Let's get started, folks. I'm Ken Klingenstein. I do middleware work for Internet2. I get to live on the frontier, got to do the frontier one other time at Internet one, and riding the exponential is always fun. So we'll talk a little bit about some of that stuff. I sure welcome that if you have any questions, barbs, whatever, you just run to the microphone and yell out point of order in classic Don Juan fashion, and we'll take it from there.
We're going to talk about things identity, social, federated, scholarly, et cetera. So without any ado, I'm going to begin with a quick social identity update. I got one slide, but it's really chewy. And then I'll move into federated identity. I got graphics and the other kinds of stuff. I've been gifted with a NIST grant over the last few years to do some work with the federal government in this space. I played the White House last week just not far from here. I believe Darth Vader was in the audience, and we'll talk a little bit about some of the aspects associated with that. We'll go into some scholarly identity stuff. We've had some conversations in the last few days with ORCID, and I have some actual questions to ask you folks. And then we'll end with collaboration platforms, which are the orchestration of collaboration tools into an integrated access and identity management framework. And again, interrupt whenever you'd like.
So social identity update. We all have our Gmail and Yahoo accounts. And in fact, in the U.S., this stuff is reaching saturation. Notice that the focus of service to the consumer continues, but it's really that you are the product that Google wants. And be very clear about that. It's you. And so they will be harvesting all your information, as you well know. And I'll talk a little bit about some of those activities when we talk about a privacy manager.
But interestingly, about three or four years ago, when the Feds were ramping up an identity initiative, Google and Yahoo and Microsoft all lined up to be certified as LOA-1 for federal applications, allowing you to use your Gmail account to check your Social Security balance, for example, or to book campgrounds in the National Park Service. And they went through a process and they all got certified. They're up for a renewal. None of them has shown up at the door. Have they given up? Or is the federal government not a particularly attractive relying party? Is it a particularly demanding relying party? And so Google wants nothing to do with that. I don't know the answer, but it is striking that these companies that were lined up are now not lined up anymore. They're dropping their certifications or at least they haven't renewed them. And I think it's partially around if you serve federal government sites, you may have to meet federal standards for privacy. And they don't have an interest in doing that. In fact, if we're going to infringe on the terms and conditions that Google puts up there or Yahoo puts up there, those terms and conditions are their business and they're not about to change those.
And there's a wonderful movie out there that some of you may have seen on terms and conditions that is very compelling. If you haven't seen the movie and you don't have 90 minutes, there's a 30 minute South Park episode, which is the distillation, but it's essentially the same activity that the character in South Park loses their identity to whoever they've clicked through on that agreement and can't get it back. So this is consumer as a service, not consumer. Serving the consumer, it's using the consumer.
There's a protocol evolution happening underneath, OpenID Connect. And some of you may know that terminology. There are standard processes that are moving at a fairly slow but steady rate to begin to make OpenID Connect as rich as SAML.
And in doing so, they're making it as complicated as SAML. So if you've been following the OpenID story, it was, oh, nice idea to use SAML, federalistas. But my God, this is really hard. We can make it simpler. Well, it turns out if you're trying to solve the problems we were trying to solve, you can't make it simpler. And so courtesy of our dear departed colleague when we were doing SAML, we took six months out in the beginning of the process to make sure that we couldn't make it simpler. And I had coding money and I'm going, Bob, Bob, we want to code. And after six months, we had convinced ourselves that this is as simple as you can make it and still meet the use cases we were trying to satisfy.
So the problem with moving slowly and moving with an increasingly complicated standard is that some of those social companies aren't moving along with it. So Facebook has said, my God, what we're doing is good enough. Our business is not on the authentication process. Our business is in harvesting your data. And so it's not going to be the uniform market that we wanted to. And a lot of this is around the OAuth mechanism for non-web-based apps. And basically, phones have changed the name of the game. And I'll come back and talk about that. But for so long, those of us who were purists in the middleware business said, oh, my God, we can't put a client on the desktop. How would you begin to maintain that? Along comes telephones. My God, it's all clients on that little desktop. And so suddenly we're going to be the same kind of slobs that everybody else are and put clients on the desktop. It's the way of the world.
The FIDO Alliance is a group of social identity providers that are promoting multi-factor authentication. Multi-factor authentication is really important. I'll come back to this in a bit. But with the rise of really good phishing, the only alternative left is MFA. And we're not going to get away from really good phishing.
In fact, it's getting better and better as we speak. Notice that in typical identity landscape, there are two things we worry about. Is it really you? And then how is your act of authentication? Well, social IDPs don't even worry about, is it really you? Just the act of authentication. And so how do they know that it's really you or the same person coming back each time? I've seen the Google matrix. Over 100 factors go into figuring out if the person sitting at the keyboard someplace is really the same person who was sitting at the keyboard 10 days ago. And so we've all traveled overseas. We've all had little prompts from Google going, hmm, what are you doing in England? And you have to go through one of your security questions, et cetera. That's part of their massive algorithm that they apply in this space. That massive algorithm is harvesting your privacy left and right, not the subject of this conversation. But basically the relying party is deciding whether or not what they're offering is so risky that they have to worry about who you are.
The Yahoo email address issue opened up massive eyes. If you're not familiar, Yahoo decided to recycle email addresses, which means recycling authentication names. And they'll send, if an account's been dormant for six months, they'll reassign it. They may send an email note to that dormant account. But this changed everything. For all of us who were going to say, social identity is a real good bootstrap answer to lots of issues, suddenly we don't know if it's the same person knocking on the door. And I was with the feds when this got announced. The feds had no influence over getting Yahoo to change their policy. It's all about business for Yahoo. And so it is as it is, and we're left with sweeping up over after the fact that norm at gmail.com may in six months be somebody else other than trusty old Norm. So it goes.
The NSA revelations are changing international marketplaces.
I don't need to say much about that, but there's not a single service provider out there, be it Amazon Web Services, Google, et cetera, that isn't scurrying to figure out how they're going to deal with the NSA blowback. Typically they're doing it by setting up centers in other countries, but as you've probably followed, the lines between those centers in the other countries and Google's massive data center in many places in the U.S. are also being tapped. So there is no security there. And I don't think U.S. companies can escape this trap. So totally changed everything. Thank you, Ed.
So getting into the federated space, we've been doing R&E federations now since about 2003 and they've caught on. So worldwide they're now in most places. I'll leave it to the reader to try to figure out what preserving privacy means in China. I don't have an answer to that, but there is a Chinese federation. We build these privacy managers. I presume they don't get deployed in some locations. So it goes. In Europe, we've got almost 100% coverage there. R&E federations. In some of these countries it's coverage of the entire population. You can't get welfare in Denmark unless you have a federated account. It's a nice efficiency. They're going to put the money, your welfare check, directly into the bank. So about five or six years ago there was a solicitation done by the Danish government on providing federated identity to all the citizens. Some small company won. The next day it was bought by a bank. So it goes. But in fact federated identity has really good traction out there.
InCommon is our own local federation. We've been in business now for about eight or nine years. Got 400 plus universities. Over 600 participants. Growth is continuing very nicely. We've had the traditional areas of collaboration support and access to shared content, etc. Many of you may recall that Shib was designed one of the key use cases. Two of the three use cases were library focused.
Pivotal in what we were doing. There's lots of new services out there and these new services are echoes of what we hope to promulgate into the world at large. I'll come back and talk about that. And we're certified for government business. There is not a whole lot of government business out there at this point, however. There's the growth curve for InCommon. Again, the exponential in the number of service providers. That IDP list is going to have a stair step of about 2000 coming next year when OCLC rolls out software that's going to have Shib IDP baked into it and then every public library that's running that can also be an identity provider inside InCommon. This graph will become incredibly meaningless in a year or two as we do interfederation and we won't be able to count things the same way. So I'm using the graph while I can because the technology will undermine it if we're good.
So, U.S. government efforts. There are two efforts underway by the U.S. government. The first is FICAM and it's been around for about seven or eight years. It's classic identity services for government. It's growing pretty slowly, but it is growing. It includes high-assurance PIV cards. There may be some federal employees here that have those cards. Thankfully none of us do. There is PKI. There's federated identity. There's gateways. It's a mix of technologies. It provides the LOA certifications that motivate InCommon assurance programs. Research.gov is accessible through this mechanism and so I submit my NSF grants using my federated identity using this vehicle.
NSTIC is the next generation stuff. It's next generation services, privacy, etc. It has distinct government and pilot efforts and the scoping is a finesse. A very tricky finesse. So the federal government can only really control access to federal sites. But they want to affect the entire marketplace including Google. Similarly, the U.S. government is just in the U.S. But they want to affect the entire globe.
So there's a couple of finesses going on in this space. Those finesses have intermittent success. Like I said, Google isn't really playing much anymore. Microsoft still shows. Yahoo has never been there. I can go through the litany of players out there. It's tough leading those cats of companies when they don't have a whole lot of business motivation to play.
About two years ago the NSTIC effort issued a set of grants. This is the list of grants from the first year, first round. I want to call attention to two, I'll call attention to three grants here. Multifactor, mobile authentication. I'm going to give you this example only because I can't think of a single use of it, which is five factor authentication. So factor one is username and password. Factor two is an SMS message comes back to my phone and I type that pin in. Factor three is my voice recognition. So there's a secure app on the phone, I speak into the phone, it doesn't match and says, whoa, we got three factor authentication. So I put the phone around and I take a picture of myself and it does facial recognition. And now we can say, hey, we got four factor authentication. Do you really need that? And then factor five turns out to be geolocation, which is where is the cell phone right now? Is it an implausible location? I assume there's some very key constituency that needs five factor authentication.
So I want to call attention to the starred application up there, the commercial open source ID verification. This one's going to hit you where you live. This is verifying attributes on a per attribute basis. So today if I'm a company selling on the web and I want to know, gee, shipping address, hmm, you know all this information, is it really valid? My only recourse is to go to one of the Equifaxes, one of the credit card companies, pay about $10 and get a credit report. How about if I could say somebody just filled out a web form and they did a shipping address.
I want to know if this shipping address is plausibly attached to this particular user and instead of going to Experian for $10, I'm going to go to that market for verification over there and I'm going to say who's going to bid on who can verify that address. Who's going to bid? Well, U.S. Postal Service will bid. Google is going to bid. Experian, noticing that their business model is about to get destroyed, is now selling per attribute little tapas as it were versus the whole credit report. Just they recognize their business is about to get loaded. So price points, typical price point about a dollar to verify a postal address. Hey, that's a lot less than that credit report, especially if I'm doing it in the hundreds of thousands. Oh, somebody has it for a dollar and a quarter. Will I get better verification? We don't know. There's no standards on that verification back end piece. It's just price points. So you as a consumer say, hey, I'll pay a dollar and a quarter and get a stronger binding of address to user.
Why is this relevant to us? We're part of this pilot. They want us to sell studentness. Is somebody a student? So they can get a discount at Under Armour. They can get software from Microsoft. Lots of places will give software discounts or freebies based upon being a student. There's a lot of precious possible data on studentness. So they would like InCommon to step up and say, yeah, we'll do a studentness service. InCommon has a tough issue here. We're not doing anything in this process, right? That you're being a student is being verified by Chicago. So I'm supposed to pass it to you. We'll see how this goes. But we're being asked, now interestingly, these companies can join InCommon and get all the verification they want for free. My guess is that about a third of the assertions being passed in our landscape today are nothing but "the anonymous person that you're asking about is a student." And so studentness is the best item up there.
The two stars is scalable privacy. It's the grant that we were awarded and I'll get to that in a second. They just awarded some new grants and I'm not going to dive into them, but you can see trust frameworks are really important. I'll talk about trust frameworks in a few minutes. But the interesting one in that list is PRIVO. It's a minor's trust mark. It's an interesting company. Needs to decompose their business model. But COPPA compliance, Child Online Privacy Protection Act, is very important stuff. It turns out to be fairly global. In that no other countries have evolved the case law and regulations around this kind of act. So many other countries refer to COPPA as their benchmark, which is a goodness. COPPA is very interesting stuff. It's been a couple of years by the Federal Trade Commission. The latest revision is that if you're under 13 and you want to go to a chat room you have to have the option of releasing a non-personally identifiable name. So I'm working with PRIVO and I'm going, how are we going to do this? Whereas those of us who are middleware geeks go, oh, we're going to release, give the users the ability to set their display name and they can release that attribute. If you're under 13 you can't put pictures online that are personally identifiable. It's an interesting set of regulations. I like it because it's fairly demanding. I like it because it's very analogous to what we've been doing in the R&E space, but in a very different quadrant and they have all the same information.
So, on to the grant that we have, Scalable Privacy. We picked the prism before the Federal Government began to use prism as a code name for a bad thing. And so, oops. It's a two-plus year grant to Internet2 and InCommon. I tap a lot of the expertise from the campuses that come to CNI. There are several focal points that we're working on. I'm going to go through what we did with that in case you're interested.
So, what we're trying to deliver, we're beginning with promotion of two-factor authentication. Good privacy begins with good security. Critical. And if you're not doing MFA, my gosh, you need to be doing MFA. And I'll come back in a second for the leverage between MFA and Federated Identity. The Department of Energy requires you to specify your citizenship in order to use supercomputers. How is that verified? It's a self-asserted value that you provide for your citizenship. Self-asserted. I think I'm Cambodian today. Trusted metadata approaches. And I'll come back and talk about that.
I think the one issue of interest to this crowd would be the next-generation privacy manager. So, we are, as a community, what I call attribute retentive. We are very parsimonious in what attributes we release from our campuses to relying parties. That causes a lot of problems because we're not releasing sufficient attributes for access control. I'll contrast that with the consumer marketplace where Lord, I have a slide on that. So, we're beginning to do a privacy manager that will put the attribute release in the hands of the end user, and then we're looking at anonymous credentials, and I'll come back and talk about that.
MFA. There's just a lot of attack vectors that MFA is the best solution for. A lot of second factor alternatives are now available. USB devices, NFC devices, cell phones, et cetera. And we can manage most of these. And then lastly, coupling federated identity and MFA is extremely powerful. So, I was at a cloud identity summit in July with Amazon. And Amazon proudly announced that Amazon Web Services now has multi-factor authentication. So that you can use two factors to log into Amazon. And I said, that's wonderful. I have hundreds of users on my campuses. They already have second factors. Oh no, no, we're shipping out new tokens to everybody. At which point I went, wait, the users, you know, your users of AWS are generally enterprise centric.
They often have second factors. And the second, oh, I know what you're up to, Amazon. You're trying to sell suspenders to hold all of those second factors. And I went over to Amazon's retail site. This was during the presentation. It was really a stupid thing for me to do. 119 pages of suspenders on the Amazon web site. Several ready-made to hold all of those second factor devices. You don't want that. You want a single second factor and federated identity. And in the underlying party, no, we've had a rigorous two-factor authentication. Oh, a five factor if you want to go that way into the space. It's a wonderful leverage. We need to get to this place. I won't mention that. I won't mention.
We're doing two efforts here in this space. We've got about 2 million users now across 40 some odd campuses. Moving the needle, it's important. We're discovering lots of tough issues here. Accessibility support. Accessibility is a major part of our proposal. How do we make accessible second factors? FERPA issues. So if I'm going to use Duo and I want my second factor to be my cell phone, I go to Duo and I give them my cell phone. Whoa, is that FERPA issues? I don't know. We're worrying about that.
Cloud authenticators and DDoS attacks. So courtesy of MIT, we've discovered that on occasion, there were DDoS attacks onto your campus. If you move basic authentication out to the cloud as several campuses are doing, and then you get a DDoS attack, you do not get to the applications out there in the cloud, you can't authenticate anymore for local campus applications. Do you really want to give up that vulnerability? So the next time somebody knocks on your door and says, gee, you can get out of the authentication business and go to the cloud, think twice.
Alternative strategies when multi-factor tokens aren't available. The students on a dig in Tanzania, the doctors in a shielded room, second factors not working. What do you do? This turns out to be a real problem with MFA.
Not a reason not to do MFA by any means, because there's evil out there, but something to compensate for and build policy around. And we've had a set of campuses now develop compensatory policies in this space. And then lastly, returns on investment. We're delivering some important software along the way. I just mentioned this in passing. In case you have a geek back in IT who wants to know when is Shib going to do MFA well? It does MFA well. When is CAS going to do it? We got it. And then we're doing an open-source client certificate activity.
Citizen-centric attribute deliverables. We've built a schema catalog. We've done some annotation of use cases. We've done a cookbook to serve citizens. Any Rod Serling fans out there? Thank you. To serve mankind being one of the legendary shows of all time. We're going to be a little bit more benign, I hope, in this process. We're doing a lot of stuff with GPII. I'll get to that in a second. And we're doing a privacy manager.
If you're not familiar with GPII, get to be familiar with GPII. Global Public Inclusive Infrastructure. It's accessibility support done right. Where there's a set of attributes that control the presentation of information to you. And you can do that for any device without configuration. You can do this in ways that are privacy-preserving, saying, I'd like the job postings to recognize that I'm colorblind and be displayed in every fashion. But you don't need to know yet that I'm not ambulatory during the interview process. I want to be able to control that. We can do that. A lot of the stuff is standardized through some ITU schema. I have those listed up there. And we've got some pilot applications going on there.
The GPII stuff is not only for those with physical disabilities, but for those with cognitive disabilities, which comes back to this community because seemingly content providers are very comfortable providing information in a compensatory fashion for physical disabilities such as colorblindness, Namious Greenreader. If we ask them to reformat content for cognitive disabilities, because frequently one of the impacts of a cognitive disability is I can't do depth-first search. I want to be restructured. Publishers seem to balk at that one and I don't know why, but we're having a tough time convincing them to refactor content. Even as this group that's doing this out of Toronto and out of the University of Wisconsin and a few other places are building tools to automatically refactor the content for different kinds of compensatory aids. But look at this stuff. I believe it's the future of accessibility. So we're going to continue to work in this.
So here's the slide. We're running a social-to-SAML gateway. We're getting to see what social identity sites release to us. And what we're discovering is that it's promiscuous. My God, they release a lot of attributes. I don't need those attributes. I don't want to know those attributes, but they just release them. It's arbitrary. They change what they're going to release on the basis of I don't know what Marissa's mood is that morning kind of thing, but Yahoo will change what attributes they're going to release. And now, as I mentioned with Yahoo, the attributes may not even have any persistent value. That makes it really tricky.
Name is a really difficult field. Stay tuned to this. The federal government is about to mandate legal names in order to make their online services work. By the way, if you don't know, one of the 15 problems healthcare.gov had in opening up its doors was that they did a really stupid SAML configuration for the audience field, and so all kinds of commercial SAML software broke.
The only software that worked, it turned out, was Shib for that particular field, but it was a stupid software. So the stuff's in deployment and you get the, so the federal government needs to know your name. How's it going to find your name? How's it going to believe that name? But they really want to know your name for online transactions. And so they've come to us and they say, well, how are you going to solve this problem? That's an international set of issues. One of our prime examples is what we call the Spanish surname problem. People of Spanish descent may have into first name, last name boxes. Well, it turns out that that's very country dependent. So how am I going to solve this globally in terms of that packing problem? Interesting stuff. We're going to be doing some usability.
Let me get on to the privacy manager. Here's the privacy manager work. It's being done by the Center for Usable Privacy and Security at Carnegie Mellon. Best in the biz. It's going to help users manage the release of attributes. And we have excellent research that shows that over 90% of the users of social sites do not know what attributes are being released or how to control them. When I spoke to the researchers at Carnegie Mellon a couple of months ago and I said, by the way, I need a speaker from, I'm going to be out in Silicon Valley, I need a speaker in usability. Where should I get one? They said, go to Google. And I said, but didn't your research show that 90% of users of Google don't know how to use it? And the answer was, yeah, those people are really good. So Google's business model is to make sure you don't know how to manage your attribute release. No offense to Google, it's their business.
So we're going through some key design considerations. Perhaps the hardest part in this issue is informed consent. It's not enough to do consent. And if you look at it like the Google release page for attributes, it's all or nothing.
And there's no information about what these fields are or what the values of those fields are. Compare that to this screen, which is what the Carnegie Mellon people have developed. A couple of things to note. Pretty clear on what's being released, the value of what's being released is displayed. So you can say, that's not right and maybe correct it. And it's granular. Controls over each attribute. And perhaps most importantly is that little blue i dot which is tell me more. It's the informed consent button.
Where can informed consent go? Well, it can go and reach into the SAML metadata from the Federation and say, this is a research and scholarship application. We've vetted it. It's asking for the minimum set of attributes it needs. We've made sure they dispose of those attributes properly. Go forth, release and prosper. That same i button can go to a reputation system. What are my friends released to this site? It can go to an institutional repository that says, your university recommends that you release these attributes. So that little i button is a door into a whole lot of informed consent in the background. Very different than the experiences you have on Google and Yahoo. This is kind of the information that can pop up in that process about the site that you're visiting. And it has some implications about metadata that we're passing around in the Federation. And I won't go into this for the interest of time. Enough stuff.
One thing that we're starting to do here is roll this out to campuses. And so a few of the campuses in this room, I'm talking to you, Orrin. I'm talking to you, the University of Washington and a few other places. We're going to be asking to participate in something about deploying this. Right now we're calling this Lifestyles of the Attribute Rich in Privacy Names. But what we're trying to do is get privacy managers into the hands of end users. We're trying to get some normalization of attributes out there.
And we're trying to look at some anonymous credential use and international privacy laws. So for those of you who have international campuses, you're befuddled about, oh, my god, whose attribute release policy applies when the student's from Dubai, the website's in the U.S. and the identity provider is the University of Chicago. Yeah. So those international privacy laws are getting very confounding. We're going to step into that swamp.
So along the way, one of the things the NSTIC process decided to do was to sell trust marks. It needs a business model. The federal government funding for this runs out in six months. It was a two-year grant. So what are they going to do? They're going to sell trust marks. Do you know what a trust mark is, federal government? Oh, probably not, but we can sell a lot of them. And so out of that experience I built a periodic table of trust elements. The website has the periodic table in it and out of that we built trust marks and those trust marks of importance in the world and we're doing a minors trust mark and a few others. Enough said on that.
So where's the puck going? If we're successful, there shouldn't be federation in two years. There should just be inter-federation just as there is the internet. So the steady state here is inter-federated identity and that's why the chart I talked about earlier of growth is going to become vacuous because we're not going to have a crisply defined federation. We should have a large mass of community doing consistent approaches to federated identity. We need to do federation inter-federation across countries. All those countries that I showed on the earlier map of R&E federations want to work together? How are we going to make that happen? We're going to do inter-federation between sectors. K-12 federation is starting to run in this country. Very exciting work. How does that relate to InCommon? Healthcare, et cetera.
Doctors are a thrill, you know that, but a doctor can belong to a hospital and have a hospital identity and then walk across the street to the medical school with a doctor. Now, that's supposed to be tethered to both locations and both models. We need to make that inter-federation work. We're doing the technologies now to make this work. Those are relatively straightforward. For those of you who go back to the early days of the internet, we used to do /etc/hosts for all of the machines on the internet when we could list them all on the internet. Nice work underway, internationally done.
Policy issues, well, this is going to be trickier. For example, right now Europe has drafted a policy that says if a user located, let's say in Spain, is using a site at the University of Chicago and the University of Chicago spills attributes that the user is given on the floor and the user wants relief. They will be able to sue in Spain. So I hope the University of Chicago has lots of lawyers well-versed on the laws of Spain, Belgium, France, Japan, etc. It's a difficult task and so one of the things we're trying to do is modify this code of conduct. Much as Safe Harbor handles lots of international issues internationally.
So the social-to-SAML gateway again. We're doing big business in this space right now. If you have a, let's say, Carnegie Mellon University and you want parents to be able to look at the bills of their student, how can they do that? Well, you can give the parents accounts, oh my god, you don't want to do that. Accounts are enough of a hell as it is. You could ask the student to loan the parents their account. Neither you nor the student wants to do that. Or you can say, parents, use your Google account and come in through the gateway, and that's what many universities are doing. Again, we're doing this, it's very handy for extended populations. It's showing lots of issues. I talked about the coarse-grain research release.
I talked about the promiscuous attribute release, what's in the name, LOA mapping. Lots of hard issues. We're working through them.

Scholarly identity, all in two minutes. So we're doing lots of categorization to get the right attributes to be released by campuses to scholarly sites. There's a wonderful activity called CILogon out of Argonne labs that converts regular federated identities into certificates for use in the grids. And then finally we're starting conversations with ORCID about putting the ORCID identifier into eduPerson, and we had a great core with Geoff Bilder and Laura earlier this week. Lots of interesting issues came out of it and they don't seem to have made the slide deck, which is kind of okay.

Last thing is collaboration platforms. It's not about identity. Having just talked about it for 48 minutes, it's not about identity. It's about access control. We're building access control federations. That's really the business. I don't want to know your identity unless I have to. But identity is not privacy preserving, etc. So we're really into attributes and access control, and we're building collaboration platforms that take all of your favorite tools and domesticate them to a consistent open standards approach to access control. We're trying to leverage, we will leverage, your federated identity, but we'll also give you the ability to create attributes. We're going to stick every possible application we can think of into a different regime. And this is being done in many other countries along the way. And what it looks like is a model like this. So you as a federated user just use your federated identity to get to all of those applications in red and hundreds more that are domesticated, and maybe you'll get in because of the identity, maybe you'll get in because the right attribute was released that said you're a citizen of so and so or you're a student enrolled in a certain course.
But all of that stuff will work for the access control, and then you might be the czar of the collaboration. So you want to determine which groups can access this instrument or reset this instrument. So then you take that blue line and you come around and use open tools that we developed over the last few years to do group memberships, create groups, put groups within groups, etc., take people out of groups, and then all of that group stuff is used to do the access control for all the applications sitting in the red.

So takeaways. Moving the needle on MFA, really important work. Attributes are the key and it's already a mess. Watching what goes through the social-to-SAML gateway, what Yahoo thinks your name is. Whoa, that's not really your name, is it? The same with phone numbers. Lots of stuff out there. We're researching what it takes to put informed into consent and trying to deploy it.

I didn't cover anonymous credentials much, but it's interesting stuff. It's a technology that's been out there for a while and it gives us one of the standards that the federal government holds us to, which is unobservability. So if I'm dealing with classic federated identity, I can protect your identity as an IDP. I can just release attributes, I can release opaque identifiers, but I know what you're doing. I'm releasing attributes. The only technology that gives me unobservability, so that not even the IDP knows, is these anonymous credentials. How might they be used in our community? One very interesting idea is that you get an e-diploma, which is an anonymous credential. And then if some place wants to know whether or not you graduated Brown, they can query the credential, they get back a yes/no answer, are you a graduate of Brown, and Brown doesn't know who asked. Brown wasn't involved in the transaction. Interesting. That's what we're trying to do.

Social identity has its virtues and its perils. Collaboration platforms are the access management part of IAM and they're coming along.
And lastly, we're moving towards inter-federated identity, and I can handle questions. Thanks a lot.