The Data Sharing Summit: Problems and Solutions

Posted on 9/7/2007 by Drummond Reed

Certain events scream out for live blogging. The Data Sharing Summit is one of them. So these are my notes from first half of Day 1. (Then why are they being posted at midnight, you ask? Because there was too damn much to talk about during the second half of the day. More on that tomorrow.)

First, this is the list of problems that attendees want to see addressed:

  • The distributed schema mapping problem – how do you map across zillions of different local schemas?
  • The “Social Web Bill of Rights” or “identity rights agreement” problem – how can you have “Creative Commons licenses for data sharing”?
  • The protocol problem – how do you move social graph data around?
  • The “too many IDs” problem – how can we not require more IDs (even with OpenID there is starting to be a proliferation of IDs)?
  • The directory or “friend discovery” problem – how do you find other people in the social graph (a “People’s Guidestar”)?
  • The addressing problem – how can data be addressed in a consistent manner across distributed locations?
  • The user privacy and control problem (also called the “fear” or “surprise” problem) – how can users not be spooked by the idea of their social graph data “getting loose”; how can they maintain control over portable social graph data?
  • The granular access control problem – how can control be easily brought down to the individual attribute level, e.g., date of birth?
  • The regulation problem – how can social graph portability be accomplished within the bounds of data sharing regulations that currently do not permit certain types of personal data to be shared across certain jurisdictions?
  • The safety problem – how can portable social graphs not be subject to the same spam, phishing, and phraud problems as email and the Web?
  • The political problem – how can we make it “politically necessary” for sites and applications to offer social network graph export?
  • The “friend description problem” – how can we have a interoperable means of providing richer description of “friend” relationships?
  • The calendar sharing problem – of all the different types of social graph data, how specifically can we reach alignment over sharing of calendar data?
  • The adoption problem – what are the compelling uses of social graph portability that will drive large-scale adoption?
  • The internationalization problem – how can attribute sharing work across all world languages?
  • The user experience problem – how can social graph sharing operations be made simple and understandable to everyday Web users?
  • The operational problem – how will large-scale data sharing affect network loads, caching, firewalls, security perimeters, etc.?
  • The “invitation fatigue” problem – how can we stop being overwhelmed by yet another source of messages and “click-to-accept” links?

Second, this is the list of solutions being offered at the DSS:

  • An OpenID interoperability testing service (Marc Canter)
  • A new open source project & community for social data portability using Higgins and Higgins context providers.
  • A community dictionary service for schema mapping (Markus Sabadello, Drummond Reed, Paul Trevithick)
  • Different companies offering the potential to have open APIs for sharing their social graph data (AOL/AIM, Yahoo, Google, Cyworld).
  • OpenID-based attribute exchange (Dick Hardt & Sxip)
  • An open API format for social network portability and sync’ing (Brad Fitzpatrick and David Recordon)
  • A social network export service (Upscoop from Rapleaf)

Third, here are the demos that were shown before lunch:

  • Cloudtripper: Paul Trevithick and Markus Sabadello showed how Higgins in conjunction with Higgins context providers (code chunks that know how to talk to specific data sources) can be used to pull a user’s social graph data together directly to their own desktop client.
  • Community Dictionary Service (CDS): Markus Sabadello and I demo’d a new service contributed to the Identity Schemas Working Group at Identity Commons. Intended to help solve the schema mapping problem for highly distributed data sharing, the CDS is a “Wikipedia for machines” – a way for applications to discover and map elements from different data schemas. (I’ll blog a bunch more about this after the Summit is over, but please do see it for yourself.)
  • FOAF crawler: David Recordon (now back at Six Apart) showed a service that crawls public FOAF, XFN, or other relationship metadata to produce aggregated social graphs.
  • Pownce: Leah Culver demo’d a social network aggregation service that lets users aggregate their own social graph.
  • XRI-based data sharing: Mike Mell showed an implementation of a data sharing solution based on XRI structured identifiers for La Leche League International.
Posted in Community Dictionary Service, Dataweb, General, Higgins, Identity Rights Agreements, Privacy, Social Web, XDI, XRI | Leave a comment

The Value of Vacation Mind

Posted on 9/5/2007 by Drummond Reed

No, I haven’t fallen off the face of the earth. But this has been a summer of big transitions — big enough that it will take several posts to cover it all.

Yet on this, my first day “back to school”, I want to share the simple observation that the value of “vacation mind” is vastly underrated. Robert Pirsig, in Zen and the Art of Motorcycle Maintenance (don’t get me going on that book) doesn’t use that phrase precisely, but he does refer very eloquently to that heightened state of energy and creativity you enter into after you’ve been out fishing for a few days and have completely relaxed inside and out. Once your mind is truly “off” things…

…suddenly it’s able to get “on” things like never before.

I’ve experienced it every year now for four years running (after two-week plus summer vacations) and I can’t rave enough about it. I come back to an explosion in new ideas and perspectives that seems to drive me forward until at least Christmas.

There’s great juju there. I look forward to exploring that phenomena in more detail once there’s a breather. But there’s not going to be a breather for quite a while. After Brad Fitzpatrick’s and David Recordon’s Thoughts on the Social Graph set a wildfire last month on the topic of social network portability, and now with Marc Canter, Joesph Smarr, Robert Scoble, and Micheal Arrington publishing a Bill of Rights for Users of the Social Web; and with Marc and Kaliya facilitating the Data Sharing Summit starting Friday…

…this new “school year” at the University of Digital Identity and Data Sharing is going to be a whopper. And fresh from vacation mind I’ve got a huge backlog of topics to write about. I’ll squeeze them out as fast as I can squeeze them in.

Posted in Blogging, General, Social Web, vacations, XDI | Leave a comment

Joe Andrieu on the User as the Point of Integration

Posted on 6/14/2007 by Drummond Reed

Joe Andrieu, one of the pioneers of the VRM movement, wrote an inspired blog post on how not just VRM, but user-centric identity as a whole, can enable a radical rethinking of how systems integration can work. If you put the user at the center of the system not just from a “control” standpoint, but from a data integration standpoint, all kinds of new possibilities arise.

What’s really eye-opening about his post is the way he puts it in the context of Einsteinian relativism and an AI concept called “stigmergy”.

You have to read it. In his conclusion, Joe notes:

Sure, there is still a lot of work yet to be done. We have to figure out the protocols and technologies for what data vendors actually share in that data-store and how we assure reliable, always-on access in a secure and privacy-protected manner. Fortunately, as I mentioned earlier, the user-centric Identity meta-system is addressing a huge portion of that.

If ever there was a clarion-call for XDI as a protocol for doing exactly what Joe envisions, this is it.

Posted in Blogging, General, VRM, XDI | Leave a comment

Phil Windley on XRDS

Posted on 5/31/2007 by Drummond Reed

I just added XRDS (Extensible Resource Descriptor Sequence) as a new category on my blog because this simple XML document format, created by the OASIS XRI Technical Committee to provide XRI resolution metadata and subsequently adopted by Yadis, is starting to gain attention as the discovery format for OpenID.

Phil Windley just posted a good overview of XRDS today. For even more detail about XRDS (and OpenID in general) see this article written for the Java community — perhaps the single best technical article on OpenID I’ve read.

Posted in General, OpenID, XRDS, XRI, Yadis | Leave a comment

Semantically Meaningful Identifiers: What a Concept!

Posted on 5/8/2007 by Drummond Reed

I haven’t blogged in a month because I’m so heads down with XRI 2.1 specs, prep for IIW (next week), and the business side of user-centric identity (yes, this really needs to turn into an industry if it is to ever really matter). But I could not help but note the explosion of discussion around Tim Bray’s post that Sun will be using OpenID and — gasp! — actually providing a semantically meaningful OpenID identifier! I can’t reference the discussion on the Identity Gang mailing list per community agreement, but see:

  • Paul Madsen’s post.
  • Eve Maler’s post.

If this raises a ruckus, imagine the concept of an entire LANGUAGE for machine-proveable assertions using machine-readable identifiers. Imagine if Sun could move from it’s current “tincture of trust” to a simple yet provable assertion like…

@sun+employee=example.name

…which is itself would be a valid OpenID under the proposed OpenID 2.0 spec and the proposed XRI 2.1 syntax.
With XRI 2.1 and the XDI RDF model, about which I’ll start blogging much more extensively after IIW, that’s what we’ll have laid the foundation for. A semantic web where the semantics are actually in the identfiers.

Exactly the way it works with human language.

What a concept.

Posted in Blogging, General, OpenID, XRI | Leave a comment

Mike Jones Issues Himself

Posted on 4/5/2007 by Drummond Reed

Mike Jones, anchor of the Microsoft Cardspace team along with Kim Cameron & crew, has moved into the blogosphere. I’ve referenced his home page in MS Research (where he used to be) in many blog posts, but now I can reference his new blog, Self-Issued (a nice play on the information card metaphor).
Since information cards and XRIs (or more informally, i-cards and i-names) are already kissing cousins (and flirting closer still), plan to see lots more cross-references to Mike’s new blog.

Posted in Blogging, CardSpace, General, I-Cards | Leave a comment

Eve Gets the Venn of Identity

Posted on 4/3/2007 by Drummond Reed

Speaking of great posts and great pictures, I think Eve Maler’s recent Venn of Identity diagram is the best thumbnail picture of “Internet identity space” I’ve ever seen. She credits both Johannes Ernst and Paul Madsen for the progenitors. Eve’s Venn diagram approach to the “three corners” capture the subtlety of the overlap very nicely.

Makes me look forward to the next Internet Identity Workshop May 14-16 to see the next evolutionary leap. Don’t forget to register early.

Posted in Blogging, CardSpace, General, OpenID, SAML | Leave a comment

Talking XRI with Phil Windley and Scott Lemon

Posted on 4/3/2007 by Drummond Reed

Last week I had a long talk about XRI with Phil Windley and Scott Lemon that they just posted as an IT Conversations podcast. If you ever wanted to know the full XRI story from start to finish (verbally, at least), this is the podcast for you. Phil tends to draw out the details from me, so there’s quite a bit of “verbal whiteboarding” (I live for whiteboards), but altogether it amounts the most comprehensive oral summary of XRI I’ve ever done.

After all, the point of this blog is that identifiers matter. Few people understand just how much.

Posted in Blogging, General, Practical I-Names, XRI | Leave a comment

Victor Finally Writing Turtles All the Way Down

Posted on 4/3/2007 by Drummond Reed

Victor Grey, co-founder of i-broker 2idi with Fen Labalme, has always been one of my favorite cats in the identity universe, but you need to know him well enough to coax out his deep wisdom. Now that he’s blogging, you can sample it directly. I particularly love this entry on why he called his blog TATWD (Turtles All The Way Down) — one of our favorite expressions on the OASIS XDI Technical Committee.

Victor also has some wise observations about the extensive phishing debate around OpenID.

Enjoy!

Posted in Blogging, General, I-brokers, OpenID | Leave a comment

Identity Commons 2.0 and the Chief Catalyst

Posted on 3/8/2007 by Drummond Reed

Yesterday the long-simmering process of birthing the second-generation Identity Commons reached a key milestone: the Stewards Council reached consensus on moving forward with formal incorporation (in Florida to save money, since Steward Dan Perry has volunteered to serve as counsel), set a budget, and began the process of soliciting donations so Identity Commons can become a formal organization.

Over seven years in the making (if you include the evolution of the first generation of Identity Commons started by Owen Davis, Andrew Nelson, and Joel Getzendanner), Identity Commons is the perhaps the most intentionally-designed un-organization in history.

Un-organization? That’s really one of the best ways to describe the goal of Identity Commons, which is to serve as what Joel calls an “upside-down umbrella” organization for a set of Working Groups that do all the real work of figuring out a user-centric identity layer for the Internet.

In other words, the real purpose of Identity Commons is to just “hold the space” for the conversations and collaboration necessary to happen to build that layer we all want. We need just enough to make a “there” there — and no more, because it’s in that “more” that all the complications arise. (This notion of serving as “just a container” was originally suggested by Bill Aal, founder of Riseup, who thought Identity Commons could do for the identity layer what IETF did for the physical layer.)

So how much is enough “there” there? So far the consensus of the stewards is that it’s just a Stewards Council, a simple non-profit corporation, a set of wikis and mailing lists, and a Chief Catalyst. (That wonderful role title courtesy of Eugene Kim, who has served as unofficial chief facilitator of the incubation of this second generation Identity Commons.)

From the moment he suggested that role a few weeks ago, the Stewards have had one person in mind: Kaliya Hamlin, the fabulous Identity Woman. Her work in conjunction with Phil Windley and Doc Searls to catalyse the evolution of user-centric Internet identity via the Internet Identity Workshops has been the single biggest factor in the remarkable amount of convergence that’s already happened (and more to come).

So here’s the way I think of the new Identity Commons: it’s a way for all of us to support the work of Kaliya — and the 15+ working groups — to accelerate achieving the goal of making this identity layer real. Because we can’t get there fast enough.

In particular, I would urge you to support Identity Commons, either as an individual or corporate sponsor, because it will mean Kaliya as Chief Catalyst will have a budget to do more travel around the world and hold more events and do everything else she does to bring more people and organizations into the community and into the work.

Posted in General, Identity Commons | Leave a comment

OpenID and CardSpace Dance Takes the Next Step

Posted on 2/6/2007 by Drummond Reed

User-centric identity infrastructure just took another key step forward today: Janrain, Sxip, Verisign, and Microsoft announced they will all be working together to help OpenID users get the benefits of CardSpace and vice versa. Links to the blog announcements:

I’m very happy to see this step for all the reasons I’ve been blogging recently:

  • OpenID is about user-centric identity services that are possible because OpenID turns the user (or any entity with an OpenID identifier) into a first-class addressable endpoint on the net, with a standardized, lightweight service discovery mechanism (XRDS).
  • CardSpace is about secure cross-domain authentication and exchange of both first-party and third-party claims.
  • OpenID can use CardSpace’s security and anti-phishing protection — every website that accepts OpenID can leverage the use of CardSpace-protected logins at the user’s OpenID provider.
  • CardSpace can use OpenID’s privacy-protected digital identifiers and lightweight service discovery, making information cards more dynamic and actionable to CardSpace relying parties.
  • There has never been any need for the two technologies to compete on authentication. We need the strongest authentication we can get, as widely as we can get it, as soon as we can get it. Once that’s in place we can finally begin building new applications on top of the identity layer.

The devil’s always in the details, but let’s nail down the details on this one and get these two technologies working together ASAP.

Posted in General | Leave a comment

I-Names, OpenID, and Cardspace

Posted on 2/6/2007 by Drummond Reed

Kim Cameron has done another great post about how Cardspace and OpenID can work together, and specifically about the potential relationship of information cards and XRI i-names and i-numbers. This continued a thread that started with a post I did January 22 suggesting that it would be ideal for the CardSpace schema to support XRI identifiers as a specific claim type. In his response that same day, Kim said:

“…just a small clarification. Drummond talks about the “default CardSpace schema”. He’s really talking about the “default Self-Issued Card schema.”
CardSpace itself handles tokens of any type, containing claims of any type. There are no limitations on your schema if you create a managed card. I’ll make that clearer in my next post.
Further, we tried to keep the ”bootstrap” Self-Issued Card provider down to a minimal set of initial schema choices – precisely to leave room for a managed card ecology. But one of those initial claims is a URL… I thought an i-name or i-numbers would be able to go there. Is more needed?

As usual, Kim’s architectural instinct goes straight to the heart of the matter. In fact he poses such a important question that I’m going to provide a very detailed answer, starting with a use case involving the very blogs on which we are holding these conversations.

The Power of Abstraction

In Kim’s post, where he responds to this excellent post by Andy Dale explaining why the i-name and CardSpace value propositions are so complementary, Kim was particularly kind about the work we have been doing on identifiers at the OASIS XRI and XDI Technical Committees. He gives the example of using his own i-name on his blog. To quote his post (including the links):

By the way, I’ve been using my =Kim.Cameron i-name for a couple of years now – ever since I started this blog. It has been a life-saver. It has been my email conduit to my readers and allowed me to interact personally with many people all over the world – without ONE piece of spam.

Thank you again Kim for your kind words about what I believe is currently one of the most useful features of i-names – they come with contact pages that let you be reached on the net without opening yourself up to spam. But now let me drill down into a crucial feature of how i-names and contact pages work.

First, if you hover over Kim’s “=Kim.Cameron” i-name link above, the underlying href value you will see is:

http://2idi.com/contact/=kim.cameron

Interestingly enough, this is not the original XRI. XRIs are abstract identifiers, so to go to a specific location they are resolved into URIs. The HTTP URI at 2idi.com (2idi is Kim’s i-broker for his =Kim.Cameron i-name) is actually the default HTTP URI that =Kim.Cameron resolves to if you use an XRI resolver. (Why that particular URI is the default is beyond the scope of his post; the complete details are in the current XRI resolution spec.)

The original XRI for Kim’s i-name, in pure XRI format, is:

=kim.cameron

That’s right, there isn’t even an “xri:/” scheme name. That’s optional in XRI syntax because XRIs are protocol independent, so the XRI “scheme” is actually indicated by one of give global context symbols as the first character of the XRI (=, @, !, +, $). That doesn’t mean an XRI can’t use a domain name to specify the authority; it can, just after the prefix “$dns” (or “$ip” if you want to use an IP address). While this syntax is not yet recognized yet by today’s text editors and browsers, the same was true 10 years ago of www.*. That will come in time if XRIs prove as useful as those of us developing XRI infrastructure believe they will be.

To solve the problem of how XRIs can be used immediately with today’s Web infrastructure, the OASIS XRI TC defined an HTTP(S) XRI format called HXRIs. This adds an http(s) URI scheme and domain name as a prefix to the pure XRI. The two rules for an HXRI are: a) the domain name must start with “xri.” and b) the first character of the path must be an XRI global context symbol.

An HXRI is sent to a web server called an HXRI proxy server. Anyone can operate an HXRI proxy server just by creating an “xri.” subdomain and running an instance of XRI proxy resolver code available from the OpenXRI project (see dev.inames.net for more info). So the second form of Kim’s i-name is a HXRI that uses the xri.net public HXRI proxy resolver operated by XDI.org.

http://xri.net/=kim.cameron

If you click this URI, it calls the xri.net proxy resolver which looks up the target XRDS document (I can’t display it here but you can view the XML directly).

Since the xri.net proxy resolver was not given any other instructions about what service type to select, it selects the default service (again, out of scope for this post), which in this case is a contact service, identified by the following XRI in the Type element:

xri://+i-service*(+contact)*($v*1.0)

(Note that this XRI is in URI-normal form, which is why it shows the “xri:” scheme name.)

The xri.net proxy resolver then follows the instructions for composing the final target URI, which is to append the original pure XRI (=kim.cameron) to the value of the URI element (http://2idi.com/contact/). This gives you:

http://2idi.com/contact/=kim.cameron

While this is the HTTP URI that Kim cut-and-paste to put on his blog (probably because that’s what appears in his browser address bar when he goes to his contact page), that’s not actually the HTTP URI he should use if he wants the link to persist. He should use the original HXRI of:

http://xri.net/=kim.cameron

Why? Because this is the full abstract identifier that will continue to work even if Kim later changes i-brokers to a different i-broker (such as 1id.com, Encirca, Initech, or LinkSafe – more in the pipeline). In fact if Kim wants to, he can gain even greater persistence by making the underlying link for “=Kim.Cameron” to his i-number instead of his i-name. You wouldn’t see it unless you hovered over it, but this would look like:

http://xri.net/=!BC75.AD44.D370.C0A0

This is the safest and strongest link Kim could put up because unlink global i-names, global i-numbers will never be reassigned to another XRI registrant if the original registrant expires– all global i-numbers are permanently globally unique.

The moral of this story? While XRIs (in URI-normal form) are technically URIs, they are a special kind of URI intended to be resolved into other concrete URIs that actually indicate the current network location of a particular type of resource. An XRI by itself doesn’t indicate the current network location of anything. It’s purpose is to represent an abstract identity – the real world entity that has a representation somewhere on the network (or is in fact represented entirely by the identifier, in the case of purely abstract entities like tags).

Finally Answering the Question: XRI Claims for the Self-Issued Cardspace Schema

With this background laid, we can now finally start to answer Kim’s original question:

Further, we tried to keep the ”bootstrap” Self-Issued Card provider down to a minimal set of initial schema choices – precisely to leave room for a managed card ecology. But one of those initial claims is a URL… I thought an i-name or i-numbers would be able to go there. Is more needed?

My answer is that while it is technically possible to put an XRI (in URI-normal form) into a URI field, and such an XRI would carry the necessary identifier metadata to indicate its URI type (the xri: scheme name), this would be akin to putting a fax number in a phone number field. Yes, technically, a fax number is a phone number, but it’s a special kind of phone number capable of a special kind of phone service, and this is typically indicated to both humans and devices by providing an input field that is explicitly typed to contain a fax number, even though the format is identical to that of a regular phone number.

The same applies to XRIs—in fact even more so because:

  • There are explicitly two different kinds of XRIs: i-names and i-numbers. The first is reassignable and the second persistent.
  • XRIs are explicitly intended to come in synonym sets, for example one-or-more i-names paired with a persistent i-number. In fact when you register a global i-name with the XDI.org global registry service, you are automatically assigned a global i-number (unless you have one already, in which case you can choose to make the new i-name a synonym to your existing global i-number if you want).

So the bottom line is that for the Microsoft default schema for self-asserted cards to fully support XRI i-names and i-numbers as privacy-protected digital identifiers, I recommend that it include two claims for this purpose: one for a human-readable i-name, and one for a persistent i-number. Ideally both can support multiple instances, though in 99% of the cases only one i-number field will be needed, while in some cases users may wish to share more than one i-name synonym.

I look forward to working with Kim and Mike Jones and the CardSpace team to figuring out the best way forward to full interoperability — and synergy — between CardSpace, XRI i-names and i-numbers, and OpenID.

Posted in Blogging, CardSpace, General, I-Cards, OpenID, Practical I-Names, XRI | Leave a comment

Identity Meme

Posted on 1/22/2007 by Drummond Reed

If you want to follow the real down-and-dirty of what the identity layer will become, catch Jeff Hodges blog at identitymeme.org. Before he joined NeuStar two years ago (lured by Peter Davis among others), Jeff was with Oblix and Sun and is the editor of several Liberty Alliance specifications. He also co-chaired the OASIS Security Services TC (producers of SAML). He’s currently working with Eve Maler’s “SAMListas” looking hard at the intersection of SAML, OpenID, and XRI.

Posted in Blogging, General, OpenID, SAML, XRI | Leave a comment

CardSpace and OpenID Starting the Convergence Dance?

Posted on 1/22/2007 by Drummond Reed

Earlier this month Kim Cameron starting blogging about some of the phishing concerns he’s had about OpenID that he and Mike Jones have shared with myself and other members of the OpenID community privately since Digital ID World last September. Given that anti-phishing protection is one of the greatest strengths of CardSpace, one of Kim’s and Mike’s suggestions has been for OpenID providers to start accepting CardSpace cards for customer authentication.

Today Kim blogged his proposed solution for integrating OpenID and InfoCard in detail. He does a wonderful job of it, making it very clear how using CardSpace and OpenID together can be a win/win for both. With Windows Vista shipping to consumers at the end of the month, and the CardSpace upgrade now available to XP users, this is a very practical solution to increasing OpenID security that I expect all XDI.org-accredited i-brokers (who all provide OpenID authentication service for i-name holders) to implement as soon as they can.

Kim closes his post by saying, “That said, I have another proposal [for integrating OpenID and CardSpace] as well.” That’s good, and I await it eagerly, because I too believe the integration can go much deeper, just as it can for OpenID and SAML. The heart of it is individuals and organizations being able to assert their own resolvable, privacy-protected digital identifiers. That’s the foundation of the OpenID framework, and the job for which we’ve been designing XRI i-names and i-numbers for the past five years. Microsoft’s current default CardSpace schema does not yet natively support XRIs as digital identifiers, but adding them could increase their power and utility and be another big step towards convergence on a unified Internet identity layer.

Posted in CardSpace, General, OpenID, XRI | Leave a comment

SAML and OpenID at the Convergence Dance

Posted on 1/21/2007 by Drummond Reed

Eve Maler called it a “swirling nexus”. That’s appropriate for both the weather and the dance of discussions at an informal meeting last week between SAMListas (Eve’s term) and OpenIDear’s (my term) hosted by JanRain last week in Portland. Eve blogs it here and David Recordon here.

Eve’s writeup is so comprehensive that I don’t have much to add, other than to say that that more than ever the forces pushing us towards a fully converged Internet identity layer are gaining momentum. See my next post for more.

Posted in General, OpenID, SAML, XRI | Leave a comment

The Golden Spike Meeting of Higgins and XDI

Posted on 1/17/2007 by Drummond Reed

May 3, 2006, mid-afternoon. The second Internet Identity Workshop had just wrapped up. It was so thick with sessions and discussions that Paul Trevithick, Andy Dale, and I just kept passing each other in the halls saying, “We need to talk!” but never having the time to actually do it.

We finally agreed to meet in one of the conference rooms after the main event was over. We migrated to a whiteboard and started drawing pictures to help us answer the key questions that kept coming up over the past two days, “How exactly are Higgins and XDI different? What does Higgins do that XDI doesn’t and vice versa?”

There was great irony in this. Besides heading the Higgins project, Paul is a member of the XDI Technical Committee (TC) at OASIS. Besides being the leading implementer of XDI, Andy has been a member of the Higgins project. And I’ve been working with both of them for several years now. Yet still none of us had a really good answer to this question.

As we kept drawing and redrawing the diagrams on the whiteboard, wrestling with how things lined up, I noticed Kaliya, Doc Searls, Phil Windley (collectively the organizers of IIW), plus several other late-stayers had joined the room and were happily monitoring to our progress. They were as interested in the outcome as we were!

I stil remember the late afternoon sun streaming in though the second-story window of the Computer History Museum as I pondered that whiteboard. All three of us had the unsettling feeling that there was much more to this story than we were able to divine off this particular diagram at this particular time. And then poof, our fifteen minutes was up and we all had to split for our respective trains, planes, and automobiles.

But the question was NOT answered, and it kept gnawing at the three of us. It was still there at Digital ID World in September, only now it was starting to surface in another direction: the relationship of OpenID 2.0 (which supports XRI) and Higgins. Could Higgins support both OpenID authentication and CardSpace authentication of the same digital subject? If so, was a URL or an XRI the common identifier of the subject? And how would this relate to attribute sharing?

Again the three of us swore we needed to get in a room together to get to the bottom of this and finally answer these questions – for ourselves, and for everyone else that was asking. We even knew of at least one context where we might get that opportunity – a new project from Paul Hawken’s Natural Capital Institute called WISER (World Index for Social and Environmental Responsibility) that will provide an indexing and data sharing platform for the entire international NGO/civil society sector. It looked like an effort on which we could all collaborate.

Still it took until December for the WISER Commons project to gel to the point where we could finally schedule three days together last week to develop a recommended identity and data sharing architecture for WISER.

As planned, the first day we spent understanding the requirements of this groundbreaking project (about which I’ll blog more soon). This gave us just what we wanted: several flagship use cases against which we could compare the Higgins and XDI architectures in detail. The next morning we sequestered ourselves in front of a white board in a conference room at Andy’s offices. We took the first use case and started diagramming it. Step by step by step we worked through how it would be implemented using the Higgins framework and the XDI protocol. But this time, where before we had drawn big boxes and circles and arrows…we started drilling down. Blowing up each box into its subcomponents and drawing the next level of circles and arrows…and when we got stuck, drilling down to yet another level below that.

As expected, there was a boatload of terminology frustration on both sides. Higgins uses “context”, “contextref”, “digital subject”, “subjectref”, and “context-unique ID” or “CUID”. XDI uses “authority”, “type”, “instance”, “i-name”, “i-number”, and “cross-reference”. But as we slowly peeled the onions, we began recognizing intersection points from which we could start mapping the terms.

For example, we knew going into it that both Higgins and XDI were based on schema-independent, context-independent data models, and those models are fundamentally based on RDF subject/predicate/object graphs. But it wasn’t until we peeled the onion all the way down to these core data models and started drawing the RDF graphs that we found ourselves not only on solid ground…

…but common ground. Acres of it. Whole continents of it. In fact, as we used to say at the gold dredging operation where I worked in Alaska, we hit bedrock – and that bedrock extended all the way under the mountain range.

Suddenly for the first time we were no longer looking at each other as “the other way of doing it”. Instead we saw we were both on the same side, building fundamentally the same thing: an interoperable way of sharing data between any two systems and applications.

The next morning when we reconvened with the WISER Commons team we hit upon the perfect analogy: it was exactly like the transcontinental railway projects in the 1800s. Higgins was building from East to West (Paul being from Boston), i.e., from the user-interface and application layer down towards the protocol layer (Paul coming from a background in page layout and desktop publishing). Andy and I and the rest of the XDI TC had been building from West to East (Andy being based in Berkeley and me in Seattle), i.e., from the protocol layer up towards the application and UI layer (Andy coming from the enterprise database and messaging world).

And although we had been building two entirely different railroads for moving data from coast to coast, suddenly here we were, meeting in the middle of the continent. And, to our mutual astonishment, finding that we were both using the same guage tracks! In other words, with a little work, you could hook the two together and data would flow as smoothly up and down the Higgins/XDI stack and across Higgins/XDI-enabled systems as steam locomotives could move across the interconnected intercontinental railway system.

The secret was the guage itself – RDF. We had both arrived at it as the common core model for data description. And although the railroads we have respectively built from it have many different features and can go different speeds and handle different types of passengers and freight in different ways, they are fundamentally interoperable.

So we dubbed this “The Golden Spike Meeting” of Higgins and XDI (Laurie Rae informs me that in Canada it was called “The Last Spike”, but there’s something more romantic about a golden spike). And hopefully it will represent as important a milestone in our progress towards an open interoperable data sharing layer for the net. At a minimum you can know that Paul and Andy and I are committed to bolting these trains together as quickly and efficiently as possible and showing for real how the data can just start moving.

All aboard!!

Posted in Dataweb, General, Higgins, I-Cards, Social Web, XDI | Leave a comment

Bob Wyman Updates it to Zooko's Pyramid

Posted on 1/7/2007 by Drummond Reed

You have to be not just an identity geek, but a dedicated addressing geek, to have even heard of Zooko’s Triangle, let alone understand how elegant an analysis it is of the tradeoffs involved with global identifiers (globally-unique, human-meaningful, decentralized: pick any two). But if you care about this particular neck of the networking woods, Bob Wyman has just redrawn the map. He agrees with those of us who believe the characteristic of identifier persistence is important enough that he’s not only suggested Zooko’s Triangle needs a new dimension, he’s drawn it up beautifully.

So clear was his argument that I updated the Wikipedia page on Zooko’s Triangle to include a reference too his post.

From now on it’s Zooko’s Pyramid!

Posted in Blogging, General, XRI | Leave a comment

VRM: VROOOM!

Posted on 1/2/2007 by Drummond Reed

Many of us in Internet identity like to joke about how we all work for Doc Searls, since he’s the one who initiated the Identity Gang and the whole current movement towards user-centric identity. But we may all seriously end up working for Doc in the new industry he’s setting out to create: VRM (Vendor Relationship Management). You can get a feel for it from the VRM wiki at Harvard’s Berkman Center, and there’s already a serious set of bloggers explaining how it will be the next big thing.

All I can say is: VROOOM! We can’t get to the starting line fast enough. As powerful as you think this idea might be, wait until the rubber meets the road and VRM services and solutions start hitting the market. It’s going be a tangible example of what Kim Cameron calls the “identity Big Bang”.
Like the Cluetrain Manifesto, I don’t think anything short of crawling inside Doc’s brain can really explain how much VRM will change marketing and CRM as we know it. But I plan to do everything I can to help, and with luck that will be plenty, because this is EXACTLY the kind of application for which XRI/XDI infrastructure was conceived.

I’ve added VRM as a category to my blog, and plan to attend Doc’s VRM development workshop before his Mobile Identity unconference at the end of January, so watch for more stories on it as the New Year unfolds.

Posted in General, Identity Rights Agreements, Social Web, VRM, XDI, XRI | Leave a comment

An XDI New Year's Present

Posted on 12/31/2006 by Drummond Reed

For months now I’ve craved the time to write up a simple tutorial on XDI that can quickly show folks already familiar with Internet identity and trusted data sharing why those of us working on XDI are so excited about it.

So even though I really didn’t have the time, I took the excuse of the impending New Year to just do it.

Enjoy — and send me feedback and more questions any way you’d like (XRI TC, XDI TC, XDi.org, or OpenID mailing lists, or directly via my contact page).

Posted in General, XDI | Leave a comment

The Persistence of Persistence

Posted on 12/30/2006 by Drummond Reed

This play on Salvador Dali’s famous painting “The Persistence of Time” is to point out a principle that seems to recur with every evolutionary step of Internet identity architecture: the fundamental importance of persistent identifiers.

For example, last week on the OpenID General mailing list, I answered a question about the difference between using URLs and XRIs as OpenID identifiers by explaining that URLs, being based on DNS names or IP addresses, have the inherent problem that they are reassignable. As I explained in an earlier post, in an Internet identity architecture like OpenID in which your identifier is the entire key to your identity (because it is resolved to determine the identity provider from which an authentication assertion can be requested), using a reassignable identifier means your entire identity can be “taken over” if the domain name or IP address of your URL is ever reassigned. This would be tantamount to a U.S. citizen having their Social Security Number reassigned to another citizen, but even worse because there would be nothing in the infrastructure at all to prevent this, or even signal that there was something wrong.

I went on to explain:

XRI infrastructure solves this problem by explicitly supporting reassignable identifiers (i-names) and persistent identifiers (i-numbers) and permitting the resolution of any reassignable i-name to be mapped immediately to a synonymous, never-reassigned i-number which can be safely stored by an OpenID Relying Party without exposing the identity owner to the risk of having their i-name “taken over”.

Bob Wyman responded with a very important point:

The XRI Syntax specification says that a Persistent Identifier is “An identifier that is permanently assigned to a resource and intended never to be reassigned to another resource.” While it may well be the “intention” that such persistent identifiers are never to be reassigned, one must accept that an “identity owner” is, in fact, exposed to some risk of having their i-name ‘taken over'” in the case of unintended events. There is nothing technical which prevents the taking over of XRI persistent identifiers. The only thing that reduces risk here is people’s and organization’s willingness and ability to follow the rules. Such trust may well be reasonably held, but there remains an ineradicable risk of entities’ failure to perform as intended… (Note: The previous comments should not be taken as a criticism of XRI. This ‘risk’ is an inevitable characteristic of this class of system and of this type of “solution”.)

So important is Bob’s point that today I replied with the following:

Bob is absolutely right that there is nothing inherent in the technical aspects of XRI architecture — nor was there in the URN (Uniform Resource Name) architecture that came before it – to prevent the reassignment of an identifier intended to be persistent (which both XRI i-numbers and URNs are). Such protection is afforded *entirely* by the operational policies of the authority assigning the identifier, i.e., the registry.Part of the reason URNs did not catch on (besides the fact they are typically very un-human-friendly identifiers) is that the operational requirements of a URN registry are so dramatically different than a DNS registry. A URN is assigned once and never reassigned, where as a domain name is registered for a specified period and then either renewed or the registration expires and it is returned to the pool of names available for registration.

As I explained in the previous thread, one of the primary motivations for the development of XRI architecture was to bring both reassignable and persistent identifiers together under one unified registration and resolution architecture that could not only solve the usability issues of persistent identifiers (by permitting them to be discovered via human-friendly synonyms), but to enable a new type of registry that supports policies for *both* reassignable and persistent identifiers.

XDI.org is (to my knowledge) the first global identifier registry infrastructure developed using this model. Although the details are probably far too esoteric for most members of this list, if you find yourself interested in the policies of a global registry infrastructure that supports the registration of both reassignable and persistent identifiers, by all means visit the XDI.org Global Services Specifications site and review the main GSS document, in particular the section on I-Numbers.

Net net: as OpenID spreads, so will recognition of the value of having a persistent identifier at the root of an OpenID identity – and so will appreciation of an identifier infrastructure designed from top to bottom to support the policies necessary to make reliance on these persistent identifiers a reasonable risk.

Mark my words as we head into 2007 (which I’ve already heard predicted as “the year of OpenID”): the need to use persistent identifiers to provide long-term Internet identity protection will finally start getting the attention it deserves.

Posted in General, OpenID, XRI | Leave a comment