Johannes Ernst’s Blog

Microsoft turning the LDAP directory into a Graph Database?

Just finished watching Kim Cameron’s talk at the recent Microsoft Professional Developers Conference. A bit of a surprise that talk of WS-* has largely disappeared in favor of much about REST.

But the most interesting part, for me, was at the end, when Gert Drapers (Principal Architect, Identity and Access Platform), gave a demo on future directions for Microsoft’s LDAP directory. Kim called it “two orders of magnitude simpler” (for the developer) than LDAP so far. The secret? Graph traversal!

Here’s a code fragment he showed on screen (I simplified it a bit to make my point):

Party me = directory.GetPartyByIdentityKey( ... );

IEnumerable<Party> managementChain = directory.GetRelatedParties( me, System.Identity.Kinds.Relationship.Manager );

// Find the first manager who is an expense approver
foreach( Party manager in managementChain ) {
    bool isApprover = (
        from roles in manager.ProcessRolesAre
        where roles.KindID == System.Identity.Kinds.ProcessRole.ExpenseApprover
        select roles.Party
    ).Count() >= 1;
    if( isApprover ) {
         ...
    }
}

Here is how we would do it in InfoGrid:

Party me = meshBase.findMeshObjectByIdentifier( ... ).getTypedMeshObjectFacade( IdentitySubjectArea.PARTY );

MeshObjectSet managers = me.traverse( IdentitySubjectArea.ISMANAGEDBY.getSource() );
while( !managers.isEmpty() ) {
    Party manager = managers.getSingleElement().getTypedMeshObjectFacade( IdentitySubjectArea.PARTY );

    if( manager.getIsApprover().value() ) {
        ...
    }
    managers = manager.traverse( IdentitySubjectArea.ISMANAGEDBY.getSource() );
}

There are some minor differences in the API, because it appears that Microsoft’s is a special-purpose graph database with a built-in “directory” schema and a leaky SQL underneath, while InfoGrid’s supports any kind of model (aka schema). InfoGrid can also be run on top of either SQL or NoSQL engines and does not leak SQL. For this example, I made up a hypothetical model called IdentitySubjectArea, but that would be a really easy one to define.
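Added example, not code from this post, from Microsoft’s demo or from InfoGrid: the same walk up the manager relationship in plain Python over a constructed in-memory graph, adding the cycle guard, depth cap and multiple-manager handling that both fragments above leave out (the role and relationship names are the ones used above; everything else is assumed).

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(eq=False)
class Party:
    """One directory entry. Manager links are graph edges, not an LDAP DN
    hierarchy, so the approval chain is found by traversal, not by search."""
    name: str                                              # assumed unique identity key
    managers: list["Party"] = field(default_factory=list)  # the IsManagedBy relationship
    roles: set[str] = field(default_factory=set)           # process roles, e.g. "ExpenseApprover"


def first_expense_approver(me: Party, max_depth: int = 32) -> Optional[Party]:
    """Walk up the management chain and return the first manager holding the
    ExpenseApprover role, or None when no approver is reachable.

    Breadth-first, so a party with more than one manager is handled instead of
    failing on a single-element assumption; the visited set and the depth cap
    stop the walk on cyclic manager data, which a plain while-loop would follow
    forever. A None result must mean "no approver", never "last party seen"."""
    seen = {me.name}
    frontier = list(me.managers)
    for _ in range(max_depth):
        if not frontier:
            break
        next_frontier = []
        for manager in frontier:
            if manager.name in seen:
                continue
            seen.add(manager.name)
            if "ExpenseApprover" in manager.roles:
                return manager
            next_frontier.extend(manager.managers)
        frontier = next_frontier
    return None


def build_sample_directory() -> Party:
    """Constructed sample data, not a real org: me -> lead -> vp -> ceo (approver)."""
    ceo = Party("ceo", roles={"ExpenseApprover"})
    vp = Party("vp", managers=[ceo])
    lead = Party("lead", managers=[vp])
    return Party("me", managers=[lead])


def build_cyclic_directory() -> Party:
    """Constructed bad data: two parties who manage each other and no approver."""
    a = Party("a")
    b = Party("b", managers=[a])
    a.managers.append(b)
    return a


if __name__ == "__main__":
    approver = first_expense_approver(build_sample_directory())
    print(approver.name if approver else "no approver found")  # → ceo
```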

“Two orders of magnitude better” according to Kim? Of course, the world’s information is clearly structured more like a graph than LDAP and people seem to get around to that idea. Perhaps there are some interesting applications for InfoGrid as an enterprise directory … never thought of that one.

The End of an Era

I just carried out two big boxes. All music CDs have been banned from our house, starting immediately.

No more music?

Nope. Just the realization that all our CD collection still does is collecting dust and taking up space. I don’t remember when I last inserted a CD into the stereo. It must have been years.

The precious, precious collection … has long turned into an ugly dust collector.

All 75GB of it are now sitting on a RAID array, with local copies for iTunes, iPods and iPhones, from where it sings.

It’s a bit of an emotional event. So many of these CDs come with emotions when holding them in my hands. The first three I ever bought, together with the first CD player. The one that was a present from a dear friend when we were in college. The ones that made it to every party. Just having music in the cloud is not the same thing. But it’s time to say good-bye and move on.

I shudder at the amount of money we must have paid the music industry over the years. These boxes are heavy! iTunes says it’s more than 19 days of 24 hours a day of music. But they all fit on 5% of a hard drive Amazon sells for $90 today. The $4.50 of disk space is when you know the music industry has a real problem.

My son won’t ever have the emotion of holding a disc of music he relates to. He will have other emotions that I can’t even guess.

The end of an era.

Kynetx, Azigo Show What is Possible With a Personal Data Store

The magic would never have been possible if their vision had stopped at an “Identity Selector”, for years billed as the savior of the identity universe (see my recent post Why We Really Don’t Need an “Identity Selector”). This week at Kynetx’ conference, Paul and Phil had their coming-out party re-interpreting the “identity selector” as merely an unimportant user interface to something much more valuable: driving personalization of any page displayed in the browser using the data available to the identity selector, all without cooperation by the publisher of the page.

The result: everybody’s web pages, even those of people who have never heard of me, can become personal to me. That possibility is a very big deal and could totally change the way the entire internet looks and feels. And destroy a bunch of rather sizable businesses (irrelevant advertising, anybody?) in the process.

For years, it has been very clear that with the proliferation of websites out there, there has to be some kind of integration point for each individual. An integration point where all that stuff out there that I use comes together and becomes personal to me.

A few years ago, many of us thought that an individual’s blog would become that integration point. But with blogging software essentially stagnated for years, that didn’t happen.

It could have been RSS syndicators or the like, but no. Somehow they couldn’t envision anything beyond showing feed data.

The idea of mash-ups was great, but it fizzled out. Too hard to do in practice.

Right now, Facebook has the best shot at becoming that personal integration point, and it certainly wants to be it. With initiatives such as Facebook Connect, they are assembling an armada of business partners that gives them a good chance to become it. But then, it won’t be for me because I am not making my on-line personal and business relationships subject to a veto (and constant monitoring) by any one big company. At the end of the day, many people will think like that and so Facebook can’t be the solution, only a bandaid.

Kynetx and Azigo think that integration point should be right in my browser, driven by the personal information that I stored on my personal computer. (I call that information the personal data store, which may be accessed by an “identity selector” and many other kinds of software).

If you think of it, the PC/browser is not an unreasonable place for this personal integration point at all. It’s a “personal” computer for a reason, and much of that personal information is much better stored on that personal computer than somewhere in the cloud, for privacy reasons. So why not use that personal information to change and relate the web pages that I access on that personal computer, to make them more relevant to me? To make them “my” pages? VRM whether the vendor likes it or not is not a bad concept either …

Of course only time will tell. The odds against pulling this client-side revolution off are, well, impressive ;-) There are substantial technical hurdles, possibly legal landmines, usability is unclear, as are distribution, possible vetos by key technology vendors (e.g. browser manufacturers) etc. etc. But it’s worth trying, and worth some cheers.

I’ll be watching with interest how this develops.

[P.S. I didn't manage to be at the conference myself, but have been following these projects for some time.]

Why We Really Don’t Need an “Identity Selector”

As of this week’s Internet Identity Workshop, I’m now rather convinced that an “identity selector” is the wrong product and the wrong feature set, regardless of the exact details of a particular vendor’s implementation. Several discussions in several contexts, including how to best make a browser identity-aware, all point to the same conclusion, regardless of whether the context is a card context or an identifier / OpenID context. Something had always been bothering me about the identity selector concept over all these years since I saw the first CardSpace demo, and now I know what it is.

To make my point, consider the interaction of a user with a site over some period of time:

Here, the user (necessarily) is anonymous at the site when visiting for the first time. As time progresses, the user may choose to register at the site (and log in at the same time), and then continue to have an active session for some time. This session later times out and the user returns to the site after the timeout. The user authenticates again, and later logs off intentionally, after which (one hopes) the user is anonymous again for the site.

The blue sections in the diagram show the times at which an “identity selector” is useful: upon initial registration, and then again upon re-authentication. However, compare these minuscule amounts of time with the time that the user and the site have a relationship with each other centered around the user’s identity. If it takes me 20 seconds to log in, for example, but I stay at the site for an hour with the authenticated session, the “identity selector” helps me with my identity at that site only 0.5% of the time.

What about the other 99.5%?

We need functionality in the browser, or at least somewhere close to the user when using a web browser, that assists the user 100% of the time their digital identity is in the picture, not 0.5% of the time. By thinking of that product as an “identity selector”, we are excluding the other 99.5% and thus are getting the product exactly wrong.

The correct product is not a “selector”. It also must be:

  • An identity “de-selector”, with which the user can become anonymous again (or perhaps even remove all the information from the site which was conveyed during the “identity selection” phase). The much-desired “single sign out of the web” button should logically reside there.
  • An identity-aware session “visualizer”, which conveys to the user which sessions they have open with which sites, which of the user’s identities are currently used with which site, which others they have used with which site in the past, whether the session is valid (as opposed to expired), what information about them they have shared with the site and perhaps how to log out.

This is particularly important if the user has multiple active sessions, perhaps with multiple identities, occurring in parallel, such as in multiple browser tabs — increasingly a fact of life for many internet users. Keeping track of which sessions are still open, and which can be easily reactivated (e.g. by an OpenID checkid_immediate check) is cognitively impossible for many people (myself included) and computer support in the browser (not on the browser page) would be really useful. Throw in the use case of somebody briefly borrowing the computer to check their e-mail or Facebook account, while the primary user still has all their windows and sessions open, and perfect confusion ensues with a range of scary security and privacy issues around them.

So, what we need is not an “identity selector” for 0.5% of the time we use identity in the browser. What we need is a continually active, perhaps proactive assistant that helps us create and tear down sessions, watches our sessions, keeps track of the information that flows back and forth and helps us when we need it, 100% of the time.

Now I’m not a usability guy by any stretch of the imagination, but the following strawman picture popped into my head earlier today. It could live somewhere in the sidebar:

Each active session could have a separate section (rather like the Windows task bar). It would show the name of the site, whether or not the user was currently identified there, and the user’s current identifier (or card) there.

To log out, click the “x”. To log out everywhere, click the big button. To reactivate an expired session, click on the red light and it will turn green if re-authentication was successful. Clicking on the section could bring the tab / window to the front that belongs to the site, like in Windows or OSX. Right-click would show the information that has flowed between user and site so far, perhaps with a time-based log. And so forth.

An alternate version could sort by identity first and then by site (as opposed to this figure, which is sorted by site and then by identifier). That might be useful, too.

But regardless of the details of this strawman screen shot, which you may or may not like, I think the idea of covering the entire lifecycle of the user’s identity-based relationship with a site would lead to a much more useful product than a mere “selector”. Many others at IIW seemed to think so, too, but I’ll let them speak for themselves if they feel inclined to.

Yes, we don’t have the protocols and conventions for all of this. But I don’t think they are hard either, so that should not be an excuse.

Let’s mull this a bit … at least one major browser manufacturer does not seem to be too disinclined to go in this direction… with a bit of squinting, today’s identity selectors could even be re-interpreted as version 1 of the more inclusive approach…

Kim Cameron: OpenID is the Most Widely Adopted System for Reusable Internet Identity

The list of brand-name OpenID adopters speaks for itself, with — by some counts — now more than 1 billion functional OpenIDs on the open internet, but for the internet identity movement this quote from Kim Cameron, Microsoft’s Chief Identity Architect, is rather significant:

In the last year, OpenID has without doubt become the most widely adopted system for reusable internet identity. Adoption by destination sites continues to grow dramatically: approximately 50,000 sites as of July 1, 2009. The big Internet properties like Google, Yahoo, AOL, MySpace, and Windows Live have become (or are becoming) OpenID Providers. As a result, the vast majority of the online US population has an account that can be used to log in at the growing number of destination sites.

What a little URL could do …