I posted about my new "friend" Lindsay here and here. Here was her original profile photo:

I thought she might have been a shill for EQO as she invited me to that group. The people at EQO have denied responsibility. Lindsay recently deleted me as a friend, but with no message, leading me to conclude she really is a shill as opposed to a real person who read my blog and was miffed. "She" has lots and lots of friends now. I guess I will never really know who "Lindsay" was/is. Her profile is still public and here is the current profile photo:

Imation has these cool USB 2.0 wristbands.

I have been thinking about USB fobs for 2 factor authentication. This is a great form factor. I wanna get one just because I think they are cewl!

My buddy Paul Kedrosky recently wrote that Structured Blogging Will Flop. His reasons:

It’s the usual three reasons I trot out repeatedly to technologists with utopian visions who want to change the world on the back of altered user behavior:

1. People are lazy
2. People are lazy
3. People are lazy

I agree people are lazy. I know. I’m lazy. So is Paul. He is so lazy that he uses the same point three times in a row. I am a supporter of structured blogging. To counter, each of my points will be different, and I will even up the ante with a fourth:

1. Existing structures
2. Real time web
3. Machine RSS
4. Spam issues

1. Existing structures. Lots of bloggers categorize and tag their content today. People are already taking the time to add semantics. Blogging tools strive to differentiate themselves, and will add tools to make it easy to add structured blogging to their post, just like it is easy to tag and categorize. (btw: Paul, when are you moving to WordPress?) Since I am lazy, I would prefer to create a post about a public event so that it gets promoted by event tracking systems like Eventful, rather then run around and promote it myself.

2. Real time web. As the web gets bigger, and the cycle time of polling all the pages by the search engines gets longer, the relevancy of a search drops. The data in an RSS feed, or in the future, in a Ping, will be more relevant then data on a web page. If the data is structured, it will be even more relevant

3. Machine RSS. Lots of interesting feeds are not generated by humans. It is easy for machines to endlessly add the same structure tags to data that already has structure. With the rise of the real time web, publishers of data will look to move their data out so that it is easily found, just like people have been doing search engine optimization for years.

4. Spam issues. One kind of structure that is needed is the identity of the blog. 75% of new pings are spings (splogs). Splogs and spings are degrading the value of the real time web. Efforts are under way to resolve this problem, and hopefully we have all learned from our ant-spam experiences on how to do this right.

Structured blogging will not solve world hunger. It will likely look somewhat different from what the existing structured blogging effort, and I am sure there was more hype, then beef at Syndicate about this, but let’s not be lazy and dismiss it out of hand.

I have been reluctant to do as many posts lately. I didn’t want to shock the identity world with my personal rants; and didn’t want to bore my friends with lengthy technical identity discussions. This site will continue as my personal site, and my identity discussions will be at Identity20.com.

Yesterday’s Wall Street Journal had an article “Microsoft Tests Software To Fight Identity Theft on Web” (paid subscription required unfortunately).

Not to be outdone, the Red Herring had “Microsoft’s security card:
‘Info-cards’ would help computer users communicate securely with web sites.” and internetnews.com had “Microsoft Said to Have New Security Plans”

I’m looking forward to learning more about MS’s “Info-card” strategy. What I know looks good.

Jeff Bezos is demoing some new features in A9. (he had a little excitement with his PowerPoint presentation first When going to A9, it bounces you to Amazon to see if you have an amazon.com cookie so that it can detect who you are. An Identity 2.0 problem.

The key thing is how you can consume search results from A9. Not quite sure how it all works yet though.

Bruce Schneier, crypto expert extrodinaire, continues his analysis of breaking of SHA-1. He provides some history on hash functions and refers to an essay he did last September that quasi predicts the break.

In summary, SHA-1 was supposedly shown to be compromised in 2**69 rather than 2**80 operations. These are both really big numbers, although 2**80 is 2048 times bigger. Assuming Moore’s law of doubling computing power every 18 months continues, 2**80 will be as weak in 16 years. It would seem to me (yeah, like I’m expert in crypto - NOT!) that all we need to do is double the size of the hash so that theoretically it is 2**160 unique, which maybe is only 2**120 operations safe, but that means it will be 75 years before it is as weak. I’ll likely be dead by then and quantum computing technology may have made current cryptography obsolete.

Sitting here this morning listening to Tim Bray give a presentation about what blogging is all about here at Northern Voice. Inspiring me to get back into writing personal posts here.

Addendum: there is a HUGE spectrum of people in the audience. Someone in the audience had thought that Tim worked for the Sun newspaper (The Vancouver Sun). She did not know who Sun Microsystems was. Good for a chuckle.

I was reading Kim’s 3rd law of Identity and I got wondering how trust is involved in an identity transaction.

Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

Who determines what is “necessary and justifiable”? Do all the parties trust each other? What is meant by trust?

I describe trust as social, not technical. Trust is dependent on the parties involved and the reputation between the parties at the time of the trust decision. Trust is dependent on the transaction. I might be ok . I wonder how Trust fits into Kim Cameron’s Identity Laws.

Perhaps one of Kim’s next laws will explain how trust fits into an identity system.

I thought I would share my thoughts on Passport after reading postings from Kim Cameron, Craig Burton, Dave Kearns and Eric Norland.

Note that I am NOT saying that Passport failed. I believe that Passport was very successful in many ways. It is the largest public identity system. It enables Passport users to move easily between the sites that use Passport. This is far ahead of Liberty.

Before we starting working on what became SXIP, we used Passport at ActiveState. Passport did not solve our problems, so we started talking to other folks and found they had the same issues as us. Here is a summary of why Pasport did not work for us and many other sites:

1. Cost to Website

The list price for using Passport was $10,000 US. That price tag rules out a majority of all sites. We wanted a system that was accessible to a vast majority of websites.

2. Difficult to Implement

It took us several weeks to implement Passport at ActiveState, and all we got was SSO.

3. Microsoft Centric Technology

Although there was a binary package for Unix systems, it seemed like more of a marketing checkmark. We ended up deploying the Passport functionality on a Windows machine. This would not be acceptable to many sites.
Since the software was not open source, we had to integrate the binary into what we our code with no visibility into what it did or to optimize what was happening in our site.

4. Primarily SSO

Although there was the ability to get the users’ email address with Passport, few of the the visitors to our site enable that (see point x). Registration was more important to us than SSO.

5. Global Attribute Release

Although retrieving the users email was a potential part of the Passport transaction, the user globally enabled or disabled this feature, and it was not readily apparent that the email was being handed out (note this may have changed). Personally, I know I disabled this feature. I wanted to know when my email was being given to a website.

6. Only Microsoft had Privileged Relationship

Large sites were not keen on giving Microsoft a relationship with their customer. They had worked hard to build that relationship, and did not want to lose that privileged (and trusted) position of authenticating their users.

7. Required Significant Trust of Microsoft

This one is the one that most people talk about. All individuals and sites had to trust Microsoft. Given the DOJ hearings on anti-competitive practices, there was not much trust of Microsoft being in another “monopoly” like position

Even if a few of these had been solved, many of them are show stoppers all on their own.