<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TATWD</title>
	<atom:link href="http://tatwd.net/feed/" rel="self" type="application/rss+xml" />
	<link>http://tatwd.net</link>
	<description>=victor.grey weblog</description>
	<lastBuildDate>Fri, 10 Feb 2012 16:43:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Thinking about PAX</title>
		<link>http://tatwd.net/2012/02/thinking-about-pax/</link>
		<comments>http://tatwd.net/2012/02/thinking-about-pax/#comments</comments>
		<pubDate>Fri, 10 Feb 2012 01:56:50 +0000</pubDate>
		<dc:creator>victor</dc:creator>
				<category><![CDATA[Tech Notes]]></category>

		<guid isPermaLink="false">http://tatwd.net/?p=71</guid>
		<description><![CDATA[Departing from my format of once or twice a year postings on random musings and life-changing events, I&#8217;m going to start a series (i.e. possibly more than one) of posts on technical stuff I&#8217;ve been thinking about. I was at the Planetwork N2N meeting last month, and Mike Schwartz included in his presentation a recommendation [...]]]></description>
			<content:encoded><![CDATA[<p>Departing from my format of once or twice a year postings on random musings and life-changing events, I&#8217;m going to start a series (i.e. possibly more than one) of posts on technical stuff I&#8217;ve been thinking about.</p>
<p>I was at the Planetwork N2N meeting last month, and <a href="http://www.gluu.org/?p=40">Mike Schwartz</a> included in his presentation a recommendation that people have a look at the <a href="http://openid.net/connect/">OpenID Connect</a> standard. He thought it was a worthy simple replacement for the complexities of SAML in many cases. That evening when I got home, there was an email in my inbox to the IDCommons list from Mike Jones pointing to an article by Nat Sakimura called <a href="http://nat.sakimura.org/2012/01/20/openid-connect-nutshell/">OpenID Connect in a nutshell</a>. (This cast of characters will be familiar to current or former participants of the <a href="http://www.internetidentityworkshop.com/">Internet Identity Workshops</a> and/or the Oasis XRI/XDI technical committees.)</p>
<p>When something new (to me) gets mentioned twice in one day by independent sources, it&#8217;s the virtual equivalent of the proverbial book falling off the shelf and hitting me in the head &#8212; a &#8220;pay attention to this&#8221; message from the universe. So I read Nat&#8217;s article carefully.</p>
<p>As I said to Mike Schwartz when I saw him again two days later at a different meeting, I liked everything I&#8217;d read so far about OpenID Connect except the OpenID part. His response was that the only part of OpenID that remained in OpenID Connect was the name, which seems to be true. As Nat says in his post, &#8220;To turn an OAuth 2.0 request into an OpenID Connect request, simply include openid as one of the requested scopes.&#8221; The response then contains the standard OAuth access token, but also an &#8220;id token&#8221;. If I understand the point correctly, the server is basically saying that along with an access token to acquire data about this user, I&#8217;m certifying with the id token that this user was able to authenticate with me &#8212; thus facilitating SSO.</p>
<p>Evidently, the reason I needed to pay attention to OpenID Connect was to stimulate me to flesh out the affiliation feature of <a href="http://metaconnectors.com">MetaConnectors</a>. The point of this article is to propose what I think is an even simpler and imho better method for SSO and data exchange authorization than OpenID Connect &#8212; in the special case of peer affiliates. Until dissuaded I&#8217;m going to call it PAX, as in P(p2p and pki)A(affiliate)X(whatever). It&#8217;s also the Latin word for peace. :-)</p>
<p>Peer-to-peer Public Key Infrastructure (PKI) is at the core of PAX. MetaConnectors publishes a public key (in the form of an X509 cert encapsulated in a JSON XRD) for each network and each user, for example <a href="https://admins.metaconnectors.com/victor/xrd">this</a>, or for human readability <a href="https://admins.metaconnectors.com/victor/xrd.html">this</a> (forgive the self-signed certs and resulting browser warnings &#8211; these will become CA-signed certs before we go into production). The corresponding private keys are held in our database. This is quite easy to do &#8212; all the popular programming languages support OpenSSL, and OpenSSL creates key pairs and reads and writes various types of certs. I chose X509 as the most venerable and familiar certificate format &#8211; it is after all just a standard container that includes the public key and some metadata about it. Ruby has good OpenSSL support, although the documentation for it is virtually nonexistent. I wrote and open-sourced a <a href="https://github.com/victorgrey/cert_lib">library</a> to wrap the parts I needed, just to make it easier to understand and use.</p>
<p>PAX also makes use of the <a href="http://tools.ietf.org/html/draft-jones-json-web-token-07">JSON Web Token</a> (JWT). One of the things I liked best about OpenID Connect was the use of the JWT, which is basically a string divided into three fields (by &#8220;.&#8221; dots), where (when used in signature format) the third field is a base64url encoded signature over the first and second fields. The second field is a base64url encoded version of the plaintext JSON data structure. The first field is a header field with algorithm info, also in base64url encoded JSON. So clean, so simple. (Compare with the horror of XML DSIG.)</p>
<p>Other relevant standards are the <a href="http://docs.oasis-open.org/xri/xrd/v1.0/xrd-1.0.html">Extensible Resource Descriptor</a> (XRD) in <a href="http://hueniverse.com/2010/05/jrd-the-other-resource-descriptor/">JSON format</a> (called a JRD), and <a href="http://self-issued.info/docs/draft-jones-simple-web-discovery.html">Simple Web Discovery</a> (SWD).</p>
<p>Affiliates in the PAX system have mutually agreed to affiliate beforehand by an out-of-band process (could be a phone call or email, or a more automated process involving web forms). As part of that process they have exchanged <a href="http://tools.ietf.org/html/draft-jones-simple-web-discovery-02">Simple Web Discovery</a> and possibly <a href="http://tools.ietf.org/html/draft-hammer-hostmeta-05">host-meta</a> URIs, which in turn supply various other service URIs used in the examples below. In a peer system each party can act as a client &#8212; the one who requires data, or a server &#8212; the one who offers data. I&#8217;ll describe several scenarios, and how PAX is used in each. In each case, a person who is participating in this process will be called a &#8220;user&#8221; and an organization or collection of users participating in the peer system as a collective entity will be called a &#8220;network&#8221;. For these examples we will imagine two affiliated networks, the Association of Affiliates (AOA) and the Network for a Better Planet (NBP). For the sake of clarity, the examples gloss over many details, some of which I&#8217;ll address in a later post.</p>
<p>Scenario 1. Client initiates single sign-on:</p>
<blockquote class="wide">
<p>In this scenario, a user registered at NBP starts at the website of affiliated network AOA, wishing to be authorized by AOA as an affiliated user. AOA offers an affiliate login form that says something like &#8220;Login as a participant in&#8230;&#8221; followed by a selection list of affiliated networks. The user chooses NBP from this list, which causes the user&#8217;s browser to be redirected to the NBP authentication URI, constructed like this (line breaks added):</p>
<pre>https://nbp.org/authentication?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.
eyJpc3MiOiJhb2Eub3JnIiwiaWF0IjoxMzI4NzE2MjIzLCJleHAiOjEzMjg3MTY1MzMsImp
0aSI6IlZUT2FCdEY2enRmR3ZBIiwiYXVkIjoibmJwLm9yZyJ9.
n53mdKp7NRcIiAd_USwqE1PnUNK-R5eUYHXtAkopjsyAba1Oi_ji7Yc3xzAr0CQMZrQZ5je
vihIAeHinUiTnsr0ua-cIFXEu45vwMa5c7gmm281ugkGMMEmD5wf-v4xI8HYjjPTnAjmAYn
G_71Jk3xFLewqH8NQxoDtarYEPCayZFz7pS-MV52OjLJRI4hh3Z4AHGnDMXm1j3NlMjXfMZ
B_A-yk-QSxJmLcFlzUhr6IPwm6fk58ZfkIyEyppyPJ_UdgFM_NDZtCJXmIWabsBzrIQH0Tg
254qTZhWunE-u79P6qxm1p2kclzrHntKUiDtxYb7ktile2AHaJqZbGliCg</pre>
<p>Now, that&#8217;s one ugly URI to human eyes, but trust me it&#8217;s really a thing of beauty. It consists of NBP&#8217;s authentication URI template &#8220;https://nbp.org/authentication?jwt={jwt}&#8221; (discoverable via Simple Web Discovery and host-meta), with the {jwt} template variable replaced by an actual JSON Web Token. If you base64url decode the second field you get the JSON payload, aka the &#8220;JWT Claims Set&#8221; (here formatted for readability):</p>
<pre>{
  "iss":"aoa.org",
  "iat":1328716223,
  "exp":1328716533,
  "jti":"VTOaBtF6ztfGvA",
  "aud":"nbp.org"
}</pre>
<p>The keys in the above example are all JWT Reserved Claim Names. They translate as follows: &#8220;iss&#8221; denotes the issuer of the claims set, &#8220;iat&#8221; is the &#8220;issued at&#8221; timestamp, &#8220;exp&#8221; is the time beyond which the JWT is no longer valid, and &#8220;aud&#8221; is the audience the claim set is meant for. A random value unlikely to repeat, sometimes known as a nonce, is here called a JWT ID, or &#8220;jti&#8221;. Taken together and signed, these values provide resistance to replay attacks.</p>
<p>The JWT is validated by the server by first retrieving AOA&#8217;s public key, either from cache if it hasn&#8217;t exceeded its expiry time, or via AOA&#8217;s JRD, then verifying the signature in the request and ensuring that the timestamps are within range, and that the jti hasn&#8217;t been seen before. The jti nonces should be kept by the server for some small increment beyond the expiration timestamp, so that the same nonce and timestamp combination can never be used again. I&#8217;ll refer to this whole sequence as &#8220;verifying the JWT&#8221; in the following examples.</p>
<p>In the examples that follow, I will also be adding Private Claim Names to the claims sets, i.e. names that are defined by PAX. I won&#8217;t hurt your eyes with any more JWT&#8217;s, but just show the URI templates and the JSON claims sets.</p>
<p>To proceed with Scenario 1, when the NBP authentication server receives the above request, it verifies the JWT. Now NBP knows that this request came from AOA. There are some inherent phishing mitigation possibilities here, which I will discuss in a later post. NBP then authenticates the user via whatever means NBP uses for that (probably user name and password for now). NBP then redirects the user to AOA&#8217;s authorization URI (cached or looked up), constructed like this:</p>
<pre>https://aoa.org/authorization?jwt={jwt}</pre>
<p>with a JWT Claims Set like this:</p>
<pre>{
  "iss":"nbp.org",
  "iat":1328716253,
  "exp":1328716553,
  "jti":"wFnCyBMkqH33YQ",
  "aud":"aoa.org",
  "prn":"nbp.org/victor#1316743228"
}</pre>
<p>Here the &#8220;prn&#8221; key is a JWT Reserved Claim Name denoting the subject (principal) of the claim. It should be a persistent non-reassignable pseudonym for the user in question. More on the way I&#8217;m constructing a non-reassignable pseudonym later.</p>
<p>When the user arrives at AOA&#8217;s authorization URI with those parameters, AOA proceeds as follows: first retrieve NBP&#8217;s public key, then verify, decode and validate the JWT. The user can then be considered by AOA to have been authenticated by NBP.</p>
</blockquote>
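<p>As an added example that is not part of the original post (nor of the cert_lib gem), here is the &#8220;verifying the JWT&#8221; sequence from Scenario 1 in Ruby: an RS256 signature check against the affiliate&#8217;s public key, the timestamp window, the audience, and a jti nonce store that is kept a little beyond the token&#8217;s expiry so the same nonce cannot be replayed. The PaxVerifier class, its method names and the locally generated key pair are assumptions; the claims set is the sample from the post.</p>

```ruby
require 'openssl'
require 'json'
require 'base64'

# Added example, not code from the original post or from cert_lib.
# PaxVerifier and its method names are assumptions; the claim names
# (iss, iat, exp, jti, aud) are the ones the post uses.

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Build header.claims.signature, signed RS256 with an RSA private key.
def pax_jwt(private_key, claims)
  header = { "typ" => "JWT", "alg" => "RS256" }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

class PaxVerifier
  # audience:    this server's own name, i.e. the expected "aud"
  # issuer_keys: affiliate name => OpenSSL::PKey::RSA public key; stands in
  #              for the cached-or-fetched JRD lookup the post describes
  # nonce_grace: seconds a jti stays remembered beyond the token's "exp"
  # skew:        tolerated clock difference for an "iat" in the future
  def initialize(audience:, issuer_keys:, nonce_grace: 60, skew: 30)
    @audience    = audience
    @issuer_keys = issuer_keys
    @nonce_grace = nonce_grace
    @skew        = skew
    @seen        = {} # jti => time after which it may be forgotten
  end

  # Returns [true, claims] or [false, reason]. Checks follow the post's order:
  # issuer key, signature, timestamps, then jti replay.
  def verify(jwt, now: Time.now.to_i)
    parts = jwt.split('.', -1)
    return [false, "malformed token"] unless parts.length == 3
    header_b64, claims_b64, sig_b64 = parts
    header = JSON.parse(b64url_decode(header_b64))
    claims = JSON.parse(b64url_decode(claims_b64))
    return [false, "malformed token"] unless header.is_a?(Hash) && claims.is_a?(Hash)
    # The token never gets to choose its own algorithm: PAX signs RS256 only.
    return [false, "unsupported alg"] unless header["alg"] == "RS256"
    pub = @issuer_keys[claims["iss"]]
    return [false, "unknown issuer"] unless pub
    sig = b64url_decode(sig_b64)
    unless pub.verify(OpenSSL::Digest.new('SHA256'), sig, "#{header_b64}.#{claims_b64}")
      return [false, "bad signature"]
    end
    return [false, "wrong audience"] unless claims["aud"] == @audience
    iat, exp, jti = claims.values_at("iat", "exp", "jti")
    unless iat.is_a?(Integer) && exp.is_a?(Integer) && jti.is_a?(String) && !jti.empty?
      return [false, "missing or malformed iat/exp/jti"]
    end
    return [false, "issued in the future"] if iat > now + @skew
    return [false, "expired"] if exp <= now
    forget_old_nonces(now)
    return [false, "replayed jti"] if @seen.key?(jti)
    @seen[jti] = exp + @nonce_grace
    [true, claims]
  rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError => e
    [false, "undecodable token (#{e.class})"]
  end

  private

  # A nonce is only dropped once its token could not be accepted anyway.
  def forget_old_nonces(now)
    @seen.delete_if { |_jti, keep_until| keep_until <= now }
  end
end

# Scenario 1, first leg, with the post's sample claims set. The key pair is
# generated here, so the signature differs from the one printed in the post.
def demo
  aoa_key = OpenSSL::PKey::RSA.new(2048)
  keys = { "aoa.org" => aoa_key.public_key }
  nbp = PaxVerifier.new(audience: "nbp.org", issuer_keys: keys)
  claims = { "iss" => "aoa.org", "iat" => 1328716223, "exp" => 1328716533,
             "jti" => "VTOaBtF6ztfGvA", "aud" => "nbp.org" }
  token = pax_jwt(aoa_key, claims)
  now = 1328716300 # inside the iat..exp window
  first  = nbp.verify(token, now: now)      # => [true, claims]
  replay = nbp.verify(token, now: now + 1)  # => [false, "replayed jti"]
  late   = PaxVerifier.new(audience: "nbp.org", issuer_keys: keys)
                      .verify(token, now: 1328716600) # => [false, "expired"]
  { first: first, replay: replay, late: late }
end

demo.each { |name, result| puts "#{name}: #{result.inspect}" } if __FILE__ == $0
```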
<p>Scenario 2. Server initiates single sign-on:</p>
<blockquote class="wide">
<p>The first scenario, where the user is redirected by the client, contains inevitable phishing vulnerabilities. They can be mitigated somewhat, but since all phishing mitigation schemes require an alert user, and all users are at times tired, distracted and/or in a hurry, the danger can never be entirely eliminated. Safer for the user (and more efficient all around) is to begin SSO at the server, as follows: the user logs into a network where they have established an account directly, in this case nbp.org. The NBP website has a page listing affiliated networks. To SSO into an affiliated network, the user simply clicks on one of these links. This causes the user to be redirected to the chosen affiliate&#8217;s authorization URI, constructed exactly as in the second part of Scenario 1, and the affiliate authorizes them the same way.</p>
</blockquote>
<p>Scenario 3. Client requests data that is pre-authorized for affiliates:</p>
<blockquote class="wide">
<p>AOA wishes to access data that is under the control of an NBP user (profile data, posts, pages, or whatever). The user has previously set permissions on their NBP account that permit affiliate organizations to access some or all of the data that they&#8217;ve entered at NBP. In this scenario the user is not necessarily present although they may be, but via previous interaction, AOA knows the user&#8217;s identifier at NBP. AOA sends a request to NBP&#8217;s data access URI constructed like this:</p>
<pre>https://nbp.org/data_access?jwt={jwt}</pre>
<p>with a JWT Claims Set like this:</p>
<pre>{
  "iss":"aoa.org",
  "iat":1328818771,
  "exp":1328819071,
  "jti":"njbcHnRj7Nv4NA",
  "aud":"nbp.org",
  "prn":"nbp.org/victor#1316743228",
  "scope":"profile"
}</pre>
<p>Here we have added a &#8220;scope&#8221; parameter, and its semantics and syntax are exactly the same as in OAuth. When NBP receives this request, it validates the JWT, then checks to see if this user has pre-authorized the release of all or part of the requested data to affiliate organizations. NBP then responds with a JWT, the claims set of which includes a &#8220;scope&#8221; array, and a &#8220;data&#8221; object containing the requested data if authorized. The scope value should be an array of objects, one for each scope requested. The possible values for each scope object are &#8220;allowed&#8221;, &#8220;denied&#8221;, or &#8220;partial&#8221;. If no data was allowed to be sent consistent with the user&#8217;s pre-authorized settings, the data object will be null.</p>
</blockquote>
<p>Scenario 4. Client requests data that requires user authorization:</p>
<blockquote class="wide">
<p>This scenario most closely resembles the primary use case for OAuth. We accomplish it using almost exactly the same procedure as outlined in Scenario 3, except that the user must be present at AOA, and instead of AOA sending a data access request directly to NBP, it redirects the user to NBP with a data access request constructed as in Scenario 3, with the addition of a &#8220;request&#8221; value in the claims set, a token with which AOA can identify an asynchronous response. NBP must then present a UI to the user that shows what is being requested and by whom, and affords the user a way to approve or deny part or all of the request. Once the user has made her choices, she is redirected back to AOA&#8217;s data-available URI with a new JWT containing a claims set like this:</p>
<pre>{
  "iss":"nbp.org",
  "iat":1328818771,
  "exp":1328819071,
  "jti":"njbcHnRj7Nv4NA",
  "aud":"aoa.org",
  "prn":"nbp.org/victor#1316743228",
  "scope":"profile",
  "request":"PpLfO0bi8CKBCA",
  "authorization":"allowed"
}</pre>
<p>The scope and request values repeat the corresponding values from the request, so that AOA can identify which request is being responded to. The possible values for the &#8220;authorization&#8221; parameter are &#8220;allowed&#8221;, &#8220;denied&#8221;, or &#8220;partial&#8221;, with the possible addition of a second space-separated value of &#8220;permanent&#8221;. The presence of the &#8220;permanent&#8221; value indicates that the user has chosen to permanently allow the selected access to the requesting client. The absence of the &#8220;permanent&#8221; value implies that a one-time only access has been made available. In that case, the server should have set temporary permissions for the selected data for the client organization only, which are then cancelled after one access.</p>
<p>The client may then make a new data request just as in Scenario 3.</p>
</blockquote>
<p>Scenario 5. Server pushes data to subscribed clients:</p>
<blockquote class="wide">
<p>This scenario makes use of the <a href="http://www.eventedapi.org/spec">Evented API</a> spec, which is an elaborated and constrained use of the <a href="http://wiki.webhooks.org/w/page/13385124/FrontPage">Webhooks</a> proposal.</p>
<p>One typical use case would be that AOA has acquired a copy of an NBP user&#8217;s profile data (using Scenario 3 or 4), and wishes to keep that profile copy current when the NBP user updates their authoritative profile at NBP.</p>
<p>AOA for example can subscribe to be notified of changes to the profile of the NBP user &#8220;nbp.org/victor#1316743228&#8221;, by sending an HTTP POST request to the NBP event-subscribe URI, with the POST body containing a JWT that might look like this:</p>
<pre>{
  "iss":"aoa.org",
  "iat":1328820639,
  "exp":1328820939,
  "jti":"CLQ5kLG5G7nG3g",
  "aud":"nbp.org",
  "prn":"nbp.org/victor#1316743228",
  "scope":"profile",
  "subscribe":true,
  "notify":"https://aoa.org/data-available"
}</pre>
<p>Whenever an NBP user that AOA subscribes to updates their profile, NBP sends a POST request to the &#8220;notify&#8221; URI with a claims set like this:</p>
<pre>{
  "iss":"nbp.org",
  "iat":1328820951,
  "exp":1328821251,
  "jti":"lCZTYcO1XIBstQ",
  "aud":"aoa.org",
  "prn":"nbp.org/victor#1316743228",
  "scope":"profile",
  "_domain":"nbp.org",
  "_name":"update",
  "_timestamp":1328820950,
  "urls":["https://nbp.org/data_access?jwt={jwt}"]
}</pre>
<p>The last 4 keys in the above JWT are from the <a href="http://www.eventedapi.org/spec">Evented API</a> spec. AOA may then fetch the updated info using the same method as in Scenario 3.</p>
<p>Other use cases that could be serviced include users wishing to be notified when specific users from an affiliated network post new content, or when there is news from an affiliated network itself.</p>
</blockquote>
<p>Once again, this proposal relates to the special case of data exchange and SSO between affiliate organizations and their participants, and serves their need to identify and securely interact with one another. I&#8217;ll follow up soon with an elaboration on some of the details of this proposal. I&#8217;ve added a JSON Web Token module to the CertLib ruby gem at <a href="https://github.com/victorgrey/cert_lib">https://github.com/victorgrey/cert_lib</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://tatwd.net/2012/02/thinking-about-pax/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Still here&#8230;</title>
		<link>http://tatwd.net/2011/02/still-here/</link>
		<comments>http://tatwd.net/2011/02/still-here/#comments</comments>
		<pubDate>Sat, 26 Feb 2011 20:22:21 +0000</pubDate>
		<dc:creator>victor</dc:creator>
				<category><![CDATA[Random Musings]]></category>

		<guid isPermaLink="false">http://tatwd.net/?p=51</guid>
		<description><![CDATA[It&#8217;s not that often that I can come up with a triple-entendre. So first, it&#8217;s been quite a while since I&#8217;ve posted to this blog, but I&#8217;m still here. Secondly, I&#8217;ve just had an interesting experience. I woke up last Monday morning feeling fine. I worked for an hour or so on MetaConnectors, tracking down [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s not that often that I can come up with a triple-entendre. So first, it&#8217;s been quite a while since I&#8217;ve posted to this blog, but I&#8217;m still here.</p>
<p>Secondly, I&#8217;ve just had an interesting experience. I woke up last Monday morning feeling fine. I worked for an hour or so on MetaConnectors, tracking down the cause of a failing test and writing a few more.</p>
<p>Then Carol and I did our morning meditation, and I showered, did my morning exercises, and went downstairs to eat breakfast. With the first few bites of breakfast I started feeling intense stomach pain. I couldn&#8217;t eat any more. So I went back upstairs to lie down, thinking it would pass in a little while.</p>
<p>It didn&#8217;t pass. By afternoon it was only getting worse. Finally around 5pm I called our health plan advice nurse, and after asking a bunch of questions she sternly ordered me to report to the hospital emergency room to be evaluated.</p>
<p>Carol drove me to the ER, I walked in and stood in line to be seen, and was brought into an exam room for an EKG and blood tests. I was quite surprised when the doctor came in and informed me that I was having a heart attack. Mind you, I was not weak or dizzy, had no trouble breathing, no &#8220;elephant sitting on my chest&#8221; or any of the symptoms I&#8217;d read about. Just intense pain in my lower chest in the area of my stomach, radiating up my esophagus into my jaw and into my left arm.</p>
<p>But, I was told, there is a very specific enzyme that the heart releases when it is in trouble, that never comes from anything else, and I had a high level of it in my blood. And although my first EKG had looked pretty normal to them, they did another and were now seeing changes.</p>
<p>So it was off to the cardiac catheter laboratory with me. When you&#8217;re lying flat on your back on a wheeled bed being pushed through the halls of a hospital, all you can see is the ceiling passing by. I recognized the movie cliché right away &#8212; I&#8217;ve seen this view of the corridor ceiling lights passing by in more than one movie.</p>
<p>Entering the &#8220;cath lab&#8221; as they called it was a different movie &#8212; the one where you&#8217;ve been abducted by aliens or robots and you&#8217;re in a room with an array of techno-medieval devices hanging off the ceiling.</p>
<p>There were a lot of people around me being very busy &#8212; I don&#8217;t know how many since all I could see was the impressive ceiling. At the time all this was happening I didn&#8217;t feel the least bit scared, just alert (I thought) and rather detached. But then, who knows what kind of drugs they were pumping into me through the three iv&#8217;s they had started. There was an electronically amplified voice (perhaps someone in another room?) commenting on the proceedings. There was a doctor who began describing what he was doing in truly impenetrable jargon, and the voice would repeat what he said and sometimes ask a question. I couldn&#8217;t feel what they were doing to me at all. Every now and then someone would ask me how I was doing, and not knowing what else to say (I&#8217;m in an alien abduction movie and my stomach hurts like hell) I would say &#8220;OK.&#8221;</p>
<p>After what seemed like 10 or 15 minutes had passed (it was really more than an hour), someone asked me if my pain was any better. At that very moment it was worse, a lot worse. &#8220;It should be better&#8221; one of the doctors said rather querulously. Then there ensued a bunch more jargon, and then lo, it was getting better.</p>
<p>With the release of the pain I must have drifted off, because the next thing I remember is seeing Carol&#8217;s face looking down at me. And the next thing after that was a sweet-natured young ICU nurse introducing herself to me as my nurse for the rest of the evening. It was 1:30am.</p>
<p>I&#8217;m told that one of my coronary arteries had been 100% blocked, and another one 80% blocked. I am now the proud possessor of two PROMUS Everolimus Eluting Coronary Stents, and the paperwork to prove it should you doubt me.</p>
<p>What to say about all this? For the 3 days that I was in the hospital afterwards, I was in good spirits and cheerfully demanding that they let me out now &#8212; I&#8217;m fine! Once I got home, I started on a roller coaster of emotion. Something like this changes who you think you are. It&#8217;s a new phase of life, a new archetype. My previous method for dealing with any physical pain was to first try to push through it, and if that didn&#8217;t work go lie down until it went away. For the first time in my life that modus operandi didn&#8217;t work for me. I&#8217;m no longer invincible.</p>
<p>Ah, well. There&#8217;s still an anti-social network generator to launch, several books to write, a wife to be devoted to, a daughter to admire, grandchildren to adore, friends to have intellectual jousts with. A life that I&#8217;m very far from done with.</p>
<p>Which brings me to my third entendre. In the very first post to this blog, I quoted the mathematician G. Spencer Brown<sup>1</sup>:</p>
<blockquote><p>&#8220;Those of us who have gone back and remembered our births, remembered what we knew, and remembered the covenant we then made with those standing around our cradle, the realization that we now have to forget everything and live a life&#8230;&#8221;</p></blockquote>
<p>There&#8217;s an ellipsis at the end of that quote that carries a lot of meaning. The only way I know of to embrace it is to &#8230;be still, &#8230;be here.</p>
<p><sup>1</sup> <a href="http://www.lawsofform.org/aum/">http://www.lawsofform.org/aum/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://tatwd.net/2011/02/still-here/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Surrendering to WordPress</title>
		<link>http://tatwd.net/2010/07/surrendering-to-wordpress/</link>
		<comments>http://tatwd.net/2010/07/surrendering-to-wordpress/#comments</comments>
		<pubDate>Fri, 23 Jul 2010 14:21:28 +0000</pubDate>
		<dc:creator>victor</dc:creator>
				<category><![CDATA[Tech Notes]]></category>

		<guid isPermaLink="false">http://wp.tatwd.net/?p=33</guid>
		<description><![CDATA[The previous incarnation of this blog was, among other things, a software experiment. I wanted to learn about CouchDB, so I wrote a simple blog app in Ruby on Rails, using CouchDB as a back-end. Well, CouchDB turned out to be a disappointment in several ways. First of all when I did some simple benchmarking [...]]]></description>
			<content:encoded><![CDATA[<p>The previous incarnation of this blog was, among other things, a software experiment. I wanted to learn about <a href="http://couchdb.apache.org/">CouchDB</a>, so I wrote a simple blog app in <a href="http://rubyonrails.org/">Ruby on Rails</a>, using CouchDB as a back-end.</p>
<p>Well, CouchDB turned out to be a disappointment in several ways. First of all, when I did some simple benchmarking against a real application, CouchDB was surprisingly slow. Considerably slower in fact than the default Rails ActiveRecord and MySQL. Secondly, the CouchDB paradigm of saving a JavaScript function for every desired query gets tiresome after not too long.</p>
<p>I&#8217;m still bullish on the <a href="http://en.wikipedia.org/wiki/NoSQL">NoSQL</a> notion though, so I&#8217;ve moved on to <a href="http://www.mongodb.org/">MongoDB</a>. I&#8217;ve been developing <a href="http://metaconnectors.com/info/difference">the next small thing in anti-social networks</a> using MongoDB with Rails 3 and the <a href="http://mongoid.org/">Mongoid</a> object mapper, and so far I&#8217;m very happy with it. It&#8217;s <strong>fast</strong>, it&#8217;s flexible, and it lends itself to modeling data in a way that feels just so. MongoDB is developed as open source by a small engineering-driven company called <a href="http://www.10gen.com/">10gen</a>, and there seems to be a vibrant community of developers springing up around it. There&#8217;s even a monthly <a href="http://www.meetup.com/San-Francisco-MongoDB-User-Group/">meetup</a> in SF.</p>
<p>Meanwhile, I had this blog backed by CouchDB and no longer any good reason to incur the overhead of running CouchDB. Having approximately no interest in writing yet another blog app, I&#8217;ve decided to follow the path of least resistance off the cliff and bring up TATWD in WordPress.</p>
<p>Importing the posts from the previous blog was not all that easy, it being an idiosyncratic home-made application, and most of those posts just traced my own process through the world of software and identity anyway. Not the kind of literature that improves with age. So I just copy-and-pasted the few posts that I thought I might conceivably want to refer to some day, and am letting the rest die gracefully. I hope the readers of this blog (yes, both of you) don&#8217;t mind too much.</p>
]]></content:encoded>
			<wfw:commentRss>http://tatwd.net/2010/07/surrendering-to-wordpress/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anti-Social Networks: the next small thing</title>
		<link>http://tatwd.net/2009/10/anti-social-networks-the-next-small-thing/</link>
		<comments>http://tatwd.net/2009/10/anti-social-networks-the-next-small-thing/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 22:44:29 +0000</pubDate>
		<dc:creator>victor</dc:creator>
				<category><![CDATA[Tech Notes]]></category>

		<guid isPermaLink="false">http://tatwd.net/?p=46</guid>
		<description><![CDATA[Recently a friend sent me a link to the FOAF+SSL site. This page and its linked articles were an entertaining journey into virtuoso hand-waving. A protocol that depends on having all of your users create FOAF files, um, somewhere, and then generate self-signed certificates and install them in their browsers? What user population did you have [...]]]></description>
			<content:encoded><![CDATA[<p>Recently a friend sent me a link to the <a href="http://esw.w3.org/topic/foaf+ssl">FOAF+SSL site</a>. This page and its linked articles were an entertaining journey into virtuoso hand-waving. A protocol that depends on having all of your users create FOAF files, um, somewhere, and then generate self-signed certificates and install them in their browsers? What user population did you have in mind exactly?</p>
<p>As serendipity would have it, right afterwards I came across an article entitled &#8220;<a href="http://www.pragprog.com/magazines/download/2.pdf">Anti-Social Networks</a>&#8221; by John Shade. It&#8217;s a PDF, so you have to download it and then turn to page 38. Shade is a funny guy, and his article skewers the kind of thinking that went into FOAF+SSL. Here&#8217;s my favorite paragraph:</p>
<blockquote><p>&#8220;It used to be enough to make the software work. But when software is all about human-human interaction, the goal becomes to make the human-human interaction work. And its worse than that, because social software is not about individual users. You have to understand groups, which, it turns out, can&#8217;t be done by understanding an individual user and iterating.&#8221;</p></blockquote>
<p>This of course got me thinking. Everyone wants to build the next big thing. No one seems to be asking whether we really need another big thing.</p>
<p>One capability of the internet that has been celebrated from its inception is that it makes it possible for anyone in the world to connect to anyone else. The first big thing that exploited this was email. The most recent big things are large social networks like MySpace and Facebook. They have their place, but they also create a big problem &#8212; when anyone in the world can connect to you, anyone does.</p>
<p>People often try to filter this problem by creating small ad hoc groups within the open space, and various social software systems facilitate this with varying degrees of transparency and privacy. Smaller networks like <a href="http://livingdirectory.net/">LivingDirectory</a> and <a href="http://www.ning.com/">Ning</a> formalize group creation within their respective networks.</p>
<p>My little epiphany was that this network within which groups are created is an unnecessary construct. Even if a single web service has created many different groups, each group has its own identity and does not need to partake of an artificially created enclosing identity. A group&#8217;s identity is formed by its stated purpose, its history and its participants and their contributions to the group. Since it is possible to move all of these things from one software host to another, the identity of the group does not of necessity have any relationship to its current host, any more than it does to the current hardware it is running on.</p>
<p>The whole notion of user-centric identity has been fraught from the start. The thing is, to be a &#8220;user&#8221; you have to be a user of something. The something of which you are a user is as much a part of the online identity created as you are. This is imho the misdirection facing efforts such as the <a href="http://www.dataportability.org/">Data Portability Project</a>.</p>
<p>Your identity in what we are pleased to call the &#8220;real world&#8221; is based on your physical body. It came into being when you were born, and it will cease when you die. You can have many identity documents, but they presumably all point to one human individual. You only get one body (at a time). Online identities however are disembodied, and you can have as many as you like, but you probably have to share them with the group they exist within.</p>
<p>Stand-alone groups only need a few rules and a protocol. Some rules needed are: who can join and how; authorizations required for different kinds of access; how content moderation happens. The protocol must define how groups can affiliate with each other to share data if they wish, and a serialization standard for the group data and rules so they can be moved from one host to another.</p>
<p>The ability to affiliate means that a group doesn&#8217;t have to choose between being a virgin or a slut, i.e. a walled garden or globally available.</p>
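<p>As an added illustration (not code from this post), here is one way the three rules and the protocol sketched above can be made concrete: a group that knows who may join and how, grants actions per role, lets moderators act, affiliates with another group only when an authorized person on each side agrees, and serializes to JSON so it can be moved to a new host with the same identity. The role and action names, the JSON layout and the scenario in <code>demo()</code> are all assumptions made for this example.</p>

```python
"""Added example, not the post's own code: a portable 'anti-social' group with
join rules, per-action authorization, moderation, consent-based affiliation and
a JSON form that moves between hosts. Names and layout are assumed."""
import hashlib
import json

# Role -> allowed actions (assumed names). Least privilege: members cannot
# moderate, invite or affiliate; a guest from an affiliated group may only read.
GRANTS = {"admin": {"read", "post", "moderate", "invite", "affiliate"},
          "moderator": {"read", "post", "moderate"},
          "member": {"read", "post"}, "guest": {"read"}}


class Group:
    def __init__(self, name, purpose, join_policy, founder):
        assert join_policy in ("open", "invite", "closed")
        self.name, self.purpose, self.join_policy = name, purpose, join_policy
        self.roles = {founder: "admin"}           # member -> role
        self.grants = {r: set(a) for r, a in GRANTS.items()}
        self.affiliates = set()                   # names of affiliated groups
        self.history = [f"founded by {founder}"]  # append-only log

    def can(self, member, action):
        """Single choke point for every access decision."""
        role = self.roles.get(member)
        return role is not None and action in self.grants.get(role, set())

    def join(self, member, invited_by=None):
        """Rule: who can join and how (open, invite-only or closed)."""
        if member in self.roles or self.join_policy == "closed":
            return False
        if self.join_policy == "invite" and not self.can(invited_by, "invite"):
            return False
        self.roles[member] = "member"
        self.history.append(f"{member} joined")
        return True

    def remove(self, actor, target):
        """Rule: moderation. Moderators remove members, never an admin."""
        if not self.can(actor, "moderate") or self.roles.get(target) in (None, "admin"):
            return False
        del self.roles[target]
        self.history.append(f"{target} removed by {actor}")
        return True

    def affiliate(self, actor, other, other_actor):
        """Protocol: affiliation needs an authorized actor on both sides."""
        if not (self.can(actor, "affiliate") and other.can(other_actor, "affiliate")):
            return False
        for a, b in ((self, other), (other, self)):
            a.affiliates.add(b.name)
            a.history.append(f"affiliated with {b.name}")
        return True

    def visible_to(self, person, home):
        """Members read directly; members of affiliated groups read as guests."""
        if self.can(person, "read"):
            return True
        return home.name in self.affiliates and home.can(person, "read")

    def to_json(self):
        """Protocol: serialization so the group can move to another host."""
        return json.dumps({"name": self.name, "purpose": self.purpose,
                           "join_policy": self.join_policy, "roles": self.roles,
                           "grants": {r: sorted(a) for r, a in self.grants.items()},
                           "affiliates": sorted(self.affiliates),
                           "history": self.history}, sort_keys=True)

    @classmethod
    def from_json(cls, text):
        d = json.loads(text)
        g = cls(d["name"], d["purpose"], d["join_policy"], founder="_")
        g.roles, g.history = dict(d["roles"]), list(d["history"])
        g.grants = {r: set(a) for r, a in d["grants"].items()}
        g.affiliates = set(d["affiliates"])
        return g

    def identity(self):
        """Identity from purpose, history and participants; no host in it."""
        canon = json.dumps({"purpose": self.purpose, "history": self.history,
                            "roles": self.roles}, sort_keys=True)
        return hashlib.sha256(canon.encode()).hexdigest()


def demo():
    """Constructed scenario: an invite-only group, an open one, a host move."""
    knit = Group("knitting", "share patterns", "invite", founder="ann")
    yarn = Group("yarn-swap", "trade yarn", "open", founder="bob")
    r = {}
    r["uninvited_join"] = knit.join("carl")                        # False
    r["invited_join"] = knit.join("carl", invited_by="ann")        # True
    r["member_moderates"] = knit.remove("carl", "ann")             # False
    r["open_join"] = yarn.join("erin")                             # True
    r["stranger_reads"] = knit.visible_to("erin", yarn)            # False
    r["affiliate_one_sided"] = knit.affiliate("carl", yarn, "bob") # False
    r["affiliate"] = knit.affiliate("ann", yarn, "bob")            # True
    r["affiliate_reads"] = knit.visible_to("erin", yarn)           # True
    r["affiliate_posts"] = knit.can("erin", "post")                # False
    moved = Group.from_json(knit.to_json())                        # new host
    r["same_identity"] = moved.identity() == knit.identity()       # True
    r["moved_enforces_rules"] = moved.join("zed")                  # False
    return r
```

<p>The design choice worth noticing is that every access path, including the guest access an affiliated group&#8217;s members get, goes through the one <code>can()</code> check, and that <code>identity()</code> hashes only the purpose, history and participants, so the moved copy answers the same as the original even though nothing about the host is recorded anywhere.</p>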
<p>Shade uses the phrase &#8220;anti-social network&#8221; ironically. I&#8217;m going to appropriate it to mean (slightly less ironically) networks that don&#8217;t want to connect to the whole world, just to their own and affiliated participants.</p>
]]></content:encoded>
			<wfw:commentRss>http://tatwd.net/2009/10/anti-social-networks-the-next-small-thing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Tyranny of Structurelessness</title>
		<link>http://tatwd.net/2008/09/the-tyranny-of-structurelessness/</link>
		<comments>http://tatwd.net/2008/09/the-tyranny-of-structurelessness/#comments</comments>
		<pubDate>Thu, 25 Sep 2008 05:57:32 +0000</pubDate>
		<dc:creator>victor</dc:creator>
				<category><![CDATA[Random Musings]]></category>

		<guid isPermaLink="false">http://wp.tatwd.net/?p=3</guid>
<description><![CDATA[I stumbled across this article years ago, and then lost track of where I had found it. I just rediscovered the original on the author&#8217;s website. It&#8217;s written about the Women&#8217;s Liberation Movement of the sixties (something about which I am not completely unaware, having been in a former life married to one of the [...]]]></description>
<content:encoded><![CDATA[<p>I stumbled across <a href="http://www.jofreeman.com/joreen/tyranny.htm">this article</a> years ago, and then lost track of where I had found it. I just rediscovered the original on the author&#8217;s website.</p>
<p>It&#8217;s written about the Women&#8217;s Liberation Movement of the sixties (something about which I am not completely unaware, having been in a former life married to one of the founders of the local Women&#8217;s Liberation Organization in New Haven, Connecticut, a role referenced in the article), but it is a generalizable and brilliant analysis.</p>
<p>Try reading it while mentally substituting IIW/Identity Commons/Data Portability/etc for the women&#8217;s groups the author discusses.</p>
]]></content:encoded>
			<wfw:commentRss>http://tatwd.net/2008/09/the-tyranny-of-structurelessness/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Psychic birds</title>
		<link>http://tatwd.net/2007/01/psychic-birds/</link>
		<comments>http://tatwd.net/2007/01/psychic-birds/#comments</comments>
		<pubDate>Sun, 07 Jan 2007 13:51:23 +0000</pubDate>
		<dc:creator>victor</dc:creator>
				<category><![CDATA[Futurism]]></category>

		<guid isPermaLink="false">http://wp.tatwd.net/?p=29</guid>
		<description><![CDATA[I saw a presentation a few years ago, at the Institute of Noetic Sciences, which included a video of an investigation that Rupert Sheldrake conducted into a fascinating phenomenon involving an African Gray parrot. African Grays are very large parrots that are remarkable in a number of ways. They can live to be more than [...]]]></description>
			<content:encoded><![CDATA[<p>I saw a presentation a few years ago, at the Institute of Noetic Sciences, which included a video of an investigation that Rupert Sheldrake conducted into a fascinating phenomenon involving an African Gray parrot.</p>
<p>African Grays are very large parrots that are remarkable in a number of ways. They can live to be more than one hundred years old, and are fiercely loyal to their owners. If you own an African Gray, you have a moral responsibility to ensure that it will be inherited by a good owner when you die, since it will very likely outlive you, and to arrange for a long and gradual introductory period between your parrot and its prospective new owner.</p>
<p>African Grays are also noted for their intelligence. They can learn to &#8220;speak&#8221; with large repertoires, and can learn to associate sounds with properties such as shape, color and composition, so that for instance when asked for a &#8220;red triangle&#8221; or a &#8220;brass circle&#8221; they will accurately pick it out of a collection of objects, not confusing it with a blue triangle or a plastic circle.</p>
<p>However all that pales in comparison to what this particular African Gray in the presentation could do. The experiment took place in the owner&#8217;s home, which was a two story structure. The bird was upstairs by itself, with a video camera recording what it did. Downstairs, the owner and a researcher sat at a table, with another video camera recording them. The researcher was showing the owner a series of cards with pictures on them. As the owner looked at the pictures, the bird &#8211; upstairs in another part of the house mind you &#8211; would speak what was on the picture!</p>
<p>Later they interviewed the owner, who said that she first noticed her parrot&#8217;s psychic abilities when she would wake up in the morning remembering a dream, and the parrot would speak some fragment of the dream. So she started leaving a tape recorder running by her bedside, and discovered that the parrot talked off and on all night, narrating her dreams as she had them.</p>
<hr />
<p>I was walking in the deep woods one day, at a retreat center in Sonoma county, when three ravens started following me. They were not so much flying as hopping from tree to tree, sometimes with a slow powerful flap of the wings for extra thrust. They were &#8220;following in front&#8221; of me the way a cat will, anticipating where I would go, and they were making the most interesting noises. A soft low caw, like a crow caw played back at very slow speed, and another sound so unlike anything you would expect from a bird that for a while I wasn&#8217;t sure it was coming from them &#8211; a sound like water flowing over rocks.</p>
<p>Have you ever sat quietly with a close friend, and felt that you have had a deep and meaningful conversation, even though neither of you said a word? That was the experience I had with those ravens that day &#8211; hard to pin down, and yet very vivid in my memory even many years later. I <em>learned</em> something from those birds that day, something that I don&#8217;t have words for, that can&#8217;t be expressed in words. A <em>connection</em>.</p>
<hr />
<p>There are other kinds of intelligences besides the one we big-brained apes have evolved. Ravens and African Gray parrots are among the most evolutionarily recent birds. These descendants of the dinosaurs are, I&#8217;m convinced, evolving an intelligence that we mammals may find quite alien, although we have the seeds of it in us as well. It doesn&#8217;t depend on a big central nervous system processing unit, being a more distributed kind of system with trillions of cell membranes for nodes. (Do read <a href="http://www.amazon.com/Biology-Belief-Unleashing-Consciousness-Miracles/dp/0975991477/sr=1-1/qid=1168179345/ref=pd_bbs_sr_1/104-1685065-5607103?ie=UTF8&amp;s=books">The Biology of Belief</a> by Bruce Lipton.)</p>
<hr />
<p>I&#8217;ve identified in myself at least three different frequencies of thought. While some people speak of &#8220;higher vibrations&#8221; as being better, for me it&#8217;s just the opposite. The fastest thoughts are the self-talk thoughts, the worrying or planning ahead thoughts, the judging and having myself being judged thoughts. The same thought comes back around every few minutes, sometimes every few moments if there is a lot of emotion behind it. Like a hamster running in a wheel in its cage.</p>
<p>Then there are the creative thoughts. They have a frequency of days to weeks. I will be working on something, and stumped or blocked, I will let it go. A few days (or weeks) later I&#8217;ll stumble across something that is just the answer I was looking for. Or the answer will, unbidden, just spring into clarity for me at some random moment in my day.</p>
<p>The longest waves of all are the thoughts that happen over years to decades. These are the thoughts that shape my life. They have no words or images or emotion. They are raven thoughts, pure connection.</p>
<hr />
<p>John Mack was a Harvard psychiatry professor who studied and tried to help people who believed that they had been abducted by UFOs. I met him once &#8211; he was a fascinating and gentle man. &#8220;I don&#8217;t know what happened to these people,&#8221; he told me, &#8220;but I know <em>something</em> happened to them. I&#8217;ve worked with psychotics for much of my career. These people are not psychotic, not delusional.&#8221;</p>
<p>I have my own conjecture about it. If there are other civilizations out there in the universe, and it seems almost certain that there <a href="http://www.seti.org/Page.aspx?pid=336">must be</a>, and equally certain that some of these must be millions of years older than our own, where might evolution have taken them? I think that the evolutionary step after (or before or in parallel with) what we are pleased to call &#8220;intelligence&#8221; is psychic connection. Perhaps these UFO beings are what we call &#8220;psychic&#8221; to an extent far beyond anything we have experienced, in the same way that <em>we</em> are intelligent in a way far beyond anything a chimpanzee has experienced.</p>
<p>In the presence of that much psychic power it may be that our minds become disorganized, that we aren&#8217;t capable of processing what we are experiencing. That what those who have had this experience therefore remember about it is a kind of dream imagery, a representation of the experience in subconscious symbology.</p>
]]></content:encoded>
			<wfw:commentRss>http://tatwd.net/2007/01/psychic-birds/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TATWD? WTF?</title>
		<link>http://tatwd.net/2007/01/tatwd-wtf/</link>
		<comments>http://tatwd.net/2007/01/tatwd-wtf/#comments</comments>
		<pubDate>Wed, 03 Jan 2007 08:16:23 +0000</pubDate>
		<dc:creator>victor</dc:creator>
				<category><![CDATA[Random Musings]]></category>

		<guid isPermaLink="false">http://wp.tatwd.net/?p=13</guid>
		<description><![CDATA[&#8220;The world rests on the back of a giant turtle.&#8221; What does the turtle stand on? &#8220;Another turtle.&#8221; What does that turtle stand on? &#8220;It&#8217;s just turtles all the way down!&#8221; If you Google the phrase, you get a lot of references to Stephen Hawking and Bertrand Russell. Great men these may be, but I [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;The world rests on the back of a giant turtle.&#8221; What does the turtle stand on? &#8220;Another turtle.&#8221; What does that turtle stand on? &#8220;It&#8217;s just turtles all the way down!&#8221;</p>
<p>If you Google the phrase, you get a lot of references to Stephen Hawking and Bertrand Russell. Great men these may be, but I find the setting up of a straw man by reasoning from a literal interpretation of a mystical concept a bit silly, and strangely akin to the claim some folks make to a belief in a &#8220;literal&#8221; interpretation of the (old English translation of the Latin translation of the Greek/Hebrew/Aramaic) bible. But then, science as an intolerant religion, and what it means to be truly rational&#8230;that&#8217;s a whole &#8216;nother post.</p>
<p>Dig a bit deeper, and you&#8217;ll find references to John Grinder and Gregory Bateson. Now you&#8217;re getting closer to what I mean. There is something deeply moving in the contemplation of infinite recursion. It is one way to come face to face with a mystery, that everything is a construct of my consciousness except right here, right now. That I don&#8217;t know where my consciousness came from, that it seems to stand on the back of the previous moment&#8217;s consciousness, which stands on the back&#8230;</p>
<p>&#8220;This statement is false.&#8221; Suppose that the preceding statement is true, then it can&#8217;t be true because it says that it is false. OK then, supposing it is false, then it must be true because it says that it is false. While you&#8217;re thinking about that, someone kicks you in the shins.</p>
<p>Here&#8217;s a couple of quotes<sup>1</sup> from the truly mystical mathematician G. Spencer Brown (image added by me):</p>
<blockquote><p>&#8220;A mystic, if there is such a person, is not a person to whom everything is mysterious. He is a person to whom everything is perfectly plain.&#8221;</p></blockquote>
<blockquote><p><img src="http://wp.tatwd.net/wp-content/uploads/2010/07/Snail.jpg" alt="" align="right" />&#8220;Those of us who have gone back and remembered our births, remembered what we knew, and remembered the covenant we then made with those standing around our cradle, the realization that we now have to forget everything and live a life&#8230;&#8221;</p></blockquote>
<p><sup>1</sup> <a href="http://www.lawsofform.org/aum/">http://www.lawsofform.org/aum/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://tatwd.net/2007/01/tatwd-wtf/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

