Planet OpenID

September 18, 2014

Nat Sakimura

Has the Wheel Become Round Yet? Maturity and Trends of Identity-Related Standards

The ID&IT site still lists a provisional title, but tomorrow at the ANA Hotel I will be giving a talk of about 30 minutes entitled “Has the Wheel Become Round Yet? Maturity and Trends of Identity-Related Standards”. The session number is GE-05. I appear as the “foreign talent” (gaitare), Nat Sakimura.

Registration is here → http://nosurrender.jp/idit2014/registration.html

The content is based on material from the Cloud Identity Summit keynote slides that I obtained directly from Ian Glazer, who was Gartner’s identity analyst until March. Mixing in his views, my own, and even things discussed at a breakfast meeting with Howard Schmidt, former Special Assistant to the US President for Cybersecurity, I will introduce the state of international standards for authentication, authorization, attributes and provisioning, including the question of whether they can be used today.

Since I appear as “foreign talent”, I asked for simultaneous interpretation, but with the budget being tight it was not approved, so I will deliver the talk in Japanese, doing the simultaneous interpretation myself, lol. Yes. So I’m not a “gaitare” (foreign talent) but a “hetare” (wimp). Still, I will bravely open with the first slide in English, so please give me a lukewarm laugh (_o_).

Do we have a round wheel yet?

by Nat at September 18, 2014 12:58 PM

September 17, 2014

OpenID.net

General Availability of Microsoft OpenID Connect Identity Provider

Microsoft has announced the general availability of the Azure Active Directory OpenID Connect Identity Provider.  It supports the discovery of provider information as well as session management (logout).  On this occasion, the OpenID Foundation wants to recognize Microsoft for its contributions to the development of the OpenID Connect specifications and congratulate them on the general availability of their OpenID Provider.

Don Thibeau
OpenID Foundation Executive Director

by Don Thibeau at September 17, 2014 02:45 PM

OpenID.net

Review of Proposed Errata to OpenID Connect Specifications

The OpenID Connect Working Group recommends the approval of Errata to the following specifications:

An Errata version of a specification incorporates corrections identified after the Final Specification was published. This note starts the 45 day public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures. This review period will end on Friday, October 31, 2014. Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Errata Drafts. For the convenience of members, voting may begin up to two weeks before October 31st, with the voting period still ending on Friday, November 7, 2014.

These specifications incorporating Errata are available at:

The corresponding approved Final Specifications are available at:

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not a current OpenID Foundation member, please consider joining to participate in the approval vote.

You can send feedback on the specifications in a way that enables the working group to act upon your feedback by (1) signing the contribution agreement at http://openid.net/intellectual-property/ to join the working group (please specify that you are joining the “AB+Connect” working group on your contribution agreement), (2) joining the working group mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3) sending your feedback to the list.

A summary of the errata corrections applied is:

  • All – Added errata set number to the titles.
  • All – Updated dates for specs containing errata updates.
  • Core – Changed the RFC 6749 references from Section 3.2.1 to Section 2.3.1 in the “client_secret_basic” and “client_secret_post” definitions.
  • Fixed #954 – All – Added “NOT RECOMMENDED” to the list of RFC 2119 terms.
  • All – Updated references to pre-final IETF specs.
  • All – Replaced uses of the terms JWS Header, JWE Header, and JWT Header with the JOSE Header term that replaced them in the JOSE and JWT specifications.
  • Fixed #921 – Core 3.1.2.1 – “Authorization Request” should be “Authentication Request”.
  • Fixed #926 – Core – Typo in Self-Issued ID Token Validation.
  • Fixed #920 – Core – Attack identified against self-issued “sub” values.
  • Core – Authorization Code validation is not done when using the response type “code token” because the validation process requires an ID Token.
  • Fixed #925 – Registration – Typos (“jwk” vs “jwks”) in “jwks” client metadata parameter definition.
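
The “code token” item above turns on how the hybrid flow binds an authorization code or access token to the ID Token: the OP places c_hash / at_hash claims in the ID Token (the base64url encoding of the left-most half of the hash of the artifact’s ASCII octets, using the hash function of the ID Token’s signing alg), and the RP recomputes and compares them. The Python below is an added illustration of that check, not code from the OpenID Foundation or from the specification; the function names, the constructed sample code and token strings, and the assumption that the ID Token’s signature has already been verified by the caller are mine. It also shows why the check cannot run for a “code token” response: with no ID Token there is no c_hash to compare against.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Hash function implied by the ID Token's JOSE "alg" header: the *_hash claims
# use the hash of the signing algorithm (RS256 -> SHA-256, HS512 -> SHA-512, ...).
_ALG_HASH = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as used throughout JOSE and OpenID Connect."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_hash(value: str, alg: str) -> str:
    """c_hash / at_hash value: base64url(left-most half of H(ASCII(value)))."""
    if alg not in _ALG_HASH:
        raise ValueError(f"unsupported ID Token alg: {alg}")
    digest = hashlib.new(_ALG_HASH[alg], value.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def check_hybrid_response(params: dict, id_token_alg: Optional[str],
                          id_token_claims: Optional[dict]) -> dict:
    """Cross-check an Authorization Endpoint response against its ID Token.

    params           parsed redirect parameters (may hold code, access_token, id_token)
    id_token_alg     the "alg" from the ID Token's JOSE header
    id_token_claims  payload of an ID Token whose signature the caller has ALREADY
                     verified (assumption: signature checking lives elsewhere)

    Returns {"code": ..., "access_token": ...} with, per artifact:
      True   artifact matched its hash claim
      False  artifact present but hash claim missing or mismatched: reject
      None   artifact absent, or no ID Token to validate against (as with the
             "code token" response type, where nothing binds the code to an ID Token;
             the code is only checked when it is redeemed at the Token Endpoint)
    """
    result = {"code": None, "access_token": None}
    if id_token_claims is None:
        return result
    for artifact, claim in (("code", "c_hash"), ("access_token", "at_hash")):
        value = params.get(artifact)
        if value is None:
            continue
        expected = id_token_claims.get(claim)
        # When the artifact is issued from the Authorization Endpoint together with
        # the ID Token, the matching hash claim is REQUIRED, so a missing claim fails.
        if expected is None:
            result[artifact] = False
            continue
        actual = token_hash(value, id_token_alg)
        result[artifact] = hmac.compare_digest(actual.encode(), expected.encode())
    return result


def demo() -> dict:
    """Three responses: a consistent one, a tampered code, and 'code token' (no ID Token)."""
    # Constructed sample values, not real tokens.
    code, access_token, alg = "SplxlOBeZQQYbYS6WxSbIA", "SlAV32hkKG", "RS256"
    claims = {"c_hash": token_hash(code, alg), "at_hash": token_hash(access_token, alg)}
    good = check_hybrid_response(
        {"code": code, "access_token": access_token, "id_token": "<verified>"}, alg, claims)
    tampered = check_hybrid_response(
        {"code": code + "x", "access_token": access_token, "id_token": "<verified>"}, alg, claims)
    code_token = check_hybrid_response({"code": code, "access_token": access_token}, None, None)
    return {"good": good, "tampered": tampered, "code_token": code_token}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The comparison uses hmac.compare_digest so that a mismatch is not leaked through timing, and a present artifact with no corresponding hash claim is treated as a failure rather than skipped, since the spec makes the claim required in exactly that situation.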

– Michael B. Jones – OpenID Foundation Board Secretary

by Mike Jones at September 17, 2014 01:05 AM

OpenID.net

Review of Proposed Implementer’s Draft of OpenID 2.0 to OpenID Connect Migration Specification

The OpenID Connect Working Group recommends approval of the following specification as an OpenID Implementer’s Draft:

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This note starts the 45 day public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures. This review period will end on Friday, October 31, 2014. Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Implementer’s Drafts. For the convenience of members, voting may begin up to two weeks before October 31st, with the voting period still ending on Friday, November 7, 2014.

This specification is available at:

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not a current OpenID Foundation member, please consider joining to participate in the approval vote.

You can send feedback on the specifications in a way that enables the working group to act upon your feedback by (1) signing the contribution agreement at http://openid.net/intellectual-property/ to join the working group (please specify that you are joining the “AB+Connect” working group on your contribution agreement), (2) joining the working group mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3) sending your feedback to the list.

– Michael B. Jones – OpenID Foundation Board Secretary

by Mike Jones at September 17, 2014 12:59 AM

September 15, 2014

Nat Sakimura

I will be appearing at IT&ID 2014

IT & ID 2014

I will appear in the “foreign talent” slot at IT&ID 2014, held in Osaka on Wednesday 9/17 and in Tokyo on Friday 9/19.

It is General Session [GE-05]. Now, will the obligatory “** is DEAD” make an appearance?!

[GE-05]

Trends in Digital Identity Standardization and Where They Are Heading

Authentication and authorization protocols and provisioning APIs are being standardized. Which of these standardized technologies are at a level where they can be fully used in real systems and services today? And where is the goal of this seemingly endless standardization work?

Mr. Sakimura, Chairman of the OpenID Foundation, explains in plain terms.

Speaker:

OpenID Foundation

Chairman

Mr. Nat Sakimura

 Osaka 9/17 15:40~16:10 : ROOM A & B
 Tokyo 9/19 15:50~16:20 : ROOM A & B

It is the “foreign talent” slot, but I will speak in Japanese, so no need to worry.

As in previous years, I will also appear on the closing panel, General Session [GE-07].

[GE-07]

The Peculiarities of the Japanese IT Industry and How to Respond

Not only in smartphones but also in cloud and BYOD, the peculiarities of the Japanese IT market have become conspicuous. The usual annual members will hold a panel discussion on the causes of these peculiarities and on how IT departments and SIers should respond once they recognize them.

Panelists:

株式会社 企 (Kuwadate Inc.)
株式会社TNC (TNC Inc.)

Representative Director, Tatsuya Kurosaka

Chairman, OpenID Foundation
Director, Kantara Initiative
Senior Researcher, Open Source Solutions Promotion Office, Nomura Research Institute, Ltd.

Natsuhiko Sakimura

International University of Japan, GLOCOM

Visiting Researcher, Masanori Kusunoki

Moderator:

OpenID Foundation Japan

Community Lead, Shingo Yamanaka

 Osaka 9/17 16:40~17:40 : ROOM A & B
 Tokyo 9/19 16:50~17:40 : ROOM A & B

It is free, so please register and come along.

[Register here]

by Nat at September 15, 2014 11:38 PM

September 12, 2014

Nat Sakimura

Researchers point out privacy flaws in Android apps such as Instagram

Well, everyone more or less knew this already, but app developers’ awareness of security and privacy appears to be very sloppy.

According to reports by CIO Magazine [1] and PCWorld [2], privacy flaws have been found in Android apps such as Instagram and Viber. The report comes from the University of New Haven Cyber Forensics Research and Education Group (UNHcFREG). According to it, things are in quite a sorry state, with images stored on servers without any access control, among other issues.

Another problem with these apps seems to be that even when you try to report a security issue, you cannot reach the developers. Well, that too has long been known; @nov, for instance, struggled with this on many major apps.

UNHcFREG has posted five videos on YouTube about this matter. I think they are instructive.

[1] http://itpro.nikkeibp.co.jp/atcl/idg/14/481709/091000017/?ST=cio-appli&P=2

[2] http://www.pcworld.com/article/2603900/popular-android-apps-fail-basic-security-tests-putting-privacy-at-risk.html

by Nat at September 12, 2014 02:11 AM

September 11, 2014

Nat Sakimura

5 million Gmail usernames and passwords leaked?!

A thoroughly suspicious article came my way. It says:

5 million Gmail usernames and passwords leaked

According to TheDailyDot, as many as 5 million Gmail usernames and passwords have been leaked on a Russian Bitcoin forum.

The route of the leak is unknown, but the leaked data appears to concern users who speak English, Russian and Spanish and who use Google services such as Gmail and Google+.
(Source) MAC Otakara blog: “5 million Gmail usernames and passwords leaked” [1]

Well, wait a moment. If this had come from Google, 5 million would be far too few. There are a billion users. If someone had access to the database, taking only 0.5% of it is implausible. The language specificity is also highly suspicious. Most likely it came from phishing. With that in mind I went to the original TheDailyDot article [2], and sure enough it quoted Google as saying that most of the entries were for very old accounts that no longer exist or have been suspended, and that they had probably been phished. Going further back to the original Russian forum post [3], it states that “judging by the circumstances, these were phished”. So the original was level-headed after all. It got more extreme each time it was re-reported.

Sensationalism is bad!

The article also says that you can test at isLeaked.com whether your account leaked, but I would suggest confirming that isLeaked.com is a legitimate site before testing, just a word of caution. Incidentally, according to Google’s official blog, fewer than 2% of the address and password combinations were valid [4].

[1] MAC Otakara blog: “5 million Gmail usernames and passwords leaked” http://www.macotakara.jp/blog/news/entry-24544.html (retrieved 2014/9/11)

[2] TheDailyDot: “5 million Gmail passwords leaked to Russian Bitcoin forum”, http://www.dailydot.com/crime/google-gmail-5-million-passwords-leaked/ (retrieved 2014/9/11)

[3] “And now gmail.com too: a database of 5,000,000 addresses posted online” http://habrahabr.ru/post/236283/

[4] http://googleonlinesecurity.blogspot.jp/2014/09/cleaning-up-after-password-dumps.html

[*] Incidentally, the Nikkei BP article was, as one would expect, properly done. http://itpro.nikkeibp.co.jp/atcl/news/14/091100836/

by Nat at September 11, 2014 02:28 PM

Nat Sakimura

Japan without imagination: “‘If you’re blind, don’t ride’, ‘It’s true it’s pretty irritating’: blind girl injured on the Kawagoe Line, sympathy for the attacker pouring in on Twitter”

What an awful story.

The incident on the JR Kawagoe Line in which a blind student was injured by violence from a passenger [1] is fresh in everyone’s memory, but according to this Naver Matome [2], statements siding with the attacker have suddenly been gaining ground on Twitter, saying things like “she brought it on herself” and “don’t play the victim”. In the very year Japan ratified the Convention on the Rights of Persons with Disabilities [3], it is hard to believe we are witnessing such a sight.

As Professor Machimura’s blog Matimulog notes in “Un-beautiful Japan, explodes” [4], this tendency appears not only toward people with disabilities but also, for example, toward people wearing maternity badges [5]. It seems to surface as aggression toward the “different” and toward “minorities”, the flip side of “peer pressure”.

Being unable to put oneself in another’s position, this can be called, in a sense, a manifestation of a lack of imagination. And such a lack of imagination is a very frightening thing. It seems to me that what once drove Japan to war also owed much to the enforcement of homogeneity born of this kind of lack of imagination.

Let me introduce a good video [6]. It shows what it would be like if you were on the minority side.

If the people who are “irritated” by the “different”, whose imagination does not work, watched this video, would they understand a little better...?

[1] “Blind female student: leg kicked, injured; retaliation for falling over her cane? Kawagoe” Mainichi Shimbun http://mainichi.jp/select/news/20140910k0000m040094000c.html (2014-09-09 20:49)

[2] “‘If you’re blind, don’t ride’, ‘It’s true it’s pretty irritating’: blind girl injured on the Kawagoe Line, sympathy for the attacker pouring in on Twitter” http://matome.naver.jp/odai/2141040600248450501 (retrieved 2014/9/11)

[3] Ministry of Foreign Affairs: “Efforts toward the peace and stability of Japan and the international community” http://www.mofa.go.jp/mofaj/gaiko/jinken/index_shogaisha.html (retrieved 2014/9/11)

[4] “Un-beautiful Japan, explodes” http://app.m-cocolog.jp/t/typecast/30148/31412/80603640

[5] In fact, a pregnant friend of mine has reportedly been shoved and the like, and says trains are frightening.

[6] Professor N told me about it on Facebook.

by Nat at September 11, 2014 01:24 PM

Nat Sakimura

Google’s first “right to be forgotten” public consultation concludes

The first of the seven planned public consultations on the “right to be forgotten”, hosted by Google’s Advisory Council, was held on the 9th in Madrid. According to Reuters [1], eight experts from Spain took part, and several of them, including the head of the country’s association of privacy professionals, questioned whether it is appropriate to leave decisions that affect the public’s access to information to a private company like Google.

Google’s Advisory Council consists of ten members: Chairman Schmidt, Chief Legal Officer Drummond, and the following eight:

  1. Luciano Floridi, Professor at the University of Oxford (known for the philosophy of information)
  2. Sylvie Kauffmann, Editorial Director, Le Monde (France)
  3. Lidia Kolucka-Zuk, former adviser to the President of Poland
  4. Frank La Rue, UN Office of the High Commissioner for Human Rights, Special Rapporteur on the promotion of freedom of expression
  5. José-Luis Piñar, former Vice-Chairman of the Article 29 Working Party
  6. Sabine Leutheusser-Schnarrenberger, former German Minister of Justice
  7. Peggy Valcke, Professor at KU Leuven
  8. Jimmy Wales, founder of the Wikimedia Foundation

That makes ten members in all.

EU authorities welcome this series of consultations, but some, such as Isabelle Falque-Pierrotin, head of the French authority CNIL, are critical, saying that the participants are not selected openly but chosen by Google, which could steer the discussion through that choice.

The content of the series of consultations will be compiled into a report and submitted to Google next year.

The next meeting will be held on the 10th in Rome.

[1] http://jp.reuters.com/article/marketsNews/idJPL3N0RB12P20140910

by Nat at September 11, 2014 12:19 PM

September 09, 2014

Nat Sakimura

Google to hold seven public consultations on the “right to be forgotten” in Europe

According to a BBC News report [1], Google plans to hold public consultations on the “right to be forgotten” in European capitals, seven in total by November 4, starting with Madrid on September 9 [2]. By August Google had received 90,000 removal requests; about half of them actually resulted in removal, while the other half were rejected as inappropriate. Since this has to be balanced against people’s “right to know”, Google cannot simply remove everything, which is the difficulty.

So Google will hold consultations on how to balance the “right to be forgotten” against the “right to know” and consider the question. The consultations are run by an Advisory Council that Google has set up, and the chair is drawn from the Council. The Council is made up of Jimmy Wales, founder of the Wikimedia Foundation, people who formerly worked at privacy authorities, and judges who have been involved in privacy-related cases.

EU authorities reportedly welcome this move, as the consultations begin just before a meeting of the EU member states’ data protection authorities starting September 15 on how to apply the “right to be forgotten” consistently across search engines. On the other hand, Isabelle Falque-Pierrotin, head of the French authority CNIL, is critical, telling Reuters [3]: “They want to be seen as open and ethical. But the Council members are appointed by Google, and they decide who can attend as the audience and what conclusions come out.”

[1] http://www.bbc.com/news/technology-28344705
[2] https://www.google.com/advisorycouncil/
[3] http://www.reuters.com/article/2014/09/08/us-google-privacy-idUSKBN0H308I20140908

by Nat at September 09, 2014 12:19 AM

September 05, 2014

Nat Sakimura

Important changes to Russia’s data protection rules

According to an ACC article of August 29 [1], on July 22 the President signed Russia’s amended data protection law. The law comes into full force on September 1, 2016.

The key change is that the storage and processing of Russians’ data must take place inside Russia; violators are entered in a registry of violators maintained by Roskomnadzor, the Russian communications authority, and are ultimately web-blocked.

According to a Hogan Lovells article [2], the procedure is as follows.

  1. First, a court determines whether the site is in violation.
  2. Once a violation is found, Roskomnadzor notifies the business hosting the website of the violation.
  3. The hosting provider must contact the site operator within one day.
  4. Within one day of that, the site operator must remedy the violation.
  5. If it is not remedied, the hosting provider must restrict access to the website.

This affects companies doing business aimed at Russia and companies with operations in Russia. It reads as though this includes websites that allow Russians to register. Until now, companies without a presence in Russia were apparently outside Roskomnadzor’s reach, but under this law, keeping data inside Russia automatically creates a kind of presence in Russia.

If a website actually tries to comply, it would presumably need to contract with a Russian cloud provider or the like, set up a copy of the site, detect from the IP address and similar signals that a user arriving at the main site is accessing it from Russia, redirect that user to the Russian site and process them there from then on. The data also ends up being managed in two places, which is a burden. And since the law says “Russians”, Russians living abroad are presumably covered as well. In that case you would need to ask for nationality, but in Japan nationality is sensitive information, so that is awkward. Perhaps a checkbox along the lines of “I am not Russian”...

From Russia’s side, perhaps the thinking is that with such legislation, websites that dislike duplicate management will move to Russian clouds, but I wonder. It may simply result in Russia being bypassed. Or perhaps something originally intended for medical or genomic data got generalized somewhere along the way.

According to experts, this law will have a large impact on foreign investment in Russia and will probably be amended before it takes effect, but in any case, affected companies have reached the point where they should at least watch developments and consider how to respond.

Note that this amendment introduces no new fines, so the existing ones apply. The amount is RUB 10,000 [2], a little under 30,000 yen. That is no big deal. It would be troublesome if, as in the EU, it became something like 5% of worldwide turnover, so I sincerely hope no such change is made.

In any case, I will look into this further and report here when I learn something new.

[1] http://www.lexology.com/library/detail.aspx?g=a6877256-b7bc-4278-b984-d364ad150bf4

[2] http://www.hldataprotection.com/2014/07/articles/international-eu-privacy/russia-enacts-new-online-data-laws/

by Nat at September 05, 2014 02:10 AM

September 04, 2014

Kaliya Hamlin

I’m running for Mayor* again!

I’m planning on running for Mayor * again (a position on the NSTIC Steering Group Management Council) – this time for a different “municipality” (delegate representative).

Currently I am the Consumer Advocate delegate – I’m going to shift my membership and join the IDESG with my hat as Executive Director of PDEC and run for the Small Business and Entrepreneur delegate on the Management Council.

If you want to be a part of the IDESG and VOTE in this round of elections you MUST register by February 14th.  

Go to KaliyaforMayor.org to learn more about my campaign & register to vote OR just go to their site if you are new. If you registered last election you have to submit the new/updated membership agreement including signing it and sending it in. Send an e-mail to administrator@idecosystem.org to update your registration.

Why the shift in my mayoral race to a new stakeholder delegate category? Simply put, it creates greater alignment with the main focus of my day to day work on two fronts.

  • PDEC is a trade association of entrepreneurs from around the world working on developing personal clouds and services.
  • I myself am a small business owner: Unconference.net is my conference design and facilitation business.

It seems like it was just yesterday that I ran for Mayor * (The Consumer (and Citizen) advocacy delegate on the management council of the Identity Ecosystem Steering Group for the National Strategy for Trusted Identities in Cyberspace) but that was in August. Another round of elections is happening this spring.

I have been to all the Management Council meetings even those that happened at 3am local time when I was in China in September. Much of the energy and attention in this first period of NSTIC was on the governance of the steering group but now we are focusing on getting real work done.

In December I was asked by Brett McDowell, chair of the Management Council, to chair a sub-committee of the Management Council focused on collecting Holistic Pictures. We have completed our work; you can see it here.

I also have been helping people who were involved in the NymWars who have an interest in ensuring that NymRights issues are represented within NSTIC.

Recently within NSTIC there has been a focus on business models for businesses and overall market models. I think that PDEC companies have a lot to offer in this effort and are really making privacy protecting, end user empowering business models.

by Kaliya Hamlin, Identity Woman at September 04, 2014 05:31 AM

Kaliya Hamlin

It’s NSTIC election time!

So it’s NSTIC election time!

I’m running for the Consumer (And Citizen) Advocacy delegate position on the Management Council of the Steering Committee for the National Strategy for Trusted Identities in Cyberspace!  Learn how to vote for me and get involved at KaliyaForMayor.org and see my campaign video.

I, like many in the identity community, have been paying attention to and tracking this since the first draft of the proposal two summers ago.

They wrote a draft we gave input. They announced they would be launching a strategy in Silicon Valley then they launched the Strategy.

They wrote a Strategy and then hosted a Governance and Privacy technical “workshop”. Both were poorly designed and kinda ineffective but nonetheless well intentioned.

They asked us how it should be governed with a “Notice of Inquiry” about that last summer (I submitted my ideas; others did too).

The technical meeting about NSTIC was woven in with IIW #13 last fall.

They had a briefing about the Grants for pilot projects (I attended via webinar).

They ( the NSTIC National Program Office) put forward a charter and by-laws. They have an Identity Ecosystem Steering Group webinar.

by Kaliya Hamlin, Identity Woman at September 04, 2014 05:07 AM

Kaliya Hamlin

NSTIC Governance….Privacy Interests

This past weekend I finally got onto a bunch of mailing lists for NSTIC including the governance one. (you can too)

It is a generally accepted best practice that governance systems should be developed by the communities that need to live by them. With NSTIC the stakeholders were handed a charter and bylaws created (primarily driven by the vision of one guy) in the NSTIC National Program Office. They kept saying “there is consensus” around the charter and bylaws…but there wasn’t; they were sort of thrust upon us and not developed by us. We chose to accept them for now and are now in the process of re-visiting the bylaws handed to us and we agreed to for a short period to get things going.

The draft by-laws include a privacy standing committee that has veto power over the outcomes of Identity Ecosystem Steering Group.

One theory about why this is, which I have heard more than once from industry folks involved with NSTIC, is that the privacy constituency “got” this committee and its veto power as a deal to participate in NSTIC. We don’t know … cause the process of how this idea of having this committee have a veto was not transparent or open.

If we are committed to actually having a consensus based process then no one group committee needs a veto.

I said on the chat during the call that there was a mistrust issue. I don’t trust giving the privacy advocates a veto in part because they don’t currently show up and engage with industry in the development of the tools and technologies. I have regularly invited privacy advocates to participate in the Internet Identity Workshop and I regularly have those invitations declined. I will call out the specific groups: the ACLU of Northern California and the EFF. (Having received a cool shoulder from them I haven’t pursued inviting other groups; however the woman from the World Privacy Forum who spoke today on the governance call would be great to have at IIW.) Both claim “nonprofit” poverty and say lack of budget to attend such events. (IIW has an early bird ticket price of $150 and includes three meals a day for three days….so it’s not expensive). Both have multi-million dollar budgets and choose not to invest, as part of how they spend their resources, on showing up in forums like IIW with industry “making the sausage” of open standards for how identity will work for people on the internet.

Organizations like this tend to spend their money on lawsuits against companies who have violated privacy. I don’t disagree that EPIC and other groups should be holding Google and Facebook accountable for changing their settings in ways that violated user expectations and therefore one version of what privacy is. However if that is all they do…(sue and file complaints with government agencies) then it is like investing in prisons instead of schools. If you invest in schools you won’t need prisons later to hold the citizens who become criminals because they didn’t get a good education.

If they chose to invest in the fora where technical standards are made and work with industry to ensure that the interoperable systems they design are in alignment with core functional requirements that give people control of the flow of information about them in digital systems (what we might call privacy). Then they wouldn’t have to file so many law suits down the road cause they would work well.

There is also the issue that “Privacy” isn’t ONE THING.

See: Solove – Taxonomy of Privacy 

Until it is clearer what the groups who are pro-privacy mean and how they see it being instantiated in the standards that become the code that will be the basis for the ecosystem, it feels really hard to engage or trust them with a veto.

My fear is that a structure for IDESG that includes a privacy committee with a veto will continue to foster the current pattern of industry interaction. The privacy interested groups will stay away from really engaging with technology developments as they are done BECAUSE they have a veto over them .. at the end of the process. They will stand on the sidelines and then swoop in and kinda “gotcha” those in industry who have been working together.

by Kaliya Hamlin, Identity Woman at September 04, 2014 05:06 AM

Kaliya Hamlin

Consensus Process and IDESG (NSTIC)

In my governance NOI response I proposed several different methods be used to solicit input from a wide variety of stakeholders and bring forward from those processes clear paths for making a real strategy that take input from a wide range of stakeholders.

When the first governance drafts came out of the NPO, they articulated that the steering committee would operate via consensus BUT then it also articulated a whole set of voting rules for NOT abiding by consensus.

When I asked about their choice of using the term consensus to define a particular methodology – they came back and said well we didn’t actually mean to suggest the use of a particular process.

But consensus IS a process method I said…and they said we didn’t mean to proscribe a method. So we were sort of in a loop.

Now that we are in this stage that is considering governance and systems for the community of self identified stakeholders (and people beyond this group who will be the users of the outputs), what I don’t know is if people really know what real consensus process is or if we have anyone who is experienced in leading actual consensus processes. It keeps feeling to me like we are using Robert’s Rules of Order and then getting everyone to agree – thus having “consensus”. That isn’t consensus process.

Tree Bressen, who was the leader of the Group Pattern Language project (I participated along with many others in its development), has an amazing collection of resources about consensus process including a flow chart of consensus process and Top 10 mistakes to avoid them.

Are we using consensus process?

One of the big issues of our democracy today (in the liberal west broadly) is that we have this tendency to believe that “voting” is the thing that makes it democratic. Voting is a particular method and one that by its nature sets up an adversarial dynamic. There are other methods and ways of achieving democracy and we can go well beyond the results of our current systems by using them. Tom has done a lot of research into them over the years at the Co-Intelligence Institute and has published two books The Tao of Democracy and Empowering Public Wisdom. 

I am glad methods outside what has been the normative frame of “Robert’s Rules of Order” as Democracy are being considered…however we need to be clear on what process we are using.

by Kaliya Hamlin, Identity Woman at September 04, 2014 05:05 AM

Kaliya Hamlin

IDESG Governing “us”: Challenge 1 for NSTIC

I am posting to this blog the two posts I made to the NSTIC IDESG governance list on Tuesday. Here is the first one on Governing “us” (that is the word “us” not U.S.)

I only got on the [governance] list over the weekend despite raising my hand to be a part at some point in the Chicago meetings.

I am working to track all that is being discussed and I also want to breathe and step back a bit. I want to share two bigger challenges and perspectives.

First Challenge: how are we connecting/structuring and governing the interested stakeholders who ARE showing up to engage? How are we, as Bob just asked, creating ways, systems, processes and tools forward to create alignment and agreement?

Second Challenge: How are we meaningfully and regularly checking in with those outside the community of self selected stakeholders – with regular citizens who have to use the currently broken systems we have today and hopefully will be enthused and inspired to adopt the outcomes of this whole effort?

They are two quite different but related challenges. This e-mail will deal with challenge 1. The next one with Challenge 2.

We are looking at system design and catalyst work to facilitate emergence. This requires systems thinking, and system oriented methods and tools are needed.

Why am I using what seems like “mushy” language – not cause I live in Northern California and hang out with “hippies” there…I’m using it very specifically because WE DO NOT HAVE CONTROL in the way that the current language of management and government would lead us to believe. This is especially true when we are dealing with a networked voluntary system (as outlined in NSTIC) rather than a closed kind of container created by a company or within a government in its own domain.

Systems Thinking 101 from Donella Meadows is a good place to start: http://www.chelseagreen.com/bookstore/item/thinking_in_systems/

Berkana (http://berkana.org/) and the work of Meg Wheatley (http://margaretwheatley.com/), whose background is as a former Organizational Development consultant who left because the field refused to see organizational systems of people as living, as being organic beings.

I specifically named two very concrete methodologies in my NSTIC NOI that I thought could be applied over the course of the past year and lead into an event like we had in Chicago. None of my suggestions were heeded nor was I asked how they could be done/adapted given the government’s constraints in terms of not having “advisory committees” or something.

We were all just jammed into that Chicago meeting and many stakeholders had very little familiarity with who others were or what their perspectives might be. There was certainly no coherent agreement about any system we were working towards building.  (although it seems that corporate insiders certainly seem to think they have figured some stuff out about how they think things will/should be/work).

You can see the whole of my response linked off this page – http://www.identitywoman.net/nstic-response-by-identity-woman

Let me point you specifically the two methods I suggested –

Polarity Management Mapping – http://www.identitywoman.net/ecosystem-maps-present-evolving-future

Value Network Mapping- http://www.identitywoman.net/value-network-mapping-and-analysis

I co-wrote the chapters in the response with the founders of the methods themselves.

IF the NSTIC NPO had been foresighted enough to do either of these at a cost of a few hundred thousand dollars in small meetings around the country, inviting highly diverse stakeholders based in those cities together to talk for a day within a structured format of producing one of the outcomes, we would have several 100 maps to “see” a big picture of what those who are stakeholders think could/should/might be built and what the issues and tradeoffs are. We would be in a better place to make forward progress now…instead we are starting off trying to get to know far distant stakeholders….and we can’t make much progress until those connections/relationships and subsequent understandings can happen in their own time.

Governance emerges once there is clarity from those who are seeking to have structure about how it should be structured to achieve the shared purpose… they willingly submit to those because they want to get to the end goal together and have it work.

We have to build greater coherence and alignment (http://www.identitywoman.net/alignment-of-nstic-stakeholders) amongst the stakeholders (dividing us all up onto 40+ lists DOES NOT HELP; who is governing that proliferation BTW?).

Without more proactive connectivity across stakeholder communities and a fairly intensive process of getting them in rooms together (this can happen in many places) we will likely find it very hard to move this whole NSTIC thing very far.  Shared Language and Understanding are critical…my NOI touched on these too – defining them and reflecting on how they have helped the user-centric corner of this community find a coherent voice.

Shared Understanding – http://www.identitywoman.net/ecosystems-collaborate-using-shared-language-nstic

Shared Language – http://www.identitywoman.net/ecosystems-collaborate-using-shared-language-nstic

I was very serious when I proposed in the below section that we should be using the squirm test – YES!!! to figure out if we are in alignment – if we agreed to this method – then the privacy people wouldn’t need a veto – it would be obvious that things couldn’t move forward because they would be squirming until the visions aligned.

Shared understanding arises from shared language. When groups collaborate effectively together, a recognizable pattern emerges for shared understanding. This means unifying a goal/mission/vision so that the question “what are we trying to do” doesn’t continually come up. Within this pattern collaborators aren’t in group think but agree about their disagreements and understand what they are trying to do together.

Eugene Kim, along with some colleagues, created The Squirm Test to measure the level of shared understanding in a group:

The Squirm Test is performed on a group of people collaborating on something together. You get all of the people in a room, seated in a circle, and sitting on their hands.

The first person then stands up and spends a few minutes describing what the group is working on and why. No one is allowed to respond except to ask a clarifying question.

When the first person is done, the second person stands up and does the same thing, articulating the group’s goals and motivations in his or her own words.

Everyone in the circle speaks in turns.

You can measure the amount of shared understanding in the group by observing the amount of squirming that happens during the process.

The squirm test is qualitative, but it is repeatable, measurable and visible to the whole group that does it.

So, I can just hear the chorus…”what is your proposal” Kaliya???

I am not putting one forward…in part because I am not sure anyone has even heard or “gets” what I am talking about systems wise. If you do…great then let’s go from there and talk about how we can make key understandings from this come alive in these documents and that will be lived by the structure we are creating over time.

by Kaliya Hamlin, Identity Woman at September 04, 2014 05:05 AM

Kaliya Hamlin

IDESG: Governance beyond “us” Challenge 2 for NSTIC

Second Challenge:  How are we meaningfully and regularly checking in with those outside the community of self selected stakeholders – to regular citizens who have to use the currently broken systems we have today and hopefully will be enthused and inspired to adopt the outcomes of this whole effort?

The openness of NSTIC overall was inspired by the Open Government memo (http://www.whitehouse.gov/the_press_office/TransparencyandOpenGovernment) signed on the first day in office. It inspired a lot of my colleagues in the dialogue and deliberation community. (Yes, I have another life/career doing facilitation – see http://www.unconference.net)

They went to work figuring out how to be sure that coherent resources and tools were available to those who were now mandated to “do” open government and have more public participation.  Tom Atlee, the person with whom I co-wrote the Governance section of my NOI, was one of the leaders of this, working with the NCDD (the National Coalition for Dialogue and Deliberation) to define 7 core principles of public engagement.

Blog post that outlines them: (http://ncdd.org/rc/item/3643)

12 Page PDF: http://ncdd.org/rc/wp-content/uploads/2010/08/PEPfinal-expanded.pdf

The Core Principles for Public Engagement

These seven recommendations reflect the common beliefs and understandings of those working in the fields of public engagement, conflict resolution, and collaboration.  In practice, people apply these and additional principles in many different ways.

1. Careful Planning and Preparation
Through adequate and inclusive planning, ensure that the design, organization, and convening of the process serve both a clearly defined purpose and the needs of the participants.

2. Inclusion and Demographic Diversity
Equitably incorporate diverse people, voices, ideas, and information to lay the groundwork for quality outcomes and democratic legitimacy.

3. Collaboration and Shared Purpose
Support and encourage participants, government and community institutions, and others to work together to advance the common good.

4. Openness and Learning
Help all involved listen to each other, explore new ideas unconstrained by predetermined outcomes, learn and apply information in ways that generate new options, and rigorously evaluate public engagement activities for effectiveness.

5. Transparency and Trust
Be clear and open about the process, and provide a public record of the organizers, sponsors, outcomes, and range of views and ideas expressed.

6. Impact and Action
Ensure each participatory effort has real potential to make a difference, and that participants are aware of that potential.

7. Sustained Engagement and Participatory Culture
Promote a culture of participation with programs and institutions that support ongoing quality public engagement.

These were developed by a range of practitioners who use a range of methods and are widely accepted by this community as good advice – WE SHOULD LISTEN to and follow them too.

They also worked on defining different streams of engagement – each with different methods that can be effectively applied to different types of situations.

  •  Exploration
  •  Conflict Transformation
  •  Decision-Making
  •  Collaborative Action

Blog post – links to downloads of several PDFs – http://ncdd.org/rc/item/2142

With NSTIC and the challenges we are working to address we touch on all those different streams.

They also have a Resource Guide that is short – well written and clear and worth reading if you want to understand what I am talking about. Blog Post with links to PDFs – http://ncdd.org/rc/item/4471

I am familiar with almost all the methods and have among my network colleagues from this sphere of knowledge practitioners who are amongst the world’s best or even the inventors of those methods.

In my NSTIC NOI (http://www.identitywoman.net/insight-for-governance) I propose that the “steering committee” (what now seems to be the “management council”) should not actually be “making decisions” but rather convening open forums (of various types), taking the results of those and then STEERING based on that.

To be concrete I outlined three different methods that could be used – it didn’t have to be “these methods” other ones could be chosen too.

I wanted to outline “Process as Policy” – that we would govern and lay out that a certain kind of meeting (maybe not a specific method but different qualities/requirements of a method) would happen on a regular schedule, and that the outcomes of it would be public and it would be a source of real insight.

I proposed NO requirement to “join” something we are calling a “plenary” or to have vesting be a requirement for ongoing say/voting. Or that these meetings would have such a requirement… I envisioned these to be meetings that were open to anyone – they would likely lean towards existing self identified stakeholders and in fact…stakeholders who have some time but not huge amounts of time would come to trust these regularly held yet open meetings as a way to dive in.. participate…give real input – trust that the wisdom of the whole would be surfaced and choose to re-engage again in 3 months, 6 months, 1 year.

This would balance out power…between two groups – those who have a lot and those who have a little.  What power am I talking about? The power to have enough time/money/energy to show up constantly.  While it is noble and in one way accurate to assert that this is a “volunteer” body…some of the volunteers are being PAID by their employers for their time “volunteering” and thus have far greater capacity.  We can pretend that this is not there but it is.   If the only “valid” way to participate is long term ongoing vested requirements (you must attend a certain number of meetings or you are not a valid member)….that will skew the ongoing output of the community.

This touches on my first e-mail about Challenge 1 – the “us” of people who self identify as stakeholders.

I also saw these meetings as an opportunity for the regular general public to be engaged and express themselves – explore issues, give meaningful feedback to industry, government and “the stakeholders” that “represent” them – the Privacy people and Consumer Advocates.

Per the Core Principles outlined above … yeah those – they need to be well planned.

We need to think about ways to systematize engagement – one way that could be done and is a proven way to get meaningful (accepted on a national level in small countries) citizen engagement / decisions with science and technology policy is the citizen’s deliberative council (or Jury) http://co-intelligence.org/P-CDCs.html.

I first learned about it from Tom Atlee and he wrote about it (and other great methods) in his book the Tao of Democracy.  It takes randomly selected citizens and pays them to come together for a week and basically hear from all sides…learn from experts (kinda like how congress in the US holds hearings…but “they” the people sit in the congress people’s seats interviewing the experts etc.).  Then, having got a whole range of input from across the spectrum of possibility put before them, they deliberate and put forward what they think the best option/policy should be.

Another method that is similar is a Wisdom Council (http://www.co-intelligence.org/P-wisdomcouncil.html) that uses a method called Dynamic Facilitation. If implemented it would bring 24 randomly selected people together and basically ask them how they were doing with their identities online – were they working for them? etc. Get a “report” from the people of the state of their reality.   The results would be made public and they wouldn’t be being asked to provide an answer…different years would have different very diverse types of people..they would surface different issues and needs but in time…if we are doing what is asked of this group – then their experience of using online ID will get better and it will be evidenced in the result of the process.

These are two clear concrete ideas…there are many many options. I will be attending (and speaking at, about identity online in public engagement processes) the National Coalition for Dialogue and Deliberation (http://ncdd.org/) conference in Seattle on October 12-14. This is really the world’s leading forum for practitioners and implementers of dialogue and deliberation methods and tends to have a heavy emphasis on public participation in government.  If we had even a couple of you on this list attending we could engage with the material and come back with ideas/recommendations.

Just as in my previous post I don’t have a proposal beyond the fact we should be mandating a cyclical process to have real meaningful engagement with the public that they can come to trust (know it will happen) and thus trust (have faith in the good will / non-evilness of) what is being put forward through NSTIC.   Since I am using the word trust I should qualify and say that I am using it at the systems and societal level…and that in using that word we should take care to know for ourselves and know for our community efforts what level we are talking about and be explicit rather than throwing the word around (see my blog post on the issue of the use of the word trust within our sector – http://www.identitywoman.net/the-trouble-with-trust-the-case-for-accountability-frameworks).

No one of these processes is a magic bullet. They all have different positives and negatives, they have different costs, different needs for better or more involved design, and different needs for more or less facilitation (for example a home study guide for a book club on identity would be high design/input/research, low facilitation needs, as groups would download and self facilitate).

We need to discern what kinds of engagement we need both in the short term and longer term…and make space for them within our governing structures/systems and documents we are writing.

As I said in my last e-mail. I will be on the call tomorrow and have requested time to speak…but I would like to use my time to answer questions about what I have said here. [Feel free to post questions on this blog in comments...if you want to ping me in e-mail and let me know you have done so that would be great!]

– Kaliya

by Kaliya Hamlin, Identity Woman at September 04, 2014 05:04 AM

Kaliya Hamlin

NSTIC and She’s Geeky

I took the opportunity of the women’s technology conference I run (She’s Geeky) to host sessions about NSTIC.  This diagram was drawn.  It articulates the issue of attention and participation based on those in industry and those not “in” industry.

by Kaliya Hamlin, Identity Woman at September 04, 2014 05:03 AM

Kaliya Hamlin

What could Kill NSTIC? PDEC White Paper Released

My colleague at the Personal Data Ecosystem Consortium, Phil Wolff, hosted sessions at the last two IIWs that invited community consideration of the risks to NSTIC. He has put together a paper that outlines the results of these two sessions, which were titled “Death to NSTIC”; the white paper is “What Could Kill NSTIC: A Friendly Threat Assessment”. He has a video about it and you can download it from our website.

It also has a Bonus Section I wrote that:

  • Explains some of the background of NSTIC
  • Articulates the 6 main parts of NSTIC and what they do
  • Explains the relevance of NSTIC to the companies in the Personal Data Ecosystem Consortium.

by Kaliya Hamlin, Identity Woman at September 04, 2014 05:03 AM

Kaliya Hamlin

NSTIC in six simple parts

One of the challenges with the whole NSTIC thing is that it has a bunch of different parts. I wrote up this description as part of our What could Kill NSTIC paper.

NSTIC National Program Office. The NSTIC NPO operates within the Department of Commerce’s National Institute of Standards. It is led by Jeremy Grant. The office has several full time staff and they are responsible for the transition of NSTIC from a US government initiative to an independent, public-private organization. They’re smart, talented, and they care.

Identity Ecosystem Steering Group (IDESG). The NPO invited many people, NGOs, government bodies, and companies to participate in building an identity ecosystem in the Identity Ecosystem Steering Group. All the people and organizations who sign up to be a part of this are together called “The Plenary.” The NSTIC NPO wrote IDESG’s charter and its first bylaws.

IDESG Management Council. The IDESG management council is elected by the members of the plenary who self-selected into stakeholder categories. Each stakeholder category elects a delegate to the Management Council. The entire plenary also elects two at-large positions and two leadership positions. The management council can create sub-committees to get its work done. I chaired one that collected holistic ecosystem pictures, for example.

Committees within the IDESG Plenary. These committees do the actual work of making the identity ecosystem’s vision a reality. New committees can be proposed by any member. Committee membership is open to all plenary members. The work and activity of the committees is shared openly. A few of the active committees are working on standards, privacy, trust frameworks, accreditation, and nymrights.

The Secretariat. The NSTIC NPO awarded a $2.5 million contract to provide support services to the Identity Ecosystem Steering Group. Trusted Federal Systems won the contract to act as the IDESG’s “Secretariat.” They coordinate meetings, manage listservs, and the like.

NSTIC Pilot Projects. In early 2011, the National Program Office put forward $10 million in funding for five pilot projects that worked to solve some of NSTIC’s challenges. Grants were awarded in September 2012 and run for one year. The pilot projects were set up before the IDESG existed and the IDESG had no input into the selection of the winning pilots. 187 different initial pilot projects applied for grants, 27 were selected to submit full proposals, and five were selected. Applications for a second round of pilots are coming in Q1 2013.

by Kaliya Hamlin, Identity Woman at September 04, 2014 05:02 AM

Kaliya Hamlin

Super Trip Review from NSTIC to RSA

I’ve been on two super trips recently.  One went from before American Thanksgiving to early December. This last one was much of February beginning with NSTIC and ending with RSA. I wrote this in pen and paper last week and typed it up today.

One way I manage to get around is to piece together what could only be considered “super trips” – 18 days.

I actually started off at home on Feb 2nd helping Van Riper run the Community Leadership Summit West. It’s an unconference for mostly technical community leaders, but also managers, and was inclusive of other community based community leaders. I will have a blog post about it up on my Unconference.net site.

February 4th I headed to NSTIC’s 3rd plenary in Phoenix. I presented the results of the Holistic Picture Visualization Sub-Committee printing out the images we found online.  Bob Blakley and Brett McDowell did a good job shaping the agenda and inviting plenary participants to connect with the big vision of NSTIC of 10 years out.

  • All implementation actions are complete, and all required policies, processes, tools, and technologies are in place and continuing to evolve to support the Identity Ecosystem.
  • A majority of relying parties are choosing to be part of the Identity Ecosystem.
  • A majority of U.S. Internet users regularly engage in transactions verified through the Identity Ecosystem.
  • A majority of online transactions are happening within the Identity Ecosystem.
  • A sustainable market exists for Identity Ecosystem identity and attribute service providers.

While at the same time reminding us that on the way to getting a man on the Moon we got a monkey into the ionosphere – so what is our monkey in the ionosphere? At the plenary, groups were invited to articulate this:

  • Relying parties from multiple sectors are demonstrating identity and strong authentication credential interoperability
  • It is easier to use than the broken user account and password methods
  • Licensed professionals now have a common way to express credentials and ongoing certification.   No longer do licensed professionals need to scan, fax or otherwise send paper copies proving their qualifications every time another client seeks to retain their services.
  • allows citizens to securely establish a multi-purpose single identity that will significantly reduce, and eventually eliminate, the need to create and maintain multiple passwords and PINs.
  • Secure web accounts for use in circles of on line providers by 10 banks, 15 insurance companies and 25 hospitals.

February 7th I headed to Washington DC to work with my colleague at PDEC Steve Greenberg who is based there. We came up with some great new metaphors to explain for what is happening on the Personal Data Ecosystem.  You will have to come to one of our seminars if you wanna know ;)

I logged in to find a place nearby via AirBnB and had to go through KBA to do so (I had a choice I could have held up my drivers licence beside my face and turn on my camera too).  They also strongly encourage people to login with Facebook.  Your username is prominently displayed and well I didn’t get that in choosing Kaliya this was the case. I have to see if I can change this. I stayed with a great couple – they had just given up cable in exchange for Netflix and Hulu. We watched the first episode ever of Star Trek.

I took a BoltBus from Baltimore to NYC with 4h to get to JFK for my direct red-eye flight to Vienna. I was met by Rainer Hober at the airport. He and Markus Sabedello invited me to help them put on an unconference in the spirit of IIW – the name of it became the European Workshop for Trust and Identity.  Rainer did an amazing job of pulling it all together and Terrena folks were well represented among the 40 people. There were folks from at least 12 different countries.  You can see the notes here.

I was excited to learn new things and have new insights / clarity – not so easy these days.  I will write a post about the insights from this particular session where I whiteboarded some new understandings.

A key to super trips is to not make travel too stressful. So mid-day Wednesday I travelled to London. I went to a friend’s flat and headed to the Innovation Warehouse to touch base with Tony Fish & prep for the first ever seminar. It went well – I covered more material than I planned for the day.

We had:

  • 2 Consultants
  • 1 guy from a Telco
  • 1 Investor
  • 1 University Student
  • 1 Business guy

Three knew Tony well, 1 had seen our diagrams circulating and looked us up.

The next day I had the day off in London and met with Jon Sharman and his daughter about the idea of an identity film festival of both short and long films.  We had the idea of creating an identity game with trump cards. I went to the Muji Store <3 Then I met up with Peter Stepman from WPSChallenger for a drink and some food while we wandered to a new part of London.

I headed to DC mid-day Sunday and stayed with a friend from the identity community. I met up with Greg who runs myUSA. They are looking at how people can use personal clouds to fill out government forms.  We talked about Identity standards and what is emerging in the industry. I encouraged him to head out to IIW.  It turns out we met about 10 years ago at an event that Susan Mernit put on.

I headed to NYC for our now postponed Seminar there. I got to meet up with Allison Fine who invited me to contribute to the Anthology Rebooting America. She is working on a new project on how us being networked is impacting collective generosity.

I took a break and saw Avenue Q off broadway. It was super fun – basically Sesame Street for adults.

I was reminded by a friend about Brene Brown’s work on whole hearted living. The only difference between those who experience whole hearted is that they believe they are worthy of love and belonging. I totally recommend all 3 of her TED talks and this other one.

The East Coast part of the trip ended with my meeting up with a guy who pinged me from the internet because my blog is referenced in the Wikipedia Social Login article (with a rare direct link pointing to my identity spectrum post). It turns out the company has a product in the personal data space. I headed to Seattle and spent the morning with my Unconference.net colleague Bill Aal.

by Kaliya Hamlin, Identity Woman at September 04, 2014 04:59 AM

Kaliya Hamlin

How to Join NSTIC, IDESG – A step by step guide.

The National Strategy for Trusted Identities in Cyberspace calls for the development of a private sector led effort to articulate an identity ecosystem.

To be successful it needs participation from a range of groups.

An organization was formed to support this – the Identity Ecosystem Steering Group in alignment with the Obama administration’s open government efforts.

The “joining” process is not EASY but I guess that is part of its charm. It is totally “open and free” but challenging to actually do.

PART 1 – Getting an Account on the Website!

Step 1: Go to the website: http://www.idecosystem.org

Step 2: Find this box on the right hand side of the site.

Step 3: Log in to the website.

You can use any e-mail address you want to do so if you click on the button labelled IDESG.

If you have a Yahoo! e-mail address OR a Google/GMail account you can use that by clicking on their respective buttons – but the next steps that follow are for the IDESG button path (recommended).

Step 4:  Click on the button circled below.


Step 5: Enter the information requested.


Step 6: Pick a Time Zone!

The note in red is making it clear that when you are sent a form to fill out with the membership agreement in step __, you must write down the same e-mail address that you have here so they can correlate your account to membership.


Step 7: Confirm that you want an account. Click the Button.


Step 8: You should see this screen. Make sure you check your e-mail account – it will have a link you click on. Then you can log in to the website.


Step 9: You might see this screen.


Step 10: Contact the site administrator at this e-mail address: idecosystem@trustedfederal.com or phone them at (240) 403-4092


PART 2 – Filling out Membership Form on Website!

Step 11: Go to this page to access the new member registration application: http://www.idecosystem.org/page/join-idesg-0   Fill out the fields of the application.

You will be asked to pick a stakeholder category. 

I recommend either the #11 Small Business and Entrepreneur category if you are an individual who has a business,

OR the #3 Consumer Advocate Group if you represent people in your work.

PART 3 – Sign and SEND in the form

Step 12: You will get an e-mail from the administrators of the organization with a membership agreement.

  • You need to print it out and read it or at least scan it
  • Sign it
  • Return it  (via fax OR scan -> email)

The agreement has a clause about intellectual property – this can scare some people. It is basically saying that contributions you make to public mailing lists can be posted online by the organization and used in the work outputs of the organization. It is common in technical communities and supports sharing and development of collective work products.

Step 13: You will get a confirmation from the administrators and you will be officially a member.

Trouble Shooting

How you can get involved is another post….so stay tuned.

by Kaliya Hamlin, Identity Woman at September 04, 2014 04:56 AM

Kaliya Hamlin

How to Participate in NSTIC, IDESG – A step by step guide.

The Identity Ecosystem Steering Group is a multi-stakeholder organization (see this post about how to join). Technically you can participate on lists even if you are not a member, but it is better that you go through the process of joining to be “officially” part of the organization.

If you join the IDESG it is good to actively participate in at least one active committee, because that is where the organization’s work is done – any person or organization from any stakeholder category can participate.

The committees have mailing lists – that you subscribe to (below click through where it says Join Mailing list and put in the e-mail address you want to use, share your name and also a password).

On the list the group chats together and talks about the different work items they are focused on.  They have conference calls as well to talk together (these range from once a week to once a month).  You can also contact the chair of the committee and “officially” join but that is not required.

If you are reading this and getting involved for the first time – read through this list and pick one of the committees that sound interesting to you.  They are friendly folks and should be able to help you get up to speed – ask questions and ask for help. This whole process is meant to be open and inclusive.

It might be confusing but that is ok.  You haven’t learned all the language of this very particular sub-industry. Remember you can always ask me questions and I can connect you to a community of others who are engaging with this field for the first time.

The next Face to Face meeting is happening April 1-3 in Mountain View California. It is totally open and free you can register here. Follow just one of the committees and maybe two and join us there – if you can only make it for part of a day you can come when the committee you have been following meets.

Trust Framework and Trust Mark Committee

Very important work is going on in this committee.  It will define the legal, policy and technology underpinnings of the whole effort to get identities to work.  Some of the questions that I have about the outcomes of this work are:

  • Will the policy and technology choices (they call these trust frameworks) respect people and their rights online?
  • Will they let people who are citizens define how they are “seen” online or will they only permit “real name – verified identities” to be used?
  • How will end users be protected, both with policies and technologies, from the sites where they use their digital identities, and from the services that help them use their digital identities?

This group is VERY active right now – that means they are producing work very fast and the outcome is basically the CENTRAL DOCUMENT outlining “how” this identity system will work. It needs attention to track it, ask questions and give substantive input.

The Committee Work products, Work Plan and Collaboration space.

Join the mailing list here –  Documents for meetings – It meets EVERY Wednesday at 3pm EST / noon PST for two hours.  To see all their documents click on this page and then on the file folder for “Functional Model AHG”

Functional Model Group

It is currently working on getting feedback on these documents:

  • The Functional Elements Applied PPT.
  • Functional Models Applied PDF to go with the PPT

Yep they are very confusing – they are confusing to me too.

Join the mailing list here – I can’t find its meetings on the calendar.

To see all their documents click on this page and then on the file folder for “Functional Model AHG”. The wiki is here.

Policy Committee

This committee is working on the development of policy recommendations for the White House and legislators. These will likely influence what provisions might come into law, all with the goal of helping the vision of the Identity Ecosystem being developed in this institution come into being.

The current draft of the document: IDESG Policy Committee findings on policy incentives (as best as I could find)

Join the mailing list here – It does not have meetings currently scheduled; they will be announced on the list.

To see all their documents click on this page and then on the file folder for “Policy Coordination Committee”

Use Case Committee

This group is defining all the different use-cases, that is the stories of how regular citizens will use the system.  My concern is they have developed detailed cases such as ____ and ___ without ever speaking to real people from those groups or who have those needs.  The generic use-cases about Authentication and Proofing also impact different populations of people differently and diverse input is essential.

The use-cases are then used to define the different technology and policy building blocks in what they call a Functional Model.

Join the mailing list here – It meets every Wednesday at 4pm EST/1pm PST

To see all their documents click on this page and then on the file folder for “Use Case AHG”. The wiki is here.

Security Committee

This group is looking to define a security model for use in the Identity Ecosystem. It has many different sub-committees including Taxonomy, Attributes, Functional Model and Use-Cases.

The Mailing list is here.  It meets every Thursday 2pm EST/11am PST  

To see all their documents click on this page and then on the file folder for “Security Committee”.

They are just starting to hold meetings on the Security Evaluation Methodology.

Standards Committee

This committee is working on so many different things and has spawned 4 Ad-Hoc/Sub Committees.

The Standards Coordination Committee will be responsible for coordinating, reviewing, and recommending the adoption of technical standards to facilitate interoperability within the Identity Ecosystem.

The Mailing list is here –  Its Documents are here. It meets every Thursday 11am EST/8am PST

To see all their documents click on this page and then on the file folder for “Standards Committee”

Taxonomy Committee

This committee is defining the words that we use to talk about the Identity Ecosystem – such as Pseudonymous Transactions, Credentials, Attributes, Identifier.

The Mailing list is here – It meets every Thursday 12:30 EST/9:30 PST

To see all their documents click on this page and then on the file folder for “Taxonomy AHG”

Privacy Coordination Committee

The Privacy Coordination Committee will be responsible for seeing that other Committees’ work products adhere to the Privacy-enhancing and Voluntary Guiding Principle.  All work products developed by all other committees pass through this one. The model of privacy they have is oriented to the Fair Information Principles and Practices developed in the 1970s – and doesn’t necessarily look at new ideas of how to manage the needs of people having dignity.

Join the Mailing List here - It meets the first Tuesday of the month at 4pm EST/1pm PST.

To see all their documents click on this page and then on the file folder for “Privacy Coordination Committee”

Financial Services Committee

This group creates space for those from the Financial Industry to contribute the specific needs of that industry into the work of the IDESG.

Join the Group Mailing List on this Page   They meet the 2nd & 4th Tuesday of every month at 11am Eastern Standard Time

To see all their documents click on this page and then on the file folder for “Financial Services Committee”

Health Care Committee

This group creates space for those from the Health Care Industry to contribute the specific needs of that industry into the work of the IDESG.

Join the Mailing List here -  It meets

To see all their documents click on this page and then on the file folder for “Health Care Committee”

Attributes Committee

Join the Mailing List here. It meets every 2nd Friday.

Their wiki page is here. To see all their documents click on this page and then on the file folder for “Attributes AHG”

User Experience Working Group

Join the Meeting List here – It meets

To see all their documents click on this page and then on the file folder for “User-Experience Committee”

International Coordination Committee

The International Coordination Committee will be responsible for reviewing– and where appropriate, coordinating alignment with – similar international standards and policies.

The Mailing List is here – It currently doesn’t have a meeting scheduled – it will be announced on the list.

To see all their documents click on this page and then on the file folder for “International Coordination Committee”

by Kaliya Hamlin, Identity Woman at September 04, 2014 04:55 AM

Kaliya Hamlin

What is a Functional Model?

I have been working in the identity industry for over 10 years. It was not until the IDESG – NSTIC plenary that some folks said they were working on a functional model that I heard the term. I, as is normal for me, piped up and asked “what is a functional model”; people looked at me, looked back at the room and just kept going, ignoring my question. I have continued to ask it and no one has answered it.

I will state it out loud here again –

What is a Functional Model?

by Kaliya Hamlin, Identity Woman at September 04, 2014 04:54 AM

Kaliya Hamlin

I’m not your NSTIC “delegate” any more … pls get involved.

I have heard over the past few years from friends and associates in the user-centric ID / Personal Cloud / VRM communities, or those people who care about the future of people’s identities online, say to me literally – “Well it’s good you are paying attention to NSTIC so I don’t have to.”

I’m writing to say the time for that choice is over. There is about 1 more year left in the process until the “outputs” become government policy under the recently released White House Cyber Security Framework (See below for the specifics).

Key items of work are progressing and the time for “our” world view showing up within the work is now and my ability to get them to be taken seriously is ZERO if I continue to be an almost lone voice expressing these key items – particularly

The Functional Model Group is working on defining all the “bits” of the system. I believe this is where the “personal cloud” should be a key primary function/piece of the ecosystem. So far it has not been raised in a significant way and has not been addressed by the powers that be leading the committee.

The Trust Framework work is progressing rapidly. This is the work to take what they call existing Trust Frameworks (and I think should be called Accountability Frameworks). These are where the existing rules/policies and technologies for various networks are all harmonized, and then through that somehow we get to a kind of meta/uber trust framework and interoperability.

The big challenge that I see is that it is all coming from existing frames within the conversation that do NOT have a remotely “user centric” frame.

  • I don’t hear any conversation about how individuals will be protected from their “Identity Provider” (the entity that has “all” their identity information and vouches for them at a Relying Party).
  • I don’t hear any conversation about how people will be protected from over zealous relying parties asking for way too much information.
  • I don’t hear any conversation about how individuals will be protected from IdP’s and RP’s being able to sell their data into the data broker industry.
  • I don’t hear any conversation about how people could collect their own attributes and information in a Personal Cloud and from that center of personal sovereignty use it in the ecosystem.

I do see:

  • Assertions that Relying Parties can ask for whatever they want / think they need to complete a transaction and that “the market will decide”
  • Assertions that concerns about people’s rights around how they choose to name and identify themselves should be set aside for future iterations.
  • I do see that one of the pilots in the last round of multi-million dollar grants went to a defense industry consortium specifically for “development of an open source, technology-neutral Trust Framework Development Guidance document”

So what should you DO?

1) Sign up to attend the April 1-3 Plenary in Mountain View (bonus you don’t have to attend in person) Link Here.

2) Sign up to watch and contribute to the Trust Framework and Functional Model Groups – please see this post OR any of a number of groups with activity.

3) Sign up to join the IDESG organization (that way you can be “official members”) of the committees and “vote” on things.  See this Post.

4) Let me know you are keen on getting more involved and I can help connect you with others also “diving in” right now [ kaliya AT identitywoman DOT net].

5) Bonus - Attend the Internet Identity Workshop in Mountain View May 6-8 and work with others in the user-centric community on this and other more fun issues (like building cool decentralized, empowering technologies).

This is what I referenced above about it becoming government policy and practice.

As the White House announcement details below, today marked the release of the Cybersecurity Framework crafted by NIST – with input from many stakeholders – in response to President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity issued one year ago.

NSTIC is not discussed in the framework itself – but both it and the IDESG figure prominently in the Roadmap that was released as a companion to the Framework.  The Roadmap highlights authentication as the first of nine different, high-priority “areas of improvement” that need to be addressed through future collaboration with particular sectors and standards-developing organizations.

The inadequacy of passwords for authentication was a key driver behind the 2011 issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls upon the private sector to collaborate on development of an Identity Ecosystem that raises the level of trust associated with the identities of individuals, organizations, networks, services, and devices online.

NSTIC is focused on consumer use cases, but the standards and policies that emerge from the privately-led Identity Ecosystem Steering Group (IDESG) established to support the NSTIC – as well as new authentication solutions that emerge from NSTIC pilots – can inform advances in authentication for critical infrastructure as well.

NSTIC will focus in these areas:
· Continue to support the development of better identity and authentication solutions through NSTIC pilots, as well as an active partnership with the IDESG;

· Support and participate in identity and authentication standards activities, seeking to advance a more complete set of standards to promote security and interoperability; this will include standards development work to address gaps that may emerge from new approaches in the NSTIC pilots.

by Kaliya Hamlin, Identity Woman at September 04, 2014 04:53 AM

Kaliya Hamlin

BC Government Innovation in eID + Citizen Engagement.

I wrote an article for Re:ID about the BC Government’s Citizen Engagement process that they did for their eID system.

Here is the PDF: reid_spring_14-BC

BC’S CITIZEN ENGAGEMENT: A MODEL FOR FUTURE PROGRAMS

Because of my decade long advocacy for the rights and dignity of our digital selves, I have become widely known as “Identity Woman.” The Government of British Columbia invited me to participate as an industry specialist/expert in its citizen consultation regarding the province’s Services Card. I want to share the story of BC’s unique approach, as I hope that more jurisdictions and the effort I am most involved with of late, the U.S. government’s National Strategy for Trusted Identities in Cyberspace, will choose to follow it.

The Canadian Province of British Columbia engaged the public about key issues and questions the BC Services Card raised. The well-designed process included a panel of randomly selected citizens. They met face- to-face, first to learn about the program, then to deliberate key issues and finally make implementation recommendations to government.

The Services Card was developed over the last 10 years under the Ministry of Technology, Innovation and Citizen Services. Inside the same ministry an Office of Citizen Engagement was created four years ago. The minister of these two offices was one and the same and, to ensure the success of the project, he instructed the offices to work together to conduct a wide-ranging and meaningful consultation on the future of the card.

The first step was the creation of a white paper, Designing the Digital Service Consultation. It described core issues raised by deployment of the card and outlined processes project leaders could use to address these issues. They could have simply moved ahead with what was outlined but instead solicited feedback and used it to adapt the approach.

The User Panel was one of three streams outlined in the white paper that would feed into a, still forthcoming, final report to government. The other two were the specialist consultation, the part I was involved with, and an online survey that any citizen could fill out.

This User Panel method was chosen because the Province’s approach to digital services and identity management are both reasonably complex subjects and require time to understand. By convening the panel of citizens over two weekends they provided time for participants to get up to speed.

Secondly for recommendations to have legitimacy, the broader public needed to have high confidence that the right mix of British Columbians had an opportunity to contribute to the discussion. The way the panel was selected meant that it was a defensibly representative group of citizens to both consider the issues put to them and to legitimize their recommendations.

So how was this panel selected such that it would be representative of the population, age, income, ethnicity, gender, and geography of the province?

The Office of Citizen Engagement sent out a letter to 16,500 randomly selected citizens – one in 110 – across the province inviting them to signal interest in participating. From this group, 800 individuals responded sharing basic demographic information: age, gender and location. From this group, 36 were selected – an equal number of men and women across age groups and from around the province. They also specifically selected a person with a disability and a person of aboriginal descent.

A critical success factor, highlighted in the white paper, was the need for the government to be clear about, “what it needs to learn so that it can ensure public input can most effectively inform its decisions.”

The Government set two specific tasks for the Panel:

  1. Review the Province’s approach to digital services, recommending actions the Province can take to build citizens’ confidence in the Services Card and in the digital services that take advantage of the opportunities it creates.
  2. Recommend principles and priorities for the design and implementation of digital services and the next phase of the provincial identity management program to support the Province’s vision to save citizens’ time in their interaction with government and make it easier to access better quality services.

This was then broken down into five more specific questions:

  • Where should the Province focus its efforts in using the Services Card to create new kinds of digital services, and why?
  • How can the Province best balance privacy, security, cost effectiveness and convenience in the design of the Services Card to include key features such as pass code reset and managing transaction history?
  • What actions can the Province take to build citizens’ confidence in the Services Card and in the digital services that take advantage of opportunities it creates?
  • How should the Province explore using data created from digital services to improve policy and services?
  • What would it mean for BC’s identity management service to be used by organizations that aren’t part of government?

An independent chair and facilitator of the panel led the process and developed the learning curriculum for participants. It involved learning from the government how the Services Card worked and their perspectives on digital futures. It also included the views of the BC Civil Liberties Association and the BC Privacy Commissioner. As part of their deliberations participants explored different possibilities through group discussion and sorting exercises.

The Citizen Panel report was completed and submitted to the government. The Office of Citizen Engagement is now weaving the outcomes of all three streams of engagement into the final report that is to be released this spring.

I asked David Hume the executive director, of Citizen Engagement for the Province of British Columbia what resources he would recommend for those considering citizen engagement within their jurisdiction.

He suggested that the web site, Participedia.net, is a great place to explore a variety of case studies. More step-by-step guidance for such processes can be found at the National Coalition for Dialogue and Deliberation (ncdd.org) and the Canadian Coalition for Dialogue and Deliberation (c2d2.org). Additionally, the Environmental Protection Agency has good, broad guidance (http://www.epa.gov/oia/public-participation-guide/index.html).

by Kaliya Hamlin, Identity Woman at September 04, 2014 04:53 AM

Kaliya Hamlin

NSTIC WhipLash – Making Meaning – is a community thing.

Over a week ago I tweeted that I had experienced NSTIC whiplash yet again and wasn’t sure how to deal with it. I have been known to speak my mind and get some folks really upset for doing so. Given that I know the social media savvy NSTIC NPO reads all tweets related to their program, they know I said this. They also didn’t reach out to ask what I might be experiencing whiplash about.

First of all, since I am big on getting some shared understanding up front – what do I mean by “whiplash”? It is that feeling like you’re going along … you think you know the lay of the land, the car is moving along, and all of a sudden out of nowhere a new thing “appears” on the path and you have to slam on the brakes and go huh! what was that? And in the process your head whips forward and back, giving you “whiplash” from the sudden stop/double-take.

I was toddling through and found this post.  What does it Mean to Embrace the NSTIC Guiding Principles?

I’m like ok – what does it mean? and who decided? how?

I read through it and it turns out that in September the NPO just decided it would decide/define the meaning and then write it all out and then suggest in this odd way it so often does that “the committees” just go with their ideas.

“We believe that the respective committees should review these derived requirements for appropriate coverage of the identity ecosystem.   We look forward to continued progress toward the Identity Ecosystem Framework and its associated trustmark scheme.”

Why does the NPO continue to “do the work” that the multi-stakeholder institution they set up was created to do, that is to actually figure out the “meaning” of the document?

Why not come to the Management Council and say – “hey we really need to as a community figure out what it “means” to actually embrace the guiding principles. We need to have a community dialogue that gets to a meaningful concrete list relatively quickly – how should we do that as a community.” Then the Management Council would do its job and “manage” the process and actually figure out 1) if the NPO was right that indeed now would be a good time to figure out the meaning of embrace and 2) then figure out how to do it, and the people on the council (and others in the community) who have some experience in leading real multi-stakeholder efforts and skills in inclusive methodologies would have debated and put forward a path. The Secretariat – (if it actually functioned as a support organ for the Management Council) would then help the council carry out the process/method and get to the needed “outcome”: some community developed articulation of what embracing the principles means. Instead we just have what the NPO staff thinks. Which while I am sure it is “great” and they are such “hard working, good folks”…it wasn’t community generated and therefore not “owned” by the community, which is not good if the outcomes of this effort are to be “trusted” by the public at large. All the core work items of a multi-stakeholder institution can’t just be done by the NPO.

by Kaliya Hamlin, Identity Woman at September 04, 2014 04:38 AM

Kaliya Hamlin

Resources for HopeX Talk.

I accepted an invitation from Aestetix to present with him at HopeX (10).

It was a follow-on talk to his Hope 9 presentation that was on #nymwars.

He is on the volunteer staff of the HopeX conference and was on the press team that helped handle all the press that came for the Ellsberg – Snowden conversation that happened mid-day Saturday.  It was amazing and it went over an hour – so our talk that was already at 11pm (yes) was scheduled to start at midnight.

Here are the slides for it – I modified them enough that they make sense if you just read them.  My hope is that we explain NSTIC, how it works and the opportunity to get involved to actively shape the protocols and policies maintained.

I am going to put the links about joining the IDESG up front, ’cause that was our intention in giving the talk: to encourage folks coming to HopeX to get involved to ensure that the technologies and policies for citizens to use verified identity online when it is appropriate and also, most importantly, make SURE that the freedom to be anonymous and pseudonymous online.
This image is SOOO important I’m pulling it out and putting it here in the resources list.

WhereisNSTIC

Given that there are like 100 active people within the organization known as the Identity Ecosystem Steering Group, as called for in the National Strategy for Trusted Identities in Cyberspace published by the White House and signed by President Obama in April 2011, that originated from the Cyberspace Policy Review that was done just after he came into office in 2009. Here is the website for the National Program Office.

The organization’s website is here:  ID Ecosystem - we have just become an independent organization.

My step by step instructions How to JOIN.

Information on the committees - the one that has the most potential to shape the future is the Trust Framework and Trust Mark Committee

Here is the video.

From the Top of the Talk

Links to us:
Aestetix –  @aestetix Nym Rights
Kaliya – @identitywoman  –  my blog identitywoman.net

Aestetix – background + intro #nymwars from Hope 9

Aestetix’s links will be up here within 24h
We mentioned Terms and Conditions May Apply – follows Mark Zuckerberg at the end.

Kaliya  background + intro

I have had my identity woman blog for almost 10 years  as an Independent Advocate for the Rights and Dignity of our Digital Selves. Saving the world with User-Centric Identity

In the early 2000’s I was working on developing distributed Social Networks  for Transformation.
I got into technology via Planetwork and its conference in 2000 themed: Global Ecology and Information Technology.  They had a think tank following that event and then published in 2003 the Augmented Social Network: Building Identity and Trust into the Next Generation Internet.
The ASN and the idea that user-centric identity based on open standards were essential – all made sense to me – that the future of identity online – our freedom to connect and organize was determined by the protocols.  The future is socially constructed and we get to MAKE the protocols . . . and without open protocols for digital identity our ID’s will be owned by commercial entities – the situation we are in now.
Protocols are Political – this book articulates this – Protocols: How Control Exists after Decentralization by Alexander R. Galloway. I excerpted key concepts of Protocol on my blog in my NSTIC Governance Notice of Inquiry.
I co-founded the Internet Identity Workshop in 2005 with Doc Searls and Phil Windley. We are coming up on number 19 the last week of October in Mountain View and number 20 the third week of April 2015.
I founded the Personal Data Ecosystem Consortium in 2010 with the goal to connect start-ups around the world building tools for individuals to collect, manage and get value from their personal data, along with fostering ethical data markets. The World Economic Forum has done work on this (I have contributed to this work) with their Rethinking Personal Data Project.
I am shifting out of running PDEC to Co-CEO with my partner William Dyson of a company in the field, The Leola Group.

NSTIC

Aestetix and I met just after his talk at HOPE 9 around the #nymwars (we were both suspended).
So where did NSTIC come from? The Cyberspace Policy Review in 2009 just after Obama came into office.
Near-Term Action Plan:
#10 Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.
Mid-Term Action Plan:
#13 Implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.
NSTIC was published in 2011: Main Document – PDF  announcement on White House Blog.
Trust Frameworks  are at the heart of what they want to develop to figure out how navigate how things work.
What will happen with results of this effort?
The Cyber Security Framework (paper) the Obama Administration just outlined. NSTIC is not discussed in the framework itself – but both it and the IDESG figure prominently in the Roadmap that was released as a companion to the Framework. The Roadmap highlights authentication as the first of nine different, high-priority “areas of improvement” that need to be addressed through future collaboration with particular sectors and standards-developing organizations.

The inadequacy of passwords for authentication was a key driver behind the 2011 issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls upon the private sector to collaborate on development of an Identity Ecosystem that raises the level of trust associated with the identities of individuals, organizations, networks, services, and devices online.

I wrote this article just afterwards: National! Identity! Cyberspace! Why we shouldn’t Freak out about NSTIC   (it looks blank – scroll down).
Aaron Titus writes a similar post explaining more about NSTIC relative to the concerns arising online about the fears this is a National ID.
Staff for National Program Office

They put out a Notice of Inquiry – to figure out how this Ecosystem should be governed.

Many people responded to the NOI – here are all of them.

I wrote a response to the NSTIC Notice of Inquiry about Governance. It covers much of the history of the user-centric community and my vision of how to grow consensus. Most important for my NSTIC candidacy are the chapters about citizen’s engagement in the systems, co-authored with Tom Atlee, the author of the Tao of Democracy and the just published Empowering Public Wisdom.

The NPO hosted a workshop on Governance, and another one on Privacy – where they invited me to present on the Personal Data Ecosystem. The technology conference got folded into IIW in the fall of 2011.

O’Reilly Radar – called it The Manhattan Project for online identity.

The National Program Office published a proposed:

Charter for the  IDESG Organization

ByLaws  and Rules of Association for the IDESG Organization

Also what committees should exist and how it would all work in this webinar presentation.  The Recommended Structure is on slide 6.  They also proposed a standing committee on privacy as part of the IDESG.

THEN (because they were so serious about private sector leadership) they published a proposed 2 year work plan.  BEFORE the first Plenary meeting in Chicago in August 2012

They put out a bid for a Secretariat to support the forthcoming organization and awarded it to a company called Trusted Federal Systems.
The plenary was and is open – to anyone and any organization from any where in the world. It is still open to anyone. You can join by following the steps on my blog post about it.
At the first meeting in August 2012 the management council was elected. The committees they decided should exist ahead of time had meetings.
The committees - You can join them – I have a whole post about the committees so you can adopt one.

Nym Issues!!!

So after the #nymwars it seemed really important to bring the issues around Nym Rights and Issues into NSTIC – IDESG. They were confused – even though their bylaws say that committees. I supported Aestetix writing out a charter for a new committee – I read it for the plenary in November of 2012 – he attended the Feb 2013 Plenary in Phoenix. I worked with several other Nym folks to attend the meeting too.
They suggested that NymRights was too confrontational a name, so we agreed that Nym Issues would be a fine name. They also wanted to make sure that it would just become a sub-committee of the Privacy Committee.
It made sense to organize “outside” the organization so we created NymRights.
Basically the committee and its efforts have been stalled in limbo.
Aestetix’s links will be up here within 24h

The Pilot Grants from the NPO

Links
Year 1 – announcement about the FFO, potential applicant Webinar – announcement about all the grantees and an FAQ.
  • Daon, Inc. (Va.): $1,821,520
    The Daon pilot will demonstrate how senior citizens and all consumers can benefit from a digitally connected, consumer friendly Identity Ecosystem that enables consistent, trusted interactions with multiple parties online that will reduce fraud and enhance privacy. The pilot will employ user-friendly identity solutions that leverage smart mobile devices (smartphones/tablets) to maximize consumer choice and usability. Pilot team members include AARP, PayPal, Purdue University, and the American Association of Airport Executives.
  • The American Association of Motor Vehicle Administrators (AAMVA) (Va.): $1,621,803
    AAMVA will lead a consortium of private industry and government partners to implement and pilot the Cross Sector Digital Identity Initiative (CSDII). The goal of this initiative is to produce a secure online identity ecosystem that will lead to safer transactions by enhancing privacy and reducing the risk of fraud in online commerce. In addition to AAMVA, the CSDII pilot participants include the Commonwealth of Virginia Department of Motor Vehicles, Biometric Signature ID, CA Technologies, Microsoft and AT&T.
  • Criterion Systems (Va.): $1,977,732
    The Criterion pilot will allow consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience. It will enable convenient, secure and privacy-enhancing online transactions for consumers, including access to Web services from leading identity service providers; seller login to online auction services; access to financial services at Broadridge; improved supply chain management at General Electric; and first-response management at various government agencies and health care service providers. The Criterion team includes ID/DataWeb, AOL Corp., LexisNexis®, Risk Solutions, Experian, Ping Identity Corp., CA Technologies, PacificEast, Wave Systems Corp., Internet2 Consortium/In-Common Federation, and Fixmo Inc.
  • Resilient Network Systems, Inc. (Calif.): $1,999,371
    The Resilient pilot seeks to demonstrate that sensitive health and education transactions on the Internet can earn patient and parent trust by using a Trust Network built around privacy-enhancing encryption technology to provide secure, multifactor, on-demand identity proofing and authentication across multiple sectors. Resilient will partner with the American Medical Association, Aetna, the American College of Cardiology, ActiveHealth Management, Medicity, LexisNexis, NaviNet, the San Diego Beacon eHealth Community, Gorge Health Connect, the Kantara Initiative, and the National eHealth Collaborative. In the education sector, Resilient will demonstrate secure Family Educational Rights and Privacy Act (FERPA) and Children’s Online Privacy Protection Act (COPPA)-compliant access to online learning for children. Resilient will partner with the National Laboratory for Education Transformation, LexisNexis, Neustar, Knowledge Factor, Authentify Inc., Riverside Unified School District, Santa Cruz County Office of Education, and the Kantara Initiative to provide secure, but privacy-enhancing verification of children, parents, teachers and staff, as well as verification of parent-child relationships.
  • University Corporation for Advanced Internet Development (UCAID) (Mich.): $1,840,263
    UCAID, known publicly as Internet2, intends to build a consistent and robust privacy infrastructure through common attributes; user-effective privacy managers; anonymous credentials; and Internet2’s InCommon Identity Federation service; and to encourage the use of multifactor authentication and other technologies. Internet2’s partners include the Carnegie Mellon and Brown University computer science departments, University of Texas, the Massachusetts Institute of Technology, and the University of Utah. The intent is for the research and education community to create tools to help individuals preserve privacy and a scalable privacy infrastructure that can serve a broader community, and add value to the nation’s identity ecosystem.

Year 2 – announcement about the FFO, potential applicant webinar, announcement about the grantees.

  • Transglobal Secure Collaboration Participation, Inc. (TSCP) (Va.): $1,264,074
    The TSCP pilot will deploy trusted credentials to conduct secure business-to-business, government-to-business and retail transactions for small and medium-sized businesses and financial services companies, including Fidelity Investments and Chicago Mercantile Exchange. As part of this pilot, employees of participating businesses will be able to use their existing credentials to securely log into retirement accounts at brokerages, rather than having to obtain a new credential. Key to enabling these cross-sector transactions will be TSCP’s development of an open source, technology-neutral Trust Framework Development Guidance document that can provide a foundation for future cross-sector interoperability of online credentials.
  • Georgia Tech Research Corporation (GTRC) (Ga.): $1,720,723
    The GTRC pilot will develop and demonstrate a “Trustmark Framework” that seeks to improve trust, interoperability and privacy within the Identity Ecosystem. Trustmarks are a badge, image or logo displayed on a website to indicate that the website business has been shown to be trustworthy by the issuing organization. Defining trustmarks for specific sets of policies will allow website owners, trust framework providers and individual Internet users to more easily understand the technical, business, security and privacy requirements and policies of the websites with which they interact or do business. Supporting consistent, machine-readable ways to express policy can enhance and simplify the user experience, raise the level of trust in online transactions and improve interoperability between service providers and trust frameworks. Building on experience developing the National Identity Exchange Federation (NIEF), GTRC plans to partner with the National Association of State Chief Information Officers (NASCIO) and one or more current NIEF member agencies, such as Los Angeles County and the Regional Information Sharing Systems (RISS).
  • Exponent (Calif.): $1,589,400
    The Exponent pilot will issue secure, easy-to-use and privacy-enhancing credentials to users to help secure applications and networks at a leading social media company, a health care organization and the U.S. Department of Defense. Exponent and partners Gemalto and HID Global will deploy two types of identity verification: the use of mobile devices that leverage so-called “derived credentials” stored in the device’s SIM card and secure wearable devices, such as rings and bracelets. Solutions will be built upon standards, ensuring an interoperable system that can be easily adopted by a wide variety of organizations and companies.
  • ID.me, Inc. (Va.): $1,204,957
    ID.me, Inc.’s Troop ID will develop and pilot trusted identity solutions that will allow military families to access sensitive information online from government agencies, financial institutions and health care organizations in a more privacy-enhancing, secure and efficient manner. Troop ID lets America’s service members, veterans, and their families verify their military affiliation online across a network of organizations that provides discounts and benefits in recognition of their service. Today, more than 200,000 veterans and service members use Troop ID to access benefits online. As part of its pilot, Troop ID will enhance its current identity solution to obtain certification at Level of Assurance 3 from the U.S. General Services Administration’s Trust Framework Providers program, enabling Troop ID credential holders to use their solution not only at private-sector sites, but also when interacting online with U.S. government agencies through the recently announced Federal Cloud Credential Exchange (FCCX). Key project partners include federal government agencies and a leading financial institution serving the nation’s military community and its families.
  • Privacy Vaults Online, Inc. (PRIVO) (Va.): $1,611,349
    Children represent a unique challenge when it comes to online identity. Parents need better tools to ensure safe family use of the Internet, while online service providers need to comply with the requirements of the Children’s Online Privacy Protection Act (COPPA) when they deal with minors under the age of 13. PRIVO will pilot a solution that provides families with COPPA-compliant, secure, privacy-enhancing credentials that will enable parents and guardians to authorize their children to interact with online services in a more privacy-enhancing and usable way. Project partners, including one of the country’s largest online content providers and one of the world’s largest toy companies, will benefit from a streamlined consent process while simplifying their legal obligations regarding the collection and storage of children’s data.

Year 3 – ? announcement about FFO - grantees still being determined.

Big Issues with IDESG

Diversity and Inclusion

I have been raising these issues since its inception (pre-inception, in fact: I wrote about them in my NOI response).

I was unsure if I would run for the management council again. I wrote a blog post about these concerns that apparently made the NPO very upset. I was subsequently “uninvited” to the International ID Conference they were hosting at the White House Conference Center for other western liberal democracies trying to solve these problems.

TechPresident covered the issues and did REAL REPORTING about what is going on: “In Obama Administration’s People Powered Digital Security Initiative, There’s Lots of Security, Fewer People.”

This is in contrast to a wave of hysterical posts about National Online ID pilots being launched.

The IDESG has issues with how the process happens. It is super TIME INTENSIVE, and it is not well designed for people with limited time to get involved. We have an opportunity to change things as we become our own organization.

The 9th Plenary schedule can be seen here. There was a panel on the first day with representatives who said that people like them, and others from different communities, needed to be involved AS the policy is made. Representatives from these groups were on the panel, which was facilitated by Jim Barnett from the AARP:

  • NAACP
  • Association of the Blind
  • ACLU

The video is available online.

The “NEW” IDESG

The organization is shifting from being a government initiative to being one that is its own independent organization.

The main work where the TRUST FRAMEWORKS are being developed is in the Trust Framework and Trust Mark Committee.  You can see their presentation from the last committee here.

Key Words & Key Concepts from the Identity Battlefield

Trust

What is Identity? It’s socially constructed and contextual.

Identity is Subjective

Aestetix’s links will be up here within 24h

What are Identifiers?: Pointers to things within particular contexts.

Abrahamic Cultural Frame for Identity / Identifiers

Relational  Cultural Frame for Identity / Identifiers

What does Industry mean when it says “Trusted Identities”?

What is Verified?

AirBnB
Verified ID in the context of the Identity Spectrum: my post about the spectrum.

Reputation

In Conclusion: HOPE!

We won the #nymwars!

Links to Google’s apology.

Skud’s post: the apology we hoped for.

More of Aestetix’s links will be up here within 24h

The BC Government’s Triple Blind System

Article about the system they have created and the citizen engagement process to get citizen buy-in, with 36 randomly selected citizens developing future policy recommendations for it.

Article about what they have rolled out in Government Technology.

Join the Identity Ecosystem Steering Group

Get engaged in the process to make sure we maintain the freedom to be anonymous and pseudonymous online.

Attend the next (10th) Plenary in mid-September in Tampa at the Biometrics Conference

Join Nym Rights group.

http://www.nymrights.org

Come to the Internet Identity Workshop

Number 19 – Last week of October – Registration Open

Number 20 – Third week of April

by Kaliya Hamlin, Identity Woman at September 04, 2014 04:36 AM

Kaliya Hamlin

I’ve co-founded a company! The Leola Group

Thursday evening following Internet Identity Workshop #18 in May I co-founded and became Co-CEO of the Leola Group with my partner William Dyson.

So how did this all happen? Through a series of interesting coincidences: in 10 days (yes, just 10 days) William got XDI working for building consumer-facing applications. He showed the music metadata application on Thursday evening and wowed many with the working-name Nymble registry. The XDI [eXtensible Resource Identifier Data Interchange] standard has been under development at OASIS for over 10 years. Getting it to actually work, and having the opportunity to begin to build applications that really put people at the center of their own data lives, is a big step forward both for the Leola Group and for the Personal Data community at large.

William and I met in September of 2013 via an e-mail introduction from Drummond Reed. We started working together the day I met him, on the efemurl project. We were dating a few days later and a few weeks later we were engaged. We announced this during the closing circle at IIW #17.

The efemurl project was taking an extensively featured web platform William had built over several years, developing it further and turning it into a consumer co-operative. The shorthand way to describe it, you know, the way they describe movie plots: it’s like Google and REI had a baby. The core ideas developed for the efemurl platform will be brought over into the applications the Leola Group is developing. Core aspects of what the Leola Group is are too valuable to be owned by one company, and we will be working with Planetwork to turn the operation of those into a consumer co-operative.

So big questions for people in the community include:

Are you still involved with IIW? 
Yes of course! IIW will continue and my role with it will too. Phil Windley founded his company Kynetx and continues to be a co-leader of IIW with me and Doc. We have a great production team led by Heidi Nobantu Saul.

What is going to happen to PDEC?

We have worked to create a 6 month transition plan for the organization/community to new leadership. We have brought on Dean Landsman (well known for his leadership in the VRM community) to serve as Communications Director and, among other things, host regular community calls and a podcast. As part of taking on the Co-CEO role in the new company, I have woven into the job the time needed to properly transition out of my role as Executive Director and to work with the community over the next 6 months to get governance in line and then have that leadership group hire a new Executive Director. You can read more about it on the PDEC blog and see a video we made.

The organization just welcomed 11 new members. Dean will be presenting about his new role with PDEC at the Personal Data Meetup in NYC on Monday.

When are you getting Married?

William and I are getting married the weekend after IIW #20, which is April 7-9 (yes, it’s way early!!!). This will make it easier for friends coming to IIW from around the world to join in the celebration.

by Kaliya Hamlin, Identity Woman at September 04, 2014 04:34 AM

Kaliya Hamlin

BC Identity Citizen Consultation Results!!!!

This article explains more about the different parts of the British Columbia Citizen Consultation about their “identity card”, along with how it is relevant and can inform the NSTIC effort.

As many of you know I (along with many other industry leaders from different industry/civil society segments) was proactively invited to be part of the NSTIC process including submitting a response to the notice of inquiry about how the IDESG and Identity Ecosystem should be governed.

I advocated and continue to advocate that citizen involvement and broad engagement from a broad variety of citizen groups and perspectives would be essential for it to work. The process itself needed to have its own legitimacy: even if “experts” would have come to “the same decisions”, if citizens were and are not involved, the broad rainbow that is America might not accept the results.

I have co-led the Internet Identity Workshop since 2005, every 6 months in Mountain View, California at the Computer History Museum. It is an international event, and folks from Canada working on similar challenges have been attending for several years; this includes Aran Hamilton from the nationally oriented Digital ID and Authentication Council (DIAC) and several of the leaders of the British Columbia Citizen Services Card effort.

I worked with Aran Hamilton helping him put on the first Identity North Conference to bring key leaders together from a range of industries to build shared understanding about what identity is and how systems around the world are working, along with exploring what to do in Canada.

The British Columbia Government (a province of Canada where I grew up) worked on a citizen services card for many years. They developed an amazing system that is triple blind. An article about the system was recently run in RE:ID. The system launched with 2 services: the driver’s license and the health services card. The designers of the system knew it could be used for more than just these two services, but they also knew that citizen input into those policy decisions was essential to build citizen confidence or trust in the system. The other article in the RE:ID magazine was by me, about the citizen engagement process they developed.

They developed extensive system diagrams to help provide explanations to regular citizens about how it works. (My hope is that the IDESG and the NSTIC effort broadly can make diagrams this clear.)

The government created a citizen engagement plan with three parts:

The first was convening experts. They did this in relationship with Aran Hamilton and Mike Monteith from Identity North; I, as the co-designer and primary facilitator of the first Identity North, was brought in to work on this. They had an extensive note-taking team and they reported on all the sessions in a book of proceedings. They spell my name 3 different ways in the report.

The most important part was a citizen panel of randomly selected citizens, to really deeply engage with citizens in determining key policy decisions moving forward. It also worked on helping the government understand how to explain key aspects of how the system actually works. I wrote an article for RE:ID about the process; you can see that here.
The results were not released when I wrote that. Now they are! Yeah! The report is worth reading because it shows that regular citizens who are given the task of considering critical issues can come out with answers that make sense and help government work better.

They also did an online survey open for a month to any citizen of the province to give their opinion. That you can see here.

Together all of these results were woven together into a collective report.

Bonus material: This is a presentation that I just found covering many of the different Canadian province initiatives.

PS: I’m away in BC this coming week – sans computer.  I am at Hollyhock…the conference center where I am the poster child (yes literally). If you want to be in touch this week please connect with William Dyson my partner at The Leola Group.

by Kaliya Hamlin, Identity Woman at September 04, 2014 04:32 AM

August 30, 2014

Nat Sakimura

My Number mascot character named “Maina-chan”!

The name of the mascot character for the common number system for social security and tax (the My Number system), whose public naming contest I announced earlier, was unveiled on Friday the 29th[1].

“Maina-chan”

It was selected from the 723 entries received in the public contest held from Friday, June 20 to Monday, July 21, on the grounds that it is “a name that readily evokes My Number and expresses the friendliness of the rabbit in the logo”[2]. Because several people submitted the same name, the winner will be chosen by a strict lottery and contacted at a later date.

My Number is a system that assigns each individual a number that (in principle) never changes for life, aiming to make pension and tax administration more efficient and accurate and to simplify procedures. It is expected to prevent things like the “lost pension records” problem from happening again. Cards will start being distributed in the second half of 2015, and use begins in January 2016. Anyone who receives a salary will have to report their own and their family members’ My Numbers to their employer, so the system affects almost everyone. Maina-chan is expected to play a big part in making the public aware of the system. It would be amazing if she became as popular as Funassyi!


[1] Cabinet Secretariat, “Nickname decided for the My Number publicity logo” http://www.cas.go.jp/jp/seisaku/bangoseido/logo/aisyou.html


[2] Another important point, apparently, was that the name does not infringe any existing trademark. It seems rabbit-related names are largely taken already, which made the work hard. Things like Pokémon’s “Minun®”… (← which, by the way, looks very rabbit-like). Well done!

by Nat at August 30, 2014 02:29 AM

August 27, 2014

Nat Sakimura

C.P.E. Bach, Father of Classical Music: 300 Years Since His Birth

Ah, I’ve given this a sensational title again…

But I don’t think it is so far off to call C.P.E. Bach (Carl Philipp Emanuel Bach), whose 300th birth anniversary falls this year and who was the second son of the great Bach (J.S. Bach), the father of classical music in the narrow sense, that is, music of the Classical period. Even Mozart said of him, “He is the father, we are the children”[1].

Let me list the features that distinguish Classical-period music from the music that came before it.

  1. Melody plus harmony (monophony)
  2. Multiple themes of differing character
  3. Themes shorter than in the Baroque, their decomposition into motifs, and the use and development of those motifs
  4. → Sonata form

These are the foundations of “classical music” from the Classical period onward, inherited by the Romantics and later.

Meanwhile, the features of C.P.E. Bach’s music are said to be as follows.

  1. Galant style (melody + harmony)
  2. Empfindsamer Stil[12] (multiple themes of differing character)
  3. Short themes and their decomposition into motifs, and the use and development of those motifs (he is said to have been the first to do motivic decomposition and development[2])
  4. Sonatas in three movements, with movements in the form intro + (first theme [tonic] + bridge + second theme [dominant/relative key]) x2 + development + recapitulation, i.e. sonata form

Wait, those are exactly the features of Classical-period music. No wonder Mozart called him “father”.

Indeed, his influence on Haydn, Mozart and Beethoven is marked, and Beethoven apparently revered him[3]. Mendelssohn’s oratorio Elijah shows the influence of C.P.E. Bach’s Die Israeliten in der Wüste (The Israelites in the Wilderness), and Brahms seems to have edited some of his works[4].

Within the Bach family, the younger brother J.C. Bach was close to Mozart, and it is sometimes said that the strong lines of influence are

  • J.C. Bach → Mozart
  • C.P.E. Bach → Beethoven

Well, I can see that, but as far as late Mozart goes, I also have the feeling that C.P.E. Bach’s influence is considerable. Late Mozart, in contrast to his earlier “cheerful, simple homophonic music”, moved to very elaborately constructed polyphonic music, in a sense difficult music[6], lost his popularity and, with his wife’s illness on top of it, suffered under debt; the trigger for that is said to have been the music and scores of Bach shown to him by Baron van Swieten[7].

[1] Wikipedia (Japanese): Carl Philipp Emanuel Bach (retrieved 2014/8/27)

[2] Wikipedia: “Sonata Form”, http://en.wikipedia.org/wiki/History_of_sonata_form (retrieved 2014/8/27)

[3] Citation needed

[4] Wikipedia (Japanese): Carl Philipp Emanuel Bach, section on influence on later generations (retrieved 2014/8/27)

[5] Citation needed

[6] This can also be seen in the fact that Mozart, who until then had hardly ever made a false start when writing, apparently revised extensively in the Haydn Quartets (1782–1785). But is that really true? I only remember reading it more than 30 years ago in a book by Hidekazu Yoshida or someone…

[7] Sinfonias Wq. 182/1–6, H.657–662 (composed 1773)

[12] The Empfindsamer Stil (German; English: Sensitive Style) is a musical style that arose in 18th-century Germany. It aimed to express “honest, natural feelings” and is characterized by sudden changes of mood. It developed in contrast to the Baroque doctrine of Affektenlehre, under which a single affect should govern a whole piece (or movement).

by Nat at August 27, 2014 05:57 PM

August 25, 2014

Nat Sakimura

Government plans to introduce “income-contingent repayment” student loans using My Number

The Ministry of Education, Culture, Sports, Science and Technology has decided on a policy of introducing “income-contingent repayment” into the student loan (scholarship) system for university students from fiscal 2018. Income-contingent repayment is a system adopted in the UK, Australia and the US, in which the monthly repayment amount varies with annual income after graduation. Because the repayment amount is determined according to economic conditions and changes in income, the burden on low earners is smaller and the collection rate can be raised.

Source: EconomicNews.

I was looking into this to talk about at a certain study group tomorrow, and it turns out it had already been announced.

Income-contingent repayment loans are offered in Australia, New Zealand, the UK and elsewhere. In Australia (HELP), 450,314 people were using the scheme as of 2013. In the US, too, a similar effort has begun for Federal Student Loans, though that one is limited to low-income borrowers.

Because income-contingent loans need not be repaid until a certain income is reached, the risk to the individual is low and they are easy to borrow. This can alleviate situations that are problematic from an equity standpoint, such as giving up on further education for lack of funds. In Australia repayment starts at an income of AU$53,345 or more; in the UK at £21,000. In Australia, the average income of new graduates exceeds this threshold in all fields by the fifth year, and repayment is completed on average 8.1 years after it begins. In each country the tax authority keeps track of income, and once the income condition is met the repayments are collected together with tax. Interest rates vary, e.g. CPI + α (rising with income).

In these countries most universities are public, so the state provides the fund. In Japan there are many private universities, so how to fund this may need separate consideration. For example, each school could provide its own fund. In that case, providing a good education and producing high earners would improve the return, so it could also be expected to contribute to improving the quality of university education.

Incidentally, the outstanding balance of Australia’s HELP over time is shown in Figure 1.

(Figure 1) Australia HELP outstanding balance over time. (Source) Group of Eight, “HELP: Understanding Australia’s system of income-contingent student loans”

There is also the question of amounts. According to the article above, the current loan amount averages ¥800,000 per year.

With the advance of higher education, tuition costs are expected to soar[1], and this is nowhere near enough. To keep people from giving up on further education for lack of funds, the amounts will also need to be improved.

In any case, I think it is a step in a good direction, and I intend to keep following it.

[1] At elite US universities, tuition alone is said to cost around ¥5,000,000 per year.

by Nat at August 25, 2014 01:33 PM

Nat Sakimura

Class action against Facebook in Vienna over suspected privacy law violations

A class-representative lawsuit against Facebook has begun to move, after a Vienna court ruled that the company must answer the privacy complaints against it.

In early August, a group of users led by privacy activist and lawyer Max Schrems filed suit in a Vienna court against Facebook’s Irish subsidiary, alleging that the company violates several privacy laws.

The complaints include the following: Facebook’s data use policy violates European Union (EU) law; Facebook is set up to reuse data without obtaining valid consent from users; and data is transferred to third-party applications without users’ permission.

Source: “Class action against Facebook in Vienna over suspected privacy law violations” – CNET Japan.

It seems a class action against FB has gotten under way in Europe.

This group previously brought suit in an Irish court and appears to have won concessions such as limiting the retention period for ad-click data to two years and warning users about the facial recognition feature.

This suit was filed in the Vienna Regional Court; more than 25,000 people have joined as plaintiffs, each demanding €500 in damages.

One hears here and there that class actions in Europe are not very effective, but I want to watch how this develops.

by Nat at August 25, 2014 12:42 PM

August 21, 2014

Nat Sakimura

US HHS Office of the National Coordinator for Health Information Technology (ONC) joins the OpenID Foundation as a board member

On August 21 local time, the Office of the National Coordinator for Health Information Technology (ONC) of the US Department of Health and Human Services (HHS) joined the US OpenID Foundation (OIDF; chairman: Nat Sakimura) as a board member organization. ONC is the principal agency in the US federal government charged with coordinating the use and implementation of the most advanced health information technology (HIT)[1] for the nationwide electronic exchange of health information.

ONC is at the forefront of the current administration’s health IT efforts and is a key standards development resource for the national health system, promoting the adoption of health IT and the nationwide health information sharing infrastructure concept “NwHIN (Nationwide Health Information Network)”[2]. Ms. Debbie Bucci will join the OpenID Foundation as ONC’s representative.

ONC intends to work on two things within OIDF. One is to lead a Healthcare Information Exchange (HIE) working group to define a profile of OpenID Connect; the other is to promote pilot projects that use it. Ms. Bucci, an IT architect in the Implementation and Testing Division, which leads technical profiling and interoperability testing at ONC, will lead the HIE WG’s activities.

For details, see OIDF’s English-language release[3].


[1] Health Information Technology, HIT.

[2] http://www.healthit.gov/policy-researchers-implementers/nationwide-health-information-network-nwhin

[3] OpenID Foundation: “US Government Office of the National Coordinator for Health Information Technology (ONC) Joins the OpenID Foundation”, http://openid.net/2014/08/21/us-government-office-of-the-national-coordinator-for-health-information-technology-onc-joins-the-openid-foundation/

by Nat at August 21, 2014 11:00 PM

OpenID.net

US Government Office of the National Coordinator for Health Information Technology (ONC) Joins the OpenID Foundation

The Office of the National Coordinator for Health Information Technology (ONC) located within the Office of the Secretary for the U.S. Department of Health and Human Services (HHS) has joined the OpenID Foundation (OIDF). ONC is the principal federal entity charged with coordination of nationwide efforts to implement and utilize the most advanced health information technology for the electronic exchange of health information.

ONC is at the forefront of the Administration’s Health IT efforts and is a key standards development resource to the national health system to support the adoption of health information technology and the promotion of nationwide health information exchanges. Ms. Debbie Bucci will join the Board of Directors of the OpenID Foundation as the ONC representative.

Two key initiatives the ONC plans to undertake within the OIDF are to lead a Healthcare Information Exchange (HIE) working group to create a profile of OpenID Connect and to run follow-on associated pilot projects. Ms. Bucci, an IT Architect in the Implementation and Testing Division, is helping lead a profiling and interoperability testing effort at ONC and will be one of the leaders of the HIE working group activities.

Don Thibeau, Executive Director of the OIDF, pointed out that this public sector effort parallels the increasing global adoption among large commercial enterprises. Google, Microsoft, Ping Identity, Salesforce, ForgeRock and others have embraced OpenID Connect as fundamental to their identity initiatives. Thibeau noted, “After the launch of OpenID Connect early this year, the OIDF finds itself working on one of the hardest use cases in identity, patient medical records, at the same time as working on the platform of choice, the mobile device. Working with OIDF member organizations like the ONC, GSMA and others brings important domain expertise and a user-centric focus to these OIDF working groups. These standards development activities are loosely coupled with pilots in the US, UK and Canada.”

If you are interested in the HIE working group, please consider attending the OpenID Day on RESTful Services in Healthcare at MIT on September 19th in Cambridge, MA. This event will focus on emerging Web-scale technologies as applied to health information sharing. The focus will be on group discussion among MIT’s expert participants. The OIDF will follow its standards development process while MIT leads outreach and industry engagement. This day is part of the 2-day annual MIT KIT Conference at MIT on September 18-19. For more information on this event and to register, please visit http://kit.mit.edu/events.

by Mike Leszcz at August 21, 2014 03:07 PM

August 20, 2014

Nat Sakimura

JIPDEC, with Yahoo and six other companies, begins offering spoofed-email prevention solution to banks

According to a press release[1] from the Japan Institute for Promotion of Digital Economy and Community (JIPDEC), it has begun, together with six companies including Yahoo[2], rolling out to banks its “Anshin Mark” (“safety mark”, pictured), intended to prevent spoofed email. The first adopter is Joyo Bank, which decided to adopt the Anshin Mark (Figure 1) as a security measure for webmail users.

Figure 1: Anshin Mark

This lets the recipient easily verify that a message is not spoofed, by combining DKIM[3], an electronic signature technology for email, with ROBINS, the cyber corporate registry provided by JIPDEC, and indicates the result by displaying the “Anshin Mark” when the message is viewed in webmail[4].

The Anshin Mark service was launched in July last year at the time of the House of Councillors election; this time it has been newly extended to financial institutions. As of this writing, the organizations carrying the Anshin Mark are the Liberal Democratic Party, the Democratic Party, JIPDEC and Joyo Bank.

At present the one blemish is that it can only be checked from webmail, but it is still a first step toward peace of mind. It would be even better if it were also provided for major mail clients via plugins or the like.

Also, to get a bit technical, one could view this as ROBINS functioning as a trust framework, with the DKIM-based mechanism introduced here functioning as a “metadata service” that verifies registration in it.

On the other hand, in a borderless society it would be even better if, in addition to ROBINS, which is presumably limited to Japanese corporations, similar mechanisms in other countries could be integrated as well.

In any case, keep an eye on how this develops.

* Disclosure: as of 2014 the author is a member of JIPDEC’s advisory committee.

[1] JIPDEC news release: “Efforts toward an email environment that can be used with peace of mind
~ Anshin Mark for spoofed-email prevention introduced to banks ~”

[2] Infomania, Synergy Marketing, Tricorn, NIFTY, Pipedbits, Yahoo

[3] For how DKIM works, this article is detailed → “What is DKIM, the latest electronic signature technology?”

[4] “Anshin Mark” adopted by a bank for the first time: preventing spoofed email with sender domain authentication (2014/8/11)

by Nat at August 20, 2014 01:38 AM

August 16, 2014

Nat Sakimura

Government to set up My Number call center around October

The government will set up, around October, a call center within the Cabinet Office for the “My Number system”, which manages social security benefits and tax payments with a single personal number. Ahead of the system’s start in January 2016, it will handle inquiries from companies and individuals and work to publicize the system.

Source: “Government to set up My Number call center around October”, Nihon Keizai Shimbun.

This appears to be part of the publicity effort starting in October, on the grounds that public understanding of the My Number system is insufficient. Publicity has so far been done through documents, seminars and a website[1], but accepting inquiries by voice as well presumably also means trying to reach groups that could not be reached before.

The website has FAQs and the like, but it is quite conceivable that you read them, still don’t understand, and want to ask someone. At such times it is very good to be able to inquire by phone, email, inquiry form and so on. Recently, overseas websites often use call centers to answer questions by chat as well. It would be even better if that kind of support became available too. High hopes for the content to be expanded further.

[1] Cabinet Secretariat: “Social Security and Tax Number System” http://www.cas.go.jp/jp/seisaku/bangoseido/

by Nat at August 16, 2014 09:36 PM

August 12, 2014

Nat Sakimura

Government publishes materials on identity verification measures for the My Number system

On the 12th, the government published materials[1] on identity verification measures related to the My Number system.

These explain the methods of number verification and identity verification required by law when using the number for identifying specific individuals in administrative procedures (My Number). They are divided into (I) cases where the number is provided by the person themselves and (II) cases where it is provided by a representative, and each is further divided into (1) in person or by mail, (2) online, and (3) by telephone.

It is interesting that in-person and mail are grouped together. International standards divide into (1) in person and (2) remote, so mail would more naturally be paired with online; it seems the government’s division here is rather (1) verification on paper, (2) electronic verification, (3) verification by voice.

Basically the materials take the form of an accessible explanation of the My Number Act Enforcement Regulations[2], and also note which part of the regulations to consult. For example, for (I) provided by the person themselves, (2) online, the following three methods are listed.

① Individual Number Card (reading the IC chip) [Regulations, Art. 4, item 1]
② Electronic signature via the public personal authentication service (JPKI) [Regulations, Art. 4, item 2, ハ]
③ A method the individual-number-using business operator deems appropriate [Regulations, Art. 4, item 2, ニ]

Here “[Regulations, Art. 4, item 2, ニ]” means “see ニ of Article 4, paragraph 2 of the Enforcement Regulations”. Looking at the actual passage, it says: “In addition to what is listed in ハ, confirming, by a method the individual-number-using business operator deems appropriate, that the person using a computer connected by telecommunications line to the electronic data processing system is the person making the provision.”

What personally caught my eye in this document is the commentary attached to ③ above, a method the individual-number-using business operator deems appropriate. It says “* e.g. privately issued electronic signatures, or IDs and passwords issued by the individual-number-using business operator are envisaged”, so one can imagine this expanding in the future.


[1] Cabinet Secretariat: “Materials on identity verification measures” http://www.cas.go.jp/jp/seisaku/bangoseido/sekoukisoku/26-4hk.pdf

[2] Cabinet Secretariat: “Enforcement Regulations of the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (My Number Act Enforcement Regulations)” http://www.cas.go.jp/jp/seisaku/bangoseido/sekoukisoku/26-3.pdf

[3] The rabbit illustration was taken from here → http://pic.prepics-cdn.com/munimuniwaon/35872028.jpeg Someone pointed out that using the My Number character rabbit would run afoul of its terms of use.

by Nat at August 12, 2014 11:00 PM

July 24, 2014

Nat Sakimura

Trying to sort out the siloed spaghetti of information infrastructure, but…

(Embedded tweet from jirok: “I’m trying to sort out the siloed spaghetti of information infrastructure, but ‘ ...”)

Professor Kokuryo, whom I respect, posed me this question, so although it took a little time, I have put my thoughts together in a blog post.

First, the conclusion.

(1) Identifiers → Identity Register + RA

(2) Identity verification infrastructure → IdP + CSP

(3) Attributes → IIA/IIP

(4) Services → RP/SP

If we read them this way, the answer is that it seems best to split them up and manage them separately along these lines.

The explanation follows.

The basis of IdM is the identification of the user in question. Identification means distinguishing an entity uniquely from the other entities in a population. Since we cannot observe an entity directly, this amounts to collecting the values of attributes bound to the entity until the set of values becomes unique. In this state, the set of attribute values is the “identifier”. However, the values keep changing and may lose their distinguishing power at some other point in time, so unless a unique and immutable string is assigned at the moment of identification, management becomes troublesome. The identifier assigned for this purpose is called a reference identifier in ISO/IEC 24760-1, and the function that generates it is called a reference identifier generator.

Because identification uses attribute values, the reliability of the identification depends on the reliability of those values. Measuring the reliability of this set of attribute values is called Identity Proofing. Since Identity is defined as the set of attributes related to an entity, Identity Proofing means “verifying the set of attributes related to an entity”. What is called honnin kakunin (identity verification) in Japan can basically be regarded as a special case of this, in which the attributes are the “basic four” items of personal information. ISO/IEC 29115 proposes dividing the level of confidence in the values of this attribute set into four levels.

Identity management (IdM) manages the identity of the identified entity. To do so, it registers the identity in a registry called an Identity Register. The party that performs Identity Proofing and registers the result in the Identity Register is called a Registration Authority (RA).

Identities have a lifecycle. ISO/IEC 24760-1 proposes managing it in five phases: unknown, established, active, suspended and archived.

For an entity identified in this way to use an online service, it generates an identity online to act on its behalf and uses that. This identity must be something only the person themselves can create, and others must be able to confirm that the person controls it. The information used to ensure that only the person can create it is called a “credential”; it is something only the person can produce. A typical example is a password. The person presents this credential to a mechanism called a “verifier” or “Credential Service Provider (CSP)” to prove that the party present is indeed them. This is called authentication. The identity created through this authentication, which others can confirm is controlled by the person, is called an authenticated identity.

The reliability of this authenticated identity depends on the reliability of the credential used, and that in turn depends on how reliably the credential’s lifecycle is managed, from issuance through delivery, activation, use, suspension and deletion. And since the reliability of the resulting authenticated identity is the reliability of the attributes it contains (the fact of having authenticated with a credential is itself one attribute), it depends both on the reliability of the attributes verified in Identity Proofing and on the reliability of the credential.

Meanwhile, there are many attributes besides those used for identification. The Identity Register also stores attributes, but only those needed for Identity Proofing. Operations that stuff everything else in there as well are common, but that need not be the case; one can posit an independent attribute provider. ISO/IEC 24760-1 calls this an Identity Information Provider (IIP); in general the name Attribute Provider is more commonly used. An IIP that can issue authoritative information is called an Identity Information Authority (IIA). From the standpoint of freshness and accuracy, information should always be obtained from the IIA. However, that lets the IIA learn where the information was submitted, so sometimes one deliberately goes through another IIP to avoid this. That is a balance to be struck between privacy and accuracy of information. Note that an organization that creates and provides authenticated identities is also a kind of IIP; in the industry such an IIP is usually called an IdP.

Note also that an Identity Register can exist completely independently of credentials and of the creation of authenticated identities through authentication by the person. A customer database, for example, is a typical Identity Register, and managing it also falls within identity management in the broad sense.

On the other side are those who use the authenticated identities thus created. Because they rely on others for identity information, they are called Relying Parties (RPs). When the focus is on their providing services to the person or to third parties, they are also called Service Providers (SPs). An RP verifies the reliability and validity of the authenticated identity it receives, from signatures and the like, before using it.

The protocol by which an IIP and an RP request and respond with information is called an Identity Federation Protocol. OpenID Connect, whose specification I worked on, is a representative example. In OpenID Connect, only the minimum necessary attribute information is requested each time and, with the person’s permission, made available to the RP.

Now we have the functions needed for identity management and federation (roughly speaking; strictly there are PDPs, PEPs and so on, but let’s leave those for another time). The question is how to place these functions. There are efficiency, security and privacy perspectives; here I want to consider it from the privacy perspective.

The things to consider from a privacy perspective are summarized in what are called “privacy principles”. The OECD’s 8 principles and the US FIPPs are well known, but here I will use the principles of ISO/IEC 29100.

ISO/IEC 29100 has the following 11 principles.

1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

Of these, the ones that bear on placement are 3. Collection limitation, 5. Use, retention and disclosure limitation, and 6. Accuracy and quality.

“3. Collection limitation” is the requirement to collect no more information than the minimum needed to carry out the task at hand. To comply, it is not good for the identity register to collect information beyond what is needed at registration. Therefore the identity register and the other IIPs should be kept independent. The reference identifier generator and the identity register could be managed separately, but since the reference identifier ends up in the identity register anyway, it is more efficient to run them in the same organization. Meanwhile, the Registration Authority (RA), which performs identity proofing and registers the result in the identity register, is often run by a different organization from the Identity Register. Where the Identity Register records only part of the information used in Identity Proofing, the collection limitation principle suggests separating them. However, considering the identity lifecycle, the Identity Register and the RA should be operated quite closely together, and if that close relationship is not maintained, one can expect unintended disclosure and other privacy risks to rise. In view of this, I personally think the RA and the Identity Register may be operated as one.

“5. Use, retention and disclosure limitation” says that data may only be used in line with the purpose for which permission was obtained when it was collected, may only be retained to the extent necessary, and may only be disclosed within the scope consented to. This means data must be managed tied to its purpose of use and the consent given. Seen that way, managing data obtained for different purposes as one hodgepodge is rather difficult. Therefore RPs, too, should not be needlessly consolidated, but split up and managed so that the management burden does not grow too large.

Finally, “6. Accuracy and quality”. For this, as far as efficiency allows, it is better to obtain information from the IIA in real time. This is another reason not to needlessly concentrate information in the IdP. So attributes are best managed per IIA.

What remains is the CSP. It is quite conceivable to run the CSP together with the Identity Register. As for what privacy impact that would have, nothing very large comes immediately to mind. On the other hand, from a flexibility standpoint, separating them is also quite possible: if separated, an Identity Register could use multiple CSPs, or a CSP could serve multiple identity registers.

And so, finally, the answer to the question.

(1) Identifiers → Identity Register + RA

(2) Identity verification infrastructure → IdP + CSP

(3) Attributes → IIA/IIP

(4) Services → RP/SP

If we read them this way, the answer is that it seems best to split them up and manage them separately along these lines.
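The component split argued for above, modelled as an added example (this is not the author’s code, and the class names, the “basic four” attribute names and the sample person are all assumptions): the Identity Register keeps only proofing attributes behind a stable reference identifier, the IIP holds the rest and releases only what the RP requested and the user consented to, and the CSP turns a credential check into an authenticated identity.

```python
import hashlib
import secrets
import uuid

# Assumption: the "basic four" attributes used for honnin kakunin; names are ours.
PROOFING_ATTRIBUTES = frozenset({"name", "address", "birthdate", "sex"})


class IdentityRegister:
    """Identity Register: proofing attributes keyed by a reference identifier."""

    def __init__(self):
        self._records = {}  # reference identifier -> proofing attributes

    def register(self, attrs):
        # Collection limitation: refuse anything the register does not need.
        extra = set(attrs) - PROOFING_ATTRIBUTES
        if extra:
            raise ValueError(f"non-proofing attributes not allowed: {sorted(extra)}")
        # Identification: an attribute set already present maps to the same entity.
        for ref, rec in self._records.items():
            if rec == attrs:
                return ref
        # Reference identifier generator: unique and never changed afterwards.
        ref = str(uuid.uuid4())
        self._records[ref] = dict(attrs)
        return ref

    def update(self, ref, **changes):
        # Attribute values drift (e.g. a new address); the reference identifier does not.
        self._records[ref].update(changes)

    def lookup(self, ref):
        return dict(self._records[ref])


class RegistrationAuthority:
    """RA: performs identity proofing, then records the result in the register."""

    def __init__(self, register):
        self.register = register

    def proof(self, evidence):
        # Toy proofing rule: every proofing attribute must be present and non-empty.
        missing = [a for a in PROOFING_ATTRIBUTES if not evidence.get(a)]
        if missing:
            raise ValueError(f"identity proofing failed, missing {sorted(missing)}")
        return self.register.register({a: evidence[a] for a in PROOFING_ATTRIBUTES})


class CredentialServiceProvider:
    """CSP / verifier: binds a credential to a reference identifier and checks it."""

    def __init__(self):
        self._creds = {}  # reference identifier -> (salt, PBKDF2 hash)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue(self, ref, password):
        salt = secrets.token_bytes(16)
        self._creds[ref] = (salt, self._derive(password, salt))

    def authenticate(self, ref, password):
        salt, stored = self._creds[ref]
        if not secrets.compare_digest(stored, self._derive(password, salt)):
            return None
        # Authenticated identity: how authentication happened is itself an attribute.
        return {"sub": ref, "amr": ["pwd"]}


class IdentityInformationProvider:
    """IIP/IIA: holds the remaining attributes and releases only consented ones."""

    def __init__(self):
        self._attrs = {}

    def store(self, ref, **attrs):
        self._attrs.setdefault(ref, {}).update(attrs)

    def release(self, authenticated, requested, consented):
        if authenticated is None:
            raise PermissionError("no authenticated identity presented")
        # Data minimization: only claims both requested by the RP and consented to.
        allowed = set(requested) & set(consented)
        have = self._attrs.get(authenticated["sub"], {})
        return {**authenticated, **{k: have[k] for k in allowed if k in have}}


def demo():
    register = IdentityRegister()
    ra, csp, iip = RegistrationAuthority(register), CredentialServiceProvider(), IdentityInformationProvider()
    evidence = {"name": "Taro Yamada", "address": "Chiyoda-ku, Tokyo", "birthdate": "1980-01-01",
                "sex": "M", "employer": "Example Corp"}  # constructed sample person
    ref = ra.proof(evidence)                      # only the four proofing attributes are kept
    csp.issue(ref, "correct horse battery staple")
    iip.store(ref, employer=evidence["employer"], email="taro@example.com")
    register.update(ref, address="Minato-ku, Tokyo")    # the address changes ...
    same_ref = register.register(register.lookup(ref))  # ... identification still yields the same ref
    authn = csp.authenticate(ref, "correct horse battery staple")
    # The RP asks for two claims; the user consented to one. Only that one is released.
    assertion = iip.release(authn, requested=["employer", "email"], consented=["employer"])
    return ref, same_ref, authn, assertion
```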

by Nat at July 24, 2014 11:22 AM

May 19, 2014

OpenID.net

The Economics of Identity

Those of us working on Internet identity issues have lots of conferences to attend when it comes to technology and privacy. Less attention has been paid to how to make money, how value is created, and how business models and monetization work across sectors. Meanwhile governments and companies are reorganizing to better address Internet identity as a cross-sector “strategic utility”. OIX Vice Chairman and Senior Fellow / CTO at Symantec, Paul Agbabian, has encouraged OIX’s quantitative market research on new and emerging internet identity services. OIX’s market research on identity business cases has three elements.

OIX has helped fund Control Shift’s independent primary research on market take-up in the UK. A diverse set of organizations are contributing to the study by providing data and insights and helping to identify revenue opportunities and efficiencies relevant to their sectors and business models. The more comprehensive the sources, the more complete the UK study becomes and the more applicable the model is to other markets. OIX is planning to publish the results in early June.

We’ve commissioned a series of white papers on value drivers like liability, trustmarks, alternatives to third party certification, etc. to provide new solutions for the roadblocks of bringing new systems and services online. This provides presenters and participants with “pre-reads” to maximize the value of attending for all, and the basis for follow-up research.

OIX is building a series of “Economics of Identity” workshops with members and partners. The first of the series will take place on June 9th at the KPMG offices in Canary Wharf, London’s financial and banking heart. This event will be a global summit to consider the ‘economics’ of internet identity that includes very senior level public and private sector leaders. The attendees of this workshop will be privy to a convergence of OIX White Papers and IDAP industry project showcases, enabling the discussion on understanding this market’s economic value. Alexander B. Howard, renowned writer and editor spanning technology issues of online identity, will MC the event.

We will follow that event at The Gates Center at the University of Washington in Seattle on June 23rd and are planning additional workshops in September 2014 and Spring 2015.

by jfe at May 19, 2014 11:27 PM

May 15, 2014

OpenID.net

Covert Redirect

“Covert Redirect”, publicized in May, 2014, is an instance of attackers using open redirectors – a well-known threat, with well-known means of prevention. The OpenID Connect protocol mandates strict measures that preclude open redirectors to prevent this vulnerability.

Please see Section 4.2.4 of RFC 6819 (http://tools.ietf.org/html/rfc6819#section-4.2.4) for more information on open redirector threats and their prevention.

by Pamela Dingle at May 15, 2014 09:12 PM
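The measure the note above refers to is the exact matching of pre-registered redirect URIs at the authorization endpoint (OpenID Connect Core 3.1.2.1, RFC 3986 6.2.1 simple string comparison). The following is an added example written for this page, not code from the OpenID Foundation post: a flawed prefix check of the kind that makes an authorization endpoint usable as an open redirector, next to the strict check, and a minimal endpoint that refuses to redirect to an unverified URI as RFC 6749 4.1.2.1 requires. The client id, the URIs and the authorization code are constructed sample values.

```python
# Added example (not code from the OpenID Foundation post): redirect_uri checking at an
# OpenID Provider's authorization endpoint. The flawed prefix check is the kind of mistake
# that turns the endpoint into an open redirector; the strict check does the exact string
# comparison OpenID Connect Core 3.1.2.1 requires. Client id, URIs and the authorization
# code below are constructed sample values.
from urllib.parse import urlencode

# Constructed registration data: clients pre-register every full redirect URI they use.
REGISTERED_CLIENTS = {
    "client-abc": {"redirect_uris": {
        "https://rp.example/cb",
        "https://rp.example/oidc/callback",
    }},
}


def weak_redirect_ok(client_id, redirect_uri):
    """Flawed: accepts anything that starts with a registered URI, so an extra path,
    query string or dot-segment chosen by someone else is accepted as well."""
    client = REGISTERED_CLIENTS.get(client_id)
    return client is not None and any(
        redirect_uri.startswith(r) for r in client["redirect_uris"])


def strict_redirect_ok(client_id, redirect_uri):
    """Exact match against the registered set (RFC 3986 6.2.1 simple string comparison);
    no normalization, no prefix matching, no wildcards."""
    client = REGISTERED_CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def handle_authorization_request(params, code="SplxlOBeZQQYbYS6WxSbIA"):
    """Minimal authorization endpoint. Returns (status, body_or_location).

    A request with an unregistered redirect_uri is answered in place: per RFC 6749
    4.1.2.1 the user agent is never redirected to the unverified URI, not even to
    report the error, because that redirect is what an open-redirector abuse needs."""
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if not strict_redirect_ok(client_id, redirect_uri):
        return 400, "invalid_request: redirect_uri is not registered for this client"
    # (user authentication and consent would happen here; `code` is a constructed sample)
    query = {"code": code}
    if "state" in params:
        query["state"] = params["state"]   # echo state so the RP can bind the response
    return 302, f"{redirect_uri}?{urlencode(query)}"
```

The exact-match rule only helps if the registered URI itself is a real callback handler; a Relying Party that registers a forwarding endpoint as its redirect URI reintroduces the problem on its own side.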

May 12, 2014

Kaliya Hamlin

Rosie the [New Language] Developer – Where are you?

This past week we [me, Phil, Heidi + Doc] put on the Internet Identity Workshop. It was amazing.

There is a new project / company forming and they are very keen to have women programmers/developers in the first wave of hires.  They are also committed to cultural diversity.

Since they are developing in a new language – you don’t need to have experience in “it” – you just need to have talent and the ability to learn new things.

I asked them for a list of potentially helpful prerequisites:

  • Some experience with ruby on rails
  • Some experience with JSON
  • Some experience with XML
  • Some experience with HTML5
  • Some experience with semantic data modeling
  • Some understanding of the ideas related to the semantic web and giant global graphs

If you are reading the list and thinking – I don’t have “all” of those qualifications…then read this before you decide not to reach out to learn more – The Confidence Gap from this month’s Atlantic.  TL;DR: “Remember that women only apply if they have 100% of the job’s qualifications, but men apply with 60%!”

Please be in touch with me if you are interested. I will connect you with them this week.

Kaliya [at] identitywoman [dot] net

by Kaliya Hamlin, Identity Woman at May 12, 2014 06:25 PM

May 05, 2014

Kaliya Hamlin

Field Guide to Internet Trust Models: Introduction

This is the first in a series of posts that cover the Field Guide to Internet Trust Models Paper.

The post for each of the models is here – the full paper is downloadable [Field-Guide-Internet-TrustID]

The decreasing cost of computation and communication has made it easier than ever before to be a service provider, and has also made those services available to a broader range of consumers. New services are being created faster than anyone can manage or even track, and new devices are being connected at a blistering rate.

In order to manage the complexity, we need to be able to delegate the decisions to trustable systems. We need specialists to write the rules for their own areas and auditors to verify that the rules are being followed.

This paper describes some of the common patterns in internet trust and discusses some of the ways that they point to an interoperable future where people are in greater control of their data. Each model offers a distinct set of advantages and disadvantages, and choosing the appropriate one will help you manage risk while providing the most services.

For each, we use a few, broad questions to focus the discussion:

  • How easy is it for new participants to join? (Internet Scale)
  • What mechanisms does this system use to manage risk? (Security)
  • How much information do the participants require from one another, and how strongly is it verified? (Level of Assurance)

(Level of Assurance – not what I think assurance is…but we can talk – it often also refers to the strength of security, like the number of authentication factors)

Using the “T” Word

Like “privacy”, “security”, or “love”, the words “trust”, “identity”, and “scale” carry so much meaning that any useful discussion has to begin with a note about how we’re using the words.

This lets each link the others to past behavior and, hopefully, predict future actions. The very notion of trust acknowledges that there is some risk in any transaction (if there’s no risk, I don’t need to trust you), and we define trust roughly as:

The willingness to allow someone else to make decisions on your behalf, based on the belief that your interests will not be harmed.

The requester trusts that the service provider will fulfill their request. The service provider trusts that the user won’t abuse their privileges, or will pay some agreed amount for the service. Given this limited definition, identity allows the actors to place one another into context.

Trust is contextual. Doctors routinely decide on behalf of their patients that the benefits of some medication outweigh the potential side effects, or even that some part of their body should be removed. These activities could be extremely risky for the patient, and require confidence in the decisions of both the individual doctor and the overall system of medicine and science. That trust doesn’t cross contexts to other risky activities. Permission to prescribe medication doesn’t also grant doctors the ability to fly a passenger airplane or operate a nuclear reactor.

Trust is directional. Each party’s trust decisions are independent, and are grounded in the identities that they provide to one another.

Trust is not symmetric. For example, a patient who allows a doctor to remove part of their body should not expect to be able to remove parts of the doctor’s body in return. To the contrary, a patient who attempts to act in this way would likely face legal sanction.

Internet Scale

Services and APIs change faster than anyone can manage or even track. Dealing with this pace of change requires a new set of strategies and tools.

The general use of the term “Internet Scale” means the ability to process a high volume of transactions. This is an important consideration, but we believe that there is another aspect to consider. The global, distributed nature of the internet means that scale must also include the ease with which the system can absorb new participants. Can a participant join by clicking “Accept”, or must they negotiate a custom agreement?

In order to make this new world of user-controlled data possible, we must move from a model of broad, monolithic agreements to smaller, specialized agreements that integrate with one another and can be updated independently.

A Tour of the Trust Models

The most straightforward identity model, the sole source, is best suited for environments where the data is very valuable or it is technically difficult for service providers to communicate with one another. In this situation, a service provider issues identity credentials to everyone it interacts with and does not recognize identities issued by anyone else. Enterprises employing employees, financial institutions, medical providers, and professional certifying organizations are commonly sole sources. Because this is the most straightforward model to implement, it is also the most common.

Two sole sources might decide that it’s worthwhile to allow their users to exchange information with one another. In order to do so, they negotiate a specific agreement that covers only the two of them. This is called a Pairwise Agreement and, while it allows the two parties to access confidential resources, the need for a custom agreement makes it difficult to scale the number of participants. This is also a kind of federated identity model, which simply means that a service accepts an identity that is managed someplace else.

As communication technology became more broadly available, the number of institutions who wanted to communicate with one another also increased. Groups of similar organizations still wanted to issue their own identities, but wanted their users to be able to interact freely with one another. The prospect of each service having to negotiate a custom agreement with every other service was daunting, so similarly chartered institutions came up with standard contracts that allow any two members to interact. These groups are called Federations, and there are several different kinds. Federation agreements and membership are managed by a Contract Hub.

When the federation agreement limits itself to policy, governance, and common roles, but leaves technical decisions to the individual members, it’s referred to as a Mesh Federation. Individual members form a mesh, and can communicate directly with one another using whatever technology they prefer.

Alternatively, a Technical Federation defines communication methods and protocols, but leaves specific governance and policy agreements to the members. In some cases, the technical federation may also route messages between the members.

As the number of services has increased, so has the problem of managing all of those usernames and passwords. Users might decide to reuse an existing identity rather than creating a new one. In recent years, some organizations have made identities that they issue available to other services. Service providers accept these identities because it lowers the cost of user acquisition. When the same entity provides identities for both the requester and the service provider, it is referred to as a Three Party Model.

If the requester and the service provider have separate but compatible identity providers, it is called a Four Party model. This is present in highly dynamic settings, such as credit card processing.

Peer-to-peer networks are for independent entities who want identity assurance, but who lack a central service that can issue identities to everyone. To get around this, the participants vouch for one another’s identities.

Individual contract wrappers are an innovation to enable complex connections between services where the terms and conditions of using the data are linked to the data.

Common Internet Trust Models

Sole source: A service provider only trusts identities that it has issued.

Pairwise Federation: Two organizations negotiate a specific agreement to trust identities issued by one another.

Peer-to-Peer: In the absence of any broader agreement, individuals authenticate and trust one another.

Three-Party Model: A common third party provides identities to both the requester and the service provider so that they can trust one another.

“Good Enough” Portable Identity: In the absence of any institutional agreement, service providers accept individual, user-asserted identities.

Federations: A single, standard contract defines a limited set of roles and technologies, allowing similar types of institution to trust identities issued by one another.

Four-Party Model: An interlocking, comprehensive set of contracts allows different types of entity to trust one another for particular types of transaction.

Centralized Token Issuance, Distributed Enrollment: A shared, central authority issues a high-trust communication token. Each service provider independently verifies and authorizes the identity, but trusts the token to authenticate messages.

Individual Contract Wrappers: Manage how personal data is used rather than trying to control collection. Information is paired with contract terms that govern how it can be used, and parties are held accountable for compliance through contract law.

Open Trust Framework Listing: An open marketplace for listing diverse trust frameworks and approved assessors.

Personal Cloud + Agents: An individual has a personal cloud and delegates agents it trusts to work on their behalf.

by Kaliya Hamlin, Identity Woman at May 05, 2014 06:13 PM

April 07, 2014

Kaliya Hamlin

Big Data and Privacy

On Friday I responded to the Government “Big Data” Request for Comment.

I will get to posting the whole thing in blog form – for now here is the PDF. BigData-Gov-2

by Kaliya Hamlin, Identity Woman at April 07, 2014 02:13 AM

April 01, 2014

OpenID.net

More Momentum: OpenID Connect Adoption

In my last blog, I noted, “it’s time to build out the final elements of OpenID Connect and move to mobile.” We’ll soon announce the official working group with the GSMA focused on an OpenID Connect mobile profile. Foundation members, partners and independent developers continue to integrate OpenID Connect, in robust and interoperable identity services, into enterprise solutions.  Enterprise solutions are the focus of OpenID Workshops preceding the European Identity Conference in Munich in May and the Cloud Identity Summit in Monterey, California.

OIDF member salesforce.com is hosting a webinar next week on Wednesday, April 9th, “OpenID Connect: The new standard for connecting to your Customers, Partners, Apps and Devices.” You can find more information and register by clicking on this link. Join Chuck Mortimore, Pat Patterson, and Ian Glazer’s socks as they overview how OpenID Connect can help better connect customers, partners, apps, and devices. Chuck, Pat and Ian will speak to how OpenID Connect builds on OAuth and how to consume OpenID Connect from identity providers with Social Sign-On. While this webinar is aimed at a technical audience, I’m confident that anyone looking to learn more about identity and standards will benefit.

I will continue to keep you abreast of OpenID Connect events and adoption success stories. Feel free to contact me directly with any events or experiences that you feel should be highlighted.

Thanks,

Don

by jfe at April 01, 2014 09:05 PM

March 21, 2014

OpenID.net

Growing list of OpenID Connect libraries available

The list of publicly available OpenID Connect libraries is growing, with implementations available for numerous development platforms and environments, including Drupal, Java, PHP, Python, and Ruby. See the Libraries page for a list of OpenID Connect libraries, as well as libraries implementing the related JSON Web Token (JWT) and JSON Object Signing and Encryption (JOSE) specifications. These libraries make it easy to join the likewise growing list of OpenID Connect deployments.

If your library isn’t listed and you’d like it to be, please drop us a note on the code@openid.net mailing list or the general@openid.net mailing list.

Also, if you’re interested in participating in OpenID Connect interop testing, please join the openid-connect-interop@googlegroups.com mailing list and ask to be added to the current OpenID Connect interop.

by Mike Jones at March 21, 2014 12:45 AM

March 20, 2014

Santosh Rajan

Browser supported Single Sign on with Email Addresses


In this post I would like to explore Single Sign-On with email addresses, with the support of the user's browser. Browsers do not currently support Single Sign-On. Recently Mozilla showcased their concept of BrowserID.

I am not comfortable with their use of asymmetric keys, because this requires the user to manage his own private/public keys. Indeed BrowserID will ease the process for the user, but he still needs a private key on every computer he uses. And this may include public computers at browsing centers etc.

So here, I will present a Single Sign-On process that will not require asymmetric keys. For the sake of this post we will call the user's email provider "email.com", the site he wants to sign into "site.com", and the scheme itself "BSSO", for Browser Supported Single Sign-On. This article will not get into the details of algorithms etc., because each step described here can be carried out in many ways, and has already been implemented in some form or other by other protocols. A good example is OpenID 2.0.

First, I will describe the process when the user is already signed into "email.com", and wants to sign into "site.com".

Case 1 - User signed into email.com


Step 1
The user browses to "site.com". "site.com" needs to indicate to the user's browser that it supports BSSO. This can be done in many ways. I will give one example here. On site.com's page it can include two elements. One element in the html head part like below
<link href="https://site.com/bsso" rel="bsso_end_point"/>
In the body part it can have an element with id "bsso_sign_in_button".
The rel="bsso_end_point" link element will indicate to the browser that this site supports BSSO and it should listen to the click event of the element with id="bsso_sign_in_button".

Step 2
When the user clicks the "Sign In" button for "site.com", the browser will make an authentication request to "email.com" on behalf of "site.com", passing "site.com"'s end point. This requires the user to have pre-selected his preferred email address(es) in the browser's BSSO setup; if not, the browser will show a popup asking the user to select his preferred email address. The browser may also have discovered "email.com"'s end point during setup using WebFinger.

Step 3
"email.com" returns a positive assertion of the user's email address. This is not a problem because the user is currently signed into "email.com". Also a private "association key" is included along with the assertion.

Steps (2) and (3) are transparent to the user. The browser makes a cross-domain AJAX request to "email.com". This is possible because it is the browser making the request and not any JavaScript on "site.com"'s page.

Step 4
The browser now directs the user to "site.com"'s end point URL with an HTTP POST request, with the assertion returned from "email.com" in the POST body.

Step 5
"site.com" will now verify the assertion by sending the assertion along with the association directly to "email.com"'s end point. "site.com" would also have followed the WebFinger protocol to determine the end point. It is possible for "site.com" to request a time-bound association with "email.com", so that Steps 5 and 6 can be avoided in subsequent requests.

Step 6
"email.com" will respond with success or failure. 

Case 2 - User Not signed into email.com

In the case where the user is not signed into "email.com", in Step 3 "email.com" will respond with a "user not signed in" response along with a sign-in URL that might have an encoded token in its query parameter. (The encoded token is for preventing phishing; I am not yet sure whether this token is required.) The browser will pop up a window, listen for the popup's close event, and direct the user to the returned sign-in URL. After sign-in, "email.com" must "close" the popup via JavaScript. When the popup is closed the browser will continue with Step 2 again. In case the popup was closed without the user signing in, the browser will receive "user not signed in" a second time, in which case the browser has to query the user again.

Some Notes
This may look like a lot of steps, but the user only "sees" (1) and (4). Also, (5) and (6) are not required after "site.com" and "email.com" have established an association.

Phishing is not possible, because there are no redirects from "site.com".

The user can sign in from anywhere, there is no need to have any private keys on the computer being used.

Unlike BrowserID, "email.com" will be aware of the sites the user signs into. I don't know how much of a problem this is. It's a debatable issue I guess.

by Santosh Rajan at March 20, 2014 03:56 AM
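To make the six steps above and the Case 2 retry concrete, here is an added example written for this page; it is not the post author's code. It simulates email.com, site.com and the browser in one process. The "association key" is modelled as an HMAC secret that email.com shares directly with site.com (as OpenID 2.0 associations do), with only a handle travelling inside the assertion; the assertion field names, the audience (site end point) binding, the nonce replay check and the sample users are assumptions of this example, not part of the post.

```python
# Added example written for this page, not the post's own code: an in-process simulation
# of the BSSO exchange. The "association key" is modelled as an HMAC secret shared between
# email.com and site.com (as in OpenID 2.0 associations); the assertion field names, the
# audience check, the nonce and the sample users are assumptions of this example.
import hashlib, hmac, secrets, time

SITE_ENDPOINT = "https://site.com/bsso"   # the rel="bsso_end_point" link from Step 1


def _sign(secret, assertion):
    # HMAC over canonical "key:value" lines of every field except the signature itself.
    lines = "\n".join(f"{k}:{assertion[k]}" for k in sorted(assertion) if k != "sig")
    return hmac.new(secret, lines.encode(), hashlib.sha256).hexdigest()


class EmailProvider:
    """email.com: tracks signed-in browser sessions and issues signed assertions."""
    def __init__(self):
        self.sessions = {}          # session cookie -> email address
        self.associations = {}      # assoc handle -> (secret, expiry, site end-point)
        self.current_handle = {}    # site end-point -> newest assoc handle

    def sign_in(self, email):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = email
        return cookie

    def associate(self, site_endpoint, ttl=3600):
        """Time-bound association requested by site.com, so it can skip Steps 5 and 6."""
        handle, secret = secrets.token_urlsafe(8), secrets.token_bytes(32)
        self.associations[handle] = (secret, time.time() + ttl, site_endpoint)
        self.current_handle[site_endpoint] = handle
        return handle, secret

    def authenticate(self, cookie, site_endpoint):
        """Steps 2 and 3: the browser asks for an assertion on behalf of site_endpoint."""
        email = self.sessions.get(cookie)
        if email is None:   # Case 2: hand back a sign-in URL for the browser's popup
            return {"status": "user_not_signed_in",
                    "sign_in_url": "https://email.com/signin?t=" + secrets.token_urlsafe(8)}
        handle = self.current_handle.get(site_endpoint)
        if handle is None or time.time() >= self.associations[handle][1]:
            handle, _ = self.associate(site_endpoint)   # no live association yet: make one
        assertion = {"email": email, "audience": site_endpoint, "assoc_handle": handle,
                     "nonce": secrets.token_urlsafe(8), "issued_at": str(int(time.time()))}
        assertion["sig"] = _sign(self.associations[handle][0], assertion)
        return {"status": "ok", "assertion": assertion}

    def verify(self, assertion):
        """Step 6: direct verification of an assertion that site.com sends back to us."""
        entry = self.associations.get(assertion.get("assoc_handle"))
        if entry is None:
            return False
        secret, expiry, site_endpoint = entry
        if time.time() > expiry or assertion.get("audience") != site_endpoint:
            return False
        return hmac.compare_digest(_sign(secret, assertion), assertion.get("sig", ""))


class Site:
    """site.com: its end-point receives the POSTed assertion (Step 4) and verifies it."""
    def __init__(self, email_provider):
        self.email_provider = email_provider   # stands in for a direct HTTPS request
        self.assoc_secrets = {}                # handle -> secret obtained directly from email.com
        self.seen_nonces = set()
        self.last_verified_via = None

    def establish_association(self):
        handle, secret = self.email_provider.associate(SITE_ENDPOINT)
        self.assoc_secrets[handle] = secret

    def receive_post(self, assertion):
        """Returns the asserted email address on success, None otherwise."""
        if assertion.get("audience") != SITE_ENDPOINT or assertion.get("nonce") in self.seen_nonces:
            return None   # minted for another site, or replayed
        secret = self.assoc_secrets.get(assertion.get("assoc_handle"))
        if secret is not None:   # association on file: verify locally, no round trip
            self.last_verified_via = "association"
            ok = hmac.compare_digest(_sign(secret, assertion), assertion.get("sig", ""))
        else:                    # Steps 5 and 6: ask email.com directly
            self.last_verified_via = "direct"
            ok = self.email_provider.verify(assertion)
        if not ok:
            return None
        self.seen_nonces.add(assertion["nonce"])
        return assertion["email"]


class Browser:
    """The user agent: runs Steps 2 to 4 and, in Case 2, the sign-in popup."""
    def __init__(self, email_provider, site, cookie=None):
        self.email_provider, self.site, self.cookie = email_provider, site, cookie

    def click_sign_in(self, sign_in_popup=None):
        """sign_in_popup(url) models the popup; it returns a session cookie or None."""
        for attempt in (1, 2):
            resp = self.email_provider.authenticate(self.cookie, SITE_ENDPOINT)   # Step 2
            if resp["status"] == "ok":
                return self.site.receive_post(resp["assertion"])   # Step 4: HTTP POST to end-point
            if attempt == 2 or sign_in_popup is None:
                return None   # "user not signed in" twice: the browser must ask the user again
            self.cookie = sign_in_popup(resp["sign_in_url"])   # Case 2: popup, then retry Step 2
```

Two choices in this model go beyond the post's text. The assertion names the site end point it was minted for and site.com rejects any other audience, so an assertion obtained for one site cannot be posted to another; and the nonce is remembered so the same POST body cannot be accepted twice. Keeping the association secret out of the browser (only the handle rides in the assertion) is what lets site.com verify locally without the browser ever being in a position to forge assertions.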

March 19, 2014

OpenID.net

Last Call on the Launch and the Move to Mobile

This is my first blog after a successful OpenID Connect launch in San Francisco, Barcelona and Japan on February 26th. The launch generated global buzz and coverage. Below are a few links to my previous posts highlighting statements of support and press coverage:
Statements of Support
Additional Statements of Support
OpenID Connect Press Coverage

Congratulations to the OpenID Foundation Marketing Committee and the membership as a whole for the creativity and commitment that launched OpenID Connect from Tokyo, San Francisco and Barcelona.

On behalf of the Foundation, a “thank you” to Tim Bray for his expertise and overall contributions to the OpenID Connect launch. We await news from Tim as he decides what‘s next in his highly successful career. We are happy to hear Tim will never be too far from the OpenID Foundation’s work.

Jeff Fishburn from OnPR led the PR efforts and ensured that OpenID Connect received the coverage it deserved at the very “noisy” RSA and Mobile World Congress events. I appreciate the efforts of the PR teams at the GSMA, Google, Microsoft, Ping, Salesforce, ForgeRock and others as well as our OpenID Foundation Japan colleagues in ensuring a successful launch. Thanks to Microsoft and Google providing direct funding to support of launch activities. Jeff Fishburn’s firm, OnPR, has been a long standing supporter of Jeff’s volunteer efforts on the Marketing Committee over the last few years.

And thanks to Mike Leszcz who has been working with me on OIXnet as Technical Program Manager. Mike helped coordinate the OpenID Connect launch with OIX members like the GSMA. Mike worked closely with Jeff Fishburn on communication efforts and coordinated launch support across time zones, late night deadlines and member organizations.

Now it’s time to build out the final elements of OpenID Connect and prepare to move to mobile. I spent last week in London at the headquarters of OIDF member, the GSMA. We had a big crowd for the kick-off of a new mobile centric working group. It was a diverse turnout of mobile network operators (MNOs), telcos, data aggregators, bureaus, IDPs, SPs, RPs, government standards representatives and others. The all-important scoping discussion was encapsulated in what to call this new working group. Should it be a profile for mobile network operators? Understandable, certainly legitimate, but even the GSMA representatives pushed for more. Tim Bray encouraged the group to leverage the momentum of OpenID Connect to address the systemic needs of the market, developers and consumers alike. Despite, or because of the diversity of stakeholders in the room, a strong consensus grew around the timeliness and importance of the work group’s focus.

OIDF Chairman Nat Sakimura used the OIDF Work Group chartering process to articulate what is now “The Mobile Profile for OpenID Connect Working Group.” No doubt soon to be nicknamed “Mobile Connect”. This Working Group plans to apply to the Specs council to develop an OpenID Connect profile intended for use by MNOs providing identity services to RPs and for RPs in consuming those services as well as any other party wishing to be interoperable with this profile. David Pollington, Senior Director of Technology at the GSMA, is acting Chair of the WG. The draft Charter is also available here and it has been submitted to the OIDF specs list for approval.

I draw your attention to that last part. As part of this work, the Working Group will identify and make recommendations for additional Connect standards items. This is a positive as it can complement and further strengthen Connect adoption. It also signals the increasingly important compatibility with other protocols in the OIDF pipeline, notably Account Chooser and NAPPs. This also strengthens emerging federation architectures in enterprise, government and other sectors.

Foundation members and others interested in the progress of this Working Group, as well as others, are invited to join. Foundation workshops detailing the development of all OIDF protocols are planned for the EIC in Munich, at the Yahoo! Campus before the May IIW, at the European Identity Conference in Munich, and at the Cloud Identity Summit in Monterey, CA in July.

None of this would have been possible without the dedication, direct funding and on-going support of the OIDF and OIX members. Thank you again and I look forward to continuing our work together.

Don Thibeau
Executive Director
OpenID Foundation

by jfe at March 19, 2014 05:04 PM

March 11, 2014

Kaliya Hamlin

Meta-Governance

This spring I attended the Executive Education program Leadership and Public Policy in the 21st century at the Harvard Kennedy school of government with fellow Young Global Leaders (part of the World Economic Forum).  A line of future inquiry that came to me by the end of that two weeks –

How do we design, create, get functioning and evolve governance systems?

The governance of governance systems = Meta-Governance.

At the Kennedy program all they could talk about was “individual leadership” (with good advice from good teams of course) at the top of organizations.  They all waved their hands and said “Good luck young leaders, we know it’s more complicated now…and the problems are bigger than just organizational size, but we don’t really know what to tell you about inter-organizational collaborative problem solving and innovation…so good luck”.

It was surreal because this inter-organizational, complex space is where I spend my work life helping design and facilitate unconferences – it is in that complex inter-organizational place.

I have this clear vision about how to bring my two main career bodies of knowledge together (digital identity + digital systems, and design and facilitation of unconferences using a range of participatory methods) along with a range of other fields/disciplines that I have tracked in the last 10 years.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:18 AM

Kaliya Hamlin

Core Concepts in Identity

One of the reasons that digital identity can be such a challenging topic to address is that we all swim in the sea of identity every day.  We don’t think about what is really going on in the transactions…and many different aspects of a transaction can all seem to be one thing.  The early Identity Gang conversations focused a lot on figuring out what some core words meant, and developed first a shared understanding and then a shared language to talk about these concepts in the community.

I’m writing this post now for a few reasons.

There is finally a conversation about taxonomy with the IDESG (Yes! After over a year of being in existence it is finally happening; I recommended in my NSTIC NOI Response that it be one of the first things focused on).

Secondly I have been giving a 1/2 day and 1 day seminar about identity and personal data for several years now (You can hire me!).  Recently I gave this seminar in New Zealand to top enterprise and government leaders working on identity projects 3 times in one week.  We covered:

  • The Persona and Context in Life
  • The Spectrum of Identity
  • What is Trust?
  • A Field Guide to Internet Trust
  • What is Personal Data
  • Market Models for Personal Data
  • Government Initiatives Globally in eID & Personal Data

I created a new section of this presentation to cover some core concepts that I realized needed to be fully articulated to talk about

Identifiers (generic)

Identifiers are pointers.

A description of an object and a location can be an identifier for it – “The green chair in the corner.”

Names

Names are identifiers.

The names of people are ways to identify them in the context of the society in which they live.  Different societies have different conventions for naming people.

Names are asserted by people about themselves.

Some people use different names in different contexts.

Names are often not unique (that is, more than one person will have the same name as another person).

Identifiers in modern systems 

In modern society governments, organizations and businesses all provide services to people (citizens). Since names are not unique, the builders of these systems needed to figure out how to identify people in order to do the record keeping.  A sensible solution was to assign each person a unique identifier number so that interactions between the person and the system could be correlated.

Examples: 

An identifier that people in the United States have to track their engagement with the pension system is the Social Security Number. It is issued or assigned to people by the Social Security Administration.  Today it is common practice for this number to be issued at birth to babies born in the US. People born outside of the US who come to the country can apply to get a number.

It is normal practice to register children’s births with the jurisdiction in which they are born. A form is filled out by the parents and signed by a physician and submitted. Then a birth certificate is issued. The birth certificate has a serial number on it that identifies it as a unique document.

Note: Billions of people world wide do NOT have this type of document.

Companies issue numbers to their customers to track them and their interactions with a company.  When you call a company to interact with them they ask you what your customer number is.  The bar code on loyalty cards encodes a customer number and when they scan it with a purchase – which then links that purchase with prior ones.

Identifiers with End-Points (Digital Identifiers)

The types of identifiers described above are issued by bureaucratic systems and point to particular people.  They are, however, not end-points on a network: information cannot be sent to them, and the person the identifier points at cannot perform a technical authentication to prove that they are indeed at the end of that end-point and entitled to receive the information.

One type of network with end-points that we are familiar with is relatively modern but predates electronic networks: the street address system.  Integrity in this system is backed up by laws in the US that impose severe consequences for its use for fraudulent purposes. It is also illegal to open mail not addressed to you.

In electronic systems we have identifiers that point to people and are also end-points. These include phone numbers, e-mail addresses, debit card numbers, employee logins, etc. Information is sent to these identifiers, and access to resources is available via the end-point. To make sure information is only seen by the person it was for (the person the identifier points at), and that only that person can access resources, these electronic systems must support the person proving that they are indeed the person a particular identifier points at.  This requires that systems provide ways to do Technical Authentication (AuthN).

This can be done in a variety of ways – sharing a secret only they know (password or PIN), sharing a changing secret that only they have access to it (a code that changes on a token or in software generating a one time password), scanning a body part to see if it matches the body part that matches one that was enrolled, having a thing that only they have (a phone with the SIM card in it, a debit card). Different types of technical authentication are possible for different systems but they have the basic function of supporting the person who the identifier points at being able to prove to the system that they are the person a particular identifier points at.

More sophisticated systems issue both a “core” identifier that is the primary pointer at a particular person AND a different identifier that is an authentication end-point.  This has an advantage because if control over the authentication end-point is lost then it can be re-issued but the core identifier stays the same.

Attributes

Attributes are things about a person (or an entity).

They include personal details like birthday, age, gender, residence, place of work, income, preferences and habits, credentials from educational institutions, record of employment.

Claims

Claims can include identifiers (both authenticatable end-points, identifiers that are not end-points / not resolvable) and attributes.

Proofing / Verification 

This is the process where the certain things that you claim about yourself are checked to see if the assertions line up with how you presented yourself in the past or how facts about you were recorded in record keeping systems.

One way that proofing is done is the in-person presentation of formal, government-issued paperwork that affirms certain claims: a birth certificate asserts a birth date; a passport asserts citizenship and has a photo asserting likeness; a driver’s license has a photo asserting likeness and a residential address (asserted by the person when getting the license).

Another way to do proofing is to look up claims by people about themselves in databases managed by data brokers.

Document Validation

This is the process where presented documents can be checked to see if they are valid – that they were in fact issued by the authority and that the name on the presented document matches the one on file. These are typically set up so that the person viewing a document presented by an individual can type in the document information (serial number, birthdate, name) and find out via a yes/no answer whether it is a valid document.

The E-Verify program for employers is a system designed to do this. It should be noted that this process has a negative impact particularly on transgender people who have hidden their gender at birth from their employer and who are rejected by the system when the gender they present to their employer does not match the one in the Social Security Administration's records.

Enrollment

This is the process that people go through to be issued an identifier in a system. This is true for identifiers with and without an authentication end-point. What information do they need to present? How is it checked or verified? Do they need to do it in person? Does it involve the collection of a biometric (photo, fingerprint, iris scan)? The end result of an enrollment process is the issuance of an identifier and often some type of credential that can be used to authenticate into a system. For example: a student ID card at a university has a student number on it AND a magnetic stripe (with an identifier for that particular card) that can be used to authenticate the student (by swiping it in a card reader) to gain access to the student dorm they live in or to libraries on campus.

Authentication – AuthN

This is what happens after one is enrolled in a system and an individual has an end-point that they want to use – they have to authenticate via any one of a number of methods to prove they are indeed the person who set up the account or was issued the identifier.

(repeated from above) This can be done in a variety of ways – sharing a secret only they know (a password or PIN), sharing a changing secret that only they have access to (a code that changes on a token or in software generating a one-time password), scanning a body part to see if it matches the one that was enrolled, or having a thing that only they have (a phone with the SIM card in it, a debit card). Different types of technical authentication are possible for different systems, but they all serve the same basic function: letting the person an identifier points at prove to the system that they are indeed the person that identifier points at.

Authorization – AuthZ

Once authentication is done in a digital system, the question is what resources can be accessed and what can be done to them (just read them, read and write them, delete them) – what is authorized.

One way Authorization is managed is by defining roles and determining access based on roles.
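As an added illustration (not part of the original post), here is a small Python model of the lifecycle the glossary describes: enrollment issues a stable core identifier plus a separately re-issuable authentication end-point, authentication checks a shared secret against that end-point, and role-based authorization decides read/write/delete. All identifiers, secrets and the role table are constructed for the example; the operation names and roles are assumptions, not from the post.

```python
"""Toy identity system: core identifier, re-issuable authentication
end-point, credential check, and role-based authorization."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed policy: role -> permitted operations, following the post's
# "just read them, read and write them, delete them" progression.
ROLE_PERMISSIONS = {
    "reader": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


@dataclass
class Principal:
    core_id: str                 # primary pointer at the person; never changes
    auth_endpoint: str           # credential identifier; can be re-issued
    salt: bytes                  # per-credential salt for the secret hash
    secret_hash: bytes           # PBKDF2 hash of the shared secret
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)


class IdentitySystem:
    def __init__(self):
        self._by_core = {}       # core_id -> Principal
        self._by_endpoint = {}   # auth_endpoint -> Principal

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        # Slow salted hash so a leaked store does not reveal secrets outright.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

    def enroll(self, secret, roles=(), attributes=None):
        """Enrollment: issue a core identifier and a first authentication end-point."""
        core_id = f"core-{secrets.token_hex(8)}"
        p = Principal(core_id, "", b"", b"", set(roles), dict(attributes or {}))
        self._by_core[core_id] = p
        self._issue_endpoint(p, secret)
        return core_id, p.auth_endpoint

    def _issue_endpoint(self, p, secret):
        # Revoke any previous end-point, then bind a fresh one to the same core id.
        if p.auth_endpoint:
            del self._by_endpoint[p.auth_endpoint]
        p.auth_endpoint = f"cred-{secrets.token_hex(8)}"
        p.salt = os.urandom(16)
        p.secret_hash = self._hash(secret, p.salt)
        self._by_endpoint[p.auth_endpoint] = p

    def reissue(self, core_id, new_secret):
        """Lost or compromised end-point: re-issue it; the core identifier is unchanged."""
        p = self._by_core[core_id]
        self._issue_endpoint(p, new_secret)
        return p.auth_endpoint

    def authenticate(self, endpoint, secret):
        """AuthN: return the core id the end-point points at, or None on failure."""
        p = self._by_endpoint.get(endpoint)
        if p is None:
            self._hash(secret, b"\x00" * 16)   # keep timing similar for unknown end-points
            return None
        if hmac.compare_digest(self._hash(secret, p.salt), p.secret_hash):
            return p.core_id
        return None

    def authorize(self, core_id, operation):
        """AuthZ: allowed if any of the principal's roles permits the operation."""
        p = self._by_core.get(core_id)
        if p is None:
            return False
        return any(operation in ROLE_PERMISSIONS.get(r, set()) for r in p.roles)


def run_demo():
    """Walk through enroll -> authenticate -> re-issue -> authorize; returns the checks."""
    system = IdentitySystem()
    core, cred = system.enroll("correct horse", roles={"editor"},
                               attributes={"place_of_work": "Example University"})
    results = {}
    results["login_ok"] = system.authenticate(cred, "correct horse") == core
    results["login_bad_secret"] = system.authenticate(cred, "wrong") is None
    new_cred = system.reissue(core, "new secret")        # old end-point lost
    results["old_cred_revoked"] = system.authenticate(cred, "correct horse") is None
    results["new_cred_works"] = system.authenticate(new_cred, "new secret") == core
    results["endpoint_changed"] = new_cred != cred
    results["can_write"] = system.authorize(core, "write")
    results["can_delete"] = system.authorize(core, "delete")
    return results


if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(f"{check}: {passed}")
```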

More definitions to come soon include: Delegation, Triangulation, Persona, Role, Context

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:17 AM

Kaliya Hamlin

Personal Clouds, Digital Enlightenment, Identity North

Next week Thursday August 22nd is the Personal Cloud Meetup in San Francisco. It will be hosted at MSFT.  If you want to get connected to the community it is a great way to do so. Here is where you register. 

In September I’m heading to Europe for the Digital Enlightenment Forum September 18-20th. I’m excited about the program and encourage those of you in Europe who might be reading this to consider attending. We are doing a 1/2 day of Open Space (what we do at IIW) where the agenda is created live at the event.

October 1-2 is Identity North in Toronto and Vancouver. I’m working with Aran and the other organizers again. The first day will be curated talks and the 2nd day will be Open Space (what we do at IIW) where the agenda is created live at the event.

I’m heading to Investing with a Gender Lens Convergence in CT. The topic I’m bringing there is Gender and Big Data.

I’m considering spending the week of October 7th in Boston and/or New York. If you think this is a good idea and want to meet with me or make something happen out there that week, let me know.

NSTIC’s next IDESG Plenary is the week of October 14th in Washington, DC.

Then it’s the Internet Identity Workshop October 22-24th in Mountain View.

The next thing on my calendar is a tentative date in December for the UnMoney Convergence, December 10th.

Then in the new year it’s She’s Geeky! at the end of January.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:16 AM

Kaliya Hamlin

Personal Cloud Gathering Sept 25th – Videos from August 22

The next SF Personal Cloud Community Gathering is September 25th in downtown.

Please head over to the Eventbrite to register and learn who is speaking.

Joseph Boyle recorded and posted the presentations from the last meetup; you can find them here.

Trovebox by Jaisen Mithai

priv.ly – Daniel

Cozycloud – Benjamin Andre

Update on Nym Research – aestetix

Indie Box – Johannes Ernst

Following the presentations about the future, what people are building now and how it links together – you can find them on the wiki.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:15 AM

Kaliya Hamlin

She’s Geeky! Bay Area, January 24-26

Calling all Geeky women!

We are doing it again – a weekend of fun and connection and nerding out.

January 24-26th at Microsoft in Mountain View.

http://www.shesgeeky.org

It is one of my favorite weekends of the year. If you are a woman and you do anything related to tech or science or math, daydream about science fiction, or are a gamer, it is for you. The diversity of women is amazing.

It is a great place to practice a talk you are thinking about or have to give at some other event, talk about critical issues like NSA spying, learn about other nerdy things like bee-keeping and knitting weird math shapes.

Feel free to ask me any questions you have about it.

If you are a guy reading this…please let women friends and colleagues know about it.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:15 AM

February 28, 2014

OpenID.net

No Oscars, But OpenID Connect Launch Receives International Raves

This past Wednesday, February 26th, the OpenID Foundation, its members and the OpenID Connect Working Group successfully launched the OpenID Connect standard in the US, Europe and Japan. The launch generated press coverage at RSA in San Francisco and the Mobile World Congress in Barcelona. This was made possible by you, our members and contributors. Thanks for a successful launch and for reaching this important milestone.

Below is the OpenID Connect launch coverage to date:

February 27, 2014
InfoWorld
Google, Microsoft, Salesforce back OpenID Connect — but it’s not enough
Despite big-name support, newly finalized OpenID Connect protocol is a security building block, not a silver bullet
http://www.infoworld.com/t/identity-management/google-microsoft-salesforce-back-openid-connect-its-not-enough-237258

The Register
OpenID Foundation launches XML-free ID handler
OpenID Connect spec touts simpler messaging
http://www.theregister.co.uk/2014/02/27/openid_foundation_launches_xmlfree_id_handler/

heiseDeveloper
OpenID Connect ratified as a standard
The standard, worked out by companies such as Google, Microsoft, Deutsche Telekom and Salesforce.com, is meant sooner or later to replace OpenID 2.0 on the web – not least thanks to the immense popularity of OAuth.
http://www.heise.de/developer/meldung/OpenID-Connect-als-Standard-ratifiziert-2126073.html

Help Net Security
OpenID Foundation launches the OpenID Connect Standard
http://www.net-security.org/secworld.php?id=16445

Golem.de
OpenID Connect completed
http://www.golem.de/news/authentifizierung-openid-connect-fertiggestellt-1402-104838.html

Cnews
Mobile operators will replace passwords with the phone number
http://www.cnews.ru/news/top/index.shtml?2014/02/26/562446

DataNews
Operators release a ‘secure’ alternative to Facebook Connect
http://datanews.levif.be/ict/actualite/des-operateurs-sortent-une-alternative-sure-a-facebook-connect/article-4000539065405.htm

Nikkei ITPro
Specification of “OpenID Connect”, adopted by Google and Microsoft, receives final approval
http://itpro.nikkeibp.co.jp/article/NEWS/20140227/539966/?top_tl1

dig.no
OpenID makes a new push
http://www.digi.no/927406/openid-tar-ny-sats

February 26, 2014
ZDNet
Cloud-era authentication infrastructure taking shape
Google, Microsoft, Salesforce, GSMA, UK, welcome final OpenID Connect spec in effort to scale ID services across cloud, mobile
http://www.zdnet.com/cloud-era-authentication-infrastructure-taking-shape-7000026718/

ZDNet
Deutsch Telekom on cutting edge for ID management, mobile log-ins
German company puts faith in OpenID Connect to secure infrastructure, integrate SSO with partners
http://www.zdnet.com/deutsch-telekom-on-cutting-edge-for-id-management-mobile-log-ins-7000026717/

SecureIDNews
OpenID Connect enables online identity
http://secureidnews.com/news-item/openid-connect-enables-online-identity/

TechCrunch
OpenID Connect Identity Protocol Launches With Support From Google, Microsoft & Others
http://techcrunch.com/2014/02/26/openid-foundation-launches-openid-connect-identity-protocol-with-support-from-google-microsoft-others/
- Techmeme – http://www.techmeme.com/140226/p19#a140226p19
- Daily Motion – http://www.dailymotion.com/video/x1dhp1g_openid-connect-identity-protocol-launches-with-support-from-google-microsoft-others_tech
- TechCrunch Japan – http://jp.techcrunch.com/2014/02/27/20140226openid-foundation-launches-openid-connect-identity-protocol-with-support-from-google-microsoft-others/?utm_source=dlvr.it&utm_medium=twitter

T.H.E. Journal
OpenID Connect Standard Extends Digital Identities Across the Web
http://thejournal.com/articles/2014/02/26/new-openid-connect-standard-extends-digital-identities-across-the-web.aspx
- Campus Technology – http://campustechnology.com/articles/2014/02/26/new-openid-connect-standard-extends-digital-identities-across-the-web.aspx

SDTimes
The OpenID Foundation launches an authentication protocol
http://www.sdtimes.com/content/article.aspx?ArticleID=68832&page=1

WSJ MarketWatch
The OpenID Foundation Launches the OpenID Connect Standard
http://www.sdtimes.com/content/article.aspx?ArticleID=68832&page=1

Bloomberg
The OpenID Foundation Launches the OpenID Connect Standard
http://www.bloomberg.com/article/2014-02-26/asf8Wzgm0W00.html

telecompaper
OpenID members finalise OpenID Connect standard (subscription required)
http://www.telecompaper.com/news/openid-members-finalise-openid-connect-standard–998934

InformationWeek
‘Connect’: A Modern Approach to Mobile, Cloud Identity
Patrick Harding, CTO Ping Identity (contributed article)
http://www.informationweek.com/security/identity-and-access-management/connect-a-modern-approach-to-mobile-cloud-identity/d/d-id/1113894

InternetWatch
“OpenID Connect”, an API standard specification for ID federation, is approved
http://internet.watch.impress.co.jp/docs/news/20140227_637343.html

RELATED NEWS
Bloomberg Businessweek
Carriers Back Mobile-Based IDs to Match Google, Facebook Service
http://www.businessweek.com/news/2014-02-24/carriers-back-mobile-based-ids-to-match-google-facebook-service

FierceWireless
U.S. operators are MIA in the GSMA’s new Mobile Connect universal login program
http://www.fiercewireless.com/story/us-operators-are-mia-gsmas-new-mobile-connect-universal-login-program/2014-02-24

LightReading
Operators See Eye-to-Eye on SIM-Based Security
http://www.lightreading.com/services-apps/mobile-services/operators-see-eye-to-eye-on-sim-based-security-/d/d-id/707918?_mc=RSS_LR_EDT

Rude Baguette
Mobile World Congress Day 1 Highlights – Connected Living, Samsung, Mobile Connect & Zuckerberg
http://www.rudebaguette.com/2014/02/25/mobile-world-congress-day-1-highlights-connected-self-samsung-zuckerberg-mobile-connect/

Mobile News
GSMA and operators to use mobile to protect digital security
http://www.mobilenewscwp.co.uk/2014/02/24/gsma-and-operators-to-use-mobile-to-protect-digital-privacy/

telecompaper
Orange to offer Mobile Connect across EMEA by 2015
http://www.telecompaper.com/news/orange-to-offer-mobile-connect-across-emea-by-2015–998177

OIDF MEMBER BLOGS AND NEWS RELEASES
Google Developers Blog
Welcome OpenID Connect
http://googledevelopers.blogspot.com/2014/02/welcome-openid-connect.html

GSMA
Leading Mobile Operators Unveil GSMA Mobile Connect Initiative to Provide Consistent and Interoperable Approach to Managing Digital Identity
http://www.gsma.com/newsroom/leading-mobile-operators-unveil-mobile-connect-initiative/

Microsoft Active Directory Team Blog
OpenID Connect is Now Final!
http://blogs.technet.com/b/ad/archive/2014/02/26/openid-connect-is-now-final.aspx

Microsoft – Mike Jones Self-Issued Blog
OpenID Connect Specifications are Final!
https://self-issued.info/?p=1191

Matias Woloski – Auth0 Blog
OpenID Connect specs are final! (with links to open source implementations)
http://blog.auth0.com/2014/02/26/openid-connect-final-spec-10/

Nat Sakimura
OpenID Connect is here! – An Identity Layer on the internet
http://nat.sakimura.org/2014/02/26/openid-connect-is-here/

OpenID Connect released – an identity layer for the Internet
http://www.sakimura.org/2014/02/2277/

Ping Identity CTO Blog
Now, OpenID Connect is Real (and ratified)
https://www.pingidentity.com/blogs/cto-blog/2014/02/now-this-morning-openid-connect-became-real.html

by jfe at February 28, 2014 06:54 PM

February 26, 2014

OpenID.net

The OpenID Foundation Launches the OpenID Connect Standard

Providing Increased Security, Usability, and Privacy on the Internet

RSA 2014 and Mobile World Congress – San Francisco, CA, and Barcelona, Spain – Feb. 26, 2014 – The OpenID Foundation announced today that its membership has ratified the OpenID Connect standard. Organizations and businesses can now use OpenID Connect to develop secure, flexible, and interoperable Internet identity ecosystems so that digital identities can be easily used across websites and applications via any computing or mobile device. OpenID Connect has been implemented worldwide by Internet and mobile companies, including Google, Microsoft, Deutsche Telekom, salesforce.com, Ping Identity, Nomura Research Institute, mobile network operators, and other companies and organizations. It will be built into commercial products and implemented in open-source libraries for global deployment.

“Widely-available secure interoperable digital identity is the key to enabling easy-to-use, high-value cloud-based services for the devices and applications that people use,” said Alex Simons, Director of Program Management for Microsoft Active Directory. “OpenID Connect fills the need for a simple yet flexible and secure identity protocol and also lets people leverage their existing OAuth 2.0 investments. Microsoft is proud to be a key contributor to the development of OpenID Connect, and of doing our part to make it simple to deploy and use digital identity across a wide range of use cases.”

OpenID Connect is an efficient, straightforward way for applications to outsource the business of signing users in to specialist identity service operators, called Identity Providers (IdPs). Most importantly, applications still manage their relationships with their customers but outsource the expensive, high-risk business of identity verification to those better equipped to professionally manage it.

The Strength of Mobile Identity

Mobile operators are ideally placed to offer identity services with their differentiated assets such as the SIM card, strong registration process, authentication, and fraud detection and mitigation processes. They have the ability to provide sufficient authentication to enable consumers, businesses and governments to interact in a private, trusted and secure environment and to enable access to services. The GSMA earlier this week announced the launch of the Mobile Connect service, a collaborative initiative, supported by leading mobile operators, to develop an innovative new service that will allow consumers to securely access a wide array of digital services using their mobile phone account for authentication.

“The GSMA’s role is to work with the Mobile Operators to deliver relevant services to their customers; one such area that is growing in importance is the use of the mobile phone for authentication or identification purposes,” said Marie Austenaa, Head of Personal Data, GSMA. “In order to achieve global scale and ease of implementation both for Mobile Operators and for the Service Providers, it is important to have a consistent approach and this is what OpenID Connect provides.”

“Today is an important milestone in the evolution of online identity; the launch of OpenID Connect provides an open standard enabling global interoperability,” said Don Thibeau, Executive Director of the OpenID Foundation. “The strength of the standard is validated by industry competitors cooperating to lead the development and adoption of OpenID Connect. It is further validated by the plans for adoption by the GSMA, which represents over 800 global Mobile Network Operators.”

OpenID Connect Makes Online Transactions Easier and More Secure

OpenID Connect is the third generation of OpenID technology. Its predecessors, OpenID 1.1 and OpenID 2.0, were well received and are in production today by many well-known Internet companies worldwide.

“Google is betting big on OpenID Connect because it’s simple for developers to understand and makes it easy to federate with identity providers. It also protects users by only sharing account information that users explicitly tell us to,” said Eric Sachs, Group Product Manager for Identity. “As of today, Google offers support for OpenID Connect as an identity provider and we are excited to see how this standard will make Internet use easier for users without having to enter passwords.”

“Salesforce.com is committed to unlocking new ways for companies to build meaningful relationships with their customers, and that engagement starts with standards-based identity,” said Chuck Mortimore, vice president, Identity product management, salesforce.com. “We’ve built OpenID Connect into the core of the Salesforce1 customer platform, allowing companies to connect the next generation of apps, devices and products—delivering a unified customer experience through a single identity.”

“Today’s ratification of OpenID Connect is a big step forward in making business interaction easier and more secure,” said Ping Identity CTO Patrick Harding. “Standards are critical to supporting a new era of identity-centric business. OpenID Connect spans Web, API and mobile, making it an especially important protocol in our collective efforts to move identity from application to infrastructure.”

The formalization of OpenID Connect as an open global standard allows developers, businesses, governments, accreditors, and other interested parties to build creation and adoption of sector-specific OpenID Connect profiles into 2014 plans and priorities. Next week in London at the GSMA Headquarters, OpenID Foundation Members including Google, Microsoft, Ping Identity and others will meet with counterparts at the GSMA to begin work on ensuring interoperability across global Mobile Network Operators. The OpenID Foundation, the Open Identity Exchange, and the GSMA are collaborating on pilot and discovery projects and in 2014 will begin testing how OpenID Connect implementations can enhance online choice, efficiency, security, and privacy.

Internet identity initiatives like the UK Identity Assurance Program (IDAP) rely on open standards. The UK Cabinet Office has been a global leader in discovering how commercial identity providers and mobile network operators can contribute to the goals of its Digital By Default Strategy. The GSMA, OpenID Foundation, the Open Identity Exchange, and four leading Mobile Network Operators are collaborating on a set of tests in support of the UK IDAP program using open standards.

Why OpenID Connect?

Barely a week goes by without another news story about some Internet-facing organization suffering a damaging data breach, often including passwords, sometimes numbering in the tens of millions. The constant drumbeat of data breaches is damaging organizations’ reputations, the Internet as a whole, and in particular, the trust of Internet users worldwide.

OpenID Connect provides a simple, standard way to outsource site and application login to operators who continually invest in sophisticated authentication infrastructure and who have the specialized skills required to securely manage sign-in and detect abuse. That investment is coupled with the increased cost of helping users with lost-account recovery, password changes, and so on. The organizations that contributed to OpenID Connect are leading the way in the development of advanced authentication technologies such as risk-based authentication and multi-factor authentication and deploying them at their OpenID Connect IdPs. This ongoing investment in technology and expertise is increasingly beyond the reach of most application providers. It is not a core competence, and is thus an excellent candidate for outsourcing.

OpenID Connect builds on the foundation of successful open identity and security standards like OAuth 2.0 and TLS (also known as SSL or “https”). As a result, it has the advantage of being substantially easier for developers to implement and deploy than other identity protocols, enabling simpler deployments without sacrificing security.

“NRI has been actively involved in developing OpenID Connect as one of the authors. We have deployed an open source implementation of OpenID Connect as a backend technology provider for media companies, mobile operators, credit card and commerce companies,” said Nat Sakimura, Senior Researcher of Nomura Research Institute, Ltd.

OpenID Connect was developed by a working group of independent security experts and specialists from several continents at companies including Microsoft, Google, salesforce.com, Ping Identity, AOL, Nomura Research Institute, and Deutsche Telekom and tested for interoperability among over 20 implementations.

About The OpenID Foundation

The OpenID Foundation is an international non-profit organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies. Formed in June 2007, the foundation serves as a public trust organization representing the open community of developers, vendors, and users. The OIDF assists the community by providing needed infrastructure and help in promoting and supporting expanded adoption of OpenID technologies. This entails managing intellectual property and brand marks as well as fostering viral growth and global participation in the proliferation of OpenID.

# # #

News Media Contacts:

Jeff Fishburn

OnPR for OpenID Foundation

jefff@onpr.com

by Don Thibeau at February 26, 2014 02:08 PM

February 25, 2014

OpenID.net

A Great Day for Internet Identity

Passwords are a pain. Internet security is difficult. And getting consensus among competing vendors, independent developers and privacy advocates seemed impossible. But OpenID Connect is finally done. This Internet identity layer is already helping websites, enterprises and mobile network operators identify people. OpenID Connect enables better privacy controls and stronger (and more user-friendly) authentication. Application developers have responded to the working group’s mantra, “Keep simple things simple, make complex things possible.” Given the almost daily drumbeat of data breaches, website operators, mobile application developers and enterprise architects are welcoming the increased security options OpenID Connect provides for their domains.

Standards are only as good as their adoption. And adoption is a product of the hard work of the OpenID Connect Working Group and our member organizations that have continued to support the painstaking work on building OpenID Connect:

GSMA
“The GSMA’s role is to work with the Mobile Operators to deliver relevant services to their customers; one such area that is growing in importance is the use of the mobile phone for authentication or identification purposes,” said Marie Austenaa, Head of Personal Data, GSMA. “In order to achieve global scale and ease of implementation both for Mobile Operators and for the Service Providers, it is important to have a consistent approach and this is what OpenID Connect provides.”

salesforce.com
“Salesforce.com is committed to unlocking new ways for companies to build meaningful relationships with their customers, and that engagement starts with standards-based identity,” said Chuck Mortimore, vice president, Identity product management, salesforce.com. “We’ve built OpenID Connect into the core of the Salesforce1 customer platform, allowing companies to connect the next generation of apps, devices and products—delivering a unified customer experience through a single identity.”

Ping Identity
“Today’s ratification of OpenID Connect is a big step forward in making business interaction easier and more secure,” said Ping Identity CTO Patrick Harding. “Standards are critical to supporting a new era of identity-centric business. OpenID Connect spans Web, API and mobile, making it an especially important protocol in our collective efforts to move identity from application to infrastructure.”

Nomura Research Institute Ltd.
“NRI has been actively involved in developing OpenID Connect as one of the authors. We have deployed an open source implementation of OpenID Connect as a backend technology provider for media companies, mobile operators, credit card and commerce companies,” said Nat Sakimura, Senior Researcher of Nomura Research Institute, Ltd.

by jfe at February 25, 2014 07:53 PM

February 20, 2014

OpenID.net

OpenID Connect FAQ Now Available

With the OpenID Connect specifications expected to be approved on Tuesday, February 25, 2014, a set of answers to Frequently Asked Questions has been published at http://openid.net/connect/faq/ to help answer questions people might have about OpenID Connect.

OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with a design goal of “making simple things simple and complicated things possible”. It’s uniquely easy for developers to integrate, compared to any preceding Identity protocol.

Regards,
Don

by jfe at February 20, 2014 05:40 PM

February 18, 2014

OpenID.net

OpenID Connect Launch: Statements of Support

Last week I blogged about how we are in the final stretch of launching OpenID Connect on Thursday, February 26, 2014 at RSA in San Francisco, Mobile World Congress in Barcelona and in Tokyo with OpenID Foundation Japan. In that blog, I mentioned some of the industry leaders who have been and will be adopting the OpenID Connect standard. As a follow-up to my comments from last week, below are some of the statements of support for OpenID Connect received thus far:

Microsoft
“Widely-available secure interoperable digital identity is the key to enabling easy-to-use, high-value cloud-based services for the devices and applications that people use,” said Alex Simons, Director of Program Management for Microsoft Active Directory. “OpenID Connect fills the need for a simple yet flexible and secure identity protocol and also lets people leverage their existing OAuth 2.0 investments. Microsoft is proud to be a key contributor to the development of OpenID Connect, and of doing our part to make it simple to deploy and use digital identity across a wide range of use cases.”

Google
“Google is betting big on OpenID Connect because it’s simple for developers to understand and makes it easy to federate with identity providers. It also protects users by only sharing account information that users explicitly tell us to,” said Eric Sachs, Group Product Manager for Identity. “As of today, Google offers support for OpenID Connect as an identity provider and we are excited to see how this standard will make Internet use easier for users without having to enter passwords.”

ForgeRock
“There is more pressure than ever for CIOs to drive revenue and new business models across mobile platforms,” said Lasse Andresen, CTO, ForgeRock. “OpenID Connect is an essential standard for any organization wanting a simple, repeatable approach for extending identity relationships to any device and directly impacting top-line revenue.”

Additional statements of support are forthcoming and I will include those in a follow-up blog.

-Don

by jfe at February 18, 2014 07:22 PM

February 15, 2014

Kaliya Hamlin

NSTIC - Elections & Giving It One More Go

I wrote an essay to give some context for these elections. You can see part 1 below.

If you are a voting member of the IDESG you were just sent an invitation to vote for leadership positions.

For Management Council Chair please vote for

Salvatore D'Agostino

For at Large Delegate please vote for

Ian Glazer

Kim is the only person running for Plenary Chair and she will be great in that role.

Plenary Vice-Chair I like Colin, from New Zealand and Andrew, from Vancouver, Canada - both would be great in the position - so read and evaluate.

I am running again to represent small businesses and entrepreneurs - elections for those positions are in a week or so.

The Essay:

I could write a long essay about all that, in my opinion, has gone wrong with the NSTIC process over the last  years.  I’m not doing that now.

I’m instead writing about why I still have a bit of hope for the effort and why I’m making a choice to run once again for the Identity Ecosystem Steering Group - Management Council as the representative for Small Businesses and Entrepreneurs.

Let’s be REAL.
There are some serious doubts about the state of the IDESG.

They built a gi-enormous super (super monstrously, extra big, kluge tower) structure before they defined work they wanted to do.

NSTIC has metastasized yet another entity but hopefully this is the last.

The execution of the strategy never cohered and the foundations are crumbling. The execution and instantiation are fundamentally flawed.

I basically agree with these statements.

The key one, where my seeds of hope lie, is the fact that there is an entirely new organization - the IDESG is now a nonprofit corporation that is independent.

Kay Chopard Cohen, who was hired by the Secretariat to be the Executive Director of the organization, will now actually be playing that role. She had been very limited in her ability to actually lead organizational development by the man who owned the company (Trusted Federal) that won the Secretariat bid.

The NSTIC NPO will be providing funding to support the IDESG dot org so we have another year of life/runway before it has to collect dues from the private sector.

Andy Ozment from the White House came to speak at the last NSTIC meeting in Atlanta and said: Identity is a fundamental part of any cybersecurity framework. The outcomes of our work will be part of their framework for protecting critical infrastructure.
He reiterated the importance of the work we are doing because it requires a multi-stakeholder process to find the right way to integrate Technology, Public Policy and Public Concerns. The solutions need to respect privacy AND earn the trust of consumers.

The newly elected management council will be going on a multi-day retreat. This will give us the chance to really figure things out, get in sync and from there support an effective organization emerging.

Taking the time to get to know each other, our motivations for being involved in NSTIC, hearing our highest hopes and greatest fears around the effort.
Learning about the gifts we have to bring to the project: what we have to offer and how we want to contribute.
We all share the same goal: we want the organization to function effectively. What does that look like? What are the priorities of the organization? How is staff time dedicated towards these goals/priorities?

This fall a communications firm came in and listened to those involved in the IDESG in order to write our “value proposition” and “differentiators”:

IDESG provides an inclusive forum for organizations, government and citizens to take on the complex issues of online security and privacy. IDESG spurs dialogue and action for common ground and common sense solutions.  

Our unique value comes from integrating public policy, individual perspectives and cross-sector industry leadership and collaboration. This dynamic partnership enhances choice and stimulates innovation and growth.

An organization that is seeking to “take on complex issues” in a way that is “inclusive” needs to actually use processes and methods that are capable of holding complexity AND being inclusive.

We as the Management Council need to grapple with HOW to do this in the emerging IDESG dot org.

We have to go beyond what has been unfolding so far.

Robert's Rules of Order is the default modality that “everyone knows”, so it is what virtually all committees use, along with the management council. It is fine for what it is good at, but it does not actually make space for listening to a broad group like the IDESG Plenary (or at least what could be the NSTIC plenary of 1000's if not 10's of thousands of people and organizations).

In committees I participate in we have a culture where you cannot object to something “unless you have a solution”, so it is suppressing the ability to raise concerns. Those who work at corporate day jobs in middle management run them under “their rules”; there is no space for collective discernment and consensus to emerge.

We also have the challenge that the committees of the plenary were formed, and the “work products” they would focus on were outlined in detail, before there ever was a management council. Who defined them? David Temoshok via the NSTIC NPO also wrote an entire work plan of how they saw getting to the “end work product” of an Identity Ecosystem Framework.

What should have happened is that the government's version of a potential work plan, and the government's idea of what committees should be brought into being and why, were brought to the newly formed IDESG, so that the Management Council's elected stakeholder delegates could work out a work plan for this private sector led organization.

Instead, because the NPO was the main instigator (via the Secretariat that it funded to support the functioning of the IDESG) of the first meeting of the IDESG in Chicago, it set all the committees in motion before a management council ever existed.

Committee topics were just single words like “Security” or “Standards”, and people who were in attendance went to these first meetings and then “elected leaders” out of the blue at those initial meetings. These leaders have all been defining what they thought a particular group of people who were interested in “Trust Frameworks” or “International Outreach” or “Privacy” should do, and muddling through how they thought they should relate/work together. All of this was done outside of any connection or interaction with the Management Council.

This alone should make clear some of the origins of why people have doubts about the organization.

So the leadership retreat we will be having is key: it will give us a chance to re-set, get in sync (really for the first time) and provide LEADERSHIP.

We as a management council discern what we want to accomplish - to find agreement amongst ourselves regarding what a Trust Framework actually is and how we as an organization/community tasked with helping

The gap between the optics of everything going well and the substance of what is happening has to be closed in the coming year or there will be no IDESG.

The NPO has gone to great lengths to ensure that appearances of the organization functioning are “kept up”. Of course that is their job: they need to have it look good so they can continue funding and avoid congressional investigation.

The reality is that the NSTIC / IDESG regulars see through the image of it working.

Example 1) [self-censored]

Example 2) [self-censored] For this election I went through the list of all the members of the organization: there were only 4 State, Tribal and City governments who are members of the IDESG. There are only 5 Relying Parties that are members of the IDESG. These are two groups who play critical roles in the ecosystem, and yet they are barely represented. [self-censored]

Example 3) We have no consensus on what any of the following words actually mean:

  • an Identity Ecosystem,
  • a Trust Framework,
  • an Identity Ecosystem Framework.

I have rough outlines of the remainder of this essay but I ran out of time to finish it. I will post part 2 in the coming days.

by Kaliya Hamlin, Identity Woman at February 15, 2014 07:25 PM