The Blog




Another one for the blogroll and RSS aggregator: Telepocalypse. Some very interesting discussions going on here. [from: JB Ecademy]




Wow! No cigarettes for 6 weeks and I'm still more or less sane.

Just saw that SourceID supports SAML 1.1 (via Jeremy Allaire, via Marc Canter). I wrote a rant today about this whole area. The gist is that I'm sure this announcement is significant, but I can't work out why or how I can play too. I would absolutely love to see some support for LAMP instead of just Java and DotNet. And I'd love to see someone explain SAML (Liberty, PingId etc etc) in words of one syllable.

Then I read this. "RSA Security has identified four patents which they believe could be relevant to implementing certain operational modes of the OASIS Security Assertion Markup Language (“SAML”) specifications. To obtain a royalty-free license to the RSA Patents to make, use and sell products conforming to the SAML specifications, a customer or partner must sign RSA's Patent License Agreement." Well I guess that's that. I cannot and will not support this sort of bollox! So if Passport is out because it's proprietary. And SAML (and hence Liberty and PingId) is out because RSA think they might have some patent hold over it, where does that leave us?

We really can't let a bunch of scary corporates have control over something as important as Mydentity.

I've got a number of applications in mind that involve Federated Digital ID. The problem is that the standard specs and toolkits are too damn hard. So I'm looking for some advice and help about how to approach this.

The basic requirements are that it should be possible to go to more websites, to be able to use a Single Sign On, have a single Profile under your control and preferably avoid having to login and be authenticated repeatedly. These websites range from simple community, news, bulletin board or social networking sites to full blown ecommerce.

So far I've discovered Passport, Liberty, LoginDog and Drupal working in this area but with very different rationales. Then there's WS-Federation and a bunch of other SOAP based "Standards".

- Passport. With MS behind it and the links to MSN and Hotmail, this has considerable momentum. If you use MS technology on your web site and you're prepared to play with them at a corporate level then fine. But the support for non-MS technology is effectively dead. The wire protocols are proprietary. And while MS did pay lip service, the toolkits for non-MS (Linux, Solaris, Java) are broken and no longer for current Passport releases.
http://www.pcworld.com/news/article/0,aid,105972,00.asp

- Liberty. Liberty, SourceID, PingID are a bunch of initiatives to provide open standards based alternatives to Passport. These revolve around XML standards like SAML. Now there are some reference implementations in Java and DotNet but nothing in Perl, PHP or Python so that pretty much cuts out the low end of the market. I had thought that toolkits in these languages would be a good thing to contribute. Then I started to look at the docs and I quickly gave up. It's full of words like "non-normative"! I still think there's something in here and this is the best bet but damn it's inaccessible.
http://www.sourceid.org/wiki/Wiki.jsp?page=Specs.Standards.Overview

- WS-Federation. Jamie Lewis at Digital ID world said "WS* is an example of a cartel in action.". If you thought Liberty was confusing you should see WS*. It certainly looks like the BigCos creating standards that are so complex that it's only possible to use them with the BigCos tools.
http://www-106.ibm.com/developerworks/library/ws-fed/

- LoginDog or Universal. This is an RFC for Universal, an authentication replication system for PHP4 and later. The rationale for Universal is web applications such as Phorum, phpBB, WebCalendar, PostNuke, Xaraya, Drupal are unable to cooperate because there is no data sharing. Universal is an attempt at bridging these islands of data by providing means for PHP applications written by different people to work better together. As a PHP developer, you can help make PHP web applications interoperate by implementing a shared sign-on mechanism based on the specs described here. Great. Exactly the level of detail and capability I'm after. Except that the security approach is pretty primitive. Then the project appears to be dead and there are no reference implementations.
http://php.weblogs.com/universal

- Drupal Distributed authentication. Drupal has a working system that is in use at most Drupal sites. Its security is minimal. There's some obvious extensions that could be built. These are not criticisms but opportunities. If it wasn't for the other initiatives above, it might be worth pursuing as a basis of something that could be used outside Drupal. As it is there's a nagging doubt that perhaps it would be better to implement SAML in Drupal and then use that as a platform to evangelise SAML to things like phpBB, Nuke and so on.
http://drupal.org/node/view/312

This is all getting pretty frustrating! I can see some clear needs here, but I'm at a loss as to how to move forwards. Anyone got any ideas? Can anyone explain SAML to me? Does anyone want to help write code to implement some of this stuff? [from: JB Ecademy]




mySociety: a VoxPolitics project is an attempt to build more sites like Stand and Faxyourmp.

"We think that sites like FaxYourMP, UpMyStreet.com and TacticalVoter.net are highly socially beneficial and, at base, extraordinarily cheap. However, there are very few of them. Surprisingly few, in fact. We are a project to build more of them."

So if you can code, have a little spare time and are politically inclined, why not get involved. [from: JB Ecademy]

Here's the Executive Summary of a study that shows that the total quantity of information in the world doubled between 1999 and 2002. This reminded me of the "Jumping Jesus theory" of Robert Anton Wilson and Terence McKenna.

Treat the total amount of information in the world at ADzero as 1J. It doubled by about 1500AD, doubled again at 1750AD, again at 1900AD, 1950AD, 1960AD, 1967AD. Wilson extrapolated this out to 1982 when there were approximately 512J. If we keep going and include this latest data as a data point we get these values for date, doubling period and total information.

2002, 3, 32kJ
2005.15, 2.8, 64kJ
2007.85, 2.7, 128kJ
2010.43, 2.6, 256kJ
2012.89, 2.5, 512kJ

As technically aware people we'll recognise some key drivers for this. Gordon Moore's law predicted that the number of transistors on a chip would double every 18 months. Hence twice the power for half the cost. General consensus seems to be that Moore's law will keep going for at least another 10-15 years. There's no named equivalent to Moore's law for disk space, but it's going at around 3 times computer power. So that's doubling in capacity every 6-12 months. Gilder's law says bandwidth rises three times faster than computer power. So that's total bandwidth capacity tripling every 12 months.

These sorts of exponential curves have some unsettling properties. Half of all the information currently around was created during the last doubling period. And 90% in the last 3 periods which right now means that 90% of all human knowledge was created in the last 10 years.

The problem with that is that as humans we have a hard time coping with this mentally. We tend to think that the future will be more or less like the past but plus a bit. Actually the future after one doubling will be significantly different and after 3 doublings 90% different.

So let's take a really scary view. Vernor Vinge speculated in 1993 that "Within thirty years, we will have the technological means to create superhuman intelligence. Shortly after, the human era will be ended." Given the accelerated rate of change in the first 10 years of his prediction and the expected change in the next 10 years, that doesn't look so unlikely. Which maybe brings us back to Terence McKenna who predicted a singularity in 2012 to coincide with, among other things, the end of the Mayan calendar.


[from: JB Ecademy]




Some of you know that Ecademy was originally based on Drupal. What you may not know is that you can log into and create an account on any site that uses Drupal using your Ecademy ID and password. Just go to one of the sites, and for id use my_ecademy_userid@ecademy.com with your ecademy password. The site will magically log you in and create a user record for you. [from: JB Ecademy]




Magnatune: try before you buy MP3 music. infoAnarchy says it better than I can.

They call it "try before you buy." It's the shareware model applied to music. Listen to hundreds of MP3'd albums from their artists. Or try their genre-based radio stations. If you like what you hear, you can buy their music online for as little as $5 an album or license their music for commercial use. Artists get a full 50% of the purchase price. And unlike most record labels, their artists keep the rights to their music.

This has been tried a couple of times before but never quite like this. I happen to think this and not iTunes is the future of record companies. But what do I know? I'm not looking for the next S Club 23 to pay for my posh habit. [from: JB Ecademy]




I've just uploaded a foaf export module for Drupal V4. You can find it in the contribs CVS. It works stand alone but it depends on the buddylist and profile modules to work at its best.




Techdirt: Free Hotspots Have A Better Return Than Paid is a report that quantifies the ROI for a venue offering free WiFi internet access. The example is the Schlotzsky's Delis chain in the USA. What's interesting here is that the cost of installing a free WiFi hotspot is much, much less than a paid one, because there's a whole load of baggage you don't need. As a venue you can then concentrate on selling your primary business line to the extra customers that the WiFi brought in.

On a much smaller scale, it would be interesting to know how many Ecademists are spending money in cafe Grand Prix because there's WiFi available. I certainly know I've spent money in the Media Centre because I could get bandwidth there. [from: JB Wifi]

Silicon Valley - Dan Gillmor's eJournal - London Bloggers' Gathering Friday Evening

Meet the London Blogerati and a Superstar Journalist.

When: Friday at 18:30.
Where: Red Lion, Westminster, 48 Parliament St.
Who: Whoever wants to show up.
Why: You have to ask? [from: JB Ecademy]

BBC - iCan seems to be a group community news site. Keep an eye on this one. It appears that Matt Jones had a big hand in it. [from: JB Ecademy]





Marc points at this, Federated identity, PingID and standards cartels - TechUpdate - ZDNet : Speaking at Digital ID World General Motors chief technology officer Tony Scott detailed the difficult path to delivering a federated identity solution. Federated identity management, which supports multiple entities connected within a circle of trust, is one of the major initiatives growing out of Web services that will provide substantial benefits to corporations and consumers.

Bing! I just realized why I have a problem with this. I want to do the same thing but without the "circle of trust" bit. Or at least build the circle of trust on the fly or have it appear as emergent behaviour. As long as the circle of trust is a pre-existing requirement before we can share and move Digital Identity, we'll have big gorillas controlling who is in the circle and who isn't. And you can be sure that you and me won't be allowed in.

Just as right now you can't really use SSL unless your CA is one of a handful of commercial entities. In that case it's because the circle of trust is effectively hard coded in the browser.

Even if it's not as good or bad as that, we'll still have to build the circle before we can use it. So how long will it take for new website Foo.com to get included in the circle managed by bar.com?




Guy Kewney of Newswirelessnet reports in The Register about Comtralis building a mesh network to distribute broadband in Newmarket.

Steve Richardson, founder of the networking specialist company, said that using the LocustWorld Meshboxes meant that he'd been able to install local broadband for a total upfront cost of £15,000, where the previous quote (from Invisible) had been for £50,000, or more.

What's interesting about this is that despite the wealth in Newmarket, only recently has it got a trigger level. Comtralis got fed up waiting and created a wireless mesh network serving 25 customers and fed by a 1Mb leased line. Even when BT enable the exchange in 2004, it looks like Comtralis will still manage to be competitive. The second interest is of course, that it's a deployment of 20 Locustworld mesh boxes and in particular the latest dual radio meshbox.
[from: JB Wifi]

60 people now have their Skype ID on their Profile. Add yours here.

If you don't know what this is about, Skype is a telephone over the Internet system (also called VoIP) for WinTel PCs that "just works". It's currently free, once you've bought the PC and broadband connection. [from: JB Ecademy]




Marc Canter writes: Turns out Julian Bond (of Ecademy) has been working on his own extension/usage of Drupal for FOAF and single sign-on authentication. Though Drupal is a lot less "secure" than some other systems (like PingID's SourceID implementation of the Liberty Alliance) it's A LOT easier to implement and support.

Every so often I chuck these things out. Sometimes they stick to the wall, sometimes they don't.

There are two approaches to this whole single sign on, digital ID problem. The BigCos (and including Liberty/PingId) keep trying to solve the problem completely with billing a key requirement (who are you going to sue?). This pretty much requires that trust relationships between websites are set up prior to the customer getting involved. It's getting a little less centralised and a little more federated than it used to be but you still need a consultant just to read the PDF specs let alone implement something. It feels like this is at least partly because they're trying to solve the problem completely. And there's a lot of vested interests here.

Drupal, SEA, http://php.weblogs.com/universal, FOAF and others are coming at this from the other end. They just want to let the customer login using a login that has been authenticated somewhere else. And they want to solve the age old problem of heterogeneous systems all wanting to own the customer data. It's just possible that we can bootstrap these trivial systems up to the level of industrial strength required for billing. But if we start with the idea that we can never have perfect trust setup prior to the customer we're inevitably led to the need for good audit trails in order to work out who to sue after the fact. It doesn't necessarily mean we can't find who to sue.

All I've done with SEA is to take Drupal and Universal and ask why a central website is needed at all. Hosting is cheap. Hundreds of thousands of people are now hosting their own weblog systems. Why shouldn't they host their own personal Digital ID/SSO/Profile system as well. It's not to say there won't be a need for centralised DigId systems, but they don't have to be the only game in town.

Bryan writes:
On principle, I'd be happy to see something come along which is simpler than the heavy - XML - and - PKI - and - SOAP - based SAML and its derivatives (including Liberty).

But protocols and software implementations are different layers - so I take issue with your statement that SEA is easier to implement than SourceID. They're apples and oranges, it's like saying HTTP is easier to implement than Apache. Sure HTTP is a couple dozen pages of spec, while Apache is thousands of pages of C code, but it's not a fair comparison.

Get me?


Bryan, reference implementations of SourceId are only available now in Java and .Net(C#). Where's the Perl, PHP, Python, Ruby, Delphi, Lisp, Javascript, VB implementations? I thought seriously about starting a PHP project to implement Liberty until I looked at the specs and gave up in despair. As long as the solution is as complex as that, the implementations will remain under bigco control and we won't have enough choice of library.




Mozilla has released
- Firebird 0.7, A better browser
- Mozilla 1.5, A better browser suite
- Thunderbird 0.3, A better Email-News client.
So why not make this a Microsoft Free Friday and try these out. They're all small downloads, easy to install and just work (better).

Here's the full SP.

A couple of interesting releases by mozilla.org. First of all Mozilla 1.5 was released. This is supposed to be the last version of the old Mozilla suite. Mozilla Firebird 0.7, the stand-alone browser by mozilla.org was also released today. It includes many new features, e.g. Web Panels. For more information see the newly designed product page for Firebird. A third release is the stand-alone version of the Mozilla mail-program Thunderbird , which has now reached version 0.3.

The Mozilla Foundation also launched new end user services, like CD Sales and Telephone Support. As an effort to target more end-users, a redesigned website was also created.

As always MozillaZine has all of the stories, too. Give these new releases a try, but please use a mirror if possible. [from: JB Ecademy]




There's been two recent posts asking about home wifi installations connected to ADSL. I've also been asked offline what to recommend. Although there were several suggestions I still feel confused.

Most ADSL modems in the UK seem to have a USB connection rather than an ethernet connection. I've only been able to find a single router that uses USB on the internet side and that doesn't have WiFi. This is the Draytek 2200.

So now we have two options.

The first is to put in an ADSL modem with ethernet. Then we can choose from a large number of virtually identical boxes from all the major manufacturers. Linksys, Dlink, Buffalo, Belkin, Netgear, etc, etc, all sell a 802.11g WiFi access point with 4 ethernet ports and a built in Router, Firewall, NAT. You can buy these in any PC World for around £125.00. I don't know how to choose between them and don't have the personal experience to make a recommendation so you can either go for a name brand, cheapest or read all the reviews and try and make your mind up.

The second is to buy a box that has a 802.11g WiFi access point with 4 ethernet ports and a built in Router, Firewall, NAT but also has an ADSL modem built in. You junk or return the USB modem. It looks like Draytek and possibly DLink make these. You may or may not then have problems with your ISP because you're using a modem they don't recognise or understand.

Next we come to Cable which basically means NTL. Originally NTL used to supply Motorola ethernet modems but now they're supplying USB modems. We're in exactly the same situation except that I don't think anyone makes a combo box with a built in cable modem. Or at least not at an acceptable price.

So let's say we've now navigated successfully through the hardware minefield. The next problem is that one or more of these boxes now has to connect to the ISP. This is typically one of three options. PPPOA, PPPOE and DHCP+MAC. The first two are ID+Password systems and are common on ADSL. The catch is that not all of the hardware above supports both standards and both types are in use in the UK on ADSL. So can anyone fill in the blanks and say which ISPs use which system and which hardware boxes support it? The last DHCP+MAC is typically used by cable. It just means that the cable connection is tied to a MAC serial number in the modem and the first device after the modem is given a dynamic IP by DHCP. Given that we're going to have to use the cable modem and all the boxes support upstream DHCP this is not going to be a problem. Probably.

So now we've got an internet connection coming into the house and this is being shared by a wireless WIFI LAN and 4 wired ethernet ports. The next task is configuring this and connecting devices but I'll leave that for another day.

Clearly there's quite a lot of blanks in the description above. And I'm still not giving you complete answers and shopping lists. Can anyone help out here? And if you think you can, please provide some hard data with URLs, product numbers and shops. [from: JB Wifi]




So how does this work then? Boingo Wireless partners with The Cloud and so get 2,500 hotspots in the UK. Except that The Cloud has already partnered with BT Openzone. $21.95 per month for unlimited usage vs £85 per month unlimited over the same hotspot? [from: JB Wifi]
