November 02, 2010

Google OAuth, OpenID and federated login research

In recent meetings on access management and single sign-on I've mentioned the usability work being done by the Kantara ULX Working Group and suggested that it represents real progress in terms of how the relatively complex 'federated login' experience should be presented to the end-user.

Eric Sachs of Google has written up some research that they've been doing in the same space - research that includes a significant mocked-up ecommerce website and videos covering the kinds of 'login' scenarios that they've been thinking about.

I think this represents a really interesting piece of work, especially if some of it is made available as open source code (as the post suggests might happen).

The website at was built to demonstrate how a website that already allows users to login can help those users (and new users) leverage OpenID to login.  This provides a number of advantages for website owners such as:

  • Higher signup rates for new users and higher return/login rates by existing users
  • Lower customer support costs for handling problems with accounts
  • Improved account security by leveraging the security features and scale of large identity providers like Yahoo, Google, Microsoft, AOL, etc.

Users obviously also benefit from the improved user experience that can be achieved with OpenID.

The advantages outlined here seem, at first glance, to be most appropriate to e-commerce sites but I think they apply much more widely - to academic publishers, educational service providers, government websites, health websites and so on.

It'll be interesting to see how this work develops and whether the fact that it is being undertaken by Google means that it gains more traction and acceptance than might be the case with the Kantara work.

October 14, 2010

SAML attributes vs. entitlements - a quick rule of thumb

One specific issue that came up during discussions at the FAM10 conference (see my previous post) was about the use of 'attributes' vs 'entitlements' in the SAML messages passed from Identity Providers to Service Providers'. For the purposes of this discussion:

  • an attribute is some property of the individual - eye colour, age, sex and staff category being examples;
  • an entitlement is an indication of something that the person is allowed to do once they have been authenticated.

(Note: in practice, both attributes and entitlements (as used here) are carried as SAML attributes - the difference lies only in their semantics).

In most use-cases it is possible to use either attributes or entitlements to achieve a particular task. For example, individuals with a staff category of 'librarian' (an attribute) may be inferred by the Service Provider to be allowed to order new books within, say, a library management system - anyone with that attribute is allowed to do so. Alternatively, a 'bookOrdering' entitlement may be used - only people with that entitlement are allowed to order new books, irrespective of whether they are a librarian or not.

So, the question arose, when does one use an attribute and when does one use an entitlement?

In the discussion, I proposed a rule of thumb for making that decision, as follows:

Where you specifically want to control access to some resource or function, and particularly where such a requirement exists across multiple Service Providers, use an entitlement. Where you want to record a property of an individual, particularly where that property issued across multiple Identity Providers, and where different Service Providers may take different actions based on that property (e.g. one system may use the property to configure the user interface, another may use it to control access) use an attribute.


Well, not really, but it's a start.

October 13, 2010

What current trends tell us about the future of federated access management in education

As mentioned previously, I spoke at the FAM10 conference in Cardiff last week, standing in for another speaker who couldn't make it and using material crowdsourced from my previous post, Key trends in education - a crowdsource request, to inform some of what I was talking about. The slides and video from my talk follow:

As it turns out, describing the key trends is much easier than thinking about their impact on federated access management - I suppose I should have spotted this in advance - so the tail end of the talk gets rather weak and wishy-washy. And you may disagree with my interpretation of the key trends anyway. But in case it is useful, here's a summary of what I talked about. Thanks to those of you who contributed comments on my previous post.

By way of preface, it seems to me that the core working assumptions of the UK Federation have been with us for a long time - like, at least 10 years or so - essentially going back to the days of the centrally-funded Athens service. Yet over those 10 years the Internet has changed in almost every respect. Ignoring the question of whether those working assumptions still make sense today, I think it certainly makes sense to ask ourselves about what is coming down the line and whether our assumptions are likely to still make sense over the next 5 years or so. Furthermore, I would argue that federated access management as we see it today in education, i.e. as manifested thru our use of SAML, shows a rather uncomfortable fit with the wider (social) web that we see growing up around us.

And so... to the trends...

The most obvious trend is the current financial climate, which won't be with us for ever of course, but which is likely to cause various changes while it lasts and where the consequences of those changes, university funding for example, may well be with us much longer than the current crisis. In terms of access management, one impact of the current belt-tightening is that making a proper 'business case' for various kinds of activities, both within institutions and nationally, will likely become much more important. In my talk, I noted that submissions to the UCISA Award for Excellence (which we sponsor) often carry no information about staff costs, despite an explicit request in the instructions to entrants to indicate both costs and benefits. My point is not that institutions are necessarily making the wrong decisions currently but that the basis for those decisions, in terms of cost/benefit analysis, will probably have to become somewhat more rigorous than has been the case to date. Ditto for the provision of national solutions like the UK Federation.

More generally, one might argue that growing financial pressure will encourage HE institutions into behaving more and more like 'enterprises'. My personal view is that this will be pretty strongly resisted, by academics at least, but it may have some impact on how institutions think about themselves.

Secondly, there is the related trend towards outsourcing and shared services, with the outsourcing of email and other apps to Google being the most obvious example. Currently that is happening most commonly with student email but I see no reason why it won't spread to staff email as well in due course. At the point that an institution has outsourced all its email to Google, can one assume that it has also outsourced at least part of its 'identity' infrastructure as well? So, for example, at the moment we typically see SAML call-backs being used to integrate Google mail back into institutional 'identity' and 'access management' systems (you sign into Google using your institutional account) but one could imagine this flipping around such that access to internal systems is controlled via Google - a 'log in with Google' button on the VLE for example. Eric Sachs, of Google, has recently written about OpenID in the Enterprise SaaS market, endorsing this view of Google as an outsourced identity provider.

Thirdly, there is the whole issue of student expectations. I didn't want to talk to this in detail but it seems obvious that an increasingly 'open' mashed and mashable experience is now the norm for all of us - and that will apply as much to the educational content we use and make available as it does to everything else. Further, the mashable experience is at least as much about being able to carry our identities relatively seamlessly across services as it is about the content. Again, it seems unclear to me that SAML fits well into this kind of world.

There are two other areas where our expectations and reality show something of a mis-match. Firstly, our tightly controlled, somewhat rigid approach to access management and security are at odds with the rather fuzzy (or at least fuzzilly interpretted) licences negotiated by Eduserv and JISC Collections for the external content to which we have access. And secondly, our over-arching sense of the need for user privacy (the need to prevent publishers from cross-referencing accesses to different resources by the same user for example) are holding back the development of personalised services and run somewhat counter to the kinds of things we see happening in mainstream services.

Fourthly, there's the whole growth of mobile - the use of smart-phones, mobile handsets, iPhones, iPads and the rest of it - and the extent to which our access management infrastructure works (or not) in that kind of 'app'-based environment.

Then there is the 'open' agenda, which carries various aspects to it - open source, open access, open science, and open educational resources. It seems to me that the open access movement cuts right to the heart of the primary use-case for federated access management, i.e. controlling access to published scholarly literature. But, less directly, the open science movement, in part, pushes researchers towards the use of more open 'social' web services for their scholarly communication where SAML is not typically the primary mechanism used to control access.

Similarly, the emerging personal learning environment (PLE) meme (a favorite of educational conferences currently), where lecturers and students work around their institutional VLE by choosing to use a mix of external social web services (Flickr, Blogger, Twitter, etc.) again encourages the use of external services that are not impacted by our choices around the identity and access management infrastructure and over which we have little or no control. I was somewhat sceptical about the reality of the PLE idea until recently. My son started at the City of Bath College - his letter of introduction suggested that he created himself a Google Docs account so that he could do his work there and submit it using email or Facebook. I doubt this is college policy but it was a genuine example of the PLE in practice so perhaps my scepticism is misplaced.

We also have the changing nature of the relationship between students and institutions - an increasingly mobile and transitory student body, growing disaggregation between the delivery of learning and accreditation, a push towards overseas students (largely for financial reasons), and increasing collaboration between institutions (both for teaching and research) - all of which have an impact on how students see their relationship with the institution (or institutions) with whom they have to deal. Will the notion of a mandated 3 or 4 year institutional email account still make sense for all (or even most) students in 5 or 10 years time?

In a similar way, there's the changing customer base for publishers of academic content to deal with. At the Eduserv Symposium last year, for example, David Smith of CABI described how they now find that having exposed much of their content for discovery via Google they have to deal with accesses from individuals who are not affiliated with any institution but who are willing to pay for access to specific papers. Their access management infrastructure has to cope with a growing range of access methods that sit outside the 'educational' space. What impact does this have on their incentives for conforming to education-only norms?

And finally there's the issue of usability, and particularly the 'where are you from' discovery problem. Our traditional approach to this kind of problem is to build a portal and try and control how the user gets to stuff, such that we can generate 'special' URLs that get them to their chosen content in such a way that they can be directed back to us seemlessly in order to login. I hate portals, at least insofar as they have become an architectural solution, so the less said the better. As I said in my talk, WAYFless URLs are an abomination in architectural terms, saved only by the fact that they work currently. In my presentation I played up the alternative usability work that the Kantara ULX group have been doing in this area, which it seems to me is significantly better than what has gone before. But I learned at the conference that Shibboleth and the UK WAYF service have both also been doing work in this area - so that is good. My worry though is that this will remain an unsolvable problem, given the architecture we are presented with. (I hope I'm wrong but that is my worry). As a counterpoint, in the more... err... mainstream world we are seeing a move towards what I call the 'First Bus' solution (on the basis that in many UK cities you only see buses run by the First Group (despite the fact that bus companies are supposed to operate in a free market)) where you only see buttons to log in using Google, Facebook and one or two others.

I'm not suggesting that this is the right solution - just noting that it is one strategy for dealing with an otherwise difficult usability problem.

Note that we are also seeing some consolidation around technology as well - notably OpenID and OAuth - though often in ways that hides it from public view (e.g. hidden behind a 'login with google' or 'login with facebook' button).

Which essentially brings me to my concluding screen - you know, the one where I talk about all the implications of the trends above - which is where I have less to say than I should! Here's the text more-or-less copy-and-pasted from my final slide:

  • ‘education’ is a relatively small fish in a big pond (and therefore can't expect to drive the agenda)
  • mainstream approaches will win (in the end) - ignoring the difficult question of defining what is mainstream
  • for the Eduserv OpenAthens product, Google is as big a threat as Shibboleth (and the same is true for Shibboleth)
  • the current financial climate will have an effect somewhere
  • HE institutions are probably becoming more enterprise-like but they are still not totally like commercial organisations and they tend to occupy an uncomfortable space between the ‘enterprise’ and the ‘social web’ driven by different business needs (c.f. the finance system vs PLEs and open science)
  • the relationships between students (and staff) and institutions are changing

In his opening talk at FAM10 the day before, David Harrison had urged the audience to become leaders in the area of federated access management. In a sense I want the same. But I also want us, as a community, to become followers - to accept that things happen outside our control and to stop fighting against them the whole time.

Unfortunately, that's a harder rallying call to make!

Your comments on any/all of the above are very much welcomed.

September 17, 2010

Key trends in education? - a crowdsource request

I've been asked to give a talk at FAM10 (an event "to discuss federated identity and access management within the UK") replacing someone who has had to drop out, hence the rather late notice. I therefore wasn't first choice, nor would I expect to be, but having been asked I feel reluctant to simply say no and my previous posts here tend to indicate that I do have views on the subject of federated access management, particularly as it is being implemented in the UK. On the down side, there's a strong possibility that what I have to say will ruffle feathers with some combination of people in my own company (Eduserv), people at the JISC and people in the audience (probably all of them) so I need to be a bit careful. Still, that's never stopped me before :-)

I can't really talk about the technology - at least, not at a level that would be interesting for what is likely to be a highly technical FAM10 crowd. What I want to try and do instead is to take a look at current and emerging trends (technical, political and social), both in education in the UK and more broadly, and try to think about what those trends tell us about the future for federated access management.

To that end, I need your help!

Clearly, I have my own views on what the important trends might be but I don't work in academia and therefore I'm not confident that my views are sufficiently based in reality. I'd therefore like to try and crowdsource some suggestions for what you (I'm speaking primarily to people who work inside the education sector here - though I'm happy to hear from others as well) think are the key trends. I'm interested in both teaching/learning and research/scholarly communication and trends can be as broad or as narrow, as technological or as non-technological, as specific to education or as general as you like.

To keep things focused, how about I ask people to list their top 5 trends (though fewer is fine if you are struggling). I probably need more than one-word answers (sorry) so, for example, rather than just saying 'mobile', 'student expectations', 'open data' or 'funding pressure', indicate what you think those things might mean for education (particularly on higher education) in the UK. I'd love to hear from people outside the UK as well as those who work here. Don't worry about the impact on 'access management' - that's my job... just think about what you think the current trends affecting higher and further education are.

Any takers? Email me at [email protected] or comment below.

And finally... to anyone who just thinks that I'm asking them to do my work for me - well, yes, I am :-) On the plus side, I'll collate the answers (in some form) into the resulting presentation (on Slideshare) so you will get something back.


September 06, 2010

When technology disappears

A colleague at Eduserv asked me the other day why there isn't as much noise as there used to be about OpenID and whether it was indicative of a loss of interest or something else.

It's inevitable I guess. New developments, particularly those that look as transformative as OpenID looked at the time, tend to generate a lot of noise and activity, often at a level that isn't sustainable for very long. Something else of interest comes along, there are various contenders in this case, and the world shifts its interest - or, at least, the audible noise that results from such interest.

In the discussion that followed the initial question it turned out that we both thought that some combination of OpenID and OAuth was somehow being used behind the scenes of things like Google Friend Connect and Facebook Connect but we weren't quite sure how much and how often.

I decided to look around and find out.

Unfortunately, I was somewhat disappointed with what I could find - at least without spending more time on it than I could afford. The website carries an impressive list of adopters across the bottom of the page but doesn't indicate whether they are Identity Providers or Replying Parties (or both), nor what the status of their adoption is. So I asked on the [email protected] mailing list:

Also, when I chose to login via Google, Facebook, whatever... from a typical pull-down list (e.g. that offered by something like Janrain Engage)... is it ever using OpenID behind the scenes? If so, what proportion of the time?

and got the following helpful response from Brian Kissel at Janrain:

Speaking for Janrain Engage, yes, it’s OpenID behind the scenes for Google, Yahoo, AOL, MySpace, LiveJournal, Blogger, PayPal, etc. Facebook, Twitter, LinkedIn are based on OAuth, and some use a hybrid of OpenID and OAuth.

So... OpenID is alive and well (I'm sure you knew that) but looks like it is probably disappearing into the infrastructure to a certain extent - which is exactly where it belongs.

In case you were worried...

September 03, 2010

Call for 'ideas' on UK government identity directions

The Register reports that the UK government is calling for ideas on future 'identity' directions, fishes for ID ideas:

Directgov has asked IT suppliers to come up with new thinking on identity verification.

The team, which is now within the Cabinet Office, has issued a pre-tender notice published in the Official Journal of the European Union, saying that it wants feedback on potential requirements for the public sector on all aspects of identity verification and authentication. This is particularly relevant to online and telephone channels, and the notice says the services include the provision of related software and computer services.

The notice itself is somewhat hard to find online - I have no idea why that should be! - but a copy is available from the Sell2Wales website.

Oddly, to me at least - perhaps I'm just naive? - the notice doesn't use the word 'open' once, a little strange since one might assume that this would be treated as part of the wider 'open government' agenda as it is in the US where a similar call resulted in the OpenID Foundation putting together a nice set of resources on OpenID and Open Government. In particular, their Open Trust Frameworks for Open Government whitepaper is worth a look:

Open government is more than just publishing government proceedings and holding public meetings. The real goal is increased citizen participation, involvement, and direction of the governing process itself. This mirrors the evolution of “Web 2.0” on the Internet—the dramatic increase in user-generated content and interaction on websites. These same social networking, blogging, and messaging technologies have the potential to increase the flow of information between governments and citizenry—in both directions. However, this cannot come at the sacrifice of either security or privacy. Ensuring that citizen/government interactions are both easy and safe is the goal of a new branch of Internet technology that has grown very rapidly over the past few years.

August 23, 2010

Upcoming identity events

A couple of upcoming UK identity events worth highlighting...

Firstly, FAM10, which is being held in Cardiff on the 5th and 6th October:

Some of the areas that delegates can look forward to hearing about this year include:

  • Detailed overview of the progress made in the school's sector to adopt federated access management;
  • Interfederation use cases, including links to the Government Gateway to allow parental access to schools data;
  • Detailed technical information for advanced programmers;
  • Update on JISC Services for accounting and statistical mnagement;
  • Updates on identity management, user management and licence management;
  • International speakers on areas such as Kantara, Shibboleth and Gartner;
  • Service updates from the UK federation.

Secondly, the Internet Identity Workshop - Europe, which is being held a few days later in London on the 11th October:

IIW’s focus is on "user-centric identity" or "user-driven identity" – addressing the technical and adoption challenge of how people can manage their own identity across the range of websites, services, companies and organizations with which they interact. The focus of this first IIW-Europe will be on the whole range of global and European initiatives in this space.

August 13, 2010

Federation Metadata Explorer - update

Quick note: I've updated the Federation Metadata Explorer to support metadata from six European federations. 

July 21, 2010

Getting techie... what questions should we be asking of publishers?

The Licence Negotiation team here are thinking about the kinds of technical questions they should be asking publishers and other content providers as part of their negotiations with them. The aim isn't to embed the answers to those questions in contractual clauses - rather, it is to build up a useful knowledge base of surrounding information that may be useful to institutions and others who are thinking about taking up a particular agreement.

My 'starter for 10' set of questions goes like this:

  • Do you make any commitment to the persistence of the URLs for your published content? If so, please give details. Do you assign DOIs to your published content? Are you members of CrossRef?
  • Do you support a search API? If so, what standard(s) do you support?
  • Do you support a metadata harvesting API? If so, what standard(s) do you support?
  • Do you expose RSS and/or Atom feeds for your content? If so, please describe what feeds you offer?
  • Do you expose any form of Linked Data about your published content? If so, please give details.
  • Do you generate OpenURLs as part of your web interface? Do you have a documented means of linking to your content based on bibliographic metadata fields? If so, please give details.
  • Do you support SAML (Service Provider) as a means of controlling access to your content? If so, which version? Are you a member of the UK Access Management Federation? If you also support other methods of access control, please give details.
  • Do you grant permission for the preservation of your content using LOCKSS, CLOCKSS and/or PORTICO? If so, please give details.
  • Do you have a statement about your support for the Web Accessibility Initiative (WAI)? If so, please give details?

Does this look like a reasonable and sensible set of questions for us to be asking of publishers? What have I missed? Something about open access perhaps?

July 07, 2010

On federated access management, usability and discovery

A little over a week ago I attended a meeting in London organised by the JISC Collections team entitled From discovery to log-in and use: a workshop for publishers, content owners and service providers.

The meeting was targetted at academic publishers (and other service providers), of whom there were between 30 and 40 in the room. It started with presentations about two reports, the first by William Wong et al (Middlesex University), User Behaviour in Resource Discovery: Final Report, the second by Rhys Smith (Cardiff University), JISC Service Provider Interface Study. Both reports are worth reading, though, as I noted somewhat cheekily on Twitter prior to the meeting, if the JISC had paid more for the first one it might have been shorter!

Anyway... the eagle-eyed amongst you will have noticed that the two reports are somewhat different in scope and scale. Both talk about 'discovery' but the first uses that word in a very broad 'resource discovery' sense whilst the second uses it in the context of the 'discovery problem' as it applies to federated access management - i.e. the problem of how a 'service provider' knows which institutional login page to send the user to when they want to access their site. This difference in focus left me thinking that the day overall was a little out of balance.

For this blog post I don't intend to say anything more about 'resource discovery' in its wider sense, other than to note that Lorcan Dempsey has been writing some interesting stuff about this topic recently, that there are issues about SEO and how publishers of paid-for academic content can best interact with services like Google that could usefully be discussed somewhere (though they weren't discussed at this particular meeting), and that, in my humble opinion, any approach to resource discovery that assumes that institutions can dictate or control which service(s) the end-user is going to use to discover stuff is pretty much doomed from the start. On that basis, I'm not a big believer in library (or any other kind of) portals, nor in any architectural approach that assumes that a particular portal is what the user wants to use!

The two initial presentations were followed by a talk about the 'business case' for an 'EduID' brand - essentially a logo and/or button signifying to the user that they are about to undertake an 'academic federated login' (as opposed to an OpenID login, a Facebook Connect login, a Google login, or whatever else). Such a brand was one of the recommendations coming out of the Cardiff study. I fundamentally disagree with this approach (though I struggled to put my case across on the day). I'm not convinced that we have a 'branding' problem here and I'm worried that the way this work was presented makes it look as though the decision that we need a new 'brand' has already been taken.

During the ensuing discussion about the 'discovery problem' I mentioned the work of the Kantara Initiative and, in particular, the ULX group which is developing a series of recommendations about how the federated access management user experience should be presented to users. I think this group is coming up with a very sensible set of pragmatic recommendations and I think we need to collectively sit up and take some notice and/or get involved. Unfortunately, when I mentioned the initiative at the meeting, it appeared that the bulk of the publishers in the room were not aware of it.

To try and marshal my thoughts a little bit around the Kantara work I decided to try and implement a working demo based on their recommendations. I took as my starting point a fictitious academic service called EduStuff with a requirement to offer three login routes:

  • for UK university students and staff via the UK Federation,
  • for NHS staff via Athens, and
  • for other users via a local EduStuff login.

I'm assuming that this is a reasonably typical scenario for many academic publishers (with the exception of the UK-only targetting on the academic side of things, something I'll come back to later).

Note that this scenario is narrower than the scope of the Kantara ULX work, which includes things like Facebook Connect, Google, OpenID and so on, so I've had to interpret their recommendations somewhat, rather than implement them in their totality.

You can see the results on the demo site. Note that the site itself does nothing other than to provide a backdrop for demonstrating how the 'sign in' process might look - none of the other links work for example.

The process starts by clicking on the 'Sign in' link at the top right (as per the Kantara recommendations). This generates a pop-up 'sign in' box offering the three options. Institutional accounts are selected using a dynamic JQuery search interface which, once an institution has been selected, takes the user to their institutional login page. (My thanks to Mike Edwards at Eduserv for the original code for this). The NHS Athens option takes the user to an Athens login page. The EduStuff option goes to a fairly typical local login/register page, but one which also carries a warning about using one of the other two account types if that is more appropriate.

Whichever account type is chosen, the selection is remembered in a cookie so that future visits to the pop-up 'sign in' box can offer that as the default (again, as per Kantara).

Have a play and see what you think.

Ok, some thoughts from my perspective...

  • In the more general Kantara scenario, some options (Facebook, Google, OpenID, etc.) are presented using clickable buttons/icons. I haven't done this for my scenario because the text wording felt more helpful to me. If icons were to be used, for example if a publisher wanted to offer a Google-based login, then I would probably present the NHS Athens and EduStuff choices as icons as well.
  • You'll note that the word 'Athens' only appears next to the NHS option. I think that our Athens/OpenAthens branding should become largely invisible to users in the context of the UK Federation - or, to put it another way, one of our current usability problems is that publishers are still presenting Athens as an explicit 'sign in' option when they really do not need to so. In the context of the UK Federation, OpenAthens is just an implementation choice for SAML - users need be no more aware of it than they are of the fact that Apache is being used as the Web server. (The same can be said of Shibboleth of course). Part of our current problem is that we are highlighting the wrong brands - i.e. Shibboleth and OpenAthens/Athens rather than the institution - something that both the JISC and Eduserv have been guilty of encouraging in the past.
  • The institutional search box part of the demo is currently built on UK Federation metadata, so it only offers access to UK institutions. There is no reason why this interface couldn't deal with metadata from multiple federations. Indeed, I see no reason why it wouldn't scale to every institution in the world (with some sensible naming). So although the current demo is UK-specific, I think the approach adopted here can be expanded quite significantly.
  • On that basis, you'll note that there is no need in this interface for an EduID brand/button. Users need only concern themselves with the name of their institution - other brands become largely superficial, except where things like Google, Facebook, OpenID and so on are concerned.
  • I've presented only the front page for the EduStuff site. On the basis that we can't control how users discover stuff, i.e. we have to assume that users might arrive directly at any page of our site as the result of a Google search, the 'sign in' process has to be available on each and every page of the site.
  • Finally, the demo only deals with the usability of the first part of the process. It doesn't consider the usability of the institutional login screen, nor of what happens when the user arrives back at the publisher site after they have successfully (or otherwise) authenticated with their institution. I think there are probably significant usability issues at this point as well - for example, how to best indicate that the user is signed in - but I haven't addressed this as part of the current demo.

I'd be very interested in people's views on this work. It's at a very early stage - I haven't even presented it properly to other Eduserv staff yet - but we have some agreement (internally) that work in this area will likely be of value both to ourselves and our current customers and to the wider community. On that basis, I'm hopeful that we will do more work with this demo:

  • to make it more fully functional, i.e. to complete the round-trip back to the EduStuff site after successful authentication,
  • to make the 'sign in' pop-up into a re-usable 'widget' of some kind,
  • and to experiment with the usability of much larger lists of institutions, taken from multiple federations.

Whatever our conclusions, any results will be shared publicly.

Overall the day was very interesting. I'll leave you with my personal highlight... the point at which one of the (non-publisher) participants said (somewhat naively), "What would it take to make all this [publisher] content available for free? Then we wouldn't need to worry about authentication". Oh boy... there was a collective sharp intake of breath and you could almost hear the tumble-weed blowing for a minute there! :-)

Addendum (8 July 2010): in light of comments below I have re-worked my demo using a more icon-based approach. This is much more in line with the current Kantara ULX mockups (version 4) including the addition of a 'more options'/'less options' toggle on second and subsequent sign ins. Overall, it is, I think, rather better than my initial text-based approach. I stand by my assertion that an EduId button is not required in the 'sign in' process demonstrated here (irrespective of whether the icon-based or text-based approach is used). That said, I'd welcome views on how/where such a button would fit in.

June 17, 2010

Where next for resource licensing?

Five hours of presentations and discussion about scholarly resource licensing probably doesn't strike most people as a 'good day out' but, actually, yesterday's joint JIBS/Eduserv Where next for Resource Licensing? event was a surprisingly enjoyable and interesting experience.

My live-blogged notes of all the talks are available on eFoundations LiveWire. On that basis, I won't go into the details of any of the talks here. Rather, I'll focus on my overall impressions and thoughts (all of which is very much a personal view)...

Firstly, the academic landscape is changing, both in terms of student expectations and in terms of the nature of university 'business' practice (e.g. greater intra-UK and international collaboration around course delivery). A number of the talks provided evidence for this. Now, of course, we already knew that the landscape was changing... but it doesn't do any harm to keep reminding ourselves of how (and how much) and it was particularly pleasing (for me) to see Owen Stephens (who gave the opening keynote) quoting a couple of the speakers (Paul Golding and Chris Sexton) at our recent symposium by way of evidence.

Secondly, there is something of a tension between wanting to grow the complexity of our resource licences (to take account of newly emerging business practices and user groups for example) and the desire to consolidate, and indeed grow, our existing use of a small number of 'model' licences. (Clearly, this is an area in which the Eduserv Licence Negotiation team has had a big impact over the last 10 to 15 years). In theory, the emerging technical possibility for machine-readable licences (Mark Bide of EDItEUR gave an interesting talk about ONIX-PL for example) means that we can leave software to deal with making access decisions based on a growing collection of different licences. Yet there seemed to be little appetite for this in the room. (Indeed, I'm not even sure such a scenario is really possible or effective for a variety of reasons). As a counterpoint, my colleague Martyn Jansen put forward some suggestions in the final talk of the day to simplify the existing standard Chest Agreement, both in terms of having a smaller number of classes of users and in terms of simplifying the types of use allowed. For my part, this feels like a sensible way forward.

Thirdly, the idea of allowing 'walk-in users' in the digital age was called into question. Owen Stephens referred to the whole notion as "stupid" in his opening talk, suggesting that we need to completely revisit what we are trying to achieve by it and, more importantly, talk to publishers about what we want to do. Sticking my neck out a little, my personal take on this is that in the age of the Web and widely implemented federated access management it is somewhat unreasonable of academic institutions to expect publishers to provide any access to digital resources by walk-in users. But perhaps I'm just being naive about the issues here?

Fourthly, there was some discussion around overseas students. Louise Cole of Kingston University noted, with some irony, that in some cases walk-in users with no affiliation to the institution can get a better deal in terms of access to resources than registered students of that institution who happen to be based overseas. Again, I'll stick my neck out with a personal view (quite possibly a view not shared by my colleagues here!). Geography has become irrelevant and should play no part in our licensing deals. A university with 6000 undergrads should be dealt with as a university of 6000 undergrads, irrespective of whether 3000 of them happen to be based overseas. If this gives publishers problems in terms of pricing across different geographic markets, get over it. The world is largely flat.

And finally, another personal view about something that didn't really come up during the day (at least until drinks in the pub afterwards!) but which increasingly struck me as the day progressed. We seem to be hitting something of a disconnect between theory and practice in this area - which is probably something that neither institutions nor publishers really like to acknowledge. On the one hand, we have relatively complex discussions around licensing terms and conditions, coupled potentially with relatively detailed ways of exchanging those licences in a machine-readable form. At the same time we have an over-arching emphasis on security and data protection in the way our access management federation is delivered (in a way that I've not really seen justified in terms of the risk of abuse of the resources being made available thru that federation). Meanwhile, on the other hand (err... back in the real world?) Shibboleth and OpenAthens system administrators are nearly always just setting the simplest kind of "This person is a member of the institution" attribute, passing it to the service provider and having them gain access to the resource as a result.

Are we routinely comparing our technology choices against a measure of the risk we are dealing with? Are we joining up our discussions about new kinds of users and usages in our licences with the same constructs in our SAML attribute sets? And finally, are we taking note of whether people on the ground are actually acting in line with our somewhat theoretical technology-centric positions?

Or is the reality that the people doing the day job are getting by with a just good enough approach and that, actually, publishers are perfectly happy with that provided the university pays the subscription fee?

June 11, 2010

I/AM moves up from 6 to 5, alright pop pickers? Not 'arf

[Title for Alan Freeman fans.]

Via a tweet from @chrisb (of the JISC) I note that Educause have published the results of their survey of the Top-Ten IT Issues, 2010 (for US HE institutions).

I/AM (identity and access management) has moved up from number 6 to number 5, about which the report says:

Critical questions for Identity/Access Management include the following:

  1. What is the institution's documented process for verifying the identity of individuals and linking physical and electronic identities?
  2. What standards, trust systems, or existing federations (e.g., InCommon) can be used to ensure that an institution can trust another institution's electronic identities?
  3. Are I/AM policies and processes adaptable and flexible to allow for changes in roles and access rights over time?
  4. How should institutions strike the balance between carefully managing identity and access and utilizing broadly distributed networked resources?
  5. Do current I/AM strategies account for federation and single sign-on with third-party hosted and cloud-based applications?
  6. How can institutions create stronger linkages between physical and electronic identities?

(Note: the bullet points were not numbered in the original.)

I think the JISC's work on the UK Access Management Federation has done much to help with these kinds of issues in the UK, so I wonder if the critical questions in the UK might be somewhat different?  For example, number 2 would probably focus more heavily on issues around inter-federation trust (i.e. trust between institutions in the UK and those elsewhere).

Numbers 3 and 4 are interesting and I expect that these kinds of issues will be touched on during next week's Where next for resource licensing? event, organised jointly by JIBS and Eduserv and from which I hope to live-blog on eFoundations LiveWire.  The explicit cross-over between resource licensing and access management seems to feature fairly low in our discussion priorities (at least as far as I'm aware) though it is clearly a topic of interest to Eduserv, since we offer services in both spaces (Licence Negotiation and Access and Identity Management).

I suspect that number 5 is of interest to us all and, for information, we have a bit of work bubbling under here at the moment to link together OpenAthens with Google Apps, though I'm not sure if there's anything more public that I can share with you yet.

Number 6 looks interesting, though I'm slightly bemused by what it actually means.

December 14, 2009

Internet Identity Workshop news

A series of notes taken at the recent Internet Identity Workshop (IIW) #9 held in Mountain View are now available. I was hoping to attend but in the end wasn't able to.

The extent and detail of the notes varies across different sessions but they are probably worth a look for those with an interest in this area.

Note also that the dates for IIW #10 have been announced, again in Mountain View, as Tuesday 18 May thru to Thurs 20 May 2010.

December 10, 2009

Please update your privacy settings

Still interested in Facebook?

If so, remember that the privacy settings are in the process of being changed, with the default settings being much more public than before.

It would have been nice if they'd opted to leave things as they are by default and let people open things up gradually but it isn't too hard to change from their suggested 'public' settings to what you had before (10 clicks to be precise).  How many people actually do it remains to be seen of course.

I know it's fashionable to paint Facebook as the bad guys but I actually think they try quite hard to make it clear who can see what.

November 18, 2009

Where does your digital identity want to go today?

This morning I had cause to revisit an identity-related 'design pattern' that I originally worked on during a workshop back in January, in readiness for a follow-up workshop tomorrow.

The pattern is concerned with the way in which personal information can be aggregated, shared and re-used between social networking sites and other tools and the moral and legal rights and responsibilities that go with that kind of activity.

I don't want to write in detail about the pattern here, since it is the topic for the workshop tomorrow and may well change significantly.  What I do want to note, is that in thinking about this 'aggregating' scenario I realised that there are three key roles in any scenario of this kind:

  • the subject - the person that the personal information is about
  • the creator - the person that has created the personal information
  • the aggregator - the person aggregating personal information from one or more sources into a new tool or service.

In any given instance, an individual might play more than one of these roles.  Indeed, in the original use-case which I provided to kick-start the discussion I played all three roles.  But the important thing is that in the general case, the three are often different people, each having different 'moral' and legal rights and responsibilities and different interests in how the personal information is aggregated and re-used.

To illustrate this, here is a simple, and completely fictitious, case-study:

Amy (the subject) uses Twitter to share updates with both colleagues and friends.  Concerned about cross-over between the two audiences, Amy chooses to use two Twitter accounts, one aimed at professional colleagues and the other aimed at personal friends.  Amy uses Twitter's privacy options to control who sees the tweets from her personal account.

Ben (the creator) is both a friend and colleague of Amy and is thus a follower of both Amy's Twitter accounts. On seeing a personal tweet from Amy that Ben feels would be of wider interest to his professional colleagues, Ben retweets it (thus creating a new piece of personal information about Amy), prefixing the original text with a comment containing the name of Amy's company.

Calvin (the aggregator) works for the same company as Amy and looks after the company intranet.  He decides to use a Twitter search to aggregate any tweets that contain the company name and display them on the intranet so that all staff can see what is being said about the company.

Amy's original 'private' tweet thus appears semi-publicly in-front of all staff within the company.

Depending on the nature of the original private tweet, the damage done here is probably minimal but this scenario serves to illustrate the way that personal information (i.e. information that is part of Amy's digital identity) can flow in unexpected ways.

One can imagine lots of similar scenarios arising from unwanted tagged Flickr or Facebook images, re-used links, forwarding of private emails, and so on.

Who, if anyone, is at fault in this scenario?  Perhaps 'fault' is too strong a word?

Well, Amy is probably naive to assume that anything posted anywhere on the Internet is guaranteed to remain private.  Ben clearly should not have retweeted a tweet from Amy that was intended to remain somewhat private but in the general to-and-fro of Twitter exchanges it is probably understandable that it happened. Note that the Web interface to Twitter displays a padlock next to 'private' tweets but this is not a convention used by all Twitter clients. In general therefore, any shared knowledge that some tweets are intended to be treated more confidentially than others has to be maintained between the two people concerned outside of Twitter itself.  Calvin is simply aggregating public information in order to share it more widely within the company and it is thus not clear that he could or should do otherwise.

On that basis, any fault seems to lie with Ben.  Does Amy have any moral grounds for complaint? Against Ben... yes, probably, though as I said, the mistake is understandable in the context of normal Twitter usage.

The point here is to illustrate that currently, while many social networking tools have mechanisms for adjusting privacy settings, these are not foolproof and the shared knowledge and conventions about the acceptable use of personal information (i.e. digital identity) typically have to be maintained outside of the particular technology in use.  Further the trust required to ensure that things don't go wrong relies on both the goodwill and good practice of all three parties concerned.

November 12, 2009

Where Next for Digital Identity?

In collaboration with the three 'digital identity' projects that we funded last year, we have organised a day-long event looking at the future of digital identity.  The day will feature an invited talk by Ian Brown of the Oxford Internet Institute, followed by talks from each of the three projects (Steven Warburton, Shirley Williams and Harry Halpin), followed by an afternoon of discussion groups.

The event will be held at the British Library in January next year. Places are limited to 50.

October 22, 2009

This is me – now what was the question?

I note that the call for papers for the TERENA Networking Conference (TNC) 2010 is now out. Given that the themes focus (in part) on network lifestyle and identity issues I wondered about putting in something based on Dave White's vistors vs residents work (yeah, that again!). Something like the following:

The Web used to be seen as a tool to get various jobs done – booking a holiday, finding a train time, reading email, catching up on lecture notes, checking a bank account, and so on. The people using such tools adopted a largely visitor mentality, - they fired up their Web browser, undertook a task of some kind, and left. Little or no trace was left.

Over the past few years the Web has changed significantly. It is now a social space, as much a part of people's lives as going down the pub, going to work, or turning up for lectures. As a result, many people are now increasingly adopting a resident mentality – cohabiting a social networked environment with others and intentionally leaving a permanent record of their activities in that space.

In a world of visitors, the principle reason for asserting identity (“this is me”) is so that the particular tool being used can determine what an individual's access rights are. But in a world of residents, that is only part of the story. They are more likely to assert their identity as part of a “this is who I am”, this is what I’ve done”, this is who I know” transaction with other people in their social space.

The functional requirements of the identity infrastructure are therefore very different for residents than they used to be for visitors. SAML is geared to meeting the needs of visitors and the tools they wish to access. OpenID caters much more to a ‘resident’ way of thinking.

If we believe that the Web is changing us (as it certainly is), and particularly if we believe that the Web is changing learning and research, then we have to be prepared to change with it and adopt technologies that assist in that change.

Does that resonate with people?  I'd be interested in your thoughts.

October 08, 2009

Multi-factor authentication

PayPal users will probably know this already but for some time now it has been possible to double-lock your PayPal account with an SMS Security Key, meaning that as well as having to give your email address and password to sign in you also have to type in a random 6-digit code sent to your mobile phone via SMS. This combination of something you know (your password) and something you have (your mobile phone) is intended to increase the security of the service.

I was initially rather sceptical that this would work, being under the impression that SMS is inherently unreliable, but it actually seems fine. OK, I'm not the world's biggest PayPal user - I probably sign in once a week at most - but, so far, I've not suffered lock-out because the SMS message with my 6-digit code in it didn't arrive quickly enough.

I'm surprised that more banks don't offer this feature for their online banking? (Actually, I don't use that many banks! But I can say that mine doesn't.)

I also noticed today that Amazon Web Services offer a similar multi-factor feature (which I think is reasonably recent), but using dedicated hardware rather than your mobile phone and SMS.

Finally, I note that offer CallVerifID, which will call your mobile when you try and sign in - though it is not currently available in the UK (because of the call costs).

All of which is largely anecdotal - I assume there are plently of other examples I could/should have cited, these just happen to be the ones I've noticed/used - but it strikes me that the use of the mobile phone as a second authentication device has some significant advantages (for the user at least) over a dedicated device.  As Will McInnes noted at FOTE last week, we all keep our mobiles close to us pretty much all the time now anyway.

September 03, 2009

More on identity and access management...

I seem to be on a mini-roll of posts related to identity and access management at the moment...  so, while I'm at it, a couple of quick (and largely unrelated) things.

Firstly, the JISC call 08/09: Access & Identity Management is currently out and, while I don't know that we are actively seeking partners, if any institutions are interested in working with us around OpenAthens (I guess I'm thinking primarily of the Innovation part of the call here) then I'm sure that there will be people here who would be happy to talk to you.

Secondly, Johannes Ernst has a short post, On Identity Business Models or Lack Thereof, which, while not directly relevant to the education space, is certainly interesting and notes various categories of model that might usefully help frame our wider thinking.

Internet Identity Workshop

I note that the ninth Internet Identity Workshop (IIW IX) is taking place on November 3-5 (Tuesday to Thursday) in Mountain View California at the Computer History Museum.

I mention this primarily because it looks like an excellent event - take a quick look at the breadth of topics discussed at the last meeting for example - but is one that is a long way away from those of us in the UK. Is there space to have this kind of 'identity' meeting in Europe - or does such a thing already exist?

September 02, 2009

Publisher Interface Study - final report

Back in June I reported on a meeting that I had attended as part of the JISC-funded Service Provider Interface Study. The final report from that project is now available, in a commentable form, and feedback is requested.

The report makes two key recommendations:

Recommendation 1 - A brand should be created for academic federated access. For this brand to be successful, it needs widespread adoption worldwide. The brand should include a short name and a logo; these need not mean anything but simply provide a familiar point of reference.

Recommendation 2 - A "style guide" should be created for publishers to follow around implementing discovery using the brand created.

These seem sensible to me and certainly in line with my suggestion that there needs to be much "greater consistency to the way that SAML-based sign-on is presented to the end-user".  Note that the brand refers to 'academic federated access' generally, rather than to the UK Access Management Federation for Education and Research in particular - i.e. it needs to work across federations (possibly based on differing technologies?) - a non-trivial task to say the least (but one that is probably worth aiming for).

As a result of this study the JISC intends to:

  1. carry out a full public consultation on the findings of the report;
  2. instigate an international competition for the design of a federated log-in brand;
  3. develop full brand guidelines for publishers and other service providers;
  4. develop an easy-install tool and guide for embedded WAYFs (Where are You From services).

I would hope that service providers themselves get heavily involved in these activities.  And for the last... I think the JQuery demo, provided in the previous post, is indicative of one direction such an "easy-install" tool could take.

Addendum: Johannes Ernst has an interesting post, Information Cards Have the NASCAR Problem, Too, which notes that OpenID and Information Cards, both of which have globally identifiable logos, also suffer from the multiple brand problem (roughly equivalent to the multiple federation/multiple institution issue in SAML-based federations). He ends with:

What about we drop the NASCAR argument in the OpenID vs. information cards discussion, and figure out how to solve the common issue instead?

a principle that I think we might usefully expand to include our own SAML world if at all possible.

July 02, 2009

Investigating the "Scott Cantor is a member of the IEEE problem"

The UK Access Management Federation and other similar initiatives worldwide provide a SAML-based single sign-on solution for access to online resources for the education and research community.  Typically, a user must sign-on to their home institution, using their local username and password, before being granted access to a remote online resource.  In the main, this prevents the user from having to remember a separate username and password for each online resource that they wish to access.  However, there is a perceived problem that some users have several affiliations (their university, their employer, the NHS, their professional body, etc.), each of which may grant access to a different set of online resources, and that, currently, online services are not able to make seamless decisions about which resources a given user is entitled to access because they lack knowledge about these multiple affiliations.

We have recently funded Simon McLeish at LSE to undertake an investigation into this area, commonly known as the Scott Cantor is a member of the IEEE problem. (Scott Cantor is lead developer of the Shibboleth software and an editor of the SAML 2.0 specification).  This investigation will try to discover the extent of this problem in UK HE - who is affected, how serious stakeholders perceive it to be, and what is expected from a solution - in order to inform future work in this area.

More information about this study can be found thru the project's Wiki.  As usual, the final report will be made openly available to the community under a Creative Commons licence.

June 29, 2009

Making the UK Federation usable

About a year ago, in Bye, bye Athens... hello UK Federation, I questioned the rather grand claims being made about the then new UK Access Management Federation for Education and Research, notably that it would deliver "improved services to users", and wondered what the reality would be like.

I think we're still waiting to find out to be honest but there doesn't yet seem to be much evidence that anything has really improved over what we had before - certainly not in terms of usability for the end-user!

Last week I attended a meeting set up by the JISC-funded Service Provider Interface Study project, looking specifically at usability issues within the federation as things currently stand.

Firstly... hats off to both the project team and JISC for being so open about the issues. The meeting was a real eye-opener (for me at least), not only in that it demonstrated just how poor usability is across all the players that make up the federation, but also in the realisation that, actually, most service provider access control is done via IP address checking rather than by SAML-based authentication, in part because the usability issues are so great. For most users, SAML only comes into play when they are off-site (at least according to the service providers present at the meeting). Note: I appreciate that this was also the case under the old Athens system... I mention it here only because it seems to me that the continued use of IP address checking hasn't been widely acknowledged in the way the federation is generally presented, so it came as something of a surprise (to me at least).

Usability problems hit almost every aspect of the Federation as it is currently deployed, from the point that the end-user is initially asked to sign-on right thru to the ways in which service provider services are personalised (or not). Overall usability is made worse because the end-to-end experience is distributed across several players - the service provider, the identity provider, and (optionally) a 'where are you from?' service - each of which can, and do, make different decisions about naming and design. The result is a confusing experience for the end-user, combining poor usability of the individual components in the system coupled with a lack of consistency between the different parts, leading to a situation where it must be near impossible, for example, to write user-support documentation (i.e. help pages) covering everything in a comprehensive form. Even trivial issues, such as what 'sign-on' is called and where it is positioned on the page, are handled differently by different players.

It seems to me that privacy and security issues seem to have driven much of the thinking behind the Federation in its current form. At one point I asked the meeting whether anyone had actually asked real end-users whether they would like to have the option of sharing more information between the identity provider and the service provider in order to enjoy a more seamless and usable experience overall (even if it theoretically compromised their privacy in some way)? I'm not sure I got a clear answer... but it is hard not to draw the conclusion that the Federation has been designed by people with a primary interest in the technology rather than the user experience. A bit like the 'good old days' when we let the techies have full control over firewall policies, disregarding the fact that people actually had jobs that they needed to get done.

I'm sorry if all this seems very blunt but the current deployments are so un-friendly that something has got to be done - otherwise we might as well just bite the bullet and go back to having separate login accounts for every service we access (something that most people are perfectly accustomed to these days anyway!).

So... I want to focus on two, related, aspects of usability for the remainder of this post: naming the authentication process and discovering the identity provider.

Firstly... what do you call the process by which you gain access to a service provider in a SAML-based world? How are things 'branded' if you like? This is a non-trivial question to answer but a great example of how largely technical considerations (like the need for federations) have been allowed to get in the way of user-oriented usability issues. It's also something that the OpenID crowd have got cracked. That's not to say that there aren't other problems with OpenID - there are - but at least they have a single global brand (and associated logo) which makes it easy for any user, anywhere in the world to realise when they are being asked to sign-in using their OpenID.

What's the equivalent brand in the SAML world? There isn't one. Nobody pushes the use of a "SAML sign-on" (quite rightly in my opinion) since it would be meaningless to people. Shibboleth, as I've argued before, names a particular bit of software rather than an approach, and so is inappropriate. Some service providers in the UK still use 'Athens' (because it's what end-users are used to!) - again, clearly wrong in a SAML world. That leaves branding at the level of the federation... but who on earth wants to refer to their "UK Access Management Federation login" - what a horrible mouthful that is. And remember... most service providers offer their services globally, so if we brand things at the federation level then service providers have to start asking their users which federation they are part of - something that I suspect most of us neither know nor care!

That brings us on to my second usability issue. In a SAML-based world, service providers have to direct the end-user back to their institution in order that they can sign-in using their institutional username and password before being redirected back to the target service. This is typically done using a 'where are you from' service, either stand-alone on the network or embedded into the service provider website. Typically, this involves the end-user selecting from a pull-down list of identity providers (there are over 500 in the UK Federation currently), optionally preceded by a pull-down list of possible federations.  This is horrible.

I'd like to propose a new rule of thumb for the design of user-interfaces in a SAML world... if we ever have to explicitly ask the end-user to choose from a list which federation they are part of, then we have a totally borked approach and we need to do something different. This seems obvious to me - yet it is exactly the direction we are heading in right now :-( .

I'd actually go much further and say that if we ever have to explicitly ask the end-user to tell us which institution they are a member of just so they can sign-in to something, then we have similarly broken the system - but I appreciate that is a more difficult part of the process to remove given the current technology. We can, however, make the selection of the institution rather easier than scrolling thru a list of 500 (or 1000, or 5000) names. How about looking at the way TheTrainLine let you select a station name? How about using the JQuery Auto-Complete function to narrow down the list of available names as the end-user begins to type? Here's a demo of just that. Much more intuitive than a pull-down list.  (Thanks to my colleague, Mike Edwards, for the sample code to build this, based on the JISC "what do we do?" page.)

It'll be interesting to see what recommendations the Service Provider Interface Study project comes up with.  Here are mine.  Let's stop thinking in terms of asking the end-user what federation they belong to and think instead of questions they are likely to know the answers to.  What is the name of the institution you belong to? What's the URL of your institutional website? What country are you in?  Let's make the machines do the hard work of sorting out which federation is relevent.  In short, let's start building user-interfaces, no... scrub that... let's start designing the system as a whole such that usability and the needs of the end-user are put first rather than being tacked on as an after-thought!

Finally... I'm surprised that publishers, and other service providers, aren't driving this much more forcibly than they appear to have done to date.  There was a strong feeling in the meeting that things have got much worse (in usability terms) since the demise of Athens - yet the publishers present seemed rather defeatest about what they could do about it.  Every time the usability of the system breaks, a service provider somewhere stands to lose a customer and while they are not typically paying for content individually it ultimately all adds up.  Publishers should be pressing the UK Federation (and all other federations) for a system that works end-to-end, not just because of their own self-interests, but because of the interests of their primary user-base.  I also think that they should be working much more closely together to bring greater consistency to the way that SAML-based sign-on is presented to the end-user.

May 18, 2009

Symposium live-streaming and social media

We are providing a live video stream from our symposium again this year, giving people who have not registered to attend in person a chance to watch all the talks and discussion and to contribute their own thoughts and questions via Twitter and a live chat facility (this year based on ScribbleLive).

Our streaming partner for this year is Switch New Media and we are looking forward to working with them on the day.  Some of you will probably be familiar with them because they provided streaming from this year's JISC Conference and the JISC Libraries of the Future event in Oxford.

If you plan on watching all or part of the stream, please sign up for the event’s social network so that we (and others) know who you are.  The social network has an option to indicate whether you are attending the symposium in person or remotely.

Also, for anyone tweeting, blogging or sharing other material about the event, remember that the event tag is ‘esym09’ (‘#esym09’ on Twitter).  If you want to follow the event on Twitter, you can do so using the Twitter search facility.

May 13, 2009

Identity in a Web 2.0 world?

In the flurry of Twitter comments about the Higher Education in a Web 2.0 World report yesterday I noticed the following tweet from Nicole Harris at the JISC:

#clex09 disappointed by lack of attention to identity issues in the report-despite it being included in the definition IDM hardly mentioned

I have to say that I share Nicole's disappointment.  Having now read thru the whole report I can find little reference to identity or identity management.  Identity doesn't appear in the index, nor in the list of critical issues.

This seems very odd to me.  The management of identity (in both a technology sense and a political/social sense) is one of the key aspects of the way that the social Web has evolved, witness the growth of OpenID, OAuth, Google OpenSocial and Friend Connent, Facebook Connect and the rest.  If the social Web is destined to have a growing influence on teaching and learning (and research) in HE then we have to understand what impact that has in terms of identity management.

There are two aspects to this.  I touched on the first yesterday, which is that understanding identity forms a critical part of digital literacy.  It therefore worries me that the report seems to focus more heavily on information literacy, a significantly narrower topic.  The second has to do with technology.

Let me give you a starter for 10... identity in a Web 2.0 world is not institution-centric, as manifest in the current UK Federation, nor is it based on the currently deployed education-specific identity and access management technologies.  Identity in a Web 2.0 world is user-centric - that means the user is in control.

Now... I should note two things.  Firstly, that Nicole and I might well have parted company in terms of our thinking at this point but I won't try to speak on her behalf and I don't know what lay behind her tweet yesterday.  Secondly, that user-centric might mean OpenID, but it might mean something else.  The important point is that learners (and staff) will come into institutions with an existing identity, they will increasingly expect to use that identity while they are there (particularly in their use of services 'outside' the institution) and that they will continue using it after they have left.  As a community, we therefore have to understand what impact that has on our provision of services and the way we support learning and research.  It's a shame that the report seems to have missed this point.

April 07, 2009

W3C launches Social Web Incubator Group

The W3C has launched a Social Web Incubator Group, chaired jointly by Dan Appelquist (Vodafone), Dan Brickley (Vrije Universiteit) and Harry Halpin (W3C Fellow from the University of Edinburgh) and I'm very pleased to note that Harry Halpin's contribution to this activity is supported by Eduserv through the Assisting the W3C in opening social networking data project funding that we made available late last year.

The group's mission is to "understand the systems and technologies that permit the description and identification of people, groups, organizations, and user-generated content in extensible and privacy-respecting ways".

March 20, 2009

Unlocking Audio

I spent the first couple of days this week at the British Library in London, attending the Unlocking Audio 2 conference.  I was there primarily to give an invited talk on the second day.

You might notice that I didn't have a great deal to say about audio, other than to note that what strikes me as interesting about the newer ways in which I listen to music online (specifically and Spotify) is that they are both highly social (almost playful) in their approach and that they are very much of the Web (as opposed to just being 'on' the Web).

What do I mean by that last phrase?  Essentially, it's about an attitude.  It's about seeing being mashed as a virtue.  It's about an expectation that your content, URLs and APIs will be picked up by other people and re-used in ways you could never have foreseen.  Or, as Charles Leadbeater put it on the first day of the conference, it's about "being an ingredient".

I went on to talk about the JISC Information Environment (which is surprisingly(?) not that far off its 10th birthday if you count from the initiation of the DNER), using it as an example of digital library thinking more generally and suggesting where I think we have parted company with the mainstream Web (in a generally "not good" way).  I noted that while digital library folks can discuss identifiers forever (if you let them!) we generally don't think a great deal about identity.  And even where we do think about it, the approach is primarily one of, "who are you and what are you allowed to access?", whereas on the social Web identity is at least as much about, "this is me, this is who I know, and this is what I have contributed". 

I think that is a very significant difference - it's a fundamentally different world-view - and it underpins one critical aspect of the difference between, say, Shibboleth and OpenID.  In digital libraries we haven't tended to focus on the social activity that needs to grow around our content and (as I've said in the past) our institutional approach to repositories is a classic example of how this causes 'social networking' issues with our solutions.

I stole a lot of the ideas for this talk, not least Lorcan Dempsey's use of concentration and diffusion.  As an aside... on the first day of the conference, Charles Leadbeater introduced a beach analogy for the 'media' industries, suggesting that in the past the beach was full of a small number of large boulders and that everything had to happen through those.  What the social Web has done is to make the beach into a place where we can all throw our pebbles.  I quite like this analogy.  My one concern is that many of us do our pebble throwing in the context of large, highly concentrated services like Flickr, YouTube, Google and so on.  There are still boulders - just different ones?  Anyway... I ended with Dave White's notions of visitors vs. residents, suggesting that in the cultural heritage sector we have traditionally focused on building services for visitors but that we need to focus more on residents from now on.  I admit that I don't quite know what this means in practice... but it certainly feels to me like the right direction of travel.

I concluded by offering my thoughts on how I would approach something like the JISC IE if I was asked to do so again now.  My gut feeling is that I would try to stay much more mainstream and focus firmly on the basics, by which I mean adopting the principles of linked data (about which there is now a TED talk by Tim Berners-Lee), cool URIs and REST and focusing much more firmly on the social aspects of the environment (OpenID, OAuth, and so on).

Prior to giving my talk I attended a session about iTunesU and how it is being implemented at the University of Oxford.  I confess a strong dislike of iTunes (and iTunesU by implication) and it worries me that so many UK universities are seeing it as an appropriate way forward.  Yes, it has a lot of concentration (and the benefits that come from that) but its diffusion capabilities are very limited (i.e. it's a very closed system), resulting in the need to build parallel Web interfaces to the same content.  That feels very messy to me.  That said, it was an interesting session with more potential for debate than time allowed.  If nothing else, the adoption of systems about which people can get religious serves to get people talking/arguing.

Overall then, I thought it was an interesting conference.  I suspect that my contribution wasn't liked by everyone there - but I hope it added usefully to the debate.  My live-blogging notes from the two days are here and here.

March 11, 2009

Eduserv Symposium 2009

Yesterday we announced our annual symposium for 2009, Evolution or revolution: The future of identity and access management for research [title updated 23 March 2009], which this year will focus on the intersection between identity management, access management and e-research. I think this is an important conjunction of themes and one where most focus to date has been on controlling access to resources whereas I think the interesting issues in the future will be around the changing nature of a researcher's online identity.

We think we've put together a nice mix of speakers, including those speaking from the perspective of researchers, funders, publishers, providers of national services and providers of institutional services. We also have a couple of speaking slots for which we are awaiting confirmation before we can go public.

This meeting is the 5th in our symposium series and comes at a time when we are transitioning from a Foundation to a Research Programme (about which, more later). As usual, attendance on the day is free. The symposium will be held at the Royal College of Physicians in London on Thurs 21 May 2009. Hope to see you there.

March 10, 2009

Free lunch?

Interesting that ClaimID (my current OpenID provider) are considering a subscription model, ClaimID nears 75k users.  As they say in their blog post:

Unfortunately, running ClaimID is not cheap, so we’re going to strive for a model that is both sustainable and secure.

I find myself increasingly prepared to pay for those services that I find valuable. Perhaps more importantly, I find I worry more about those services that don't offer me a way of paying directly for what I'm getting. This is just a personal thing and its certainly not clear cut one way or the other - some things are so successful that subscription model or not I don't have concerns about their future (though I appreciate that cast iron "sure things" don't actually exist in the real world). Others are worrisome even with the ability to pay directly for them. Indeed, this is one of the major considerations before starting to shell out hard-earned cash for something I guess. Whatever... one of the benefits of paying for something is that it helps to provide some direct context for the question, "How valuable is this?".

I'm saying all this primarily from a personal perspective you understand, though the reality is that the same considerations apply for those things we buy into in a professional capacity - it's just that in that case someone else is usually stumping up the cash.

February 19, 2009

Software as a disservice

I note from the UK Federation home page that the:

federation uses the standards-based Shibboleth software, developed by the Internet2 community in the United States. Shibboleth defines a common framework for access management that is being adopted by education and commercial sectors across the world.

A point echoed on their How it works page:

The UK federation uses the standards based Shibboleth software, developed by the Internet 2 community in the United States to facilitate the sharing of web resources that are subject to access control.

How odd... I've always understood the Federation to be based on an open standard, SAML to be precise, not on a particular piece of software, open-source or otherwise, and indeed this point is confirmed in the Federation's technical recommendations:

The UK federation uses the Security Assertion Markup Language (SAML) standards for the communication of authentication, entitlement and attribute information. The core of the federation is implemented using the Shibboleth software from Internet2. It is recognised, however, that any particular software implementation may not be suitable for all participants, and federation members may deploy any software that meets their specific service goals.

A perfectly reasonable statement.

Interestingly, I am often guilty of confusing the two (and I see the same thing happening with colleagues here at Eduserv), using the word Shibboleth effectively as shorthand for 'a profile of SAML'.  This confusion is a mistake and does significant harm to the community IMHO.

Open-source is fine and dandy but open standards are much more important and the effective positioning of a particular open source package into a psuedo-monopolistic position does nobody any favours.  That's the position we were trying to move away from as a community!  Shibboleth is to federated access management in the UK what Hoover used to be to vacuum cleaners.  This is great if you are trying to promote a single product but very poor if you are trying to build an open community.

February 11, 2009

Two snippets of OpenID news

A couple of bits of OpenID-related news that are worth noting...

First, both Paypal and Facebook have recently joined the OpenID Foundation.  The two are interesting for different reasons.  Paypal, it seems to me, brings with it the functional requirements of an environment that is very different from OpenID's original, low-trust, arena of blog posting and commenting.  On the other hand Facebook brings a high commitment to usability and, despite a generally bad press (or perhaps because of a generally bad press?), it seems to me is actually making some of the right kind of noises around openness.

In short, these moves are very interesting in terms of the future of OpenID and, to a certain extent, bring with them the potential of a shot in the arm for the credibility of OpenID in the education space.

Second, the work that Plaxo have been doing, using OpenID and OAuth to streamline their use of the Google as an OpenID provider (OP) also looks very interesting.  As the Wired article says:

This is momentum. All of a sudden, OpenID is looking like it has a very bright future.

January 27, 2009

Share creep

Nicholas Carr, Sharing is creepy, writing in response to Steven Levy's The Burden of Twitter, says:

Though he never names it, what Levy is really talking about here is shame. And the shame comes from something deeper than just self-exposure, though that's certainly part of it. There's an arrogance to sharing the details of one's life in public with strangers - it's the arrogance of power, the assumption that such details somehow deserve to be broadly aired. And as for the people, those strangers, on the receiving end of the disclosures, they suffer, through their desire to hear the details, to hungrily listen in, a kind of debasement. At the risk of going too far, I'd argue that there's a certain sadomasochistic quality to the exchange (it's a variation on the exchange that takes place between celebrity and fan). And I'm pretty sure that Levy's remorse comes from his realization, conscious or not, that he is, in a very subtle but nonetheless real way, displaying an undeserved and unappetizing arrogance while also contributing to the debasement of others.

I'm not sure that I buy the 'arrogance' argument. In a comment on Carr's blog post, Tom Slee reiterates the arrogance theme, comparing book writing to blog posting as follows:

With a book, you have to get a stamp of approval before inflicting your thoughts on readers (in the form of a publishing contract), so there is something un-egotistical about a book: "I'm not the one claiming that my scribblings are worth reading, someone else thinks they are too". But with a blog, or other intermediary-free publishing mechanism, there is something about the effort -- "Here Are My Thoughts, Listen To Them!" -- that is presumptuous, almost distasteful.

Here's a different take on it. If I write a book I'm saying, "Here are my thoughts, I (and at least one other person?) think they are worth paying for". If I write a blog post I'm saying, "Here are my thoughts, read them if you want to". Which is more arrogant?

I don't feel particularly arrogant about writing here for example - it's a take it or leave it thing for the reader as far as I'm concerned.  I sometimes feel bemused that people read it (you are reading it aren't you? :-)) but that's a different matter.  That's not to say that I don't feel some level of shame in exposing my digital identity so openly. I do. Actually, I'm not sure that shame is quite the right word here but it is used above and I'm willing to go with it for the sake of this post.  I've recently started, as a personal activity, blogging a photo every day over on Blipfoto and this does, I must admit, cause me to think about what I am doing with my digital identity much more acutely than I have before.

The problem, for me, lies in the increasingly fuzzy divide between professional and personal, a semi-controlled growth in the leakage of information between the two, and a partial transference of practice from my professional to my personal life. It is no accident that both Twitter and Facebook have a tendency to blur the interface between these two worlds quite significantly and, as a result, are often cited as a source of potential discomfort around digital identity.

For me, there are two aspects to that discomfort I think.  Firstly, a slight tendency on my part to write things online (of the thoughts and feelings variety) that I might struggle to express verbally to the people around me, an aspect of my character that some people (who I would consider to be close to me) find bemusing.  For the record, I find it slightly bemusing myself. Secondly, an understanding that I am contributing in various ways to the digital identity of my children (and others around me), coupled with an incomplete understanding of quite what impact I am having.  I know that, as parents, we all contribute to the identity of our children, not only genetically but also in our relationship to them and the mediation of their relationships to other people - but somehow the addition of a digital aspect to that equation seems to make the issues more up-front and permanent.  So, yes, shame might not be the right word for it, but there is some level of discomfort around my digital identity and it's impact on my real-life relationships.

The slight irony is that this blog post is probably now part of that discomfort!

January 21, 2009

OpenIDs, researchers and delegation

Cameron Neylon has an interesting post, A specialist OpenID service to provide unique researcher IDs, which discusses the possibilities of using OpenIDs as identifiers for researchers as part of the scholarly communication process. As Cameron says:

Good citation practice lies at the core of good science. The value of research data is not so much in the data itself but its context, its connection with other data and ideas. How then is it that we have no way of citing a person? We need a single, unique way, of identifying researchers. This will help traditional publishers and the existing ecosystem of services by making it possible to uniquely identify authors and referees. It will make it easier for researchers to be clear about who they are and what they have done. And finally it is a critical step in making it possible to automatically track all the contributions that people make.

I touched on some of these issues a while back in Repositories and OpenID though, as Cameron notes, the real (and very significant) hurdle to be overcome here is convincing people to think about solving a problem they don't even know they have using a solution that they probably don't find very intuitive!

There's a good deal of discussion about the post in Cameron's FriendFeed. (It's slightly annoying that the discussion is somewhat divorced from the original blog post but I guess that is one of the, err..., features of using FriendFeed?)

One aspect of the OpenID specification that seems to be missing in people's examples (given as part of the discussion) is that of delegation.  If you sign up for, and publicise, an OpenID directly based on one of the major OpenID providers ( or for example) then you are at the mercy of those services for the persistence of your OpenID.  If they go under, so does your personal identifier.  This probably doesn't matter too much in the context of signing in to multiple blogging services but it certainly does in the context of scholarly communication.

Instead, use OpenID's delegation feature to use a domain under your direct control (or under the control of an organisation you trust) as the basis of your OpenID to better guarantee its persistence into the future.  For example, I have OpenIDs from both the providers above but I use and publicise as my OpenID, delegating the technical bits to for the time being whilst retaining the ability to delegate somewhere else in the future if I so choose or if the need arises.

For a description of how to delegate your OpenID see this post (from December 2006) by Simon Willison.

Actually, the fact that I'm citing something from late 2006 might be seen as a useful reminder of how slowly OpenID is gaining any significant traction?

January 15, 2009

Digital Identity Workshop

As you may know, the three projects that we funded last year are all investigating different aspects of digital identity. The projects came together last week to organise a Digital Identity Workshop at the British Library.  This seemed to me to be a great success and you can read other people's reactions to it here, here, here and here.

The day used a Pattern Language methodology, led primarily by Steven Warburton and Yishay Mor, which I found particularly interesting.

The methodology focuses on abstracting 'patterns' (as that term is used in architectural design) from similar pairs of case studies (or stories).  Prior to the day we had been asked to submit our case studies (in a lightly structured form) to the Pattern Language Network Wiki.  On the day itself, we were split into small groups and one of us was asked to recount our case study to the others.  Then a second member of the group was asked to recount a similar or related case study of their own.  The intention was to identity 'assets' (things about which there was agreement) and 'hazzards' (things about which there wasn't agreement) from the two case studies, ultimately leading to one or more 'patterns' (a recurring solution) being identified.

It was a lot to fit into a single day and my suspicion is that most people left the event feeling quite drained.  I certainly did.  But it was refreshing to be involved in something so active and participatory for a change - not just listening to presentations by other people.

We could have done with more time at the end to discuss our findings but my suspicion is that if we'd tried to do so, some of the groups probably wouldn't have got as far as they did with their patterns.

The resulting patterns and other outputs from the day are beginning to appear in the Wiki.

In my group, we started with my own Identity Aggregation case study, then talked about Harry Halpin's desire to aggregate address book and related 'contact' and 'presence' information, resulting in a simple pattern that we called 'Permissioned aggregation of personal information'.

Ian Truelove makes the point in his blog post that the process being used here was more important than the resulting outputs and in a sense I agree.  But I also hope that as this work moves forward, and a second meeting is already in the pipeline, there will be useful resources that result from this work.

January 12, 2009

Mapping Me

Last Thursday I attended the workshop on digital identity co-ordinated by members of the three new projects funded by Foundation research grants this year (Rhizome, This is Me, and Assisting the W3C in opening social networking data).

Ahead of the event, moved partly by thinking about the day (and by Andy's earlier post) and partly by a post by Botgirl Questi I happened across the other day, I thought it might be interesting to try to sketch out a "mind map" of the principal digital sources where I create (or created) content which contributes in some way to the representation of my "digital identity".

(To be honest, I did this mostly for my own purposes, just so that I could visualise what that landscape looked like, but as my posts here have been somewhat thin on the ground (mainly because I don't feel I've had much of interest to say of late, to be honest - I did half-draft a post on that topic, but it was getting too depressing!), I thought I'd share it here.)


I've included only those sources where I've identified myself by my birth name or a nickname/userid that I frequently associate with it (usually "PeteJ" or "PeteJo" or something similar) - my "work-related" identity, if you like - even if the content isn't always directly related to my work activity, it is associated with the identity under which I perform that activity. In at least some of those sources, I've actually posted very little content, so there may be little more than a minimal "profile" page, but I guess even the presence of that minimal page "says" something about work-me in that it indicates that at some point I had sufficient interest to register for a service. On some other services, my main input has been comments on, or ratings of, or maybe just subscriptions to, the contributions of others, rather than any new "primary content" of my own.

The resulting "map" probably looks fairly complex, but I was mildly surprised that it was relatively limited in extent. And kinda pleased too, because over recent months I have been making some efforts to "prune" back some of the content which I've put "out there" over the years which has left me slightly uncomfortable about just how much information about myself I have disclosed, and to "take firmer control" of other bits. I've deleted a few accounts (Orkut, LinkedIn) which I wasn't making any real use of but which nevertheless disclosed a fair amount of information, and I've restricted access to content on others (notably by switching to "protected" status on Twitter). (Though, yes, I know, caches like Google's probably have some of it.)

I keep thinking of things I've missed: I've got some accounts with other virtual worlds which I used only once or twice; I've certainly registered on dozens of other "Web 2.0" services, played around for 15 minutes, and forgotten about them by the following day....

December 23, 2008

The apples and oranges of Shibboleth and OpenID

The JISC-funded Review of OpenID was recently made available, announced in a blog post by James Farnhill and resulting in quite a long thread of discussion on the [email protected] mailing list.

The report is not exactly my cup of tea, though I can't find much fault with the individual words (I'll leave my detailed comments on James' blog post), more with the overall tone. The trouble is that it inevitably ends up comparing OpenID against the Shibboleth / UK Federation which is not comparing like with like - one is a bare technology, the other a technology delivered in the context of a set of national policies.

As I suggested (implicitly) in the follow-up discussion, a fairer comparison would be to consider what an OpenID-based UK Federation might look like - white-listing trusted (institutional) OpenID Providers and mandating the use of SSL as appropriate to build a reasonable(?) trust infrastructure on top of OpenID rather than Shibboleth.

Those who see OpenID as an all-or-nothing 'open' solution responded that such an approach wouldn't work.  Or as the report puts it:

... because "the OpenID technology is not proprietary and is completely free" then users, OPs and SPs will expect that all OpenID providers are equal and can be used interchangeably.

I couldn't disagree more.  That's like suggesting that all email providers are seen as equal.  It seems almost ineviatble to me that some OPs will emerge as being more trusted than others, either explicitly thru the creation of federation-like initiatives or as they naturally emerge out of the Internet soup.

In his response to the blog post, Brian Kissel notes that:

the OpenID Foundation would welcome participation, input, and recommendations from JISC on how OpenID could evolve to meet your needs.

This is helpful.  For me, I'd like to see more discussion around trust issues and how we might sensibly begin to layer trust networks around the use of OpenID in areas such as higher education.

Final comment... I love (not!) the apparent quote from the survey of attitudes to OpenID by computing service staff:

why would the University put in effort to make it easier for students to access other people's [non-academic] resources?

Good grief... with attitudes like that it's hardly surprising that users are moving to external service providers :-(

December 18, 2008

JISC IE and e-Research Call briefing day

I attended the briefing day for the JISC's Information Environment and e-Research Call in London on Monday and my live-blogged notes are available on eFoundations LiveWire for anyone that is interested in my take on what was said.

Quite an interesting day overall but I was slightly surprised at the lack of name badges and a printed delegate list, especially given that this event brought together people from two previously separate areas of activity. Oh well, a delegate list is promised at some point.  I also sensed a certain lack of buzz around the event - I mean there's almost £11m being made available here, yet nobody seemed that excited about it, at least in comparison with the OER meeting held as part of the CETIS conference a few weeks back.  At that meeting there seemed to be a real sense that the money being made available was going to result in a real change of mindset within the community.  I accept that this is essentially second-phase money, building on top of what has gone before, but surely it should be generating a significant sense of momentum or something... shouldn't it?

A couple of people asked me why I was attending given that Eduserv isn't entitled to bid directly for this money and now that we're more commonly associated with giving grant money away rather than bidding for it ourselves.

The short answer is that this call is in an area that is of growing interest to Eduserv, not least because of the development effort we are putting into our new data centre capability.  It's also about us becoming better engaged with the community in this area.  So... what could we offer as part of a project team? Three things really: 

  • Firstly, we'd be very interested in talking to people about sustainable hosting models for services and content in the context of this call.
  • Secondly, software development effort, particularly around integration with Web 2.0 services.
  • Thirdly, significant expertise in both Semantic Web technologies (e.g. RDF, Dublin Core and ORE) and identity standards (e.g. Shibboleth and OpenID).

If you are interested in talking any of this thru further, please get in touch.

December 11, 2008

OpenID Foundation community board member elections

The election of community board members of the OpenID Foundation is underway and voting is now open. Snorri Giorgetti has a nice summary of why this is important (though I should note that using this link is not explicitly intended to endorse his candidacy).  As a non-profit member of the Foundation and an educational charity, Eduserv will be using our vote in what we consider to be the best interests of the UK education community.

As I minor aside, I note that in email discussion around the voting process Peter Williams has asked all 17 candidates to state where and how they use OpenID or to justify why they don't use it.  Setting aside whether this is a valid criteria for selecting a candidate (FWIW, I'm not totally convinced that it is) it did prick my conscience about this blog which still doesn't support OpenID-based comments.  Why not?  Because despite the advent of things like Typepad Connect and Profiles it still feels harder than it should to configure this stuff on any Typepad-hosted blog where you have moved to advanced use of the templating system.

We're working on it and offer our apologies in the meantime.

November 13, 2008

OpenID market research

Brian Kissel (of JanRain) has a nice set of slides on Slideshare, OpenID Foundation Market Research Report from IIWb 2008,summarising the market drivers, technology enablers and business benefits of OpenID, then listing some of the challenges currently being faced and the initiatives underway in response.

I've been meaning to write up some of this stuff here but these slides capture the issues very succinctly so I won't bother :-)

The user experience of OpenID continues to be one of the major barriers to more widespread take up, something that has been discussed here before.  What I think is interesting, at least in comparison to what I suggest are a very similar set of usability issues for Shibboleth (as adopted by the UK Access Management Federation), is how openly the usability problems are being discussed and how significant the resources are (e.g. including a contribution from the likes of Google and Yahoo) that appear to be being put into solving them.  This is where the adoption of mainstream technologies (such as OpenID), as opposed to education-specific technologies, can bring real benefits for the education community.

November 10, 2008

define:digital identity

I recently had need of a one line definition for 'digital identity' (as part of writing some blurb for a forthcoming (invitation-only I'm afraid) workshop with our newly funded 'identity' projects).

My usual course of action in such situations is to type "define:whatever" into Google and/or to go to the appropriate Wikipedia page (though more often than not both approaches lead to the same definition in any case).

In this case however, I felt a little let down.  Wikipedia currently defines 'digital identity' as follows:

Digital identity refers to the aspect of digital technology that is concerned with the mediation of people's experience of their own identity and the identity of other people and things. Digital identity also has another common usage as the digital representation of a set of claims made by one digital subject about itself or another digital subject.

Perhaps it's just me, but I find that opening sentence somewhat less clear and helpful than it might be.  "Concerned with the mediation..." - what's that all about?

Well... to cut a long story short, I spent some time looking around at alternative definitions, including those used in some of the proposals we received in response to this year's grant call, and came up with the following:

Digital identity is the online representation of an individual within a community, as adopted by that individual and/or projected by others.  An individual may have multiple digital identities in multiple communities.

I appreciate that this isn't technically one sentence but it is short and sweet - and reasonably easily understood.  I'd welcome comments about it.

As Pete pointed out in a comment on one of my previous posts, Steve Warburton of the Rhizome project has quite a nice set of slides exploring the issues of digital identity in the context of learning, teaching and research:

I particularly like the opening quote from Cole Camplese:

"As I try (and leave) more and more environments I am depositing small identity artifacts that I can no longer track and I am feeling like I am fracturing my identity more and more along the way.”

My suspicion is that most of us feel a bit like that! And, as Steve says on slide 8:

  • digital identities are performed across a variety of electronic spaces
  • we are in effect, curators of the self
  • leveraging a number of differing services
  • comprised of structured (transactional) and unstructured data
  • resulting in the creation of distributed, proliferating digital selves

To try and illustrate this I've added a short case-study about my own 'fractured' digital identity to the wiki that the projects are using to gather scenarios in advance of the workshop. The remainder of this blog entry contains a slightly updated version of my case-study.  It is by no means complete.  I wanted to try writing it all down partly because in a recent radio interview for Emerging Mondays I was asked a direct question about what I thought my own digital identity was and I didn't really have a sensible answer (not that this case-study is necessarily a sensible answer either).

The text below follows the formatting used in the wiki.


What was the setting in which this case study occurred?

  • Prior to the 'Web 2.0' age I was reasonably successful at focusing the bulk of my digital identity at a reasonably small number (3 or 4) Web 'home' pages. (There was other stuff of course - like every email I've ever sent to a public list - which was more distributed but I'll ignore that for now.) A Google search for 'Andy Powell' still returns two of these (both on UKOLN servers) as 3rd and 4th hit -  coming after the guitarist of Wishbone Ash (my long-term Google nemesis).
  • This was achieved in part simply because of the high ranking of UKOLN pages, but also thru a reasonably consistent approach to linking back to my UKOLN home page from email footers, other web pages, open source software README files, and so on.
  • Since the advent of Web 2.0, my digital identity has become dispersed across a large number of sites - Facebook, Flickr, Typepad, Blogger, Hotmail, GMail,, Animoto, Slideshare,, the Eduserv web site, LinkedIn, Plaxo, FriendFeed, YouTube, Yahoo Pipes, Ning, … I could probably go on and on.  (Note that not all of these offer public profiles and that for some of them I contribute under several accounts).
  • I take reasonable care to name myself consistently within these services as 'andypowe11' (note the use of digit '1's rather than letter 'l's) but that name is not always available (e.g. Google) or appropriate (e.g. Facebook and Eduserv). In any case, some of the material is hosted on joint work-related 'eduserv' or 'eduservfoundation' accounts within these services - with hindsight this was probably not a sensible approach to take but I'm now stuck with it.
  • The choice of name (using digit 1's reather than letter l's) has resulted in a reasonably unique name, but can also lead to some confusion, e.g. where people mis-read it as 'andypowell' (with letter l's) - it is certainly not an intuitive search term for people to use when looking for me.  It is also not used totally consistently, for the reasons outlined above.
  • I have 3 primary email addresses ([email protected], [email protected] and [email protected]).
  • My public relationships with other people are mostly embedded into the sites listed above (using their internal friending mechanisms) - particularly Facebook, Twitter, Second Life.
  • Facebook is probably the biggest of these. It contains both personal and work relationships. In the main, other services contain mainly work-related relationship details.  Note that the ultra-simplistic use of 'friend' as the only available relationship type in these services doesn't capture any of the more subtle aspects of my relationships with other poeple in any case.  Note also that one of the things that has changed significantly over the last few years is that I have a much stronger 'personal' presence on the Web.  Before about 5 years ago, my only visibility on the Web was professional.  There is an ongoing tension around exposing my professional life to my personal friends and my personal life to professional colleagues.  Whilst this isn't a major problem or headache for me, I am conscious that there is now much more cross-over than there ever used to be.
  • I also have an alter-ego, in the form of Art Fossett (my Second Life avatar), who appears both in-world and on the Web (via the ArtsPlace SL blog and a Flickr account for example) and in email ([email protected]).
  • I am the developer of Second Friends, a Facebook application that allows people to share parts of their Facebook, Second Life and Twitter accounts (in relatively limited ways). This is the major point at which I draw together my two primary digital identities - though in general I make no secret that Andy Powell and Art Fossett are one and the same.
  • As Andy Powell, I blog at eFoundations, which I author jointly with a colleague (Pete Johnston) at Eduserv - i.e. this blog isn't all my own work. I also maintain a personal blog (intermittently) at a7eleven.
  • I have at least 3 OpenIDs (as Andy Powell - and others as Art Fossett) of which my preferred one currently is ClaimID have a nice 'verified' option, allowing readers to verify that I own the things I say I own (at least in the context of trusting what the ClaimID site says about me).
  • The content of many of these fragmented parts of my digital identity(ies) is quite fragile - in the sense that it resides at external Web 2.0 services over which I have little or no control and which are probably less persistent than I am.
  • All in all, it's a confusing picture.


What was the problem to be solved, or the intended effect?

  • I would like to consolidate my Web presence as far as possible, at (or around) (and [email protected]).
  • Note that this will not be completely possible (or desirable) - my Eduserv work related material will always reside at (or around) the Eduserv Web site for example and will always be associated with my [email protected] email address (as its most visible Eduserv unique id).
  • I also have something of an identity crisis around Art Fossett - specifically concerning how closely the digital identities of Andy Powell and Art Fossett should be related.


What was done to fulfil the task?

  • Aggregating blog, Flickr, Twitter and other content at is reasonably easy to do, and I have an ongoing (lightly resourced) activity to do this (based on a combination of Yahoo Pipes and PHP scripting primarily).
  • I still need to resolve the issue of whether material associated with Art Fossett should be included in this aggregation.
  • Note that I have to dis-aggregate my contributions to the eFoundations blog before aggregating them with my other stuff (so as not to confuse stuff that is written by my co-author). This is done with a Yahoo Pipe based on a 'dc:creator=PowellAndy' tag which is auto-inserted into the Typepad RSS feed from the blog.
  • I don't currently aggregate stuff from Slideshare and YouTube, though ultimately I would like to - again, much of this material has been made available under a single 'eduserv' account - so I will have to disaggregate it before adding it to my own stuff. Again, this will be done based on the same tag.
  • I would also like to transfer the Google-juice that is associated with my 'old' personal pages at UKOLN to my new Web presence. Technically, this can be done by asking my old employer to issue a 301 (Moved permanently) from the old URL to Whether UKOLN would be willing to do this is another matter - my guess is that they might be willing to do so for my old personal page ( but not for my more formal old work page (  I haven't got round to asking yet.
  • I want to increase the machine-readability of the information held at using micro-formats (hCard) and related technologies.
  • I plan to move my OpenID to using delegation to ClaimID.


  • No results to date - other than a minimal but growing presence at

Lessons Learned

  • Think carefully before pushing content into external web 2.0 services using a shared account because disaggregating content back out may be difficult.
  • Think carefully about where you build up Google-juice because moving it around may be outside of your control.
  • Using external tools is fine, but whenever possible host the resulting content at a domain name under your control.  For example, using Wordpress or Blogger and hosting the resulting blog at or is much better than using Wordpress, Blogger or TypePad and hosting the resulting content under, or  Why?  Because the result should be more persistent (or if it isn't, it is at least your own fault).
  • Stuff on the Web is messy and it's probably going to get messier... get used to it.

Of course... I could have made all this up and it is actually someone else that creates all this stuff!

November 03, 2008

2008 grants - social networking and online identity

We have been very slow in bring you news of our grant funding for 2008.  Sorry about that.  The delay is basically down to getting all of the projects fully signed off by all parties.  Anyway, enough of the excuses...

...we are very pleased to be supporting three projects this year, representing, in total, over £200,000 of project funding.  The projects, conducted by University of Edinburgh, King's College London, and University of Reading, all focus on issues associated with social networking and digital identity.

Assisting the W3C in opening social networking data
This two-year project, undertaken by Harry Halpin at the University of Edinburgh, aims to explore the power and utility of royalty-free standards for extensible open social data. This project will help investigate and generate work proposals for opening social data at the Web's foremost standards body, the World Wide Web Consortium (W3C).
Rhizome: exploring strands of online identity in learning, teaching and research
A fourteen month project, led by Dr Steven Warburton of King's College London. The project will use narrative inquiry and scenario mapping to explore the key technical and social elements that impact on the construction of online identities. The work will build a framework for understanding the tools, literacies, and practices needed to create and manage individuals' digital self-representations.
This is me
An eight month project, led by Shirley Williams of the School of Systems Engineering at the University of Reading, will investigate how individuals can be made more aware of their digital identity and how such identities can be developed and enhanced. The project will produce a set of Web-based resources designed to be of use both within the University of Reading and by the wider UK HE community.

October 14, 2008

Thoughts on FOWA

I spent Thursday and Friday last week at the Future of Web Apps Expo (FOWA) in London, a pretty good event overall in retrospect and certainly one that left me with a lot to think about.  I'm not going to write up any of the individual talks in any kind of detail - videos of all the talks are now available, as is my (lo-fat) live-blogging from the event - but I do want to touch on several thoughts that occurred to me while I was there.

Firstly, the somewhat mundane issue of wireless access at conferences...  I say mundane because one might expect that providing wireless access to conference delegates should have become pretty much routine by now - a bit like making sure that tea and coffee are available?  But that didn't seem to be the case at this event.  My (completely unscientific and non-exhaustive) experience was that everyone with a Mac in the venue had no trouble with the wifi network but that everyone with a PC seemed to have little or no connectivity.  (Actually, that's not quite true, I did find one person with a PC laptop who had no problem using the wifi).  Whatever... my poor little brand new EeePC didn't get on the network for any significant period of time at any point in the two days :-(

P1070969So, OK, we all know that Macs are better than PCs in every way but I was amazed at the stark difference that seemed to be in evidence during this particular event.

The lack of wifi connectivity was of particular annoyance to yours truly, since I was hoping to live-blog the whole event.  In the end, I used the mobile interface to Coveritlive via my iPhone over a 3G connection to cover some of the sessions - not an easy thing to do given the soft-keyboard but actually an interesting experiment in what is possible with mobile technology these days.  By day 2 of the conference my typing on the soft-keyboard was getting pretty good - though not always very accurate.

The conference had quite a young and entrepreneurial feel to it - I'm not saying that everyone there was under 30 but there were a lot of aspects to the style of the conference that were in stark contrast to the rather more... err... traditional feel of many 'academic' conferences.  I don't want to argue that age and attitude are necessarily linked (for obvious reasons) but the entrepreneurial thing is particularly interesting I think because it is something that has a non-obvious fit with how things happen in education.  Being an entrepreneur is about taking risks - risks with money more than anything I guess.  I don't quite know how this translates into the academic space but my gut feeling is that it would be worth thinking about.  Note that I'm not thinking about money here - I'm thinking about attitude.  What I suppose I mean is our ability to break out of a conservative approach to things - our ability to overcome the inertia associated with how things have been done in the past.

I realise that there are plenty of startups in the education space - Huddle springs to mind as a good current example of a company that seems to have the potential to cross the education/enterprise divide - my concern is more about what happens inside educational institutions.  A 24 year-old can run the world's biggest social network yet we don't see similar things happening in education... do we?  Calling all 24 year old directors of university computing services...

Is that something we should worry about?  Is it something we should applaud?  Does it matter?  Is it an inevitable consequence of the kinds of institutions we find in education?

Funding by JISC, Eduserv and the like should be about encouraging an entrepreneurial approach to the use of ICT in education but I'm not sure it fully succeeds in doing that.  Project funding is by its nature a largely low risk activity - except at the transition points between funding.  There are exceptions of course - there are people that I would say are definitely educational entrepreneurs (in the attitude sense) but they tend to be the exception rather than the rule overall and even where they exist I think it is very difficult for them to have a significant impact on wider practice.

The entrepreneurial theme came out strongly in several sessions. Tim Bray's keynote for example, my favorite talk of the conference, where he focused on what startups need to do to react to the current economic climate.  And in a somewhat contrived debate about 'work-life balance' where Jason Calacanis argued that "it's ok to be average but not in my company" - ever heard that in the education sector?  I'm not saying that his was the right attitude, and to a large extent he was playing devil's advocate anyway, but these are the kinds of issues that we tend to be pretty shy about even discussing in education.

Unfortunately, the whole entrepreneurial thing brings with it a less positive facet, in that there tends to be a "it's not what you know, but who you know" kind of attitude.  This comes out both face-to-face (people looking over your shoulder for a more interesting person to talk to - yes, I know I'm a boring git, thank you!) and in people's use of social networks.  The people I'd unfollow first on Twitter are those who spend the most time tweeting who they are meeting up with next. Yawn.

Much of FOWA was split into two parallel tracks - a developer track and a business track.  I spent most time in the former.  Overall I was slightly disappointed with this track and found the talks that I went to in the business track slightly better.  It's not that there weren't a lot of good talks in the developer track - just that they didn't seem like good developer talks.  My take was that many of them would have been more appropriate for managers who wanted to get up to speed on the latest technology-related issues and thinking.  It didn't seem to me that real developers (of which I'm not one) would have got much from many of those talks - they were too superficial or something.

Now, clearly, running a developer track aimed at 700-odd delegates is not an easy task - I certainly wouldn't be able to do any better - but more than anything you've got to try and inspire people to go away and learn about and deploy new technology, not try and teach it directly during the conference.  For whatever reason, it didn't feel like there was much really new technological stuff to get inspired about.  This is not the conference organiser's fault - just timing I guess.  The business track on the other hand had plenty to focus on, given the current economic climate.

As you'd expect, there was also a lot about the cloud over the two days.  Most of it positive... but interestingly (to me, since it was the first time I'd heard something like this) there was an impassioned plea from the floor (during the joint important bits of cloud computing slot by Jeff Barr and Tony Lucas) for consumers of cloud computing to band together in order to put pressure on suppliers for better terms and conditions, prices, and the like.

Overall then... FOWA was a different kind of event to those I normally attend and to be honest it was a very last-minute decision to go at all but I did so because there were some interesting looking speakers that I wanted to see.  It wasn't a total success (hey, what is!?) but on balance I'm really glad I went and I got a lot out of it.

P1070970Two final mini-thoughts...

Firstly, virtual economies came up a couple of times.  Once in the Techcrunch Pitch at the end of the first day, where one of the panel (sorry, I forget who) suggested that virtual economies would increasingly replace subscriptions as the way services are supported.  I think he was referring to services outside the virtual world space where these kinds of economies are regularly found - Second Life being the best known example of a virtual world economy - though I must confess that I don't really understand how it might work in other contexts.  Then again in Tim Bray's talk where he noted the sales of iPhone applications at very low unit costs (e.g. 59p a time) - a model that will become increasingly sustainable and profitable because of the growing size of the mobile market.  (I appreciate that these two aren't quite the same - but think they are close enough to be of passing interest).

Secondly, I had my first chance to play on a Microsoft Surface - a kind of table-sized iPhone multi-user touch interface.  These things are beautiful to watch and interact with, and the ability to almost literally touch digital content is amazing, with obvious possibilities in the education and cultural sectors, as well as elsewhere.  Costs are prohibitive at the moment of course - but that will no doubt change.  I can't wait!

P1070972 And finally... to that Mark Zuckerberg interview at the end of day 2.  I really enjoyed it actually.  Despite being well rehearsed and choreographed I thought he came across very well.  He certainly made all the right kinds of noises about making Facebook more open though whether it is believable or not remains to be seen!

It's easy to knock successful people - particularly ones so young.  But at the end of the day I suspect that many of us simply wish we could achieve half as much!?

September 24, 2008

Laws of identity - the short version

Kim Cameron's laws of identity have attained a kind of "stone tablet" status in the identity world since their introduction in 2006 but the document in which they first appeared is not necessarily one that everyone is going to read. The appearance of a short version a while back, picking out the essential points of the original into six brief statements, might therefore be of interest - especially for those of you that prefer a "back of the fag packet" kind of approach (<cough>twitterers</cough>).

I repeat their new brevity in full here:

People using computers should be in control of giving out information about themselves, just as they are in the physical world.

The minimum information needed for the purpose at hand should be released, and only to those who need it. Details should be retained no longer than necessary.

It should NOT be possible to automatically link up everything we do in all aspects of how we use the Internet. A single identifier that stitches everything up would have many unintended consequences.

We need choice in terms of who provides our identity information in different contexts.

The system must be built so we can understand how it works, make rational decisions and protect ourselves.

Devices through which we employ identity should offer people the same kinds of identity controls - just as car makers offer similar controls so we can all drive safely.

Good stuff. These make a lot of sense to me. I have a very slight wording issue with the second one, which following on from the first (" people ... should be in control") might be better re-phrased in terms of our expectation of services (rather than as a direct command to the user). Something like:

Systems should only require the minimum information needed for the purpose at hand and that information should only be shared with those who need it. Details should be retained no longer than necessary.

The car analogy in the last point is interesting. When I drive a hire car I sometimes find myself wiping the windscreen when I really mean to indicate or flash the headlights but I never find myself hitting the brakes when I mean to hit the accelerator or reverse gear when I mean 5th gear. So, yes, the important things are consistent enough across different car manufacturers that we can drive safely whatever car we get into (even given fairly major differences like left vs. right-hand drive for example).

The usability and security of the identity system overall is similarly bound up in people's understanding of it and the consistency of the user-experience across different parts of the system. On that basis, I think the last two points of the six are quite tightly coupled. Without such an understanding, issues like phishing become much more of a potential threat. There is a slight danger that the last point will discourage innovation in the identity space but, on balance, I think that is a risk worth taking.

August 01, 2008

Bye, bye Athens... hello UK Federation

It's a big day today for federated access management in UK academia with "nearly 500 institutions and organisations [completing] the transition to a new open standard SAML compliant access management system and the UK Access Management Federation", many of them using our own OpenAthens offering.

Out with the old (Athens), in with the new (UK Access Management Federation) and all that (at least within education).

The JISC press release on the subject is somewhat disingenuous in not acknowledging the significant role that Athens has played in the UK's academic information landscape over the last 10 years or so.  I don't have the figures to hand but in a way the figures don't matter - the reality is that a very significant proportion of the UK academic community have found Athens to be a fundamental, usable, reliable and robust part of their online experience for a very long time.  I can't take any credit for that because I haven't worked at Eduserv for long enough... but there are people here, a lot of people actually, who deserve significant kudos for what they have achieved in servicability terms since Athens was first funded way back when.

It seems incredible to me that the end of such a fundamental and successful service is not being more overtly and publicly celebrated in some way.  Perhaps it is and I just haven't been invited! :-)

Similarirly, the press release makes no mention of the role that individual members of staff at Eduserv have had in helping with the transition.  Yes, there have been corporate differences of opinion along the way but my impression is that people here have been working hard to make the transition as painless as possible for institutions within the constraints of what is being funded.  It seems to me that you can't transition a service as fundamental as access manangement from A to B without at least some help from those who helped to kept A running smoothly.

In the past three months, membership of the Access Management Federation has risen dramatically as educational institutions and service providers move to take advantage of the numerous benefits of joining.

Well, yes... erm... that's "numerous benefits" as in "shotgun wedding" I presume? :-)

These include improved services to users, easier compliance with regulatory requirements, reduced support requirements and improved data security.

Grand claims... for which I'd like to see the evidence.  I'm certainly not holding my breath!  As I've argued before, I see usability getting significantly worse within the Federation than it has been using Athens, so I'm not sure that I see short-term "improved services to users" - but in the longer term, yes hopefully.  I'm not anti the Federation but I think we have to be honest about where the benefits come from - for me, it's purely about the adoption of open standards, which ultimately will bring benefits for the community - but possibly (probably?) with some short term pain on the way.

Anyway, I'm being churlish again... tonight I will raise a glass (probably on my own!) to the successes of the past and the even bigger successes of the future.  Here's to both Athens and the Federation.

July 25, 2008

MySpace does OpenID

TechCrunch report that MySpace will become YAOP (yet another OpenID Provider), bringing the total OpenID-enabled accounts to over 500 million.

The numbers are fun and superficially impressive but don't really amount to a "hill of beans" since they fail to acknowledge the two most pressing issues around OpenID adoption.  Firstly, that there aren't enough relying parties (i.e. sites that will allow you to log in using an OpenID provided by a different service) and secondly, that the user experience needs significant improvement.  The two are related, or so it seems to me, because I think there would be significantly more (and probably better) eyes looking at solving the usability problems if the big players entered the OpenID space as relying parties rather than (or as well as) OpenID providers.

Oh well, all adoption is good adoption I suppose...

July 17, 2008

OpenID and usability

Hot on the heels of my own post about the unsatisfactory nature of usability within Shibboleth-based federations, Mike Ellis has a nice post about the usability problems with OpenID.

Overall, I pretty much agree with where Mike is coming from on this.  My own experience of trying to use OpenID tends to one of confusion (possibly because my use of Sxipper makes the situation worse?).  As I said in a comment on Mike's post:

Something needs doing. Browser plugins might help - but I’m generally sceptical about such things because requiring a browser plugin for what is essentially ‘core’ Web functionality indicates a serious mis-match somewhere.

I’m still hopeful that things will get better.

In general, I tend to recommend Sxipper rather than OpenID for people who want help managing multiple usernames/passwords - but Sxipper is no way perfect either. I wouldn’t recommend it to my mum for example.

Information cards anyone - yes, I’m probably clutching at straws.

July 03, 2008

Catch you on the flip side later - improving the federated user experience

My colleague, David Orrell, gave a presentation to the JISC Federated Access: Future Directions day in Birmingham earlier this week.  Here are his slides:

David's presentation covered the user experience of both federated and user-centric approaches to identity management (i.e. the UK Access Management Federation and OpenID), the associated trust issues, and the potential impact that Information Cards might have on this space.

This blog entry focuses primarily on the first of these - the potential lack of consistency of the user experience in federated identity management environments such as that offered by the UK Access Management Federation.  There are two aspects to this: firstly the different experiences that different users see of the same service (by virtue of the fact that the authentication part of that experience is offered by their home institution rather than by the service itself) and secondly the different experiences that the same user sees of different services within the federation.

By way of example, let's consider two users, Janet and John (each from different universities, let's say Bath and Bristol) and two services, Service A and Service B.

When Janet and John access Service A they will each have a slightly different experience because the authentication part of the process will be provided by Bath in one case and Bristol in the other.  That makes it difficult for Service A to completely document its interface because at some point it will have to resort to saying something like: "you will then be re-directed to your institutional login page, we'll catch you on the flip side once you've been authenticated".

Conversely, when Janet (or John) accesses Service A followed by Service B she (or he) will have a different user experience of each in terms of how she (or he) is authenticated because the two services will probably present the login form differently and at a different place on the page, one may point to the federation WAYF service while the other embeds a pull-down list of universities, they may use different language to describe what is happening, and so on.

Ukamfexamples_2 Don't believe me?  Just look down the list of UK Access Management Federation services and try it for yourself.  David has put some images of the way in which different services in the UK Federation present the login process to their users on slide 26 of his presentation but it is a little hard to read in the Slideshare version (above) so I'm embedding a bigger version here (click on the image to see it full size).

Look at the differing forms of language being used - "Shibboleth" vs. "UK Federation" vs. "institutional" vs. "organisational" login.  Look at the differing ways of selecting the user's home institution - "search" vs. "pull-down list" vs. "multiple pull-down lists" vs. ...

The point here is not to suggest that any one of these approaches is better or worse than the others (though I happen to think that putting form boxes labelled "User Name" and "Password" next to text saying "Athens/Other Institution Login" when in fact the username/password pair being requested is the service-specific (i.e. non-federated) one, as one service has done, doesn't exactly represent best-practice and is presumably resulting in large numbers of institutional username/password pairs being seen by the service in question!).  Rather, the point is that there is currently a very wide range of practice out there across UK Federation service providers (including that adopted by Eduserv in our own services), ultimately leading to confusion for the end-user.

Now... inconsistency of experience isn't bad just because it confuses people - though of course that is a very real problem.  Inconsistency also represents an opportunity for phishing to take place because users have less of a handle on what step comes next in the authentication process.  We probably haven't seen any phishing taking place in the context of the UK Federation to date, and maybe the controlled nature of the environment means that we won't.  But it is certainly something to beware of - and certainly something that has troubled the rather more open environment within which OpenID has to operate.

Lack of consistency also represents a significant (and in the case of the UK Federation probably insurmountable) hurdle to overcome for browser-based plug-ins that might otherwise help smooth the federated authentication process.

Consider a tool like Sxipper, a Firefox plug-in that manages your usernames and passwords for you (including your OpenIDs) and that can recognise when and where to present them to services as part of their Web registration and/or login pages.  Sxipper works because, despite some superficial differences across services, most logins revolve around two text boxes and a submit button (though actually, Sxipper can deal with much more than this).  Furthermore, in the case of OpenID at least, there are well-adopted conventions for how these XHTML form items should be named.  Heck... in most cases, even in the absence of a tool like Sxipper, the browser will do a pretty good job of remembering what needs to go where.

Contrast this with services in the UK Federation.  The lack of consistency in the way information is presented and requested and the widespread use of drop-down lists to navigate to the user's home institution means that browsers and plug-ins like Sxipper stand very little (probably zero) chance of helping to smooth the process.

We can and should do better.  In the short term I think we need the help of some usability designers to streamline the UK Federation user experience and to issue guidelines for service providers so that a more coherent and consistent experience is offered overall.  And in the longer term... well, readers of this blog will know that I have views on institutional vs. user-centric approaches to identity management.  But setting those views to one side for the moment, I suspect we are still not mainstream enough in our approaches to access and identity management.  For example, can anyone point to a single mainstream Web 2.0 service that has adopted Shibboleth?  The move from Athens to Shibboleth has been a step in the right direction for the UK education community (at least in my opinion) since it represents a move to open standards. But does it go far enough? Shibboleth still feels like a community-specific solution to me. Whilst I accept that the community is now significantly bigger than was the case with Athens and that the solution is based on open standards I think we will only see real community benefits (in terms of the widespread adoption and development of tools and services) if we become part of a much bigger community - a truly global community.

I think it will be interesting to see what comes of the information card work, and in particular whether the ability to embed our identity management toolkits more firmly into the desktop improves the user experience whilst stengthening security and thus improving trust models.  I certainly hope so...

June 26, 2008

Information Card Foundation - second attempt

I've been doing some work recently on a draft blogging policy for Eduserv staff and one of the things it suggests is:

Don't pick fights, be the first to correct your own mistakes, and don't alter previous posts without indicating that you have done so.

(Those of you who are familiar with IBM's policies in this area will probably recognise the wording!)

Well it's time for me to eat my own dog food and hold my hands up (not an easy combined activity at the best of times :-) ).

Kim Cameron pulled me up for being overly negative about his blog post on the new Information Card Foundation (ICF) in my original post of the subject yesterday.  And he was quite right to do so.  I put an apology in a comment but that probably isn't sufficient - so I'm writing it here as well.


The fact is, I'm basically guilty of judging someone and something on the basis of my personal views about the company they work for and that is, frankly, unacceptable.  I don't know enough about the space to form a sensible opinion and therefore shouldn't have done so.  I'll think much harder before doing it again.  It's particularly inappropriate for me to do it, since I sometimes feel like I am judged in association with the company I work for!

Whether one views Microsoft as 'good' or 'evil' is pretty much a religious issue - and most of the time I try to keep religion out of my blog posts.  Clearly, on this occasion, I failed to do that.

For the record, and irrespective of how I came across on the blog, my first reaction on seeing the announcement of the ICF was to initiate some discussion in Eduserv about becoming a member.  (As an aside, I'm also hopeful that we'll join the W3C and the OpenID Foundation.)  This is an important initiative, for all sorts of reasons, and I'm hopeful that positive and open things will come of it.

June 25, 2008

Information Card Foundation

Yesterday, Kim Cameron noted the creation of the Information Card Foundation (ICF).  Here's the start of the press release:

An array of prominent names in the high-technology community today announced the formation of a non-profit foundation, The Information Card Foundation, to advance a simpler, more secure and more open digital identity on the Internet, increasing user control over their personal information while enabling mutually beneficial digital relationships between people and businesses.

His post ends with a slightly odd looking (to me at least), though admittedly positive, reference to OpenID:

One thing for sure: the Identity Big Bang is closer than ever.  Given the deep synergy between OpenID and Information Cards, we have great opportunities all across the identity spectrum.

Why do I think it's odd?  I'm not sure... a natural tendency to scepticism I guess, especially given the events around the "standardisation" of the Open Office XML format (see the comments on Brian Kelly's post on the subject for some of the discussion around this).  As Joe Wilcox on Microsoft Watch notes:

I notice that while ICF claims Equifax, Google and PayPal as founding members, their executives aren't listed as board members. Now why is that? Perhaps no coincidence, most ICF board members come from companies supporting Microsoft technologies, such as CardSpace. I make the distinction for clarity purposes only. ICF's press announcements indicate broad industry support and lofty interoperability goals, but not without Microsoft's heavy hand in the process—or so I perceive.

Well, I guess its no big surprise that most interest in Information Cards comes from those already in the CardSpace camp.  What will be more interesting is to see how this space develops over the coming months.

June 04, 2008

UK identity management future directions

In the run up to a meeting organised by the JISC, Federated Access: Future Directions Day, (at which my Eduserv Foundation colleague, David Orrell, will be speaking), Nicole Harris is seeking input from the community about what areas of activity the JISC should be considering funding in the near future.

If you have any ideas on this don't be shy...



eFoundations is powered by TypePad