Now that I’m done doing those three articles I need to update the .ppt and go shake some trees for $1.5M in funding to pay for our pilot Digital Bureau and basic build out.

Meanwhile…

Lots of great stuff happened at the OpenID UX summit. Now I can’t wait til the Open Standards Stack roadshow hits the road to bring the message to normal people.

Indeed the usage of social media aggregators are useful in a niche scenario - but most people don’t have the need for an aggregator - that is ONLY an aggregator. So that says to me that social media aggregation is a feature, not a product!

Toyota has a branded channel on Tweetmeme - nice!

Great advice from Joel on how ot use your company blog - about something BIGGER than yourself.  How ’bout your product and it’s category?  Show off your expertise and people will think your product benefits from that expertise.

Products are finally coming out of Microsoft’s research labs

I wonder if Anil Dash or Gina Tripani asked Dave Winer if they could use the title “Think Tank“. Some of us remember….

Liquid Computing R.I.P. - I know of at least one company which uses Liquid Computing which is benefiting on the short term…..

Apparently Akamai is finally lowering it’s prices!

10 upcoming deals in on-line video

Killer Rube Goldberg rock video

Open Source SaaS - that’s kind of what we do

Setting up a base public account with git

Salmon Rising

Streetline, Dropcan,

Apparently it’s nearly five years since I first wrote about this and now it finally seems we might get to use selective disclosure.

I’m not going to re-iterate what selective disclosure is good for and apparently my friend Ben Hyde has spared me from the need to be cynical, though I think (I am not a lawyer!) he is wrong: the OSP applies to each individual specification – you are not required to use them in the context of each other.

So, for now, I will just celebrate the fact that Microsoft has finally made good on its promise to open up the technology, including BSD-licensed code. Though I guess I will have to inject one note of cynicism: a quick glance at the specification (you can get it here) suggests that they have only opened up the most basic use of the technology: the ability to assert a subset of the signed claims. There’s a lot more there. I hope they plan to open that up, too (how long will we have to wait, though?).

Share This

Over the weekend I took a quick stab at what a new draft of an OAuth 2.0 spec would look like. I don't have a lot of normative text but wanted to share what I was thinking about in terms of the specification's structure and technical inner-workings.

This comes out of the survey from two weeks ago which Peter Saint-Andre summarized as there being consensus around:

• OAuth 2.0 taking aspects from both the 1.0 and WRAP specs/drafts with a preference toward the WRAP draft
• we should go back to working on a single document
• OAuth 2.0 should support signatures as a mechanism for making requests

Documents involved:

1. OAuth 1.0: http://tools.ietf.org/html/draft-hammer-oauth-10
2. WRAP: http://tools.ietf.org/html/draft-hardt-oauth-01

Combined document structure:

My goal is that sections one through four are not more than fifteen to twenty pages combined.

0. Abstract

1. Introduction
1.1 Acknowledgments
1.2 Terminology
1.3 Notational Conventions

2. Getting an Access Token
2.1 Web App / JavaScript Profile (in browser)
2.2 Rich App Profile (can open a browser)
2.3 Device Profile (no browser, should be like the Netflix flow)
2.4 Username and Password Profile
2.5 Client key and secret (not in the context of a user)

3. Refreshing an Access Token

4. Accessing a Protected Resource
4.1 Using SSL
4.2 Using a signature

5. Security Considerations

Abstract

OAuth 2.0 provides a method for an application (Client) to access the Protected Resource hosted on a server on behalf of a Resource Owner (such as a different client or an end-user). It provides a process for end-users to authorize third-party access to their Protected Resources via a variety of Authorization Profiles which generally do not include having to share their credentials (typically, a username and password pair). A server can additionally delegate authorization to one or more authorities (Authorization Server) which issue Access Tokens to Clients.

Introduction

• This section should provide a longer description of the protocol flows and the evolution from OAuth 1.0.
• The terminology should be based on updated OAuth 1.0 terminology which is already close to the WRAP terminology as well. We should err on the side of more generally understood terms.
• Both OAuth 1.0 and WRAP contain fairly complete introductory sections. I think that the WRAP one is a bit too long and we should shoot for this section being a little over two pages (including terminology).

Getting an Access Token

• This section really comes from WRAP. I believe that a server MUST implement at least one of the profiles to be considered OAuth compatible.
• The updated OAuth 1.0 spec could also be useful for more complete language around the Web App Profile though we should also draw from Luke Shepard's JavaScript profile (which needs updating). I believe the main difference is the security characteristics.
• While the SAML assertion profile has been in WRAP, I haven't seen strong advocates on the mailing list or in the survey for it. Does someone want to argue for keeping it? Could it be drafted as a separate profile from the core spec?

Refreshing an Access Token

• In WRAP this functionality is described along with each individual authorization profile. Some profiles require the client id and secret though not all of them. In terms of writing more reusable code I imagine that implementors will write a single refresh_token(client_id, client_secret) function so breaking this out into its own section will be easier to implement.
We could either require the client id and secret for all profiles or keep them as optional for some profiles. Personally I lean toward consistency.

Accessing a Protected Resource

• This section is really a combination of WRAP and OAuth 1.0. SSL support will be a MUST and signatures will be optional.
• Bearer tokens (even short lived) without using SSL or signatures feels like a poor idea, but given the WRAP draft it seems like the security teams at Google, Microsoft and Yahoo! are all comfortable with doing so? Given that we'll be adding signatures as an option do we still need unprotected bearer tokens?
• The SSL section basically copies directly from WRAP section #4. It's about a page and a half and really easy to implement.
• We need to agree on the signature method though there is a lot of normative text in the OAuth 1.0 spec to draw from. OAuth 1.0 is about three pages of text assuming people are happy with the mechanism; it would be good to simplify as much as possible.
• We're missing an access token secret, but I'm wondering if we can treat the refresh token as the access token secret since it's only sent over the wire via SSL?
• Alternatively we could modify the refresh token request to let the client specify that they'd also like an access token secret for that request. This seems like the right way of doing it.
• Both break the idea that the API endpoint doesn't have access to secrets, but the deployment scenarios I've seen discussed as wanting signatures (at least Facebook and Twitter) won't be separating their architecture anyway.

Security Considerations

• I'm the wrong person to write this section.

Misc

• Rename parameters to oauth_

If I were to spend some time over the next week or two drafting this spec would folks generally be supportive of it? If not, what would you change so that you could be supportive of it?

One of my goals is getting OAuth 2.0 to the point – fairly quickly – where we can start to architect the next version of OpenID on top of it. WebFinger + OAuth 2.0 + identity would be sweet and finally give us a consistent story for both authentication and authorization. I'd love whatever help I could get with all of this as well!

Cross posted to the OAuth IETF mailing list

Jump to 4:15 into this video.  Julius is touring the broadband project they’re doing in SF.

I wonder if he’s seen my three articles:

- Digital Cities and fiber connectivity

- Digital Cities and why I moved to Northern Ohio

- Digital Cities and the virtuous circle of training and volunteerism

My old buddy Tim Pozar is involved in getting fiber optic into public housing units - in SF!  I wonder if he’d move here to Cleveland?

This week's Technometria podcast is with Henri Asseily, the CTO of Telnic. Telnic is the registry for the .tel top-level domain.

The .tel domain is a little different than most domains you might run across. For one, you can't point it at a Web site (although you can get email through it using MX records). The registry controls the A records for the domain and they all point to a contact page. For example, here's my .tel domain: windley.tel.

I, of course, control all this data using a Web page that they provide for that purpose. The nifty thing is how it's stored. There's no database behind this, rather the data is all stored in the DNS records for the domain. For example, the system uses NAPTR records (yeah, I didn't know what they were either before this) to store the

pjw:Downloads pjw$ dig windley.tel -tNAPTR
;; ANSWER SECTION:
windley.tel. 60 IN NAPTR 100 100 "u" "E2U+web:http" "!^.*$!http://www.windley.com!" .
windley.tel. 60 IN NAPTR 100 101 "u" "E2U+web:http" "!^.*$!http://xri.net/=windley!" .
windley.tel. 60 IN NAPTR 100 103 "u" "E2U+x-voice:skype" "!^.*$!skype:windley!" .
windley.tel. 60 IN NAPTR 100 102 "u" "E2U+voice:tel+x-work" "!^.*$!tel:+18016494601!" .

You can see that some of the data in the page is available in these records. The textual data is in the TXT records:

pjw:Downloads pjw$ dig windley.tel -tTXT
;; ANSWER SECTION:
windley.tel. 59	IN TXT ".tlb" "1" "100" "100" "Technometria
windley.tel. 59	IN TXT ".tlb" "1" "100" "101" "Contact form"
windley.tel. 59	IN TXT ".tlb" "1" "100" "102" "Phone number at Kynetx"
windley.tel. 59	IN TXT ".tlb" "1" "100" "103" "My Skype address"

Note that the numbers in the text records are being used to link this data to the data in the NAPTR records.

This is pretty cool because it means that anything that can speak DNS (pretty much everything) could have programmatic access to this data. If you can make DNS queries, you can grab my contact data.

The system allows for me to create profiles and then make different profiles available based on where I am and what I'm doing. I could update my telephone number, preferred method of contact, and so on just by choosing a different profile. Eventually this would be done automatically for you depending on various events in your life. This is where Kynetx comes in, but that's the subject of another post once.

In the first two parts of this series I defined what I meant when I use the term “Digital City” and the basic rights that every Digital Citizen has to a JOB! I talked about a sustainable model to drive these jobs and how by paying for multimedia encyclopedias – corporations could create a 3:1 usage of their money – and write it off at the same time!

I also alluded to the importance of fiber optic connectivity as a driving force to get us OUT of the monopolistic control vice that telcos and cable companies have over our on-line entrance and exit ramps. It is this synergistic combination of all these factors that leads to the solution – I call a “Digital City.”

This is no simple task or set of goals we’ve got facing us. Resuscitating our economy and finding enough work for all is a moral issue. The idea of the Digital City project is that Digital Citizens can pool our interests, goals and money together and solve our own problems.

The answer is staring us in the face = all jobs will require tech skills, there are $100’s of billions of dollars development work needed to build the world’s multimedia encyclopedias and once we build that content, we need to put it onto open data servers – so all can enjoy and monetize it – via Open APIs.

As our fiber optic infrastructure evolves – it will be the open fiber optic networks being put into place now – that will sew the seeds of our revolution and create jobs for all! But to do that we must wrest control of the billions of dollars in workforce development money which is being squandered each year!

All governments – starting at the Federal level and moving down to State, County and City – must help provide jobs to their citizens. So if we can convince even 1% of that money to be put into NEW kinds of jobs, I think we just might pull this off!

I’ll conclude this series with an even deeper dive into some of the technical concepts and business model theories that make up this Digital City project.

The first concept (#1) I want to elucidate on is what I call a “virtuous circle of training and volunteerism.”

What we want to do is create a system where anyone can join a specially modified social network and receive handholding and get trained in all the workings of social media. As they work their way through our ‘training’ process each trainee will earn points reflecting the particular tasks, actions, volunteerism and self expression they have achieved.

The social network will have real-time video help wired into every screen and function. So if at any time someone has a question, all they have to do is click a “HELP ME!” button – and a live human will appear to walk them through using the software or answer any other questions they might have.

I believe that the digital divide is NOT about economics. The FCC report last week talks about 35% of America not having broadband access and they believe that it is because people are ambivalent, scared or apprehensive. I agree. So a key aspect of our virtuous circle process is to make asking questions REALLY easy and provide a safe, secure, warm and fuzzy environment for anyone to come up the learning curve of using computers and on-line technology.

The points earned in our virtuous circle process will be used by a trainee to work their way “up” through the system, eventually achieving a paid internship position. But to do that – they must earn more than just points. They also must establish relationships with the team and community members, contribute something to the community and participate in various kinds of volunteer activities. This earning of trust and establishing their own position in the community is another key aspect of this approach.

When a trainee first enters the system – we’ll help them signup, upload an image of themselves and show them how to navigate with and control their own personal dashboard. We’ll show them how to request real-time video help operators – who are volunteers themselves – by simply clicking on a special button and choosing which help operator they wish to talk to.

Trainees will be taught about ‘friending’, joining groups, leaving comments on blog posts, Twits and other conversations and in general – to utilize the social media environment. We’ll also show trainees how to sign up for local volunteer tasks which have been entered into the system by our virtuous help admin staff – who reside at a local “digital bureau”.

Trainees need not attend an actual digital bureau to receive training, but if they do go there they will find plenty of machines to use, training classes being offered, live help operators helping others and other trainees going through THEIR virtuous circle training process.

Each digital bureau will also produce multimedia projects and local live events – such as street fairs, community meetings, seminars, senior citizen’s homes visits, etc.

The goal here is to get as many trainees to progress through at least three cycles of the virtuous circle process. The definition of when a trainee has completed their first cycle through the circle is when they invite in a friend into the system. This is the symbolic “eat the red pill” moment – when they actually enjoy what they’re doing and wish their friends to go through the same process.

Once we begin the second cycle through the circle we explain to trainees that 1% of the population create, 9% engage by leaving comments, ratings, join groups, etc. and that 90% only watch. What we’re trying to do is get these trainees to become part of the 9% engaged population.

We do that by pointing out that they can create their OWN groups, post their OWN blog posts and start their OWN conversations. And when we ask these second cycle level trainees to volunteer for tasks, this time we’ll give them more responsibility and trust.

So instead of just setting up chairs or the tent at the street fair, they can demo our software themselves in our booth. And instead of going to the senior’s home to just help out, this time they can actually do the interviews themselves. With each stage of more trust and responsibility, comes further participation and contribution to the community.

When the trainee makes it through the second cycle of the circle – they then become part of a paid internship program. These interns will be mentored by volunteer mentors who will work with each intern disseminating the mentor’s own personal expertise and knowledge. From these paid internship positions the virtuous process will assign trained workers to particular projects, hopefully based on the many multimedia projects we’ll be producing!

Each multimedia expert and professional we hire to produce our multimedia projects will have to mentor 2-3 mentee/interns. The combination of producing large scale multimedia projects, running trainees through our internship program and our on-going efforts at producing live events and embedding trainees in local corporations – will (hopefully) start to generate real jobs that people can use to feed their families and keep a roof over their heads.

But that’s just the beginning! Once we’ve dialed in the potential of multimedia production work – we’ll need to branch out to more traditional areas – such as sales, marketing and office management, book keeping, etc. We believe that ALL jobs of the future will require tech skills, so we expect to be training folks in how to use QuickBooks and Google Apps to run a virtual office management business or create a business which takes photos from weddings, births, anniversaries, etc. and turns them into hard cover coffee table books.

This whole virtuous circle process will complement the free dashboard software our Digital City project will provide and dovetail nicely into the numerous multimedia production projects which is the essence of our sustainable engine.

The second concept (#2) of an Open Digital City is that on-line users will ‘mesh’ together a loosely knit distributed environment of people, services and content. I call this the “Open Mesh” – and I wrote a book about it. After two years of researching, proposing, meeting to discuss and extrapolating – I reached the conclusion that ‘dashboard containers’ could be a mechanism where we could “mesh our open platform together.”

The goal here is a live peacefully together in a distributed manner where no one social network, search engine, start page, real-time communication or eCommerce platforms – dominates.

In the ‘80’s we had the battle of Apple vs Microsoft. In the ‘90’s it was Netscape vs Microsoft. Then the battle morphed into Yahoo vs AOL. Or was it Amazon vs eBay? In the ‘00’s we’ve seen Google come in and take over the battle, with MySpace and LinkedIn defining a new category where social issues mattered. Now we’ve seen the lead shift to Facebook and Twitter.

Throughout this dizzying evolution of on-line offerings the poor user is subjected to the eternal question: “how can I take advantage of all these on-line tools and environments?”

Too often we’ve seen the interests of the platform preclude the importance of the user’s experience. Steve Jobs understands this – and fights this battle on his own terms. But Apple is a closed platform as many iPhone developers are discovering right now. And that’s what’s behind Google’s strategy with Android, Chrome and their desktop OS – they’re using OPEN as a strategic advantage over closed platforms. And that’s why Apple is suing them!

Facebook is a dichotomy, playing the role of open standards leader and fighter for the rights of user’s data, while they still play the closed platform role as they figure out how to ‘monetize’ their 400M users.

Throughout this battle – we know one thing for sure – we aren’t done yet! The real-time web and the next Google will continue to redefine the rules and create great new ways to communicate, learn and proposer.

“So what does this have to do with dashboard containers?”

Here’s the idea…

If we could imagine that all on-line sites had a dashboard page in them. For social networks it’s the profile page. For bloggers – it’s usually their “About Me” page. eCommerce and brochure sites have “Contact Us” pages. Every on-line site has a dashboard page, whether it was one’s start page or not. Inside that dashboard page would reside standard microformat ‘containers’ – with each container holding descriptive data of a particular aspect of the site.

Those containers would include information like: the content contained in the site, the list of friends or contacts the site (or person) has, the configuration of the site, the access privileges the site grants, the site’s media collection and who the site is associated with eg. It’s ID.

For an individual – the dashboard ID would define them as the site owner. For businesses it would probably be the site’s admin or POC (point of contact) person. The idea is that between all these different dashboard containers, any external site could query the dashboard’s APIs (application programming interface), access some of these containers and find out what’s there and do something with that data.

The data would still be controlled by the site’s owner, but a new kind of distributed interaction and synchronization would be made possible.

Distributed friending would then appear – where one’s dashboard holds their own personal social graph and list of friends, instead of being locked up inside of Facebook. Distributed access controls would facilitate uploading an image or video and controlling who gets to view it – regardless of where the photo or video are accessible. This freedom from the shackles of Facebook is what we’re aiming for!

No single site would then be able to control everything – as we’re currently seeing with Twitter and Facebook. Distributed controls, friending and accessibility are a cornerstone notion in a free and open web. By ceding control to monopolistic vendors – we can never control our own destiny.

So dashboard container standards could enable the DiSO ideal of a distributed social web – and inter-connect our Open Mesh together.

Now let’s take the virtuous circle approach and imagine how dashboard containers can connect various training efforts together across various different vendors’ implementation of Citizen Dashboards. The idea here is that no ONE vendor will control ID’s, content flow, training processes or have a strangle hold over ANY data point or touch point in this ecosystem.

Dashboards can be inter-connected together by shared containers and many different points systems, reputations and groups can be shared between different vendor’s “training systems”. This leads to an alternative currency system and all sorts of new open standards (see below.)

This approach to dashboards is what I call ‘Digital Lifestyle Aggregation’ (DLAs) – where a single dashboard interface would adapt to who the user is, what accounts and presence they have in the on-line world and what their various ‘personae’ are. DLAs provide an integrated environment that aggregates people, content and services together.

DLAs must be highly customizable so that you can mesh into whatever social networking platform, media storage site(s), favorite blogs and Twitterers, mainstream media sources, eCommerce destinations and anything else on-line – that matters to YOU!

This leads us to the third (#3) underlying concept behind the Digital City project which is to ‘normalize’ our approach to People, Content and Services – and have a free and open marketplace where users can monetize their attention, move seamlessly between platforms and prosper with plenty of work to keep them busy and employed.

Each social media tool or platform has their own representation of people, their own way they store content and their own unique set of services and on-line capabilities. These constructs of People, Content and Services are a common ground between our various different vendors’ platforms.

This is what an Activity Stream would look like in our Digital City once we all agreed to common constructs about People, Content and Service. Local shop owners, independent marketing people, community groups, married couples, churches, students and training classes could all post to this stream.

These common constructs can be leveraged as a basis for new kinds of collaborative processes which will bridge across vendor chasms and unite wide ranges of activists, creators and entrepreneurs.

The Citizen Dashboard we’ll be offering will have these kinds of collaborative tools and platform interfaces baked into the environment. Our dashboard will connect us to new kinds of marketplaces which will enable the interchange and monetization of our friends, content and attention – which we’ll be stockpiling and documenting. Since Facebook, Google and Microsoft are monetizing us – why can’t we monetize ourselves?

The Citizen Dashboard I’d like to see given away to Digital Citizens around the world will provide real-time video help, implement the virtuous circle, connect to any other kind of social networking platform, eCommerce, blogging, communication or on-line service – and the source code will be given away – for free to non-profits, government agencies, etc. A small licensing fee will be assessed to commercial platforms.

The next underlying concept of the Digital City (#4) is that by building out and running digital bureaus, creating jobs, operating a social network and the virtuous circle training and volunteerism process, and producing terabytes of on-line interactive multimedia content - a WHOLE NEW kind of system integration business will be born.

Imagine this if you will. Nancy Pelosi and Tim Ryan are standing there at our digital ribbon cutting ceremony. They go on and on about how government money was used to resuscitate NEO’s economy and that a Digital Region has been born on the ashes of America’s manufacturing base.

Our goal is to achieve 5,000 jobs in five years – and if we pull that off, convince companies to move here, discover the incredible value of homes and our lifestyle – then Cleveland and NEO’s future will change. And our Digital City project will be a showcase for the world to see!

All of the source code we use to build our Digital City will be given away for free. Any city or region around the world will be able to download it, set it up and run their own Digital City. But it won’t look or act as good as ours!

At that point – they’ll pick up the phone and call us (or Skype us as the case may be!) Our new company will be called “Digital City Mechanics” and we’ll be in the business of running or showing others how to customize, operate, evolve and prosperously create jobs in any Digital City around the world.

The trick will be to customize the environment to the particular populace, local industry and corporate sponsors, document all our processes for others to use, and capture the history and culture of the region – and put it all on-line.

That’s what Digital City Mechanics will do – and I believe it can become a $billion$ dollar business.

The final underlying concept of the Digital City (#5)

is open standards.

All of these ideas, techniques, formats, protocols and data structures we imagine our Digital City needs – others will need as well. Or they’re already doing them – right now.

I recently went to a Digital City Summit in Amsterdam and lo and behold there were folks from Helsinki, Manchester, Rotterdam and Milan all working on similar ideas. Timeline servers, traffic data servers, shared infrastructure ideas, municipal servers. This idea is HUGE and it can’t be stopped!

To be clear - all of these ideas I’m elucidating are open sourced. They’re free and available for anyone to implement and monetize. It is through this free and open idea interchange that we’ll resuscitate our world’s economy and get unemployed workers back to work.

It is through the spread of open standards – across the board – that we’ll achieve these goals.

Witness the ‘open stack’ chart above. It is a collection of open standards currently being rolled out and/or evolved in our ‘open web’ world of today. One could imagine more standards that will be added to this stack and certainly the dashboard container standards I talk about (above) would become part of this stack.

It’s through open standards that our Digital Cities will connect to other Digital Cities – unless that wasn’t quite obvious by now!

I want to conclude by pointing out to some great work and efforts already going on – which is exactly what I’m talking about:

Lynda.com – is an on-demand database of video training snippets. The best in the business!

Time to Know – a teaching platform designed as a one-to-one learning platform.

Manchester Bidwell – a series of efforts designs to empower individuals and teach them skills which will help them pull themselves up by their bootstraps.

Vurb and Ben Cerveny in Amsterdam – they’re building Digital City infrastructure – as we speak!

I hope this series of articles explained what it is I’m talking about – when I refer to my Digital City project.

I’ll be talking about this – for the next five years – if not longer and looking for funding and help to implement it.

Our goal should be to force the behemoths in our industry to provide US with ever decreasing costs on ever increasingly powerful technology. By playing the BigCo’s off each other – like we did with MySpace, Facebook and Google – I believe that they’ll choose OPEN and our Open Mesh as the way to peaceful coexistence.

Whether it be Cisco vs Google, Apple vs HTC, Google vs Twitter, Microsoft vs Google, HP vs Cisco, or Facebook vs Everyone else – it all leads to Digital Citizenry educated in the ways of the world of leveraging our software infrastructure and open dashboards – provided by (hopefully) government and local foundations. It’s our traffic that everyone wants – and we get to decide where to put it.

Here’s a map of what our pilot NEO Digital City infrastructure might look like:

The Open Identity Exchange was launched this morning at the RSA conference in San Francisco. It is a significant step for federated identity as it will enable US government web sites such as the NIH to embrace open identity standards and roll out open identity services to US citizens. For example, the National Institute of Health can now move out of pilot phase and support accredited OpenID providers.

So, what is the Open Identity Exchange (OIX)? The OIX aims at enabling specialized trust frameworks or certification programs within a vertical community (e.g. US government, health care, financial services). Certification requirements for shared identity can be diverse and complex depending on the level of assurance required. Simply said, when it comes to trust, one size does not fit all.

You can think of a trust framework as the policy sibling of technical standards for identity. Identity policies must be set to deal with privacy, security, and liability. Once policies have been defined, certification can emerge as the foundation for trust between all parties exchanging information. However, the type of policy needed greatly depends on the sensitivity of this information, the security risks, and many other factors, including geo-political sensitivities. Indeed, the level of trust assurance required to protect access to the energy grid, electronic health care records or social web pages is clearly not the same.

The open approach that the OIX take is attractive. The OIX does not try to set the policy rules. Instead, it creates a common framework, a shared approach that will enable different communities to create their own certification rules. It is not an easy problem. But because cyber security and key governmental initiatives depend on high assurance identity management, OIX is an important first step to get there.

On Saturday, I blogged about a bill before the Utah Senate that would allow law enforcement to use administrative subpoenas to get data about you from your ISP when they suspected you of crimes against children. This would be done without a warrant and without any real oversight (as currently drafted).

This morning Rep. Brad Daw is testifying about his bill before the Senate Edcuation Committee (yeah, it's confusing). @sausagegrinder (a Daily Herald reporter) tweeted that Daw said:

Daw: 4th amend doesn't apply to his bill. The subpoenas would be for information owned by a company, not property of suspect

That's an interesting position. Forget the bill itself. Just consider the question of when information about you belongs to you, when it belongs to someone else, and when it belongs to multiple parties.

If we take the position, as Daw apparently does, the data in the ISP records about you, your address, you billing information, and other transactional data (although by his admission in an unlinkable Facebook exchange not the content of the transactions themselves) belongs to the ISP and not to you, where do we draw the line on what data about you belongs to you...at least in part?

What about your health data? Yeah, I know about HIPAA, but forget that--we're trying to suss out principles, not the law. Would you consider all the information about your doctor visits, the tests you took, the payments you made (or didn't) to be data in which you had no privacy interest? Even if the actual content of the tests and medical procedures was not included, there's a lot of private data to be had in the meta data about our activities. In fact, give me just your meta data and I can probably construct a pretty interesting picture about you.

I submit that any data about me, held by another party is usually jointly owned and that I have an interest in what happens to it. And by extension, that interest means that it is data that is protected by the fourth amendment from unwarranted government prying and snooping. Daw is playing fast and loose with this for the convenience of his bill and ignoring the larger consequences to our freedoms if such a mentality is not resisted.

Are you pursuing changes to your Directory Services or Access Management infrastructure this year?  If so, there are two resources that you want to be aware of to help understand the opportunity and impact on your organization.  Eric Leach, will be presenting a webinar next week as part of the SANS Institute's Webinar series on Security.  You can register for the webinar here.

Title:  Smart Strategies for Securing Extranet Access
When:  Tuesday, March 09 at 1:00 PM EST (1800 UTC/GMT)
Presenter: Eric Leach & Dave Shackleford
Register here

 Additionally, there was a new training course that was launched for resources interested in building a solid foundation for managing Directory Services.  The course also offers an insight into the essential building blocks of access management.  Additionally, it covers the use of virtual directories which is a crucial component of an enterprise identity architecture.  The virtual directory can help consolidate legacy directories when companies want to reduce cost.  Additionally, when time is critical for federation projects or mergers and acquisitions a virtual directory can help connect necessary identity attributes without changing code. 

This foundational course on Directory Services can be found here.  The course covers the following topics:

• Discuss the importance, features, benefits, and functional aspects of identity management and Oracle Identity Management products
• Describe concepts associated with directories and the Lightweight Directory Access Protocol (LDAP)
• Compare Oracle Internet Directory 11.1.1.1.0 and Oracle Virtual Directory 11.1.1.1.0: two Oracle Identity Management products

The course can be accessed here.

These are my links for March 2nd 2010:

• 500 Internal Server Error – 500 Internal Server Error

My good friend Vittorio is one of the most gifted technology presenters - an artist!  But he’s also a talented engineer and architect - the rat!  Vittorio has been a great supporter of minimal disclosure.  I want to point you to his nice little guide to the minimal disclosure videos…  None of Vittorio’s real-time cartoons this time, but I hope they’re coming…

“As is customary by now, the IdElement is providing extensive coverage of the U-Prove CTP:

Announcing Microsoft’s U-Prove Community Technical PreviewStefan describes U-Prove, some typical scenarios where traditional technologies fall short while U-Prove provides a solution, and a summary of what we are releasing.
	U-Prove CTP: a Developers’ PerspectiveChristian and Greg explore the CTP, clarifying U-Prove’s role in the Identity Metasystem and describing how ADFSv2, WIF and CardSpace have been extended in the CTP for accommodating U-Prove’s functionality.
Deep Dive into U-Prove Cryptographic protocolsA feast for cryptographers and mathematicians! in this video Stefan describes in details the cryptography behind U-Prove’s algorithm. Not for the faint of heart!

“I know that my good friend Felix felt strongly about U-Prove: I am so glad that we can finally share this! Congratulations to Stefan, Christian, Greg and everybody in the IDA division that made this happen

Downloads

- U-Prove CTP

- U-Prove SDK C# edition or Java edition