Identity for All - On bits and bytes

FBI indictments raise hope

2008-05-20T21:09:00.000-05:00

May 19, 2008 BUCHAREST, ROMANIA – Thirty-eight individuals with ties to international organized crime have been charged in two separate indictments involving computer and credit card fraud schemes, Deputy Attorney General Mark R. Filip, Romanian Prosecutor General Laura Codruţa K övesi, U.S. Attorney for the Central District of California Thomas P. O’Brien and Acting U.S. Attorney for the District of Connecticut Nora R. Dannehy announced today. The Deputy Attorney General made the announcement with the Romanian Prosecutor General to highlight the extensive and continued cooperation between the two countries in addressing these types of international crimes. The announcement comes less than one month after U.S. Attorney General Michael B. Mukasey announced the Department’s new Law Enforcement Strategy to Combat International Organized Crime.

The FBI, following up on an announcement last month, has moved into an aggressive mode in prosecution for computer crimes. This indictment includes 33 individuals on 65 counts in Los Angeles, and 7 individuals in Washington, DC involving phishing scams. It also includes search warrants being issued in Romanian.

The locations of the operations included: the United States, Canada, Pakistan, Portugal and Romania.

The phishing scams were mainly target as messages from Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., eBay and PayPal. All very common subjects for such attacks.

The role of identity here is unequivocal, and much work remains to be done both on existing protocol strata, including email and SIP, as well as emerging identity protocols, such as Liberty Alliance, openID, and Oauth (to name but a few).

As these new protocols mature, and their use broadens, they will form the basis for new attack surfaces for such criminal behaviors. The Liberty Alliance has been focusing some of it's talents directly in this space in the form of the Identity-Theft Special Interest group, and began working on this topic as far back as 2004.

Oddly, this topic, which has some momentum at earlier IIW events, was not touched as a primary topic at the most recent session. As an industry, we need to think about reversing this trend.

Technorati Tags: id theft, identity

Know SAML cold

2007-05-11T20:42:00.000-05:00

I came across this series tonight while traipsing through Technorati SAML searches. JeffH, however, got there before me.

SAML and ColdFusion - Part 1 (December 29, 2006)
SAML and ColdFusion - Part 2 (February 9, 2007)
SAML and ColdFusion Part 3 : XML Digital Signatures (April 16, 2007)
SAML and ColdFusion Part 4 : Setting Up the Library (April 26, 2007)
SAML and ColdFusion Part 5 : Signing a Document (May 1, 2007)
SAML and ColdFusion Part 6 : Validating an Assertion (May 10, 2007)

Nicely done!

Privacy and the Almighty Dollar

2007-05-11T08:28:00.000-05:00

Apparently Google feels that operations in China are more important than user privacy... still. In a shareholder vote held yesterday, they voted against a proposal which outlined the following:

Data that can identify individual users should not be hosted in Internet-restricting countries, where political speech can be treated as a crime by the legal system.
The company will not engage in pro-active censorship.
The company will use all legal means to resist demands for censorship. The company will only comply with such demands if required to do so through legally binding procedures.
Users will be clearly informed when the company has acceded to legally binding government requests to filter or otherwise censor content that the user is trying to access.
Users should be informed about the company's data retention practices, and the ways in which their data is shared with third parties.
The company will document all cases where legally binding censorship requests have been complied with, and that information will be publicly available.

While much coverage on this issue has focused on the censorship issues while operating (for example) in China, ignored were the stipulations about disclosure to third parties and data retention practices.

The shareholders were advised by Google Sr Executives that this measure should be voted down, as it would prohibit their operations in China. While I understand this point of view, at some point, conscionable corporations are going to have to face data protection, disclosure, and retention issues head on. Perhaps a more well informed shareholder base will be required to force such practices on public companies.

1 point for the dollar, 0 for privacy.

PII's Journey - Chapter 1

2007-04-30T20:38:00.000-05:00

From the “What do two identity architects chat about while waiting for the plane to board” department.

Companies large and small gather personally identifiable information all the time (never mind that they rarely really need to, other than to fulfill their ill-conceived belief it will make my experience better or their wallets thicker). The data they get (lies, generally, unless it's important business) might be sent over TLS and the like, and may be covered by one or more privacy policies conveniently referenced far-far-away from the 'Submit' button... but there is never any mention what really happens to that data, after it's collected. Follow PII on it's epic journey through networks, servers and tapes in 'PII's Journey - an EPIC tale'.

It's a sad sad story....

Once upon a time, somewhere in one of the happier nooks of the internet, there was a little bit of data, named PII, just leaving it's owners computer, destined for important tasks at www.example.com. It was carefully sent, nice and snug under the covers of it's good friend TLS, and informed by some pleasing P3P policies, whereby it was assured no harm would befall it upon arrival at it's destination.

Feeling emboldened by anticipated loving care, it speed into the warm embrace of www.example.com's host, which was clearly identified by the DNS and the subject of a certificate upon which it's TLS road was paved (where said cooboration was of course carried out with the greatest of care).

Little PII, arriving in it's new home, is passed most respectfully to WWW's close friend and helper, apps.example.com, who generally assists in matters more complex than simple HTTP. PII looks backward, somewhat forlornly, at it's companion and confidant P3P and TLS, who accompanied him on the begin of his epic quest to conduct some important business.

PII arrives at apps (well it thinks that's her name, anyway), and is quickly swished through memory and swapped about a bit in apps file system, while apps performs what PII is certain is most difficult and arduous work. Variables and arrays and other structures serve as short stopping places. PII sees all sorts of other, unfamiliar and unrelated data too. Some seemed to be in classes, and PII wondered what instruction they were getting, and if they too were there for the same purpose.

PII doesn't mind so much the jostling and bumping about, knowing that it's mission is vital. At last, after what seemed like thousands of milliseconds, it is instructed to rest, with some other PII, at database.example.com... well, apps told PII that was his name... he arrived at a somewhat anonymous-looking dotted quad. Poor PII, not knowing what to do, and wishing to go home after recent mishandling, finds a row to rest in, and closes it's weary eyes.

PII dreams of the good times it spent with TLS and P3P, all the frolicking about, obediently following the directions of BGP and IP. It fondly remembers the comforting covenants of Jurisdiction and Purpose... of Recipient and Remedy. As the dream grows somewhat dark in nature, a shadow of database is seen in the distance, and PII sees itself moving slowly towards it, completely detached from Purpose and Reason, and with no special protections for its' journey. After fading into the distant ether, PII can no longer see itself, and hope's it's copy can remember all the promises made when it first began it's epic voyage.

Stayed tuned, for the continuing (mis)adventures of PII...

Bewitched flatware

2007-04-29T08:01:00.000-05:00

George reported last week the magentic qualities of his flatware. And were it not for the photograph, none of us would have beleived him.

I can now report a second sighting of the unusual phenomena. I, unfortunately, did not have the camera handy, as I was held captive by the tray table, and the flight attendant (4/28 UA951 crew .. if your out there, wonderful job, by the way) whisked away the knife before I could capture the event in silicon (does anyone capture events on 'film' anymore?).

The flatware must have been stored outside the airplane during departure, as it's surface temperature was low enough to bond skin to metal.

Discussions ensued in Brussels, at the IOS confence as to the cause of the magnetic charge, but no consensus could be reached. But it is strangely coincident with the re-emergence of metal knifes on flights.

Trusting SIP

2007-04-27T13:45:00.000-05:00

My good friend and colleague with others have for over a year now been working on a trait-based authorization specification for SIP known to some as 'SIP-SAML' . This fulfills the requirements outlined in “Trait-based Authorization Requirements for the Session Initiation Protocol (SIP)”, which specifies bindings and profiles for attribute statements (and assertions) from SAML artifacts. This then informs SIP intermediaries with the necessary material to make policy decisions about handling SIP signals (and the subsequent messages), among other use cases.

I've recently discovered that some have considered applying openID in a (slightly) similar manner for SIP mentioned here.

As the above reference articulates, improvements are required to the base openID architecture to accomplish this. Perhaps a token transformation via Liberty Alliance Authentication Service (pdf) accomplishes this objective.

The swiss beverage empire

2007-04-26T14:14:00.000-05:00

I'm here in Brussels for the Liberty Alliance Members meeting and Identity OpenSpace event, and they have been making certain we maintain our appetites by supplying cannabis in liquid form.

These need to be in the states. Both are quite good. It's a shame that the notion of a cannabis-based beverage would never fly in the US.
...
I think i need a snack now.

(Finally found the vendors website)

Open Space Logo Mashup

2006-06-06T08:54:00.000-05:00

I've just registered for the upcomming Identity Open Space in Vancouver. A co-production of the Liberty Alliance and the good folks over at unconference and IIW.

I couldn't resist mixing the logos.

Hope to see you there.

Liberty Adoption Announced

2006-03-14T16:56:00.000-05:00

[Lost in my draft bin]

Liberty Alliance announced new adoption information. It's a pretty impressive list and forecast for 2006.

Some Notable numbers in summary:

120 million citizen identities in the global e-government sector including deployments in Austria, France, Finland, Norway, the Middle East, Spain and the United States;
585 million identities and devices in the mobile and telecommunications sector with vendors and carriers around the world implementing Liberty Federation and Liberty Web Services for identity-based consumer and enterprise applications;
72 million online service provider users able to leverage Liberty identity specifications for conducting e-commerce and accessing and managing a variety of entertainment and social applications;
20 million Liberty enabled identities in the technology and enterprise sectors with organizations managing B2B, B2E and B2C services based on Liberty Federation and Liberty Web Services.

What's more, there are inumberable deployments that are not announced, for various reasons. I think that is a pretty impressive adoption curve, given that ID-FF 1.2 is only a couple of years old.

Congrats to the Liberty folks for:
- make this happen
- finding all this deployment data

Technorati Tags: Federated_Identity, identity, identity20, Liberty_Alliance

Infrequent Visits

2006-03-14T08:48:00.001-05:00

I checked into a hotel last night in Phoenix, Arizona, and was greeted by a rather amusing placard.

On the placard, which provided instructions on how to begin an internet session (non WiFi tho... sheesh), it suggested that if you were having trouble connecting, and to ensure you are not viewing a cached page,

“Go to a public website (not an intranet), such as www.msn.com, that you do not normally visit.”

Is msn.com in that much difficulty, or is this service provider not a fan of Microsoft... perhaps we'll never know.

Google - Panoptically speaking

2006-03-13T09:37:00.000-05:00

Stefan Brands has some interesting material covering panoptical systems (tho imprecisely labels Liberty Specification with this moniker). The system I fear the most, is the inevitable Google Authentication service, which Phil Windley reminded me of with his post on the XMPP underbelly of GTalk.

If ever there was ever an enterprise who had the brainpower, software power, and the marketing where-with-all to aggregate all my online activities, process that, and sell as a service to others, Google is that enterprise.

They've not made any announcements, that I am aware of, but Phil is correct in saying that XMPP is underneath, and thus so is authentication services. trouble is, among other things, it looks a little too Passport-ish for my taste, and so you won't see me using it.

Technorati Tags: identity, Liberty_Alliance, Privacy

Identity Face(s|ts)

2006-03-07T11:10:00.000-05:00

I've been working recently on some new attempts at understanding what exactly is the best way to model Identity Attributes, and who should or can state them about a user (Alice from here on out). What I've concluded is that anyone can assert attributes about Alice (truthful or not). Sometimes you can find these assertions, and sometimes you cannot.

There are at least two separate layers for attributes: a horizontal and a vertical. The horizontal layer represents what can be best described as Alice's vCard. This layer represents attributes which share commonality across almost any application domain, be it social or otherwise. Other tidbits like personal preferences, the type of cell phone she carries, her iTunes playlists, and whatnot can also be lumped in here (tho in some cases, slices of these end up also in the second layer. more on that in a bit).

The second 'layer' is comprised of vertical pillars of domain specific attributes. Financial, social, business, Alice's Rock Climbing Club, her neighborhood, etc... these carry both attributes asserted by others, as well as Alice's own attribute statements.

Reputation systems (attributes asserted by others of Alice) tend to focus only in these vertical domains. Reputation systems cannot effectively function as a horizontal layer, as the perspective of Alice varies from domain to domain. But proximate domains may borrow reputation and other attributes from one another, tempered and weighted by their proximity to one another.

So the relevance of Alice's attributes is proportionate to the domains “distance”, and tempered by the asserting parties reputation in both domains.

This introduces the notion of the “over-layer” domain, where arbitrary aggregations of attributes from nearby domains define a third dimension. This domain, rather than being just another vertical domain, is my persona to a given community.

I've been dabbling with a variation to Paul Madsen's Vector Addition for Identifiers, where the vectors are influenced by these sorts of behaviors between and across domains. Hope to have that RSN ;-)

Technorati Tags: identity, attributes, reputation

Que Syrah^4 part 1

2006-02-08T19:09:00.000-05:00

Lovely. a Blog Ring experiment.

I spent tonight in a wonderful restaurant with many of my Liberty Alliance cohorts. A splendid dining experience in food, spirits and company. "La Sora Lellea". _VERY_ highly recommended, and a very fine Sicilian Syrah (x 4 bottles).

Located on the the Tiber river island of Isola Tiberina in Roma. What a fabulous restaurant. This, i think, is my attempt as 'doing as the romans' in Rome. The service and wine were fabulous. Tahs to Hellmut for the recommendation.

Of course, you have to like ox tail, pig cheeks, and tripe. but hey... when in Rome...

next

Technorati Tags: food, blogring

Localization Nits

2006-02-07T08:42:00.000-05:00

NIT:

HTTP has the ability (and most browsers support, AFAICT) to convey language preferences... and almost every site i go to seems to merrily ignore it.

NIT:

Every time I encounter a language selection list, each language is expressed in the native language of the page (not the language being listed).

Case in point. I'm in Rome this week, and Google (as my homepage) comes up in Italian. Why? Cause they 'sense' that my IP address is in Italy, so hey, i must really want the Italian Google page (nifty feature, but not helpful, generally, except maybe for them, as a traffic management and performance solution). But google.it does not mean i want italian, right?

So then i go stumbling around on their links, i find the language preferences, and all the languages are in italian. Not very helpful. Since 'english' in Italian is 'Inglese', it makes for fixing this in the preferences page. FWIW, for future reference, the url for language selection is http://www.google.it/preferences?hl=it ... so change the hl=it bit to hl=en, and walla!

These sorts of usability issues are hard for some. We all could do a better job in localization, not just Google.

Technorati Tags: Language, usability

From the Ironic Names Committee

2006-02-03T16:14:00.000-05:00

An article on Hundreds of Dead Pets found in woods, I couldn't help but chuckle at the spokesmans name:

The U.S. Forest Service is also taking part in the investigation. Woody Lipps, a spokesman for the agency, said one of the dumping sites was in George Washington National Forest and the perpetrators could face stiff fines.

"Dumping debris on federal property is a federal misdemeanor, but the attorney's office could decide this was hazardous material and if that's the case, the fines and jail time increase dramatically," Lipps said.

What a great name.

Sxip in ... or not

2006-01-23T23:57:00.000-05:00

Paul Madsen's post on Sxore got my to waltz on over and read up on what it's up to. What i found was not quite as expected... From 'An Identity 2.0 Company' anyway).

It stared with the irony that Sxore, from the people that brought you Sxip, and Identity2.0, and purveyors of all things good in decentralized identity systems and designs (a Good Thing), ask that you 'create and account' with them, and 'store your account information in the Sxore system'?

Sigh. I thought the days of federation were nearing. I hope I am mistaken, and if i enroll, they ask me to federate to my Homesite (at least) or my openID, LID (or better, YADIS). But the FAQ leaves my less than optimistic.

Better by far... I could federate with the Sxore service to my Identity Provider via SAML2, point to my Liberty People Service for a more seamless experience, for folks i already know, to comment on my blog (which i moderate for the very reason Sxip created Sxore).

I _would_ like to be able to have a reputation system which maps back to this blog (not that it has much of a readership), not the Sxore identity.

Further reading of the Sxore FAQ shows a few more flys in the Identity Ointment:

Since each sxore account can only be associated with a single blog, you might want to have a sxore account for each of your blogs. However, each sxore account requires a unique email address; you must use a different address for each of your sxore accounts.

... so i get to make a plethora of identities, each requiring a unique email address ???

Comments and tags are stored on the sxore comment server, but are displayed on the blog. In a future version of sxore, we intend to provide an API that will allow blog sites to extract their comments and tags from the sxore comment server.

... so the comment thread is the property of who, exactly?? Although they have something with RSS feeds of the comments. something not all Weblog software have.

Can I automatically approve or delete comments from certain people?
+ Yes. When you moderate comments, use the Approve and Whitelist button to automatically approve future comments from the comment author. (The comments are still displayed in your inbox so that you get comment notifications and can post comment responses.) Similarly, use Delete and Blacklist to automatically delete future comments from the comment author.

... this is the perfect use case for the Liberty People Service (and using federated identifiers, eliminating the need for a Sxore account!).

So I urge Sxip and Sxore to become self-interoperable. It's hard enough to get interoperability across multiple specifications and vendors, but at least support your own identity protocols!

Technorati Tags: Federated_Identity, identity, identity20, Liberty_Alliance, SAML

Tag, You're It

2006-01-18T14:40:00.000-05:00

CNN posted a story recently on using RFID technology which has been used for years in dogs (and i suppose other critters) for identification, and applying this to people. It reports:

With a wave of his hand, Amal Graafstra, a 29-year-old entrepreneur based in Vancouver, Canada, opens his front door. With another, he logs onto his computer.

It's always nice to find more shortcuts in life (how many times have we locked ourselves out of our car?), but the trouble with these sorts of technologies, is they neglect to consider the potential for nefarious uses.

The US Govt explored RFID enabled passports (and promptly got rebuked for flaws [PDF]), yet another example of applying the technology, but neglecting the concequences.

Even if the tag carries nothing more than some unique identifier, it's that identifier that introduces the privacy invasion. Picture Walmart putting tag readers on all the store shelves, and observe how one looks at and handles which products. Over time, they can amass significant knowledge of ones shopping behaviour.

Technorati Tags: Privacy, RFID

an 'eye' for SSO

2006-01-05T12:26:00.000-05:00

Paul Madsen over at connectID comments on the i-Names i-SSO specification:

Looking at the i-names SSO (ISSO) spec being defined at XDI.org, they account for some minimum password strengths by which users MUST authenticate to their i-Broker (within the XDI.org community)

To help prevent dictionary attacks, XDI.ORG MUST specify a minimum password strength required of all ISSO accounts in the XDI.ORG network.

As they use SAML 2.0 as the protocol by which the Website requests an authentication and by which the i-Broker responds, it seems strange that they don't refer to SAML 2.0's Authentication Context as the mechanism for defining such minimum authentication requirements.

In fact, the next revision to this draft (which i am penning as we speak) does, in fact do that. It will also define a couple new profiles, and two new authN contexts (enhancements really, not new).

• XRI-based services discovery profile which allows for the determination of an Authentication Authority based on an iName (XRI)
• Slight variant on Web Browser SSO Profile (adding requirements for the new contexts)
• contexts which add some defenses against phishing

Stay tuned here or over at XDI.org, where the specs formally live for the next release.

Technorati Tags: identity, iSSO, SAML, XRI

A whole lot of identities

2005-11-22T23:37:00.000-05:00

I've been catching up on my blog role, finally... and found a dirth of postings regarding Microsoft's recent smiting of SAML which quotes:

Microsoft will soon start shipping "a whole lot" of servers that use WS-Federation protocols, and those client computers will be compatible, Schmidt said.

Wow. so, "a whole lot of computers". Good. I fell better now ;-) Really, I have no qualms about supporting WS-Trust and InfoCard. In fact, there is no reason SAML tokens could not be used within the InfoCard architecture, as near as I can tell... we'll see what pops out of the OASIS WS-SX Technical Committee at OASIS. Before that, who knows, really.

I had high hopes that Microsoft would support SAML in at least the InfoCard architecture, and Kim was one who had given me confidence in that aspiration. But he's blogged recently:

I have been tireless in arguing the need to support new token formats essential to such [identity meta] systems - rejecting the prevelant bugaboo that we should limit all future technology to SAML and then congratulate ourselves on how clever we are. Isn't that OK too?

Well, yes it's OK. Of course, I'm not sure who's actually saying that SAML should just be adopted by everyone, and we can all go home. Perhaps IT Executives who are waiting for the dust to settle a bit over WS-Fed vs SAML are eager to at least see some effort at convergence... but it seems that is less likely to happen, given this recent sentiment.

But I would say that SAML enjoys broad support and adoption. Tens ... maybe even hundreds... of millions of users are serviced by SAML-based protocols today. I think that is a "whole lot of identities", which is just (if not more) demonstrable of success and broad adoption, than "soon shipping"... "a whole lot of computers".

Tags: Identity | SAML | Digital Idenitity | WS-Trust | Info Card

Eclipsing Identity

2005-11-07T23:00:00.000-05:00

Ben Hyde suggested some potential revisions to my Identity Topology, necessitating a v1.1 of my Identity Specs Topology. Well, I'm not quite ready for v1.1 just yet (as the lawyers have not finished convening on v1.0 IPR issues yet). But... I thought I would share one draft diagram I had, which included DRM, using the shadow technique he recommended.

The topology of Identity Standards

2005-11-04T21:30:00.000-05:00

I've seen many times, a plee for some kind of 'map', allowing a developer or other interested party, a means to navigate the exploding space of identity-oriented protocols/specifications (esp Federation Protocols). I started a diagram some time ago with every imaginable specification I could dream of. Suffice to say, it was large, and illedgable, even for the composer.

I promptly ditched that , and opted for this diagram, which drops many (very relavant) bodies of work, but captures the present trend of specifications relating to this space. It includes directional relationships and venues (mostly standards bodies) where the evolution of the specification is being nurtured.

If you read this blog, and notice the ommition of something you feel is relavant, feel free to contact me/comment here, and i'll try to update it.

pseudo-science has an identity crisis

2005-09-26T14:18:00.000-05:00

I have a little shrine in the lab where i work entitled 'Zenful moments in the lab', where quippy and astonishing events and articles get memorialized on one of the racks.

The first member, was an article (which appears to have never made the leap to the web), in which a scientist at the Brisbane College of Zoological studies concludes that duck's do not quack, they make a sound more like 'ah ah'! And if that is not quite enough research, they went on to conclude:

Cows say 'eh-muh'
dogs say 'eh-ruh'
but amazingly enough, cats do in fact make the sound 'meow'

Now, by itself, this would not have allowed this article to get such an honorable placement in our shrine, but the kicker was that this research was funded, to the tune of $290 million (australian) by the Australian parliment. The second inductee was a website promoting contenporary mumification to kids. Wow. the particularly disturbing image of kids interviewing dad the mummy in the livingroom! Or the bear which comes with removable organs and wrappings.

Most recently, a series of articles have been popping about revolving around the teaching of creationism in the public school system. What first caught my attention was a washington post article: In Evolution Debate, Creationists Are Breaking New Ground in which is covered the soon to be openned Creation Museum. "'We're placing this one in the hall that explains the post-Flood world,' explains the guide. 'When dinosaurs lived with man.' .. again... WOW! Of course, they are up to date with technology. they even have their own blog.

It seems, in the lobby they have a mural captioned by their website: "Imagine soaring cypress trees, the sounds of waterfalls and children playing with dinosaurs! What other surprises await?" well, what a lovely mental image that has. especially the one the probably didn't paint of the famished velociraptor eating the children (Is it me, or is it astonishing that google locates greater than 27,000 pages for this search).

The fact that there is such a title as 'Creationist Paleontologist' is kinda like saying there are chefs at McDonalds.

Wither Circles of Trust ... Again ...

2005-05-05T09:25:00.000-05:00

Network World's Dave Kearns has written several articles on this subject, most recently Where is Liberty Alliance's consumer-oriented Circle of Trust?

We were supposed to have had an announcement of a major, consumer-oriented Circle of Trust by the end of 2004. I'm still waiting.

and another which came in the daily Network World Email newsletter (not yet in archive).

I agree completely that these specifications are not for the faint of heart (which is why most of the Fortune 1000 leave this to the vendors to build). One aspect most vendors cannot solve for them is the legal agreements required for the formation of 'Circles of Trust' (There are some vendors which DO provide services in this space). This is precisely why the Alliance is turning some of it's pens towards non-technical advice and analysis of these challenges. The most recent being "Circles of Trust: The Implications of EU Data Protection and Privacy Law for Establishing a Legal Framework for Identity Federation", which Dave references in his article.

As for the apparent lack of Consumer facing deployments? Well, I can assure you they are there. Not in vast numbers, granted. The motivations for the deployments to date are (to the best of my knowledge) strategic in nature; part of the infrastructure. Deployments that are firmly committed to open, Identity Oriented Architectures will embed Liberty specifications INTO the networks and services they offer. Consumers may never be aware that Liberty protocols are under the hood of the services they use. Rather, they will experience ease of use and privacy-protecting interactions when service providers request authentication and attributes about them.

Liberty has focused it's brand primarily on the vendor and customer communities through it's conformance programs. These are the adopters, where-as consumers and employees are the beneficiaries.

Tags: Identity | Privacy | Liberty Alliance

Diagrams of Identity

2005-05-03T18:38:00.000-05:00

The Technorati Identity tag lead me squarely here at Nancy White's photo blog w/flickr.

Since I tend to think pictorally, just like this (and have a growing collection of mind-maps myself), I thought I'd blog this one up the stack a bit (and a mental bookmark).

What this map really demonstrates is the true relativity of Identity. Given some completely different context, the map shows compliance, strong authentication, and patient privacy.

So Nancy, the next time you make this great diagram centered on Identity, push the edges a bit, and lets see how diverse these perspectives really are! I'd bet some would recoil and others rejoice! I cannot help but wonder if Identity Perspectives will ever allow Identity Commons?

Immeasurable Steps for Quantum crypto

2005-04-29T21:43:00.000-05:00

The Register reports that while there are a few Quantum Crypto vendors shipping goods today, recent developments show that this technology is rapidly emerging, and has the properties of being deployable.

Cost and requirements for dedicated pair-wise fiber links between parties (up to a few dozen kilometers) will impeed broad deployments in areas other than (perhaps) financial services, telecoms industry and the media. This will change, and there are claims for the development of other key distribution transports, which will bolster the adoption curve, and mitigate the distance problem.

With keen interest, I read that Toshiba Research Europe has applied Quantum crypto for protecting streaming video... With new encryption keys for every frame, theft on-the-wire will become exceedingly impractical, too costly relative to the value of the pilfered content.

I watch this with continued admiration of the research community...

Where are the customers

2005-04-24T22:17:00.000-05:00

Identity Woman asks "Where are the customers"... well, i can say for certain that there have been circles of trust formed in 2004, some quite large. having been there, i can say this stuff does not come easily. And it's not the technology. Marc recently wrote about this here saying

The legal complexities of this style of federation are significant, and they must all be considered.

Absolutely, and the bigger the radius, the greater the degree of complexity (and the number of lawyers... there's a joke in there somewhere...).

So while perhaps AOL's circle and a few others that have formed are not awe inspiring (yet). I think given that these standards are not yet even three years young, they've gone a long way fast. But look at the commercial software support. So, pulling out my old (dusty) IT Architect calculator with integrated time sink-hole estimator:

[Spec release] + [CoTs development]*2 +
([Corp Sponsorship]^2 + [IT planning] + [IT development] +
[marketing something-or-other]/[very small number less than 1] + [role-out])*2
= [something north of 3 years]

So perhaps the early movers have done so... i'd venture 2005 we'll see some more interesting Circles take shape.

Reflecions for "The Identity Corner » Liberty Alliance on data protection and privacy"

2005-04-21T08:18:00.000-05:00

I recently completed reading Stefan Brands post reviewing Liberty's “Circles of Trust: The Implications of EU Data Protection and Privacy Law for Establishing a Legal Framework for Identity Federation“.

First, I'm thankful for the review. External commentary is extremely valuable, as those of us working on these problems in standards bodies crave new input. I think some clarifications, however, are required for proper analysis of the Liberty Specification suite. This review results in two recommendations:

User-centric data flows for directing (properly authenticated and protected) identity and attribute assertions through the data subjects themselves in a manner that gives each data subject fine-grained selective disclosure capability over identity and attribute assertions made about him or her, and

Genuine privacy-preserving authentication technologies – as opposed to the current smoke-and-mirrors “pseudonyms” of Liberty Alliance, which are not pseudonyms at all but centrally assigned aliases.

The primary error in this analysis (and thus the resulting recommendations) is some presumption of the locations/ownership of the architectural elements:
+ Service Providers [SP] (who rely on assertions from a trusted party),
+ Identity Providers [IDP] (who may or may not be an 'anchor' of trust in the network),
+ Attribute Authorities [AA] (who may be trusted by the principal for managing their data 'at-rest' and 'in-motion')

These entities in fact can (and do) express themselves into networks in many ways. While it is true that in one form, the IDP and AP may be operated by institutional bodies (corporations, governments, public trusts, etc...), it is equally true that a principal can control these functions themselves, on their own terms, with their own policies, even on their own hosts. In addition, it is likely that a single principal will have many attribute authorities, even for a single service type, creating distributed data-web's. Implimentations may choose from many deployment paradigms.

This satisfies the first recommendation, and can be implemented using current versions of the Liberty Alliance Specifications suite ID-WSF 1.x in conjunction with SAML v2.0 (as a footnote, the panoptic discussion is more properly placed with the OASIS SSTC, rather than Liberty).

Of course, there are negative privacy consequences when everything (authentication and attribute assertions) are sourced from a single point. Most notably, triangulation of the subject of these assertions due to single points of origin.

Further, user control of some attributes will be inappropriate. Attributes which are assigned to a principal such as credit cards (card issuing bank is the authority), identification numbers (governments assign drivers license numbers), and health care records (which are create and maintained by health care providers). Relying parties of such assertions a better served by assertions from the assignment authority, rather than some measure of confidence that the principal is stating fact.

To the topic of pseudonym manufacture, thus, clearly given a deployment described above, where the principal themselves may choose to operate their own authentication service (perhaps populated with security tokens obtained from elsewhere or locally). This would then satisfy the second observation.

I'm greatful for you pointing these things out, as it underscores just how composable the framework has become. The wonderful thing about open standards... everyone can read, review, comment, implement and deploy upon them, and are encouraged to do so.

Technorati Identity tag

YaGoohoo!gle

2005-04-15T15:25:00.000-05:00

Research Buzz alerted me to YaGoohoo!gle from this article. A wonderful play on two search engines... side-by-side (frames) comparison for search results. Just for kicks, i yagoohoogled for my own blog. rather disapointing results, i must say. but at least there were no ads purchased for that string.

But this does motivate me to write something that actually intermixes their results into one single page.

Datamonitor - Gemplus and NEC win e-Passport bid - News

2005-04-08T21:51:00.000-05:00

So Datamonitor - Gemplus and NEC win e-Passport bid - News reveals some interesting emerging identity systems activities in nation-states. The U.S. Government has been working this angle for quite some time, and most recently at the RSA conference this winter.

I can only hope that this activity continues. There is a lot at stake for many, not the least of which are the citizens of many contries contemplating the authentication and authorization problems mixed into this quagmire of Identity.

Sun Community Programs launches

2005-03-02T09:34:00.000-05:00

So, i just joined the Sun Community Programs * keiretsu Home. Motivated, i think, by Jonathan Schwartz's blog. he likes to blog, and many Sun employees are encouraged to do so as well on the employee blog. I don't get to this often enuf, but i've noticed that this seems a common malady, when you post things with a bit more relavance than letting the readers know what i had for dinner last night ;-).

eBay - FleetCenter items in Experiences Finder

2005-02-28T11:18:00.000-05:00

OK... i've seen all sort sof odd things, and still personally find the purchase of naming rights of sports stadiums a silly thing, but
auctioning single-day naming rights on eBay? It never ceses to amaze me what i find on eBay!

ICANN Auctions?

2005-02-16T11:07:00.000-05:00

So, when | VeriSign auctions pending delete domains. can i buy this at eBay? It seems i already can! let the market decide to do this, not ICANN.

It assonishes me that there is so many attempts in inflating the revenue's of domain names.

When is a CA not a CA

2005-02-16T11:02:00.000-05:00

ICANNWatch | VeriSign and Conflicts of Interest ICANN Wathch posting about Ian Grigg's grips re:Verisign and .net tld vs. NetDiscovery (CALEA compliance service). So, when they need to snoop they act as a bad ca, and when they don't, they act as a 'good' CA (well, maybe not).

This reminds me of the early days of SSL, when VRSN ruled supreme, and there was little confirmation of identity (CSR == Whois). Lame.... still.

Science & Technology at Scientific American.com: Complete Chicken Genome Sequenced

2004-12-14T15:26:00.000-05:00

Science & Technology at Scientific American.com: Complete Chicken Genome Sequenced really scares me. I can only imagine what they will find in the decoded genome. perhaps more sobering is the fact that humans share 60 percent of chicken genes. Ick.

[Sipping] Technical reports on Skype protocol analysis and SIP in peer-to-peer mode

2004-12-13T23:23:00.000-05:00

The IETF Sipping mailing list posting [Sipping] Technical reports on Skype protocol analysis and SIP in peer-to-peer mode producing two very interesting studies on SIP and especially this publication which decomposes as much of the Skype protocol that can be inferred from the unencrypted bits of the messages. Amazing what Ethereal will allow glimpses of!

Old buddy

2004-11-12T10:41:00.000-05:00

So i finally tracked down my old classmate English Faculty: Bruce Holsinger. Need to drop him a note, and get together. Cool that he ended up a prof. Seems fitting, he was always a great student, and had the knack of a teacher, even in the 80's.

IBM To Offer Single Sign On To Orange Customers using liberty

2004-07-27T08:02:00.000-05:00

So,
this: article makes the broad statement: "The IBM software used complies with the Liberty 1.1 Web Services specifications", which are words i am gratefull for, but thought i would never hear, given IBM's work with the WS-* stack. Will wonders never cease!

Of course, i am pleased to see it, and perhaps belies earlier adoption and convergence than i first believed.

Only time will truely tell.

Matrix ping pong

2004-07-16T13:49:00.000-05:00

So a co-worker pointed me to this page of videos, and i fully enjoyed the Matrix PingPong, which appears to be doen for an asian equivelent of the Gong Show. I have to say, it's one of the best spoofs on the matrix filmography i've seen.

PBL: Bits over Amps

2004-07-15T08:40:00.000-05:00

CBS writes about PBL... or Broadband over Powerlines. So my gadget list is gunno have to grow.

man.... Steven Hawking may be wrong

2004-07-15T08:08:00.000-05:00

New Scientist reports that Hawking will shortly present that he has resolved the paradox between Quantum physics and the Hawking Radiation.

National Barbie Day is comming soon

2004-07-14T08:47:00.000-05:00

FreeCulture.org: an international student movement remindes my that this event celebrating the court ruling in favor of photographer Tom Forsythe, who's images Mattel claims were violations of it's IP... hehehe. Art wins again!

This is truely cool

2004-07-13T16:21:00.000-05:00

The Next Big Thing: Do-It-Yourself: Show #445 (July 09, 2004): "build a rollercoaster in the backyard"... who'd a thunk. and they are right... it really takes guts to ride it yourself after you build it.

Now, since my 5 year old daughter (who is as big a coaster fan as i am), i'm compelled to make one myself.... or not.