Learning Technology jottings at Goldsmiths

Thoughts and deeds


EduServ OpenID event


Eduserv Open ID event

The Hatton, Hatton Gardens, Thursday 8th November.

Here’s the promotion material by way of introduction.

http://www.eduserv.org.uk/foundation/events/openid2007

And the presentations (slideshares with audio) are up too.

http://www.eduserv.org.uk/foundation/events/openid2007/programme

Below is a regurge with the occasional question.

Introduction – Andy Powell (Eduserv)

He showed an image – online_communities.png.

Our work and personal lives are blurring

Identity management within institutions has to work beyond institutions – why? Because:

–     We won’t put up with having institutional software imposed on us

–     But at the same time, we have a regulatory requirement to keep assessed work

–     This necessitates some way of pulling in work, with confidence, to the institution’s server. It also necessitates user accounts in different software communicating (this relates to the idea of a Personal Learning Environment where, rather than operating in Moodle, you draw together applications of your choice in an environment like iGoogle).

Open ID allows an agent – you, for example – to be linked with a URI: http://www.johnphelps.gold.ac.uk

Some institutions have stopped forcing email accounts (this came up later as controversial)

Currently in terms of ID management we have

–     Athens (UK-Centric)

–     Shibboleth (institution-centric i.e. federated)

–     Open ID (user-centric)

Questions to think about during the day

–     What are the community’s requirements? E.g. standards

–     What are the current gaps in provision?

–     What are the relative merits of the different systems on offer?

–     What do we need to know in order to implement Open ID?

–     What are the recommendations of the community?

David Recordon – Six Apart (and formerly from Verisign)

The problem with the current way of doing things

–     Too many usernames and passwords

–     Security – password protection (there were reservations about this throughout the day)

–     Convoluted sign-up as a barrier to entry when you’re trying to get new people to try out your software

–     Lack of integration between directories – software not talking to each other

Open ID emerged out of the desire for

–     different software users to interact,

–     users of different software to only log in once

–     form filling automation

OID is decentralised at the moment

How does OID work?

1.      You use a bit of software for the first time (e.g. the online bookmarking software Magnolia) and it says “Who are you?” (prompts for a username and password)

2.      You supply your OID e.g. davidrecordon

3.      Then if you haven’t already, you’re prompted to sign into your OID provider

4.      Subsequently all you have to type in with Magnolia is your OID

5.      The idea is to log into your OID provider when you first start up your computer – logging in there will provide access to all your other services

What about security?

Phishing? The idea is that you never give your password to a company other than your OID provider again. This is much more secure than using an email address validation – but it depends on user education, and this is a bit of an issue.
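The login steps and the phishing point above can be modelled in a few lines. This is an added example, not code from the talk or from any OpenID library: the class names, the `.example` URLs and the sample account are constructed, and the message format is a simplified stand-in for the real protocol, which passes these messages through browser redirects.

```python
import hashlib
import hmac
import secrets

# Constructed sample account: identifier URL -> password, known only to the provider.
ACCOUNTS = {"https://davidrecordon.example/": "correct horse"}

def sign(key, fields):
    """HMAC over every field except the signature, in a fixed key order."""
    msg = "".join(f"{k}:{fields[k]}\n" for k in sorted(fields) if k != "sig")
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class Provider:
    """The OID provider: the only party that ever sees the password."""
    def __init__(self):
        self.keys = {}  # association handle -> MAC key shared with one site

    def associate(self):
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.keys[handle] = key
        return handle, key

    def authenticate(self, claimed_id, password, handle, return_to):
        stored = ACCOUNTS.get(claimed_id)
        if stored is None or handle not in self.keys:
            return None
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        fields = {"claimed_id": claimed_id, "return_to": return_to,
                  "assoc_handle": handle, "nonce": secrets.token_hex(8)}
        fields["sig"] = sign(self.keys[handle], fields)
        return fields  # signed assertion; contains no password

class RelyingParty:
    """The site being logged into (Magnolia in the notes above)."""
    def __init__(self, provider, return_to):
        self.return_to = return_to
        self.handle, self.key = provider.associate()
        self.seen = set()  # nonces already accepted, to stop replays

    def verify(self, a):
        if not a or a.get("assoc_handle") != self.handle:
            return None
        if not hmac.compare_digest(sign(self.key, a).encode(), str(a.get("sig")).encode()):
            return None
        if a["return_to"] != self.return_to or a["nonce"] in self.seen:
            return None
        self.seen.add(a["nonce"])
        return a["claimed_id"]
```

The site only ever handles the signed assertion, so a compromised or fake site learns no password; it rejects an assertion that was altered, replayed, or issued for a different return address.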

What about trust? (Is somebody who they say they are?)

Similar to email trust (scarily almost all institutions recycle email addresses).

Question from the floor: Will this lead to federated trust, in the same way that 6 banks are trusted to do things?

Higher-value transactions will require more trust

The idea of directed identities where people get to hide or reveal aspects of themselves to or from different software.

Gavin Bell from Nature

The identity of research is changing.

–     The Oyster card metaphor – gated entry, different permissions to different locations, centralisation and tracking

–     Your web page is your identifier, not your email address.

Multiple identities

–     We might have 3 or 4 separate identities (or as Nicole Smith would have it, ‘affiliations’) – personal, work, long-term professional and anonymous

At the moment, technology expires more and more rapidly

–     OID proposes an ID for life

Universities used to be self-sufficient islands, fiefdoms, but no longer

What about Trust?

–     A central id.ac.uk provider for the education sector, allowing students to access their lifelong learning record?

–     Or would a single provider be a) monopolistic, b) unstable and c) unwilling to innovate?

Archipelago metaphor

–     oAuth as the ferry between software islands – secure data exchange between disparate services

Problems

–     No tools in place for migrating between different OID providers

–     Controversy about losing institutional email – “But if you can express things as a URL you really should”.

Nicole Harris – JISC

On 9th Aug 06 the Gartner Group reported that “Open ID is too ill-defined to be deployed”.

Athens has worked well as a single centralised id provider. But now we’re also using Flickr, Facebook etc.

What is my identity? It consists of

–     Attributes – can be expressed as tags. I read, I cook, I write, I have brown hair, I love Marcuse.

–     Also permissions – part of my identity I don’t have control of – what I’m allowed to do and where

Can people manage their own online identities?

–     A worryingly light-minded attitude to e.g. giving Facebook Apps access to data, clicking through security certificates which may have expired

–     People don’t know enough to take responsibility. Insufficient technical grasp

–     We need an institutional broker, or institutions which have licensed software e.g. Web of Knowledge will find themselves compromised in their terms by their users, often inadvertently.

Sean Mehan on extending institutional identities

OID should facilitate use of chosen software.

Institutions should become OID providers or delegators

Should institutions accept 3rd party OIDs? No – untrustworthy – unless they’re from another educational provider in the federation.

Scenario

1.      Images used for assessment are being stored on Flickr

2.      The institution needs to validate and retain these – it’s in the regs – therefore there’s a need for ‘integration points’

3.      There’s a need for OID as a ‘pipe mechanism’ to suck data into the institution and mitigate the risk of lost data or companies folding

4.      This mindset is about institutions no longer feeling that they have to control everything

Risks

–     ID Theft. But we deal with this now

–     The third party service provider goes bust and we lose the assessment data we’re legally obliged to retain. Solution: suck it into the institution and back it up.

–     An ID changes. Solution: a UK HE/FE framework for delegation

Alternative scenario – students arrive at an institution with their own OIDs. But this won’t work because they’re not trustworthy unless from a delegated provider. Hard to work out a two-tiered solution.

What would be the unique ID

–     UCAS number is a lifelong id now (but what about PG students who don’t go down this route?)

Scott Wilson on Open Id and learning

Ed institutions suffer from a scarcity of resource. Their business is to mete it out to meet demand. Typically the resource in question is lecturer time. Resource-bargaining between tutors and students may lead to an amount of peer learning – institutional provision of taught hours accounts for approx 40% of students’ total study time.

Where is identity used in education?

–     Activity

–     Coordination

–     Resource management

–     Monitoring

–     Strategy

–     Self-organisation

–     Individualisation

Resource management has leaked because students have access to so much more technology than they used to.

A user-centric concept of OID is promising for everybody when the owner of the ID is operating in the province which isn’t currently in the domain of the institution.

Distributed, user-owned technologies are inevitable. They should help us (institutions) to regain control – by reducing costs and reducing liability.

OID is not an authentication system – it’s a pipe.

Identities are not the same as people.

OID offers a means of asserting a relationship between a software agent and a URI. It can connect things that depend on or use identities. For example, Jyte.

Panel discussion: the future

URIs as identities

Browsers will do much more than they currently do

Users as agents

–     What can we do about APIs? E.g. plugging in your Flickr account to your Facebook account without giving access to everything

–     oAuth means that the user doesn’t have to have a password any more

–     You could put your API data into your OID

–     The idea of centrally storing data is against the OID ethos. It’s pointers and permissions for data which are stored.

Sometimes we don’t need validated identities

–     All citizens of Hamburg are entitled to attend the lectures of the University of Hamburg

–     Much of what we do doesn’t depend on trust – “Come to our server and discuss textiles”, for example

–     It’s levels of assurance which are needed rather than tight authentication

–     But at the same time, institutions could get sued if their authentication is not secure and licenses are violated. Users have been cavalier about their logins, which is why JISC is now obliging users to use passwords that they value (presumably by linking them with sensitive information).

OID is a simple solution to a simple problem. Shibboleth is a complex solution to a complex problem.

For authentication, OID and Shibboleth might run in parallel

–     Shibboleth to authenticate identities

–     OID to assert a relationship between a software agent and a URI

Institutions should offer Open IDs now – it’s free and easy to set up.

LDAP is in a big mess. But this is because of directory structures rather than because of the protocols.

MV

Written by Sonja Grussendorf

November 12, 2007 at 12:06

Posted in web 2.0
