Jan 23, 2006

Sxip in ... or not

Paul Madsen's post on Sxore got me to waltz on over and read up on what it's up to. What I found was not quite as expected... (from 'An Identity 2.0 Company' anyway).

It started with the irony that Sxore, from the people that brought you Sxip, and Identity2.0, and purveyors of all things good in decentralized identity systems and designs (a Good Thing), asks that you 'create an account' with them, and 'store your account information in the Sxore system'?

Sigh. I thought the days of federation were nearing. I hope I am mistaken, and if I enroll, they ask me to federate to my Homesite (at least) or my openID, LID (or better, YADIS). But the FAQ leaves me less than optimistic.

Better by far... I could federate with the Sxore service to my Identity Provider via SAML2, point to my Liberty People Service for a more seamless experience, for folks I already know, to comment on my blog (which I moderate for the very reason Sxip created Sxore).

I _would_ like to be able to have a reputation system which maps back to this blog (not that it has much of a readership), not the Sxore identity.

Further reading of the Sxore FAQ shows a few more flies in the Identity Ointment:

"Since each sxore account can only be associated with a single blog, you might want to have a sxore account for each of your blogs. However, each sxore account requires a unique email address; you must use a different address for each of your sxore accounts."

... so I get to make a plethora of identities, each requiring a unique email address???

"Comments and tags are stored on the sxore comment server, but are displayed on the blog. In a future version of sxore, we intend to provide an API that will allow blog sites to extract their comments and tags from the sxore comment server."

... so the comment thread is the property of who, exactly?? Although they have something with RSS feeds of the comments, something not all Weblog software has.

"Can I automatically approve or delete comments from certain people? Yes. When you moderate comments, use the Approve and Whitelist button to automatically approve future comments from the comment author. (The comments are still displayed in your inbox so that you get comment notifications and can post comment responses.) Similarly, use Delete and Blacklist to automatically delete future comments from the comment author."

... this is the perfect use case for the Liberty People Service (and using federated identifiers, eliminating the need for a Sxore account!).

So I urge Sxip and Sxore to become self-interoperable. It's hard enough to get interoperability across multiple specifications and vendors, but at least support your own identity protocols!


Jan 18, 2006

Tag, You're It

CNN posted a story recently on using RFID technology, which has been used for years in dogs (and I suppose other critters) for identification, and applying this to people. It reports:

"With a wave of his hand, Amal Graafstra, a 29-year-old entrepreneur based in Vancouver, Canada, opens his front door. With another, he logs onto his computer."

It's always nice to find more shortcuts in life (how many times have we locked ourselves out of our car?), but the trouble with these sorts of technologies is they neglect to consider the potential for nefarious uses.

The US Govt explored RFID-enabled passports (and promptly got rebuked for flaws [PDF]), yet another example of applying the technology, but neglecting the consequences.

Even if the tag carries nothing more than some unique identifier, it's that identifier that introduces the privacy invasion. Picture Walmart putting tag readers on all the store shelves, and observing how one looks at and handles which products. Over time, they can amass significant knowledge of one's shopping behaviour.


Jan 5, 2006

an 'eye' for SSO

Paul Madsen over at connectID comments on the i-Names i-SSO specification:

Looking at the i-names SSO (ISSO) spec being defined at XDI.org, they account for some minimum password strengths by which users MUST authenticate to their i-Broker (within the XDI.org community).

To help prevent dictionary attacks, XDI.ORG MUST specify a minimum password strength required of all ISSO accounts in the XDI.ORG network.

As they use SAML 2.0 as the protocol by which the Website requests an authentication and by which the i-Broker responds, it seems strange that they don't refer to SAML 2.0's Authentication Context as the mechanism for defining such minimum authentication requirements.

In fact, the next revision to this draft (which I am penning as we speak) does, in fact, do that. It will also define a couple new profiles, and two new authN contexts (enhancements really, not new).

• XRI-based services discovery profile which allows for the determination of an Authentication Authority based on an iName (XRI)
• Slight variant on Web Browser SSO Profile (adding requirements for the new contexts)
• contexts which add some defenses against phishing

Stay tuned here or over at XDI.org, where the specs formally live for the next release.
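
The SAML 2.0 Authentication Context mechanism discussed above, as an added example (not code from this blog or from the ISSO spec): a Website asks its i-Broker for a minimum authentication context, then checks the class the assertion actually carries. The strength ranking and the function names are assumptions, and the assertion's signature is assumed to have been validated before this check.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed relying-party policy: SAML 2.0 defines these class URIs but no
# ordering between them, so this ranking is a local (hypothetical) choice.
STRENGTH = {AC + "unspecified": 0, AC + "Password": 1,
            AC + "PasswordProtectedTransport": 2, AC + "TimeSyncToken": 3}

def requested_authn_context(minimum):
    """Build the <samlp:RequestedAuthnContext> an AuthnRequest would carry."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison="minimum")
    ref = ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef")
    ref.text = minimum
    return rac

def meets_minimum(assertion_xml, minimum):
    """Check the asserted class; do not assume the request was honoured."""
    root = ET.fromstring(assertion_xml)
    path = (f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext"
            f"/{{{SAML}}}AuthnContextClassRef")
    refs = root.findall(path)
    if len(refs) != 1:          # missing or ambiguous context: reject
        return False
    asserted = (refs[0].text or "").strip()
    if asserted not in STRENGTH or minimum not in STRENGTH:
        return False            # fail closed on classes the policy does not rank
    return STRENGTH[asserted] >= STRENGTH[minimum]

def sample_assertion(class_ref):
    """Constructed, unsigned assertion fragment used only as sample input."""
    return (f'<saml:Assertion xmlns:saml="{SAML}"><saml:AuthnStatement>'
            f'<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}'
            f'</saml:AuthnContextClassRef></saml:AuthnContext>'
            f'</saml:AuthnStatement></saml:Assertion>')

if __name__ == "__main__":
    required = AC + "PasswordProtectedTransport"
    print(ET.tostring(requested_authn_context(required), encoding="unicode"))
    for cls in ("Password", "PasswordProtectedTransport", "TimeSyncToken"):
        print(cls, meets_minimum(sample_assertion(AC + cls), required))
```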
