Let's get started and wade together into the confusion. A couple of comments to begin. This is your talk: if you want to go in a different direction, let me know and I'll take it wherever you want to go, if I know something about it. Secondly, I had structured this more as kind of big picture versus the current events. You know, this is coming memories kind of stuff, ten years in. But if you want more emphasis on what's happening currently, we can emphasize that piece. I do have four or five slides on the future, so that will be part of this no matter what. And then I'm gonna try a demo just so that I can crash. You know, you don't know it's, you know, you know, it's state of the art if it doesn't work. But this is the first time I've tried to demo of this, of the software that we've been developing as part of the process on consent, basically a privacy mechanism. So with all of that, again, just small crowd. I'm thankful I'm not in the ballroom, where the same-sized crowd looks really tiny. And again, please, if you have a question, even you can just, just jump right in. We have years together to ameliorate the pain. So what I was going to do is a slide on forging the elements, a slide on the decade of deployments, what we got right, what we got wrong, we really need to go, and then a few observations at the end. And again, customizable talk. So, forging of the federal, the key federating elements. The Academy is really powerful.
It has been able to move an entire base of technology and community forward in ways that didn't happen previously. So some of us are veterans of PKI and years of federal initiatives, and they got basically nowhere. And then along comes the compelling need of the Academy. And because of that power we were able to convince folks, yeah, we could get this off the ground, and we were able to convince folks that your CIO and your provost will approve of this kind of stuff. All because we needed to talk to each other across institutions more than we needed to talk to each other. Chemists and physicists never talk at the same institution except to argue at faculty meetings about office space, but chemists at one campus... And that was very powerful. And then we lucked out. Well, we, we chose carefully, and some of the folks who were in this room were there at the, at the start. We got the right use cases. We got the library's use case, which was pretty much a privacy and an anonymous access, where appropriate. We got the science use case, which was rich in identity, because you're not going to get to my super collider unless you know who you are. And then we got the in-between case of collaboration, which said, I don't want to know who you are, Josh, but I want to know that you're a member of a particular class, or that academic class, which is a social class, and I need to know that you're a member of a certain group, and then suddenly collaboration to happen. And it was that last one, where I needed to pass not, not, not a, but something in between, that gave us the grist for the protocol base.
So we had the three driving use cases. A bunch of usual suspects began developing key elements. This is around two thousand, at stone suit meetings and beyond. And the first thing we did, we worked on the schema, because that was going to require cross-campus agreement among, and again the venue we were working in was the big dog universities, and big dog universities have their own opinions. And so we, we had to, we had to start the consensus process about what we were going to pass long before we had a tool for passing, and it took us three damn years to come up with the schema. Um, what do you mean by affiliation? What do you mean by membership? All of that conversation. We built some software along the way, sample and shoot. And then we made a key distinction that the rest of the world is now catching up to, which is that we were going to be a multilateral relationship. It wasn't me outsourcing my travel to a third party or me outsourcing my accounting to another third party. It was me collaborating with all of the partners in academia, and so I couldn't hardwire in things.
I had to use metadata to drive everything. Key distinction. And that led to a federated operator. And then we decided that we were going to align it, influence others in the way that academia always thinks it can influence others. And in fact this time we were able to do that, and so we joined international communities, some standards communities, the US government, etc. Want to give credit to the various folks that supported this. I want to give a lot of credit to the campuses that were involved in all of this stuff. I want to give a special... Without his mumbling vision we wouldn't have gotten anywhere in this. So around 2004 we deployed InCommon. And federations began at the same time in Switzerland, the UK, Scandinavia. And that immediately drove us to practices and schema. We didn't really get too great on the alignment of schema. So for example our schema has faculty, student and staff as affiliations. The UK has no word back, part of the staff. So they said, what are we gonna do with this faculty word? And we said, well, you know, don't use it. What do we do when we receive one? And so we found footing, we found business models. We had to make this work and we had to change the paradigm that was going to be point-to-point authentication. And then it happened. It happened, it's still happening, exponential growth. I got the usual chart in there, U.S. and international. And along the way, because it was happening and it was happening pretty rapidly, we had to reinvent lots of key pieces to meet the scaling set of issues. Initially our metadata bundle was about, I don't know, six megabits. That's like six kilobits. We're now up to 15 megabits of metadata in InCommon. That's too big. And so we're moving to a dynamic mechanism for distributing. We adopted, it was adopted by other verticals. Some verticals are natural for multilateral federation. The multiple listing service, oh my god, did they look at this and go, oh, that's our world, if we have to deal with all these other brokers around the world.
How cool. They run sheer. Financial industries, law enforcement. The biggest federation in the world, if you haven't noticed, is in law enforcement, called NIEF, N-I-E-F, the national... Know that? And it stands for 6,000 federal law enforcement agency, state and local, to actually exchanging lots and lots of data. I could show you this schema. It's terrifying. I have to shoot you all afterwards. We have in our schema, I think, now a grand total of seven attributes. They have 300. When I asked them how many of those get populated, they said all around six or eight. Going, well, you know, what good is it if people aren't populating those attributes and relying parties that Farmer, etc. And then along the way social identity, um, came along. We all have Gmail accounts, Yahoo, etc. And their emerging business model is that you are the product, you know, that it's your eyeballs that they want, and, and they sell your eyeballs to the advertisers. And just remember what the right structure here is in relation. You're not paying anything, so you're not a customer. And it's almost ubiquitous coverage. I'll just mention, I'm not going to get into protocol war, wars, but a lot of this stuff is around not SAML per se. We worked with the developers of this stuff. It's OpenID Connect, for those of you who know the buzzwords. We work closely with them so that they would harvest the lessons that we had had as they transited from SAML, which is a web-centric protocol, to JSON, which works so well on mobile. And in fact one of the things we did wrong, which we didn't anticipate, how major mobile was going to be. And so if any of you try to log on into a federated environment using your phone, and I do this a lot, I'm sitting there trying to blow up the little screen so I can type my username and password. I'd sure like a native client that knew the platform I was on and gave me all the bells and whistles. That's what JSON can give you. That said, we have pretty good interoperability.
So where are we now? Internet identity is a big deal. Consumer companies to government, academia, enterprises. I'm going to cover just one slide of normalization of terms. I'm going to talk about the integration of the technology. I'm going to talk about the lack of governance. And then a couple of challenges in this, and then I'm going to despair over the fact that this has changed a large part of the world, but scholarly identity still lags. Why is that? So it's a big deal already. Federations, lots of hundreds of millions of users, thousands of service providers. Google and Yahoo linear milk. Dominant industry. The federal government has invested a lot in this. And I'll just mention that here's where we're headed. I'll come back to this in a bit, but one of the great powers of federated identity is to leverage multi-factor authentication. So if you don't have federated identity and service providers go, you know, is it they can pass with a pass a, I'm going to go with two factor authentication. Yes. And suddenly Steve has a bandolier for our second factors, and he's sitting there in the 60 seconds he has a lot to give the second factor to figure out which one is the right one. If we can replace that, single second fact... The service providers like that because they don't have to pay that expense. The institution likes it because it's something... And it wasn't expensive, because the second factor to that to be before was turned out to be some other mechanism that you happen to have, and so there was no real capitalization post other than the license. I'll get back to the attribute-based access controls in a minute. So here's a, this is a stale map of R&D federations worldwide. The coverage is much bigger now, especially in Africa. I wonder what privacy management means in China. That said, the Chinese have invited me to go there. So I might find out, or I might not come back. And then if you look in Europe, you can see the coverage is complete. Basically, everybody has a federation.
So it has worked. Here's an old chart of the growth curve in InCommon. This hasn't been updated in a while. You can see the exponential, you can see the linear growth in the IDPs, the exponential growth in the SPs. We have now concluded some structures that have been bringing in the entire UC. It's like Cal, California Community Colleges. And then there's some other things coming along. We're going to see an exponential growth in IDPs, to be followed shortly by the fact that the chart will become utterly meaningless because we're not going to have a bundle anymore. We're going to have a dynamic service that hands you exactly what you need about the relying party when you need it. And so when, it's going to be a harder metric to work with in that. Social identity: you know that all this stuff works well with mobile devices. They're working hard on better security. They're not working on privacy. If you went to the earlier talk that Peter Brantley and others gave, you know that this... They do statistical identity binding to know who you are. I've gotten, I had to erase my eyeballs afterwards, I got a chance to look at the mechanism that Google uses for anti-fraud, and they bring in so many factors. About where's this coming from? How recently was your last log in? What's the speed of your key clicks? What's your MAC address? So many factors that go in. The authentication is the least of the issues in this. It's all the circumstantial evidence, and they do a really good job. So they come up with a pretty good assurance. And one of the tussles I've seen over the last few years as they go to the federal government and they go, US government, you've been working on levels of assurance for a while.
That's how we do our confidence building. And the government looks at that and they go, well, you know, you're working with the same person every time, but you still don't know who that person is. And that's the key distinction. So they can... All the attributes are self-asserted by the user, and the fact that this is ubiquitous and the fact that it's a promiscuous attribute release policy makes the Google identity very compelling to the world. And we see lots of scientists, I'll come back to this, who are trying to use the institutional identity, and the institution goes, oh, we're not gonna release attributes. Yeah, we're a little concerned about FERPA or HIPAA or new technology or all the technology. And then the user goes, damn it, I'm gonna go to Google, which is gonna spill everything to the relying party. It's all self-asserted, but Google has its mechanisms to release. We'll come back to that man in a bit. I just want to, you, I'm gonna be using three words frequently, just want to clarify them. This is now normative technology. Knowing that creature. You know who you are. Again, identifiers are unique values that are tied to you, but they often offer privacy instead of identity. So one of the key things that Shibboleth does out of the box is not to release identity. You got a website and it gives them a 32-bit opaque number. It says, here's a state number. You can hold this for state. We're never gonna give that number to any of the site. We're gonna give every other site that this user goes to a different number, so you can't correlate. We're not gonna ever use this number again. So it's only a stateful identifier. So it's okay, but stateful, and it's okay, and I'm correlating, we do all these wonderful things and it works. Now you then go to a screen in your time inside your service provider. You type in all your personal information because you're gonna get a rubber squeeze toy at the end of that. That was your choice to do that.
So it goes. It's the attributes that we're really interested in. They provide privacy, they provide access control and they provide scale. And there's two kinds of attributes. It is basically the verified one and the self-asserted one, and, and generally verified is really important in certain cases, and self-asserted... Often you know what your preferred language is, and one of the favorite attributes in Europe is preferred language. So you might be Dutch, but you know that when you see technical documents, you want a name, just because the translations are imperfect. So preferred language is a big attribute, and you know that friend display names. And then the attributes unlock all the doors. So everything is coming together technically. The SAML and OpenID Connect are now tied together to be social-to-SAML gateways. And we operate some... Since you invited interruptions and questions, can I... You couldn't stop yourself, Steve, if you wanted to. Go, go. Now that might be harder. Ah, so the verified attributes. Verified by the identity... Or so for example, if I use my Colorado identity, it knows what classes I'm enrolled in, because that's part of the data that's fed into the institutional directory. So that's the identity provider example. The attribute provider: well, my citizenship. Who's authoritative on my citizenship? Ultimately, it should be the State Department, who issues passports. And then since most campuses have a mechanism, by a service, for looking at a passport and ingesting that data, and you know, I become an attribute authority of the second hand that way. The third party verifier is one of the more interesting business opportunities that's come up. So one of the other efforts that spun up inside NSTIC is an attribute verification service. And what it would mean is I go to a relying party.
I want to buy that, do that, I want to have it shipped here, and the relying party goes, what's the likelihood that this shipping address is really connected? And they go to a third party verify, these, these exist today, and say, and by the way, you hit a consent button on that screen, says okay to verify this information. No, they will then pass a, the name that you typed in, the address, and it'll go out and it will verify that this name will be associated with this address. The thing that's very interesting about this marketplace is who's in it. So who's, who's offering verification services today? US Postal Service. It might be at the shop, but they typically don't have fresh information. Google will offer verification. Where'd they get the information from? I at least got it. We won't tell you. Who else is third party verifiers? Well, Equifax. Wait, doesn't Equifax have a service to do this? And yes, for ten dollars I can pay as well. As a vendor I can pay Equifax to get verification, and I get back a whole lot of other information and I didn't care about. And so what I really care about is I just want this one verification. So Equifax is eating its own business and going from a you pay for ten dollars worth of verification to you pay a buck verification. But the process model them is you use the sort of relying party. Which is good because now we know who we're talking about. So, so I'm, I'm, I need this relying party to go out and get some set of attributes without me in order to conduct the transaction that I'm doing, and sometimes this relying party... Are you filled it in on the screen. It didn't get it from you. You, you went shopping. You filled out name, address, etc. You fill out a bunch of attributes about that name. There was no transport from the identity. That's, that's the key piece. Because the identity provider, especially if it was an institution, when, why am I going to release this information to a food? Why do I even have it?
Excellent point. It invites privacy spills, having that information. By the way, um, that marketplace is failing. The price points to not be anywhere between 85 cents and a buck and a quarter, and no one, no one who goes there knows whether if you pay a buck and a quarter you get better strength of verification. So and why is it failing? Because users haven't been comfortable clicking on the consent button. And if I'm making a sale to surge and he's going to turn away because there's an extra click... So it's very interesting to watch what could have been a very interesting market start to get stymied by one extra click. I mean the reality is you're not going to want to, you... Is there anything that's going to be in some sense tied to that? I mean if I go in to some system and it bounces me back to Princeton or whatever to walk in, almost any place I'm going to... That's... Not content providers. They're going to want to know that you're a member of the Princeton. They don't want to know locally. I'm talking to sir. They're going to in fact say welcome, sir. They almost always want that because they need a no big identity when the changes, or is it steady? How are they going to engage and extended conversation with, how do they make you won't, right? You can't get state that way, you can't get any of that stuff. But look through, you, look through your, looks through the transactions that you engage in and categorize them by whether they need to be stateful or stateless, and then whether or not, even if they need to be stateful, whether or not they need to be identity rich. And you're going to discover, especially in the community that we live in, that state is really desirable. Identity is second. State gives you the continuity of experience that you want to have, the ability to pick up the search at home, all that other stuff, but none of that needs identity. If you believe in open shelves, I want to be able to do browse open content.
Um, so one of the, so we have these SAML, the social gateways, in the social-to-SAML gateways. Um, how many people know that Yahoo about a year ago started reassigning email addresses? So if you're using, if you're a relying party that's using an email address as an anchor for identity, you could be dealing with somebody else. When Yahoo made this decision, because they were running out of all the good email addresses, it turned out john smith was used a lot of times as a word. When Yahoo made this decision there was a huge uproar, and Yahoo said, thank you. Here's the bird. We're gonna do this. So if you're going to count on... So we're running a social-to-SAML gateway. We come, comes in a Yahoo identity, and we put it into a SAML packet. We throw away a lot of the, that got who gave us those, frankly. A, we don't trust them. They're self-asserted. B, what are we doing passing them on? And then as we learn with Brown University, and, and it's the same issue that Steve raised, I don't want that information to be stored because I have a liability if I have a data... So one of the things that Brown is using the social-to-SAML gateway for is to bring in all the parents and all the alumni who no longer have accounts into the Brown world. And this is good. And CMU is using the social-to-SAML gateway so that parents can look at student accounts, student bills, etc., and Carnegie Mellon didn't want to create new accounts parents. So they said, use your Google. And we're going to throw away half the information Google gives us as you come in, because we don't want to hold. So there is some, there are no technology issues in space, but it's fraught with policy issues. And every institution that is brought into the social-to-SAML gateway, and it's really attractive, has to go through this process of, what information do I want to accept from these various identity providers?
How comfortable am I believing that this is still the same person behind this email address as it was six months... So the importance of payloads versus protocols. Nice thing about the OpenID Connect people is they're using the same exact payloads, and they're using very equivalent metadata, though it's JSON based. So governance. Um, U.S. government, just a few blocks away, has been trying this for years. It's generally been led by a GSA or by NIST. It hasn't really worked. The one accomplishment has been these high assurance HSPD-12 cards, based upon George Bush's requirement a while ago, and even there I'm watching, so they've issued these high assurance cards, and how do I get an anonymous access from a high assurance card? So there's all these people who work in, in, in various industries who want to use their identities outside those industries. They have these HSPD-12 card. No attributes, rich in identity. I want to go shopping. I, I maybe, I need some attributes, my preferred language. I certainly don't want to give out my identity until I click for purchase. So I'm watching a very interesting activity of downscaling the high assurance credential into functioning in a world with privacy. The citizen, the government space has gone through a federated model, and when the federal government started this, it was a major program. I'm a, I'm a recipient of a call, NSTIC. And it's done a couple of quick finesses. One finesses: who does it apply to? Basically the federal government can only apply, can only have citizen to government or business to government. They puffed up big and said, hey, we're going to try to influence the marketplace. The last few meetings of this group, no Google, no Yahoo.
They're not showing up. These are the guys that brought me back doors in their crypto, so I can imagine why they wanted, why Google and the other wanted to show it on the feed. Quick sidebar. So I know, so Steve raised a very interesting and delicate point, which was there were some weak standards in crypto that were created with key government personnel chairing the international standards committees. Were they under instruction? I know the person who led the effort. He was not under instruction. They just missed. Nothing more. Yes, right, I can tell you about, uh, I, I've actually seen little boxes that the U.S. government puts into the switch rooms on the overseas. In fact, of the offenses the government made over the last few years, the one that was most scurrilous in the eyes of at least Silicon Valley was that Google was not getting clear pipes from the vendors. That all of the pipes that Google was used between a Google data center here and a Google data center here, that pipe was sniffed. And I know the person who puts the boxes in the rooms. And he says, you put this box in right next to the box in the UK government, right next to the box from the French government, right next to the box and all the other governments. And the U.S. government is just certain that their box is faster and better than anybody else's. Um, so the authority over the marketplace, and then the internationally, it all compounds things. European policy affected by local laws: is your IP address personally identifiable information? The answer is sometimes. If it's assigned dynamically, no. If it's not assigned dynamically, if it's a static IP address, then it is personally identifiable information. So there the U.S., the European policy is unless you can presume that the address, unless you could show the address was assigned dynamically, you have to assume static and therefore you have to assume it's personally identifiable information. And the German courts went, that's really weird.
We don't believe that. So the European policy affected by local laws. Snowden has deeply affected the marketplace. And finally the big dogs do what the big, repurposed personal data, modify search results, change the assignment of email addresses, institute risk-based measures, retain histories, put cookies in. We saw again Peter's at the conversations there about what the big dogs do. So impact on scholarly work. Boy, we did this, you know, again Steven others were there, we did this because we were going to, um, change the way the academy worked. What fools we were. It's a tough business to be in, to change how the academy works. Um, we've had large impacts on our enterprise, our cloud services, single sign-on, collaboration tools, but when I looked at... Do we have anybody here who's been involved in any of the federal initiatives around science CV? It's been a 10-year process. The goal here is so that I, when I create my custom CV for submission of my grant, I can do this expeditiously, because you don't ever submit, if you're a big-time researcher, it's never the same CV to the same agency. It's always refreshed. This effort has been going on for a long time. I'm scholarly connection, collections have not been re-engineered. Access controls though, I'm really excited. There was a workshop here yesterday that CLIR at CNI sponsored on access to restricted collections, expanding access. Fascinating. The collections want to expand. They have some challenges beyond belief. Henry Kissinger gives all of his materials to Yale. Wonderful. This credit card information. There's deeper information in it and we didn't take those things out, right? You know, who's going to take that out?
But that separate from the lead. And I heard so much yesterday about lockdown laptops. When you can't even take notes, you can't take screenshots, the collection is so restricted that when you leave the room they go through everything that you had. You know, normally when you leave a library they might, or when you enter a library they might check for things. Here it's when you leave this room, to make sure that nothing... Business models are uncertain. Um, the attribute of attentive institutions. Any registrars in... And then the trade of the edge uses what I'm going to bring progress. And lastly the catalyst for change and not connecting with the points of authority. So let me go back to this attribute with tentative. Maybe I'm going to step out for a second and, well, I'll get to the consent manager in a second. Let me, let me hold that way in for one minute. Challenges and scaling privacy. Um, so the spectrum of user interest. Alan Westin was a researcher for many years in privacy. He went through surveys over 30 years to characterize the community at large in terms of privacy fundamentalists to the don't cares. Got lots of slides about that. Um, it's a very interesting reading. Basically about a quarter of the people out there are fundamentalists, about a quarter of them don't care, and about a half in the middle want to have some kind of management over privacy. And so for those of us developing consent managers, on our show to you in a second, the challenge really is to make consent management work across the spectrum of users, and you'll see something... Populating, releasing and using attributes have been very, very hard on international complexities. Spanish surnames. How many fields for surname do you have in your directory for users compared to the number of, and in fact in different Spanish-speaking countries, which surname becomes dominant?
I'm seeing nods here of people who know those, that Chile and Argentina don't work the same way. So if we're trying to say release name as name, which one are we supposed to do? I'm consent managers at different moments. I'll show you that in a second. And then one of the things that we're about to get into as a community is, is the set of determining one of the minimum attributes needed by an application, and we're doing this already globally in one category, research and scholarship. And I'll talk about that in just a second. So consent management. Key dimension of privacy. It's a complex set of issues. I think the term is catching on. Privacy is a vast word. Consent management is really about the release of your information to a third party. It's not about privacy spills. It's not about PCI. It's not about the other things. To give a comment, the requirements list grows, especially from the Europeans. The worst case is medical information in our medical system, because the number of third parties who deal with your medical records is going to be huge. And so I hear all the time from the NIH, have consent flow with the information. And I go, lots of problems with that. We don't have to do that technically. Was that the user's intent, was to have consent flow? Because the medical cases are the worst. And then finally we're dealing with users who, according to them, don't even want to deal with this. There's the consent screen from Google. How many of you used your Google identity to go to a third party and use, yeah. Well. Oh, I know Google likes white space, but my god, so much white space. Another thing to note is you, you just accept. You can't, you can't individually release information, whereas the informed consent. Oh, one more information. Yes, more information. Still small. Still terse. No display of value. Spin release. No revocation capability. You consent once, that's it. You can, you can go to your profile. You can go, you can revoke. Right, but you have to do that out.
I know because, yeah, I got into to use approach. It's not easy, but it's not easy. It's not easy. Here's the stuff we've been working on. Not, you know, first of all, we're not afraid to use the screen real estate. Secondly, um, we give clear indications on a per attribute basis what's being sent and what's not being sent. We're showing the value that's being released, so you can go, oh my god, that's not the right value. We have this little i button for informed consent. Let's just tell me more about this field. Um, and then we have a mechanism, and I'm going to try a live demo in two seconds just to show you, that says managing privacy is a pain in the butt. I've only got a few attributes here, imagine if I had a whole lot. So I want to be able to not see this screen again for a while, and that always kills my demos because I click I don't want to see it and then I can't pull it up in the demo until I revoke. Um, so we give you suppression mechanisms. We give you alternate notification, which is just say, send me an SMS message every time attributes get released, every second time. Infinite capability.
So here's where we're going to go into the pit. I'm going to try to do a, I'll get to the web browser and see if this works. So now I'm going to try to log into something. I'm going to get an error message. So it goes. It's okay. Cookies. What I'm going to do is I'm going to start to manage all the sliders. I'm going to show you the suppression mechanism for the alternate kind of stuff. Now I'm going to actually get to the application that I was trying to go to. Um, we're setting up a demo site for all of this stuff. Is, what's really fascinating in setting up the demo site is we're looking for applications whose behavior will be different based upon what attributes you use. Wiki's a wonderful... I can go to a wiki as an unauthenticated person and see some content. I can go there, but I can't see other content because I have an authenticated. So if I authenticate I might see more content. If I release some more attributes I might be able to get into a reserved spot on a wiki. What's stunning is how few applications are ready to handle distinct sets of actions, memberships, etc. That said, we're finding calendars, we're finding lots of applications that can be, that can be tuned to do this. But clearly the expectation out there in application land is all or nothing, and we'd like all. So, um, what I want to talk, I'm not selling Privacy Lens. I'm selling active end user consent management. So, um, the federal government got confused about this. They started to promote Privacy Lens as the answer to everything, and it only runs on Shibboleth. It doesn't run on OpenID Connect.
It doesn't run on other kinds of SAML software. But: enable effective and informed end-user consent. Give hierarchical information, your fine-grained controls, bundles of attributes; allow me to revoke. Bundles is because we've learned that certain attributes travel in bundles in the ecosystem. And flexible notifications.

We talked about style of presentations. I don't know if you noticed on the Google screen, the little button was marked "Continue." It wasn't marked "Yes." It wasn't marked, you know, some kind of affirmative action. "Continue." Of course I want to continue. It turns out that if anything is important in the screen, it's that one button. The research shows that users think more if you just change from "Continue" to something else.

Search. It's even got the little words in the latest iteration of the rules off of your interface. You as the application developer can actually design your own us screen that the user will see when your application asks them to authorize you. And you can control what message will go off to the user, exactly what they'll see and what they're agreeing to. What they think they're agreeing to. To remark about, sure, but we'll do this as a way to be nice to application developers. Right, that's their customer base. So the experience with that, the user will be a positive, user would see this nice walking screen and so on and so forth. But you can actually control exactly what that message is.

Thank you for sharing answers. Okay.

What we got right. The basic model. Forget those of us who were doing PKI for years. It was rigid all the way down. Here's the policy; your policy has to be a subset of this power. No torque in the system. Didn't work. And what we used to do is, what we said is that PKI was globally scalable. It just wasn't locally deployable. Federation was clearly locally deployable. Would it globally scale was our concern.
That's being answered. And yes, it does. And there's a thing we use with the driver of academic collaboration. Going into the provost office and saying this is going to ease the pain of the researcher was really important.

In the right use cases. The protocol and standardization process: we forked over to OASIS. So we got together March in '99 in Tucson, and at a table we said, "What's the hardest, most important problem we could solve?" It came up with this, with a few mumbles along the way. It was the right use case. We went up the, the OASIS standards group knocked on our door six months later and said, "You're doing some interesting work." Moving over to OASIS, we said multilateral and they said, no, outsourced business travel. And they said we're going to move this part of the problem over to OASIS, but this is the part that we really can't, I'll care about, and so we're going to continue to work on that. A simple and an extensible schema and the focus on them ever dated to drive things.

What we got wrong. We thought it was the web. It was the web for a long time. Now it's all native clients because of mobile devices, and so the adaptation of web-based technologies to native clients. Another thing we got wrong was our expectations about various US government activities. Sorry, you know, I heard that Kennedy speech, "ask not what," you know, and, uh, and so we thought, you know, all of these were going to succeed. None of them really did. And I'll just tell you that, decent people in all these federal government activities. It's just an impossible situation, impossibly complex. Politics, it just fits, and that privacy issues to be rationally resolved. International issues, so not to be very hard. Still very hard. Attribute-retentive institutions, we've talked about. Array inconsistent user behavior. How could we be so naive?

So where do we go from here?
Four things to look at. First, scalable and accessible access. So, um, most of us do access control, especially in science communities where you have to be very careful about who's getting here, with a list of identifiers. So full identity-based or, gasp, IP address. So if it's identifiers, and it's a Yahoo email address as the identifier, and that got reassigned, a little awkwardness as your scientific results.

So we're trying to move to attribute-based access controls, which says a variety of tools can be out there. Entitlements: in an entitlement, and we use heavily in library space, the relying party doesn't want to go for the attribute issues. It's going to pass business logic saying these kinds of users can access this content, library walk-in users can access that kind of content. Here's my business logic. You compute whether or not somebody is entitled and give me back a yes/no value. Nice thing from the relying party's viewpoint: no consent issue either, because in fact the attributes stay down. So that's one way of going about it with entitlements, but increasingly it's, here's a set of attributes about people, and use the attributes to determine whether or not they're about to get in on a member of the class or they're a member of this group.

It's a, let me see. Let me tell you two things that we got wrong in that space and that we're trying to fix. First of all, um, those of us who were developing this were directory geeks. And so we said we're going to have a category called isMemberOf. We're going to put all of your group memberships. Now, you don't want to release all your group memberships. So it's not just releasing this attribute. It's releasing selective values of this multi-value. I don't know how to do that.

Um, another thing that we did wrong, and this is, I don't know if anybody knows this factoid, but Scott Cantor told me this two weeks ago: I can tell who you are if you give me three group memberships.
I know who you are. I know, I've never heard of that data mining stuff, and Scott later admitted that it was a hunch. But it's a great factoid that three group memberships can tell. So group memberships may not consider your identity quite a way.

Accessibility. This is really important. Um, and I'm not going to go into this rant, but look up gpii.net if you haven't. It's a set of attributes that help display the content, not just for physical issues but for all kinds of other compensatory needs you might have, the most interesting of which for me is cognitive problems. We're creating, unfortunately, through various military activities, a set of veterans who have cognitive issues. And so they can't do depth-first search. So you present tree content and it's not accessible to them. So you need to reformat this as a linear mechanism. How do I do that? Well, actually, who's being developed to do that? So cognitive disabilities, um, et cetera.

And there's the gpii.net, and I'll just tell you that if we're successful at this, the words privacy and accessibility have never been used in the same sense. Typically, here's my access, here are my compensatory problems. And so I'm just writing some use cases now for the federal government where, um, I want to release to a job service a set of physical problems that I have so that I can look at the job ads. But you don't need to know yet, but I have no ability. It's what I apply. Wouldn't it be nice if it's not all or nothing inside the, you know, opening the kimono, but I can give you this subset of needs so I can look at the job ad even before I apply? Those things are all tractable now.
They were never doable before. That's cool. Um, and then we work in the access controls for restricted materials.

Expanding the use of trust-related metadata. Um, so one of the things we've started recently is tagging applications in terms of their attribute needs. And we actually, as a federation, go in there and look at the application and go, "What attributes do you really need?" Because we're going to guarantee to users all over the world that we've done in order and figured out what the minimum set of attributes is to this application. There'll be a whole set of optional attributes that you'll have the opportunity with those rules for us to release as well. But let's see what we can do in terms of this. We called it the R&S tag, Research and Scholarship.

Let me go back to the disconnection I talked about early. We're discovering that a lot of institutions by default do not release much information. And so the physicist is trying to get to the damn site for his physics at CERN, can't get there with his campus identity, goes, "Hell, I'm going to use my Google identity." It spills everything, white white. So does the physicist ever contact the IT organization and go, "Yo, release my attributes"? Disconnect. Does he ever contact the VP for research and say, "Your damn IT organization is attribute-retentive"? No. So in fact, when we were working with the physics community a few weeks ago, they suggested a different tag, r&dallasinus, because they're bringing in so much money to the campus that certainly the VP for research would not want to blunt their research by not releasing attributes. We're discussing this still. But vanity tags are coming along, sad to say. And so they may be legion.

Consent management support, etc. And the business processes to support this. And so there's going to be a third-party industry, I hope, that does audits of applications for minimum attribute needs, etc. We're beginning to see this again. We do this now inside InCommon. We've certified over 100 applications as R&S.
So the work is doable. We engage with the owner of the application. It's usually a phone call or two. It's usually pretty reasonable. We don't want to be in that business at all. We need to find some other industry to do that.

Moving from static to dynamic metadata services. Um, I talked about that already. I think we talked about, um, uh, some of this stuff.

So good privacy begins with good security. I'm a big fan now of multi-factor authentication. We made it painless enough. It doesn't heal all the wounds out there, but I've seen some phishing attacks recently that was so good that, um, I think it's the only way of blowing. So MFA and federated MFA, lots of leverage. We're going into privacy by design as well. I'm not going to get into that. We're doing inter-federation.

We're doing federated incident. My IdP got compromised, or somebody did a password reset on an account that got Google. And of course the way these are worked is, if I'm going to do a password reset on my Google account, with that information going to be mailed, I can't get to my Google email. But I supplied an alternate email address, which was Yahoo. And so Yahoo immediately finds out that, oh, there's been a password reset happening. I wonder if that person used the same password for their Yahoo account. And so there's a very interesting business coming up called shared signals, which is among the big dogs in Silicon Valley, to notify each other when accounts get compromised. Is federated incident handling.

Um, we are really fascist about your signing key. Is it 2048 surgeries? Is it just 1024? Looks like you have a small signing key. I'm sorry, we're not going to use that. So we're really fanatic about this, but we never asked, by the way, did you patch Heartbleed? Did you patch anything else? So we're moving to a holistic model of security, which is really pretty good.

Um, it's separate observations that slot. Um, Internet identity is truly a layer. It's out there. You have to use, you want to use it.
You have to use it. Um, identity is really a pretty key. I'm factoring all of this stuff, but it's not a layer. It's not one crisp protocol. It's a toolkit. You have to assemble it. The use cases are remarkably diverse, but it looks like we can meet every use case we've seen.

Um, is a policy design principle that was founded in 1982 when they were writing old Internet protocols: be conservative, um, in what you send, be liberal in what you accept in protocols. Things thing is going to be true with attributes and everything else.

Um, the rapid development of the marketplace overtook. I think the best example of this, and this one is the European cookie policy, which was wrong, because the target of cookies, and cookies wasn't the problem. It was the way cookies were being used. And so they just sort of, if so. What that says on a legislative basis is that: have the policy address what you want to have happen as an operational aspect. Don't talk about the technologies, because you could be used served by so many other things. I think what we saw from, um, Peter and the other talks earlier today was that there's a whole technology's out there being deployed to compensate for some of the European.

We stopped there and here are the questions. Okay, um, stay tuned, folks. This is an interesting world. We're using identity. Um, we're all spilling our attributes left in life. May they not get used if our history along the way. Thank you.