August 2011


Google+ is subject to a #nymwars discussion about its requirement to use Real Names. Google+ has shut down a large number of accounts, for example that of IdentityWoman. The movement for the use of pseudonyms has launched My Name Is Me, where the arguments for pseudonyms are presented. Some of the arguments are:

  • the right not to be stalked or persecuted (whistleblowers, abuse survivors, people from small communities, sexual minorities)
  • wanting to have multiple personas, choosing nicknames to present yourself, celebrities (Lady Gaga, Bob Dylan, Madonna …)
  • being able to voice personal opinions without being associated with an employer (academics, fans, bloggers, journalists, military)

Earlier this year, SXSW discussed the Social Network Users’ Bill of Rights, and there was agreement on most of the points proposed. The one point with the most discussion (and the least agreement) was the right to use pseudonyms. Kim Cameron commented on his blog that imposing pseudonyms on all social sites breaks the laws of identity.

In Norway we have a debate about how public online discussion forums may avoid hateful, cesspit-style discussion. There is a need for participants to be held accountable for their opinions, but in my opinion not necessarily to expose legal identities. The federations in higher education are currently handling Real Names, nicknames and pseudonymous/anonymous access at the same time:

  1. Real Names are present in the identity management system, because the universities need these names to issue formal credentials (PhDs, MSs, etc.) and bind the formal credentials to formal, legally registered names.
  2. Nicknames are present in the attribute definitions, but we are still in the process of sorting out the most practical ways of sharing this information. There is ongoing debate about consent and the necessity of attribute sharing, and displayName is an attribute we need to think more about. Feide decided to require both the legal name (Real Name = norEduLegalName) and the preferred name (nick = displayName).
  3. Federations provide anonymous but traceable access, based on technology for per-service unique identifiers.
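To make the three-tier scheme concrete, here is an added example (not Feide's, Shibboleth's or any federation's own code) of what an identity provider does at release time: it hands each service provider a per-service identifier that is stable for that SP but different across SPs, and releases norEduLegalName or displayName only where a release policy allows it. The user directory, the secret, the SP entityIDs and the release policy are all constructed for the example; the keyed-hash construction of the identifier is an assumed stand-in for the persistent NameID / eduPersonTargetedID mechanisms real IdPs use.

```python
import hashlib
import hmac

# Constructed sample data: an IdP-side secret and a tiny user directory.
# Attribute names follow the schemas mentioned in the text.
IDP_PAIRWISE_SECRET = b"constructed-idp-secret-keep-private"  # assumption
USERS = {
    "ola.nordmann": {
        "norEduLegalName": "Ola Nordmann",   # Real Name, for formal credentials
        "displayName": "Ola N.",             # preferred name / nickname
    },
    "kari.nordmann": {
        "norEduLegalName": "Kari Nordmann",
        "displayName": "kari",
    },
}

# Constructed attribute-release policy keyed by SAML entityID (assumed names):
# the degree registry needs the legal name, a discussion forum only needs the
# nickname, and a library gets nothing but the traceable identifier.
RELEASE_POLICY = {
    "https://degree-registry.example.edu/sp": {"norEduLegalName", "displayName"},
    "https://forum.example.org/sp": {"displayName"},
    "https://library.example.net/sp": set(),
}


def pairwise_id(uid: str, sp_entity_id: str) -> str:
    """Per-service unique identifier for one (user, SP) pair.

    Assumed construction: an HMAC over the SP's entityID and the internal uid,
    keyed with an IdP secret. The same user gets the same value at the same SP
    on every login, a different value at every other SP, and nobody without
    the IdP secret can recover the uid or link two SPs' identifiers.
    """
    msg = f"{sp_entity_id}!{uid}".encode()
    return hmac.new(IDP_PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def build_release(uid: str, sp_entity_id: str) -> dict:
    """What the IdP releases to an SP: the pairwise NameID plus only the
    attributes the policy permits for that SP (minimal exposure)."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    attrs = {name: value for name, value in USERS[uid].items() if name in allowed}
    return {"NameID": pairwise_id(uid, sp_entity_id), "attributes": attrs}


def trace_identifier(sp_entity_id: str, name_id: str):
    """Traceability: when an SP reports abuse under a pairwise identifier, the
    IdP (and only the IdP) can recompute identifiers over its directory and
    find the account behind it. Returns the uid or None."""
    for uid in USERS:
        if hmac.compare_digest(pairwise_id(uid, sp_entity_id), name_id):
            return uid
    return None


if __name__ == "__main__":
    for sp in RELEASE_POLICY:
        release = build_release("ola.nordmann", sp)
        print(sp, "->", release)
        print("  traced back to:", trace_identifier(sp, release["NameID"]))
```

The design point is the separation of concerns: the forum can hold a user accountable (it can report the identifier and the IdP can trace it), the forum still never learns the legal name, and two services cannot pool their logs to build a joint profile because the identifiers do not match.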

We need to find a balance online, as we have for other aspects of public space, where we do not need to post identity information about each person, but in many cases require that identity be traceable. Minimal exposure of information is good, but defining "minimal" is difficult.

David Bantz posted an interesting email, “Please, somebody talk me down!”, on the Shibboleth users list, pointing to four issues that crop up over and over again with SSO in higher education:

  • Even if a vendor claims to support SAML, they are unable to consume attributes. And the provisioning of attributes includes sensitive, restricted and open information alike.
  • Proprietary extensions are used for too many of our solutions.
  • Credential relays operated by a non-trusted third party (or the SP). Preferably combined with unmaintained SP software?
  • Why not just use AD? Believing that using AD will automagically integrate all services.

The scary summary is that we as a community are not providing enough direction when it comes to SSO solutions.

For some of these issues (why AD does not solve all problems, credential relays) we need to explain the issues in a language that can be understood, or even better, put them into calls for tender. For other issues there are unsolved technical problems, like the integration of web SSO and non-web SSO. The concept of real-time attributes, so beloved of higher education federations, is poorly understood by most vendors. Then again, they are not used to operating in a world where user account lifetime is planned per semester.

I am hoping that REFEDS may be a place to work on some of the issues pointed out, but the bulk of the work will have to be done by each individual university as they call for tender and discuss with their application suppliers and partners.