Johannes Ernst’s Blog

The Reference Check Model and the Recommendation Letter Model for Identity

Having grown up in Germany and living in the US, I continue to be intrigued (amused?) by the differences in the way things are done in these still relatively close cultures. (Bhutan anyone? But I digress.) One of the differences is when applying for a job:

In Germany, you typically get (or at least try to get) letters of recommendation from your old employer, satisfied customers etc. You then take those letters (or don’t, if you don’t like what they say) to your prospective new employer and present them to bolster your claims about your talents.

In the US, or at least in Silicon Valley, the prospective new employer asks you for references, such as your old boss at your old employer. The prospective new employer then contacts your references, and also often other people who know you but whom you did not specify as reference, and asks them whatever the prospective new employer feels like asking.

The goal is the same: to increase the prospective new employer’s confidence that the impression you made is consistent with the impressions of others who have known you for longer than the prospective new employer has. But these two approaches have made different trade-offs:

In the Recommendation Letter model, you, the prospective employee, are in full control of the information that you present to your prospective new employer. The disadvantage is that the new employer will have no way of ever obtaining negative information about you (in fact, if I recall correctly, you can get sued as an employer in Germany if you write a too-negative letter; in response, an entire new sublanguage has developed among Human Resources professionals through which they say negative things without the use of any negative words; quite an accomplishment). As the employee, this may please you a lot, but it leaves a lot of employers unhappy because they only get part of the picture about you.

In the Reference Check Model, the employer can get as much information as they like; however, the employee has no control over, and often no knowledge of, the information exchanged in the conversations between the prospective new employer and the references. That’s clearly less privacy-protecting.

No, I’m not writing this because I’m looking for a job ;-) we’re plenty busy at NetMesh these days. I’m writing this because both of these data flows are valid models for accessing the knowledge that third parties may have about an entity. The constellation of entities in the hiring scenario is exactly the same as the constellation at the heart of many digital identity scenarios: a Relying Party (the prospective new employer) wishing to obtain third-party information, aka claims, about a User (the employee).

When putting digital identity technologies in place, we have the same choice to make: either all third-party information about the user has to flow through the user (the Recommendation Letter Model), or some of the third-party information flows through channels other than the user (the Reference Check Model). And just as there are at least these two models for hiring a new employee, chances are that there are at least the same two models for digital identity. Let’s keep this in mind before we get too zealous arguing that it always must be one of those two and never the other…

Side note: the attack vectors are also different: forging of a Recommendation Letter, vs. impersonation of a reference.
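To make the two data flows and their differing attack vectors concrete, here is an added Python sketch (not code from the original post or from NetMesh). It assumes constructed issuer keys and a constructed reference database; an HMAC with a key shared between issuer and relying party stands in for the issuer’s public-key signature, which is a simplification.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed demo key; a real issuer would sign with a private key and the
# relying party (RP) would verify with the matching public key.
ISSUER_KEYS = {"former-employer.example": b"constructed-issuer-key"}

# Recommendation Letter model: the issuer signs a claim set and hands it to the
# user, who decides whether to present it to the RP at all.
def issue_letter(issuer: str, subject: str, claims: dict) -> dict:
    payload = json.dumps({"iss": issuer, "sub": subject, "claims": claims},
                         sort_keys=True)
    sig = hmac.new(ISSUER_KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

# The RP only ever learns what is in the letters the user chose to present; its
# job is to detect a forged or altered letter, the attack vector of this model.
def verify_letter(letter: dict) -> Optional[dict]:
    body = json.loads(letter["payload"])
    key = ISSUER_KEYS.get(body.get("iss"))
    if key is None:
        return None  # unknown issuer: the RP cannot check the signature
    expected = hmac.new(key, letter["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, letter["sig"]):
        return None  # forged or tampered letter is rejected
    return body

# Reference Check model: the RP asks the reference directly, bypassing the user.
# Constructed database; "rehire" is information the user might never present.
REFERENCE_DB = {"former-employer.example": {"alice": {"role": "engineer", "rehire": False}}}

# The RP resolves the reference from its own directory, never from an address
# the applicant supplies. That is the defence against impersonation of a
# reference, the attack vector of this model.
TRUSTED_REFERENCES = {
    "former-employer.example": lambda subject: REFERENCE_DB["former-employer.example"].get(subject),
}

def reference_check(issuer: str, subject: str) -> Optional[dict]:
    endpoint = TRUSTED_REFERENCES.get(issuer)
    if endpoint is None:
        return None  # refuse any reference the RP cannot authenticate
    return endpoint(subject)
```

Note that in the first model the user sees and gates every claim, while in the second the RP obtains the `rehire` flag without the user being in the loop, which is exactly the privacy trade-off the two models make.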

Kim: No one-fits-all in identity

I’m very happy to hear this from Kim Cameron at Microsoft today:

We don’t live in a one-size-fits-all world. Identity involves different - and even contradictory - use cases. Rather than some monolithic answer, we need a metasystem in which the cost (in complexity or money) of using identity is proportional to the value of the asset being protected. OpenID cannot replace crypto-based approaches in which there are trusted authorities rather than trusted web pages. But it can add a whole new dimension, and bring the “long tail” of web sites into the identity fabric.

While I’d quibble with him about how far OpenID can go, anybody who’s heard me speak or has read this blog over some period of time knows that I very much agree with the sentiment: many people have invented (and deployed!) really interesting and useful technologies in this industry, and it simply would be disingenuous for anybody to claim that any one such approach meets all requirements, both technical and economic. Fortunately, while such claims were fairly common a year ago, more and more people are coming around to the same idea.

He goes on to mention the intriguing possibility that the WS-based stack of protocols, the SAML-based protocols and the OpenID-based protocols could merge. Which, of course, has been the whole idea behind an Open Source Identity System, an effort co-initiated by Microsoft and now involving most large technology vendors and a host of startups (including NetMesh). I assume that he means merge-by-plugging rather than merge-by-requiring-all-of-them-simultaneously, so that everything and everybody can focus on what they are best at (technically and economically) while getting interoperability all the same.

Thanks, VeriSign

Came across this credit on the about page of the VeriSign Personal Identity Provider website:

[screen shot]

Thank you!

Summary of Bill Gates’ Talk on OpenID and CardSpace Today

Here is a summary of what Bill Gates said about OpenID and CardSpace at his RSA conference keynote. (Thanks to Mike Jones, who took these notes and let me publish them):

  • Slide: Evolution of Identity: Making the Vision Real (with picture of two cards in hands)
  • People are used to choosing what credential to use where for what purpose (talking about cards in our wallets)
  • We use a variety of physical tokens to represent these things
  • CardSpace creates a vehicle to allow people to have a GUI for credentials that represent their identities or personas in particular situations
  • Each thing in the physical world conveys a particular set of information and discloses just enough information
  • CardSpace provides a drag & drop interface for identity
  • People will have to acclimate to it
  • People can create their own credentials and others can give you credentials
  • The system reasons about what the right credential is for you to simplify things for users
  • WS-* hints about what credentials are being looked for
  • CardSpace shows candidates for credentials

Then they segued to the OpenID collaboration announcement:

  • Issues of reputation and trust are foundational on the Internet
  • Different levels of trust are needed in different contexts, such as blogs and access to enterprise resources
  • People have been thinking about issues of trust
  • OpenID 2.0 is doing this in the blog / Web 2.0 world, others are coming at this from the enterprise space
  • We see these approaches as being complementary
  • “Today we are announcing that we are supporting OpenID 2.0 and that they’re extending what they’ve done to enable the use of strong credentials”
  • They’re doing this because they see that it solves problems and attacks that a pure password approach has
  • We’re excited about this marriage of CardSpace and Web 2.0
  • This will help eliminate the possibility of man-in-the-middle attacks
  • CardSpace is built on our work on the WS-* specifications
  • OpenID will be endorsing the CardSpace marriage later today
  • We see this as a very smooth continuum with a common GUI metaphor

Wow, how far a little identity URL can go!

The OpenID Foundation

As OpenID grows, some form of governance structure is required. After many months of discussion, our collective plans for the creation of the OpenID Foundation were announced today to the OpenID-general mailing list.

Here is the announcement:

OpenID’s growing popularity over the past few months brings two pain points to light:

  1. A clear home for the intellectual property, trademark, and infrastructure (hosting, legal, marketing).
  2. A good open way for people to organize joint marketing efforts for OpenID.

Hosting is largely resolved through the generous support of the OSU Open Source Labs. The vendors in the bounty program have also worked together on presentations, articles, and community conference calls every few weeks, though it is evident that we need to organize for a broader effort. Amsoft, Cordance, JanRain, NetMesh, ooTao, Opinity, Six Apart, Sxip and VeriSign started working on these issues recently, looking for possible solutions.

We propose forming an OpenID Foundation (US 501(c)3 non-profit) as a very good way to proceed. This approach would provide:

  1. One home for all the IPR.
  2. A formal way to engage lawyers and other services on behalf of the OpenID community.
  3. A mechanism to provide and maintain hosting infrastructure for the OpenID community.
  4. The ability to do inclusive joint marketing efforts in collaboration with the wide OpenID community.

The idea is to formally commit to doing everything with the support of this community and we very much want your feedback.

Attached is a draft of the charter for the OpenID Foundation. We hope the charter expresses the vision and purpose of the OIDF, along with the responsibilities, governance, and management in a clear, cohesive fashion. Next is developing the bylaws and working with a legal firm in Portland, OR which has previously guided the legal formation of the OSDL and Wi-Max Forum.

From these companies in the OpenID community, the following individuals have agreed to serve as the initial board for the foundation:

  • Artur Bergman (Six Apart, abergman@removed-you-know-where.com, San Francisco CA USA)
  • David Recordon (VeriSign, drecordon@removed-you-know-where.com, San Francisco CA USA)
  • Dick Hardt (Sxip Identity, dick@removed-you-know-where.com, Vancouver BC Canada)
  • Drummond Reed (Cordance, drummond.reed@removed-you-know-where.net, Seattle WA USA)
  • Johannes Ernst (NetMesh, jernst@removed-you-know-where.us, Sunnyvale CA USA)
  • Martin Atkins (independent, mart@removed-you-know-where.co.uk, Essex England UK)
  • Scott Kveton (JanRain, scott@removed-you-know-where.com, Portland OR USA)

Bill Washburn has also graciously agreed to help us through this process due to his vast experience with organizations like this in the past.

We feel certain these individuals understand OpenID’s roots, well represent the various integral parts of the larger OpenID community, share a strong vision for moving OpenID forward, and will serve with integrity as individuals while transparently representing the needs and values of their respective companies.

So, before we go any further, we want to bring you up to date and make sure that:

  1. We’re on a good track.
  2. This organization will actually be useful and productive.
  3. We’re doing this with sufficient clarity and in a transparent fashion.

Please also feel free to ask questions, I’m sure there are things we’ve missed that we’ve either not thought about or have just forgotten to write down.

(Signed)

–David
–Artur
–Bill
–Dick
–Drummond
–Johannes
–Martin
–Scott

(No link because the mailing list archive seems to have truncated the post there...)

Of course, I’m very happy to serve as a member of the initial board of directors, and promise to conduct my work there in the most constructive manner for the benefit of the entire community. This is not always easy, as the difficulties in creating this organization in the first place have shown, but I believe that we all in this community ultimately win or fail together, and that understanding is definitely taking root.

One of my first priorities is getting the principles articulated that the OpenID community and the Foundation Board work under, such as meritocracy, open process on all levels, etc.

As board member, I definitely want to have an open-door policy. Please send all questions, concerns, suggestions that you might have to make the OpenID Foundation work for you. Thank you!