foolstr is innovative in that it relies on OpenID as its form of authentication. This means foolstr doesn’t invade your privacy and registration is a snap. It’s also completely anonymous. Things like Passwords or Email addresses, we don’t need ‘em. Your email or password is never sent to Foolstr, you don’t have to remember a NEW password, you don’t have to remember ANYthing. Try it and see!

It’s a fun site and we want the barrier of entry to be small. You can post content without even registering and so far there is some interesting content.

From a technical side this site is another experiment, this time dealing with OpenID to determine just how viable this technology is. So far it seems sound for this level of authentication. The question is will the public understand it and be comfortable with this as a means of authentication. We’ll see. I’ve also hooked up the Yahoo Term Extraction API for content analysis and Google Analytics for Traffic.

So blog about it, Facebook it, Digg it, tell your friends, share your ideas and opinions and vote on what’s there. Let’s see what the fools know…

Foolstr’s still in pre-alpha, with many kinks still being ironed out. If you find a bug, post back to http://foolstr.blogspot.com or use the contact page at foolstr.com.

Now get out there and tell us something we don’t already know!!!
HTTP://FOOLSTR.COM

-==============================-
FOR IMMEDIATE RELEASE

April 7, 2008

MEDIA ALERT
Showcasing How Users Can Control their Identity Online, Industry’s Largest Identity Interoperability Demonstration Scheduled for RSA 2008
Fifty-seven member open source identity group to test and demonstrate interoperability between user-centric identity protocols and providers

SAN FRANCISCO (RSA Conference 2008) – April 7, 2008 – Open Source Identity Systems (OSIS) will conduct the largest user-centric identity interoperability test and demonstration at the 2008 RSA Conference, April 7-11 at the Moscone Center in San Francisco. The 33 member organizations and 24 projects of OSIS will showcase network interoperability between identity providers, card selectors, browsers and Web sites, demonstrating practical uses for user-centric identity technology, including how users can "click-in" to Web sites via self-issued and managed Information Cards and OpenIDs. The user-centric identity model gives consumers greater control and security over their identity information, allowing them to determine how sensitive identity information should be shared at each visited Web site.

During the demonstration, OSIS members will illustrate interoperability between Information Card and OpenID software, the technologies behind user-centric identity.Features being demonstrated include:

* Enabling people to control what identity information is disclosed about them
* Portability of digital identities across software and platforms
* Management and use of Information Cards and OpenIDs
* Information Cards used with OpenIDs to enable phishing-resistant sign-in to Web sites

WHO:OSIS, a working group of Identity Commons (please see below for a list of companies and projects). Members of the group are committed to a goal of Internet identity interoperability across projects, protocols, companies and platforms.

WHAT:OSIS User-Centric Identity Interoperability Demonstration at RSA 2008

WHERE: RSA Conference, Moscone Center South, San Francisco, Mezzanine Level, Purple Room 220

WHEN:Tuesday, April 8 and Wednesday, April 9; public working sessions 11 am to 4 pm, demonstrations 4 pm to 6 pm
About OSIS

Open Source Identity Systems, a working group of Identity Commons, brings together many identity-related open-source and commercial projects, and synchronizes and harmonizes the construction of an interoperable identity layer for the Internet from open-source parts and software that interoperates with them. For more information on OSIS, visit http://wiki.idcommons.net/index.php/OsisCharter.
OSIS participating companies:

* AOL
* ATE Software
* CA
* Cordance
* Fraunhofer FOKUS
* FuGen Solutions
* Fun Communications
* Google
* IBM
* JanRain
* LinkSafe
* Microsoft
* NetMesh
* Novell
* Nulli Secundus
* ooTao
* Oracle
* Orange
* Parity
* Ping Identity
* Plaxo
* Siemens
* SixApart
* Sun Microsystems
* Sxip Identity
* Thinktecture
* ThoughtWorks
* TrustBearer Labs
* VeriSign
* Vidoop
* WSO2
* Yahoo!
* Zend

Projects and Organizations:

* Bandit Project
* Codeplex
* DiSO Project
* Dominck Baier
* Drupal
* Francis Shanahan
* Higgins Project
* I-names
* Identity Commons
* Information Cards
* LID
* OpenID
* OpenInfocard
* OpenSSO
* Open XRI
* Pamela Project
* Rob Richards
* Sharp STS
* SignOn.com
* SourceID
* Shibboleth
* Verisign Personal Identity Provider
* Xmldap
* Yadis

All company/project names and service marks may be trademarks or registered trademarks of their respective companies/organizations.
OSIS Participants Contact Information:

http://osis.idcommons.net/wiki/Category:Participant
Media Contact:

Charlotte Betterley

Novell

(781) 464-8253

cbetterley@novell.com
-==============================-

What’s going on? The internet has a crappy way of managing your personal information. We’re trying to fix that.

Why should I care? Right now you’re at quite a high risk of having your identity stolen, losing control of your personal information, of being phished or losing track of what personal information is stored where. See my previous post on Identity Fragmentation [LINK].

So what are you talking about now? RSA is happening NEXT WEEK! (7-11th April) [LINK]

What’s RSA? Only the largest conference focused on information security in the world. It starts in San Francisco and is replicated around the world.

Is Shanahan going to be there? Well no, but my code will be. A while back I created a Cardspace Identity Provider and Relying Party test harness [LINK]. That code has been participating in the OSIS Interop 2008.

What’s OSIS Interop? It’s a grass-roots effort to prove out the interoperability of various Identity solutions.

We’ve been testing the interoperability (how things work together) of all these solutions since January. You can checkout the results of the testing here [LINK].

Who’s participating?  Easy, just checkout this diagram (yes that’s my logo underneath Bandit!): Click for a LARGER image.

Checkout what Mike Jones, Pamela Dingle and Kim Cameron have to say on the topic.

So get yourself to RSA and checkout the OSIS Interop room. They have BEER!!! [LINK]

The Foreword is by Identity luminary (and friend) Kim Cameron and if I’m keeping it real, rather than describe the book’s contents, I wish he’d shared more thoughts around the problem space, the approach to the solution and the roadmap BEYOND cardspace.  Here’s Kim’s take on the book [LINK].

The book itself is an easy read. Not a tome by an means. Easy to pickup as a reference or to sit with and read chapter by chapter.

It succeeds at describing Identity Federation from a conceptual level as well as from a technical level (as it pertains to Cardspace). It even addresses some of the less obvious issues such as the notion of auditing and non-auditing IdPs.

Be warned, this book focuses on Cardspace fairly exclusively. There isn’t a lot on interoperability here between things like OpenID and Cardspace for example. That’s a topic for another book and could not easily be incorporated without devoting a lot of pages to OpenID.

The technical section is navigated through use cases that tackle things from an end-user experience as well as from the developer angle. This is effective as often it’s hard to understand one without the other. At every point the reasoning behind the solution is presented also. This worked well.

For me personally, I wish they’d spent a little more time on things like GetToken() although using this directly will likely not be of interest to 90% of folks out there.

Unique to books of this type is a section devoted to Practical Considerations. Why one would want to setup an IdP or simply play the role of Identity Consumer for example. In today’s environment the business value of establishing yourself as an IdP is questionable and I was glad to see this point addressed head on.

Vittorio, Garrett and Caleb have done an terrific job of describing and grounding one of the most compelling and abstract problems faced by the internet today. This an excellent book and for many will serve as a one-stop-shop for all your Cardspace questions.

As mentioned in an earlier post, my Cardspace Relying Party Test Harness[LINK] as well as my Identity Provider [LINK] are in the testing this year. I get a big kick out of seeing the interoperability work between my hacked-together test harness and the other implementations out there.

Results are being gathered in the following matrix and will likely be reviewed at RSA 2008 this year.
[http://osis.idcommons.net/wiki/I3:Cross_Solution_Results]

After some initial testing it seems my RP/IdP works reasonably well as long as it’s based on SAML 1.0 and not too strict on the token elements.

Really looking forward to this one and hoping it will answer some of the more obscure questions I’ve encountered in my Cardspace Explorations.

In related news, my Cardspace STS and Managed Card Test Harness [LINK] is in the mix of RPs and IdPs currently being tested as part of the latest OSIS interop. Many thanks to Mike Jones [LINK] for including me on this. The list of participants is here: [LINK] and it looks like results will be posted on this Wiki page [LINK].

But what if you just want to protect a file. Or an XML resource like an RSS feed?

In this post I’ll propose an extension which would allow Cardspace to be leveraged to protect resources without the need for a UI to be rendered in the browser.

The scenario I’m proposing works like this: Let’s say I have a file, "fs.png" that I want to protect using claims. I host the file somewhere. This is my "claims protected resource".
Now I want to give you a link to the file so you can download it, but only if you have a good token.

Instead of me giving you a link to the file, I give you a link to an XML document that describes the file along with the claims needed to access it. I’ve called this document a "claims protected resource manifest".
It looks like this:

<claimsProtectedResource>
  <tokenDetails>
    <tokenType value="urn:oasis:names:tc:SAML:1.0:assertion=" />
    <requiredClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier</requiredClaim>
    <requiredClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</requiredClaim>
    <requiredClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</requiredClaim>
    <optionalClaim>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</optionalClaim>
     <issuer>http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self</issuer>
  </tokenDetails>
  <targetResource>cprExampleImage.png</targetResource>
  <targetCert>http://www.francisshanahan.com/cardspace/fs.cer</targetCert>
  <claimConsumer>http://www.francisshanahan.com/cardspace/cprConsumer.aspx</claimConsumer>
</claimsProtectedResource>

The XML here consists of a targetResource (the file you’re trying to access) along with details of the token needed to access that file. Very similar to the object tag notation currently in use.

When the web server serves this manifest file, it serves it with a new mime type (application/cpresx-manifest) (I just made this up).

That mime-type is associated with a small shim application that you can download and install here [LINK]. The shim examines the manifest and launches Cardspace to obtain a token. In this case a Self Issued Card token.
Once Cardspace is finished, control returns to the shim which forwards the token along with the identifier of the desired file on to a token consumer service on the server.

The token consumer processes the token and streams down the file you asked for originally.

To test this scenario yourself…

1. first install the shim application available here [LINK]
2. Then access the claims protected resource manifest here [LINK]

You’ll need a self-issued card for this example but the model could be used with managed cards also.

In this example, the claim consumer will grant you access to the resource with any card EXCEPT a card with the first name set to "noaccess".

——— TROUBLE SHOOTING ———
This app is just a POC and has little error handling.

If you run access the manifest link and nothing happens, try saving the manifest to disk and running the application from the command line like this:
C:Program FilesFrancis Shanahan[.com]Claims Protected Resource Shim>CPR_Shim mydoc.cpresx

If you’re behind a proxy, add an app.config file with the proxy details to the same folder as CPR_shim.exe. The contents of the app.config file should look like this:

C:Documents and Settings<USERNAME>Local SettingsTempcprExampleImage.png

If the cprExampleImage.png file is there just double click it. If an "Open With…" dialog pops up, pick an application (like Internet Explorer or Paint) and make sure to click "always do this" checkbox.

After all that you should be in business. Hey, what do you want for a couple of hours work?

——————————————–
This example requires a shim as there’s no such thing as a "claims protected resource manifest" in the current Cardspace spec. I like this pattern as it

1. Doesn’t require a session on the server
2. Supports bookmarking and emailing of links through the CPR manifest notion
3. Extensible to any resource type
4. Easy deployment, hooking cardspace up with a Mime Type seems to make sense
5. Abstracts the actual resources from end users and puts claims right in the middle.

I think that this pattern has its uses and would propose that this pattern (maybe not my implementation) be considered as an enhancement to Cardspace in a future release.

Attribution: Many thanks to Dominick Baier of LeastPrivilige.com[LINK] who supplied the Cardspace abstraction on which the shim code is based. [LINK]

Will an OpenID stand the test of time? Is it intended to?

When you cross silos you often uncover ideas people haven’t considered. Take Identity and apply Long Now thinking. The Long Now is a term intended to encapsulate the notion of Long Term Thinking. The Long Now Foundation [LINK] "hopes to provide counterpoint to today’s "faster/cheaper" mind set and promote "slower/better" thinking. We hope to creatively foster responsibility in the framework of the next 10,000 years."

When you start thinking in terms longer than 1, 3, 5 years out to ideas take on a new form and priorities change. The Long Now’s idea of building a clock that’ll run for 10,000 years is a great example. Can it be electronic? Made from space-age technology? Should the clock be a paragon of man’s engineering excellence? An atomic clock perhaps?

Probably not. 

With so much knowledge required to run it, it could not be guaranteed to last 10,000 years.

  So the clock should be as simple as possible, but no simpler. It probably should be mechanical and it needs to stand up to the elements. The clock should have some artistic or inspirational elements incorporated so that it will become beloved by the world and cared for as opposed to just another maintenance headache.

So applying this thinking to Identity and OpenID the biggest thing that jumps out at me is that this is a technology solution. Identifying someone as a URI does not endear itself to me at all. I am not "http://FrancisShanahan.com", I am not "Double-U, Double-U, Double-U Dot".

Identities need to be durable and last at least as long as a person’s lifetime or maybe two or three times as long. Will we still be using "http://" in another 80 years? 160 years? Are we going to bet that a baby born today will be traceable through an openID in another 100 years? Maybe that’s not the intent of OpenID or any of the other "redirect" protocols out there.

I mention it to highlight the point that we cannot limit our thinking to identity solutions that will be durable 5-10 years out. Perhaps 10,000 years is too long but we need a model that will be viable in the Long Now and not box us into the technology of the day.

Last night I took a stab at listing out the various entities that know me, regardless of how they know me. The list is overwhelming. It quickly became apparent that to develop a comprehensive list was not feasible. What I ended up with was a good all around representation. I then generalized it to include things not solely pertaining to me as an individual (e.g. I’m an immigrant, I can never have govt clearance).

With all the talk of identity and claims federation, this was a good way to step back and at least understand the problem space a little better. I’m sure there are other such diagrams out there but the benefit for me was to go through the process of drawing it rather than take one off the shelf.

Here’s the diagram, it turns out there are bits of us EVERYWHERE!!! Click for a larger view [LINK].

I’ve tried to group the entities (blue) by function or core competency(green). It could be inferred I suppose that similar entities would require similar forms of assurance around the claims they’re willing to accept. For example, to establish an XBox Live Gamertag doesn’t require the same degree of assurance around identity as opening a bank account. But on the other hand, Digg might be quite willing to accept my Facebook ID.

In theory these entities could share Identity Providers. I believe we’ll start to see this quite soon in the social networking space most likely through OpenSocial.

Ultimately, Identity Providers themselves will begin to exchange claims although it’s questionable if this is an appropriate model.

This is by no means a complete model. I worry that I’ll never be able to effectively manage all the pieces of me that I’m absent-mindedly handing out.

The card can then be used to obtain claims from a Simple Security Token Service. Lastly, these claims can be consumed and parsed out to complete the end to end process.

This might seem like a trivial exercise but I have not come across any other publicly available service that demonstrates the end to end flow for Cardspace MANAGED cards or one that lets you play with the claims, generate your own Cards or build your own Relying Parties against an STS in this manner.

As such I think it’s a useful learning tool. I know I learned a lot from it. I didn’t build all of this, a lot of it is hacked together from samples available at http://cardspace.netfx3.com. There were some challenges in getting it to work on an external host (vs localhost). I hope it’ll benefit the Identity Community in some way.

You can try it out at https://francisshanahan.com/cardspace
and the sample Security Token Service is here http://francisshanahan.com/sts/fssts.svc.


This code has been verified working as recently as April 2009.