
September 2007 Archives

September 2, 2007

OpenID over WS-Trust?

In an interesting example of how the different identity systems around play together (or not), SXIP has proposed an "OpenID infocards" spec. Allegedly, there is a working implementation around; I haven't tried it, though.

OpenID Information Cards 1.0 - Draft 01
D. Hardt, J. Bufu
Sxip Identity
August 10, 2007

"Infocards" in this context effectively means "OpenID over WS-Trust." Painting with a broad brush, this specification essentially takes OpenID's colon-separated tag-value assertion format and embeds it in WS-Trust.

Signalling that a relying party supports this protocol variant is not interoperable with the signalling used traditionally in OpenID.

An OpenID infocards relying party needs to understand an additional -- though quite lightweight -- protocol exchange which wraps the OpenID token into token XML pointy brackets, to Paul Madsen's immense delight.

An OpenID infocards provider needs to implement a WS-Trust Security Token Service.

The protocol interchanges are not interoperable with the ones traditionally used in OpenID: Steps 1-6 of the OpenID protocol are replaced with WS-Trust based interactions. Step 7, in its "direct verification" variant, remains in place, and ensures that the identity (still a URI) remains bound to the overall transaction.
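As an added illustration (not code from the spec or from this weblog), here is the relying-party side of what survives from the classical protocol: unwrapping the colon-separated assertion from its XML wrapper and preparing the step 7 direct-verification request. The element name, namespace, sample values and the assumption that keys keep their `openid.` prefix are placeholders; `check_authentication` and `is_valid` are the OpenID 2.0 names.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

TOKEN_TAG = "{urn:example:openid-token}OpenIDToken"  # hypothetical wrapper name

SAMPLE_TOKEN = (  # constructed sample, not a real assertion
    '<t:OpenIDToken xmlns:t="urn:example:openid-token">'
    "openid.ns:http://specs.openid.net/auth/2.0\n"
    "openid.mode:id_res\n"
    "openid.op_endpoint:https://op.example/server\n"
    "openid.claimed_id:https://alice.example/\n"
    "openid.identity:https://alice.example/\n"
    "openid.response_nonce:2007-09-02T12:00:00Zabc123\n"
    "openid.assoc_handle:h1\n"
    "openid.signed:op_endpoint,claimed_id,identity,response_nonce,assoc_handle\n"
    "openid.sig:c2FtcGxl\n"
    "</t:OpenIDToken>"
)

def parse_key_value(text):
    """Parse key:value\\n lines, splitting on the first colon only."""
    if not text.endswith("\n"):
        raise ValueError("every line must end with a newline")
    fields = {}
    for line in text[:-1].split("\n"):
        key, sep, value = line.partition(":")
        # Values may contain colons (URLs, nonces); keys may not repeat.
        if not sep or not key or key in fields:
            raise ValueError("malformed or duplicate line: %r" % line)
        fields[key] = value
    return fields

def unwrap_token(xml_text):
    """Return the assertion fields carried inside the XML wrapper."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTDs are not accepted in tokens")
    root = ET.fromstring(xml_text)
    if root.tag != TOKEN_TAG or len(root):
        raise ValueError("unexpected token element")
    return parse_key_value(root.text or "")

def direct_verification_body(fields):
    """Form body for step 7: the same fields, with the mode swapped."""
    body = dict(fields)
    body["openid.mode"] = "check_authentication"
    return urlencode(sorted(body.items()))

def is_valid(op_response_text):
    """The provider answers in the same key-value form."""
    return parse_key_value(op_response_text).get("is_valid") == "true"
```
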

Conversely, there are similar implications for Infocard enabled services that would want to support this scheme; for them, the OpenID infocards spec effectively introduces yet another token format. See Eric Norman's blog.

On its face, this proposal suggests splitting the OpenID protocol into two not mutually interoperable variants, one fitting into Microsoft's CardSpace framework, and one having all the lightweight RESTful karma that makes OpenID interesting to the parts of the Web community that are less than fond of WS-*. The URL as an identity paradigm is much less central to this variant of OpenID than to the classical one: for much of the protocol exchange, what matters is the endpoint that serves as the Security Token Service. The "identity" URL itself only ever plays a role in the final verification step.

All this points to interesting times ahead, as the various camps in identity space will continue to perform tangled dances.

September 4, 2007

Transparently insane?

Via flyertalk, this story about a transparent bag mandate outside an airport context: Wissahickon Students Face Strict Backpack Rules

High School students in the Ambler, Pennsylvania, headed back to school Tuesday facing new security measures limiting their choice of backpacks. Effective Tuesday, all students in the Wissahickon School District are required to carry clear bags. Students are currently permitted to bring mesh backpacks to school, but once inside the building, they must change to a clear backpack. ... Wissahickon is the third high school in Montgomery County to adopt clear backpacks.

September 22, 2007

Online work styles: Low latency required?

I spent the last week-end touring Crete, and the subsequent week in meetings in beautiful Agia Pelagia. While everybody was longing for the breaks and evenings (you just can't not go for a swim there), a lot of us were fighting with Internet access: While nominally high-speed access was available in a number of places, the latency often turned out to be a killer. Using Skype for a telephone conference (which I do pretty regularly while traveling) turned into a disaster, both concerning sound quality and latency; I did more than one conference call from my mobile, which I normally avoid like the plague for these things. Doing work on CVS was annoying and made focusing hard, since any update or commit would take ages. Going through list archives was almost impossible.

At the end of the day, I was much less effective getting my usual work done than I normally am while traveling. Without me having noticed before, my work style had become dependent not just upon having some Internet access, but upon having low-latency Internet access. I was surprised myself how badly I function in asynchronous mode these days.

I wonder if that's just how my personal work style evolved, or whether it's a more general effect? How do others deal with work in high-latency environments with spotty Internet access?

September 23, 2007

Picture recognition, social networks, mistakes, and privacy-enhancing technology

One of the most fascinating side conversations last week was about picture and face recognition in social networks: The basic argument was that, even if people might have the good sense to use a pseudonym for some social network activity, they'll often associate photos with their profiles, and that these photos might lend themselves to easy recognition and linking of online profiles to real-life identities, undoing the privacy effect of having chosen a pseudonym in the first place. It might be a good idea, that particular argument continues, to include features with social networking sites that might obfuscate photos to the point that they aren't easily recognized by machines. As an example, a somewhat embarrassing questionnaire scraped off some social networking site was shown. ("Have you been involved in a fist-fight? Have you been arrested? ...") It featured a photo of what was presumably the young lady that had filled it in. The implication was that, some time soon, a would-be employer might find that entry based on a photo search, with all that follows.

The "let's obfuscate photos" approach is a particularly illustrative example of a deeper conflict: The one between self-expression online (which is enabled by sharing real data, real photos, real stories -- and real lies!), and privacy online (which is endangered by sharing real data, real photos, real stories -- and real lies!). The question in this conflict is no longer about collecting (or publishing) data (as the obfuscators seem to suggest). The solution is no longer about pseudonyms or hard controls: The question is ultimately how we deal with the societal and personal cost that comes with the Net's vast opportunities for self-expression, and the solution must be in the same sphere. Technology can help us find a solution, though, and Creative Commons is an important example of this approach in the copyright space: It helps people to do the right thing. And sometimes it helps people to make errors that need to be settled in court.

The critical observation here is that technology takes a helping role, not an enforcement role, not a decision-making role. The decisions and the enforcement are kept on the social and societal level.

And to some extent, we might be starting to see societal change: When youthful (or later) mistakes are made part of a permanent record by the information sphere that we live in, when 20-year-old traffic tickets show up in the reports that would-be employers ask to be prepared about candidates, we might find that the answer is actually to just cope with these mistakes, and to accept that to be human means to err.

About September 2007

This page contains all entries posted to No Such Weblog in September 2007. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License.