About Scott C. Lemon

I'm a techno futurist, interested in all aspects of humanity, sociology, community, identity, and technology. While we are all approaching the Singularity, I'm just having fun effecting the outcomes of the future!

Directory technologies and Identity Management

I saw that Mark Wahl and Kim Cameron were talking
a while back, and I like to see that. With Mark’s background in
LDAP directory technologies, I know that he has been thinking about
this space for a long time.

When working on digitalMe at Novell, I really wanted to see directory
technologies extended to become a primary platform for Identity.
When I say “extended” it was because there are a lot of issues that we
found when attempting to store identity in a directory.

There are numerous reasons that a directory is a logical place to store identity:

  • fully extensible schema for objects and attributes
  • authentication for verifying the user
  • access control down to the attribute level
  • flexible multi-protocol access

An extensible schema gave us
the ability to quickly create a core identity representation. A
“user” object with a list of attributes. What was powerful here
was when a user interacted with a new entity and was prompted for some
previously “unknown” attribute. This would be some attribute that
might be common, but had not been pre-defined in our list of user
attributes. With a directory we were able to ask the user for the
value of that attribute, extend the schema, and populate the
value. In a later iteration, we also looked for a way to allow
the user to “alias” the new attribute to simply point at an existing
attribute. This is the case where some attribute is called
different things by different communities.

With directory authentication, we are able to verify who is talking to the directory and then enforce access control on that connection.

Access control, down to the
attribute level, was one of the most powerful features that a directory
provides. With this, we were able to determine the “visibility”
of any particular identity attribute to any requestor. With most
directories there is even the concept of a “public” or “anonymous” user
making requests, and so we were able to expose those attributes that
are considered “public.” This is also what allows me to expose
more information to people that I want to. These access controls
could also determine who was able to modify any attribute of any
object. So, for example, I might have an object that represents you in my directory, and I might choose to allow you to update and maintain some of your own attributes. It is important to see that I might choose to
… because I also might choose not to allow you to update your
object. After all … it’s my directory. However if I trust
you, why not allow you to keep me up to date on your identity if you
want to?
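The four directory properties above (extensible schema, authenticated requestors, attribute-level access control with a “public” or “anonymous” requestor, and attribute aliases) fit in a few dozen lines of Python. This is an added example, not Novell or digitalMe code; the DNs, attribute names and values are constructed, and authentication is assumed to have already happened so the directory knows which principal is asking.

```python
"""Toy model of an identity object stored in a directory: extensible
schema, access control down to the attribute level, an 'anonymous'
requestor for public attributes, and attribute aliases.

Added example; not Novell or digitalMe code. DNs and attribute names
are constructed for illustration."""
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"  # the directory's public / unauthenticated requestor


class AccessDenied(Exception):
    """Raised when the per-attribute ACL does not allow the operation."""


@dataclass
class IdentityObject:
    owner: str                                    # principal who owns the directory entry
    schema: set = field(default_factory=set)      # attribute names currently defined
    values: dict = field(default_factory=dict)    # attribute -> stored value
    aliases: dict = field(default_factory=dict)   # alias -> canonical attribute name
    readers: dict = field(default_factory=dict)   # attribute -> principals allowed to read
    writers: dict = field(default_factory=dict)   # attribute -> principals allowed to write

    def _canonical(self, attr):
        """Follow an alias to the attribute it points at."""
        return self.aliases.get(attr, attr)

    def extend_schema(self, requestor, attr, readers=(), writers=()):
        """Add a previously unknown attribute. Only the owner may do this,
        and the owner always keeps read/write on what it defines."""
        if requestor != self.owner:
            raise AccessDenied(f"{requestor} may not extend the schema")
        self.schema.add(attr)
        self.readers[attr] = set(readers) | {self.owner}
        self.writers[attr] = set(writers) | {self.owner}

    def alias(self, requestor, new_name, existing):
        """Let one community's name for an attribute point at an existing one."""
        if requestor != self.owner:
            raise AccessDenied(f"{requestor} may not define aliases")
        target = self._canonical(existing)
        if target not in self.schema:
            raise KeyError(f"{existing} is not in the schema")
        self.aliases[new_name] = target

    def _check(self, requestor, attr, acl):
        """Resolve aliases, then enforce the ACL for this attribute."""
        attr = self._canonical(attr)
        if attr not in self.schema:
            raise KeyError(f"{attr} is not in the schema")
        allowed = acl[attr]
        if ANONYMOUS not in allowed and requestor not in allowed:
            raise AccessDenied(f"{requestor} may not access {attr}")
        return attr

    def write(self, requestor, attr, value):
        self.values[self._check(requestor, attr, self.writers)] = value

    def read(self, requestor, attr):
        return self.values.get(self._check(requestor, attr, self.readers))

    def visible_to(self, requestor):
        """Every attribute (with value) this requestor is permitted to see."""
        return {a: self.values.get(a) for a in sorted(self.schema)
                if ANONYMOUS in self.readers[a] or requestor in self.readers[a]}


def build_example():
    """An object representing 'you' in 'my' directory, as in the post."""
    me, you = "cn=scott,o=example", "cn=bob,o=example"
    obj = IdentityObject(owner=me)
    obj.extend_schema(me, "fullName", readers={ANONYMOUS})              # public attribute
    obj.extend_schema(me, "mobile", readers={you})                      # visible only to bob
    obj.extend_schema(me, "homeAddress", readers={you}, writers={you})  # bob keeps it current
    obj.write(me, "fullName", "Bob Example")
    obj.write(me, "mobile", "+1-555-0100")
    obj.write(you, "homeAddress", "1 Constructed Way")
    obj.alias(me, "cellphone", "mobile")  # another community's name for the same attribute
    return obj
```

The anonymous requestor sees only `fullName`; Bob can read `mobile` under either name and maintain `homeAddress` himself, but cannot change `mobile`, because the owner of the directory decides which attributes a trusted party may update.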

Lastly, it is multi-protocol
access that offered the ability to integrate with a wide range of
identity solutions. At Novell we had internal proprietary
protocols, LDAP, and even some HTTP/HTML/XML methods of access. I
worked on a protocol that I called XDAP just before we announced
digitalMe. It is almost a LID/FOAF parallel. What I did was to have XML data returned – in DSML format – when a request was received in the IETF RFC 2255
format. Even after leaving Novell I had a lot of fun
experimenting with this further and using CSS and XSL to then directly
render identity information as “documents” in the browser that looked
just like the “real” documents in the paper world.
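The request side of that XDAP experiment was the IETF RFC 2255 LDAP URL format, `ldap://host:port/dn?attributes?scope?filter?extensions`. The parser below is an added example, not the XDAP or digitalMe code; only the RFC 2255 format comes from the post, and the sample URLs and the filter sanity check are constructed for illustration.

```python
"""Parse an LDAP URL of the form defined in IETF RFC 2255:

    ldap://host:port/dn?attributes?scope?filter?extensions

Added example, not Novell's XDAP or digitalMe code; RFC 2255 is the
format the post names for incoming requests, the rest is constructed."""
from dataclasses import dataclass, field
from urllib.parse import unquote

SCOPES = {"base", "one", "sub"}


@dataclass
class LdapUrl:
    host: str
    port: int
    dn: str
    attributes: list            # [] means 'all user attributes' (RFC 2255 default)
    scope: str                  # 'base' is the default when omitted
    filter: str                 # '(objectClass=*)' is the default when omitted
    extensions: dict = field(default_factory=dict)  # name -> (value, critical)


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, rest = url.strip().partition("://")
    if not sep or scheme.lower() != "ldap":
        raise ValueError(f"not an RFC 2255 ldap URL: {url!r}")
    hostport, _, tail = rest.partition("/")
    host, port = hostport, 389
    if hostport.startswith("["):                     # IPv6 literal, e.g. [::1]:389
        host, _, after = hostport[1:].partition("]")
        if after.startswith(":"):
            port = int(after[1:])
    elif ":" in hostport:
        host, p = hostport.rsplit(":", 1)
        port = int(p)
    # The '?' separators are literal; a '?' inside a field must be %-encoded,
    # so split first and decode each field afterwards.
    fields = tail.split("?", 4)
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = fields
    scope = scope.lower() or "base"
    if scope not in SCOPES:
        raise ValueError(f"bad scope {scope!r}")
    extensions = {}
    for ext in exts.split(","):
        if not ext:
            continue
        critical = ext.startswith("!")               # '!' marks an extension the client must honour
        name, _, value = ext.lstrip("!").partition("=")
        extensions[unquote(name).lower()] = (unquote(value), critical)
    return LdapUrl(host=host, port=port, dn=unquote(dn),
                   attributes=[unquote(a) for a in attrs.split(",") if a],
                   scope=scope, filter=unquote(filt) or "(objectClass=*)",
                   extensions=extensions)


def filter_is_balanced(filt: str) -> bool:
    """Cheap sanity check a front end can run before handing the filter
    to the directory: every '(' is closed and never more ')' than '('."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0
```

Decoding after splitting matters: a percent-encoded `?` or `,` inside a DN or filter must survive as data rather than become a field separator, and the defaults (`base`, `(objectClass=*)`, all user attributes) are what RFC 2255 specifies for omitted fields.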

Overall … I believe that directories could be one of the possible
stores for identity information. There are, however, some
limitations in their implementations that don’t allow for many of the
common identity request patterns … like versioning and timestamping
of attributes. Directories are not very well designed to account
for how our identities evolve and change over time. I believe
this is necessary to have effective identity management.

Representation of observable identity

I really like this post by Kim about Carl’s notions of identity.
I really agree with this, and like the overall direction, however I
believe that there is a big thing missing.

In my opinion, there has to be a larger circle that encompasses this
entire diagram that represents the community that all three of these
entities belong to!

What community? Well … there has to be some community that
exists since there is some common language, or form of representation,
that each of these entities is using to refer to the
observations. In fact, I do not believe that there is a way that
distinctions of identity attributes can exist outside the context
of some language. Words to describe the uniqueness of the
attribute … to measure and quantify it.

I was reminded of this tonight while talking with my two-and-a-half-year-old
son, Sam. He has long known the meme “ball,” which started with
watching the kids playing basketball outside. He then assumed
that all balls are a “b-ball” … what he would call them. One
evening while driving home, he saw the moon in the sky and yelled
“Daddy … ball!” pointing at the bright disc. I told him “moon”
and he replied “moon ball.” The birth of a new distinction.
Tonight he saw someone on TV playing with a globe that they took off of
its stand. He said “Ball!” and I replied “globe” … he then
replied “globe ball.”

As we are both making these observations and distinctions, we are only
able to refer to the identity of these objects through a common
language … and common community. This entire ability is an
accumulated experience that we all seem to forget … it is a product
of the community that we grow up and live within.

There ought to be a big circle behind the entire image … and it will
represent the community through which the three of these entities have
come into contact … and the one that give them the ability to express
their observations.

Ski Utah!

Today I was able to get out skiing at Park City Ski Resort with my
cousin Brian.  It was a great day, and the snow and weather just
worked.  On top of that, I got to catch up with my cousin and hear
more about what he has been doing.  Brian and his wife have an
architectural firm called Dake Wilson Architects and they are building some amazing homes and buildings.  They came out for the Sundance Film Festival.

While they were here, I learned that Brian not only did the designs for
the Puma Stores, but he also worked on Bill Joy’s home in Aspen. 
It’s also fun to search Google for relatives!  I found that Renee
also wrote a brief article about their Eco-Home in LA … they are great people and it was good to see them.

Internet has room to grow …

This is a good article that talks about the next generation of speed
tests for transferring information. The article from
ComputerWorld shows that the research into DWDM and other types of
modulation are still progressing.

Wow! That’s fast TCP!
Data has been sent across a wide-area optical network at 101Gbit/sec.,
the fastest-ever sustained data transmission speed, equivalent to
downloading three full DVD movies per second, or transmitting all of
the content of the Library of
Congress in 1… [KurzweilAI.net Accelerating Intelligence News]

Is there such a thing as ‘public’ and ‘private’?

I want to start off by saying that I am in agreement with Kim’s Fourth Law of Identity … however it did get me thinking about ‘public’ and ‘private’ … ‘omnidirectional’ and ‘unidirectional’ …

The Fourth Law of Identity

The Law of Directed Identity

A universal identity system MUST support both “omnidirectional”
identifiers for use by public entities and “unidirectional” identifiers
for use by private entities, thus facilitating discovery while
preventing unnecessary release of correlation handles.

First, when I think about identity, I now believe that a ‘public’
identity is really just a ‘default’ identity. This is what we are
willing to expose to anyone, anyplace, and at any time. If I look
at the ‘real world’, we have certain characteristics and behaviors that
we are willing to expose when we go out in public. We then might
meet up with someone else, and choose to exchange other information
‘privately’, however we actually reveal something about ourselves even
when we perform a ‘private’ exchange of information. Kim stated:

Entities that are public can have identifiers that are
invariant and well-known. These identifiers can be thought of as
beacons, emitting identity to anyone who shows up – and thus being in
essence “omnidirectional” (they are willing to reveal their existence
to the set of all other identities).

I agree with this … for any provider of goods or services to be
known, they must expose some sort of information to be
discovered. It could be that the entity might choose to ‘emit
this beacon’ all of the time … or maybe to sit quietly waiting for
the detection of another entity. In either case, once the
‘omnidirectional beacon’ has been emitted, there is a way to reference
the source entity.

What I like is the second example:

A second example of such a public entity is the “polycomm”
which looms large in the scenario we chose as a backdrop to the present
discussion. The polycomm sits in a conference room in an enterprise.
Visitors to the conference room can see the polycomm and it offers
digital services by advertising itself to those who come near it. In
the thinking outlined here, it has an omni-directional identity.

This is not really a big deal … it makes common sense … however:

Similarly, when entering a conference room furnished with
a polycomm, the omnidirectional identity beacon of that polycomm can be
used by the owner of a cell phone to decide whether she wants to
interact with it. If she does, a short-lived “unidirectional” identity
relation can be created between the cell phone and the polycomm – and
used to disclose a single music preference without associating that
preference with any long-lived identity whatsoever.

I’m not so sure that this is truly ‘unidirectional’ since
there are other artifacts of the ‘short-lived unidirectional identity
relation’ that could be observed. I might not be able to
determine the exact details of what is transferred, however I could
easily – with the assistance of some others in the room – triangulate
on the source of the signal and locate the owner of the cell
phone. I could then couple this with other visible or audible
information to begin the process of compiling a profile of that
person. So is this ‘private’?

Of course the owner of the cell phone could also
collaborate with others in the room to all initiate communications with
the polycomm at the same time, and the polycomm could be configured to
add random timings to assist with masking the true source of the music
preference, however this then still potentially identifies the ‘crowd’
or ‘community’ that is the source of the communications.

When I was working on digitalMe, I followed the work of the AT&T “Crowds” project … and also the Lucent Personal Web Assistant project.
Both of these convinced me that there might not really be a way to be
truly “private” … and that the best we can hope for is to hide in a
crowd.
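To make the two identifier kinds in the Fourth Law concrete: the polycomm’s beacon is one invariant, well-known string, while the phone’s “unidirectional” handle can be derived per relying party so that two parties, or the same party on two visits, cannot line their handles up. This is an added example, not code from Kim Cameron’s post or from digitalMe; the HMAC-based derivation is my own illustration of a pairwise identifier, and the beacon names and secrets are constructed.

```python
"""Omnidirectional vs unidirectional identifiers, in the sense of the
Fourth Law quoted above. Added example, not code from Kim Cameron's
post or from digitalMe. The derivation (HMAC of the relying party's
name under a secret held by the phone) is one way to build a pairwise
identifier; every value below is constructed."""
import hashlib
import hmac
import secrets

# A public entity's beacon: invariant, well known, the same for everyone.
POLYCOMM_BEACON = "polycomm://conference-room-7.example"   # constructed


def unidirectional_id(device_secret: bytes, relying_party: str) -> str:
    """A handle that is stable for one relying party but unrelated to the
    handle the same device shows any other party: without the device
    secret nobody can link two of them."""
    return hmac.new(device_secret, relying_party.encode(), hashlib.sha256).hexdigest()[:32]


def short_lived_id(device_secret: bytes, relying_party: str, session_nonce: bytes) -> str:
    """Variant for the cell-phone / polycomm scenario: mixing in a fresh
    nonce yields a new handle every visit, so even the same polycomm
    cannot link two visits at this layer."""
    msg = relying_party.encode() + session_nonce
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()[:32]


def correlation_handles(*observed_ids: str) -> set:
    """What an observer collecting handles could use to correlate sessions:
    any handle that shows up more than once across the observations."""
    seen, repeated = set(), set()
    for handle in observed_ids:
        (repeated if handle in seen else seen).add(handle)
    return repeated


def demo():
    phone = secrets.token_bytes(32)            # held only by the device
    # Two relying parties see two unrelated handles ...
    a = unidirectional_id(phone, POLYCOMM_BEACON)
    b = unidirectional_id(phone, "printer://lobby.example")   # constructed
    # ... the same party sees a stable handle, unless a nonce is mixed in.
    a_again = unidirectional_id(phone, POLYCOMM_BEACON)
    visit1 = short_lived_id(phone, POLYCOMM_BEACON, secrets.token_bytes(16))
    visit2 = short_lived_id(phone, POLYCOMM_BEACON, secrets.token_bytes(16))
    return {"a": a, "b": b, "a_again": a_again, "visit1": visit1, "visit2": visit2}
```

This only removes the correlation handle at the identifier layer, which is exactly the post’s objection: the radio transmission itself, and whatever the room can see and hear, are observable whatever handle the phone presents.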

Radio problems … again and again …

It’s amazing … it seems that I really can’t have a consistent
experience with Radio. After crossing into the New Year I can’t
post to my weblog home page …

{Multiple post and publishes …}

Radio has so much potential … but it’s problems like this that drive
me nuts and burn up too many hours. I have looked for support,
however it’s all like a big guessing game to see what might be
going
wrong.

{Multiple post and publishes …}

My newest 2005 posts won’t show up, however when I keep editing and
publishing this post I can see Radio upstreaming all of the old
archived posts … and only 25 at a time.

{Multiple post and publishes …}

It seemed to work its way through all of the archived posts …
and then even published some rss files … but that’s it.  This
absolutely sucks.

ZigBee gains more ground …

There are a couple of companies here in Utah that brought ZigBee to my
attention about a year ago. I’ve been following the progress, and
am amazed that the products are now starting to hit the market.
Here in Utah, Control4 is using ZigBee for their home automation systems, and MaxStream is going to be releasing a series of wireless solutions.

This is a great new solution for some very cool applications!

World’s first ZigBee phone unveiled.
But when you’re the first product to support an unratified
standard–for low-power networking, in this case–the question is,
“What does it connect to?” [CNET News.com]

It’s not just Bluetooth …

I have been reviewing Kim’s posts about the issues with Bluetooth and privacy/private identity. I have been meaning to comment about the fact “It’s not just Bluetooth!”

My deep networking experience from my time at Novell taught me a lot
about the inner workings of networking hardware and protocols.
Anyone familiar with how networks work knows that the first ‘key’ to
communications on Ethernet (actually any of the IEEE 802 standard
networks) is the MAC address. MAC addresses are assigned to every
networking adapter … and they are globally unique by default.
Each vendor who is manufacturing networking hardware is assigned a 3-octet IEEE assigned Organizationally Unique Identifier (OUI).
This OUI is then used by that vendor as the first 6 hex digits of every
networking adapter that they create. During manufacturing, most
vendors then simply tack on 3 more octets (6 more hex digits) and
increment the value for each board or device they manufacture.
What you end up with is a 12 hex digit number that is globally unique –
the first 6 identify the manufacturer, and the second 6 identify the
unique adapter.

You can actually go and search the OUI database here. A sample of this would be to search for ‘00022d’
– the first 6 digits from my Orinoco wireless card. The point is
… these MAC addresses are globally unique and can identify your
specific machine.

Now, one of my other occupations is being the founder of a wireless
Internet company. We operate a series of Internet Cafes, and also
offer some residential wireless. Using MAC addresses, we are able
to determine how many repeat customers we have. This MAC address
is what is used at the lowest levels of networking to obtain an IP
address. When you use DHCP, you are assigned an IP address that
is then associated with your MAC address. All DHCP servers
remember your MAC address to renew your DHCP lease.

Wireless is really where this becomes an issue with identity.
When you turn on your 802.11a/b/g wireless, you are now exposing
yourself to be tracked via the MAC address of your wireless card.
Now for those of you paying attention, you would realize that this goes
for wired Ethernet as well … when you plug into any Ethernet network,
you are leaving traces of your visit. In our wireless network, we
could easily have a script that would notify us of any particular MAC
address when it was detected at any of our Internet access
locations. In the case of 802.11 wireless, you don’t even have to
be assigned an IP address or use DHCP … if your card simply
‘associates’ to our access point we know you are there. This is
equivalent to the ‘Bluetooth bomb’ that was talked about.

Now there are some ways around this. With more modern Ethernet
and wireless adapters, you are able to ‘override’ the default MAC
address that is provided by the vendor, but I have found very few
software packages or operating systems that take advantage of
this. I saw a “security tool” for Windows a few weeks ago that
picks a random MAC address each time you boot, and assigns it to your
networking card … but this is not a standard feature.
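The OUI/serial split described above, and the ‘override’ the last paragraph mentions, can both be read straight out of the 48 bits: the first three octets are the IEEE-assigned OUI, the last three the vendor’s serial, and bit 1 of the first octet records whether the address is the factory-burned (“universally administered”) one or a locally administered one set by software. The parser below is an added example, not code from the post or from the author’s wireless network; the OUI `00:02:2D` is the one the post gives for the Orinoco card, and the small lookup table stands in for the IEEE registry.

```python
"""Split a MAC address into the IEEE OUI and the vendor-assigned part, and
read the two flag bits in the first octet. Added example, not code from
the post or from the author's wireless network. The OUI 00:02:2D is the
one the post gives for the author's Orinoco card; the lookup table is a
constructed stand-in for the IEEE registry."""
import re

# Constructed lookup table; a real lookup consults the IEEE OUI registry.
OUI_TABLE = {
    "00022D": "OUI of the post's Orinoco card (vendor name: see the IEEE registry)",
}


def parse_mac(mac: str) -> dict:
    """Accepts 00:02:2d:12:34:56, 00-02-2D-12-34-56, 0002.2d12.3456 or bare hex."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper()
    first_octet = int(digits[:2], 16)
    return {
        "canonical": ":".join(digits[i:i + 2] for i in range(0, 12, 2)),
        "oui": digits[:6],                 # first 3 octets: IEEE-assigned manufacturer id
        "nic": digits[6:],                 # last 3 octets: vendor's per-adapter serial
        "vendor": OUI_TABLE.get(digits[:6]),
        # bit 1 of the first octet: 0 = universally administered (burned in),
        # 1 = locally administered (overridden by software or randomised)
        "locally_administered": bool(first_octet & 0x02),
        # bit 0: 0 = unicast (a single adapter), 1 = group / multicast address
        "multicast": bool(first_octet & 0x01),
    }


def exposes_hardware_identity(mac: str) -> bool:
    """True when the address is the factory-burned, globally unique one, i.e.
    the tracking handle the post describes. A locally administered unicast
    address is what an overriding or randomising tool presents instead."""
    m = parse_mac(mac)
    return not m["locally_administered"] and not m["multicast"]
```

Checking your own adapter is the practical use: if `exposes_hardware_identity` is true for the address your wireless card is transmitting, every access point it associates with sees the same globally unique serial, with or without DHCP.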

There are several identity issues that arise with wireless
devices. This first one is a big issue since it is a globally
unique ID that the average person is not aware of. There are
others that can also be trouble … I’ll write more in another post …

Wireless in Winnemucca

I had to do a quick post while on wireless in Winnemucca. We’re
on our family holiday trip to the California Bay Area to visit with my
parents and sisters and we stopped overnight in Winnemucca,
Nevada. The Holiday Inn Express has free wireless Internet … of
course.

It’s pretty wild to continue to see the growth of the Internet … and
the expansion of free wireless service. Even in Winnemucca you
can stay overnight at a Holiday Inn Express … and be ahead of a lot
of the people who didn’t! 😉