#291 - Identity Bubbles with Justin Richer

Jun 24, 2024 · 57 min · Ep. 291

Episode description

In this lively episode of the Identity at the Center podcast, hosts Jim McDonald and Jeff Steadman kick things off with a humorous mishap involving Jim's tech setup before diving into the latest happenings. They discuss the sweltering summer heat, Jim's recent "Greatest Dad of All Time" award, and their upcoming plans for Identity Week in Washington, DC.

The highlight of the episode is a deep dive into the concept of "Federation Bubbles" with special guest Justin Richer, Security and Standards Architect and Founder of Bespoke Engineering. Justin explains the idea behind federation bubbles, a dynamic system designed to handle identity management in disconnected or disadvantaged environments. They explore real-world applications, such as military operations and disaster recovery scenarios, where traditional identity systems fall short.

Justin also shares updates on his recent work, including the GNAP protocol and HTTP Message Signatures, and his involvement with the IETF's new working group, WIMSE (Workload Identity in Multi-System Environments). The conversation touches on the challenges and potential of these emerging identity standards, as well as the importance of context and trust in identity management.

The episode wraps up on a lighter note with a discussion about Justin's board game project, "Natturuval," and the latest edition of "Cards Against Identity."

Connect with Justin: https://www.linkedin.com/in/justinricher/

Learn more about Bespoke Engineering: https://bspk.io/

Workload Identity in Multi System Environments (WIMSE): https://datatracker.ietf.org/wg/wimse/about/

SPIFFE: https://spiffe.io

Natturuval: https://gamefound.com/en/projects/bespoke-games/natturuval

Cards Against Identity: https://bspk.io/games/cards/

Attending Identity Week in Europe, America, or Asia? Use our discount code IDAC30 for 30% off your registration fee! Learn more at:

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

🔑 Episode Keywords

Podcasting Equipment, Identity Management, Conference Recording, Summer Heat, Air Conditioning, Traveling For Work, Hotel Wifi, Father's Day Award, Identity Week Conference, Discount Code, Washington, DC, Sandwich Shop Potbelly, Holocaust Museum, Uber Ether, Department Of Defense, Federation Bubbles, Workload Identity, IETF Working Group, SPIFFE Protocol, Board Game Natturuval

Transcript

One other thing I thought of is that we're probably going to be podcasting there, so whenever you and I get to a conference together, we bring all our recording equipment and try to get a few episodes in. What happened? Nothing happened as far as I know. My monitor just turned off. Sorry guys I don't. I didn't even move down the inch. Hashtag just Jim things. Oh. My God. Alright, just Jim's poor technology. Jim gave up, he walked away. He's like I'm done, mark this down.

We we made it 5 minutes before we had a Jim technical issue. Well, I am back, so where was I? I'll start over. I don't remember where I about where I was I guess. It was too close to the mic. You keep bouncing around. Yeah, my my screen is kind of flickering, so hopefully I got everything set up here.

This is Identity at the Center. If it has anything to do with IAM, this is the go to podcast now your hosts Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center Podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Doing great man. It's definitely summer here in Georgia.

It was about 100°F the other day or yesterday and man, I'm feeling it. But fortunately I work in an air conditioned building and you know, I, I'm feeling it when I'm outside and that's for 10 minutes. First as I run to my truck that is also air conditioned and then I go to drive through windows and I can feel the air conditioning emanating from those buildings. So I I can't complain too much. That's kind of how I feel about

like winter is I work. When I lived in a wintry area like Chicago, it was, well, I'm inside where the heat is and then I'm in my car where the heat is, and then I'm walking outside to somewhere and then I'm somewhere where the heat is. So same thing. But yes, definitely hot. I'm in Minnesota today, so another week on the road for me. But we'll see how hotel Wi-Fi holds up for this episode. But so far so good. Not quite as hot here. My watch says it's 69° here in Minnesota.

So nice. Yeah, that's definitely not too bad. And by the way, Father's Day just passed here in the US and I've received a pretty awesome award, Greatest Dad of all time. It it's great because I also got a commemorative notebook which has all of my past awards #1 Dad, Best dad ever. That's pretty much it. I mean #1 dad and best dad ever, and now the greatest dad of all time. I think that's the trifecta.

What do you think? Well, I'm not a dad, so I'm, I'm feel bad for all the other dads who thought that they were number one. I guess. What are they? Are those like, you know, fake news, false, false prizes? Their kids are lying to them. I mean, which one of those poisons do you want to pick? I think so. I think they've, they've been buying the coffee mugs as a number one dad and giving it to their dad. And really, they should have been giving it to me. Apparently I am the greatest dad

of all time. Oh well, congratulations on your major award. Thank you, Sir. All right, what else do we have going on? We, we forgot to mention last week, but we're definitely gonna be at Identity Week coming up later this year. Identity Week Europe has already passed by the time people listen to this. But we do have discount code for both America, which is in Washington, DC, September 11th and 12th. IDAC30 gets you 30% off of your registration.

And that code is also good for Singapore, which is October 22nd and 23rd. Jim, you and I are going to be in DC September 11th and 12th. We're going to start to work on plans in that probably the next, you know, few weeks here, but hoping to see some, some friendly faces there. What do you think about DC and Identity Week? Well, I think it's going to be hot as heck in DC at that time. Oh wait, you're going to be inside. Probably be. It'll be perfect weather.

I love DC. There's a few things I really love about it. One is a sandwich shop called Potbelly's, which I think is in a lot of places, but it's not in the Southeast. It's a chain, a small little place like McDonald's. Well no no like McDonald's is everywhere and Potbelly's is not here and I love it. I I would eat there at least every week if I lived there. Also the museums are pretty awesome. Last time I was there, I went to the Holocaust Museum, which is free.

And man, it's like, it's pretty somber. But I think it's an experience everybody should go through. And then I just feel like, you know, when you're in DC, like there, you know, there's so much going on. So, yeah, I'm really looking forward to it. Plus, I think the conference is going to be awesome. I mean, you know, you've been there before you told me about it. It sounds like it's becoming one of the conferences people have got to get to and and give it a shot. Yeah, definitely.

I think it comes at a good time of the year too. It's kind of a lull in between like Identiverse, which just took place a couple weeks ago and then like Gartner, which is later in the year. So I think it's really good kind of opportune timing. So yeah, hopefully see lots of people there that we know. I know last year there was quite a few people there was like, wow, OK, there's some, there's

some names at this conference. So I'm expecting, you know, similar and or better turn out for this year as well. So that's kind of exciting, but hopefully people take advantage of that. That code's a good way to show support for us. We'll have link in our show notes so people can can use that as well. I'm looking forward to the conference in terms of, you know, hopefully we can record a few episodes.

And while we're there, I mean, whenever we go to conferences, bring all of our recording equipment, try to record a few episodes, put out some more additional content for the listeners. And I think people appreciate it because one of the things I noticed is that most of the episodes get a lot of views, get a lot of downloads. So we'll keep doing it unless, you know, we hear from people that it's too much, it's too much, dial it back. It's never too much. You can never have enough

Identity at the Center in your life. So we're just going to keep doing it. We don't do it for you. We do it 'cause we like to do it. No, I'm just kidding. We do it for you too. That's why we started, though. We started out just doing it because we like doing it because. I mean, we're going to keep doing it as long as we keep like keep liking to do it and we do. So that's good. All right, let's get going with the show. Let's talk about Bubbles, vaguely cryptic topic.

We've got Justin Richer. He's security and standards architect and founder of Bespoke Engineering. Joining us again. Welcome back to the show, Justin. Hi, Jeff. Hi, Jim. Thank you guys for having me back on. Yeah, thanks for taking the time. It's been about a year since you were with us. You've already given us your origin story. That was back in episode 222. We're on episode 291 now, so we'll point people back if people want to learn more about your background.

But let's talk about the past year. How's your year been, what you've been up to? Anything new and exciting? Oh man, it's, it's been a busy year. So we had the GNAP protocol is now with the with the RFC editor. So that'll be becoming a, a final RFC soon. It still takes a while even when it's at that stage, but hopefully soon. We had HTTP message signatures, which is another draft that I've been working on for a few years that is now an RFC, RFC 9421. And so that's exciting to go to

see go through. And then also in the IETF, we have spun up the Workload Identity in Multi System Environments, or WIMSE, working group and that is new work and I'm helping co-chair that at the IETF. And that we've just gotten that started really within the last year, which is absolutely breakneck speed by IETF standards to get a new working group up and running in that time. That is pretty quick and and you've got a great acronym,

WIMSE, which is awesome. It's right up there with Cheeto for Chief Identity Officer. I I can't I can't take credit for WIMSE. We, we originally tried to do Workload Identity in Distributed Environments, or WIDE. And it turns out that there is a, there's already a, a project named that. So they wouldn't let us have that. But the security AD came up with WIMSE when brainstorming with, with a few of the folks that were proposing it. So and I, I absolutely love it.

It's give nerds enough rope and we will like we will come up with the most ridiculous set of acronyms that you can possibly possibly use. Yeah, but you know what? It's all about marketing, right? If you, you have to have a good name for your thing, otherwise they'll never get traction. And WIMSE's a great name. I, I, we're gonna, I wanna dig into that more 'cause there's another one that you were mentioning before we hit record called SPIFFE, which is even

awesomer. So it's like between SPIFFE and WIMSE and Cheeto. And I'm sure there's other ones out there. Oh yeah, SPICE is just starting up too. So, you know, that's a lot, lot of lot of good stuff. And yeah, naming things is worth. We're gonna get to that in a second. I wanna ask you about Identiverse 'cause I saw you in the hallway.

We kind of chatted for a couple minutes there while I think, I think I was coming from a recording and walking somewhere and you were sitting in a chair holding court as as you do. What did you think of the conference this year? Any thoughts? Overall it was good. Honestly most of my time I got pulled into hallway conversations this year it was it was a hallway con for me. Just a lot of good conversations with people that are working on

lots of interesting stuff. The the big topics this year really seem to be like authorization. Absolutely a big topic this year that's really kind of coming out into its own. All the workload stuff like for example, like we're doing with WIMSE that showed up in a bunch of different spaces. And so that was that was really good to see. And it's interesting seeing all of this stuff happen in, in a world where like OAuth and OpenID Connect stuff that I helped like define and and build.

It's not the new stuff anymore, right? That's that's the old guard that's been around for over a decade. Like let's what's, what's next? What are we? What are we building on now? And to me, that's really exciting to see what the new takes are on solving not only the same problems, but also like problems that that stuff just doesn't solve well. It never, it was never meant to solve well.

And so, yeah, seeing a lot of people working in just, I, I think we're really seeing a lot of new flourishing ideas in a lot of different spaces in the identity community right now. And most of them are probably going to end up being bad ideas. We don't know which ones those are yet. And I, I think we'll see some really, really cool stuff landing over the next couple of years.

That's a good perspective. And I think a lot of the things that you talked about with, you know, the WIMSE, the SPIFFE, it all is going to tie into this concept of federation bubbles. You're going to kind of educate us on today. But you start at the most simple level. What is the use case that the federation bubbles concept is meant to solve and kind of how how did you stumble into this? And you know, tell us the give us the background.

Yeah, of course. So the whole concept I'll, I'll start with like what an idea of a bubble is and then it'll make sense of a little bit more of where it fits. The idea of a bubble is that you have a network of systems wherein everything is just kind of self-contained. So you have accounts that work, applications that work, authorizations, all of that. And then you have controls about how stuff gets into that system and how stuff gets out of that

system. So how I provision accounts in and how I can use that as a launching point to provision stuff outbound. Now where this really ends up being pretty useful is places where you have disadvantaged environments. So you have systems where you might lose network connectivity. One of the places that. So I've been working with Uber Ether on this project for about the last year or so and they do a lot of Department of Defense and sort of forward deployed type of stuff.

This is cases where you literally have a bunch of people on a boat and then that's going to go sail off and you're going to be outside of satellite coverage, outside of connectivity range. Or even when you do have coverage, the latency is so high that traditional federation concepts and protocols just don't really don't really work

anymore. Like bouncing somebody back to their home IDP back on their, you know, their base or back at, you know, DoD somewhere is not not really going to work because it's going to time out before it ever it ever returns. And so you need to have a system that works within this sort of sometimes disconnected environment.

The other thing that got me really interested in this is that years and years ago, you know, several, several jobs ago, I was working at a company called MITRE and we were doing a lot of rural search and rescue work at the time. I was doing interface design for unmanned aerial vehicles, drones, we would call them today.

And one of the things that we found in that environments is that we would go work with these groups that you got a whole bunch of people that just kind of show up to help with a rescue operation or help with disaster recovery. And you might not be able to identity proof these people. You might not be able to tie them back to anything in particular. But you know what, you're here, you can hold a shovel, that's good enough.

Here you go. And we really felt that in going into this bubbles project, we really need felt that we need to be able to extend that into the digital space. Like you're showing up in the fact that we are together in this same space means that like I trust you enough for right now to do something. And that trust didn't come provisioned from some central system that said, Oh yeah, you know, you're, you're down here in this in the same area that this other person is going to be.

And so you can work together and here's all of your policies and here's all of your accounts and all of that. It's like, no, we just showed up and we might not have even known that each other was going to be there and we're going to figure out how to connect. The thing is we do this type of dynamic connection all the time today. But the way that we do it is that people show up and we just hand them a username and password on a sticky note and

say, Hey, this is your account. And and we're going to burn that account when when you leave or when we remember at some point, hopefully in the future. And The thing is like, we're doing that same type of thing for people that we've that just rolled up off the street and people that we have a long standing relationship with. And occasionally people that are actually are provisioned in our sort of larger environment. We just don't have the latest updates yet.

So we're treating all of these accounts exactly the same and they end up all basically in this muddy mess that occurs out in these sort of edge environments. And So what we wanted to do with this concept of a bubble is like embrace that mess and figure out like, what is it actually mean to work within that type of system? What are the constraints here that we need to to work with?

But also on a very practical level, what does it mean to onboard somebody into that from a trusted domain, from an untrusted domain, from no domain at all? And what does that look like within these systems once we actually get all of those tied together? So is the idea here to have like this, I don't know, serendipitous IAM force field that sort of gets erected for a short time? Is it something that's a little more permanent maybe based on location or use case?

Like help me understand, like how these little bubbles, is it one bubble or are these bubbles connected in some way? Oh, there's many, many, many bubbles. So the idea is that we want to really draw the perimeter down as far as we can, and so that when we have one of these groups that's going out into the field, we create a bubble for that. And we provision into that bubble all the stuff that we

know ahead of time. It's like we might have 20 accounts that we know are supposed to be in there. So we can drop those in there, We can drop default policies, we can drop all sorts of stuff into that, create this entity and then send it off. Now, what's important here is that this creates its own separate entity and managed space, because a lot of people that are listening right now are probably thinking, oh, OK, what we're talking about is I have an

IDP, I have a user data store. I'm going to create a shard. I'm going to just shard my ID system. And you get a copy and you get a copy and you get a copy. And then eventually we just need to reach some sort of consensus mechanism about any updates and then it'll all be fine. It's a, it's a synchronization problem. But what we found is that that doesn't take into account the type of dynamism that you actually see out in the field where you've got people coming and going.

You've got people making these real runtime decisions. That it's not that I don't have the latest policy to address this, it's that the policies never thought of this. They couldn't predict this. But I am in a position out on the edge where I need to make a decision.

And so what happens historically is that this is why people create admin accounts with the password admin, because they just need to be able to override a couple of things locally just to get something done because they're out there in the edge and they need to do something. So, you know, let's go back to the to the disaster recovery scenario. You're out there and you've got a bunch of people that show up out of nowhere and just want to help.

You got a, a group of people that roll up in a pickup truck and say, Hey, we're electricians and you can say maybe you are, maybe you aren't. I like nothing is on right now, so I can't actually check that. But you look like you have electricians tools and you know what I'm going to assign you to go, you know, to, to clear out to go clear the wiring on that block and hand me whatever credentials you have. And we will clean up the mess later of authorization and

everything else. We will figure this out later when we actually have the time, because right now it's more important that we get people who can hopefully go do things out there and working to try and help us out. And, and it's the same type of thing that happens in all of these types of environments that we're looking at.

Like we have some type of local information that wasn't accounted for that you know what, I'm going to make a decision right now and I need, I should be able to write down why I made that decision. What was the provenance of that? What was the input to that decision making? And then push that out into some type of auditable log so that when I do reconnect, it's not just, oh, just give me the new copy of everything. And that wipes out all of the

local changes that I made. No, it's like, hey, here's the set of changes that I made, right. Here's the set of decisions that I made locally. And maybe some of those are going to be like, oh, wait, those three guys showed up. Yeah, they don't actually have journeyman's licenses. So go send a licensed electrician to check that entire block that we assigned them to, to make sure that that is actually correct.

Because that is a realistic way to deal with that type of, you know, breach effectively that we've given somebody access to somebody to something that they didn't necessarily have the right to. But given the context, it seemed like it might have actually been a good idea for us to do that. So Justin, is Federation bubbles a concept? Are you working toward it being a standard or is a product or is it all those things at once? That's a great question, Jim.

So I will say it's not a, it's not a product or a single standard. I don't think that there is a, that the solution to this is going to be a single protocol stack. And I can talk about that more in a little bit. It's a, it's a proof of concept that we've been building out in, in different layers and pieces. So for example, we've got an identity provider just to make things very concrete, we, we built out an identity provider that the first time you log in, you give it your identifier.

If it doesn't know you, it goes and figures out where your home IDP is, does a dynamic connection to that. You log in from your IDP and then you immediately, immediately get prompted for a WebAuthn credential. And then the next time you show up at that same IDP with that same identifier, you're only prompted for the WebAuthn credential because we've already gotten all of your attributes from the IDP. We have already, like we took that step of validating your account.

All we need to do now is log you in and we have the machinery to do that locally without having to reach back out across the network every time. So we do that heavyweight federation operation as an onboarding exercise and then from there we are just doing an authentication operation and there's some fantastic technology that lets us do that in a way that's secure and you know, user friendly and all of

those good things today. On top of that, we've also built out with these prototypes at Uber Ether, these trust bundle domains to allow you to, to address these different systems. So one of the things I mentioned is that, you know, we think that there's going to be a lot of different bubbles out there and they're all going to be sort of coming from different trust roots and they're not all tied to the same root.

So you've got folks coming in, you know, going back to the, to the military side, folks coming in from the US, from the UK, from, from France, some other, some other partners coming in. They're all going to be having their own trust roots, their own policy roots, their own account roots. It's ridiculous for us to assume that they're just going to want to synchronize everything into our system so that so that ours work, especially when we are not willing to synchronize our stuff

back out into their systems. And, and it's funny, as soon as you bring that up as an option with a lot of people in the space, you get like the looks of shock and horror are like, like, why would we ever do that? That's a security risk. That's a privacy risk. We would never do that. It's like, OK, but you're asking everybody else to do exactly that in order for these things to work. And so sorry, go ahead. I, I, I want to ask about that item, about people not trusting the sink backwards.

I mean, it seems like if you're establishing some sort of IM bubble, why wouldn't you want to sync back some of that data or some of those attributes for future use? Maybe it's, hey, wait, this guy is a license, we've verified it here. Would you want to carry some of that information forward? I mean, I'm trying to think of like obviously the security aspect of it, but I would think enriching data is generally a good thing though.

Well, yeah. And in the bubbles construct, it absolutely is. We would expect these bubbles not to just be, you know, input only views of the world 'cause they're out there collecting all sorts of information that is going to be useful to other parties in the network. And so we would want that to not only propagate back up any type of tree, but we would also want to be able to share that out to

other peers. So let's say, for example, you know, we're, we're a US thing and we, we show up, we've got our bubble and one person comes over from the UK and we onboard them into our system. And then then we go and we connect our system out to the French system and we can say like, oh, hey, we have this, we have this Brit with us and we validated it. Here's our record of the validation that we did and we can assert that out to you.

So in other words, we're kind of doing an identity proxy at this point, but it's not, it's not the traditional real time online proxying where you're sending them out to the IDP and then to our IDP and then to the other system all at runtime. It's we did that once we wrote it down, here's the record. If this is good enough for you, then great, trust it.

If not, there's a record in here that says, hey, that's where this person's IDP is. So they might connect out to the French system, which then says, you know what, OK, fine, for today, we'll let you in. But if you want to come back tomorrow, we need to talk to your IDP. Once we're back online, we're going to talk to your IDP to make sure, really make sure that that is the right type of

connection. And this is that type of data augmentation that is really, really rich that ends up getting just completely sort of chopped and lost in systems today. Because right now, like I said, what happens is somebody like that shows up, It's like, oh, fine, we'll just make him a local account so that they can log in. And then, and then you lose that entire chain of information, right? You lose all of that rich

information. So now when it goes to, for example, audit things six months later after all of this is, is done, you, you can say, well, I there was somebody that made a local account named Jay McDonald. We don't, that's all that we have. You know, he did a bunch of things. We don't know what that means, whereas opposed to like, no, this is Jim, he came from here. We onboarded him on this date.

We checked the provenance on these, on these dates and these are the things that he did within the system. And it's like, oh, by the way, when I'm back online and I'm doing this sort of, it's not, it's not really a reconciliation in a classical data sense, but it's kind of a this, this reconnection exercise. I can go back and say, oh, like, hey, Jay McDonald came from you guys. He did some shady stuff. And this is the nature of the

shady stuff that happened. You might wanna, you might wanna look into that account a little bit, 'cause we had to like, we had to like shut them down and cordon them off over here for a little while. And that might be news to to Jim's organization or that might have been why they sent Jim, you know. That's just Jim. That's just Jim doing Jim things. Exactly. It started.

Sorry to pick on you, Jim, but you know, just to make it, just to make it really concrete, these are the types of like really local, really individual types of decisions that we, we've got to make. And this notion of, oh, we can just centralized all of our identities that really starts to fall apart. So to to the synchronization thing, that is absolutely key to the whole Bubbles concept and

prototypes. It is antithetical though to an identity shard because if I am only supposed to have my subset copy, my subservient copy of some portion of the IDP, well then what are all of these other accounts doing there? That's, that's aberrance. That is, you know, I'm going off of what I was told was OK, and now synchronizing with all of that. Does that mean that I'm supposed to just throw that out? I'm supposed to eject all of these people that I've onboarded?

Because if you tell me to do that, what am I probably going to do? Just go make new accounts as soon as the synchronization is over, right? Because people need to get things done at the end of the day. This, and this goes back to something I, I know I mentioned in the last show, I very, very deeply feel that security needs to serve functionality. You know, it needs to be there to protect systems, absolutely.

But it's only as good as the functionality that it enables and not the functionality that it prevents. Not the attacks that it prevents, not the, you know, the, the off label stuff that it prevents. It's only as good as the positive functionality that it enables. Well, you're talking about the the usability of security, which I think is, is hugely important,

right? It doesn't matter how many rules you have, if they're not designed around humans, I think it makes it just that much more difficult to comply with. I want to ask you one more question about the bubbles because now I got my head thinking here about these different kind of use cases. Can two bubbles merge to form a

bigger bubble? So in that example that you used of like, OK, well, here is, you know, the US and England and then France. And what if the US and England are working on one thing and then they kind of are working on the same thing? Would it become one big bubble? Would it be two little bubbles that are kind of Federated to each other immediately? Like how do you see that kind of

use case taking place? So I, I, I see it happening in two potential ways, although I think we'll see what it really looks like once once this type of thing is deployed and people start throwing it up against the wall to see what breaks. But where I see it happening is in that type of scenario. I think that if you have an environment where you have two existing groups that need to come together to work on something together, you create a new bubble for that working

together portion. So either one side or the other is going to host it, or you're going to create a new environment where all of this actually happens. And we see that pattern in the research and academia world with virtual organizations and like, people will go stand up a lab that is, yeah, you know, a partnership of seven different universities and a bunch of commercial firms and some

government funding, right. Like that's, that's exactly the type of like weird collaboration that we should be taking inspiration from. Now, in the academic world, the assumption is that you're online so that you can check IDPs, you can check account records, you can do all of that type of

stuff. But if we take that type of dynamic environment and move it into this space where it's a lot more dynamic and it's not like we can't really sit down and plan this over a, a bunch of grant writing sessions. We just kind of have to make it happen. Like that's the type of space that I'm talking about.

So to me, I think the most sensible thing would be for these organizations to create sort of a new bubble that's running somewhere, it almost doesn't matter where at this point, but it gets onboarded by members of both of those bubbles into that space. So now you have this separate independent environment that is then sort of parented to two other places and it knows how to talk back to both of those, both

of those other domains. And immediately you can start to see where the shard thing doesn't work anymore because like this is not a subset of either of those. It is a subset and union. And this is the type of math that doesn't work with trees, right? They, they get too, too tangled with each other like this. We are very deeply into graph territory now. Justin, you mentioned a company that you're working with on this Federation Bubbles concept, UberEther.

I've never heard of them. What do they do? So UberEther is a technology integrator in the US. They do a lot of work on the federal government side, a lot of identity platform type of stuff. So a lot of government agencies, you know, don't have the, don't have the IT depth to go and stand up a secure identity system.

UberEther will run that. They don't actually, they don't have an identity sort of a core identity product like a Ping or ForgeRock, although I guess that's the same thing now, or, or anything like that. But, but they will give you a platform that runs that and sets that up with all of like the provisioning and all of the bits and pieces that make the most sense for that given agency and organization.

And a big part of this, a big part of what they've been working on is stuff with the Department of Defense, which as you can imagine, both needs pretty advanced functionality and is also, quite frankly, 20 to 30 years behind the times in terms of this notion of what, what technology we actually feel like running. Like I mentioned, I used to work for a company called MITRE. We did tons of work with the US

federal government. I was on the research side, but I still touched a lot of the customer side stuff while I was there. And I remember back, I want to say this was like, this is about 10 years ago now, but talking with a government group even then. And they were like, well, we just heard of this new thing called SAML and we're thinking about using it, but we're not sure yet. And the reason for this is that

these systems move very slowly. And some of that's a good thing 'cause it's a little bit more predictable, but it also, you, you lose out on a lot of the like, well, we need to go solve all of these problems. And we're trying to do it with, with this technology that has been around for 30 years. It's, it's a really difficult mismatch. So anyway, UberEther will basically build and run modern identity platforms for all of these different groups. They specialize with, with the federal stuff.

But it's not just necessarily that space. Cool. So you had mentioned a couple of standards. I wanted to talk about those. The first one was WIMSE, the second one was SPIFFE. Can you kind of give us the overview of what they do and maybe an add-on of what the tie-in back to Federation Bubbles was? So starting with WIMSE. Yeah, of course. So they're actually, they're

actually related. So WIMSE is the Workload Identity in Multi-System Environments working group in the IETF, the IETF being the standards body that gave us things like HTTP and OAuth and TCP and TLS and all of these other great acronyms. And what we're doing with, with WIMSE, which has to be one of my favorite acronyms to date, is we're trying to look at the space of workload identity. So let's say you're out and you, you need to spin up one of

these, one of these bubbles. Well, that's a stack of software and all that software is just going to be kind of like waking up. And just like in its environment, you need to know that your database is connecting to the right things. That your your API processing is going through all of the right channels, that your filters are all lined up in the OR in are lined up in the in the right

ways. That everything is running software that actually has a good software bill of materials to it, that all of that's been verified and validated, and you need to be able to secure and reason about all of the connections between all of these pieces. Well, solving that is actually where, solving parts of that is actually where SPIFFE comes in. And I always forget what SPIFFE stands for. It's secure something identity

for everybody. It's SPIFFE. We'll have a, a link in the, in the show notes, I'm sure. And, and what SPIFFE does is that when a piece of software wakes up, sort of the environment around the software says, oh, here's your identity, here's your, your credentials for calling other people. And importantly, here's the set of things that you trust. So it's this bootstrapping of trust at a very, very fundamental software level at

runtime that SPIFFE solves. What we're doing with WIMSE is saying like, OK, so we can get that part and we know how to talk to different things in terms of like OAuth authorization or, you know, user identities coming in or credentials coming in. How do we start to reason about systems as we connect them all together and especially as we

cross security boundaries? You know, it might not be enough that it's just, oh, this one workload is connecting to this other workload and they're allowed to do whatever they're allowed to do. I might actually want to know that in order for this one to call the second one, well, something else has to have been called first. Maybe that's an auditing system or maybe that's a very specific gateway that that request has to come through before this is even allowed to talk to me.

Now in today's systems, a lot of a lot of stuff is like you're down here on the leaf node and you're like, Oh, well, if somebody's calling me, everything must have gone right. And so I can just trust that everything else happened just fine. And then I'm just going to do my little job and then that's it. Obviously that's very fragile. That's a very sort of, you know, harden the exterior and keep the inside soft and squishy type of type of thinking.

As we move towards smaller and smaller boundaries around zero trust thinking, we need to be able to say like, OK, not only is the correct party calling me, they're calling me in the right context. It came through the right call chain, which may actually not even be a single linear chain. You know, it may have graphed off into a whole bunch of different systems before it ever got to me. If I can quickly check that against something that said, here's the list of things that you trust.

Here's the policies that you're supposed to check it against. Well, then I can actually make some real determinations about what I'm supposed to be doing here in this system. And that's the type of stuff we're doing in WIMSE.

So how this relates to bubbles is we spin up this bubble and yeah, we need to be able to identify all of the pieces that are running inside of it. But also, I think that there's a lot of applicability at a more macro level because once I spin up one of these bubbles, well, I'm going to want to be able to talk to other bubbles. That means I need to be able to

address another bubble. When I send a user, so I've got this Jim McDonald guy that I'm sending over to you and I actually got his account from somewhere else. Well, I need to be able to say somewhere else in a way that makes sense to you. I need to be able to say through me in a way that makes sense to you. And we can't just assume that everything is on a publicly available web-based URL like a lot of the, a lot of the federation systems that we, we have today actually do.

One of the things that SPIFFE gives us is a way to build out URLs within their trust bundles that, that actually make sense contextually. And this actually brings up a, a really, really interesting tie-in from the very beginning of the show, which is the award of the greatest dad ever, I believe it was. And here's the thing, it's

absolutely reasonable. I think we all know that is absolutely reasonable for every kid to give their dad the greatest dad mug because that is a contextual assertion, right? Greatest dad of all time is a contextual exactly. And so that is the bit that makes that truly meaningful. It's not actually a global declaration. As much as we love, we love to joke about that. Like I, I, I love that joke. It's a great, it's a great standby. It's really wonderful.

But the truth of it is that just like in all of these security systems, it's contextual. Like I might be needing to make a decision about what to do next based entirely on only the things that I know in my environment. And I might have some policy that says only the greatest dad of all time can call this API and and when he does then then he gets the data. Everybody else I just give him a 403 and say Nope, not going to happen. Thing is, how do I determine that?

How do I determine the validity of that assertion? It's probably going to be it's only asserted by people that I trust to make that particular assertion within a context that I am comfortable with validating it in. And that's the reality of all of these security systems that are out there today, whether we like to think about it that way or

not. I think we're too quick to say like, oh yeah, we're going to solve things on a global scale, like we'll have an authorization policy for every system that we deploy and it's all going to be the same. We're going to manage it centrally. We're going to have like a Cedar file that we just send out to everybody and it's just going to work. It's like, OK, that's, that's going to get you some distance

of the way. But eventually down there at the nodes, I'm going to need to be able to decide. Well, you claim to be the greatest dad. Do I believe that? Like who said it? Where does that come from? And yeah, if your kid tells you that, that's great. If a random stranger on the street handed you that, I think it would be a much stranger type of conversation than. What I do in my own time is my

own business just. You know, no judgement here, no judgement but but really that's really one of the core things here is that we're embracing that contextuality. We're embracing that messiness at the edge and just admitting that it's there and admitting that it's not part of a problem, but it's just it's part of the world.

That's just how this works. And so by no longer pretending that that's not part of this overall conversation, now we can really start to make some smart decisions about it. You know, we can really start to think about how we process these things, how we talk about these things 'cause I can now actually say like Jim's kids called him the greatest dad. That is a, that is an assertion that I can make and you can do

with that whatever you like. You know, I can, I can check the provenance. That might be good enough for me. That might not be good enough for you because we're operating in different contexts, and I need to be able to make those statements and reason about those statements in a way that crosses boundaries, in a way that actually makes sense. So SPIFFE solves the identity piece just for that running bit

of software. WIMSE's looking at how do we reason about this across multiple systems, especially across security domains. And the bubbles concept is really looking at that, at a, that same style of thing, but at

a macro level. You know, how can I have an identity system that I know is independent and that I that I treat as independent and that is not always connected but is not always disconnected 'cause like when I come back online, like you were saying, Jeff, I want to be able to say like, hey, these three electricians came on. Can I double check all of their credentials right now? OK, great, thank you.

Right. I want to be able to do that kind of thing and not just sweep all of that under the rug. Yeah, it's a real interesting concept. I'd be curious to see how it continues to evolve and more importantly, how does this actually make it into the real world? Right. From a thought experiment and and I will assume there's probably stuff that's happening, but it seems like it's very much still on the upward trajectory of figuring things out, right?

Absolutely. We're building into bits and pieces, figuring out where the technology gaps are, deploying it where it makes most sense. And one of the things I've said from the very beginning of this is that it's, it's not a product, it's not a technology stack, it's not even a standard, because there have been attempts to have like a global vision of distributed identity systems. And it's like, well, if everybody would just use this agent, then all the problems

would go away. And that's just, that is never going to happen because as soon as you want to connect to somebody else, they're going to be using a different agent, right? They're going to be using a different schema, they're going to be using something that's not the same. And so the interoperability here, I think, needs to be about as messy as, as it, it, it can be and still connect, because that's, that's how human systems work.

So I'm looking forward to the next RSA where we start to see products with, you know, 100% more bubbles or something like that, just like we saw with the AI and Zero Trust and all that other stuff. I want to wrap up our conversation on a lighter note and I'm happy to say that I am a sponsor or contributor or funder, I'm not sure what the right word is. Backer, I guess, is probably the right word, of a new board game that you had been working on called Natturuval.

Talk about that 'cause we've got a link in our show notes. It sounds really cool. And I also want to get into Cards Against Identity for, for a couple minutes. But tell us about Natturuval. What is it? Yeah. Well, so one of the things we talked about last time is that one of the other things I do beyond all of this identity stuff is I really enjoy board games and I've, and you know, I like designing them.

Cards Against Identity is something that I've, I've published a new version of every single year over the last five years or so. And that's been a very small sort of niche thing that, that shows up at the identity conference circuit. But with Natturuval, this is a game that actually came to me through a friend of mine who I met in, she's based in Iceland. And she came up with the original idea of this game when just talking with her kid who

was I think 9 or 10 at the time. And he just wanted more facts about animals. So like, hey, mom, can you just make a bunch of the animal flash cards and let's make an animal game. Let's do something. And so she came up with this idea of basically having animal flash cards with a bunch of statistics about the animals on the cards and then rolling dice to compare the statistics. Very simple rules, very simple mechanics, really easy for kids

to pick up and learn and play. She showed me this game a couple of years ago and it had been sitting around in the back of my mind like, like, there's this there, this is a neat idea. Like this is, this is pretty, pretty neat. Now, she had been just printing things out on her home printer and, you know, putting contact paper over them because I had been doing game design and prototyping for a couple of

years. I actually printed up, I went and designed and printed up an actual prototype, sent one copy to her in Icelandic with the condition that she translate it into English so that I could also have a copy. And then we had those for a little while and we're playing with, with our kids and with friends and stuff. And both of us were like, this is, this is a fun game. Like this isn't just like a, a neat little hobby. So we want to make this into like a real commercially

available board game. So what we're doing right now is we're trying to raise enough money through, it's basically pre-orders with a bunch of extras, through Gamefound. And like Jeff said, you can find the link in the show notes. And the way that it works is if, if we reach our goal by the end of it, then we are going to get a full set of these games printed from an actual game manufacturer.

It's actually the same printer that does Wingspan and Pandemic Legacy and Gloomhaven and a bunch of other like really big games. They're, they were. Legit. Yeah, they were really excited to work with us little indie developers. It's a, it's a team of three people total, and that's, that's been working on this. Four, if you count my friend's son, who's arguably the original designer for this whole project. And, and yeah, we're trying to, we're trying to kick this off.

And so yeah, please check out the game. I spent way too much time putting together the, the little pitch video that's on that website. So, and that runs until I think mid-July. So if you, if that sounds interesting to you or if you know somebody it sounds interesting to, please check it out and send it along. Yeah, we'll have a link in our show notes. I'm a backer. I bought one for myself and one to give to my local community

thing. I think that's still to be determined, right, how you like determine where, where the extra copies will go, but. Yeah. So that is, that is something that we're doing with this because it's an educational game. We're giving people the option to basically pay for extra copies that then get donated and shipped out to, to schools, to libraries, to community centers, to all sorts of things like

that. So, so yeah, you can get, you can get a copy for yourself and there's a bunch of extras that you can do too, like our artist is, is gonna be like sketching animals for people. Or you could actually design a card to go in this. So we've got friends who, like people have already contacted us that they're getting like their friends' pet cats on a card in this with whatever stats you want. We don't care if they're

accurate at that point. And so like my kid's hamster is probably gonna be, gonna be one of, one of the cards. But yeah, in addition to all of those extras, we're, we're letting people sort of donate this to spaces that wouldn't have the opportunity to just go out and buy a $20 board game. And, and that's something that we really, we, we felt really strongly about going into this. Yeah, it's a very cool idea. I love the art style of the direction of it.

Like I said, I've, I've, I bought 2, so I'm looking forward to getting that one out. Cards Against Identity real quickly. What's the latest on that? Was there a new pack for this year? I, I don't, I forgot to ask you at Identiverse about it, but. Yeah, so there was a new pack this year.

I, so it's one of those things that if you catch me on, on the spring identity conference circuit, then I usually have a backpack full of them with me. Those sold out through the absolute gauntlet that was Identiverse immediately followed by EIC, plus a bunch of other stuff around that time. But you can go to cardsagainstidentity.com and that will actually, you can, you can buy it online since that's a

small run. It's a, it's basically goes through a print-on-demand service, but you can get everything all going all the way back to the original 2019 deck. What's your favorite white card and black card for this year? For this year, oh my gosh. So I think my favorite black card is "That's it. I'm creating my own standards organization with blank and blank." And white card, oh my gosh, there's so many different, there's so many cards now across all the years that I

have to remember. I, I will say my, you know, instead I'll give you my favorite white card of all time, which was from a couple of years ago, was the Super Vittorio card. As, as you know, there, there was somebody in our community, an absolute giant, Vittorio Bertocci. And there was, there's this video that's still on YouTube of him as a superhero anime character.

And I was able to actually clip that from the video and get that onto, onto a card. And that, that I don't think that one's gonna get replaced as my favorite card for a very long time. That's a tough one to top for sure, and well earned too, by the way. OK, why don't you go ahead and wrap it up, I think, for this week. Justin, thank you so much for spending time with us. I'm really interested to see how this bubble, how these bubble things take off. I guess terrible pun, error rising.

I don't know. So, you know, keep us posted on how that's goes on, how that goes. I'm sure there's other topics we want to talk about with you in the future. So we'll have you back if you are so inclined. Absolutely, thank you for having me on again. I would love to come back. Yeah, and I appreciate it. I, I, I mentioned before you, before we started, you're a real pro from a microphone and a recording and all that good stuff. So two thumbs up, makes my job easier.

And this isn't even the good one. Let's see what the computer that's back there. You got so many that you're choosing from. Meanwhile, I'm here in a Springfield Suites in Minnesota. Oh, it's. It's with a lovely mini, can you call it a kitchen? I mean, it's got a mic, it's got a microwave and a fridge and I don't. Know, drink the tap water. Yeah, it's pretty bare. All right, let's leave it there.

idacpodcast.com, Twitter at IDAC podcasts, the YouTube channel youtube.com slash at IDAC podcasts, Mastodon, IDAC podcast at infosec.exchange. Do all those cool things, like, like, subscribe, share with your friends, share with your enemies, doesn't matter as long as people hit that button. I don't care who does it, and we'll leave it there for this week. So thanks everyone for listening and or watching and talk with you all in the next one. You've been listening to Identity at the Center.

We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed: download file