It all has to start with I, doesn’t it?

It always has to start with the self. The self is the center of the world in the brand new avatar of the Internet. While it feels gratifying to be acknowledged as The Master of the world, I would perhaps have been more comfortable just having the royal seal at my disposal. However, idempotent as we might be, we have to realize that in the increasingly fragmented world, we need better techniques of establishing ourselves. The self needs better means of self-expression and self-authority. And, thus, my first blog post in my new technical blog starts with a discussion of identity management systems on the Internet.

A discussion of identity management systems has to start with the Laws of Identity, penned by the grand daddy of all-things-identity at Microsoft, Kim Cameron. Unlike what people would expect, the laws are not written in a technical language with complex cryptographic equations making them esoteric, but rather in a very accessible language because they talk more about the philosophical aspect of identity rather than the technical, a very important consideration in the design of a mature technical system. The seven laws (over-simplifying them) are:

  1. User Control and Consent: The user is the King, the Queen and the Jack. The identity meta-system must recognize the user as being the final authority on whether he wants information to be disclosed, and ask him/her at every instance. It should also have means of protection against phishing and other attacks.
  2. Minimum Disclosure for a Constrained Use: Information disclosed should be the minimum required for the completion of the current task. Essentially, there should be no need of disclosing credit card information if you try to comment on this blog. Also, if a site just needs the single bit information whether a person is above 18 or not (as many do!), they should not ask for the date of birth, since that means divulging more information.
  3. Justifiable Parties: This is from the experience of the failure of the over-arching vision of the Microsoft Passport identity management system. The law states that there should be a justifiable need for an identity provider and its interactions to have identity information. Essentially, there is no need to unify my Social Security Number or Tax Identification Number with my MySpace account. Users may not be very comfortable having one identity system for all uses. I may not want to divulge my company identity when surfing objectionable material online.
  4. Directed Identity: This, to me, seems like a corollary to the laws 2 and 3 above. It says that there should be unidirectional identity handles which don’t reveal more information about the identity than that required. For instance, if my employer allows me to ex-officio access IEEE Journals, IEEE should not be able to get my identity handle, except for the information that I work for a particular company which allows me access. Also, identity providers should be like ‘beacons’ emitting identity information as allowed by the users, but establishing an identity relationship with it should be a uni-directional identity relationship. This is essentially to prevent correlation of identity-handles. Cookies are an example — while a cookie might authenticate a user in a widget, cookies cannot be shared across sites to avoid correlation. Of course, there can be ways to defeat this purpose and those are essentially the instances that are undesirable.
  5. Pluralism of Operators and Technologies: Cameron states that one single monolithic system can never be enough for all our identity needs. A person might definitely want to have separate providers (Windows Domain Authentication, Open ID, Paypal) and technologies (Kerberos, Web Services) for different use-scenarios and may not want to correlate them for obvious reasons.
  6. Human Integration: Cameron makes the point that we need better design of UI to prevent identity theft and ensure privacy during the interaction of the human and the terminal on which they authenticate themselves. There can be many a slip between the cup and the lip, and this is becoming all the more apparent thanks to phishing and other kinds of attacks. We need better methods to prevent identity systems masquerading as others, and more secure means of communication between the user and his terminal for identity information exchange (biometrics?).
  7. Consistent Experience across Contexts: Cameron tries to make a point for a universal identity information entry interface across the various kinds of identities we might like to maintain (professional, personal, financial), but the point seems more for Windows Info Card (I’ll talk about that later). It seems inspired by our carrying different kinds of identity cards in our wallets, such as the Driving License, employer ID card and so on each of which have the same experience (show the card and gain access).
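Laws 2 and 4 map onto two mechanisms an identity provider can implement: releasing a derived claim (the single "over 18" bit) instead of the underlying attribute, and giving each relying party its own handle so handles cannot be correlated across sites. The sketch below is an added example, not code from Cameron's paper or from any system named in this post; the user, sites, keys and function names are constructed, and an HMAC with a per-site key stands in for the provider's signature (a real deployment would use an asymmetric signature so a relying party cannot forge assertions).

```python
import hashlib
import hmac
import json
from datetime import date

# Everything below is constructed sample data for this example.
IDP_PAIRWISE_SECRET = b"constructed-idp-secret-for-pairwise-handles"
RP_KEYS = {  # per-relying-party key; stand-in for a real IdP signature
    "https://blog.example": b"constructed-key-blog",
    "https://videos.example": b"constructed-key-videos",
}
USERS = {
    "alice": {"dob": date(1985, 3, 14), "display_name": "Alice",
              "email": "alice@mail.example"},
}
# What each relying party can justify asking for (Laws 2 and 3).
RP_ALLOWED_CLAIMS = {
    "https://blog.example": {"display_name"},
    "https://videos.example": {"over_18"},
}


def _age_on(dob, today):
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


# Claims are computed from stored attributes; raw attributes are never copied out.
CLAIM_SOURCES = {
    "over_18": lambda user, today: _age_on(user["dob"], today) >= 18,
    "display_name": lambda user, today: user["display_name"],
}


def pairwise_handle(user_id, rp):
    """Law 4: a handle that is stable for one relying party and differs for others."""
    msg = f"{rp}\x00{user_id}".encode()
    return hmac.new(IDP_PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_assertion(user_id, rp, requested, consented, today):
    """Laws 1 and 2: release only claims that are requested, allowed and consented to."""
    user = USERS[user_id]
    released = set(requested) & RP_ALLOWED_CLAIMS.get(rp, set()) & set(consented)
    body = {
        "aud": rp,
        "sub": pairwise_handle(user_id, rp),
        "claims": {n: CLAIM_SOURCES[n](user, today) for n in sorted(released)},
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(RP_KEYS[rp], payload, hashlib.sha256).hexdigest()
    return payload, tag


def verify_assertion(rp, payload, tag):
    """Relying-party side: check integrity and audience before trusting claims."""
    expected = hmac.new(RP_KEYS[rp], payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    body = json.loads(payload)
    if body["aud"] != rp:
        raise ValueError("assertion issued for another relying party")
    return body


if __name__ == "__main__":
    today = date(2007, 8, 20)  # constructed date
    # The video site over-asks; only the over_18 bit survives policy and consent.
    payload, tag = issue_assertion(
        "alice", "https://videos.example",
        requested={"over_18", "dob", "email"}, consented={"over_18", "dob"},
        today=today)
    print(verify_assertion("https://videos.example", payload, tag))
    print(pairwise_handle("alice", "https://blog.example"))
```

The date of birth never leaves the provider even when the user would have consented to it, because the relying party's policy entry does not justify it; consent alone is not sufficient and neither is the request.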

It is great to have somebody’s wisdom and experience captured so concisely in a set of seven rules. That is what lets us stand on the shoulder of giants and build bigger and better technologies.

The laws seem simple, intuitive and practical, and are extremely general. I think that is their biggest undoing — since they do not give formal semantics of the laws in a mathematical language, it is very easy to have ambiguity and doubt in terms of their interpretation. (A mathematical formulation of something as general as identity is not very easy either). Also, since they are written in such general language, there can be loopholes, and an actual identity system would have to do a lot of thinking to make them very robust, secure and private. I would only request Cameron to explore writing more formal means of expressing these laws and have extensive case-studies (I may not have looked very carefully for them) and have more extensive discussion about privacy, security and so on — concepts that are becoming very pertinent by the day. I would also like to see more discussion from the perspective of the identity system — things such as identifying bots, using captchas, and establishing authenticity of information a user enters (is the user really over 18?). He should perhaps consider writing a book!

A theoretical discussion of identity systems is not of much use, so I would endeavor to discuss some systems in use today. The simplest by far is the simple login password form backed by a text file/database that you can implement in under an hour. My guess is that that is a pretty robust solution for most simple sites. The downside is a registration process and the need of remembering one more set of usernames and passwords. The fact that most of us practically use the same usernames and passwords for every site is a matter of convenience as well as a significant security threat. If any one of the sites is compromised (which is very much possible because such under-an-hour hacks can not possibly maintain the highest standards of software quality), the risk of all your accounts being compromised is quite high. Also, it is very difficult to ensure consistent interfaces, and security of transactions. Varying privacy policies might well mean that the user control on the information s/he has divulged to one party is rather suspect. However, they serve their own purpose. This method is quick and dirty — and works well in a rather large number of scenarios.

Of course, identity is very well understood in an enterprise setting. Kerberos and Lightweight Directory Access Protocol (LDAP) have been around for ages and have been the subject of a lot of research. There are standard implementations that can be used like a black box, and single sign-on within a single enterprise is probably a well-solved problem (that is a rather speculative statement). It is also a much easier problem because the scope of privacy, security, etc. is a single enterprise intranet, and the problems as well as their solutions are primarily technical. If, however, we consider a federated identity management system for the whole of the Internet, the scope is much larger, and the deliberations are not just technical, but philosophical as well, since it involves trust between parties who don’t trust each other :)

Another concept that tries to ensure convenience is Open ID – a federated identity management system. The aim is simple — to use identification information on one site to automatically establish it for some other sites. For instance, if you have a WordPress blog and you want to leave a comment at LiveJournal, you can provide your WordPress blog URL and LJ automatically uses Web Services to establish identity. There is a user-consent phase and since it is not controlled by a single party, it is preferred by many (unlike Passport). The scheme works well for simple single sign-on areas which are public facing. This has recently been backed by AOL and Microsoft, which has lent a lot of weight to the OpenID system. However, the system only establishes a basic protocol. The Open ID site unequivocally states that it is not a trust system and doesn’t try to control spam. I would also be worried about using it in a general setting because if one site gets compromised the taint can spread across the federated system (this probably needs to be studied more). Another problem is that, since Open ID itself is rather vague about security and a number of other points, I very much envisage individual corporations coming up with their own standards (much like Javascript) which would yield a number of child-protocols perhaps not interoperable.

Microsoft is promoting the Windows CardSpace (nee Information Card and many other names). This follows the common practice of lifting paradigms from the real world into the virtual. A user can have a number of cards provided by various Identity Providers which Windows would save securely. When a website (Relying Party) wishes to establish the identity of a user, he would be presented with a secure dialog where he can choose which identity information to transmit, much like you looking into your wallet and taking out either your business card or your Driving License as required. Microsoft provides a number of cryptographic protocols which form the bedrock of secure transmission, and the initiative can not be successful without the participation of the other parties involved (one of the biggest problems due to intense competition). I am sure it would satisfy Cameron’s laws since Cameron would have been obviously involved in the development process. However, I can very easily foresee myself lifting the problems from the real world as well — what happens when my wallet gets lost (laptop stolen, or even virus infected), people cheating about credentials, Relying Parties passing information around (that could compromise the whole system!).

On the Internet itself, identity for very specific applications has been worked out to a little extent. Paypal and Google Checkout establish your identity with respect to financial transactions, and have become hugely popular. One of the oldest technologies on the internet (email) still remains the most popular means for establishing your identity in the online realm. How much progress have we really made in the last decade or two?

Considering that identity is a problem which is not well solved even in the real world completely, my guess is that the virtual world will only lag behind. There are a lot of new technologies and ideas, and we have to wait and see which ones click. However, my humble guess would be, as Cameron himself proffers, that there should be a pluralism of operators and technologies. The application and the usage scenario should be clearly delineated before starting to design any system (which is so true!) and it is easier and viable to solve specific needs (financial identity, enterprise setting). Scoping the usage always makes the problem tractable and leads to success (perhaps after a few iterations). My concern is that none of the current technologies clearly scope their work and that would be my biggest gripe.

[Another review of identity related technologies at Read Write Web. There is a conference Internet Identity Workshop as well. If you want a fleeting identity to login to sites which unnecessarily want login, you can check out Bug Me Not. Thanks to Mohit for some initial pointers.]


Independent India: The discussion continues…

[Two other worth reads: John Elliot at CNN Money (India at 60: A Nehru Dream Comes True) and Rajdeep Sardesai at IBN Live (Needed: A Lesson in History)]

I heave a sigh of relief when I read things like these in the papers:

Nobel Laureate Mistaken for Street Vendor

She was wearing a Mayan dress, the traditional attire of indigenous people in central America, and the hotel’s response was also traditional: throw her out.

Staff at Cancun’s five-star Hotel Coral Beach appear to have assumed this was another street vendor or beggar, so without asking questions they ordered her to leave. Except, the woman was Rigoberta Menchu, the Nobel Peace Prize winner, UNESCO goodwill ambassador, Guatemalan presidential candidate and figurehead for indigenous rights.

And our neighbors haven’t taken too kindly towards car owners. In the bid to improve the quality of air in the run up to the Beijing Olympics next year, the city has come up with a wonderful new idea to test if they can reduce the number of cars in the US. I have always felt glad that some bolt of lightning like this can not come and wreak havoc on my life, while I live in India. Sample this:

tjblog: Odds and Evens — 1.3m Cars to be Taken Off the Road

Finally, yesterday – at yet another press conference – officials announced that they have decided to implement an “odds and evens” system during the last four days of the “Good Luck Beijing” test events. The measure will remove 1.3 million cars from the road on each of these days. On August 17 and 19, only vehicles with odd-numbered number plates will be permitted to take the streets, and on August 18 and 20 only those with even-numbered plates. Drivers caught breaking the rules will be fined a rather measly 100 kuai. A blanket ban on all city and provincial government cars will also be implemented over the four-day period.

Drivers whose plates end in 0 will not be able to enter into deep philosophical arguments about the nature of zero with traffic police, as city authorities have already indicated that 0 is officially an even number.

I have always wondered about the subtle connection between mathematics and philosophy, but it was never so apparent in public life earlier!

Not to be outdone, cops at our capital were ready with a booklet instructing girls in the north-east to dress appropriately since there has been an increased incidence of rape and eve-teasing. Since the women from the north-east are victimized very frequently, they came up with a prescription for the victims instead of going against the criminals. I have always wondered how we tend to take the most convenient path in India. And the instructions are not very kind:

India Together: Be Safe, Don’t Exist

“When in rooms do as Roman does” (whatever that means). Under security tips: “Revealing dress to be avoided.” “Avoid lonely road/ bylane when dressed scantily”. And “dress according to sensitivity of the local population.”

I have only read excerpts from the booklet. For all its good intentions, it is clearly inappropriate and offensive to the sensibilities of women from Northeast India. Not only does it give gratuitous and useless advice to women but it also proceeds to tell everyone from northeast India how they should behave in Delhi. How else can one explain a sentence that reads: “Bamboo shoot, Akhuni and other smelly dishes should be prepared without creating ruckus in neighbourhood”. Smelly dishes creating a “ruckus”? This would be amusing if it were not culturally offensive.

Anyway, India can still claim to have made a lot of progress in the last 60 years. So much so that Amartya Sen makes an argument in his essay ‘India in the World’, in the Hindu special supplement on I-Day (I can’t seem to find it online!) that India which earlier “never liked being confined to just minding its ‘own business’, seems now dedicated exclusively to that minding, pointedly excluding larger ideas and objectives. In fact, Indians seem to have become skeptical of the ‘vision thing’”. He makes an argument about why India should celebrate the success of its political democracy and have a stronger voice in world affairs. He grumbles that India has let go of the leadership position that Nehru had created for it during the non-aligned movement. His lament is that Indians now suffer from an ‘ethical near-vacuum in our global thinking as an inescapable result of the priorities of a market economy’. ‘The alleged skepticism in the ‘vision thing’ is really an alternative vision — one that Gandhi and Tagore, even Nehru, would have found a little difficult to comprehend’.

While I do agree with Sen that India should brandish its new position of importance in the world economy and take a moral leadership position, I also believe that we have made rapid progress in the times when we shut our minds to meddling in other people’s affairs and concentrated on cleaning our house instead. And if we try to stake claim to moral leadership, we might just be held in the same negative light as the United States, which has made its mission to cleanse the world of anything George Bush doesn’t like. I would rather that India continued in this path of self-discovery and introspection and improved the life of the billions that inhabit it, and when a situation does arise when it can add some value by saying a few words of wisdom to interested parties, to delve into its own experiences and tender advice. I would not be a very keen supporter of India peddling free advice to unwilling states. (Amartya Sen knows a lot more than me. I am just trying to interpret his words)

Sen also talks about India’s rapid progress in crime control, especially ‘in his humble Kolkata’, which often goes unnoticed. He cites numbers — the average incidence of homicide in the principal Indian cities is only 2.7 per 100,000 people with a measly 0.3 in Kolkata. The numbers in some international cities are devastatingly high, e.g., New York 5.0, Los Angeles 8.8, Mexico City 17.0 and Rio de Janeiro at an astounding 34.9. This indicates the strength of the social fabric in India and Sen speculates that culture, mixed-neighborhoods, family life, and mainstreaming of economic discontent into politics (particularly in Kolkata) might be some of the reasons. I am with Sen on India having much lower crime rates than many of these cities (having visited NY and LA and finding them rather unsafe). I have, however, two doubts:

  • I would like to know what correlation homicide rates have on other violent crimes, such as crimes against women, stealing, burglary and dacoity. My humble surmise would be that India might have higher rates of smaller crimes primarily because going the whole hog and committing murder would still be a mental block, and also because weapons are not that easily available in India as in other places.
  • Are these officially published numbers? I know of many instances when the police refuses to take down FIRs in India to keep its books clean, in fact a systematic suppression of crimes which explains the low crime rates in Uttar Pradesh. While I agree that the numbers can not be cooked in the case of homicide, this would be an important consideration while collating data related to petty crimes.

I was still happy reading Amartya Sen’s articles despite the fact that I might not find myself agreeing on a few counts. Jawaharlal Nehru had said:

A moment comes, which comes but rarely in history, when we step out from the old to the new, when an age ends, and when the sound of a nation, long suppressed, finds utterance.

And Sen’s article indicates that India is ready, now, more than ever to find utterance of its sounds in the global cacophony.

Thakur Ka Inteqaam

Another Viral by WebChutney. It’s a must watch:

I just love the sights and sounds of Sholay, even if it’s in a caricature.

Webchutney has made a lot of very enjoyable virals in the past including Chitthi Aayi Hai and Makkadman.


Here is an older list of their virals. I also discovered the WebChutney blog, where they post a lot of interesting stuff. It’s going right into my GReader.

Made my day!

Swadheenta Diwas

India completes 60 years of being independent, being a Sovereign Socialist Secular Democratic Republic upholding the virtues of Justice, Equality and Fraternity. It is another question that we have made a mockery of each of those words by tailing the US, enabling reservations long after they were due, letting our country through infernal riots, rigging polls and undermining the Presidential office. While a full discussion is beyond the scope of this blog (and the knowledge of the author) and we might not have made as much progress as our enviable neighbors, I am still grateful that we are able to live a life and not die by the millions quite unlike our enviable neighbors.

However, one thing disturbs me. I had written last year about being insouciant about independence, the pop patriotism that pervades our country (is patriotism just another passing fad?), when every year newspapers come out with flashy supplements (with essays by Nobel laureates, who else?) and leadership contests (and using Atlas as the hackneyed metaphor for holding the weight of the country?), news channels with deplorable documentaries (Aamir Khan recounting the making of Rang De Basanti?), thankfully I am not too much into FM or else I would have to bear to hear the troubled voice of a damsel in distress yearning for the glory of her country. Having supplements and documentaries is great, but why have them only twice a year? So very convenient. We spare two days in a year for our conscience, for remembering our heroes, for taking a break from Harry Potter and revisiting Bhagat Singh. Two days out of three hundred and sixty five. Undoubtedly, the rest of the time we are busy raising the roof (Chak De Phatte or should I say Chak De India?), banging desks in the Indian parliament, traveling around the world, buying and selling cars, and generally carrying on with life.

And we fail to see instances which need to be curbed. I am not sure if the media will report this tomorrow but my cousin was telling me that a bunch of hooligans landed in her school (DPS in Yelahanka, Bangalore) today and started throwing stones on the school building because they were having independence celebrations. Apparently, their complaint was that it was Pakistan’s independence day and not our own. Some school authorities as well as children suffered injuries. While I do not wish to get into a discussion if having a flag hoisting on 14-Aug is sacrilege to the nation or not, what I can’t quite understand is what chain of logic can lead people to throw stones at children. Silly me, we are an independent nation after all and people can, of course, throw stones in the air wherever they like.

As Spidey said, “with great power comes great responsibility”. With freedom comes the responsibility of thought that we exercise our freedom in a sane and sensible fashion, not by printing out advertisement supported extra supplements or stoning school buildings (or even getting stoned?). It took an arachnid to talk some sense.

Finally, for lack of anything else to say, I am going to end with the lines of Bismil Azimabadi which were made famous by Ram Prasad Bismil during the freedom struggle (and subsequently and more famously sung in Rang De Basanti). If we just perhaps spare the noble thought our freedom fighters had, and what their country meant for them:

The desire for sacrifice is now in our hearts
We shall see how much strength lies in the arms of the executioner

There the enemy sits in wait, weapons in hand,
And here we stand ready, baring our chests.
We will play Holi with blood if the homeland is in trouble,
The desire for sacrifice is now in our hearts

Hands that are filled with passion are not cut down by the sword,
Heads that have risen do not bow to a challenge.
The flame that burns in our hearts will blaze even more,
The desire for sacrifice is now in our hearts

We had left home with shrouds tied around our heads,
With our lives in our palms, see, these feet march on.
Our life is but a guest in the gathering of death,
The desire for sacrifice is now in our hearts

More pop-patriotism. I myself am culpable because I thought of writing this post only on the occasion of the 60th year of India’s Independence. Ok, I lied about ending earlier. Just to feel a little better, I will also quote a poem by Henry Louis Vivian Derozio titled ‘To India – My Native Land’:

To India – My Native land
My country! In thy day of glory past
A beauteous halo circled round thy brow,
And worshipped as a deity thou wast.
Where is that glory, where that reverence now?
Thy eagle pinion is chained down at last,
And groveling in the lowly dust art thou:
Thy minstrel hath no wreath to weave for thee
Save the sad story of thy misery!
Well – let me dive into the depths of time,
And bring from out the ages that have rolled
A few small fragments of those wrecks sublime,
Which human eyes may never more behold;
And let the guerdon of my labour be
My fallen country! One kind wish from thee!

[Thanks StubbornFanatic for putting it online]

The Cafe at Alliance Francaise de Bangalore and the number 13

I saw Let’s Have Sex by Vladimir Krasnogorov performed by Workshop Productions today at Alliance Francaise de Bangalore. While the play will not find its way into my spaces blog, it was my first visit to af Bangalore, and I liked the place. What really piqued me was the cafe. There was a strange mathematical irony (or perhaps creativity!) because almost everything seemed to be priced at Rs. 13. Obviously, nobody there suffers from triskaidekaphobia. However, looks like the architect of the place was cut short of using his math-creativity fully. The samosa stood out as an eye-sore at Rs. 8 and tea (2 cups) was disappointingly priced at Rs. 14 (how could they break the symmetry?!).

Gave me an idea. Imagine, a row of gourmet items all priced at Rs. 13. Of course, there are 13 items. The cafe-owner could very conveniently hang a large board with multiplication tables of 13 to aid the customers (the clincher!).

Cafe 13, or perhaps to make it even more mathematically esoteric, Cafe E.

[I am not the lone lover of symmetry. Looks like very much a geek thing. People have done it with far more disastrous consequences. Damn, if I knew how to draw cartoons!]

Vijay Tendulkar’s ‘Kanyadaan’ – An Unparalleled Performance

I saw a performance of Vijay Tendulkar’s Kanyadaan, directed by Lilette Dubey. One of the best professional plays I have been to. The story was strong, a family drama with a strong social undercurrent, and backed with extremely powerful performances. It was performed at Chowdiah Hall, Bangalore, tonight and I am so glad I went!

The play is about a girl born into a political family with progressive views who marries a Dalit man because she sees angst in his poetry, and promise in delivering him from his devilish tendencies. Her father’s lofty ideals have inculcated in her a spirit which tries to find the good in people, and strive to change them. However, after getting married to him, she soon realizes that the devil and the poet-lover are one and the same person, they can not be separated, neither can he be cleansed of the vices (drinking, wife-beating) that are a part of him. In fact, there is a strange malice in him, a sadistic desire to punish her for the suffering his ancestors have gone through the ages. Finally, the father, who has taught her the lofty ideals of humanity and socialism is defeated — he finds himself powerless before the predicament of his daughter, and has to praise his son-in-law’s autobiography, applause spewing from his mouth and poison dripping from his eyes. His daughter tells him how his great ideals, his hope in human innocence is faulty, and how she is a victim of his faith in pursuing this promise.

If the story was already strong, and relevant even now — 25 years after its setting (Pune in 1981), the acting lived up to the script. It is difficult to pick out any of the actors, but if I could, I would pick Joy Sengupta for his portrayal of Arun in the first Act. The unpredictable savage beast-like portrayal of Arun sent shivers down many a spine. Rajendra Gupta as Nath was brilliant as well — cracking jokes with suavity, as well as handling emotional scenes brilliantly. Lilette Dubey as the Mother should have got more lines, and should have been more cathartic in some parts perhaps, but considering she directed the play as well, it is too much to expect. Radhika Apte as Jyoti was also good, but perhaps not in the same league. She was just a little monotonic. The set (a living room) was very good, and the lighting and the sounds were just perfect!

What stood out in the performance was Joy Sengupta’s portrayal of Arun in this first part and Rajendra Gupta’s humour — very well intentional and very witty. The monologues were very well done with excellent usage of lighting and music since not once did the audience feel that a dialog was not required. The great thing was the acting was very real — nobody seemed to actually be acting, rather they just fit into the scene (except for the son in a few places). The cueing was just perfect, not once could somebody feel that it was really not happening. The first half was just fabulous!

If I would have liked to change some things, they would have been in the second half. The brilliance of Joy Sengupta in the first half somehow became a very predictable malice in the second half. It would have been good to keep some shades of good in him till the end. In the scene where Arun comes to meet Nath, Joy’s acting seemed overdone. Another thing I would have liked to see would have been more shades of Arun in Jyoti when she comes to talk to her father in the last scene. While the strength in the girl came out very well, and her determination to stick with the destiny she had chosen for herself as well, the impact on the audience would have been so much higher if she had inculcated some of Arun’s unpredictable savageness instead of just a steely determination. Lastly, Rajendra Gupta’s final whimper should really have been a wail — a heart-rending purgatory wail which could make a person cry. (A woman crying doesn’t have so much impact because the audience expects it, but a man crying can just destroy mental peace)

An amazing play, amazing script, amazing performances! I am out of words… I just wish I can now see it in Hindi, or better still, the original Marathi.

[Some more details here]

