She’s Geeky 2009

6 Jan 09

Hats off to Kaliya for organizing She’s Geeky this year – I wish I could be there.

I love the idea of showing up and just finding out what other women in technology are doing; it seems like such a positive experiment. I hope you all have a great time!

Information Cards on Drupal

22 Dec 08

Finally! I’ve got what I hope to be a decent prototype for a Drupal Information Card module. I’ve made huge changes to the user interface on this one, and as a result, I hope to have streamlined the process for framework owners. What I haven’t yet got is a lot of eyeballs from a lot of people on different platforms, in different situations, and with different frames of mind. If you have 5 extra minutes, please check out my example site. There is a poll there to let you give extra-fast feedback, and there is a feedback form if you want to address a specific finding.

Here’s a quick summary of the new features:

User Card Management

  • Once authenticated, users can add and remove cards from their accounts, and can see when each card was associated and when it was last used.

Lost Card Recovery

  • Users can now use an email-based recovery process to attach a card to an account that they’ve lost credentials to.  This is incredibly important in a case where all passwords have been turned off for the site.

Purple “i” means Selector launch

  • Everywhere you see a purple “i”, you should see a selector launch immediately – no more intermediate pages.
  • (Note: there is a purple “i” in the card management console; that card will eventually launch the selector to verify the Friendly Identifier.)

Minimum clicks

  • The goal is to get the job done in the smallest number of clicks.   There is probably even more to be done here, but we’ve made progress.

Developer Improvements

  • Code is now documented with a standardized, doxygen-compatible format
  • Much more consistency in approach
  • Lots more to do 😉

WordPress users:  I’m upgrading that plugin right now to use the same flows — so if you don’t like them, speak now!

Microsoft Live – say it is not so.

18 Dec 08

I hear you’ve been going back on your word, Microsoft Live.  I hear you’re talking behind people’s backs, giving away all their secrets.

If you want to change your current policies on accepting anonymous comments, fine.   But when you promise a user that the comment they are about to submit is anonymous,  that promise should mean something.  Forever, not just until your next TOS change.  You shouldn’t have even stored information about who made a comment if they asked you to keep that comment anonymous.

People trusted you and believed in you, and they acted according to their trust and belief.  They didn’t know that anonymous really meant “tracked, stored, and correlated, but hidden only until we decide otherwise”.

Those of you out there who think anonymous comments are only about making nasty retorts or spamming – think again. Sometimes, anonymity enables people to talk about their health, their relationships, their issues, their innermost thoughts, things they would otherwise be afraid to reveal. Sometimes, anonymity enables an intimacy that can be a lifeline in rough seas. Anonymous comments can be as deeply personal as any church confession – imagine if your confessions were taped, played to the world, and associated to you forever more.

I suppose the only moral of this story is to assume the worst about any technology that makes promises around secrecy.  Perhaps this will encourage pseudonymity – at least then you’re known to be tracked, but you can control what correlation might exist to your real name.  If nothing else, this should call into question the practices of any service that supplies that little “post as anonymous” checkbox.

Lowest Common Denominator

16 Dec 08

Yesterday Friend Connect added Twitter to their list of accounts that can be used to authenticate and to communicate friend data between cooperating sites.

From a social graph perspective, this makes complete sense, although I’m not sure what is supposed to happen when a Twitter user who has 5,000 followers and is following 5,000 people logs into a site for the first time. I have to assume that you get little dribbles and drabbles of friend links over time, in the background. Still, if the website operators are using an elastic, as-needed payment model, it could be rather expensive for true Twitter addicts to visit for the first time.

From an authentication perspective, I can only laugh; the irony is too much for me. Twitter as a provider of identity information. This is a site with an unbelievably cavalier attitude towards the credentials of users, as evidenced by the fact that they force their entire partner community to ask for and resend usernames and passwords, and as evidenced by the fact that they encourage their users to type their credentials into any input box that might present itself with the short introduction of “Twitter API”.

You may say that Twitter was never intended to be a highly secure service,  and I’m sure you’re right.  What so many people in this industry are trying to do, however, is to provide a way for services like Twitter to no longer have to badly manage their user data,  but instead to rely on the services that DO care about security,  and do actually take the security of user credentials seriously.

In the short term though, convenience wins out over security. It’s bass-ackwards, but it’s still progress.  Gotta crawl before we can run.  Anything that connects sites and propels application and service owners to start considering externalized Identity is good in my book.   We need to get in there, mix it up, and hope that something reasonable emerges from the fray.

On Aggregation

3 Dec 08

Do you remember this quote from the movie “The Incredibles”?

… And when I’m old and I’ve had my fun, I’ll sell my inventions so that *everyone* can have powers. *Everyone* can be super! And when everyone’s super– [chuckles evilly]  –no one will be.

Sometimes I think that this is the end game we’re looking at with Social Media.  Right now, we’re so busy hooking every acquaintance we ever had to every other acquaintance as virally as possible on every site everywhere, that we forget who it is we’re going to end up talking to, and to whom our words have meaning.

It’s great that we’ve gotten to the point where I can broadcast a single thought simultaneously to all of my many services – but what happens when everybody does that? What happens when the majority of the people you know are on two or more of the sites you visit and all of them are broadcasting across services? I like seeing tweets from people I know. But when I see the tweet on Twitter, then the next time I get onto Facebook the identical tweet shows up as a status update, and then I see it yet again in a weekly digest of tweets that shows up in my RSS reader from that person’s blog – it gets old fast, and it takes away from the unique character of any one service. As a very subjective judgement, I personally start to feel more like I’ve been spammed than confided in.

Right now, I would choose an aggregation service not for the combination of what’s different so much as the elimination of what’s redundant. As all these services bleed into each other, the ratio of new to redundant will become very pronounced;  I imagine that creative solutions to this problem will be an important future differentiator.

TEC 2009

2 Dec 08

Thanks Axel for highlighting my TEC 2009 talk abstract — you’re much better at publicizing my upcoming speaking plans than I am, something I need to improve upon!

My plans for TEC 2009 are indeed to talk about a Survivalist’s Guide to Identity Management.  In my years working in this space, I can’t help but note that most of the things that companies pay me to unravel are things that a little foresight and planning could have rendered unimportant – often they come down to configuration decisions made arbitrarily in the absence of any guiding principle.  I believe that if you can introduce some simple discipline into IT practices early on in a company lifecycle, you can drastically reduce the complexity, and therefore the cost of automating your processes and applications when the time comes.  My goal is to document that discipline in very simple terms, and then to demonstrate how  a pragmatic IT department can go on to derive benefit from that discipline.

I can’t tell you how much I’m looking forward to this presentation – it is a topic very near and dear to my heart, and something I hope to enlarge upon whenever I can, for a long time to come.

Just got off the Schemas WG Call

24 Nov 08

I love working with smart people. I went into the ICF schemas working group call with my set of cobbled-together proposals, and everybody seized on it and started breaking those ideas down into their separate pieces, using language with far more structure than my own words.

There were some excellent points made:

  • What are the expectations of the “Display Claim” versus the actual claim in providing human-readable claim values?  Is it reasonable (or even preferable) to define a claim value that is not human-readable and trust that the STS will be responsible for mapping that value to something useful?
  • Is it expected that the selector will do a metadata discovery on each and every claim passed?  I had never even thought of such a thing, so will have to learn more.

I will keep you up to date with the conversation, which is expected to continue on the working group mailing list this week.  The mailing group is:,  I believe anyone can read, but you have to be an ICF member to participate.   If you are keen to participate, let me know.