IIW and VRM Report

15.05.2012 by Craig Burton

At the first of the month I attended IIW 14 in Mountain View. I also attended the VRM workshop on the 30th. The VRM workshop was hosted by Ericsson. The IIW was held at the Computer History Museum.

Before I summarize what happened at those events, I want to give a little background on IIW.

IIW

IIW uses a format referred to as an “unconference.” The main purpose of an unconference is to avoid the traditional design of a conference. The way I have heard it described, it is the Open Space format developed by Harrison Owen. Legend has it that Owen noticed that during a conference, most of the real activity and deals were going on out in the hall during the breaks.

He asked, “why can’t we create a conference that works like being out in the hall all of the time?” IIW is built around that idea.

Here are the main operational points:

In the morning of the first day, everyone attending introduces themselves and tells all of the other attendees who they are, who they represent, why they are there and what they expect to get out of the conference.

After that, anyone is invited to create a session and a topic. Each person with a topic stands up and says what the topic is and the purpose of the session. Everyone then rushes to the open space scheduling wall and gets a particular space and time slot during the day. This is self-managed. Figure 1 shows a portion of the scheduling wall.

Figure 1: Open Session Scheduling Wall

Each time slot is 50 minutes long. Each session starts at the top of the hour. Anyone can attend any session they desire.

At the end of the day, the session leader—or someone that attended the session—gives a summary of the session. Session notes are to be emailed and posted on the IIW Wiki later.

In closing, there is an acknowledgement ceremony.

Figure 2: Acknowledgement Ceremony

In this ceremony, anyone is invited to stand up and acknowledge anyone else for anything that is relevant to the workshop. This is done by giving the person a choice of wine or chocolates. Figure 2 shows the acknowledgement ceremony and shows Doc Searls acknowledging someone.

Each day then follows the same format except that only new people who did not introduce themselves the first day are introduced.

VRM Day Overview

The entire day was spent discussing projects and products that are finally starting to use VRM as their underpinnings.

We also talked about Doc Searls’ new thinking about VRM. The best place to review that is by watching his presentation given at the KuppingerCole EIC 2012 conference.

Here were some of the topics discussed.

  • Open API Economy
  • FreedomBox
  • Commercializing VRM
  • Life Management Platforms
  • Selling the first Vendors – Who Goes First
  • VRM and CRM
  • IntentCasting Networks – beyond the cliche: vertical use cases
  • UI and UX for VRM, PDS, R-buttons, ToS, Cheese
  • Personally Asserted Terms and Conditions
  • Sovereign ID vs. Admin ID
  • Customer Commons: Live!

IIW Overview

This year’s sessions were very diverse, but there were some consistent themes every day.

  • VRM
  • APIs
  • Protocols
  • Privacy
  • Personal Data and Life Management Platforms

For a complete list of all of the sessions, you can look at the IIW wiki at http://iiw.idcommons.net/IIW_14_Notes

VRM

There were more VRM sessions this year than I have ever seen. I attribute this explosion of sessions to the release of Doc’s book, The Intention Economy. There was a full track of VRM sessions on every day of the workshop. On the first day, I attended almost all of them. The VRM community is very broad and does not lean so much on Doc for its progress. Everyone was very excited about the book and the concepts in it.

For a list of all of the sessions and some of the notes, see the VRM blog post about IIW. http://blogs.law.harvard.edu/vrm/2012/05/09/vrm-at-iiw/

In several of the sessions I focused on the link between the Open API Economy and the Life Management Platform, and on the roles of these two trends as they relate to VRM. In our opinion at KuppingerCole it is important to point out that VRM is much more than the counterpart to CRM and includes many more things than just e-commerce and shopping. People were very responsive to these perspectives.

Another cool result of all this is the new post that Doc Searls put up on the VRM Wiki adding and attributing KuppingerCole to the term Life Management Platform.

http://cyber.law.harvard.edu/projectvrm/Main_Page

APIs

There was much talk about APIs and Open APIs. The Open API Economy session was packed and generated great discussion.

The link to my Prezi used in the session is here.

http://prezi.com/rt07gxj02hf8/open-api-economy-ii/

Almost a thousand people (998) have viewed this presentation since the workshop – I’m really impressed.

Other API discussions were around OpenID Connect and SCIM.

Protocols

The three most active protocol discussions centered around OpenID Connect, SCIM and XDI. In addition, every discussion talking about any type of service, from privacy to personal data stores, talked about their status and intent to provide API access.

The Open API meme is clearly on fire and KuppingerCole is viewed as the thought leader around this topic.

The entire community is very excited about OpenID Connect and SCIM because they are seen as solving two serious problems: OpenID Connect gives developers a simple, programmatic (REST and JSON based) way to obtain the kind of identity assertions that have so far required SAML, and SCIM is a programmatic protocol for automated user provisioning.

Privacy

There was a lot of discussion concerning privacy and the meaning of privacy. Scott David contributed significantly to this discussion with legal definitions and implications. The question kept coming up of how to build products that satisfy personal and legal privacy requirements across international boundaries, especially since the requirements, laws and social conventions are not well defined. Again, KuppingerCole’s approach of Life Management Platforms provides some interesting thoughts (and maybe answers) on that.

Personal Data

Personal Data Stores, Personal Data Lockers, Personal Clouds, FreedomBox and on and on.

The meme about Personal Data is very much on the move and in flux. Almost everyone who says they are working with Personal Data has a different notion of what it is and how it should work.

One of the presenters opened with a great joke from Steven Wright that is a useful analogy about personal data. It goes “I have a large seashell collection which I keep scattered on the beaches all over the world. Maybe you’ve seen it.”

One of the most fun and interesting personal data sessions was around FreedomBox. Markus Sabadello managed this session.

http://blog.projectdanube.org/2012/05/freedombox-at-the-internet-identity-workshop/

This link gives a review of the session. He also brought up the Life Management Platform. He didn’t quite get it right, but I like it that the term is being inserted in the discussion. Life Management Platforms are much more than just data stores; there is much in it about how to ensure the secure and privacy-aware use of personal data – e.g. not just storing, but using them the right way and enabling new (and improved) forms of business.

Summary

IIW is well run and mature, and it consistently meets its purpose of quality discussion and advancement of personal identity issues.

IIW 14 topics were spot on, fresh and informative.

The biggest complaint I have about IIW is that there are no notes posted for many of the sessions.

The VRM Workshop was well attended and reflects the interest shown at the KuppingerCole EIC 2012 conference.

Perhaps this year we will finally see some products that are VRM oriented.


Security > 140 Conversation with Craig Burton

28.03.2012 by Craig Burton

I had a conversation with Gunnar Peterson recently. Here is the transcript of the exchange. It is short but worth looking at.

Today’s Security > 140 Conversation is with Craig Burton, a Distinguished Analyst at KuppingerCole. In his recent work, Craig explores the API Economy and how participating in the API economy reconfigures organizations’ priorities.

Gunnar always asks insightful questions. I really enjoy his presentations each year at the Cloud Identity Summit. Not sure if I will be speaking this year or not.


More on the Open API Revolution

28.10.2011 by Craig Burton

As I said in an earlier post, the folks at ProgrammableWeb.com announced that the number of open APIs they track has reached an unbelievable number, 4000, in record time.

They published this graph showing the hockey-stick growth rate:


Figure 1—Total Number of APIs

source: Programmableweb

So let’s take a quick look at the dynamics of this growth rate.

Phil Windley helped me out and here is what we came up with.

The data can be fitted with a simple growth model.

Phil used this: http://zunzun.com/Equation/2/Power/Power%20A%20Modified/

Here’s the data (X is years since 2000, Y is the number of APIs):

0, 0
8.5, 1000
10.5, 2000
11.25, 3000
11.75, 4000

The fitted form is Y = a·b^X, that is, exponential growth in X (the “Power A Modified” equation on that page). Note that this is not a power law Y = aX^b: read that way, the same parameters would give only about 870 APIs at X = 13, nowhere near the observed counts.

The fit says

a = 13.665
b = 1.618

So by the year 2013 (X = 13) we’d expect 13.665 × 1.618^13 ≈ 7117.

By 2016 (X = 16) the same curve gives about 30,000 APIs; with b = 1.618 the count roughly doubles every 1.44 years.

This is a nice steep curve.

 


Figure 2—Extrapolating the Numbers

source: Craig Burton and Phil Windley
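To check the arithmetic, here is an added example (not from the original post and not from Phil’s zunzun session) that evaluates the reported parameters against the data table above, compares the exponential reading Y = a·b^X with the power-law reading Y = aX^b, and refits the exponential with a log-linear least-squares fit. The data table and the “years since 2000” convention for X are taken from the post; the function names and the refit method are this example’s own choices.

```go
package main

import (
	"fmt"
	"math"
)

// Data points from the post (constructed here as a table): X is years since 2000,
// Y is the number of APIs ProgrammableWeb was tracking at that time.
var apiCounts = [][2]float64{
	{0, 0}, {8.5, 1000}, {10.5, 2000}, {11.25, 3000}, {11.75, 4000},
}

// Parameters reported by the post's zunzun fit.
const fitA, fitB = 13.665, 1.618

// exponential is the curve those parameters actually describe: Y = a * b^X.
func exponential(a, b, x float64) float64 { return a * math.Pow(b, x) }

// powerLaw is the form written in the post, Y = a * X^b, kept here to show
// that the same parameters do not reproduce the data under that reading.
func powerLaw(a, b, x float64) float64 { return a * math.Pow(x, b) }

// rmse is the root-mean-square distance between a model and the observed counts.
func rmse(model func(x float64) float64) float64 {
	var sum float64
	for _, p := range apiCounts {
		d := model(p[0]) - p[1]
		sum += d * d
	}
	return math.Sqrt(sum / float64(len(apiCounts)))
}

// fitExponential refits Y = a * b^X by ordinary least squares on ln Y
// (a log-linear fit), which needs no nonlinear solver. Points with Y <= 0
// are skipped because their logarithm is undefined. It returns (a, b).
func fitExponential(points [][2]float64) (a, b float64) {
	var n, sx, sy, sxx, sxy float64
	for _, p := range points {
		if p[1] <= 0 {
			continue
		}
		x, y := p[0], math.Log(p[1])
		n++
		sx += x
		sy += y
		sxx += x * x
		sxy += x * y
	}
	slope := (n*sxy - sx*sy) / (n*sxx - sx*sx)
	intercept := (sy - slope*sx) / n
	return math.Exp(intercept), math.Exp(slope)
}

// doublingTime converts a per-year growth factor b into years per doubling.
func doublingTime(b float64) float64 { return math.Ln2 / math.Log(b) }

func main() {
	post := func(x float64) float64 { return exponential(fitA, fitB, x) }
	asPower := func(x float64) float64 { return powerLaw(fitA, fitB, x) }
	fmt.Printf("RMSE read as Y=a*b^X: %.0f   read as Y=a*X^b: %.0f\n", rmse(post), rmse(asPower))
	fmt.Printf("2013 (X=13): %.0f APIs, 2016 (X=16): %.0f APIs\n", post(13), post(16))
	fmt.Printf("doubling time at b=%.3f: %.2f years\n", fitB, doublingTime(fitB))
	a, b := fitExponential(apiCounts)
	fmt.Printf("log-linear refit: a=%.1f b=%.3f, 2013 -> %.0f APIs\n", a, b, exponential(a, b, 13))
}
```

Running it shows that the reported parameters reproduce the observed counts to within about 115 APIs (RMSE) when read as Y = a·b^X and miss them by thousands when read as a power law. The log-linear refit gives a ≈ 28 and b ≈ 1.52 rather than 1.618, because least squares on ln Y weights the early points differently from a fit on Y itself; under either reading the count doubles roughly every 1.4 to 1.7 years.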

But I am going to go out on a limb and predict that something even more dynamic is in play. If you look at Figure 3, you can see that somewhere between Oct. and Nov. 2010, the growth Netflix was enjoying took a serious turn for the better. Monthly hits on the API went from 4 billion to 12 billion within 30 days.


Figure 3—Growth of Netflix API

source: Programmableweb

If I am right, I expect that we will hit the 5000 API mark sometime in mid 2012. Then, instead of just following the curve to 7117 APIs by 2013, the industry will experience an exponential skip like the one in Figure 3 for Netflix: the count will jump from 5,000 to over 10,000 almost overnight, so that we will be way ahead of the ambitious curve shown in Figure 2.

I have no real data to support that. I just think the movement is about to jump the chasm from early adopters to early majority sometime in 2012.

Watch out.


The API Computing Magic Troika and the API Economy

27.10.2011 by Craig Burton

Intro

Provocative quotes:

Baking your core competency into an open API is an economic imperative.

source: Craig Burton

If you are not engaged in generating or enabling open APIs for your business, you are not in the game.

source: Craig Burton

Social, mobile and cloud computing are hot. The API computing magic troika is white hot.

source: Craig Burton

Ubiquitineurs don’t litigate or file for patents. Litigation and patents are the tools of the purveyors of scarcity.

source: Craig Burton

I talk to my buddy and visionary Doc Searls almost everyday. He is busy writing his new book about the Intention Economy: When Customers Take Charge. The book is the long expected follow up on his first co-authored work: The Cluetrain Manifesto.

While we talk, we often riff on ideas and things we have read or heard. We have been doing this now off and on for twenty years, so we have a language and process that lets us get right to the meat of things quickly. It’s fun. When Doc gets on a rant I just shut up and listen. It’s like listening to Stevie Ray Vaughan riff with words.

One more thing: This post is the first instance of a new term. The term is Ubiquitineur. The definition of ubiquitineur is: Ubiquitineur—An entrepreneur whose business and innovation practices are ubiquity-based as opposed to scarcity-based.

The API Computing Magic Troika

Here is my point.

We are riffing on three core things that make the Intention Economy work. Surprisingly one of them isn’t social computing. They are:

  1. Cloud-based code (Code platforms like Kynetx that are API and cloud-centric).
  2. Cheap telephony-data (Affordable mobile—telephony data pricing like Ting.com provides)
  3. Personal Data Technology(cloud-based stores that are controlled by the individual. Singly is promising such a thing, Cloudmine.me has one up in beta.)

Cloud-based Code

Here is why Kynetx (or possibly another cloud/API-centric code platform) rocks for Intention Economy rapid prototyping and apps.

  1. Runs in the cloud.
  2. Has built in constructs for managing developer keys.
  3. Late-binding is intrinsic
  4. Loosely-coupled is explicit
  5. Built-in support for OAuth 1.0 and 2.0.
  6. Event-driven
  7. JSON and JSON Path-centric
  8. Much more but you get the point.

Traditional languages are playing catch-up to this. (I like the precepts of the new Dart language spec from Google. It needs to be evented, though. Plus it doesn’t have key management as an intrinsic.)

Cheap Telephony Services

Current telcos are ripping us off for data access. Competition and common sense (of which little is found in telcos today) will change this. For example, look at what Ting.com is doing by providing no-frills, pay-as-you-go telephony services over the Sprint network.

Mobile device data access is fundamental to the Intention Economy.

Personal Data Technology

This is a new category of technology that is just emerging. Call it the personal data ecosystem, personal data store, personal data architecture, whatever; the point is a place in the cloud where you can store and control information about you.

There are a lot of players emerging in this space. The two I am going to mention are Jeremie Miller’s Singly.com project and the Cloudmine.me service.

To be honest I haven’t used either of them yet, but the precepts in Jeremie’s vision are spot on plus he has gathered an all star group that are likely to do something that will either rock or give us much to think about if it tanks.

I will be playing with the Cloudmine stuff shortly and let you know what I think. So far I like everything there. The one exception is their terms of service. It doesn’t really affect me, but I think they are missing out on the benefits of clear ubiquity-based thinking when they contractually prevent anyone from creating a compatible service.

Soap box rant

This is specifically to the Cloudmine folks but it applies to anybody. If you get enough inertia to attract someone interested enough to start copying your protocol, rejoice—things are good. Litigation is not your friend. Litigation is the tool of the purveyors of scarcity. Protectionism is contrary to what you are trying to accomplish. It is contrary to the laws of ubiquity. You have an alignment problem there. Ubiquitineurs don’t litigate or register for patents.

The API Economy

The API Economy is not something that is going to happen. We are already in full swing.

Look at the numbers published by the folks at ProgrammableWeb earlier this month when they hit the 4000 API mark.


source:Programmableweb

Summary

Get with it. Figure out your API strategy. Understand the API Economy Troika and how it relates to what you are doing.

One more point. If you don’t know it by now, I will end with another quote that is not so provocative and should be obvious:

Digital Identity is core to all this stuff.

source: Craig Burton.


Steve Jobs: cause to reflect

09.10.2011 by Craig Burton

I am the same age as Steve Jobs.

So when Phil Windley sent me the link to the 1985 Playboy Magazine interview of Steve Jobs (just before he was forced to leave Apple) I had to laugh at some of the questions asked by the interviewer and remember all of the things that were going on in the industry then.

During the 80’s I worked for Ray Noorda at Novell. My job was to create and drive Novell’s strategy. The plan was simple, give real freedom of choice to the customer and be interoperable with as many networks and computers as possible.

By 1985 Noorda was finally coming around to the freedom of choice thing. But I had a hard time convincing Ray that the Macintosh was an imperative to support with NetWare. And he had good reasons to balk at my insistence.

Apple was notoriously difficult then, as now, to work with, especially when Jobs was at the helm. At times it seemed that Apple’s strategy was just the opposite of Novell’s. Don’t give any choice to the customer except to buy Apple. Interoperability? Never heard of it. Freedom of choice was something Jobs resisted at every opportunity then, and that attitude still lives on at Apple now.

The operating system, the mother board, the bus, the network, the transport, you name it. Apple built their own and was slow to adopt anything that any other vendor supported or invented.

It seems that the only time Apple breaks down and supports any standard is when it is forced to do so. That’s how it was then at Apple, and that’s how it continues to be at Apple. All designed and driven by Jobs.

I doubt Novell would have had Apple attend the rollout of Macintosh support in NetWare if Jobs had been CEO when it happened. Of course having John Sculley at the event made it less than stellar, but at least it happened. And the world business community loved it.

When I read the sections of the interview that talk about Apple’s struggle to get a foothold in corporate computing environments it reminds me just how big of a role Novell played in making that happen. Both Apple and Microsoft seemed to revel in the fact that their systems were not interoperable. Novell solved the namespace and interoperability issues between the Macintosh and DOS (and later Windows) in spades in spite of proactive resistance from both vendors.

It would have taken Apple another 10 years before gaining a foothold in the business community without Novell. With the bottom up approach and huge Novell channel and support network, Apple was able to slip in the back door of enterprise departments along with NetWare and the PC before corporate IT knew it or could try to stop it.

With the way things worked out—Apple being the most profitable company in the world and Novell being dead—you might conclude that the Steve Jobs approach to standards and interoperability are the way to go.

It isn’t that simple, things are much more complicated than that.

While no one can deny that Jobs was a great visionary and did incredible things for the world and computing, I can’t help but wonder what really could have happened if Apple and Jobs had taken the approach of building sexy interoperability along with sexy computers and phones.


Stop Using the “C” and the “E” Word

09.08.2011 by Craig Burton

While attending the Cloud Identity Summit last week in Keystone, Colorado, I noticed a usage trend that needs addressing.

Almost without exception, the discussions around identity and identity technology used two categories for defining market segments. The two categories are:

  • The Consumer
  • The Enterprise

These ambiguous categories are hindering moving forward with identity discussions and productivity. Every session I attended, I challenged the presenter to define these terms. Without exception, the confusion and ambiguity were rampant. For example, where are the people that don’t work for a large company defined here? They aren’t consumers, they aren’t an enterprise. Are you saying that a person at work is only recognized if they work for a large company? How large?

I don’t even want to go down the path of the Consumer word.

[image: The Consumer]

[image: The Enterprise]

As a result, I am proposing 6 alternate top level category definitions. These definitions are as follows:

  • Person
  • Group
  • Organization
  • Non-Profit Organization
  • Government
  • Program/Code

Of course there are sub-categories to each of these definitions, but at least we have a set of top-level definitions that make sense.

Here are some icons I will use. Note that I use the accessory of a “hat” to distinguish the entity. This works for me, I often think of myself in a different hat depending on what role I am in.

[icons: person, group, organization (.com), non-profit organization (.org), government, program/code]


How to Spot an Unnecessary Identity Fail

09.06.2011 by Craig Burton

I’ve been watching the recent announcements about how hackers—some speculate foreign countries—have cracked the security infrastructure of a system and have stolen the names and passwords of thousands—sometimes millions—of customers.

The details of all these disasters are not what I want to talk about. Just this simple and seemingly obvious point.

Any system that stores the names and passwords of anyone is a failed security design.

Symmetric vs. Asymmetric keys

In the late seventies, these three guys—Rivest, Shamir and Adleman (you probably know them as “RSA”)—published a paper describing a scheme for public-key cryptography.

They later formed a company based on this patented technology. Pretty much every systems company on the planet has ponied up and bought a license for some aspect of the technology.

If public-key cryptography is so good and so revolutionary to security design, why is this malicious theft of names and passwords happening?

I keep reading that the RSA product line has been cracked and is no longer secure. We need to distinguish between RSA the company’s one-time password product (SecurID, whose tokens and authentication server share a symmetric seed) and RSA the asymmetric cryptosystem; the breach reports concern the former, not the mathematics of the latter.

The bigger question for me is: why are secrets that allow access being stored on the server in the first place?

Cryptographic protection can be implemented with symmetric keys or asymmetric keys. With a symmetric design, both the endpoint and the server keep a copy of the same secret key, so whoever steals the server’s store holds a working credential. With an asymmetric design, the server stores only the public key, which is not a secret; the private key is generated at the endpoint and NEVER leaves it, so a dump of the server’s store gives a thief nothing with which to authenticate. To me, this is the main point of private and public key pairs in the first place.

With that knowledge in hand, one has to ask, “Why would anyone, including RSA’s SecurID product, design a system that uses symmetric keys?”

Good question. Answer: Poor cryptographic implementation decisions.

So now you can always spot a failed identity design. A password is a shared secret, a symmetric key in all but name: the server has to hold it, or a hash of it that can be cracked offline, in order to check it. Anytime the details of a security compromise include the theft of user IDs and passwords, you can nod wisely and say, “Symmetric keys. What were they thinking?”

If you want to protect your customers’ credentials, use an asymmetric design: the server stores only public keys and checks a signature over a fresh challenge, and it never holds a secret that can be replayed.
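The distinction above, as an added example that is not part of the original post and not taken from any RSA or Microsoft product: the same user is enrolled under both designs, the server issues a random challenge, and the user’s device answers it. Ed25519 signatures stand in for the asymmetric design and HMAC-SHA256 over a shared secret for the symmetric one; the store and function names (enroll, sharedSecretStore, publicKeyStore, loginFromStolenStore) are this example’s own. The last function simulates what a thief can do with nothing but a dump of the server’s records.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed example: one user enrolled under two designs for the same
// challenge-response login. Names here are illustrative, not from any product.

// endpoint is what the user's device keeps.
type endpoint struct {
	name   string
	secret []byte             // shared-secret design: the server holds a copy too
	priv   ed25519.PrivateKey // asymmetric design: never leaves the device
}

type sharedSecretStore map[string][]byte           // server record, symmetric design
type publicKeyStore map[string]ed25519.PublicKey  // server record, asymmetric design

// enroll creates the device credentials and both server-side records.
func enroll(name string) (endpoint, sharedSecretStore, publicKeyStore, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return endpoint{}, nil, nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return endpoint{}, nil, nil, err
	}
	ep := endpoint{name: name, secret: secret, priv: priv}
	return ep, sharedSecretStore{name: secret}, publicKeyStore{name: pub}, nil
}

// newChallenge is the fresh random nonce the server sends for every login,
// so a captured response cannot be replayed.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// symmetricResponse is the device's answer in the shared-secret design:
// an HMAC of the challenge under the secret both sides hold.
func symmetricResponse(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

func (s sharedSecretStore) verify(name string, challenge, response []byte) bool {
	secret, ok := s[name]
	return ok && hmac.Equal(symmetricResponse(secret, challenge), response)
}

func (p publicKeyStore) verify(name string, challenge, sig []byte) bool {
	pub, ok := p[name]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// legitimateLogin runs one challenge-response under each design with the
// real device credentials and reports whether each succeeded.
func legitimateLogin(ep endpoint, ss sharedSecretStore, ps publicKeyStore) (symOK, asymOK bool, err error) {
	challenge, err := newChallenge()
	if err != nil {
		return false, false, err
	}
	symOK = ss.verify(ep.name, challenge, symmetricResponse(ep.secret, challenge))
	asymOK = ps.verify(ep.name, challenge, ed25519.Sign(ep.priv, challenge))
	return symOK, asymOK, nil
}

// loginFromStolenStore simulates a server breach: the attacker has a dump of
// the server-side records and nothing from the device.
func loginFromStolenStore(name string, ss sharedSecretStore, ps publicKeyStore) (symOK, asymOK bool, err error) {
	challenge, err := newChallenge()
	if err != nil {
		return false, false, err
	}
	// Shared-secret design: the stolen record is the credential itself.
	symOK = ss.verify(name, challenge, symmetricResponse(ss[name], challenge))
	// Asymmetric design: the stolen record is only a public key. Without the
	// private key the attacker can at best sign with a key of their own.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	asymOK = ps.verify(name, challenge, ed25519.Sign(attackerPriv, challenge))
	return symOK, asymOK, nil
}

func main() {
	ep, ss, ps, err := enroll("alice")
	if err != nil {
		panic(err)
	}
	s, a, _ := legitimateLogin(ep, ss, ps)
	fmt.Printf("legitimate login    symmetric=%v asymmetric=%v\n", s, a)
	s, a, _ = loginFromStolenStore("alice", ss, ps)
	fmt.Printf("after store breach  symmetric=%v asymmetric=%v\n", s, a)
}
```

With the real device credentials both logins succeed. With only the stolen server records, the shared-secret login still succeeds, because the record is the credential, while the public-key login fails, because a public key lets the server verify signatures but not produce them. The same holds for a SecurID-style seed or a password: whatever the server must hold to check the answer is exactly what the thief gets.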

By the way, just to stick it to whoever the idiot was at Microsoft that decided that the CardSpace design should be scrapped—CardSpace is the BEST security design at Microsoft that uses an asymmetric key design.

In hindsight, dumping CardSpace was clearly a political move, not a technical one.


Mono Resurrects Itself as Xamarin

19.05.2011 by Craig Burton

When I was deeply involved in technology and company acquisitions at Novell, I learned the hard way how difficult it is to merge disparate corporate cultures.

Money usually only helps a little.

Company after company acquired by Novell disappeared from the planet. Often times with disastrous results. It was only on occasion that an acquisition yielded any measurable benefit.

This is why I winced and expected the worst when Novell announced the acquisition of Ximian back in 2003. How Miguel de Icaza survived the Novell acquisition gauntlet is a mystery to me. When I read that Attachmate had fired all of the people working on the Mono project a few weeks ago, I figured the axe had finally fallen and that the Mono project was dead.

Not a good thing. It certainly speaks to the visionary skills of the new SUSE management team. Mono was the ONLY innovative thing happening at SUSE. Everything else is just playing catch-up to Red Hat.

Even the language of the announcement sucked:

“We have re-established Nuremberg as the headquarters of our SUSE business unit and the prioritization and resourcing of certain development efforts – including Mono – will now be determined by the business unit leaders there,” said Jeff Hawn, Chairman and CEO of The Attachmate Group in a statement sent to InternetNews.com. “This change led to the release of some US based employees today. As previously stated, all technology roadmaps remain intact with resources being added to those in a manner commensurate with customer demand.”

To fully understand this announcement, a quick lesson on “vendor speak” is appropriate. When a vendor invokes anything that resembles “Our actions are based on ‘customer demand’” you know that you are being fed a line. It is what magicians refer to as “misdirection.” It is a form of deception in which the attention of the audience is focused on one thing in order to distract it from another.

A vendor that states its future planning is based on customer demand is a vendor in cruise-mode with no budget or plan to do anything about the particular topic. Thus the interpretation of the vendor speak “…all technology roadmaps remain intact with resources being added to those in a manner commensurate with customer demand” is: “we have no logical explanation for this irrational behavior.” In other words, you’ve just been fed a line of bullshit.

Rising from the ashes

Then I heard the welcome surprise, Miguel announced the formation of Xamarin. Unlike the bumbling headless Attachmate strategy, he nails a clearly articulated plan and vision for Xamarin.

“We believe strongly in splitting the presentation layer from the business logic in your application and supporting both your backend needs with C# on the server, the client or mobile devices and giving you the tools to use .NET languages in every desktop and mobile client.”

Yes!

I am so happy to see the Mono team emerge from 8 years of suppression and fighting for an incredibly visionary cause with no support, marketing budget or corporate sponsorship.

Well done Miguel. Breathe easy, the worst part is over.

Novell is dead, but—thank the Gods of good code—the mono project lives on.


Bringing the Web to Life at Last

04.05.2011 by Craig Burton

It isn’t very often that an Internet principle comes along that is so important that it actually affects almost everyone and everything. The Live Web is one of those Internet principles.

The Static Web — the Internet as we know it today — has no thread of knowing or context. Until now, there has not been enough infrastructure in existence for a computer to do the work of presenting the Internet in a context of purpose. The Live Web presents an infrastructure and architecture for automating context on the internet. The Live Web brings to life the notion of context automation.




© 2012 Craig Burton, KuppingerCole