Apr 29, 2005

Immeasurable Steps for Quantum crypto

The Register reports that while there are a few Quantum Crypto vendors shipping goods today, recent developments show that this technology is rapidly emerging, and has the properties of being deployable.

Cost and requirements for dedicated pair-wise fiber links between parties (up to a few dozen kilometers) will impeed broad deployments in areas other than (perhaps) financial services, telecoms industry and the media. This will change, and there are claims for the development of other key distribution transports, which will bolster the adoption curve, and mitigate the distance problem.

With keen interest, I read that Toshiba Research Europe has applied Quantum crypto for protecting streaming video... With new encryption keys for every frame, theft on-the-wire will become exceedingly impractical, too costly relative to the value of the pilfered content.

I watch this with continued admiration of the research community...

Apr 24, 2005

Where are the customers

Identity Woman asks "Where are the customers"... well, i can say for certain that there have been circles of trust formed in 2004, some quite large. having been there, i can say this stuff does not come easily. And it's not the technology. Marc recently wrote about this here saying
The legal complexities of this style of federation are significant, and they must all be considered.
Absolutely, and the bigger the radius, the greater the degree of complexity (and the number of lawyers... there's a joke in there somewhere...).

So while perhaps AOL's circle and a few others that have formed are not awe inspiring (yet). I think given that these standards are not yet even three years young, they've gone a long way fast. But look at the commercial software support. So, pulling out my old (dusty) IT Architect calculator with integrated time sink-hole estimator:
[Spec release] + [CoTs development]*2 +
([Corp Sponsorship]^2 + [IT planning] + [IT development] +
[marketing something-or-other]/[very small number less than 1] + [role-out])*2
= [something north of 3 years]
So perhaps the early movers have done so... i'd venture 2005 we'll see some more interesting Circles take shape.

Apr 21, 2005

Reflecions for "The Identity Corner » Liberty Alliance on data protection and privacy"

I recently completed reading Stefan Brands post reviewing Liberty's “Circles of Trust: The Implications of EU Data Protection and Privacy Law for Establishing a Legal Framework for Identity Federation“.

First, I'm thankful for the review. External commentary is extremely valuable, as those of us working on these problems in standards bodies crave new input. I think some clarifications, however, are required for proper analysis of the Liberty Specification suite. This review results in two recommendations:

  • User-centric data flows for directing (properly authenticated and protected) identity and attribute assertions through the data subjects themselves in a manner that gives each data subject fine-grained selective disclosure capability over identity and attribute assertions made about him or her, and
  • Genuine privacy-preserving authentication technologies – as opposed to the current smoke-and-mirrors “pseudonyms” of Liberty Alliance, which are not pseudonyms at all but centrally assigned aliases.

The primary error in this analysis (and thus the resulting recommendations) is some presumption of the locations/ownership of the architectural elements:
+ Service Providers [SP] (who rely on assertions from a trusted party),
+ Identity Providers [IDP] (who may or may not be an 'anchor' of trust in the network),
+ Attribute Authorities [AA] (who may be trusted by the principal for managing their data 'at-rest' and 'in-motion')

These entities in fact can (and do) express themselves into networks in many ways. While it is true that in one form, the IDP and AP may be operated by institutional bodies (corporations, governments, public trusts, etc...), it is equally true that a principal can control these functions themselves, on their own terms, with their own policies, even on their own hosts. In addition, it is likely that a single principal will have many attribute authorities, even for a single service type, creating distributed data-web's. Implimentations may choose from many deployment paradigms.

This satisfies the first recommendation, and can be implemented using current versions of the Liberty Alliance Specifications suite ID-WSF 1.x in conjunction with SAML v2.0 (as a footnote, the panoptic discussion is more properly placed with the OASIS SSTC, rather than Liberty).

Of course, there are negative privacy consequences when everything (authentication and attribute assertions) are sourced from a single point. Most notably, triangulation of the subject of these assertions due to single points of origin.

Further, user control of some attributes will be inappropriate. Attributes which are assigned to a principal such as credit cards (card issuing bank is the authority), identification numbers (governments assign drivers license numbers), and health care records (which are create and maintained by health care providers). Relying parties of such assertions a better served by assertions from the assignment authority, rather than some measure of confidence that the principal is stating fact.

To the topic of pseudonym manufacture, thus, clearly given a deployment described above, where the principal themselves may choose to operate their own authentication service (perhaps populated with security tokens obtained from elsewhere or locally). This would then satisfy the second observation.

I'm greatful for you pointing these things out, as it underscores just how composable the framework has become. The wonderful thing about open standards... everyone can read, review, comment, implement and deploy upon them, and are encouraged to do so.

Apr 15, 2005


Research Buzz alerted me to YaGoohoo!gle from this article. A wonderful play on two search engines... side-by-side (frames) comparison for search results. Just for kicks, i yagoohoogled for my own blog. rather disapointing results, i must say. but at least there were no ads purchased for that string.

But this does motivate me to write something that actually intermixes their results into one single page.

Apr 8, 2005

Datamonitor - Gemplus and NEC win e-Passport bid - News

So Datamonitor - Gemplus and NEC win e-Passport bid - News reveals some interesting emerging identity systems activities in nation-states. The U.S. Government has been working this angle for quite some time, and most recently at the RSA conference this winter.

I can only hope that this activity continues. There is a lot at stake for many, not the least of which are the citizens of many contries contemplating the authentication and authorization problems mixed into this quagmire of Identity.