contains some (or all) of the following reserved keys: • user_id - e.g. "https://graph.facebook.com/24400320" • asserted_user - true if the access token presented was issued by this user, false if it is for a different user • profile_urls - an array of URLs that belong to the user • display_name - e.g. "David Recordon" • given_name - e.g. "David" • family_name - e.g. "Recordon" • email - e.g. "recordond@gmail.com" • picture - e.g. "http://graph.facebook.com/davidrecordon/picture" The server is free to add additional data to this response (such as Portable Contacts) so long as they do not change the reserved OpenID Connect keys. Friday, September 24, 2010

Information Cards (claims) informationcard.net Friday, September 24, 2010

Managed Cards Come in two Flavors “Phones Home” Doesn’t “Phone Home” Government Employee issued ID Issued age veriﬁcation the employer sees where used just like a drivers license in the real world Friday, September 24, 2010

Veriﬁed Anonymity (U-Prove) Friday, September 24, 2010

Information Cards have a ton of issues: • Relying Party Adoption • why shift to claims from identiﬁers • Where are the libraries and tools for Relying parties • Client Download Required • New User Experience • What are Active Clients and How do they work • Risk & Liability Models are Unclear • If a claim is validated and it is untrue who is liable Friday, September 24, 2010

More Technologies Friday, September 24, 2010

XRD (the most successful standard arising from user centric ID community that you have never heard of) Friday, September 24, 2010

Discovery = Patterns + Interfaces + Descriptors Friday, September 24, 2010

Evolution of Discovery XRDS --> XRD-Simple --> XRD (within XRI spec) Friday, September 24, 2010

Application of XRI/XDI Friday, September 24, 2010

OStatus isn't a new protocol; it applies some great protocols in a natural and reasonable way to make distributed social networking possible. • Activity Streams encode social events in standard Atom or RSS feeds. • PubSubHubbub pushes those feeds in realtime to subscribers across the Web. • Salmon notifies people of responses to their status updates. • Webfinger makes it easy to find people across social sites. Friday, September 24, 2010

OAuth Friday, September 24, 2010

User Managed Access Friday, September 24, 2010

SAML SAML has two parts used in higher education 1. Authentication 2. Proﬁles Friday, September 24, 2010

Big Challenge Protocol Interop Friday, September 24, 2010

Big Challenges RP adoption at scale. Integration/adoption of active identity clients ("identity-in-the- browser") and/or cloud identity services. Addressing the gap between what these protocols do (federated authentication, authorization, and simple third-party claims transfer) and what the market really needs (compelling solutions built on top of these tools that integrate other key components like personal data stores). Harmonizing all of this with government policy and initiatives like US ICAM and NSTIC and UK Direct Gov open identity requirements. Friday, September 24, 2010

ICAM and NSTIC Portable trusted Identities for government. With the ability to use commercially vetted identities to interact with government. Reading NSTIC there is the potential to have veriﬁed anonymity be part of the ecology. Friday, September 24, 2010

Trust Frameworks / Policy Repositories Open Identity Exchange Policy Repository Levels of for Auditors Levels of Assurance Protection Trust Frameworks Identity Providers Relying Parties ICAM John Google Relying Party Steensen OCLC PayPal Other Relying Party Auditor PBS Kids Equifax Other Auditor Yahoo! XAuth Friday, September 24, 2010

The next frontier PERSONAL DATA Friday, September 24, 2010

Generating More Data than Ever I put on The Big Data Workshop April 23, 2010 http://www.bigdataworkshop.com Friday, September 24, 2010

Less Control Than Ever Friday, September 24, 2010

Can people control the ﬂow of data about them from: 1.Self to others? 2.Self to institutions? Friday, September 24, 2010

Do you have a copy of what you put out on the web? Implicit and Explicit Data More and more digital devices collecting more data Friday, September 24, 2010

We should have our own picture of our “digital selves” or digital projection. Questions: • How do we get it (the picture - the data)? • Who do we trust to manage it? • How do we get insight into it? • What is the legal protection it is afforded? Friday, September 24, 2010

Who you are and what you care about should not be the possession of someone else. Friday, September 24, 2010

Time/space stamping You can reconstruct who it is without PII attached to it It makes the technical architectures matter more and the legal frameworks critical. Friday, September 24, 2010

Personal Data Store Ecology Open Standards based Personal Data Stores with people, groups and businesses as ﬁrst class objects. It will include full data portability and a range of services. Friday, September 24, 2010

Personal Data Ecology Friday, September 24, 2010

Project VRM - 4th Parties http://bit.ly/VRM4thParty Friday, September 24, 2010

$ APPLICATIONS EXCHANGE REFINEMENT STORAGE ID + ENCRYPTION DATA + META DATA DATA SOURCES Stack for Personal Data Banks & Personal Data Exchanges by Marc Davis (from IIW10) Friday, September 24, 2010

Higgins Project XDI Stack Persona Data Model 2.0 XDI Based Uses card metaphor Supports Link Contracts Linkable dictionary of terms RDF based Standardized at W3C No user interface develoeped Standardized at OASIS API’s XDI, OAuth, (soon) Activity Streams, PubSubHubbub, SPARQL Young project code is just starting to be published on 5+year old project the web. are there others? Friday, September 24, 2010

Vision and Principles for the Personal Data Ecosystem by Kaliya Hamlin • Dignity of the Individual is Core • Systems Must Respect Relationships • Remember the Greatness of Groups • Protocols that Enable Broad Possibilities are Essential • Open Standards for Data and Metadata are Essential • Defaults Must Work for Most People Most of the Time • Norms and Practices in the Personal Data Ecosystem Must be Backed up by Law • Business Opportunities Abound in this New Personal Data Ecosystem • Diversity is Key to the Success of the Personal Data Ecosystem http://www.identitywoman.net/vision-principles-for-the-personal-data-ecosystem Friday, September 24, 2010

PDX Principles by Phil Windley user-controlled federated interoperable semantic portability metadata management broker services discoverable automatable and scriptable http://www.windley.com/archives/2010/09/pdx_principles.shtml Friday, September 24, 2010

As a community we are working on making the Personal Data Store Ecology. Friday, September 24, 2010

Questions • What will be the open standards for data and metadata? • What will be the legal frameworks for individual protection (do you have to get warrant to search)? • What will be legal framework for individual protection and freedom to remove data from services? • What business structures can hold ? • How is any of this going to be usable? • How will data be protected, encrypted, etc.? • How will people be able to store keys? • What will be compelling reasons for adoption? • Can industry make money and give user more control? • How will the network work based on identiﬁers AND not have everything linkable?.... (ISOC is thinking a lot about this) Friday, September 24, 2010

Questions • What is the right architecture for distributed groups? • How are e-mails not the basis of all “social” transactions? • How do mobile carriers participate in the personal data ecosystem? • How do target populations have their needs met in the design of these systems? • Women • Sexual Minorities • People of Color • How are mechanisms for the peer production of governance at the core of these systems? • What to do about the namespace issue? Friday, September 24, 2010

Questions • Can we make active clients usable? • What are the defaults in these systems? • How do we get away from cookies to give personalized services? • What do user-agents do? • How do user agents make contracts for the user • How are the data streams made available for agent based services model? Friday, September 24, 2010

I invite you to the next IIW November 2-4, Mountain View, CA Meet the community, learn a lot, and ask them what would be helpful research questions to consider. http://www.internetidentityworkshop.com Friday, September 24, 2010

Thank You! Kaliya Hamlin @identitywoman http://www.identitywoman.net kaliya@identitywoman.net Friday, September 24, 2010

User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies

by Kaliya Hamlin on Sep 24, 2010

Accessibility

Tags

Upload Details

Usage Rights

2 Embeds 55

Statistics

User Centric Digital Identity, Talk for Computer Science and Telecommunications Board, National Academies — Presentation Transcript

http://www.identitywoman.net	54
http://paper.li	1