14:59:58 RRSAgent has joined #swxg 14:59:58 logging to http://www.w3.org/2010/06/09-swxg-irc 15:00:00 RRSAgent, make logs world 15:00:00 Zakim has joined #swxg 15:00:02 Zakim, this will be 7994 15:00:02 ok, trackbot; I see INC_SWXG()11:00AM scheduled to start now 15:00:03 Meeting: Social Web Incubator Group Teleconference 15:00:03 Date: 09 June 2010 15:00:45 INC_SWXG()11:00AM has now started 15:00:52 +OpenLink_Software 15:01:06 Zakim, OpenLink_Software is temporarily me 15:01:06 +MacTed; got it 15:01:41 zakim, call thomas-781 15:01:41 ok, tlr; the call is being made 15:01:46 +Thomas 15:01:46 Zakim, mute me 15:01:48 + +1.781.416.aaaa 15:01:52 MacTed should now be muted 15:02:39 + +1.218.296.aabb 15:02:41 paul, is that 416 number you? 15:03:14 - +1.218.296.aabb 15:03:23 rreck has joined #SWXG 15:03:33 I'm on a 781 number 15:03:46 781.416...? 15:03:52 are we meeting? 15:04:12 me too 15:04:23 Zakim, aaaa is paul 15:04:23 +paul; got it 15:04:45 + +1.218.296.aacc 15:04:48 i'm having trouble geting in too 15:04:55 the UK and FR lines seem to have issues, yes 15:04:56 zakim, +1.218.296.aacc is me 15:04:56 +rreck; got it 15:05:00 zakim, mute me 15:05:00 rreck should now be muted 15:05:08 afk 15:05:33 +[IPcaller] 15:05:48 Zakim, [IPcaller] is hhalpin 15:05:48 +hhalpin; got it 15:06:10 Chair: hhalpin 15:06:17 Zakim, pick a scribe? 15:06:17 I don't understand your question, hhalpin. 15:06:19 Zakim, pick a scribe 15:06:19 Not knowing who is chairing or who scribed recently, I propose hhalpin 15:06:23 Zakim, pick a scribe 15:06:23 Not knowing who is chairing or who scribed recently, I propose Thomas 15:06:28 Zakim, pick a scribe 15:06:28 Not knowing who is chairing or who scribed recently, I propose paul 15:06:31 Zakim, pick a scribe 15:06:31 Not knowing who is chairing or who scribed recently, I propose Thomas 15:06:32 +[IPcaller] 15:06:39 zakim, [IPcaller] is danbri 15:06:39 +danbri; got it 15:06:41 Mischa - can you scribe? 15:06:48 oshani has joined #swxg 15:06:56 zakim, who is on the phone? 15:06:56 On the phone I see MacTed (muted), paul, Thomas, rreck (muted), hhalpin, danbri 15:07:00 Zakim, pick a scribe? 15:07:00 I don't understand your question, hhalpin. 15:07:04 scribe: danbri 15:07:13 Zakim, who's on the phone 15:07:13 I don't understand 'who's on the phone', hhalpin 15:07:17 +MIT531 15:07:20 Zakim, who's on the phone? 15:07:21 On the phone I see MacTed (muted), paul, Thomas, rreck (muted), hhalpin, danbri, MIT531 15:07:34 is the log loggering? 15:07:35 PROPOSED: to approve minutes from June 2nd meeting. 15:07:41 rrsagent, pointer? 15:07:41 See http://www.w3.org/2010/06/09-swxg-irc#T15-07-41 15:07:42 http://www.w3.org/2010/06/02-swxg-minutes.html 15:07:51 +1 15:07:55 +1 15:07:59 RESOLVED: approved minutes from June 2nd meeting 15:08:22 danbri regrets for next week (Notube f2f project meeting) 15:08:31 Next Meeting: Distributed access control languages for privacy providers, MIT on AIR and PrimeLife on XACML 15:08:42 topic: final report updates 15:08:46 agenda: http://lists.w3.org/Archives/Public/public-xg-socialweb/2010Jun/0010.html 15:08:57 hhalpin: run-thru of final report actions 15:09:02 ... we had several regrets 15:09:16 ... mischa started an etherpad draft 15:09:19 melvster: share etherpad with the rest of the group? 15:09:31 one sec 15:09:35 just dailing in 15:09:37 sure! 15:09:40 + +1.510.931.aadd 15:09:49 *work in progress* http://openetherpad.org/Ea4YsoZGeU 15:10:02 hhalpin: i didn't make muh progress on gap analysis 15:10:08 any prog on use cases? 15:10:16 http://openetherpad.org/Ea4YsoZGeU 15:10:24 (i dropped some messy notes into etherpad but not done much yet) 15:10:33 topic: Paul Trethevick on the State of Digital Identity 15:10:48 (welcome Paul...) 15:11:00 http://www.slideshare.net/ptrevithick/swxg-201069 15:11:00 ok i won't scribe things that are in the slides 15:11:06 +??P24 15:11:07 http://www.slideshare.net/ptrevithick/active-clients-and-pd-ses-4452852 15:11:10 who joined? 15:11:13 zakim, ??P24 is me 15:11:13 +melvster; got it 15:11:14 Paul, do you wish to begin? 15:11:14 zakim, who is on the phone? 15:11:14 On the phone I see MacTed (muted), paul, Thomas, rreck (muted), hhalpin, danbri, oshani, +1.510.931.aadd, melvster 15:11:38 Paul: Harry asked for a few thoughts on state of Identity industry. Hard challenge! 15:11:53 So we are on first slide-deck, i.e. http://www.slideshare.net/ptrevithick/swxg-201069 15:12:01 ... identity hard problem as perceived differently in different communities 15:12:25 bblfish has joined #swxg 15:12:28 ...language varies by community; it 'obviously' means x to some, something quite different / richer to others 15:12:32 hi 15:12:40 ... some call that more advanced form 'claims based' identity 15:12:51 ...you don't necessarily need to identify a person to haev an interaction 15:12:59 ... some see authorisation as primal, identification as secondary 15:13:07 bblfish: http://www.slideshare.net/ptrevithick/swxg-201069 15:13:09 ... most of us tend to drop the word entirely due to these kinds of confusion 15:13:43 ... i was looking yesterday at privacy aware Web definitions, use of 'publisher', ... have to get over these kinds of terminological problems 15:13:52 ... - requirements vary by community 15:14:09 ... idea that different people are trying to solve slightly different problems 15:14:15 ... why do we look at this so differently? 15:14:22 ... idea of levels of assurance, eg. NIST's 4 levels 15:14:34 ... how much can relying party depend on strength of some assertions 15:14:40 ... some need levels of assurance > 1 15:15:20 (hmm this? http://en.wikipedia.org/wiki/Identity_Assurance_Framework#Assurance_Level_Criteria ) 15:15:33 NIST levels are interesting... 15:15:34 ... challenge here , some feel that anything > 1 is irrelevant, uninteresting 15:15:47 ... that perspective driven by high volume, low value social web transactions 15:16:00 ...those on higher level (payment, govt) sometimes feel like 'long tail' cornercases 15:16:00 . 15:16:07 but the high-volume transactions can eventually get need higher NIST level, i.e. binding payment to your social networking account ala Payswarm 15:16:12 .. also eg yesterday talked w/ natioanl cancer institute re sharing medical records 15:16:26 - +1.510.931.aadd 15:16:26 ...also Verified vs self-asserted attributes 15:16:32 .. much socialweb stuff is just asserted by end users 15:16:55 ... other scenarios (reputation systems, payment systems), ... some people / communities will look at these requirements and say 'no thanks' 15:17:22 ... eg. equifax can issue 'bearer of assertion is > 21 years old' (but we'll reveal nothing else about them) 15:17:41 ... a lot of probs around protecting children are around lack of verified 3rd party assertions of attributes 15:17:53 ...also req: need to aggregate from multiple different providers 15:18:02 ... for high volume / simple sites, this isn't a problem 15:18:16 ... other use cases, you distinguish even from an ID provider and an attribute provider 15:18:24 attribute provider/identity provider an interesting distinction. 15:18:27 ... you can not have to keep authenticating but can aggregate attribs [missed] 15:18:37 [slide 5 now on slideshare] 15:18:40 ... linkability 15:19:04 ... this makes perfect sense to some, but too much for others [see kim camerons laws of id ... re deployable systems] 15:19:19 ... you can agree / disagree, but this is the landscape of [lack of ] consensus 15:19:37 "Some uses cases require high assurance and unlinkability (and sometimes even offline presentation of security tokens)." 15:20:17 submarine example; disconnected from 'net but need to auth things internally 15:20:24 ... a lot of discussion lately re levels of protection 15:20:28 ... converse of levels of assurance 15:20:38 ... coudl we could to a world where use is a party to digitally signed contract 15:20:49 ... it's released to relying party, but the rp is bound not to resell 15:21:08 ... for that to be non-repudiable, need ... [missed detail, sorry] 15:21:12 + +1.510.931.aaee 15:21:18 ... concern that lately too much emphasis on crypto 15:21:29 .. some control, but also more on accountability, in everyday life 15:21:35 zakim aaee is bblfish 15:21:42 zakim, aaee is bblfish 15:21:42 +bblfish; got it 15:21:46 ... so there are only prototypes of tech currently that can handle this 15:21:58 ... again these are just examples of why this [consensus] is hard 15:22:06 ...hard to build something universal, addressing all requirements 15:22:24 ... ie. this talk might be considered something of an apology for lack of progress given the energy/effort 15:22:28 no apologies needed paul, there is clearly progress being made and the problem is hard! 15:22:31 ... several community 15:22:37 Identity Commons (2005) http://idcommons.net 15:22:52 AnitaD has joined #swxg 15:23:02 ... distinguishing open / user centric id folk from enterprise / proprietary world (of which i know little) 15:23:09 IIW is the (intense, 3 day) hub of this world 15:23:17 ... OpenID Foundation (2007) http://openid.net 15:23:25 + +049172247aaff 15:23:33 [ is http://community.livejournal.com/lj_dev/683939.html the 1st openid spec btw?] 15:23:43 ... internal competition within openid now 15:23:52 ... different groups, perceive problem sets differently 15:24:13 ...Qs: what is the openid foundation? a broad church or an advocacy org for one particiular protocol? 15:24:24 dataportability? DataPortability.org (2007) 15:24:29 ... struck a nerve re user control 15:24:34 Information Card Foundation (2008) http://informationcard.net 15:24:46 ... began around ms cardspace and oasis IMI, ... 15:24:57 ..."Next generation: Integrated with the browser. Consistent UX across protocols including: un/pw, OpenID (to reduce phishing), IMI (legacy), and OpenID V.Next, client side certs (perhaps)?" 15:25:02 ...that foundation also at a crossroads 15:25:08 ... is more emphasising active clients 15:25:31 ... found some issues w/ active clients 15:25:41 esp requiring a download, and insisting on a single unifying protocol 15:25:51 ... soul-searching and next gen work 15:25:56 ... moving beyond single protocol 15:25:59 makign it 'better with' 15:26:15 "Kantara (2009) - http://kantarainitiative.org 15:26:19 ... kinda interesting 15:26:31 ... analysis coupleyears ago, interviewed rigorously many from ID scene 15:26:33 ... under NDA 15:26:42 ... to make a new org 15:26:53 ... they [we] concluded that we have moved into a cross-protocol era 15:27:02 ... needed a pulling together of a number of these disperate communities 15:27:10 ... was then the old liberty alliance, saml work 15:27:19 ... which was a response to hailstorm/passport 15:27:26 ... also openid appeared 15:27:31 ... 3 tech groups appeared 15:27:37 ... to some extent it's an unrealised objective 15:27:41 ... strategically it's right 15:27:57 q+ to ask how messy patent situation is (what is feasible royalty-free?) 15:28:18 ... Kantara replaced liberty alliance 15:28:27 ... and working on some crosscutting stuff 15:28:42 ( also new ones this year ) 15:29:03 a joint board, infocard and openid(?) 15:29:09 q+ to ask about browser integration and w3c 15:29:11 ... discussion of what's missing, usability vs specs 15:29:30 ... role of biz agreements that allocate liability 15:29:34 ... joint sales efforts 15:29:53 ... obama team wanted to open govt up and use commercial ids from industry 15:29:58 ... catalytic effect 15:30:13 ...govt said we like openid, but want also stronger assurances, info card stuff, ... but hey we're just a customer,... 15:30:25 ... big enough that got attention of those 2 foundations, who self-organized and stopped quibbling 15:30:30 ... in some way stopped competing a bit 15:31:04 ... united front to the federal govt, and said 'whichever, we see the fed govt won't enter into commercial relationships w/ for example paypal, yahoo, google, whoever... unless there are certifiable properties, privacy characteristics, audits, ... 15:31:08 ... understand liability, ... 15:31:18 ... caused spontaneous creation of the Open Identity Exchange 15:31:21 (OIX?) 15:31:29 ... so they joined forces to form that 15:31:44 ack danbri 15:31:44 danbri, you wanted to ask how messy patent situation is (what is feasible royalty-free?) 15:32:08 q+ to ask how messy patent situation is (what is feasible royalty-free?) 15:32:12 (patent talk later) 15:32:17 q+ danbri 15:32:30 kantara and others ... corporate sponsors, + leadership council 15:32:32 (i missed some detail) 15:32:48 likes the community members and corporate sponsor model, maybe that could work for the w3c 15:32:50 oidf and icf ,... same governance model, blender board, 1 member one vote, community members outweigh 15:33:06 ... re participartion, indivs and companies can join, but $100 for an indiv, in some cases $25 15:33:18 ... in terms of how openly they operate, that could be debated 15:33:23 .. theoretically, all open to all 15:33:41 ... but strong interpersonal relationships and personalities are in many cases the driver of what happens than the formal structures 15:33:46 ... has to be seen to be believed 15:33:55 ... this is not something like w3c or oasis 15:34:07 ... kantara is most formal/structure, icf more, openid foundation 15:34:28 they all have public archived mailing lists 15:34:34 all 3 have private board lists 15:34:44 vast majority of everything is public 15:35:03 last one, Xauth, is interesting --- 15:35:14 --- it's a way to personalise the login situation 15:35:28 ... if oyu only have an unmodified browser, you show up with a fresh browser it can't be customised 15:35:36 (forgetting the CSS History hack :) 15:35:50 ... school of thought that says 'browsers don't know who you are ... 15:35:59 ... nor who your preferred attribute/identity providers are 15:36:08 ... hence the 'nascar problem', long list of logos 15:36:13 ... so a tyranny of the mega-brands 15:36:22 ... so relying parties put facebook/google/yahoo at the top 15:36:32 ... which has a somewhat perverse effect 15:36:50 ... xauth says with html5 and some tricks, we can hack a way for the relying party to learn what someone's prefs are 15:36:55 ... shorter list 15:37:17 ... these are ways to work around an architectural problem 15:37:25 ... which is that browsers don't know who you are 15:37:38 ..slide 7 http://www.slideshare.net/ptrevithick/swxg-201069 15:37:46 ... openid 2.0 (legacy openid) 15:37:51 50k sites and growing, relying parties 15:37:56 ... q is where we go from here 15:38:02 openid has a number of problems 15:38:08 3 key 15:38:31 1 - OpenID-AB [Attribute Binding] - http://bitbucket.org/openid/ab/wiki/Home 15:38:35 Proposed by Nat Sakamura and others in early 2009 15:38:40 ... has not had much attention yet 15:38:49 2 - OpenID V.Next 15:39:02 (discussed last fall and this spring at IIW) 15:39:08 v.Next codename for whatever appens 15:39:28 in May, OpenID Connect proposal from David Recordon (and social Web friends) 15:39:32 all these 3 are breaking changes 15:39:39 not backwards compatible 15:39:48 ... I don't yet see how this is going to get resolved 15:39:59 ... openid connect is 'get a spec out there ... let's just do it!' 15:40:04 ... caught some ppl by suprise 15:40:12 ... openid community is trying to figure out a way fwd thru all this 15:40:22 ... I hope the earlier slides set some context for this 15:40:33 ... and difficulty in agreeing even common requirements 15:40:36 Slide 9 - 15:40:40 personal opinion - 15:40:45 ... we can't stop creation of new protocols 15:40:49 ... open, etc 15:40:55 ... what happens a lot is much reinvention 15:41:03 ... come up with stuff, don't see what came before 15:41:16 ... do something quick/dirty that solves some problems now 15:41:20 ...then start making it more robust 15:41:30 ... realise it isn't 80% solution, but 45%, ... 15:41:33 ... then someone new jumps in 15:41:40 ... natural cycle of reinvention 15:41:53 ... yesterday/last-night investigating webid [ie. foaf+ssl] 15:41:59 I'd say WebId being based on the semweb, in one protocol that can then bind all of them together.... One can bind in OpenId for example. (not sure about the others) 15:42:02 ... looks like it would solve some fraction of use cases, has nice characteristics 15:42:08 .... but partial solution 15:42:23 ... not clear how much things will converge 15:42:40 ... or how much analogy with email, where Internet email eventually dominated 15:43:16 ... i note that whenever we build something new that gets used, ... it is out there and not going away 15:43:27 ... and that username + password could easily stay dominant for 10+ more years 15:43:33 ... we have learned things 15:43:36 ... users don't care 15:43:42 ... they want something that makes sense to them 15:43:46 ... ux is the key to them 15:44:18 ... if you go to an RP and say 'this is great tech, saml no infocard no openid no ...." the RP will say "well, we have to support at least username/ password .. and i'll have to link the accounts ... 15:44:26 (note on above there is work integrating WebID with SAML in Machester, with SOAP in University of Southampton...) 15:44:26 ... so the RPs live in a necessarily multi-protocol world 15:44:34 but our communities don't organize in those terms 15:44:40 ... eg create a common apache module 15:44:46 ... this is a structural problem 15:44:51 [ very interesting! --danbri ] 15:45:06 ... communities eventually say 'oh we have overlap, need to blend things ... ' 15:45:21 tlr has joined #swxg 15:45:21 ... attempts to say 'here is an active client, eg. ms cardspace '. ... it just didn't work 15:45:36 ... to use the solution, you needed 'this thing', the right version with your OS, download it if needed, need to be on windows, etc etc 15:45:46 ... so the idea that active clients needed for system to work ... a nonstarterr 15:46:08 ... always this locked down enterprise computer, library kiosk, ... person can't install plugin, upgrade a pc, etc ... 15:46:18 ... so lately active client ppl have a 'better with' approach 15:46:32 q? 15:46:47 ... ie. it works normally but is 'better with' the addon (whether an ng-browser, or addon) 15:47:10 ... ppl look at 'open identity community' and they see a swirling churning mess of people putting down each other's stuff, partial penetration, etc 15:47:19 ... and they say 'ok, let's wait for this catfight to calm down' 15:47:38 ... status quo, is do nothing, use a proprietary thing, if username/password don't do it 15:47:50 ... with 1 exception: facebook connect, picking up a lot of use across Web 15:47:57 ... they have an id tech plus attributes 15:48:18 ... last pt: the identity community, with all these nonprofits, is not structurally in a good place to solve needs of the marketplace 15:48:27 ... couple of specific points re socialweb 15:48:33 ... identifiers and user experience 15:48:36 ... my perception 15:48:43 ... in beginning, was 'type in your openid URI' 15:48:53 ... rough consensus: not working 15:48:59 ... they understand it only as for pages/info 15:49:02 ... doesn't work on ppl 15:49:07 ... they understand email addresses 15:49:12 dsearls2 has joined #SWXG 15:49:13 ... so openid said 'click on a button' 15:49:21 .... but measured results were higher conversion rates 15:49:29 Hey Dan, all. It's Doc. 15:49:32 ... with benefit to those at top of list 15:49:42 rrsagent, pointer? 15:49:42 See http://www.w3.org/2010/06/09-swxg-irc#T15-49-42 15:49:52 see link for logs, doc 15:49:58 ok 15:49:59 paul: 'people get that, re use of email 15:50:12 .... end-user re-education is a huge issue 15:50:25 ... and now with xauth we can personalise the nascar icon list to something more manageable 15:50:30 ... best we can do short of active client 15:50:32 ... slide 12: 15:50:42 dsearls2, here's the slides: http://www.slideshare.net/ptrevithick/swxg-201069 15:50:44 attribute schemes 15:50:51 ... there are so many of these things, so much overlap, ... 15:50:57 -bblfish 15:51:12 ... if you start taking view from biz point of view, that relying party is key ,... you want that to be easy as possible 15:51:20 too many schemas makes RP's life hard 15:51:38 q? 15:51:45 ack danbri 15:51:45 danbri, you wanted to ask how messy patent situation is (what is feasible royalty-free?) and to 15:51:47 [other deck] 15:51:53 can you scribe harry? 15:51:58 thanks for your presentation, it was very informative 15:52:20 scribenick: hhalpin 15:52:29 danbri: any patents in identity scene? 15:52:32 +bblfish 15:52:34 ... any idea how messy situation is? 15:52:48 paul: it doesnt get talked about that much 15:52:56 ... varies by organization depending on struture 15:53:05 bblfish_ has joined #swxg 15:53:08 ... we try in ICF and Kantara to have IPR rules 15:53:19 (w3c history - eg see http://www.w3.org/TR/P3P-analysis ) 15:53:19 ... we can tell that things happen just willy nilly 15:53:47 ... not developed in a structure and not necessarily ideal 15:53:49 q+ to ask whether Paul sees any chance for the identity work to move into less willy-nilly space, eventually 15:53:51 ... pretty confusing to me 15:54:10 ... hard to know whats lurking out there, esp. with OpenID 15:54:18 danbri: if we wanted to get something in all the browsers 15:54:25 ... could we get those vendors to commit to RF-status? 15:54:34 paul: I work in this Eclipse Higgins project 15:54:46 ... so our patent reviews are pretty good 15:54:57 ... an explicit license is being given to contribution 15:55:21 danbri: relevant specification, go back to paper trail to see how the W3C developed its patent policy 15:55:29 paul: not sure re specs 15:55:36 scribenick: danbri 15:55:53 q? 15:55:55 paul: awesome job 15:55:57 ?q 15:56:02 q+ bblfish_ 15:56:07 heh 15:56:08 ack tlr 15:56:08 tlr, you wanted to ask whether Paul sees any chance for the identity work to move into less willy-nilly space, eventually 15:56:20 tlr: thx for the talk, paul 15:56:30 ... in your answer to danbri's impossible q, you sounded mildly frustrated 15:56:36 ... re work happening in a 'willy nilly' way 15:56:45 ... see any chance for that to fix itself over time? 15:57:07 paul: for full disclosure, ... there is a project 'bingo' towards consolidating a number of these efforts, back into a more structured but broad church 15:57:19 ...where the church is about consistent messaging/marketing/ipr, not tech 15:57:39 ... my personal bias is that we would do better to come up with a broad base consolidating a number of these 15:57:45 Think big tent instead of church. 15:58:02 ... but saying that i can hear friends of mine like dave recordon, chris messina, saying 'we can just hack it...' 15:58:11 ... but when the recession came, they took jobs at big companies 15:58:25 ... so now when they say it you have to consider the source, they work for google, yahoo, facebook etc 15:58:38 Hey, I am unemployed now! 15:58:40 Dave works for a different big co every year. 15:58:43 so you can trust me :-) 15:58:50 ... you always have to figure out what's personal view, and what [ not wanting to say something unfair here ] ... looking at openid connect, ... 15:59:22 ... could be perceived as a retrospective stdisation of fb connect 15:59:25 theres also Google FriendConnect 15:59:28 i.e. FriendSense :) 16:00:07 ... some aren't so concerned for the crypto 16:00:13 ... and oauth hardcodes rather a lot 16:00:21 ... so i'm somewhat at a loss to predict what'll happen 16:00:36 q? 16:00:41