June 2009


Through a roundabout way, I’ve just been looking at TripIt, currently a US application that basically provides a convenient overview of your trip itinerary (and wraps all sort of services around it like advertising, user recommendations, sharing with friends etc). All you have to do is e-mail your booking confirmations / itineraries from any travel company to TripIt and they build your itinerary at TripIt. For people like me who are hopelessly unorganised it is simple, elegant and quick and works across different companies through aggregation.

Hang on a minute. E-mail TripIt your booking confirmation? With all of your travel details, personal details, payment details on it? How valuable is that information? How personal is that information? How much do I trust TripIt with that sort of data?

Now to be fair, TripIt have a clear privacy policy and user agreement prominently on their website:

TripIt Privacy Policy.

However, this agreement is fairly open and allows for a lot of sharing and reuse of personal data, and open publication of travel dates (burglars – over here!).

Users love this site. They love the functionality and organisation features and all of the enhancements it gives to your user experience…and they don’t seem that worried about sharing this data. As organisations struggling under the burdens of the Data Protection Act in the UK, how do we get the balance right between protecting users and warning them of the dangers, but developing services that can exploit personal(ly) (identifiable) information (PII) to meet user demands? It’s an interesting quandary but I’m keen that it is properly explored as a subject area and not shut down by overly risk-averse approaches.

Last week, I spoke at the eema European e-Identity Management Conference. Although intended for “those in business, public sector and government who are involved in the policy, security, systems and processes surrounding identity management”, the high price tag of the conference meant it was very business oriented. This led to an interesting focus on mobile identity – an area that we haven’t touched on in much detail within JISC – but also to many concepts that we have been exploring in the JISC arena for some years such as federated identity, identity in the cloud etc.

It was of course very satisfying for me to hear Kim Cameron of Microsoft talking about identity federation, interoperability with SAML, and the Cloud Identity Federation Gateway which is part of recent work at Microsoft, including the Identity Software and Services Roadmap. Cameron described identity in terms of claims based access, with a claim as an assertion that is in doubt. He sees it as the business of identity management to validate that claim. The importance of this in the changing environment is that enterprise systems used to be closed, but are now permeable with many interactions outside of the traditional firewall. These are exactly the issues which the education community has been grappling with through its adoption of SAML.

Kim finished by warning people ‘not to be the only person out there with a fax machine’. Given the focus on SAML at the conference, the adoption of the standard seems a sensible way of not being that person.

Overall, it seems as if the commercial world is in agreement with the education sector on its approaches to access and identity management, and in fact the education sector seems to be ahead in many respects in the route it has chosen. The hot topic of the conference was ‘identity in the cloud’ – my immediate reaction to this is that a fully distributed federated identity system does much of this already. We are in the right place.

(Oh, and in case you’re interested, my slides on the Tao of Attributes are here, with much thanks to Ken Klingenstein for all the input!)

Having done a number of FE events this month, I’ve got the impression that when all the to shib or not to shib deployment issues are unpacked, a recurring problem is the ability of LRC staff to make their case at the SMT level. It’s not that they can’t articulate it, they certainly can, but too often (and by too often, I mean based on anecdotal and entirely unscientific evidence) it seems that if it isn’t part of the IT department agenda, it can be all but impossible for FE librarians to get it onto the SMT agenda. Somewhat ironic that just as the term Shibboleth can symbolise divide (in the biblical sense), it can also represent the sometimes divide between LRC and IT and even the divide between teaching / learning and supporting infrastructure.

I’m very happy to be told I’m wrong, and if anyone is at an institution where they don’t have that divide, I would love to hear about how they have achieved that cultural change.

I’ve come to realise that we are very keen on Services in the education sector, particularly within the UK. By this I mean capital S Services, big monolithic ‘things’ with the sense of tangibility: websites, service levels, staff, physical homes, known server locations – that sort of thing.

I think this is why there is so much focus in the work I currently do on the UK federation itself, rather than the thing that we are actually trying to implement – the SAML standard. OK, I know, standards are dull and boring things for techies and Services are things that real people use. I just wonder how this focus will bear out in the long-term vision of where we are going with access and identity management in a world of web2 and cloud computing?

I’ve always seen the federation structure as a practical delivery model that will change over time. As seen in the slide below and in presentations I have recently given on assurance – federations are a means to an end. They are a convenient, pragmatic, usable way of embedding the SAML standard within the UK education community.

It is important that we don’t get too obsessed with the construct of the federation and remember that it is the standard that is the important thing. I think it is very likely that the structure and central role of the federation will significantly change over the years as metadata aggregation takes on a more distributed model as I have previously discussed. Federated access management has the potential to offer a lot as a distributed service model within the cloud – which is why I disagree somewhat with some of the developments of federations in Europe that are placing a lot of functionality within the federation itself.

Focusing on the standard rather than technologies and applications helps remind us of what has been achieved in the federated access management space – a significant number of countries all converging on SAML. This means that whatever service structures we put in place to help support adoption of the standard in our countries, we should always have the potential to talk to each other. This is a huge achievement, and one that I think goes a little unrecognised in the nitpicking about service delivery. It also means that we have the flexibility to move forward and adapt – SAML allows you to work with new technologies such as OpenID and InfoCard implementations, but also with new platforms such as Google Wave. Standards are the key to moving forward, and that is why we have moved our community towards its adoption, whatever the technological implementation.

This is why I was pleased to see the official announcement of the Kantara Initiative yesterday. Kantara aims to be a global talking shop for all things access and identity management – but based around open source, open standards and open participation. The announcement states that:

“A commitment to open standards means the Kantara Initiative Community will collaborate on projects that make use of all of the identity frameworks, protocols and specifications in the marketplace today. This means solutions could be built based on one or a combination of several IAF, ID-WSF, IGF, Information Card, OAuth, OpenID, SAML 2.0, WS-*, XACML and XDI standards.”

I think that is exactly the right attitude to have, and would encourage you to go and look at the Kantara website. You can also follow ‘Kantarainitiative’ on Flickr, SlideShare and YouTube, and KantaraNews on Twitter.

I’m not going to comment on the rights and wrongs of the election but this does seem almost a test of the power of web 2.0 vs traditional state apparatus. The BBC, now under reporting restrictions, has started providing links to all sorts of citizen journalism. Very useful, but the only problem is that if I see John Simpson (an accredited BBC journalist) doing a report, there is a degree of assurance as to his identity (I say degree because even the New York Times hasn’t been immune from made up reports). Some of the stuff I’ve seen on YouTube is authentic but then some I have my doubts about. Even if I have an assurance about the origin (ie student at Tehran ac uk or the equivalent) it probably wouldn’t help me in this case, as my understanding of Iranian affairs is too poor to make a qualitative assessment of that info. But imagine it was transposed here…video footage or a tweet of an incident…would it help to know it was from a UK media student? A UK academic? An academic in a politics faculty?

Competitiveness of UK HE v the world is a hot topic so I wanted to look at push factors for ebook adoption in the UK v the US. Certainly a lot of work is going on in the e-textbook market but to help that take off, the mass market needs to help as well. UK HE / FE staff really only got into “computers” once they had a personal use for one. One college principal who had an early one-per-desk policy actively encouraged staff to surf for cheap holidays etc, knowing that eventually it would filter down to them accepting e-learning at a more rapid rate. So will staff (and here I mean curriculum staff rather than librarians) push e-book textbooks to their students if they don’t use them in their personal life?

Well, part of the factor in getting mainstream adoption is price, and a quick, dirty and absolutely statistically irrelevant survey around the web showed up interesting price differentials between the UK and US. For the “new” James Bond novel by Sebastian Faulks (don’t get me started on that issue – I’m with J D Salinger all the way) the US ebook non-discounted price is 45% cheaper than the discounted UK ebook price. The UK discounted ebook price is itself 45% more expensive than the UK paperback list price. Now I know there are a ton of issues here – VAT, discounting, market differentials…but if pricing is anywhere in the ballpark just described, mass take up of ebooks is surely gonna lag in the UK compared to the US in a way that we have never lagged before? (PCs, video, DVD etc – we are always up there with the US in the early adopter stakes.)

Arnie terminated paper books in KAL LIF FORNIA last week – I suspect it might be a while before e-readers rise up to take control here…

Those of you deeply embroiled in the finer details of federation constructions (no, it’s not just me!) cannot have avoided being in a conversation recently about the need to separate the role of Federations as registrars of metadata and the role of metadata aggregation and distribution.

Simply put, Federations add useful assurance and trust qualities to metadata through registration processes. This is particularly important at the moment in the UK federation, which has been focusing in on commercial content provision via the federated model. However, there are use cases where the geo-centric nature of Federations is not helpful.

We looked at such a case within the REFEDS meeting on Sunday at #tnc2009. All those involved in the REFEDS group need to be able to use federated access to use the REFEDS wiki space and the Kantara wiki space (Kantara is the new Liberty Alliance, watch that space!). It does not make any sense for organisations like Kantara and TERENA to attempt to join all of the Federations involved in REFEDS – even the most lightweight agreements still involve a contract signature process that is difficult to obtain in such organisations.

The solution? A metadata aggregation of all of the entities involved in REFEDS. In this sense, we are talking about a real virtual organisation in operation. John Paschoud rightly queried me on how trust will be maintained within such an arrangement without a Federation. There are various ways of adding trust and assurance to this aggregation. Firstly, the metadata aggregator will come from within the REFEDS group and will only aggregate the metadata of members of the group. In this sense, the virtual organisation itself provides the trust assurances through its operation.

The more interesting point is controlling the way in which Service Providers use the aggregated metadata. Well, in the case of TERENA and Kantara I think we can have a reasonable amount of trust through the status and position of the organisations themselves. For other service providers, the simple approach is to provide ‘terms of use’ for the metadata – akin to an open source software license. Leif has described this approach on several occasions, and it seems very likely now that this will be taken forward. It is the driver behind the new focus of eduGAIN.

The long term impact of this approach will be interesting. In the short-term, I think it will only be used for lightweight applications (such as blogs and wikis) in virtual organisations – in short, the role of the geographically organised federation will not be impacted. In the longer-term, this could put an end to the need for Service Providers to join Federations. Service Provider use of the metadata will be controlled by the metadata ‘terms of use’, negating the need for the providers to join up to membership – they can consume the metadata as long as they follow the terms. It could also affect the concerns that some people have regarding the need for Federations to have strict legal liability cover – I feel that this concern has hindered the progress of interfederation agreements, and of course such a focus will always make Federations more static…and more expensive!
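The aggregation approach described above (a virtual organisation building its own metadata feed from the registered metadata of its members only, so that the membership list, not a Federation contract, is what confers trust) as an added example; this is not code from the post or from REFEDS. The entityIDs, membership list and per-federation metadata documents are constructed for illustration, and the aggregate only carries a validUntil and a Name, with no signature.

```python
# Added example (not part of the blog post): a minimal SAML metadata
# aggregator for a virtual organisation. Entities are kept only if their
# entityID is on the VO membership list; everything else a registrar
# publishes is ignored, and an entity registered in more than one
# federation is taken once, from the first feed that lists it.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed membership list of the virtual organisation (hypothetical entityIDs).
MEMBERS = {
    "https://idp.example-uni.ac.uk/idp/shibboleth",
    "https://wiki.example-vo.org/shibboleth",
}

# Constructed metadata documents, one per national federation registrar.
FEDERATION_FEEDS = {
    "fed-a": """<md:EntitiesDescriptor xmlns:md="%s">
  <md:EntityDescriptor entityID="https://idp.example-uni.ac.uk/idp/shibboleth"/>
  <md:EntityDescriptor entityID="https://idp.other-uni.ac.uk/idp/shibboleth"/>
</md:EntitiesDescriptor>""" % MD_NS,
    "fed-b": """<md:EntitiesDescriptor xmlns:md="%s">
  <md:EntityDescriptor entityID="https://wiki.example-vo.org/shibboleth"/>
  <md:EntityDescriptor entityID="https://idp.example-uni.ac.uk/idp/shibboleth"/>
</md:EntitiesDescriptor>""" % MD_NS,
}


def aggregate(feeds, members, validity_days=7):
    """Return (aggregate_xml, included_ids, skipped_ids).

    `feeds` maps a registrar name to its EntitiesDescriptor XML text;
    `members` is the set of entityIDs the VO vouches for. Non-members and
    duplicates are reported in `skipped_ids` so the operator can audit
    what was left out of the aggregate."""
    root = ET.Element("{%s}EntitiesDescriptor" % MD_NS)
    valid_until = datetime.now(timezone.utc) + timedelta(days=validity_days)
    # A short validUntil forces consumers to refresh, so a removed member
    # drops out of every Service Provider's view within `validity_days`.
    root.set("validUntil", valid_until.strftime("%Y-%m-%dT%H:%M:%SZ"))
    root.set("Name", "urn:x-vo:aggregate")  # constructed aggregate name
    included, skipped = [], []
    for xml_text in feeds.values():
        doc = ET.fromstring(xml_text)
        for ed in doc.iter("{%s}EntityDescriptor" % MD_NS):
            eid = ed.get("entityID")
            if eid not in members:
                skipped.append(eid)  # not a VO member: not trusted
            elif eid in included:
                skipped.append(eid)  # already taken from an earlier feed
            else:
                root.append(ed)
                included.append(eid)
    return ET.tostring(root, encoding="unicode"), included, skipped
```

In practice the VO would also sign the aggregate and publish the ‘terms of use’ the post mentions alongside it; both are omitted here to keep the membership filter itself visible.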

This is a fundamental change to the way that federations might operate in the future. I’ve tried to capture some of this thinking in a presentation…more to follow!

Plenary session starts at TNC2009 with a focus on the importance of communities of practice within science infrastructures. This echoes back to the discussions we had in the REFEDS meeting yesterday on the importance of allowing communities to define their identity assurance profiles – I’ve been arguing for some time that this is not something that federations should be in the business of creating as they do not represent a community of practice.

After the usual dry Geant3 stuff, we get on to the session that might explain why I am currently holding 3D glasses in my hands. Jorge Cortell from Kanteron Systems is here to talk about augmented reality – specifically in healthcare. Augmented Reality is being used in the operating room to project very specific scans on to the patient’s body. This means that a doctor knows exactly where they need to operate – saving important time when, for example, removing a difficult to locate tumor. Anchoring points are used to ensure the image is located in the correct location on the patient’s body. This is patient specific – we all have specific anatomical abnormalities. The benefits are less pain, less medication, lower risk, and lower costs.

The day seemed to start well, when we discovered that all the local bus stops in Malaga were advertising the TERENA conference – a marvellous piece of comms work!

[Image: terena-bus]

Things started to go less well when we realised there was a local bicycle race on that meant our bus was redirected – and we didn’t know where! In the end, flagging down a local taxi was the only option.

The return back to the hotel was slightly more successful, particularly when it was revealed that eduroam was available on the bus!

[Image: eduroam-bus]

A lesson for us in the UK – we are struggling to get eduroam live in the JISC London Office…maybe we can hire the Malaga Bus Authorities to do the job for us?

As you may know, I have struggled for some time with the concept of user-centric identity. To be very upfront, I don’t think that institutionally managed access and identity management is the answer to everything and I do think that it will improve, move forward and tie in with processes used elsewhere by users in a more effective way. I have just struggled a bit with user-centric. What exactly do we mean by user-centric?

Whilst at the eduserv symposium last week, I accidentally managed to provide some clarity to my addled brain with two accidental comments. At lunch, I was talking to Nate Klingenstein about Facebook Connect and Facebook interaction with OpenID and Nate talked about his ‘Facebook identifier’. I quickly piped up – “but Nate, there is no such thing as a Facebook identifier”. Now I don’t know the ins and outs of the Facebook system and I am sure they may very well have their own unique identifier for users in there somewhere, but as a user, my unique identifier within Facebook is my e-mail address. In my case, one of a couple of hotmail addresses that I hold. I also commented during the symposium that I was disappointed that the Facebook implementation of OpenID did not allow a user to register with OpenID…you still have to register with an e-mail address. In this instance Facebook are not really implementing OpenID as a true alternative for users – but simply aggregating their identity and access controls with an OpenID. My OpenID becomes an attribute held by Facebook.

This also got me thinking about domains and identity. I am very used to the concept of identifiers being associated with domains – this is exactly how the UK federation and its attribute sets work. With OpenID my identity is also connected to a domain and my identifier is expressed as part of one. I got myself in an interesting muddle when talking about OpenID during the symposium when I referred to ‘your management and your ability to be trusted’ – meaning “you the domain owner”. Many people took this to mean “you the user”. This led to an interesting question about users who actually own and manage their domain and create an OpenID as part of this domain that is independent from any other OpenID provider…and perhaps more trustworthy because user-MANAGED and truly user-centric. Unfortunately affording your own (sensible) domain name and managing your own OpenID in this way is beyond most of us!

So where am I going with all this? I think it might be sensible if we stopped talking about institution-centric and user-centric identity management. This implies that things like Google IDs, Twitter IDs or even OpenIDs are more “user-centric” than an institutional identifier. They aren’t – they are all related to a specific domain and at the moment if you want to have access to services within that domain, you have to have one. I think this is still true of most OpenID providers…you still have to choose someone’s domain. You sign up for an institutional ID when you register at an institution in the same way as you sign up for a Twitter ID by, erm, signing up!

I think it might be better if we started talking about a User’s Preferred Domain (UPD) for access and identity management. I get JISC-points for creating a TLA (Three Letter Acronym) and it is also wonderfully perverse in its inaccuracy like the ubiquitous ‘pin number’ (small things like this please me). I get to elect a UPD where my identity is managed. This might be my institution, it might be hotmail, it might be Facebook, it might be OpenID, it might be Twitter. I then get to link all my other identities to this UPD using identity management tools such as CardSpace and its related developments. This is where the user-centricity comes in…in the ability to use the management tools effectively and not in the actual process of assigning an identifier. It is also inclusive of what we currently term ‘institution-centric’ identity management – which in itself can still have user-centric management tools in a layer above the identity store. Authorisation is also possible based on the various assurances that can be provided by each of my presented domains.

This is not radical new thinking in the identity management space (sorry, not that clever) but is attempting to break down the myth that institution-centric identity is somehow different and comparable to processes that have been termed user-centric identity. It’s all domain-centric, it’s all domain-managed…we just need to work out how to better enable the user-management within these domains, and provide better user-management across these domains.