The next two months

This is going to be a fun summer for anyone interested in information cards. Everyone seems to be on the cusp right now, and I hope to see an explosion of available code, products, and services surrounding the identity metasystem.

Just to put a bit of skin into the game, so to speak, here is what you can expect to see from the Pamela Project before June:

  • A new PamelaWare Joomla plugin (available by May 10)
  • A release candidate for the WordPress Plugin (available by May 10)
  • Updates to both plugins that allow:
    • integration with native username/password functionality
    • integration with the WP-OpenID plugin (not sure about Joomla)
    • ability to specify & map claims to database fields for adaptation to managed card requirements
    • ability to specify & advertise a privacy policy
    • Audit capabilities that are compatible with the XDAS standard and hopefully contribute to the OpenXDAS project.
    • a prettier, more web-standards-compliant login page
    • Ability to choose either an XHTML or HTML compliant login page
  • More surprises, just wait and see

Before the above can be rolled out, I need to finally & totally grok subversion branching & tagging. The textbooks have been ordered… but if you are a subversion guru and would like to contribute to the PamelaProject, you would be my hero.

I had the chance last week to hang out at Bandit HQ, and they are doing some really exciting things. It was a blast getting to geek out and they really took care of me – we even had a photo day! I have dastardly designs on most of the infrastructure that they and others are putting together, and the code is now at the point where I, as someone wanting to develop that next layer up, can actually depend on the foundation. It isn’t perfect, but I do think that having someone actually working on top of a layer is a great way to vet the solution. I’ve already warned the Bandits that I’m really talented at breaking things :)

The Directory Experts Conference is on next week in Vegas — be there or be square, we are planning a few of what I hope to be information card firsts for the attendees, stay tuned for more information.

CardSpace: The Selector Strikes Back!

For those who are attending the Directory Experts Conference in Las Vegas NV in April, I had hoped to run a workshop before the start of the conference where people could dive in and explore the technology first-hand. That didn’t work out, so instead I am running a session on Wednesday morning, April 25th, at 9:15am. By the time you get to that session, you will all be Identity Selector experts. Trust me. I have my ways. The session abstract is below.

For those of you who aren’t attending DEC, if you ever wanted to go under the hood of Active Directory (or MIIS), this is where you need to be. Not only will you be party to an unbelievable amount of technical and strategic information, but you get to meet the folks who Know. And getting to talk to the folks who Know is an experience in itself. Just hanging out on the periphery and trying to absorb as much as I can has been an incredible learning experience for me. And just in case you don’t really know what I mean about meeting the folks who Know, you can check out, or just meditate on the picture at the bottom of this entry – that’s where the conference is being held. Not too shabby, hey? Those NetPro folks know how to throw a conference, let me tell ya…

CardSpace: The Selector Strikes Back!

P. Dingle, DEC Conference 2007
In the time since DEC 2006, Windows CardSpace has been released as part of the .NET Framework version 3.0, and Microsoft has released the technical specifications surrounding the Information Card profile. Higgins is one of several entities with an STS that can issue managed cards, and all sorts of relying party code is in the works, with more code supporting and consuming information cards every day.

In this session, Pamela will bring attendees up to speed on the current state of the identity metasystem:

  • Communities surrounding user-centric identity.
  • Where to get the toolkits, libraries and modules available, and what they do.
  • Open source and proprietary initiatives.
  • Protocol interoperability (playing nice with the neighbours).
  • Pain points & barriers to adoption.
  • Known successes.

If you are interested in staying informed as information card technology inevitably moves towards an explosion of mainstream adoption, this session should help you to keep the right items on your radar.

Red Rock Casino, Las Vegas NV

PamelaProject @ RSA

The Pamela Project officially kicked off on Monday Feb. 4th 2007 at the Liberty Alliance Identity Standards Workshop, with a joint presentation between Mary Ruddy of the Higgins project, Dale Olds of the Bandit project, and myself. The demonstration started off by accessing a resource behind Novell Access Gateway operating as a Liberty Relying Party. When we authenticated to Novell Access Manager operating as a Liberty IdP, we used a managed information card, which received its identity data from a Higgins STS.

After this, we used the same managed card to access non-Liberty (Identity Metasystem) Relying Parties – one of which was PamelaWare for WordPress.

During the demo, we used the same information from the same base repository but passed it in different ways, either in Liberty protocols or in Information Card V1.0 protocols. We demonstrated all of this both on Vista using Windows CardSpace – and on a Linux machine using Chuck Mortimore’s Firefox plugin. It was pretty exciting to see a solid connection between such a diverse set of projects and groups.

The demonstration was a lot of fun, and I was really excited to have the opportunity to kick off the Pamela Project in such style, many thanks to Mary and to Dale for allowing me to be part of the demonstration. It is worth checking out all of the presentations from the Liberty Alliance Identity Standards Workshop – they were excellent.

Airport PARTY!!!

Here’s to all the Calgary geeks waiting at the San Francisco International Airport for the last 5 hours. 6:56pm delayed to 11:10pm, 5 gate changes, and multiple pints later, I’m not holding out for an actual arrival of my aircraft, but we’re having a good time in any case :)

If you too are stranded in terminal 3, you should come by the bar @ gate 77A, last call is long gone, but at least you can get in on the tall tales…

Update: ugh, got home just before 4am…

When AD Meets IdP

I have been working with the folks over at NetPro on putting together a 1/2 day tutorial on CardSpace, to be taught during the workshop day of the Directory Experts Conference in Las Vegas, on April 22nd, 2007.

Originally I had envisioned a blow-through of all the bits of the Identity Metasystem, demonstrating cross-platform abilities of multiple identity selectors, relying parties, and IdPs. The problem with this is that such a tutorial does not necessarily align with the typical job description of the attendees of DEC; DEC attendees are deep subject matter experts in Active Directory & MIIS. They are not necessarily the people who will architect or implement authentication or SSO solutions – yet they are intimately concerned with how their identity data is used throughout the Enterprises they represent, and also how that data is communicated to third parties.

Perhaps the initial approach would be interesting from a pure geek viewpoint to many DEC Attendees – but the thing about a tutorial is that the tutorial day costs extra to attend, and I think that most attendees would not be comfortable spending corporate $$ if they can’t see a direct benefit to their Enterprise.

It literally took me until today to see the light — today I finally realized that these folks primarily need to be concerned with one particular part of the Identity Metasystem, because they are the future Identity Providers of the corporate world!

Luckily, the DEC folks are very flexible and accommodating, and in fact Gil (NetPro’s CTO) has created a wiki for people to review sessions, give feedback, and generally be involved in the DEC 2007 organization process. Gil wasn’t originally sure about my initial plan on CardSpace for the reasons I’ve mentioned above, he’s waiting to see if there is interest on the part of his attendees — I’m hoping that the revised plan I’ve got below will be more applicable and will constitute worthwhile business value that attendees can take back to their employers.

So on that note, if you have attended or will be attending DEC, or if you are interested in any way at all, check out my plan below, and check out the CardSpace Tutorial wiki page to give us feedback, indicate interest (or lack thereof), or offer suggestions as to how we could improve this plan! I really do think that it would be informative and useful to DEC Attendees to understand this technology, and I hope we can inspire the interest of enough people to keep this workshop on the roster!

When AD meets IdP:

What it Means to be a User-Centric Identity Provider in an Active Directory Driven Enterprise

With Microsoft’s release of Windows CardSpace, forward-looking enterprises will begin analyzing how user-centric technologies can be used to solve authentication problems both within and outside the Enterprise. In order to implement these technologies, information stored within AD (and other data repositories) will be accessed and distributed by a service layer referred to as an “Identity Provider”.

This tutorial aims to help Active Directory Administrators understand what user-centric identity is from the Identity Provider perspective, and how this service can be architected to both conform to and complement already existing AD policies and data.

Questions to be answered during the course of the tutorial:

  • What is an IdP and why would an Enterprise want to stand one up?
  • What kind of control will Identity Provider administrators have over the data passed?
  • How will admins know who is asking for what data?
  • What kind of business problems could be solved?
  • What audit capabilities exist?
  • How will this service work with provisioning efforts?
  • How will this service integrate with what may be already implemented?
  • What is the status of IdP efforts in this space, and when will popular adoption come?
  • What are the liability factors to take into account?
  • What are the necessary steps in standing up an IdP Service that rests on AD?
  • What AD-specific data could or should be passed?

Sign up for Pamela Dingle’s CardSpace tutorial at DEC 2007, and find out about how this new industry direction could affect you!

Well? What do you think? We need active conversation to know whether or not this is the right way to go…

IIW 2006b – Content

Here are the things that I want to remember about IIW 2006b in Mountain View CA – meeting all sorts of brilliant people, trying to make Kaliya’s massive unconference schedule stick to the wall so that the lines matched between sheets, ordering larb gai at dinner PET PET, strategizing over lattes, impromptu demos and work sessions, suggesting new voices for TomTom (ya hoser), and late night life philosophy trading… Yeah, we had fun.

And now for the geeky bits:

1) OSIS update: This was one of the first sessions of the day, and I found it fascinating. Session notes are here.

My takeaways (FWIW as an outside observer):

  • We won’t see any release of an Identity Selector by a vendor until certain things are ironed out on the IP front. Who knows how long that will take. What a bummer.
  • I find that there is a disconnect between how insiders see OSIS and how outsiders see OSIS, which seems to result in the need for constant expectation adjustment at these public meetings. The insiders grok all the history, how it evolved, how this group and that group blended & merged to form today’s OSIS working group, and what they hope to accomplish. Perfectly logical, but inwards facing. Outsiders don’t see that stuff. They see an entity that calls itself a system, and which seems to offer an opportunity to rationalize a whole bunch of separate efforts into a more easily understood whole — in other words, an outwards facing project. As far as I can tell, the current OSIS goals are primarily about making sure the vendors get it all ironed out between themselves. It is a critical function. At the same time, however, the rest of us are already clamoring to build on that foundation. The external rationalization needs to come, one way or another. Perhaps OSIS will start a second committee – after all, it is a logical place for this work to occur, and also, this is where all the thought leaders are. If not — well I guess we’ll have to wait and see who picks up that particular torch.

2) Lightbulb: Pat’s code is always fun to see in action, but what excited me was the integration he showed with the Sun Access Manager product. That opens up a whole raft of possibilities… Now that I’ve seen it, I might have to take a shot at OpenID-enabling our company mail server, just for fun :-D

3) Sxipper Demo: Sxip showed off their new service, which lives at The goal is to simplify online interactions with both registration and login forms. It looked purty, definitely worth trying out.

4) Speed-Geeking: This was the highlight of the conference for me. I was able to get a quick glimpse of many different development efforts, a number of which I’m sure I would have missed had they been only in a full-time conference session. Since my primary focus is on the CardSpace stuff, I hadn’t been attending as many of the OpenID-facing sessions, but some of the OpenID demos really opened my eyes. I think the most fascinating demo was the one that was given by Avery Glasser – but I’ll save my thoughts on that topic for another entire entry :)

5) Kim’s Code: Kim showed off PHP code that utilized new XML security libraries that I can’t wait to get my grubby little paws on.

6) The Ruby on Rails guys: After Kim’s talk, 3 guys decided to take fate into their own hands and code an RP in Ruby on Rails. Justin, Trenton, and Devlin worked into the night figuring all of this out from scratch, and they made a significant dent in the code, too. It was really really fun to watch them work. I hope we get to see the fruits of these efforts at the next speed-geeking session!

7) OSIS in Action: It was great to see Dale Olds and Mary Ruddy demonstrate RP & IdP interactions using an open source stack. Talk about a wonderful milestone to hit – it was obvious that some serious love and care had gone into the making of this demo. During the session, there was an interesting discussion around ways in which an RP can deal with mid-session elevation of privileges that I think is just the tip of the iceberg, and which demonstrates the massive body of best practices that need to emerge surrounding information card based user interactions. The scenario at hand was as follows: a user needs one set of claims to have read access to the site, and should they wish to write to the site, they need a single extra claim. If the RP asks for the extra claim as an optional claim at initial login, they need to somehow communicate to the user (a) That the optional claim exists (since it isn’t particularly obvious in the CardSpace GUI), and (b) in what exact context the optional claim is meaningful. These are critical conversations to have, and I enjoyed taking part.

Ha, well there you go, more opinion than you ever wanted on IIW 2006b…

IIW 2006b – Logistics

I don’t know even where to start, in talking about the last week. Many of you who are likely to be reading this were probably at the Internet Identity Workshop in Mountain View CA. For those who weren’t, you missed out on a pretty spectacular meeting of the minds.

I have so much to say, that I’m going to have to divvy up the content into multiple entries. Before I even get into all the things that inspired me technically, I want to talk about the conference itself.

In my opinion, IIW 2006b was well organized, well situated, and well provisioned. Whoever thought of having a Barista onsite for both days should be given a medal, it was so very civilized to wander over and grab a latte between talks. I also liked the fact that there were recycling bins for cans and bottles – maybe it’s just where I come from, but throwing cans into the garbage makes me feel like a bad person. Recycling seems low on the priority list of most conference organizers these days, so it was nice to see a blue bin around.

The recommended hotel was beautiful, and the service was flawless. How nice to be in a hotel where everything isn’t bolted to the floors and the walls, where the rooms contained things like vases and a stereo and a pack of cards, and where if you became thirsty and picked up the bottle of water next to your bed, it said ‘compliments of Hotel Avante’ instead of showing a hefty price tag.

Most importantly, the structure of this conference was perfect for what everyone wanted to accomplish. Tuesday and Wednesday were dedicated, not to the people that the organizers thought were important, but to the people who had something to say, or something to show. It was great to see who was making progress at what, and to meet new people tackling fresh problems, and to watch conversations start and evolve, instead of having to follow a strictly pre-organized rhythm. I also loved seeing someone like Pat Patterson demonstrate code that was written the day before – as he noted, you don’t get to see such things when you have to submit your slide decks weeks in advance.

To be honest, IIW 2006b seemed less like a conference and more like an enthusiasts club. And, seeing that I am nothing if not enthusiastic, you can imagine why I might have had such a good time :)

Stay tuned for my report on the oodles of user-centric geek goodness that went down…

Update: Just in case you thought I was the only one who had a good time…

‘Confabulated’ is definitely the starting point

I really like the idea of – a nice spot to go find out about various conferences that you might want to attend, with reviews and other great stuff built in.

As a first impression, however, I think that they have a ways to go before they are relevant. A search for identity management doesn’t exactly return comprehensive results. A search for “Catalyst” does bring up the Burton Group Catalyst conference — but they seem to think that the conference is about: “Computers and Internet , Computers and Internet, Computers and Internet , Computers , Networking , Firewalls/Security.” Out of their advertised 16,000+ conferences, who wants to guess how many of them are similarly tagged?

But the one that really makes me crack up is this:

Here is Eric’s review of Digital ID World – you can see the conference has a number: 4810. This would say to me that it is registered somewhere. You can also see the review, and the details of the conference:

However even though you can get to it if you go through the review, you can’t search for it by name:

So – Confabb has a little work to do. Or should I say, conference organizers have a little work to do. Confabb has supplied little more than a placeholder — the question is, will organizers care enough to fill the database with relevant data? Here’s hoping they do, and that after they do, the vendor improves their search algorithm enough for the rest of us to actually leverage the information.

Good luck Confabb, I hope people work hard to make you a success :)