Thankfully Wed. was not quite so intense, at least for me. The main items of interest for me were a review of Pythia (a reputation system that Phil Windley has been working on), the results of the OSIS interop event, and a discussion about user experience and identity.
Phil Windley lead a session on the reputation system (pythia) he's been working on with his graduate students over the last year and a half. The system is based on evaluating transactions between identities. Reputation scores are calculated on a “personal” basis meaning that I can define my own ruleset for calculating reputation that might be different than someone else's ruleset. This, I think, is important because it allows me to value the information I receive about another identity according to my own view of what's important. For example, just because an identity has a great reputation within the drug culture doesn't mean that I want to ascribe a high reputation to them. Reputations are very contextual and I ascribe different levels of value to the different contexts.
In a very concrete example, there was a fair amount of discussion by relying party implementors (both during and after the session) about how to get transaction data (i.e. initial reputation) when a new identifier shows up at their site. The basic question being, is there a way for a relying party to know whether they can “trust” the 3rd party OpenID to be a genuine user. If there was a way to convey transaction data such identifier creation date, date of last use, number of “publish” transactions (meaning blog posts, comments, etc) then RPs could make a much better decision on whether to just let the identifier use their site, or whether they need to do some additional “verification” of the user. In this specific case there is immediate value in identity providers providing some additional attributes about the identifier that relying parties can use to make business decisions. For OpenID this probably means adoption of the Attribute Exchange extension or some additions to SREG.
OSIS interop event
I didn't participate in the OSIS event but was interested in the issues that arose from the event. Being an “outsider” it seems that while a number of issues were found, over all the event was a success. I think a next step is to get more RP's and IdP's involved especially where RP's are bridging identity meta-systems. Things like namespace mismatches, claim mismatches, and certificates are small hurdles that can easily be fixed.
This was a very interesting discussion as it did not focus on computer user experience and UI for interacting online. Instead it was much more about how people use identity in the offline world and how does that map into the online world. One of the interesting points to me is that in the offline world, there is a lot of context available as part of the interaction. These could be visual clues (body language, facial expressions, etc), auditory clues (tone of voice, distance from sound, etc), olfactory clues (smell, etc) and the list goes on. In online social interactions much of this additional context is lost and hence a “distance” in the communication is created. This “distance”, or incompleteness in the context, causes some to feel safe to say anything and others to hold back and mask themselves. As more transactions and social interactions move online, it will be increasingly important for consumers to understand these dynamics. A more complete summary will likely be appearing on Heather's blog.
Tags: iiw2007, Reputation, OSIS, Offline Identity