[KI-LC] FYI (a key discussion of scope at OWF)
john.fraser at mednetworld.com
Fri Dec 11 09:14:30 EST 2009
This was a very clear and level-headed explanation of what Kantara is all about. As one of the co-chairs of Kantara's health work group, I never really appreciated how far we've come since moving from Liberty to Kantara. Most of this success is due to you personally and other Kantara staff who have done a very professional job of managing such diverse communities.
I want to say it is a pleasure working with such a group of professionals. Keep up the good work!
Co-chair, Health Identity Management Workgroup
From: lc-bounces at kantarainitiative.org [mailto:lc-bounces at kantarainitiative.org] On Behalf Of Brett McDowell
Sent: Friday, December 11, 2009 7:42 AM
To: Kantara Leadership Council; Kantara BoT
Subject: [KI-LC] FYI (a key discussion of scope at OWF)
FYI... here's a note I posted to the Open Web Foundation list in response to some soul-searching questions from Eran Hammer-Lahav, the OWF Chair, about the direction of OWF. If you are on that list (or would like to be) you might want to participate in this particular conversation. The mailing list detail and archive is here:
Begin forwarded message:
From: Brett McDowell <email at brettmcdowell.com>
Date: December 11, 2009 8:05:10 AM EST
To: open-web-discuss at googlegroups.com
Subject: Re: What's in a name? That which we call the Open Web Foundation
As most of you know, I'm the Executive Director of Kantara Initiative, an organization formed in April 2009. At the risk of sounding like a commercial for my own organization, I owe it to Eran (and all of you) to answer his questions as accurately and completely as I can, even if doing so makes me look like a salesman (though nothing I mention below costs any money, it's all available to the community free-of-charge, underwritten by corporate sponsorship/membership). I hope you take this email in the spirit it was intended.
But I'm confused, because you say, "Who is going to operate this incubator?
Who is going to help mentor new spec editors? That is, other than the
handful of people barely doing it today." Yet you go on to list things that
would require even more work, and some are better suited for other
What other organizations? If the Open Web Foundation isn't the place where all this belongs, tell me where to go instead. Please go point by point over my list and tell me how you think it should be provided for.
I am an open specifications developer, a community organizer, and public
complainer. I have been doing *this* work for 3 years, 2 of which
Before I get into a point-by-point analysis, I just want to say Eran's list of support requirements reads like a "why we formed Kantara Initiative" list to me. I know many of you are aware of Kantara's existence, and many of you have taken a "wait and see" approach before getting involved yourselves. Now that we are more than six months into operations it might be a good time to take another look and see what's going on and how things actually happen vs. were forecast to happen (whether it was me forecasting how good it would be, or others forecasting how bad it would be, now you can just see for yourself how it really is).
This is what I *need* in the order I need it:
* Better communication platforms - tools that integrate email, messaging,
and collaborative tools with specification development process. I want the
mailing list system to manage CLA signatures. I want the source control
system to be directly linked to email messages with ideas and contributions.
Open source is successful to a large degree because of the tools available to
create it. Until we can tell where changes to a specification came from, just
like we can do with open source, we are going to be stuck with a primitive IPR
policy and governance models.
Kantara offers Confluence, MailMan, Subversion, BugZilla and Wordpress. It's not the most sophisticated set of collaboration support tools but it seems to be doing the job. If a project would prefer SourceForge or GoogleCode to manage version control, that's fine too. I'm sure we can do better if better is required, we just need to understand those requirements. The good news is that we do have infrastructure budget and competent IT staff to build a system to support the needs of the community. This is a big part of why we were formed.
* Participation - it is surprisingly hard to get people to actually contribute to
an open community specification. I have the benefit of comparing the quality
and quantity of feedback received for my community work and my standards
body work and they don't compare. I actually have to beg now for reviews
(and still don't get them)! Maybe this is all personal and people just don't like
me, but I see the same patterns for specs I am not directly involved in.
I'm not going to pretend this issue doesn't exist in Kantara either. The old rule still stands: 20% of the participants do 80% of the work. But in Kantara some of the priority projects get additional support from hired contractors, and in general the number of participants across our groups is pretty strong. Here are some links to rosters where you can see how many folks are actively contributing (including having signed-off on IPR agreements up-front... that CLA issue OWF is now starting to tackle).
Consumer ID: http://kantarainitiative.org/confluence/display/WGCI/Participant+Roster
eGovernment (Open Gov): http://kantarainitiative.org/confluence/display/eGov/Participant+Roster
ID Assurance (Trust Framework): http://kantarainitiative.org/confluence/display/idassurance/Participant+Roster
IDP Selection (WAYF UX Problem): http://kantarainitiative.org/confluence/display/WGIDPSEL/Participant+Roster
InfoSharing (VRM): http://kantarainitiative.org/confluence/display/infosharing/Participant+Roster
WSF Evolution (OAuth Extensions): http://kantarainitiative.org/confluence/display/idwsf/Participant+Roster
Japan (regional advocacy): http://kantarainitiative.org/confluence/display/WGJ/Participant+Roster
Privacy & Public Policy: http://kantarainitiative.org/confluence/display/p3wg/Participant+Roster
Universal Login (UX optimization): http://kantarainitiative.org/confluence/display/ulx/Participant+Roster
User-Managed Access (OAuth Extensions): http://kantarainitiative.org/confluence/display/uma/Participant+Roster
(there are others but these have been up and running for a while)
* Editors - the most labor intensive part is writing the specification, and
writing it well. It is very hard to find someone to edit open specifications. This
is why the handful of specs we have is largely written by the same small
group of people (who are getting busier). We need experienced editors to
help mentor new ones.
In Kantara we still hold to the principle that the primary Editor of a specification or policy framework should be a community stakeholder (volunteer) to help ensure the spec or framework is guided by real requirements. But, we also provide editorial services once a draft is pretty stable. Our professional editors then do a pass to align the document with all the editorial guidelines for consistency, ensuring the legal front-matter is accurate, and making sure the final version is professional-grade. We are in our first cycle now so I don't have a completed doc to show you, though I will shortly.
* Chairs, leaders - someone needs to herd the cats and give communities a
We have a Leadership Council made up of the Chairs from every group chartered in Kantara. Below is their roster. They have been quite active in getting together by teleconference to keep the cats herded and all systems go. Remember, we formed in April and we already have a number of published drafts, several chartered projects, about two hundred participants, and about a hundred sponsoring members. This didn't happen by accident. The Leadership Council is a collegial and productive group of people I'm proud to work with.
* Domains, websites, trademarks - someone needs to own this and manage
it. I think people need to worry less about OAuth IPR than who controls the
oauth.net domain name and can point it to a new specification tomorrow
(perhaps slightly changed). I wrote a new version of OAuth 1.0. Who gets to
decide if we can replace the existing one with this newer version? Who gets
to decide if WRAP can call itself an OAuth profile (when it is clearly not
according to any technical analysis)?
Kantara has the administrative resources to manage trademarks, domain registrations, etc. We already have filed trademarks across many countries (which is quite expensive as some of you know) and we manage several domains. The Board of Trustees is responsible for all fiduciary matters so maintaining the integrity of trademarks, domains, etc. falls to them, who delegate the duties to me and my team.
Legally speaking, we are a Program of the IEEE-ISTO (a 501(c)6) but we operate as an independent non-profit. We also manage a number of other assets, like hubs and routers that we bring to interoperability events, projectors we bring to meetings (to save on AV rentals), etc. We have event management staff to arrange for conference workshops, seminars, etc. We have a "speakers bureau" to help place community members on the agenda of relevant conferences around the world, etc. We have an analyst relations program and PR team to support the work that comes out of Kantara (their job is to market the work product of the community, not to market the organization itself which would explain how little "hype" you've seen from Kantara -- this email being the exception that proves the rule).
* Open Source libraries - we are extremely poor in resources for writing
quality libraries implementing these specifications. The majority doesn't even
have a reference implementation or a comprehensive test suite. The main
reason why people started working on alternative solutions to OAuth was
that the crypto was hard and the libraries did a poor job at removing the
need to do it. It was actually easier for those involved to write a new spec
than to write quality open source libraries.
Kantara Initiative funds community projects proposed through the Leadership Council. This could be any form of request that's going to help the Open Web. One example we recently approved was a modest bounty for an implementation of the UMA OAuth extension that would be used as an online test harness of sorts. In fact, the 2010 budget includes more than $150K in project funding in response to "bottom-up" proposals from the community to the Kantara Trustees.
* Governance models, documentations and guides, demos and experimental
sites, and on and on...
Governance, governance, governance. This was our focus for most of 2009 and we now have all our governance documents in version 1.1 with several tweaks to meet the needs on the ground. I'm quite pleased with how the governance piece has turned out and I'm confident that anyone here who investigates this aspect of Kantara will find it acceptable if not ideal (personally I think it's closer to ideal, but that's my bias having contributed extensively to the governance model). Bylaws and other policy docs are online here:
Another project we funded is for the Universal Login eXperience Work Group to hire usability experts and designers to mock-up some new federated login flows for OpenID, InfoCards, and SAML authentications (btw, we ourselves run a multi-protocol RP). Those are underway now, focused on NIH use-cases (that US Government Open Identity for Open Government project Eran alluded to), and should be on our web site in a few weeks.
Another thing we are spinning up now is an interoperability program that will help accelerate the maturity of implementations and refine specifications through interop testing and even software certification (for the more mature specs).
Along with Interoperability testing and certification (to launch in 2010) we have Assurance certification for IDP's to prove they comply with OMB 0404 (via the Service Assessment Criteria in the Identity Assurance Framework). I mention this because it is a tool to build trust in Relying Parties and facilitate adoption. I also mention it to point out that all such certification programs we run will have direct oversight from volunteer "Review Boards". So far we have:
Assurance Review Board with folks from: US GSA, Aetna, KPMG, SUNET, and BT
Interoperability Review Board with folks from: US GSA, NTT, Oracle, CA, Google, and Internet2
I am an open community specification developer. Literally every day I get an
email or message asking me how come this or that specification isn't finished
yet (after more than a year). This is what I need and the OWF is not helping
me. At least not yet.
You can get a lot of what you are looking for from Kantara Initiative. I'm not sure if you didn't know that or if there is something about Kantara that is off-putting. If there is a barrier to leveraging the support we offer, PLEASE let me know and I will address it!
If it is not the job of the organization called the Open Web Foundation to
help me with this list, and it clearly doesn't have the resources to do any of
this now, what's the point?
One job Kantara Initiative is not working on is the development of new IPR Policies. We allow for several different IPR Policies and anyone can propose a new one be adopted at any time. This is why I'm involved in OWF. We have discussed adding a Non-Assert Covenant to our list of IPR Policies and I've been hoping that what came out of OWF would be a good fit. But our approach will continue to be "options" for IPR on a group-by-group basis. This would allow a handful of folks who want to be very inclusive to pick a very inclusive license, and others who want narrow "necessary claims" grants can pick something like OWFa.
Again, I apologize for this "commercial" and I would have never posted something like this to the list if the Chair hadn't asked the questions that prompted my response.