Musings on Digital Identity

Category: Bandit Project

SUSE Linux Now Includes an Identity Selector

DigitalMe Logo

My thanks to Dale Olds for pointing out that the SUSE Linux distribution now contains an Identity SelectorDigitalMe (from the Bandit Project). He’s right — it’s important to mark significant milestones such as these. That’s now two platforms and counting…

Novell Product Release with Information Cards and WS-Federation

Novell logoAs announced in Dale Olds’ post Information Card breakthrough with Novell Access Manager 3.1, Novell has released a version of Access Manager that adds support for Information Cards and WS-Federation, partially courtesy of the Bandit Team. I was on the show floor at BrainShare in March 2007 when Novell first demonstrated WS-Federation interop (showing eDirectory users on Linux accessing SharePoint on Windows via an early version of Access Manager and ADFS), so I’m particularly glad to see that the scenarios we jointly demonstrated then can now be deployed by real customers.

It was also at that BrainShare where Novell demonstrated the first cross-platform Identity Selector (an event significant enough that I decided it was time to start blogging). It’s great to likewise see Novell’s Information Card work progress from show-floor demos to shipping product. Congratulations to Novell and the Bandits!

A Personal Perspective on the Information Card Foundation Launch

Information Card Foundation banner

In May 2005, when I wrote the whitepaper “Microsoft’s Vision for an Identity Metasystem“, these sentences were aspirational:

Microsoft’s implementation will be fully interoperable via WS-* protocols with other identity selector implementations, with other relying party implementations, and with other identity provider implementations.

Non-Microsoft applications will have the same ability to use "InfoCard" to manage their identities as Microsoft applications will. Non-Windows operating systems will be able to be full participants of the identity metasystem we are building in cooperation with the industry. Others can build an entire end-to-end implementation of the metasystem without any Microsoft software, payments to Microsoft, or usage of any Microsoft online identity service.

Now they are present-day reality.

This didn’t happen overnight and it wasn’t easy. Indeed, despite it being hard, the identity industry saw it as vitally important, and made it happen through concerted, cooperative effort. Key steps along the way included the Laws of Identity, the Berkman Center Identity Workshops in 2005 and 2006, the Internet Identity Workshops, the establishment of OSIS, the formation of the Higgins, Bandit, OpenSSO, xmldap, and Pamela projects, publication of the Identity Selector Interoperability Profile, the Open Specification Promise, the OSIS user-centric identity interops (I1 rehearsal, I1, I2, I3, and the current I4), the OpenID anti-phishing collaboration, the Information Card icon, and of course numerous software releases by individuals and companies for all major development platforms, including releases by Sun, CA, and IBM.

Of course, despite all the groundwork that’s been laid and the cooperation that’s been established, the fun is really just beginning. What most excites me about the group of companies that have come together around Information Cards is that many of them are potential deployers of Information Cards, rather than just being producers of the underlying software.

The Internet is still missing a much-needed ubiquitous identity layer. The good news is that the broad industry collaboration that has emerged around Information Cards and the visual Information Card metaphor is a key enabler for building it, together in partnership with other key technologies and organizations.

The members of the Information Card Foundation (and many others also working with us) share this vision from the conclusion of the whitepaper:

We believe that many of the dangers, complications, annoyances, and uncertainties of today’s online experiences can be a thing of the past. Widespread deployment of the identity metasystem has the potential to solve many of these problems, benefiting everyone and accelerating the long-term growth of connectivity by making the online world safer, more trustworthy, and easier to use.

In that spirit, please join me in welcoming all of these companies and individuals to the Information Card Foundation: founding corporate board members Equifax, Google, Microsoft, Novell, Oracle, and PayPal; founding individual board members Kim Cameron, Pamela Dingle, Patrick Harding, Andrew Hodgkinson, Ben Laurie, Axel Nennker, Drummond Reed, Mary Ruddy, and Paul Trevithick; launch members Arcot Systems, Aristotle, A.T.E. Software, BackgroundChecks.com, CORISECIO, FuGen Solutions, Fun Communications, Gemalto, IDology, IPcommerce, ooTao, Parity Communications, Ping Identity, Privo, Wave Systems, and WSO2; associate members Fraunhofer Institute and Liberty Alliance; individual members Daniel Bartholomew and Sid Sidner.

User-Centric Identity Interop at RSA in San Francisco

33 Companies…
24 Projects…
57 Participants working together to build an interoperable user-centric identity layer for the Internet!

Come join us!

Tuesday and Wednesday, April 8 and 9 at RSA 2008, Moscone Center, San Francisco, California
Location: Mezzanine Level Room 220
Interactive Working Sessions: Tuesday and Wednesday, 11am – 4pm
Demonstrations: Tuesday and Wednesday, 4pm – 6pm
Reception: Wednesday, 4pm – 6pm

Logos of RSA 2008 Interop Participants

Information Card Relying Party Software for Python

While you’ve seen posts about Information Card Relying Party code for lots of programming languages and environments here (ASP.Net, Ruby, Java, PHP, C) one language I haven’t posted about before is Python. To make up for that, here’s information about two Python implementations.

Bandit Code logoTurns out that the Bandits, in their inimitable style, have been quietly churning out useful code. In this case, Duane Buss built Python relying party code to use at the Bandit Project’s Code pages (Bandit Trac) and also released it for general use. After only minimal cajoling, he also created a demo Python relying party.

JanRain logoMeanwhile JanRain, another group well-known for producing high-quality identity code, also built a Python relying party implementation, in their case to use at MyOpenID.com. As Brian Ellin just wrote, JanRain has released their Python code for accepting self-issued Information Cards for all to use. Have at it, Python hackers!

Firefox Information Card Add-on Collaboration

Firefox logoThe new release of the Firefox Information Card add-on recently announced by Axel Nennker is notable not only for its features, but also because it incorporates contributions by Andy Hodgkinson of the Bandit Project that make it work with the DigitalMe Identity Selector. This means that the same Firefox add-on can now be used with at least three Identity Selectors — openinfocard, DigitalMe, and Windows CardSpace.

The benefits of sharing this core piece of Information Card infrastructure became apparent when some recent releases of Firefox broke the add-on in some scenarios. Because several copies of the code were in use by different projects by then, all the projects had to make their own fixes in their copies, both duplicating effort, and increasing the chances that different selectors would behave differently in quirky and non-obvious ways. I’m really pleased that Andy pitched in and contributed his fixes to the add-on project and that Axel incorporated them in a way that I believe means that DigitalMe won’t have to use a separate add-on anymore. Hopefully the other identity selectors will also follow suit soon, eliminating any unnecessary forking in this key project.

One nit with Axel’s post though… While he suggested calling the add-on “CardSpace for Firefox”, even though I’m a fan of CardSpace, the add-on is intended to work with any Identity Selector — not just CardSpace. Therefore I’d prefer selector-neutral names for the project like “Firefox Information Card add-on”, “Firefox Identity Selector add-on”, “Information Cards for Firefox”, etc. What selector-neutral term for the project do others prefer?

User-Centric Identity Interop at Catalyst in Barcelona

Logos of Barcelona Interop Participants 2007

Last night OSIS and the Burton Group held the third in a series of user-centric identity Interop events where companies and projects building user-centric identity software components came together and tested the interoperation of their software together. Following on the Interops at IIW in May and Catalyst in June, the participants continued their joint work of ensuring that the identity software we’re all building works great together.

This Interop had a broader scope along several dimensions than the previous ones:

An excerpt from Bob Blakley’s insightful-as-always commentary on the Interop is:

The participants have posted their results on the wiki, and a few words are in order about these results. The first thing you’ll notice is that there are a significant number of “failure” and “issue” results. This is very good news for two reasons.

The first reason it’s good news is that it means enough new test cases were designed for this interop to uncover new problems. What you don’t see in the matrix is that when testing began, there were even more failures — which means that a lot of the new issues identified during the exercise have already been fixed.

The second reason the “failure” and “issue” results are good news is that they’re outnumbered by the successes. When you consider that the things tested in Barcelona were all identified as problems at the previous interop, you’ll get an idea of how much work has been done by the OSIS community in only 4 months to improve interoperability and agree on standards of component behavior.

Be sure to read his full post for more details on what the participants accomplished together. And of course, this isn’t the end of the story. An even wider and deeper Interop event is planned for the RSA Conference in April 2008. Great progress on building the Internet identity layer together!

Seeing the LiveID Information Card Beta and DigitalMe in Action

Kim and I had fun with this video but we’re seriously pleased to be able to show you both using LiveID with Information Cards and DigitalMe in action together. Check it out!

DigitalMe Identity Selector for the Mac

Today Andy Hodgkinson announced a binary release of the DigitalMe Identity Selector for Mac OS X. Now Mac users can use Information Cards with just a drag-and-drop install! This release builds upon the earlier success of their binary release for SuSE Linux.

As Andy wrote: “I would encourage anyone interested in using information cards on the Mac to install DigitalMe and the Firefox plug-in.” I’ll second that. Go check it out!

Congratulations again to the Bandit team!

DigitalMe Mac screen shot

User-Centric Identity Interop at Catalyst

OSIS Logos

I’ve been waiting to write about the user-centric identity interop at the Burton Group Catalyst conference until the Burton Group report about the event was published. Now it’s here!

At the interop we demonstrated interoperability between 7 Identity Selectors, 11 Identity Providers, and 25 Relying Parties. As Bob Blakley wrote:

The interop event was a milestone in the maturation of user-centric identity technology. Prior to the event, there were some specifications, one commercial product, and a number of open-source projects. After the event, it can accurately be said that there is a running identity metasystem.

The full report includes a list of participants and the software they brought to the table, an overview of the results achieved, as well as the issues identified through the interop. See Bob’s post for all the details!

The report also includes thank-yous, to which I’d like to make some additions: Thanks are due to Jamie Lewis, Gerry Gebel, and Bob Blakley of the Burton Group for sharing our vision for this interop, striving to make it the best that it could be, and tirelessly working the details until it came true. You truly helped the industry to come together in a valuable and significant way.

Also, while I appreciate Bob’s thanks for the work I put into the Open Specification Promise, there were many believers in and drivers of this important work at Microsoft besides myself, both from the Law and Corporate Affairs team and from the Federated Identity product group. This was truly a team effort.

I’m also happy to report that there will be a follow-on interop in Europe at the Catalyst conference in Barcelona, October 22-25, which will hopefully include even more participants and scenarios, including more multi-protocol interoperation proof points. Hope to see you there!

Initial Release of Bandit Project’s DigitalMe Identity Selector

Let me be the first to congratulate the Bandit and Higgins project members on the release of the DigitalMe Identity Selector for SuSE Linux! Now, for the first time, Linux users have an installable Identity Selector available to them that enables them to use Information Cards in a way that’s compatible with Windows CardSpace. See Novell’s press release “Bandit Project’s Cross-Platform Card Selector Gives Users Control of their Internet Identities“, the Identity Selector Service page, and the Identity Selector Service Download page for more details.

This announcement lets people who aren’t developers start to use Information Cards on Linux and builds on the interoperability successes demonstrated at Brainshare. And as the downloads page says, “Work is under way to provide packages for other Linux distros, OS X and Windows.” Great stuff!

Congratulations again!

Hands-On Information Card Interop at IIW

On Tuesday afternoon at IIW representatives from numerous Information Card projects sat down at the same table (actually, 3 tables so we would all fit :-) ) and systematically used our implementations together, exercising the different possible combinations. The session notes, as posted on the OSIS wiki, tell the story:

Notes from IIW 2007a

The OSIS group sponsored an Information Card interoperability connect-a-thon on May 15, 2007 as part of the Internet Identity Workshop 2007 A in Mountain View California. Participants collaborated to work through combinations of Identity Provider, Identity Agent, and Relying Party scenarios, in order to identify and workshop problems with interoperability. The following representatives were present and participated:

5 Information Card Selectors

  • Ian Brown’s Safari Plugin
  • XMLDAP
  • Windows Cardspace
  • Higgins IdA Native
  • Higgins IdA Java

11 Relying Parties

  • Bandit (basic wiki authentcation)
  • Bandit (elevated privileges)
  • PamelaWare
  • CA
  • XMLDAP
  • Windows Live RP (used to obtain a managed card)
  • Windows Live/single-issuer (where you can use the managed card)
  • Oracle RP
  • Identityblog RP (based on Rob Richards’ library)
  • Identityblog helloworld token RP
  • UW/Shibboleth

7 Identity Providers

  • Higgins
  • Bandit
  • XMLDAP
  • UW/Shibboleth
  • LiveLabs
  • HumanPresent
  • Identityblog HelloWorld IdP

4 Token Types

  • SAML 1.0
  • SAML 1.1
  • helloworld
  • username token

2 Authentication Mechanisms

  • username/password
  • self-issued (personal) card

Many combinations interoperated as expected; several issues were identified and are being fixed in preparation for the coming Information Card Interop event to be held at the Burton Group Catalyst Conference in San Francisco (June 25-29).

One of the things I love about IIW is that it’s a working meeting — not a series of mind-numbing presentations. This interop was a great example of the industry coming together and doing work together. And of course, this session was a dry run for the upcoming User-Centric Identity Interop event coming at Catalyst next month, where even more projects will be represented. Hope to see many of you there!

Who are you?

On March 21st at Novell’s BrainShare 2007 conference, Dale Olds and I co-presented the session Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity”. Our presentation was a brief history of digital identity solutions, ranging from a password per application to interoperable user-centric digital identity using the Information Card metaphor and several steps in between.

demo self-issued cardThe coolest thing in the session was the first public demo of the Bandit/Higgins cross-platform Identity Selector. During the demo Dale and I both used the same self-issued Information Card (that I created on the BrainShare show floor :-) ) to log into a Bandit relying party site, Dale from Linux and me with Windows CardSpace. As Dale and Pat Felsted blogged, two days later the Bandits also demonstrated their selector running on the Mac. Also see Pat’s post on the Details of the Cross Platform Identity Selector.

Great progress towards enabling everyone to answer the question “Who are you?” online with the Information Card of their choice!

Powered by WordPress & Theme by Anders Norén