Andre Durand

Discovering life, one mistake at a time.

Archive for the ‘Ping Identity’

Digital Reputations

September 16, 2005 By: Andre Category: Ping Identity

I wrote this over 3 years ago, but don’t think I ever posted it to my main blog.


Anatomy of a Digital Reputation

Tue, Apr 30, 2002; by Andre Durand.

The notion of a digital reputation first came up in my discussions with
Phil Becker, editor of Digital ID World about three months ago. Ever
since then, I’ve grown in my fascination over the concept of
reputations, what they are and how a digital reputation might mirror
reputations in the real-world.

Reputations are both deep and complex at the same time, in one instance serving to amplify reality (“…she was larger than life.”) and in another instance oversimplify it (“…he’s amazing.”).
Reputations are not limited to people, but can and do apply to groups,
organizations, companies, countries, governments and even objects.

Having a good or positive reputation can serve to make your life easier (e.g. “…of course I trust you, your reputation precedes you.”), just like having a negative reputation can work against you, many times in ways that you’ll never even realize (e.g. “…his
resume looked like a perfect match, but when I inquired of others who knew
him, I found he had a poor reputation as a team player, so I didn’t
hire him.”).

But what is a reputation and how might a digital reputation affect you in the future?

of all, a reputation is not something that’s internal to you. Yes, it’s
YOUR reputation, but you don’t have a reputation with yourself per se.
Reputations only really exist within the context of your interactions
with others, and therefore, a reputation can be viewed as existing in
the space between you and others.

While a reputation can be
thought of as distinct, separate and external to us, it is
inextricably linked to us and doesn’t exist outside of the context of
the owner to which it refers. In some instances, a reputation can
become so independent from us that it ‘takes on a life of its very
own.’ In these cases, reputations can actually drive how we act, rather
than how we act dictate our reputation. For example, sometimes we find
ourselves acting in uncharacteristic ways, many times unconsciously,
just to support an external perception amongst others of who we are
that is no longer true to our being.

A reputation is comprised
in part by what we say and what we do over some period of time and in
some particular context of an interaction with others. As an
individual, I might never know all of the different facets of my
reputation, just as others might also never know every aspect of my
reputation. Needless to say, reputations are important to us all
because they affect us in very tangible ways, serving to make our lives
easier or more difficult, depending on whether they are positive or

The reason we care about our reputations is two-fold:
1) our reputation is often tightly coupled with our sense of self-worth,
serving as an external reflection of who we are, or who we wish to be, and
2) our reputation can precede our physical being, serving to
‘open doors’ or generally make our lives more convenient or to close
doors, in which case we are blocked from doing something or going
somewhere, and we might never know why.

At any moment in time,
our reputation is nothing more than a snapshot of our historical
interactions with others. If the snapshot supports what we say about
ourselves, then our reputation is positively amplified (R+1). If the
snapshot contradicts what we have said about ourselves, then our
reputation is diminished (R-1).

As reputations bearing any
weight and credibility are only built over time, it’s difficult to
truly circumvent their creation. This is often why we learn early the
value of ‘borrowing’ a reputation. Namedropping is nothing more than an
attempt to place oneself in the positive glow of another’s positive
reputation, hoping that it will make our life easier in the process or
gain us access to something which we would not normally have access to
on our own. How many times have you specifically gone someplace with
someone who you knew was bearing the credentials and reputation of
being ‘well-connected’? (e.g. “I’m good friends with the owner and he always lets us in for free.”)

are likely the most important quality enabled by identity and I believe
that digital reputations will likely become the core and central reason
why individuals will choose to have a digital identity in the future.

uses a simplified version of digital reputation to allow individuals to
quickly see whether or not a buyer or seller is trustworthy in their
ecommerce transactions, but what if the concept of a digital reputation
was expanded to encompass all facets of one’s identity? The reason this
is important is that I may be completely trustworthy within one context
and completely untrustworthy within another. Let’s examine the
attributes of a reputation.

Attributes of a Reputation

What You Say
To begin with, many people believe that a reputation can be created by
what they say about themselves. Bragging is in essence nothing more
than a naïve attempt to short-circuit the creation of a positive
reputation, often eliciting the exact opposite, which is a reputation
that he/she is insecure. Of all the ways to create a reputation,
telling people what they should think of you is both the weakest and
carries the least amount of weight in the real world. That said, what
you say about yourself can serve to amplify a positive opinion of you
if it is consistent with your actions (in their experience). Likewise,
what you say about yourself can negatively impact one’s image of you if
it is inconsistent with their experiences with you.

What You Do – “Actions speak louder than words”
embodies this attribute of an identity. Nothing serves to more quickly
establish a reputation than one’s actions. When we say, “…what they say and what they do are two different things,”
we’re really making a profound statement about one’s reputation, namely,
‘you can’t trust what they say, because in our experience, they don’t
follow through.’ One’s perceived actions, combined with one’s words,
constitute the foundation of a reputation.

What’s Public
– Certain elements of our reputation are public, that is, generally
known by us (the owner of the reputation) and by others who know us. I
know that many people think of me as creative and honest, two elements
of my reputation that I consider positive attributes. Because I view
these elements as positive and because I’m aware of them, I work hard
to reinforce them by saying and doing things which are both creative
and honest. Generally speaking, we work to reinforce positive elements
of our reputation and diminish negative ones. If I knew that I’d been
branded a ‘tight-wad’ when it comes to paying my bar tab, I might
over-pay in the future to counteract a negative impression of my
reputation as being generous.

What’s Private
Certain facets of my reputation are private, and will never be known to
me or others. Individuals who choose to create a new identity are doing
nothing more than running from their reputation. The same way that
individuals might attempt to conceal their past and reputation from
others, others might also feel compelled to conceal elements of our
reputation from ourselves. While many of us are aware of some of the
negative attributes of our reputation, we will likely never be aware of
all of them, and as a result, we’ll never actually know when and where
our future has been walled in or blocked off because of them.

What Context
– Lastly, while in real life and in every day conversation we do in
fact attempt to summarize an individual’s reputation (e.g. “…she’s an amazing person.”),
the fact is, our reputation is contextual and it is quite possible for
me to have a positive reputation in one area of my life with individual
A and a negative reputation in another area of my life with individual

The Digital Reputation
While historically
reputations have been somewhat vague and subjective, in the digital
world they are likely to become more objective, binary and long-lasting
(all the reason to take them seriously). Biologically, time is a
built-in eraser, allowing us to forget and move on. In the digital
world however, where memory is cheap and caching the norm, our
reputations are likely to become more persistent, at least in the areas
in which the law has not intervened (e.g. driving tickets are erased
every three years and bad credit every seven). Probably more important,
in the digital world, our various reputations which are today
disconnected are likely to become more connected, if not by us, then by
others. Think this is far-fetched? Don’t think for a second that my
reputation as a frequent flyer is not in some way connected to my
reputation as an individual who rents cars when I’m out of town, and
that’s just the beginning.

The fact is, systems specifically
designed to create and track our digital reputations do in fact exist
today. They are disguised as cookies, packaged as awards programs and
renamed to convenience time-savers. As individuals navigating an
increasingly complex and interconnected world, our slime-trails spell
money to the private sector, and control to the government sector. As
the digital reputation is an off-spring of digital identity, ensuring
that we maintain control in how they are built, used and accessed is
essential to our future as a free society that holds dear our right to

SourceID Releases InfoCards for Java – Work-in-Process

August 13, 2005 By: Andre Category: Ping Identity

Yesterday we released our SourceID work around an InfoCard STS Toolkit for Java (Version 0.1 – Work in Progress). Kim Cameron and the group up at Microsoft are doing some very innovative things around identity, and this is Ping’s first foray into exploring that work and the implications to consumer identity infrastructure.


The SourceID InfoCard STS Toolkit for Java (available now for immediate download from
) is a
library and simple framework for writing server-side applications which interact with Microsoft’s new InfoCard identity system (InfoCard is
itself also still a work-in-progress as of this writing).

Microsoft InfoCard is an identity system scheduled for inclusion in Windows Vista (a.k.a. Longhorn), with a possible release for Windows XP
to follow. It allows users to create identity information cards (“InfoCards”)–and/or collect signed cards from third-party Identity
Providers–and use them to provision accounts and/or instantly sign in to web applications (via browser) and web services (via SOAP clients).

The best sources for InfoCard information are two web logs maintained by members of the Microsoft InfoCard team:

Kim Cameron’s Identity Weblog –
Andy Harjanto’s InfoCard Weblog –  

Dave Kearns Gets It

July 20, 2005 By: Andre Category: Ping Identity

No need for me to describe my post of a few days ago. Dave’s got it.

Passel – “Identity for the rest of us”

July 20, 2005 By: Andre Category: Ping Identity

Looks like Dave Smith and a bunch of his friends from the old gang (Peter Saint-Andre, Jer, Peter Millard) have finally posted their work related to a lightweight, end-user focused identity system here.

It will be interesting to watch where this goes over the course of the next several months. Passel describes itself as:

“Passel is a lightweight, user-centric identity system that enables people to manage their online identity. It is designed to maximize privacy and user-control of information which forms an identity. Passel is built on the idea that identity is composed of equal part social norms and 3rd-party verified information.

Passel is the foundation for a fully decentralized personal identity ecosystem. We believe that it is essential for the protocol to be not only open and specified, but also be easy to implement. Participation in the network should require the lowest possible effort without compromising security. To facilitate this vision, the Passel project provides Open Source reference implementations of the Passel protocol in multiple languages.”


Attributes, Identifiers & Correlating the Two

July 05, 2005 By: Andre Category: Ping Identity

In a Tequila-induced stupor Friday night, I came to the following
realization, “the sum of the correlation between
attributes is greater than the sum of raw attributes
themselves.” I’ll explain at a later time.


Automobile Cloning

June 11, 2005 By: Andre Category: Ping Identity

My wife was telling me last night about auto-cloning, which is essentially auto-ID theft. People apparently copy registered VIN numbers and then use cars with the copied VINs to commit crimes. When the cops find the cars, they match the VINs back to regular Joes.

Looks like we need auto-biometrics. In my particular case, you could take a food-print (french fries, cookie crumbs mixed with slobber) from the car mat under my daughter’s safety seat. I’m quite sure it’s a unique brew.

7 Reasons why InfoCards Matters

June 10, 2005 By: Andre Category: Ping Identity

Bryan, David and a few others over here in Pingland were kicking around some afternoon whiteboarding ideas on InfoCards. Figured since I’m getting back into my bloghead, I’d start posting a bit more…  

  1. It centers on the user. Users rule.
  2. It can stop Phishing attacks cold — as we know them today
  3. It’s better than Gator-like utilities or IE’s auto formfill for new account registration
  4. It provides users with the convenience of SSO
  5. It eliminates the need to manage weak passwords
  6. It’s a branding opportunity for 3rd party Identity Providers
  7. And of course, the client will be built into every Windows desktop

Challenges to overcome…

  • How to roam and maintain your InfoCards
  • How to recover if something bad happens to your computer
  • How to enable InfoCards on other operating systems
  • How to streamline the 1st time user experience


  • Existing consumer-facing (external) federation use-cases will be displaced by user-mediated exchanges of attributes between IdP’s and SP’s
  • A battle will ensue between companies looking to become the branded (most trusted) identity providers

InfoCards = Third Leg of Stool

June 07, 2005 By: Andre Category: Ping Identity

I’ve been giving a lot of thought lately to both the concept of a token generation/validation/exchange service, as is defined within the WS-Trust specification for a Security Token Service (“STS”) and Kim Cameron’s work around InfoCards. It all came about as a result of our participation with Microsoft demonstrating interoperability of a Ping developed (J2EE) version of WS-Trust and Microsoft’s new InfoCards client at Digital ID World 2005 in SF.

I think this is a scenario where 1+1+1 (SP’s + IdP’s + End User) is going to equate to much more than 3. The concept of InfoCards is, in my mind, the third leg of the stool. We must involve the end-user in the movement of information which pertains to their identity in order to create a balanced, sustainable equation where a balance of power exists among all three constituents in a mature identity ecosystem.  It’s the reason Ping got involved in identity in the first place!

General Update on *stuff*

May 20, 2005 By: Andre Category: Ping Identity

Ok, I’m completely delinquent in updating this blog! Heck, I barely have time to go to the bathroom these days. I actually don’t notice even breathing until I’m in the car going home lately. Here’s what’s happened in the past few weeks.

1. we closed our B financing at Ping. Phew. That was a bit harder than I had expected. Good news is, we got our #1 draft-pick, Draper Fisher Jurvetson to lead the deal.

2. Eric got us named to 1 of the top 10 startups to watch in Network World Magazine

3. We held a successful, sold out, 4th annual Digital ID World last week. I’m a bit exhausted by it all, but probably not so much as Phil and Kathi, who did all of the heavy lifting for the event.

I’m spending most of my time on the road these days, and trying to figure this whole identity thing out. I’m hot on the trail of a reference architecture for federation… and making some progress. I promise to do a bit more updated…

Death by RFID Passport

April 04, 2005 By: Andre Category: Ping Identity

Future US Passports will have an RFID chip embedded. There’s a new website dedicated to building consumer awareness around the potential risks associated with this. While I think whoever is running this website is likely a tad paranoid, I can’t say that I don’t think the potential consequences and concerns expressed below are that far-fetched — and that we likely need to think things through a bit more. I do believe there are some very real potential risks associated with the system as proposed. Here’s an excerpt from their website:

“In a misguided attempt to make US passports more secure, the US Department of State plans to put radio frequency identification (RFID) chips in all new passports.  This RFID chip will contain the same information currently on our passports, including the passport holder’s name, date and place of birth, passport number and photograph.

In a dangerous world where Americans are targeted by thieves, kidnappers and terrorists, the RFID-chipped US passport will turn tourists into targets, and American business travelers will transmit their identities to kidnappers wherever they go, thanks to the US State Department.

Close up, the information broadcast from the RFID chip can be read by anyone with an inexpensive electronic reader.  Farther away, the RFID chip can be activated enough to identify the passport holder as an American.

From identity theft to identity death, an RFID-chipped US passport means good news for the bad guys.”