User-Centric Identity - Where is it, how we got here and where is it going? An interview with Kaliya Hamlin

25 October 2007, 2:00 PM EDT

For O'Reilly, Kaliya wrote "identity is no small matter. It lies at the core of who we are as social beings. There are many ways to think about what identity is, such as: how we define ourselves (self-assertions), how others see us (facts about us), and what others think about us (our reputation)."

In this interview Kaliya will take your questions about the status of shared identity systems, especially OpenID; the work being done at the Identity Commons; and how communities can leverage these resources. Ask your questions now and then join us live on 25 October 2007, 2:00 PM EDT.


Transcript

Brett:
Kaliya, does openID help prevent identity theft? Are these concepts related at all?
Kaliya Hamlin:
Yes in a particular way.
It doesn't solve 'identity theft' in the way portrayed in the media - people getting critical facts and identifiers for you - and by knowing these things they can pose as you and make transactions in your name.

The kind of 'identity theft' that OpenID can play a role in preventing is 'handle theft', if you will. Currently, if I use the same handle on many sites, say PURPLEFLOWER, then I become known for using that name and when people see it they associate it with me. Yet another social networking service opens up and someone else decides to register the username PURPLEFLOWER on that website and begins posting 'as if they were me'; all of a sudden things are being associated with me, or at least with that online identity, that are not mine.

OpenID provides a way to do distributed web wide SSO.

If I use an OpenID, an identifier [=purpleflower] unique to me across contexts, then people know it is 'me', not just someone pretending to be me because they got my handle before I did in some new social service. I am the only one who can authenticate the password on that identifier, so it must be 'me', the "real" purpleflower.

Just so you see what some different kinds of OpenIDs can look like...
1) from an identity provider such as myOpenID http://purpleflower.myopenid.com or using your AOL screen name http://openID.aol.com/purpleflower

OR 2) a personal i-name =purpleflower

OR 3) my own URL http://www.purpleflower.com that I put in some lines of code to redirect to an Identity Provider that does authentication OR I can put my own OpenID server on my box and do the authentication myself.

Looking into the future, there are tools and systems being developed in the Identity Commons community that could address identity theft issues; these include the Higgins project. We are working on developing the concept of identity rights agreements to make EULAs more understandable. There are also new concepts like the Identity Oracle and the Limited Liability Persona being developed by Bob Blakley and the Burton Group that could help address the underlying structural issues that cause identity theft.

A good book to read to understand the structural issues of data collection, storage and sharing that cause identity theft is The Digital Person by Daniel Solove, and two papers by him: A Taxonomy of Privacy and A Model Regime of Privacy.
Brett:
Why did you start thinking about online identity issues? What brought you into this topic?
Kaliya Hamlin:
I went to the first Planetwork conference in 2000. They got to thinking about this topic because they posed the question: how could environmental groups (and then the people connected to these groups) work together via the web to address their common challenges? At a meeting in 1999 there was a predominant answer, "JOIN MY BIG PORTAL", but this didn't really work: competing portals, there is 'not just one', and if there was 'not just one', how could real collaboration happen? Empowering people, the people who are part of multiple groups, with their own identities and having protocols of interoperability (standards) would be a way to get around the dilemma of everything being disconnected (different username and password everywhere) OR only having one big portal.

A community called the Link Tank met for 18 months in 2000-2001 and out of that came the Augmented Social Network: Building Identity and Trust into the Next Generation Internet. It was published in 2003. I had been attending monthly Planetwork Forums and learning about tech projects including pre-Friendster social networking sites. I was at the time thinking about how to support spiritual activist networking together but on independent autonomous sites (not one big site for 'everyone'). I got identity and became an evangelist for this paper and its ideas. I worked for the first Identity Commons for 9 months beginning in June of 2004.
Jim Cashel:
Hi Kaliya -- a second question and I'll leave you alone. As a consumer, I keep some profile information on LinkedIn, some on Facebook, and a smaller amount on various other sites (such as credit card information at Apple). Is it likely that a year or two from now there will be one place where I maintain this -- or is it more likely (or am I better off) if it is more fragmented than that?
Kaliya Hamlin:
Yes.
I think in the next couple of years you will see tools for managing and updating information like your blog address or phone number that you want to be current in multiple places. Market/consumer pressure to adopt open standards to manage this would help speed this process. Being fragmented should be a choice (having a different work life and personal life persona, for example), not enforced by the fact that standards are not there to get things to work together.
Jim Cashel:
Hi Kaliya: Forum One now runs two community sites, one for kids and one for online community professionals. Should we be using OpenID or some standard technology now? What will we be almost certainly using 18 months from now?
Kaliya Hamlin:
OpenID will be in use 18 months from now. It already is in use.
Jo Ryden:
Hi Kaliya - where do you see the main obstacles in the adoption of OpenID; is it mainly on the provider and integrator side, or do you mostly see it in end-user skeptics staying skeptic even as OpenID is promoted and pushed on a wider basis by providers?
Kaliya Hamlin:
With any new standard that relies on network effects to bring value (fax machines only work if there are other fax machines to send faxes to), OpenID needs adoption of two things: OpenID providers (places where people get OpenIDs from and authenticate them at) and OpenID Relying Parties (websites where people can use OpenID to log in). This is the classic chicken and egg problem.

Which comes first, relying parties or OpenID providers? This problem is being solved in an ingenious way: large banks of OpenIDs are being enabled. Every AOL screen name is an OpenID and all of LiveJournal's blog URLs are OpenIDs, creating a population of 160 million OpenIDs. What is also true is that most of those people have no idea they have an OpenID - YET. This potential user base and commitment by large providers means that more websites have confidence to invest in becoming Relying Parties because they know there is a real user base that is currently latent but will eventually (within the next year) become active.

A large issue for end-users is security and the phishing hole: you must trust the redirect from the Relying Party to the Identity Provider. Many smart folks are working on the answer and it involves 'brains on the client' to help ensure users are not entering their password into a site spoofing their identity provider. CardSpace from Microsoft is an example of a tool that helps prevent this problem.

I am not sure how else you think they are 'skeptical'.
Denise:
Does OpenID have sufficient security for use on children's sites?
Kaliya Hamlin:
OpenID can be used anywhere and has the same security issues everywhere, primarily the phishing issue articulated in the previous question.

OpenID does NOTHING to validate the identity of the person using an OpenID identifier. A person can have dozens of OpenIDs that are 'theirs'.

Having said this, there are companies working on products and business models that would, as a business, provide COPPA compliance services with OpenID identifiers. They will verify parents' identities and give them the power to manage their children's identities online, thus helping sites come into COPPA compliance with a distributed system: once verified, the identifier could be used on many sites rather than each site having to take on this sort of burden to be in compliance.
Bill Johnston:
Are there tools and standards available to help corporate communities support community member data portability?
Kaliya Hamlin:
Yes, but they are not fully 'there yet'.
There are two basic approaches. One is to take existing available one-off APIs and hack things together; this is the 'get it done now' approach, and Marc Canter is a big champion of this way.

The other is standards for distributed data at OASIS in the XRI and XDI technical committees. La Leche League International is actually using these protocols to manage personal data across multiple loosely linked sites. The Higgins Data Model and the tools it is building are evolving. They are very early in development at version 0.8. Large companies are participating in their development, including IBM and Novell.
Bob Robertson-Boyd:
Can you talk to the issue of identity management and identifiers in URL/URI strings? Is there a need to disambiguate between authorizing domains for OpenIDs?
Kaliya Hamlin:
I am not sure I fully understand your question.

Identity Management in the traditional 'enterprise' definition is Provisioning (a new employee comes on board and needs to be given access to systems) and Termination (an employee retires or is fired and must have access to those systems ended).

OpenID is about identifiers, using URLs/URIs or XRIs/i-names. Any domain name can be an OpenID if it is enabled with an OpenID server that does authentication.
Sandy:
Clients often ask for single sign-on "without having to log in again", but OpenID forces you to not only type in an identity with a relying site, but then authenticate or verify an authenticated session with an identity provider. What work is being done to ensure that a user can go to a provider or relying site, log in, and then ever after have every site that uses OpenID "know" who the user is and that she is who she claims to be without any action on the user's part? So if Alice goes to example.com, she logs in there or at provider.com, then she goes to secondexample.com and she's still logged in without having to type alice.provider.com?
Kaliya Hamlin:
It depends on the settings of your Identity Provider. It is currently normative practice for a user to authenticate with an OpenID as follows:

user goes to example.com
example.com has an OpenID login box
user types in OpenID http://jane.provider.com
example.com redirects Jane to provider.com
provider.com asks for her password
she types it in
it is correct and
she is redirected back to example.com and is logged in

user goes to another site secondexample.com
secondexample has an OpenID login
she enters her OpenID http://jane.provider.com
secondexample.com 'redirects' to provider.com
provider.com says back to secondexample.com: http://jane.provider.com is already logged in.

User is logged in without seeing the redirect.
Bill Johnston:
What is a reasonable migration path for corporate communities using closed ID systems based on their community platforms (Jive, Lithium, etc.) to OpenID?
Kaliya Hamlin:
I don't know what the 'best' way is. I think there are several approaches.

First of all, enable their platforms to accept OpenID for login, i.e. become a Relying Party. This first step helps participants active in online communities around topics to weave their personas together. All activity about Sony or whatever the topic doesn't happen in just one place online. Trust across contexts sharing the same user base can grow because of OpenID; see the first question about identity theft.

They can enable their platforms to be OpenID providers. Give every user name the ability to be an OpenID.
Mukund Mohan:
User-centric identities = single point of failure. This is my counter opinion. I don't trust one place enough to have everything be controlled by it.
Kaliya Hamlin:
So this issue is one folks have talked about: how to create distributed redundancy. Not sure what the answer is; we do seem to have a web that works even though most websites exist on 'one server' and have 'a single point of failure'.

OpenID and other emerging technologies are not about having 'everything in one place' or being controlled by that place. They are about giving the user choice and control they don't have now by having their identity divided up into hundreds of pieces (each website with a different user name and password).
Dave Witzel:
Kaliya, what events and resources do you recommend for people to 1) learn about user-centric identity and 2) promote adoption?

Thanks
Kaliya Hamlin:
Identity Commons is the community hub, so there is a lot of activity happening there. In the coming months I am going to be working on how to improve the 'on ramp' for new folks. The sidebar of my blog is a good resource: http://www.identitywoman.net. OpenID.net is great for both end users and developers. There is an aggregate blog on identity, http://www.planetidentity.org, and on OpenID, http://planet.openID.net. The Internet Identity Workshop that I co-produce and facilitate, Dec 3-5 and May 12-15, should be good. David Recordon and others like Simon Willison are doing a good job of evangelizing adoption.

They have several good slide presentations on SlideShare.net:

http://www.slideshare.net/daveman692/openid-bootcamp-tutorial
http://www.slideshare.net/simon/implications-of-openid-google-tech-talk
Kelly:
Hi Kaliya. After all of these years, why have the proprietary identity systems such as Microsoft Passport failed to become more universal?
Kaliya Hamlin:
Exactly.
Proprietary identity systems are not adoptable on the open web. It is why they fail and why people will not adopt them (as individuals or sites putting the code in).

An open standard that is distributed and decentralized is the only way; this is what OpenID is and why it is succeeding.
Dave Witzel:
Hi Kaliya. Just to confirm your answer to Jim. You are predicting that OpenID will be "the standard" in 18 months? Are you putting money on that?
Kaliya Hamlin:
It already is 'the standard'; it is not fully adopted yet.

Things shifted dramatically about a year ago when it went from "if" to "when". Having been involved from the beginning of this effort I have a good sense about this.

More on "if" to "when":
It started out as a small group of startup companies fiddling with potential identity protocols (OpenID v1, LID, i-names and Sxip) collaborating on Yadis, which then all became OpenID v2. This shift happened and built enough momentum for AOL to adopt, for Bill Gates to announce on stage at RSA last year that they were working on supporting OpenID in CardSpace (the phishing-resistant login client they have developed), and for other large portals to seriously consider the protocol (let's just see who makes announcements in the next few months). Just last month IAC (InterActiveCorp, Barry Diller's company: Ask.com etc.) adopted it, with Bloglines supporting it. You have over 160 million OpenIDs, and the estimated number of relying parties is around 6,000 as of mid-way through September, growing by around 1,500 per month as seen by one OpenID provider.
Dave Witzel:
Kaliya, that's all the time we've got for today. Thanks so much for joining us!
Kaliya Hamlin:
Thanks. Feel free to contact me.
skype:identitywoman
AIM:kaliya@mac.com
e-mail:kaliya@mac.com
