Know SAML cold

I came across this series tonight while traipsing through Technorati SAML searches. JeffH, however, got there before me.

SAML and ColdFusion - Part 1 (December 29, 2006)
SAML and ColdFusion - Part 2 (February 9, 2007)
SAML and ColdFusion Part 3 : XML Digital Signatures (April 16, 2007)
SAML and ColdFusion Part 4 : Setting Up the Library (April 26, 2007)
SAML and ColdFusion Part 5 : Signing a Document (May 1, 2007)
SAML and ColdFusion Part 6 : Validating an Assertion (May 10, 2007)

Nicely done!

Privacy and the Almighty Dollar

Apparently Google feels that operations in China are more important than user privacy... still. In a shareholder vote held yesterday, they voted against a proposal which outlined the following:

1. Data that can identify individual users should not be hosted in Internet-restricting countries, where political speech can be treated as a crime by the legal system.
2. The company will not engage in pro-active censorship.
3. The company will use all legal means to resist demands for censorship. The company will only comply with such demands if required to do so through legally binding procedures.
4. Users will be clearly informed when the company has acceded to legally binding government requests to filter or otherwise censor content that the user is trying to access.
5. Users should be informed about the company's data retention practices, and the ways in which their data is shared with third parties.
6. The company will document all cases where legally binding censorship requests have been complied with, and that information will be publicly available.

While much coverage on this issue has focused on the censorship issues while operating (for example) in China, ignored were the stipulations about disclosure to third parties and data retention practices.

The shareholders were advised by Google Sr Executives that this measure should be voted down, as it would prohibit their operations in China. While I understand this point of view, at some point, conscionable corporations are going to have to face data protection, disclosure, and retention issues head on. Perhaps a more well informed shareholder base will be required to force such practices on public companies.


1 point for the dollar, 0 for privacy.

PII's Journey - Chapter 1

From the “What do two identity architects chat about while waiting for the plane to board” department.

Companies large and small gather personally identifiable information all the time (never mind that they rarely really need to, other than to fulfill their ill-conceived belief it will make my experience better or their wallets thicker). The data they get (lies, generally, unless it's important business) might be sent over TLS and the like, and may be covered by one or more privacy policies conveniently referenced far-far-away from the 'Submit' button... but there is never any mention what really happens to that data, after it's collected. Follow PII on it's epic journey through networks, servers and tapes in 'PII's Journey - an EPIC tale'.

It's a sad sad story....

Once upon a time, somewhere in one of the happier nooks of the internet, there was a little bit of data, named PII, just leaving it's owners computer, destined for important tasks at www.example.com. It was carefully sent, nice and snug under the covers of it's good friend TLS, and informed by some pleasing P3P policies, whereby it was assured no harm would befall it upon arrival at it's destination.

Feeling emboldened by anticipated loving care, it speed into the warm embrace of www.example.com's host, which was clearly identified by the DNS and the subject of a certificate upon which it's TLS road was paved (where said cooboration was of course carried out with the greatest of care).

Little PII, arriving in it's new home, is passed most respectfully to WWW's close friend and helper, apps.example.com, who generally assists in matters more complex than simple HTTP. PII looks backward, somewhat forlornly, at it's companion and confidant P3P and TLS, who accompanied him on the begin of his epic quest to conduct some important business.

PII arrives at apps (well it thinks that's her name, anyway), and is quickly swished through memory and swapped about a bit in apps file system, while apps performs what PII is certain is most difficult and arduous work. Variables and arrays and other structures serve as short stopping places. PII sees all sorts of other, unfamiliar and unrelated data too. Some seemed to be in classes, and PII wondered what instruction they were getting, and if they too were there for the same purpose.

PII doesn't mind so much the jostling and bumping about, knowing that it's mission is vital. At last, after what seemed like thousands of milliseconds, it is instructed to rest, with some other PII, at database.example.com... well, apps told PII that was his name... he arrived at a somewhat anonymous-looking dotted quad. Poor PII, not knowing what to do, and wishing to go home after recent mishandling, finds a row to rest in, and closes it's weary eyes.

PII dreams of the good times it spent with TLS and P3P, all the frolicking about, obediently following the directions of BGP and IP. It fondly remembers the comforting covenants of Jurisdiction and Purpose... of Recipient and Remedy. As the dream grows somewhat dark in nature, a shadow of database is seen in the distance, and PII sees itself moving slowly towards it, completely detached from Purpose and Reason, and with no special protections for its' journey. After fading into the distant ether, PII can no longer see itself, and hope's it's copy can remember all the promises made when it first began it's epic voyage.

Stayed tuned, for the continuing (mis)adventures of PII...

Bewitched flatware

George reported last week the magentic qualities of his flatware. And were it not for the photograph, none of us would have beleived him.

I can now report a second sighting of the unusual phenomena. I, unfortunately, did not have the camera handy, as I was held captive by the tray table, and the flight attendant (4/28 UA951 crew .. if your out there, wonderful job, by the way) whisked away the knife before I could capture the event in silicon (does anyone capture events on 'film' anymore?).

The flatware must have been stored outside the airplane during departure, as it's surface temperature was low enough to bond skin to metal.

Discussions ensued in Brussels, at the IOS confence as to the cause of the magnetic charge, but no consensus could be reached. But it is strangely coincident with the re-emergence of metal knifes on flights.

Trusting SIP

My good friend and colleague with others have for over a year now been working on a trait-based authorization specification for SIP known to some as 'SIP-SAML' . This fulfills the requirements outlined in “Trait-based Authorization Requirements for the Session Initiation Protocol (SIP)”, which specifies bindings and profiles for attribute statements (and assertions) from SAML artifacts. This then informs SIP intermediaries with the necessary material to make policy decisions about handling SIP signals (and the subsequent messages), among other use cases.

I've recently discovered that some have considered applying openID in a (slightly) similar manner for SIP mentioned here.

As the above reference articulates, improvements are required to the base openID architecture to accomplish this. Perhaps a token transformation via Liberty Alliance Authentication Service (pdf) accomplishes this objective.

The swiss beverage empire

I'm here in Brussels for the Liberty Alliance Members meeting and Identity OpenSpace event, and they have been making certain we maintain our appetites by supplying cannabis in liquid form.

These need to be in the states. Both are quite good. It's a shame that the notion of a cannabis-based beverage would never fly in the US.
...
I think i need a snack now.

(Finally found the vendors website)

Open Space Logo Mashup

I've just registered for the upcomming Identity Open Space in Vancouver. A co-production of the Liberty Alliance and the good folks over at unconference and IIW.

I couldn't resist mixing the logos.

Hope to see you there.

Liberty Adoption Announced

[Lost in my draft bin]

Liberty Alliance announced new adoption information. It's a pretty impressive list and forecast for 2006.

Some Notable numbers in summary:

• 120 million citizen identities in the global e-government sector including deployments in Austria, France, Finland, Norway, the Middle East, Spain and the United States;
• 585 million identities and devices in the mobile and telecommunications sector with vendors and carriers around the world implementing Liberty Federation and Liberty Web Services for identity-based consumer and enterprise applications;
• 72 million online service provider users able to leverage Liberty identity specifications for conducting e-commerce and accessing and managing a variety of entertainment and social applications;
• 20 million Liberty enabled identities in the technology and enterprise sectors with organizations managing B2B, B2E and B2C services based on Liberty Federation and Liberty Web Services.

What's more, there are inumberable deployments that are not announced, for various reasons. I think that is a pretty impressive adoption curve, given that ID-FF 1.2 is only a couple of years old.

Congrats to the Liberty folks for:
- make this happen
- finding all this deployment data

Technorati Tags: Federated_Identity, identity, identity20, Liberty_Alliance

Infrequent Visits

I checked into a hotel last night in Phoenix, Arizona, and was greeted by a rather amusing placard.

On the placard, which provided instructions on how to begin an internet session (non WiFi tho... sheesh), it suggested that if you were having trouble connecting, and to ensure you are not viewing a cached page,

“Go to a public website (not an intranet), such as www.msn.com, that you do not normally visit.”

Is msn.com in that much difficulty, or is this service provider not a fan of Microsoft... perhaps we'll never know.